From e05114233445cf5af834b8a0195499ff00e82e8e Mon Sep 17 00:00:00 2001
From: Dennis <github@infinite-ways.de>
Date: Mon, 22 Dec 2025 17:44:56 +0100
Subject: [PATCH 001/122] Add region-based resource rule

---
 messages/de-DE.json                           |  28 +++
 messages/en-US.json                           |  34 +++
 messages/ru-RU.json                           |  28 +++
 server/db/regions.ts                          | 196 +++++++++++++++
 server/routers/badger/verifySession.test.ts   |  96 ++++++-
 server/routers/badger/verifySession.ts        |  46 ++++
 server/routers/resource/createResourceRule.ts |  12 +-
 server/routers/resource/updateResourceRule.ts |  12 +-
 .../resources/proxy/[niceId]/rules/page.tsx   | 238 +++++++++++++++++-
 9 files changed, 678 insertions(+), 12 deletions(-)
 create mode 100644 server/db/regions.ts

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 13ab3d11c..94950748f 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1734,6 +1734,34 @@
     "exitNode": "Exit-Node",
     "country": "Land",
     "rulesMatchCountry": "Derzeit basierend auf der Quell-IP",
+    "region": "Region",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Nordafrika",
+    "regionEasternAfrica": "Ostafrika",
+    "regionMiddleAfrica": "Zentralafrika",
+    "regionSouthernAfrica": "Südliches Afrika",
+    "regionWesternAfrica": "Westafrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karibik",
+    "regionCentralAmerica": "Mittelamerika",
+    "regionSouthAmerica": "Südamerika",
+    "regionNorthernAmerica": "Nordamerika",
+    "regionAsia": "Asien",
+    "regionCentralAsia": "Zentralasien",
+    "regionEasternAsia": "Ostasien",
+    "regionSouthEasternAsia": "Südostasien",
+    "regionSouthernAsia": "Südasien",
+    "regionWesternAsia": "Westasien",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Osteuropa",
+    "regionNorthernEurope": "Nordeuropa",
+    "regionSouthernEurope": "Südeuropa",
+    "regionWesternEurope": "Westeuropa",
+    "regionOceania": "Ozeanien",
+    "regionAustraliaAndNewZealand": "Australien und Neuseeland",
+    "regionMelanesia": "Melanesien",
+    "regionMicronesia": "Mikronesien",
+    "regionPolynesia": "Polynesien",
     "managedSelfHosted": {
         "title": "Verwaltetes Selbsthosted",
         "description": "Zuverlässiger und wartungsarmer Pangolin Server mit zusätzlichen Glocken und Pfeifen",
diff --git a/messages/en-US.json b/messages/en-US.json
index b023ac754..55cf2d6bd 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1734,6 +1734,40 @@
     "exitNode": "Exit Node",
     "country": "Country",
     "rulesMatchCountry": "Currently based on source IP",
+    "region": "Region",
+    "selectRegion": "Select region",
+    "searchRegions": "Search regions...",
+    "noRegionFound": "No region found.",
+    "rulesMatchRegion": "Select a regional grouping of countries",
+    "rulesErrorInvalidRegion": "Invalid region",
+    "rulesErrorInvalidRegionDescription": "Please select a valid region.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "Northern Africa",
+    "regionEasternAfrica": "Eastern Africa",
+    "regionMiddleAfrica": "Middle Africa",
+    "regionSouthernAfrica": "Southern Africa",
+    "regionWesternAfrica": "Western Africa",
+    "regionAmericas": "Americas",
+    "regionCaribbean": "Caribbean",
+    "regionCentralAmerica": "Central America",
+    "regionSouthAmerica": "South America",
+    "regionNorthernAmerica": "Northern America",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Central Asia",
+    "regionEasternAsia": "Eastern Asia",
+    "regionSouthEasternAsia": "South-Eastern Asia",
+    "regionSouthernAsia": "Southern Asia",
+    "regionWesternAsia": "Western Asia",
+    "regionEurope": "Europe",
+    "regionEasternEurope": "Eastern Europe",
+    "regionNorthernEurope": "Northern Europe",
+    "regionSouthernEurope": "Southern Europe",
+    "regionWesternEurope": "Western Europe",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia and New Zealand",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Managed Self-Hosted",
         "description": "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles",
diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index d687b7837..5eb1ee076 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1734,6 +1734,34 @@
     "exitNode": "Узел выхода",
     "country": "Страна",
     "rulesMatchCountry": "В настоящее время основано на исходном IP",
+    "region": "Регион",
+    "regionAfrica": "Африка",
+    "regionNorthernAfrica": "Северная Африка",
+    "regionEasternAfrica": "Восточная Африка",
+    "regionMiddleAfrica": "Центральная Африка",
+    "regionSouthernAfrica": "Южная Африка",
+    "regionWesternAfrica": "Западная Африка",
+    "regionAmericas": "Америка",
+    "regionCaribbean": "Карибы",
+    "regionCentralAmerica": "Центральная Америка",
+    "regionSouthAmerica": "Южная Америка",
+    "regionNorthernAmerica": "Северная Америка",
+    "regionAsia": "Азия",
+    "regionCentralAsia": "Центральная Азия",
+    "regionEasternAsia": "Восточная Азия",
+    "regionSouthEasternAsia": "Юго-Восточная Азия",
+    "regionSouthernAsia": "Южная Азия",
+    "regionWesternAsia": "Западная Азия",
+    "regionEurope": "Европа",
+    "regionEasternEurope": "Восточная Европа",
+    "regionNorthernEurope": "Северная Европа",
+    "regionSouthernEurope": "Южная Европа",
+    "regionWesternEurope": "Западная Европа",
+    "regionOceania": "Океания",
+    "regionAustraliaAndNewZealand": "Австралия и Новая Зеландия",
+    "regionMelanesia": "Меланезия",
+    "regionMicronesia": "Микронезия",
+    "regionPolynesia": "Полинезия",
     "managedSelfHosted": {
         "title": "Управляемый с самовывоза",
         "description": "Более надежный и низко обслуживаемый сервер Pangolin с дополнительными колокольнями и свистками",
diff --git a/server/db/regions.ts b/server/db/regions.ts
new file mode 100644
index 000000000..90a380a29
--- /dev/null
+++ b/server/db/regions.ts
@@ -0,0 +1,196 @@
+// Regions of the World
+// as of 2025-10-25
+//
+// Adapted according to the United Nations Geoscheme
+// see https://www.unicode.org/cldr/charts/48/supplemental/territory_containment_un_m_49.html
+// see https://unstats.un.org/unsd/methodology/m49
+
+export const REGIONS = [
+    {
+        name: "regionAfrica",
+        id: "002",
+        includes: [
+            {
+                name: "regionNorthernAfrica",
+                id: "015",
+                countries: ["DZ", "EG", "LY", "MA", "SD", "TN", "EH"]
+            },
+            {
+                name: "regionEasternAfrica",
+                id: "014",
+                countries: ["IO", "BI", "KM", "DJ", "ER", "ET", "TF", "KE", "MG", "MW", "MU", "YT", "MZ", "RE", "RW", "SC", "SO", "SS", "UG", "ZM", "ZW"]
+            },
+            {
+                name: "regionMiddleAfrica",
+                id: "017",
+                countries: ["AO", "CM", "CF", "TD", "CG", "CD", "GQ", "GA", "ST"]
+            },
+            {
+                name: "regionSouthernAfrica",
+                id: "018",
+                countries: ["BW", "SZ", "LS", "NA", "ZA"]
+            },
+            {
+                name: "regionWesternAfrica",
+                id: "011",
+                countries: ["BJ", "BF", "CV", "CI", "GM", "GH", "GN", "GW", "LR", "ML", "MR", "NE", "NG", "SH", "SN", "SL", "TG"]
+            }
+        ]
+    },
+    {
+        name: "regionAmericas",
+        id: "019",
+        includes: [
+            {
+                name: "regionCaribbean",
+                id: "029",
+                countries: ["AI", "AG", "AW", "BS", "BB", "BQ", "VG", "KY", "CU", "CW", "DM", "DO", "GD", "GP", "HT", "JM", "MQ", "MS", "PR", "BL", "KN", "LC", "MF", "VC", "SX", "TT", "TC", "VI"]
+            },
+            {
+                name: "regionCentralAmerica",
+                id: "013",
+                countries: ["BZ", "CR", "SV", "GT", "HN", "MX", "NI", "PA"]
+            },
+            {
+                name: "regionSouthAmerica",
+                id: "005",
+                countries: ["AR", "BO", "BV", "BR", "CL", "CO", "EC", "FK", "GF", "GY", "PY", "PE", "GS", "SR", "UY", "VE"]
+            },
+            {
+                name: "regionNorthernAmerica",
+                id: "021",
+                countries: ["BM", "CA", "GL", "PM", "US"]
+            }
+        ]
+    },
+    {
+        name: "regionAsia",
+        id: "142",
+        includes: [
+            {
+                name: "regionCentralAsia",
+                id: "143",
+                countries: ["KZ", "KG", "TJ", "TM", "UZ"]
+            },
+            {
+                name: "regionEasternAsia",
+                id: "030",
+                countries: ["CN", "HK", "MO", "KP", "JP", "MN", "KR"]
+            },
+            {
+                name: "regionSouthEasternAsia",
+                id: "035",
+                countries: ["BN", "KH", "ID", "LA", "MY", "MM", "PH", "SG", "TH", "TL", "VN"]
+            },
+            {
+                name: "regionSouthernAsia",
+                id: "034",
+                countries: ["AF", "BD", "BT", "IN", "IR", "MV", "NP", "PK", "LK"]
+            },
+            {
+                name: "regionWesternAsia",
+                id: "145",
+                countries: ["AM", "AZ", "BH", "CY", "GE", "IQ", "IL", "JO", "KW", "LB", "OM", "QA", "SA", "PS", "SY", "TR", "AE", "YE"]
+            }
+        ]
+    },
+    {
+        name: "regionEurope",
+        id: "150",
+        includes: [
+            {
+                name: "regionEasternEurope",
+                id: "151",
+                countries: ["BY", "BG", "CZ", "HU", "PL", "MD", "RO", "RU", "SK", "UA"]
+            },
+            {
+                name: "regionNorthernEurope",
+                id: "154",
+                countries: ["AX", "DK", "EE", "FO", "FI", "GG", "IS", "IE", "IM", "JE", "LV", "LT", "NO", "SJ", "SE", "GB"]
+            },
+            {
+                name: "regionSouthernEurope",
+                id: "039",
+                countries: ["AL", "AD", "BA", "HR", "GI", "GR", "VA", "IT", "MT", "ME", "MK", "PT", "SM", "RS", "SI", "ES"]
+            },
+            {
+                name: "regionWesternEurope",
+                id: "155",
+                countries: ["AT", "BE", "FR", "DE", "LI", "LU", "MC", "NL", "CH"]
+            }
+        ]
+    },
+    {
+        name: "regionOceania",
+        id: "009",
+        includes: [
+            {
+                name: "regionAustraliaAndNewZealand",
+                id: "053",
+                countries: ["AU", "CX", "CC", "HM", "NZ", "NF"]
+            },
+            {
+                name: "regionMelanesia",
+                id: "054",
+                countries: ["FJ", "NC", "PG", "SB", "VU"]
+            },
+            {
+                name: "regionMicronesia",
+                id: "057",
+                countries: ["GU", "KI", "MH", "FM", "NR", "MP", "PW", "UM"]
+            },
+            {
+                name: "regionPolynesia",
+                id: "061",
+                countries: ["AS", "CK", "PF", "NU", "PN", "WS", "TK", "TO", "TV", "WF"]
+            }
+        ]
+    }
+];
+
+type Subregion = {
+    name: string;
+    id: string;
+    countries: string[];
+};
+
+type Region = {
+    name: string;
+    id: string;
+    includes: Subregion[];
+};
+
+export function getRegionNameById(regionId: string): string | undefined {
+    // Check top-level regions
+    const region = REGIONS.find((r) => r.id === regionId);
+    if (region) {
+        return region.name;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        for (const subregion of region.includes) {
+            if (subregion.id === regionId) {
+                return subregion.name;
+            }
+        }
+    }
+
+    return undefined;
+}
+
+export function isValidRegionId(regionId: string): boolean {
+    // Check top-level regions
+    if (REGIONS.find((r) => r.id === regionId)) {
+        return true;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        if (region.includes.find((s) => s.id === regionId)) {
+            return true;
+        }
+    }
+
+    return false;
+}
\ No newline at end of file
diff --git a/server/routers/badger/verifySession.test.ts b/server/routers/badger/verifySession.test.ts
index 7c967acef..8333a4578 100644
--- a/server/routers/badger/verifySession.test.ts
+++ b/server/routers/badger/verifySession.test.ts
@@ -1,4 +1,37 @@
 import { assertEquals } from "@test/assert";
+import { REGIONS } from "@server/db/regions";
+
+function isIpInRegion(
+    ipCountryCode: string | undefined,
+    checkRegionCode: string
+): boolean {
+    if (!ipCountryCode) {
+        return false;
+    }
+
+    const upperCode = ipCountryCode.toUpperCase();
+
+    for (const region of REGIONS) {
+        // Check if it's a top-level region (continent)
+        if (region.id === checkRegionCode) {
+            for (const subregion of region.includes) {
+                if (subregion.countries.includes(upperCode)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        // Check subregions
+        for (const subregion of region.includes) {
+            if (subregion.id === checkRegionCode) {
+                return subregion.countries.includes(upperCode);
+            }
+        }
+    }
+
+    return false;
+}
 
 function isPathAllowed(pattern: string, path: string): boolean {
     // Normalize and split paths into segments
@@ -272,12 +305,71 @@ function runTests() {
         "Root path should not match non-root path"
     );
 
-    console.log("All tests passed!");
+    console.log("All path matching tests passed!");
+}
+
+function runRegionTests() {
+    console.log("\nRunning isIpInRegion tests...");
+
+    // Test undefined country code
+    assertEquals(
+        isIpInRegion(undefined, "150"),
+        false,
+        "Undefined country code should return false"
+    );
+
+    // Test subregion matching (Western Europe)
+    assertEquals(
+        isIpInRegion("DE", "155"),
+        true,
+        "Country should match its subregion"
+    );
+    assertEquals(
+        isIpInRegion("GB", "155"),
+        false,
+        "Country should NOT match wrong subregion"
+    );
+
+    // Test continent matching (Europe)
+    assertEquals(
+        isIpInRegion("DE", "150"),
+        true,
+        "Country should match its continent"
+    );
+    assertEquals(
+        isIpInRegion("GB", "150"),
+        true,
+        "Different European country should match Europe"
+    );
+    assertEquals(
+        isIpInRegion("US", "150"),
+        false,
+        "Non-European country should NOT match Europe"
+    );
+
+    // Test case insensitivity
+    assertEquals(
+        isIpInRegion("de", "155"),
+        true,
+        "Lowercase country code should work"
+    );
+
+    // Test invalid region code
+    assertEquals(
+        isIpInRegion("DE", "999"),
+        false,
+        "Invalid region code should return false"
+    );
+
+    console.log("All region tests passed!");
 }
 
 // Run all tests
 try {
     runTests();
+    runRegionTests();
+    console.log("\n✅ All tests passed!");
 } catch (error) {
-    console.error("Test failed:", error);
+    console.error("❌ Test failed:", error);
+    process.exit(1);
 }
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 0e3a3489c..0bc9bde88 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -39,6 +39,7 @@ import {
 } from "#dynamic/lib/checkOrgAccessPolicy";
 import { logRequestAudit } from "./logRequestAudit";
 import cache from "@server/lib/cache";
+import { REGIONS } from "@server/db/regions";
 
 const verifyResourceSessionSchema = z.object({
     sessions: z.record(z.string(), z.string()).optional(),
@@ -967,6 +968,12 @@ async function checkRules(
             (await isIpInAsn(ipAsn, rule.value))
         ) {
             return rule.action as any;
+        } else if (
+            clientIp &&
+            rule.match == "REGION" &&
+            (await isIpInRegion(ipCC, rule.value))
+        ) {
+            return rule.action as any;
         }
     }
 
@@ -1133,6 +1140,45 @@ async function isIpInAsn(
     return match;
 }
 
+export async function isIpInRegion(
+    ipCountryCode: string | undefined,
+    checkRegionCode: string
+): Promise<boolean> {
+    if (!ipCountryCode) {
+        return false;
+    }
+
+    const upperCode = ipCountryCode.toUpperCase();
+
+    for (const region of REGIONS) {
+        // Check if it's a top-level region (continent)
+        if (region.id === checkRegionCode) {
+            for (const subregion of region.includes) {
+                if (subregion.countries.includes(upperCode)) {
+                    logger.debug(`Country ${upperCode} is in region ${region.id} (${region.name})`);
+                    return true;
+                }
+            }
+            logger.debug(`Country ${upperCode} is not in region ${region.id} (${region.name})`);
+            return false;
+        }
+
+        // Check subregions
+        for (const subregion of region.includes) {
+            if (subregion.id === checkRegionCode) {
+                if (subregion.countries.includes(upperCode)) {
+                    logger.debug(`Country ${upperCode} is in region ${subregion.id} (${subregion.name})`);
+                    return true;
+                }
+                logger.debug(`Country ${upperCode} is not in region ${subregion.id} (${subregion.name})`);
+                return false;
+            }
+        }
+    }
+
+    return false;
+}
+
 async function getAsnFromIp(ip: string): Promise<number | undefined> {
     const asnCacheKey = `asn:${ip}`;
 
diff --git a/server/routers/resource/createResourceRule.ts b/server/routers/resource/createResourceRule.ts
index a516d14af..0796191b1 100644
--- a/server/routers/resource/createResourceRule.ts
+++ b/server/routers/resource/createResourceRule.ts
@@ -14,10 +14,11 @@ import {
     isValidUrlGlobPattern
 } from "@server/lib/validators";
 import { OpenAPITags, registry } from "@server/openApi";
+import { isValidRegionId } from "@server/db/regions";
 
 const createResourceRuleSchema = z.strictObject({
     action: z.enum(["ACCEPT", "DROP", "PASS"]),
-    match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN"]),
+    match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN", "REGION"]),
     value: z.string().min(1),
     priority: z.int(),
     enabled: z.boolean().optional()
@@ -126,6 +127,15 @@ export async function createResourceRule(
                     )
                 );
             }
+        } else if (match === "REGION") {
+            if (!isValidRegionId(value)) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid region ID provided"
+                    )
+                );
+            }
         }
 
         // Create the new resource rule
diff --git a/server/routers/resource/updateResourceRule.ts b/server/routers/resource/updateResourceRule.ts
index b443bd1c2..fe717bb5e 100644
--- a/server/routers/resource/updateResourceRule.ts
+++ b/server/routers/resource/updateResourceRule.ts
@@ -14,6 +14,7 @@ import {
     isValidUrlGlobPattern
 } from "@server/lib/validators";
 import { OpenAPITags, registry } from "@server/openApi";
+import { isValidRegionId } from "@server/db/regions";
 
 // Define Zod schema for request parameters validation
 const updateResourceRuleParamsSchema = z.strictObject({
@@ -25,7 +26,7 @@ const updateResourceRuleParamsSchema = z.strictObject({
 const updateResourceRuleSchema = z
     .strictObject({
         action: z.enum(["ACCEPT", "DROP", "PASS"]).optional(),
-        match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN"]).optional(),
+        match: z.enum(["CIDR", "IP", "PATH", "COUNTRY", "ASN", "REGION"]).optional(),
         value: z.string().min(1).optional(),
         priority: z.int(),
         enabled: z.boolean().optional()
@@ -166,6 +167,15 @@ export async function updateResourceRule(
                         )
                     );
                 }
+            } else if (match === "REGION") {
+                if (!isValidRegionId(value)) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Invalid region ID provided"
+                        )
+                    );
+                }
             }
         }
 
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
index d10a38d65..c00f9e0df 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
@@ -6,7 +6,9 @@ import { Input } from "@/components/ui/input";
 import {
     Select,
     SelectContent,
+    SelectGroup,
     SelectItem,
+    SelectLabel,
     SelectTrigger,
     SelectValue
 } from "@/components/ui/select";
@@ -75,6 +77,7 @@ import { useRouter } from "next/navigation";
 import { useTranslations } from "next-intl";
 import { COUNTRIES } from "@server/db/countries";
 import { MAJOR_ASNS } from "@server/db/asns";
+import { REGIONS, getRegionNameById, isValidRegionId } from "@server/db/regions";
 import {
     Command,
     CommandEmpty,
@@ -119,6 +122,8 @@ export default function ResourceRules(props: {
         useState(false);
     const [openAddRuleAsnSelect, setOpenAddRuleAsnSelect] =
         useState(false);
+    const [openAddRuleRegionSelect, setOpenAddRuleRegionSelect] =
+        useState(false);
     const router = useRouter();
     const t = useTranslations();
     const { env } = useEnvContext();
@@ -138,7 +143,8 @@ export default function ResourceRules(props: {
         IP: "IP",
         CIDR: t("ipAddressRange"),
         COUNTRY: t("country"),
-        ASN: "ASN"
+        ASN: "ASN",
+        REGION: t("region")
     } as const;
 
     const addRuleForm = useForm({
@@ -258,6 +264,20 @@ export default function ResourceRules(props: {
             setLoading(false);
             return;
         }
+        if (
+            data.match === "REGION" &&
+            !isValidRegionId(data.value)
+        ) {
+            toast({
+                variant: "destructive",
+                title: t("rulesErrorInvalidRegion"),
+                description:
+                    t("rulesErrorInvalidRegionDescription") ||
+                    "Invalid region."
+            });
+            setLoading(false);
+            return;
+        }
 
         // find the highest priority and add one
         let priority = data.priority;
@@ -311,6 +331,8 @@ export default function ResourceRules(props: {
                 return t("rulesMatchCountry");
             case "ASN":
                 return "Enter an Autonomous System Number (e.g., AS15169 or 15169)";
+            case "REGION":
+                return t("rulesMatchRegion");
         }
     }
 
@@ -536,12 +558,12 @@ export default function ResourceRules(props: {
                 <Select
                     defaultValue={row.original.match}
                     onValueChange={(
-                        value: "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN"
+                        value: "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION"
                     ) =>
                         updateRule(row.original.ruleId, {
                             match: value,
                             value:
-                                value === "COUNTRY" ? "US" : value === "ASN" ? "AS15169" : row.original.value
+                                value === "COUNTRY" ? "US" : value === "ASN" ? "AS15169" : value === "REGION" ? "021" : row.original.value
                         })
                     }
                 >
@@ -557,6 +579,11 @@ export default function ResourceRules(props: {
                                 {RuleMatch.COUNTRY}
                             </SelectItem>
                         )}
+                        {isMaxmindAvailable && (
+                            <SelectItem value="REGION">
+                                {RuleMatch.REGION}
+                            </SelectItem>
+                        )}
                         {isMaxmindAsnAvailable && (
                             <SelectItem value="ASN">
                                 {RuleMatch.ASN}
@@ -638,14 +665,14 @@ export default function ResourceRules(props: {
                             >
                                 {row.original.value
                                     ? (() => {
-                                          const found = MAJOR_ASNS.find(
+                                    const found = MAJOR_ASNS.find(
                                               (asn) =>
                                                   asn.code ===
                                                   row.original.value
-                                          );
-                                          return found
-                                              ? `${found.name} (${row.original.value})`
-                                              : `Custom (${row.original.value})`;
+                                    );
+                                    return found
+                                        ? `${found.name} (${row.original.value})`
+                                        : `Custom (${row.original.value})`;
                                       })()
                                     : "Select ASN"}
                                 <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
@@ -715,6 +742,88 @@ export default function ResourceRules(props: {
                             </div>
                         </PopoverContent>
                     </Popover>
+                ) : row.original.match === "REGION" ? (
+                    <Popover>
+                        <PopoverTrigger asChild>
+                            <Button
+                                variant="outline"
+                                role="combobox"
+                                className="min-w-[200px] justify-between"
+                            >
+                                {(() => {
+                                    const regionName = getRegionNameById(row.original.value);
+                                    if (!regionName) {
+                                        return t("selectRegion");
+                                    }
+                                    return `${t(regionName)} (${row.original.value})`;
+                                })()}
+                                <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                            </Button>
+                        </PopoverTrigger>
+                        <PopoverContent className="min-w-[200px] p-0">
+                            <Command>
+                                <CommandInput
+                                    placeholder={t("searchRegions")}
+                                />
+                                <CommandList>
+                                    <CommandEmpty>
+                                        {t("noRegionFound")}
+                                    </CommandEmpty>
+                                    {REGIONS.map((continent) => (
+                                        <CommandGroup key={continent.id} heading={t(continent.name)}>
+                                            <CommandItem
+                                                value={continent.id}
+                                                keywords={[
+                                                    t(continent.name),
+                                                    continent.id
+                                                ]}
+                                                onSelect={() => {
+                                                    updateRule(
+                                                        row.original.ruleId,
+                                                        { value: continent.id }
+                                                    );
+                                                }}
+                                            >
+                                                <Check
+                                                    className={`mr-2 h-4 w-4 ${
+                                                        row.original.value === continent.id
+                                                            ? "opacity-100"
+                                                            : "opacity-0"
+                                                    }`}
+                                                />
+                                                {t(continent.name)} ({continent.id})
+                                            </CommandItem>
+                                            {continent.includes.map((subregion) => (
+                                                <CommandItem
+                                                    key={subregion.id}
+                                                    value={subregion.id}
+                                                    keywords={[
+                                                        t(subregion.name),
+                                                        subregion.id
+                                                    ]}
+                                                    onSelect={() => {
+                                                        updateRule(
+                                                            row.original.ruleId,
+                                                            { value: subregion.id }
+                                                        );
+                                                    }}
+                                                >
+                                                    <Check
+                                                        className={`mr-2 h-4 w-4 ${
+                                                            row.original.value === subregion.id
+                                                                ? "opacity-100"
+                                                                : "opacity-0"
+                                                        }`}
+                                                    />
+                                                    {t(subregion.name)} ({subregion.id})
+                                                </CommandItem>
+                                            ))}
+                                        </CommandGroup>
+                                    ))}
+                                </CommandList>
+                            </Command>
+                        </PopoverContent>
+                    </Popover>
                 ) : (
                     <Input
                         defaultValue={row.original.value}
@@ -925,6 +1034,13 @@ export default function ResourceRules(props: {
                                                                     }
                                                                 </SelectItem>
                                                             )}
+                                                            {isMaxmindAvailable && (
+                                                                <SelectItem value="REGION">
+                                                                    {
+                                                                        RuleMatch.REGION
+                                                                    }
+                                                                </SelectItem>
+                                                            )}
                                                             {isMaxmindAsnAvailable && (
                                                                 <SelectItem value="ASN">
                                                                     {
@@ -1163,6 +1279,112 @@ export default function ResourceRules(props: {
                                                                 </div>
                                                             </PopoverContent>
                                                         </Popover>
+                                                    ) : addRuleForm.watch(
+                                                        "match"
+                                                    ) === "REGION" ? (
+                                                        <Popover
+                                                            open={
+                                                                openAddRuleRegionSelect
+                                                            }
+                                                            onOpenChange={
+                                                                setOpenAddRuleRegionSelect
+                                                            }
+                                                        >
+                                                            <PopoverTrigger
+                                                                asChild
+                                                            >
+                                                                <Button
+                                                                    variant="outline"
+                                                                    role="combobox"
+                                                                    aria-expanded={
+                                                                        openAddRuleRegionSelect
+                                                                    }
+                                                                    className="w-full justify-between"
+                                                                >
+                                                                    {field.value
+                                                                        ? (() => {
+                                                                              const regionName = getRegionNameById(field.value);
+                                                                              const translatedName = regionName ? t(regionName) : field.value;
+                                                                              return `${translatedName} (${field.value})`;
+                                                                          })()
+                                                                        : t(
+                                                                              "selectRegion"
+                                                                          )}
+                                                                    <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                                                                </Button>
+                                                            </PopoverTrigger>
+                                                            <PopoverContent className="w-full p-0">
+                                                                <Command>
+                                                                    <CommandInput
+                                                                        placeholder={t(
+                                                                            "searchRegions"
+                                                                        )}
+                                                                    />
+                                                                    <CommandList>
+                                                                        <CommandEmpty>
+                                                                            {t(
+                                                                                "noRegionFound"
+                                                                            )}
+                                                                        </CommandEmpty>
+                                                                        {REGIONS.map((continent) => (
+                                                                            <CommandGroup key={continent.id} heading={t(continent.name)}>
+                                                                                <CommandItem
+                                                                                    value={continent.id}
+                                                                                    keywords={[
+                                                                                        t(continent.name),
+                                                                                        continent.id
+                                                                                    ]}
+                                                                                    onSelect={() => {
+                                                                                        field.onChange(
+                                                                                            continent.id
+                                                                                        );
+                                                                                        setOpenAddRuleRegionSelect(
+                                                                                            false
+                                                                                        );
+                                                                                    }}
+                                                                                >
+                                                                                    <Check
+                                                                                        className={`mr-2 h-4 w-4 ${
+                                                                                            field.value === continent.id
+                                                                                                ? "opacity-100"
+                                                                                                : "opacity-0"
+                                                                                        }`}
+                                                                                    />
+                                                                                    {t(continent.name)} ({continent.id})
+                                                                                </CommandItem>
+                                                                                {continent.includes.map((subregion) => (
+                                                                                    <CommandItem
+                                                                                        key={subregion.id}
+                                                                                        value={subregion.id}
+                                                                                        keywords={[
+                                                                                            t(subregion.name),
+                                                                                            subregion.id
+                                                                                        ]}
+                                                                                        onSelect={() => {
+                                                                                            field.onChange(
+                                                                                                subregion.id
+                                                                                            );
+                                                                                            setOpenAddRuleRegionSelect(
+                                                                                                false
+                                                                                            );
+                                                                                        }}
+                                                                                    >
+                                                                                        <Check
+                                                                                            className={`mr-2 h-4 w-4 ${
+                                                                                                field.value === subregion.id
+                                                                                                    ? "opacity-100"
+                                                                                                    : "opacity-0"
+                                                                                            }`}
+                                                                                        />
+                                                                                        {t(subregion.name)} ({subregion.id})
+                                                                                    </CommandItem>
+                                                                                ))}
+                                                                            </CommandGroup>
+                                                                        ))}
+                                                                    </CommandList>
+                                                                </Command>
+                                                            </PopoverContent>
+                                                        </Popover>
                                                     ) : (
                                                         <Input {...field} />
                                                     )}

From 3d4df906cfa9edf05ea8f9a645365f8577e3a421 Mon Sep 17 00:00:00 2001
From: Dennis <github@infinite-ways.de>
Date: Mon, 22 Dec 2025 18:43:43 +0100
Subject: [PATCH 002/122] Added missing translations

---
 messages/de-DE.json | 6 ++++++
 messages/ru-RU.json | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 94950748f..ea3647cf7 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1735,6 +1735,12 @@
     "country": "Land",
     "rulesMatchCountry": "Derzeit basierend auf der Quell-IP",
     "region": "Region",
+    "selectRegion": "Region wählen...",
+    "searchRegions": "Regionen suchen...",
+    "noRegionFound": "Keine Region gefunden.",
+    "rulesMatchRegion": "Wählen Sie eine Regionalgruppe von Ländern",
+    "rulesErrorInvalidRegion": "Ungültige Region",
+    "rulesErrorInvalidRegionDescription": "Bitte wählen Sie eine gültige Region aus.",
     "regionAfrica": "Afrika",
     "regionNorthernAfrica": "Nordafrika",
     "regionEasternAfrica": "Ostafrika",
diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 5eb1ee076..95814125d 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1735,6 +1735,12 @@
     "country": "Страна",
     "rulesMatchCountry": "В настоящее время основано на исходном IP",
     "region": "Регион",
+    "selectRegion": "Выберите регион",
+    "searchRegions": "Поиск регионов...",
+    "noRegionFound": "Регион не найден.",
+    "rulesMatchRegion": "Выберите региональную группу стран",
+    "rulesErrorInvalidRegion": "Некорректный регион",
+    "rulesErrorInvalidRegionDescription": "Пожалуйста, выберите корректный регион.",
     "regionAfrica": "Африка",
     "regionNorthernAfrica": "Северная Африка",
     "regionEasternAfrica": "Восточная Африка",

From 20e547a0f602cdc7f212b5f519436d1e6c140a73 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Feb 2026 17:58:11 -0800
Subject: [PATCH 003/122] first pass

---
 server/auth/actions.ts                        |  35 ++--
 server/auth/canUserAccessResource.ts          |  29 +--
 server/auth/canUserAccessSiteResource.ts      |  29 +--
 server/db/pg/schema/schema.ts                 |  21 +-
 server/db/queries/verifySessionQueries.ts     |  48 ++++-
 server/db/sqlite/schema/schema.ts             |  28 ++-
 server/index.ts                               |   2 +-
 server/lib/calculateUserClientsForOrgs.ts     |  33 ++-
 server/lib/rebuildClientAssociations.ts       |  15 +-
 server/lib/userOrg.ts                         |  16 +-
 server/lib/userOrgRoles.ts                    |  22 ++
 server/middlewares/getUserOrgs.ts             |   3 +-
 server/middlewares/verifyAccessTokenAccess.ts |   8 +-
 server/middlewares/verifyAdmin.ts             |  25 ++-
 server/middlewares/verifyApiKeyAccess.ts      |   9 +-
 server/middlewares/verifyClientAccess.ts      |  38 ++--
 server/middlewares/verifyDomainAccess.ts      |   8 +-
 server/middlewares/verifyOrgAccess.ts         |   7 +-
 server/middlewares/verifyResourceAccess.ts    |  35 ++--
 server/middlewares/verifyRoleAccess.ts        |   4 +-
 server/middlewares/verifySiteAccess.ts        |  37 ++--
 .../middlewares/verifySiteResourceAccess.ts   |  38 ++--
 server/middlewares/verifyTargetAccess.ts      |   8 +-
 server/middlewares/verifyUserInRole.ts        |   6 +-
 server/private/middlewares/verifyIdpAccess.ts |   9 +-
 .../middlewares/verifyRemoteExitNodeAccess.ts |  13 +-
 .../routers/org/sendUsageNotifications.ts     |  18 +-
 .../remoteExitNode/createRemoteExitNode.ts    |   2 +-
 server/private/routers/ssh/signSshKey.ts      |  62 ++++--
 .../routers/accessToken/listAccessTokens.ts   |   2 +-
 server/routers/badger/verifySession.ts        |  33 ++-
 server/routers/client/createClient.ts         |   4 +-
 server/routers/client/listClients.ts          |   2 +-
 server/routers/client/listUserDevices.ts      |   2 +-
 server/routers/external.ts                    |  10 +
 server/routers/idp/validateOidcCallback.ts    |  51 +++--
 server/routers/integration.ts                 |  10 +
 server/routers/newt/createNewt.ts             |   2 +-
 server/routers/olm/createOlm.ts               |   2 +-
 server/routers/org/checkOrgUserAccess.ts      |  38 +++-
 server/routers/org/createOrg.ts               |  13 +-
 server/routers/org/getOrgOverview.ts          |  18 +-
 server/routers/org/listUserOrgs.ts            |  30 ++-
 server/routers/resource/createResource.ts     |   6 +-
 server/routers/resource/getUserResources.ts   |  46 ++--
 server/routers/resource/listResources.ts      |   2 +-
 server/routers/role/deleteRole.ts             |   8 +-
 server/routers/site/createSite.ts             |   4 +-
 server/routers/site/listSites.ts              |   2 +-
 server/routers/user/acceptInvite.ts           |   4 +-
 server/routers/user/addUserRole.ts            |  35 ++--
 server/routers/user/createOrgUser.ts          |  32 +--
 server/routers/user/getOrgUser.ts             |  38 +++-
 server/routers/user/index.ts                  |   1 +
 server/routers/user/listUsers.ts              |  37 +++-
 server/routers/user/myDevice.ts               |  23 +-
 server/routers/user/removeUserRole.ts         | 157 ++++++++++++++
 server/types/Auth.ts                          |   2 +-
 .../users/[userId]/access-controls/page.tsx   | 196 ++++++++++++------
 .../[orgId]/settings/access/users/page.tsx    |   4 +-
 60 files changed, 1023 insertions(+), 399 deletions(-)
 create mode 100644 server/lib/userOrgRoles.ts
 create mode 100644 server/routers/user/removeUserRole.ts

diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 3f5a145b6..feb91560a 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -1,7 +1,7 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { userActions, roleActions } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 
@@ -52,6 +52,7 @@ export enum ActionsEnum {
     listRoleResources = "listRoleResources",
     // listRoleActions = "listRoleActions",
     addUserRole = "addUserRole",
+    removeUserRole = "removeUserRole",
     // addUserSite = "addUserSite",
     // addUserAction = "addUserAction",
     // removeUserAction = "removeUserAction",
@@ -153,29 +154,19 @@ export async function checkUserActionPermission(
     }
 
     try {
-        let userOrgRoleId = req.userOrgRoleId;
+        let userOrgRoleIds = req.userOrgRoleIds;
 
-        // If userOrgRoleId is not available on the request, fetch it
-        if (userOrgRoleId === undefined) {
-            const userOrgRole = await db
-                .select()
-                .from(userOrgs)
-                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, req.userOrgId!)
-                    )
-                )
-                .limit(1);
-
-            if (userOrgRole.length === 0) {
+        if (userOrgRoleIds === undefined) {
+            const { getUserOrgRoleIds } = await import(
+                "@server/lib/userOrgRoles"
+            );
+            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
+            if (userOrgRoleIds.length === 0) {
                 throw createHttpError(
                     HttpCode.FORBIDDEN,
                     "User does not have access to this organization"
                 );
             }
-
-            userOrgRoleId = userOrgRole[0].roleId;
         }
 
         // Check if the user has direct permission for the action in the current org
@@ -186,7 +177,7 @@ export async function checkUserActionPermission(
                 and(
                     eq(userActions.userId, userId),
                     eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
+                    eq(userActions.orgId, req.userOrgId!)
                 )
             )
             .limit(1);
@@ -195,14 +186,14 @@ export async function checkUserActionPermission(
             return true;
         }
 
-        // If no direct permission, check role-based permission
+        // If no direct permission, check role-based permission (any of user's roles)
         const roleActionPermission = await db
             .select()
             .from(roleActions)
             .where(
                 and(
                     eq(roleActions.actionId, actionId),
-                    eq(roleActions.roleId, userOrgRoleId!),
+                    inArray(roleActions.roleId, userOrgRoleIds),
                     eq(roleActions.orgId, req.userOrgId!)
                 )
             )
diff --git a/server/auth/canUserAccessResource.ts b/server/auth/canUserAccessResource.ts
index 161a0bee9..2c8911490 100644
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";
 
 export async function canUserAccessResource({
     userId,
     resourceId,
-    roleId
+    roleIds
 }: {
     userId: string;
     resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleResources)
+                  .where(
+                      and(
+                          eq(roleResources.resourceId, resourceId),
+                          inArray(roleResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];
 
     if (roleResourceAccess.length > 0) {
         return true;
diff --git a/server/auth/canUserAccessSiteResource.ts b/server/auth/canUserAccessSiteResource.ts
index 959b0eff6..7e6ec9bb8 100644
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 
 export async function canUserAccessSiteResource({
     userId,
     resourceId,
-    roleId
+    roleIds
 }: {
     userId: string;
     resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleSiteResources)
-        .where(
-            and(
-                eq(roleSiteResources.siteResourceId, resourceId),
-                eq(roleSiteResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleSiteResources)
+                  .where(
+                      and(
+                          eq(roleSiteResources.siteResourceId, resourceId),
+                          inArray(roleSiteResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];
 
     if (roleResourceAccess.length > 0) {
         return true;
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index ae90020a0..1d38bfb3e 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -9,6 +9,7 @@ import {
     real,
     serial,
     text,
+    unique,
     varchar
 } from "drizzle-orm/pg-core";
 
@@ -332,9 +333,6 @@ export const userOrgs = pgTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: boolean("isOwner").notNull().default(false),
     autoProvisioned: boolean("autoProvisioned").default(false),
     pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -383,6 +381,22 @@ export const roles = pgTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = pgTable(
+    "userOrgRoles",
+    {
+        userId: varchar("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = pgTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1031,6 +1045,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts
index 280c8a119..469df590d 100644
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -12,6 +12,7 @@ import {
     resources,
     roleResources,
     sessions,
+    userOrgRoles,
     userOrgs,
     userResources,
     users,
@@ -104,24 +105,57 @@ export async function getUserSessionWithUser(
 }
 
 /**
- * Get user organization role
+ * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
+ * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
  */
 export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrgRole = await db
+    const userOrg = await db
         .select({
             userId: userOrgs.userId,
             orgId: userOrgs.orgId,
-            roleId: userOrgs.roleId,
             isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned,
-            roleName: roles.name
+            autoProvisioned: userOrgs.autoProvisioned
         })
         .from(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .limit(1);
 
-    return userOrgRole.length > 0 ? userOrgRole[0] : null;
+    if (userOrg.length === 0) return null;
+
+    const [firstRole] = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        )
+        .limit(1);
+
+    return firstRole
+        ? {
+              ...userOrg[0],
+              roleId: firstRole.roleId,
+              roleName: firstRole.roleName
+          }
+        : { ...userOrg[0], roleId: null, roleName: null };
+}
+
+/**
+ * Get role name by role ID (for display).
+ */
+export async function getRoleName(roleId: number): Promise<string | null> {
+    const [row] = await db
+        .select({ name: roles.name })
+        .from(roles)
+        .where(eq(roles.roleId, roleId))
+        .limit(1);
+    return row?.name ?? null;
 }
 
 /**
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 64866e679..2d475808b 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,6 +1,12 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+import {
+    index,
+    integer,
+    sqliteTable,
+    text,
+    unique
+} from "drizzle-orm/sqlite-core";
 
 export const domains = sqliteTable("domains", {
     domainId: text("domainId").primaryKey(),
@@ -635,9 +641,6 @@ export const userOrgs = sqliteTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
     autoProvisioned: integer("autoProvisioned", {
         mode: "boolean"
@@ -692,6 +695,22 @@ export const roles = sqliteTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = sqliteTable(
+    "userOrgRoles",
+    {
+        userId: text("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = sqliteTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -1126,6 +1145,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
diff --git a/server/index.ts b/server/index.ts
index a61daca7f..0fc44c279 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -74,7 +74,7 @@ declare global {
             session: Session;
             userOrg?: UserOrg;
             apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleId?: number;
+            userOrgRoleIds?: number[];
             userOrgId?: string;
             userOrgIds?: string[];
             remoteExitNode?: RemoteExitNode;
diff --git a/server/lib/calculateUserClientsForOrgs.ts b/server/lib/calculateUserClientsForOrgs.ts
index 4be76dddc..02ac0c417 100644
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -10,6 +10,7 @@ import {
     roles,
     Transaction,
     userClients,
+    userOrgRoles,
     userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -39,20 +40,36 @@ export async function calculateUserClientsForOrgs(
             return;
         }
 
-        // Get all user orgs
-        const allUserOrgs = await transaction
+        // Get all user orgs with all roles (for org list and role-based logic)
+        const userOrgRoleRows = await transaction
             .select()
             .from(userOrgs)
-            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
+            .innerJoin(
+                userOrgRoles,
+                and(
+                    eq(userOrgs.userId, userOrgRoles.userId),
+                    eq(userOrgs.orgId, userOrgRoles.orgId)
+                )
+            )
+            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
             .where(eq(userOrgs.userId, userId));
 
-        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
+        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
+        const orgIdToRoleRows = new Map<
+            string,
+            (typeof userOrgRoleRows)[0][]
+        >();
+        for (const r of userOrgRoleRows) {
+            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
+            list.push(r);
+            orgIdToRoleRows.set(r.userOrgs.orgId, list);
+        }
 
         // For each OLM, ensure there's a client in each org the user is in
         for (const olm of userOlms) {
-            for (const userRoleOrg of allUserOrgs) {
-                const { userOrgs: userOrg, roles: role } = userRoleOrg;
-                const orgId = userOrg.orgId;
+            for (const orgId of orgIdToRoleRows.keys()) {
+                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
+                const userOrg = roleRowsForOrg[0].userOrgs;
 
                 const [org] = await transaction
                     .select()
@@ -196,7 +213,7 @@ export async function calculateUserClientsForOrgs(
                 const requireApproval =
                     build !== "oss" &&
                     isOrgLicensed &&
-                    role.requireDeviceApproval;
+                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
 
                 const newClientData: InferInsertModel<typeof clients> = {
                     userId,
diff --git a/server/lib/rebuildClientAssociations.ts b/server/lib/rebuildClientAssociations.ts
index 625e57935..7ec767492 100644
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -14,6 +14,7 @@ import {
     siteResources,
     sites,
     Transaction,
+    userOrgRoles,
     userOrgs,
     userSiteResources
 } from "@server/db";
@@ -77,10 +78,10 @@ export async function getClientSiteResourceAccess(
     // get all of the users in these roles
     const userIdsFromRoles = await trx
         .select({
-            userId: userOrgs.userId
+            userId: userOrgRoles.userId
         })
-        .from(userOrgs)
-        .where(inArray(userOrgs.roleId, roleIds))
+        .from(userOrgRoles)
+        .where(inArray(userOrgRoles.roleId, roleIds))
         .then((rows) => rows.map((row) => row.userId));
 
     const newAllUserIds = Array.from(
@@ -811,12 +812,12 @@ export async function rebuildClientAssociationsFromClient(
 
         // Role-based access
         const roleIds = await trx
-            .select({ roleId: userOrgs.roleId })
-            .from(userOrgs)
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
             .where(
                 and(
-                    eq(userOrgs.userId, client.userId),
-                    eq(userOrgs.orgId, client.orgId)
+                    eq(userOrgRoles.userId, client.userId),
+                    eq(userOrgRoles.orgId, client.orgId)
                 )
             ) // this needs to be locked onto this org or else cross-org access could happen
             .then((rows) => rows.map((row) => row.roleId));
diff --git a/server/lib/userOrg.ts b/server/lib/userOrg.ts
index 6ed10039b..fb0b88c2b 100644
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -6,7 +6,7 @@ import {
     siteResources,
     sites,
     Transaction,
-    UserOrg,
+    userOrgRoles,
     userOrgs,
     userResources,
     userSiteResources,
@@ -19,9 +19,15 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
     org: Org,
     values: typeof userOrgs.$inferInsert,
+    roleId: number,
     trx: Transaction | typeof db = db
 ) {
     const [userOrg] = await trx.insert(userOrgs).values(values).returning();
+    await trx.insert(userOrgRoles).values({
+        userId: userOrg.userId,
+        orgId: userOrg.orgId,
+        roleId
+    });
 
     // calculate if the user is in any other of the orgs before we count it as an add to the billing org
     if (org.billingOrgId) {
@@ -58,6 +64,14 @@ export async function removeUserFromOrg(
     userId: string,
     trx: Transaction | typeof db = db
 ) {
+    await trx
+        .delete(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, org.orgId)
+            )
+        );
     await trx
         .delete(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));
diff --git a/server/lib/userOrgRoles.ts b/server/lib/userOrgRoles.ts
new file mode 100644
index 000000000..5a4d75659
--- /dev/null
+++ b/server/lib/userOrgRoles.ts
@@ -0,0 +1,22 @@
+import { db, userOrgRoles } from "@server/db";
+import { and, eq } from "drizzle-orm";
+
+/**
+ * Get all role IDs a user has in an organization.
+ * Returns empty array if the user has no roles in the org (callers must treat as no access).
+ */
+export async function getUserOrgRoleIds(
+    userId: string,
+    orgId: string
+): Promise<number[]> {
+    const rows = await db
+        .select({ roleId: userOrgRoles.roleId })
+        .from(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+    return rows.map((r) => r.roleId);
+}
diff --git a/server/middlewares/getUserOrgs.ts b/server/middlewares/getUserOrgs.ts
index d7905700e..fa9794fb9 100644
--- a/server/middlewares/getUserOrgs.ts
+++ b/server/middlewares/getUserOrgs.ts
@@ -21,8 +21,7 @@ export async function getUserOrgs(
     try {
         const userOrganizations = await db
             .select({
-                orgId: userOrgs.orgId,
-                roleId: userOrgs.roleId
+                orgId: userOrgs.orgId
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));
diff --git a/server/middlewares/verifyAccessTokenAccess.ts b/server/middlewares/verifyAccessTokenAccess.ts
index 033b326d9..f1f2ca52e 100644
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAccessTokenAccess(
     req: Request,
@@ -93,7 +94,10 @@ export async function verifyAccessTokenAccess(
                 )
             );
         } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -118,7 +122,7 @@ export async function verifyAccessTokenAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
         });
 
         if (!resourceAllowed) {
diff --git a/server/middlewares/verifyAdmin.ts b/server/middlewares/verifyAdmin.ts
index 253bfc2dd..0dbeac2cb 100644
--- a/server/middlewares/verifyAdmin.ts
+++ b/server/middlewares/verifyAdmin.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyAdmin(
     req: Request,
@@ -62,13 +63,29 @@ export async function verifyAdmin(
         }
     }
 
-    const userRole = await db
+    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
+
+    if (req.userOrgRoleIds.length === 0) {
+        return next(
+            createHttpError(
+                HttpCode.FORBIDDEN,
+                "User does not have Admin access"
+            )
+        );
+    }
+
+    const userAdminRoles = await db
         .select()
         .from(roles)
-        .where(eq(roles.roleId, req.userOrg.roleId))
+        .where(
+            and(
+                inArray(roles.roleId, req.userOrgRoleIds),
+                eq(roles.isAdmin, true)
+            )
+        )
         .limit(1);
 
-    if (userRole.length === 0 || !userRole[0].isAdmin) {
+    if (userAdminRoles.length === 0) {
         return next(
             createHttpError(
                 HttpCode.FORBIDDEN,
diff --git a/server/middlewares/verifyApiKeyAccess.ts b/server/middlewares/verifyApiKeyAccess.ts
index 6edc5ab8e..b497892c8 100644
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyApiKeyAccess(
     req: Request,
@@ -103,8 +104,10 @@ export async function verifyApiKeyAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            orgId
+        );
 
         return next();
     } catch (error) {
diff --git a/server/middlewares/verifyClientAccess.ts b/server/middlewares/verifyClientAccess.ts
index d2df38a4b..1d994b53f 100644
--- a/server/middlewares/verifyClientAccess.ts
+++ b/server/middlewares/verifyClientAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyClientAccess(
     req: Request,
@@ -113,21 +114,30 @@ export async function verifyClientAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            client.orgId
+        );
         req.userOrgId = client.orgId;
 
-        // Check role-based site access first
-        const [roleClientAccess] = await db
-            .select()
-            .from(roleClients)
-            .where(
-                and(
-                    eq(roleClients.clientId, client.clientId),
-                    eq(roleClients.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based client access (any of user's roles)
+        const roleClientAccessList =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleClients)
+                      .where(
+                          and(
+                              eq(roleClients.clientId, client.clientId),
+                              inArray(
+                                  roleClients.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
+        const [roleClientAccess] = roleClientAccessList;
 
         if (roleClientAccess) {
             // User has access to the site through their role
diff --git a/server/middlewares/verifyDomainAccess.ts b/server/middlewares/verifyDomainAccess.ts
index 88ffe678d..c9ecf42e0 100644
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs, apiKeyOrg } from "@server/db";
+import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyDomainAccess(
     req: Request,
@@ -63,7 +64,7 @@ export async function verifyDomainAccess(
                 .where(
                     and(
                         eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, apiKeyOrg.orgId)
+                        eq(userOrgs.orgId, orgId)
                     )
                 )
                 .limit(1);
@@ -97,8 +98,7 @@ export async function verifyDomainAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
 
         return next();
     } catch (error) {
diff --git a/server/middlewares/verifyOrgAccess.ts b/server/middlewares/verifyOrgAccess.ts
index 729766abd..cb797afb0 100644
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
-import { db, orgs } from "@server/db";
+import { db } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyOrgAccess(
     req: Request,
@@ -64,8 +65,8 @@ export async function verifyOrgAccess(
             }
         }
 
-        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRoleId = req.userOrg.roleId;
+        // User has access, attach the user's role(s) to the request for potential future use
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
         req.userOrgId = orgId;
 
         return next();
diff --git a/server/middlewares/verifyResourceAccess.ts b/server/middlewares/verifyResourceAccess.ts
index 2ae591ee1..ba49f02e3 100644
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyResourceAccess(
     req: Request,
@@ -107,20 +108,28 @@ export async function verifyResourceAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            resource.orgId
+        );
         req.userOrgId = resource.orgId;
 
-        const roleResourceAccess = await db
-            .select()
-            .from(roleResources)
-            .where(
-                and(
-                    eq(roleResources.resourceId, resource.resourceId),
-                    eq(roleResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleResources)
+                      .where(
+                          and(
+                              eq(roleResources.resourceId, resource.resourceId),
+                              inArray(
+                                  roleResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleResourceAccess.length > 0) {
             return next();
diff --git a/server/middlewares/verifyRoleAccess.ts b/server/middlewares/verifyRoleAccess.ts
index 8858ab53f..380b82048 100644
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRoleAccess(
     req: Request,
@@ -99,7 +100,6 @@ export async function verifyRoleAccess(
         }
 
         if (!req.userOrg) {
-            // get the userORg
             const userOrg = await db
                 .select()
                 .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                 .limit(1);
 
             req.userOrg = userOrg[0];
-            req.userOrgRoleId = userOrg[0].roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
         }
 
         if (!req.userOrg) {
diff --git a/server/middlewares/verifySiteAccess.ts b/server/middlewares/verifySiteAccess.ts
index 98858cfb9..e630cf0f1 100644
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteAccess(
     req: Request,
@@ -112,21 +113,29 @@ export async function verifySiteAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            site.orgId
+        );
         req.userOrgId = site.orgId;
 
-        // Check role-based site access first
-        const roleSiteAccess = await db
-            .select()
-            .from(roleSites)
-            .where(
-                and(
-                    eq(roleSites.siteId, site.siteId),
-                    eq(roleSites.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based site access first (any of user's roles)
+        const roleSiteAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSites)
+                      .where(
+                          and(
+                              eq(roleSites.siteId, site.siteId),
+                              inArray(
+                                  roleSites.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleSiteAccess.length > 0) {
             // User's role has access to the site
diff --git a/server/middlewares/verifySiteResourceAccess.ts b/server/middlewares/verifySiteResourceAccess.ts
index ca7d37fb3..8d5bd656f 100644
--- a/server/middlewares/verifySiteResourceAccess.ts
+++ b/server/middlewares/verifySiteResourceAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteResourceAccess(
     req: Request,
@@ -109,23 +110,34 @@ export async function verifySiteResourceAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            siteResource.orgId
+        );
         req.userOrgId = siteResource.orgId;
 
         // Attach the siteResource to the request for use in the next middleware/route
         req.siteResource = siteResource;
 
-        const roleResourceAccess = await db
-            .select()
-            .from(roleSiteResources)
-            .where(
-                and(
-                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
-                    eq(roleSiteResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSiteResources)
+                      .where(
+                          and(
+                              eq(
+                                  roleSiteResources.siteResourceId,
+                                  siteResourceIdNum
+                              ),
+                              inArray(
+                                  roleSiteResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
 
         if (roleResourceAccess.length > 0) {
             return next();
diff --git a/server/middlewares/verifyTargetAccess.ts b/server/middlewares/verifyTargetAccess.ts
index 7e433fcb8..141a04549 100644
--- a/server/middlewares/verifyTargetAccess.ts
+++ b/server/middlewares/verifyTargetAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyTargetAccess(
     req: Request,
@@ -99,7 +100,10 @@ export async function verifyTargetAccess(
                 )
             );
         } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
             req.userOrgId = resource[0].orgId!;
         }
 
@@ -126,7 +130,7 @@ export async function verifyTargetAccess(
         const resourceAllowed = await canUserAccessResource({
             userId,
             resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
         });
 
         if (!resourceAllowed) {
diff --git a/server/middlewares/verifyUserInRole.ts b/server/middlewares/verifyUserInRole.ts
index 2a153114d..18eeb44f3 100644
--- a/server/middlewares/verifyUserInRole.ts
+++ b/server/middlewares/verifyUserInRole.ts
@@ -12,7 +12,7 @@ export async function verifyUserInRole(
         const roleId = parseInt(
             req.params.roleId || req.body.roleId || req.query.roleId
         );
-        const userRoleId = req.userOrgRoleId;
+        const userOrgRoleIds = req.userOrgRoleIds ?? [];
 
         if (isNaN(roleId)) {
             return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (!userRoleId) {
+        if (userOrgRoleIds.length === 0) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
             );
         }
 
-        if (userRoleId !== roleId) {
+        if (!userOrgRoleIds.includes(roleId)) {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
diff --git a/server/private/middlewares/verifyIdpAccess.ts b/server/private/middlewares/verifyIdpAccess.ts
index 410956844..2dbc1b8ff 100644
--- a/server/private/middlewares/verifyIdpAccess.ts
+++ b/server/private/middlewares/verifyIdpAccess.ts
@@ -13,9 +13,10 @@
 
 import { Request, Response, NextFunction } from "express";
 import { userOrgs, db, idp, idpOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyIdpAccess(
     req: Request,
@@ -84,8 +85,10 @@ export async function verifyIdpAccess(
             );
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            idpRes.idpOrg.orgId
+        );
 
         return next();
     } catch (error) {
diff --git a/server/private/middlewares/verifyRemoteExitNodeAccess.ts b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
index a2cd2bace..7d6128d8f 100644
--- a/server/private/middlewares/verifyRemoteExitNodeAccess.ts
+++ b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
@@ -12,11 +12,12 @@
  */
 
 import { Request, Response, NextFunction } from "express";
-import { db, exitNodeOrgs, exitNodes, remoteExitNodes } from "@server/db";
-import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { db, exitNodeOrgs, remoteExitNodes } from "@server/db";
+import { userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyRemoteExitNodeAccess(
     req: Request,
@@ -103,8 +104,10 @@ export async function verifyRemoteExitNodeAccess(
             );
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            exitNodeOrg.orgId
+        );
 
         return next();
     } catch (error) {
diff --git a/server/private/routers/org/sendUsageNotifications.ts b/server/private/routers/org/sendUsageNotifications.ts
index 4aa421520..72fc00d4c 100644
--- a/server/private/routers/org/sendUsageNotifications.ts
+++ b/server/private/routers/org/sendUsageNotifications.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userOrgs, users, roles, orgs } from "@server/db";
+import { userOrgs, userOrgRoles, users, roles, orgs } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -95,7 +95,14 @@ async function getOrgAdmins(orgId: string) {
         })
         .from(userOrgs)
         .innerJoin(users, eq(userOrgs.userId, users.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
+        .leftJoin(
+            userOrgRoles,
+            and(
+                eq(userOrgs.userId, userOrgRoles.userId),
+                eq(userOrgs.orgId, userOrgRoles.orgId)
+            )
+        )
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
         .where(
             and(
                 eq(userOrgs.orgId, orgId),
@@ -103,8 +110,11 @@ async function getOrgAdmins(orgId: string) {
             )
         );
 
-    // Filter to only include users with verified emails
-    const orgAdmins = admins.filter(
+    // Dedupe by userId (user may have multiple roles)
+    const byUserId = new Map(
+        admins.map((a) => [a.userId, a])
+    );
+    const orgAdmins = Array.from(byUserId.values()).filter(
         (admin) => admin.email && admin.email.length > 0
     );
 
diff --git a/server/private/routers/remoteExitNode/createRemoteExitNode.ts b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
index 6d5b5ea6f..f24afdde1 100644
--- a/server/private/routers/remoteExitNode/createRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
@@ -79,7 +79,7 @@ export async function createRemoteExitNode(
 
         const { remoteExitNodeId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index fbdee72d1..f45db3c85 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -30,7 +30,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq, or, and } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
 import config from "@server/lib/config";
@@ -122,7 +122,7 @@ export async function signSshKey(
             resource: resourceQueryString
         } = parsedBody.data;
         const userId = req.user?.userId;
-        const roleId = req.userOrgRoleId!;
+        const roleIds = req.userOrgRoleIds ?? [];
 
         if (!userId) {
             return next(
@@ -130,6 +130,15 @@ export async function signSshKey(
             );
         }
 
+        if (roleIds.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User has no role in organization"
+                )
+            );
+        }
+
         const [userOrg] = await db
             .select()
             .from(userOrgs)
@@ -310,11 +319,11 @@ export async function signSshKey(
             );
         }
 
-        // Check if the user has access to the resource
+        // Check if the user has access to the resource (any of their roles)
         const hasAccess = await canUserAccessSiteResource({
             userId: userId,
             resourceId: resource.siteResourceId,
-            roleId: roleId
+            roleIds
         });
 
         if (!hasAccess) {
@@ -326,28 +335,39 @@ export async function signSshKey(
             );
         }
 
-        const [roleRow] = await db
+        const roleRows = await db
             .select()
             .from(roles)
-            .where(eq(roles.roleId, roleId))
-            .limit(1);
+            .where(inArray(roles.roleId, roleIds));
 
-        let parsedSudoCommands: string[] = [];
-        let parsedGroups: string[] = [];
-        try {
-            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
-        } catch {
-            parsedSudoCommands = [];
+        const parsedSudoCommands: string[] = [];
+        const parsedGroupsSet = new Set<string>();
+        let homedir: boolean | null = null;
+        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
+        let sudoMode: "none" | "commands" | "all" = "none";
+        for (const roleRow of roleRows) {
+            try {
+                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
+            } catch {
+                // skip
+            }
+            try {
+                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
+            } catch {
+                // skip
+            }
+            if (roleRow?.sshCreateHomeDir === true) homedir = true;
+            const m = roleRow?.sshSudoMode ?? "none";
+            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
+                sudoMode = m as "none" | "commands" | "all";
+            }
         }
-        try {
-            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-            if (!Array.isArray(parsedGroups)) parsedGroups = [];
-        } catch {
-            parsedGroups = [];
+        const parsedGroups = Array.from(parsedGroupsSet);
+        if (homedir === null && roleRows.length > 0) {
+            homedir = roleRows[0].sshCreateHomeDir ?? null;
         }
-        const homedir = roleRow?.sshCreateHomeDir ?? null;
-        const sudoMode = roleRow?.sshSudoMode ?? "none";
 
         // get the site
         const [newt] = await db
diff --git a/server/routers/accessToken/listAccessTokens.ts b/server/routers/accessToken/listAccessTokens.ts
index 2f929fc62..495afeb3c 100644
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@@ -208,7 +208,7 @@ export async function listAccessTokens(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index b5c66c0e9..2f6f7ac12 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -3,12 +3,13 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
     getResourceByDomain,
     getResourceRules,
+    getRoleName,
     getRoleResourceAccess,
-    getUserOrgRole,
     getUserResourceAccess,
     getOrgLoginPage,
     getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 import {
     LoginPage,
     Org,
@@ -916,9 +917,9 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const userOrgRole = await getUserOrgRole(user.userId, resource.orgId);
+    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
 
-    if (!userOrgRole) {
+    if (!userOrgRoleIds.length) {
         return null;
     }
 
@@ -934,17 +935,23 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const roleResourceAccess = await getRoleResourceAccess(
-        resource.resourceId,
-        userOrgRole.roleId
-    );
-
-    if (roleResourceAccess) {
+    const roleNames: string[] = [];
+    for (const roleId of userOrgRoleIds) {
+        const roleResourceAccess = await getRoleResourceAccess(
+            resource.resourceId,
+            roleId
+        );
+        if (roleResourceAccess) {
+            const roleName = await getRoleName(roleId);
+            if (roleName) roleNames.push(roleName);
+        }
+    }
+    if (roleNames.length > 0) {
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: userOrgRole.roleName
+            role: roleNames.join(", ")
         };
     }
 
@@ -954,11 +961,15 @@ async function isUserAllowedToAccessResource(
     );
 
     if (userResourceAccess) {
+        const names = await Promise.all(
+            userOrgRoleIds.map((id) => getRoleName(id))
+        );
+        const role = names.filter(Boolean).join(", ") || "";
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: userOrgRole.roleName
+            role
         };
     }
 
diff --git a/server/routers/client/createClient.ts b/server/routers/client/createClient.ts
index 4eafb0616..3e5ba4fa1 100644
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -92,7 +92,7 @@ export async function createClient(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -234,7 +234,7 @@ export async function createClient(
                 clientId: newClient.clientId
             });
 
-            if (req.user && req.userOrgRoleId != adminRole.roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole.roleId)) {
                 // make sure the user can access the client
                 trx.insert(userClients).values({
                     userId: req.user.userId,
diff --git a/server/routers/client/listClients.ts b/server/routers/client/listClients.ts
index 53a66150c..95d6281bf 100644
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -297,7 +297,7 @@ export async function listClients(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/client/listUserDevices.ts b/server/routers/client/listUserDevices.ts
index 54fffe43b..4d37dc440 100644
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -316,7 +316,7 @@ export async function listUserDevices(
                 .where(
                     or(
                         eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 45ab58bba..bae7bb4db 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -654,6 +654,16 @@ authenticated.post(
     user.addUserRole
 );
 
+authenticated.delete(
+    "/role/:roleId/remove/:userId",
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyResourceAccess,
diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index e34621856..8714c4d38 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -13,6 +13,7 @@ import {
     orgs,
     Role,
     roles,
+    userOrgRoles,
     userOrgs,
     users
 } from "@server/db";
@@ -570,32 +571,28 @@ export async function validateOidcCallback(
                     }
                 }
 
-                // Update roles for existing auto-provisioned orgs where the role has changed
-                const orgsToUpdate = autoProvisionedOrgs.filter(
-                    (currentOrg) => {
-                        const newOrg = userOrgInfo.find(
-                            (newOrg) => newOrg.orgId === currentOrg.orgId
-                        );
-                        return newOrg && newOrg.roleId !== currentOrg.roleId;
-                    }
-                );
-
-                if (orgsToUpdate.length > 0) {
-                    for (const org of orgsToUpdate) {
-                        const newRole = userOrgInfo.find(
-                            (newOrg) => newOrg.orgId === org.orgId
-                        );
-                        if (newRole) {
-                            await trx
-                                .update(userOrgs)
-                                .set({ roleId: newRole.roleId })
-                                .where(
-                                    and(
-                                        eq(userOrgs.userId, userId!),
-                                        eq(userOrgs.orgId, org.orgId)
-                                    )
-                                );
-                        }
+                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
+                const userRolesInOrgs = await trx
+                    .select()
+                    .from(userOrgRoles)
+                    .where(eq(userOrgRoles.userId, userId!));
+                for (const currentOrg of autoProvisionedOrgs) {
+                    const newRole = userOrgInfo.find(
+                        (newOrg) => newOrg.orgId === currentOrg.orgId
+                    );
+                    if (!newRole) continue;
+                    const currentRolesInOrg = userRolesInOrgs.filter(
+                        (r) => r.orgId === currentOrg.orgId
+                    );
+                    const hasIdpRole = currentRolesInOrg.some(
+                        (r) => r.roleId === newRole.roleId
+                    );
+                    if (!hasIdpRole) {
+                        await trx.insert(userOrgRoles).values({
+                            userId: userId!,
+                            orgId: currentOrg.orgId,
+                            roleId: newRole.roleId
+                        });
                     }
                 }
 
@@ -619,9 +616,9 @@ export async function validateOidcCallback(
                                 {
                                     orgId: org.orgId,
                                     userId: userId!,
-                                    roleId: org.roleId,
                                     autoProvisioned: true,
                                 },
+                                org.roleId,
                                 trx
                             );
                         }
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 6c39fe983..56e44c661 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -532,6 +532,16 @@ authenticated.post(
     user.addUserRole
 );
 
+authenticated.delete(
+    "/role/:roleId/remove/:userId",
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
 authenticated.post(
     "/resource/:resourceId/roles",
     verifyApiKeyResourceAccess,
diff --git a/server/routers/newt/createNewt.ts b/server/routers/newt/createNewt.ts
index b5da405e6..68cdcacf8 100644
--- a/server/routers/newt/createNewt.ts
+++ b/server/routers/newt/createNewt.ts
@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
diff --git a/server/routers/olm/createOlm.ts b/server/routers/olm/createOlm.ts
index b5da405e6..68cdcacf8 100644
--- a/server/routers/olm/createOlm.ts
+++ b/server/routers/olm/createOlm.ts
@@ -46,7 +46,7 @@ export async function createNewt(
 
         const { newtId, secret } = parsedBody.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
diff --git a/server/routers/org/checkOrgUserAccess.ts b/server/routers/org/checkOrgUserAccess.ts
index d9f0364e3..19e39c4fe 100644
--- a/server/routers/org/checkOrgUserAccess.ts
+++ b/server/routers/org/checkOrgUserAccess.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgs, users } from "@server/db";
+import { roles, userOrgRoles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -14,7 +14,7 @@ import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { CheckOrgAccessPolicyResult } from "@server/lib/checkOrgAccessPolicy";
 
 async function queryUser(orgId: string, userId: string) {
-    const [user] = await db
+    const [userRow] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -22,10 +22,7 @@ async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
-            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -35,13 +32,40 @@ async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-    return user;
+
+    if (!userRow) return undefined;
+
+    const roleRows = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name,
+            isAdmin: roles.isAdmin
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+
+    const isAdmin = roleRows.some((r) => r.isAdmin);
+
+    return {
+        ...userRow,
+        isAdmin,
+        roleIds: roleRows.map((r) => r.roleId),
+        roles: roleRows.map((r) => ({
+            roleId: r.roleId,
+            name: r.roleName ?? ""
+        }))
+    };
 }
 
 export type CheckOrgUserAccessResponse = CheckOrgAccessPolicyResult;
diff --git a/server/routers/org/createOrg.ts b/server/routers/org/createOrg.ts
index 1a5d8799f..22dc742fa 100644
--- a/server/routers/org/createOrg.ts
+++ b/server/routers/org/createOrg.ts
@@ -9,6 +9,7 @@ import {
     orgs,
     roleActions,
     roles,
+    userOrgRoles,
     userOrgs,
     users,
     actions
@@ -312,9 +313,13 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: req.user!.userId,
                     orgId: newOrg[0].orgId,
-                    roleId: roleId,
                     isOwner: true
                 });
+                await trx.insert(userOrgRoles).values({
+                    userId: req.user!.userId,
+                    orgId: newOrg[0].orgId,
+                    roleId
+                });
                 ownerUserId = req.user!.userId;
             } else {
                 // if org created by root api key, set the server admin as the owner
@@ -332,9 +337,13 @@ export async function createOrg(
                 await trx.insert(userOrgs).values({
                     userId: serverAdmin.userId,
                     orgId: newOrg[0].orgId,
-                    roleId: roleId,
                     isOwner: true
                 });
+                await trx.insert(userOrgRoles).values({
+                    userId: serverAdmin.userId,
+                    orgId: newOrg[0].orgId,
+                    roleId
+                });
                 ownerUserId = serverAdmin.userId;
             }
 
diff --git a/server/routers/org/getOrgOverview.ts b/server/routers/org/getOrgOverview.ts
index d368d1b3c..fcdd7c0ed 100644
--- a/server/routers/org/getOrgOverview.ts
+++ b/server/routers/org/getOrgOverview.ts
@@ -117,20 +117,26 @@ export async function getOrgOverview(
             .from(userOrgs)
             .where(eq(userOrgs.orgId, orgId));
 
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, req.userOrg.roleId));
+        const roleIds = req.userOrgRoleIds ?? [];
+        const roleRows =
+            roleIds.length > 0
+                ? await db
+                      .select({ name: roles.name, isAdmin: roles.isAdmin })
+                      .from(roles)
+                      .where(inArray(roles.roleId, roleIds))
+                : [];
+        const userRoleName = roleRows.map((r) => r.name ?? "").join(", ") ?? "";
+        const isAdmin = roleRows.some((r) => r.isAdmin === true);
 
         return response<GetOrgOverviewResponse>(res, {
             data: {
                 orgName: org[0].name,
                 orgId: org[0].orgId,
-                userRoleName: role.name,
+                userRoleName,
                 numSites,
                 numUsers,
                 numResources,
-                isAdmin: role.isAdmin || false,
+                isAdmin,
                 isOwner: req.userOrg?.isOwner || false
             },
             success: true,
diff --git a/server/routers/org/listUserOrgs.ts b/server/routers/org/listUserOrgs.ts
index 301d0203e..8e6ce649d 100644
--- a/server/routers/org/listUserOrgs.ts
+++ b/server/routers/org/listUserOrgs.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, roles } from "@server/db";
-import { Org, orgs, userOrgs } from "@server/db";
+import { Org, orgs, userOrgRoles, userOrgs } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -82,10 +82,7 @@ export async function listUserOrgs(
         const { userId } = parsedParams.data;
 
         const userOrganizations = await db
-            .select({
-                orgId: userOrgs.orgId,
-                roleId: userOrgs.roleId
-            })
+            .select({ orgId: userOrgs.orgId })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId));
 
@@ -116,10 +113,27 @@ export async function listUserOrgs(
                 userOrgs,
                 and(eq(userOrgs.orgId, orgs.orgId), eq(userOrgs.userId, userId))
             )
-            .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
             .limit(limit)
             .offset(offset);
 
+        const roleRows = await db
+            .select({
+                orgId: userOrgRoles.orgId,
+                isAdmin: roles.isAdmin
+            })
+            .from(userOrgRoles)
+            .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    inArray(userOrgRoles.orgId, userOrgIds)
+                )
+            );
+
+        const orgHasAdmin = new Set(
+            roleRows.filter((r) => r.isAdmin).map((r) => r.orgId)
+        );
+
         const totalCountResult = await db
             .select({ count: sql<number>`cast(count(*) as integer)` })
             .from(orgs)
@@ -133,8 +147,8 @@ export async function listUserOrgs(
             if (val.userOrgs && val.userOrgs.isOwner) {
                 res.isOwner = val.userOrgs.isOwner;
             }
-            if (val.roles && val.roles.isAdmin) {
-                res.isAdmin = val.roles.isAdmin;
+            if (val.orgs && orgHasAdmin.has(val.orgs.orgId)) {
+                res.isAdmin = true;
             }
             if (val.userOrgs?.isOwner && val.orgs?.isBillingOrg) {
                 res.isPrimaryOrg = val.orgs.isBillingOrg;
diff --git a/server/routers/resource/createResource.ts b/server/routers/resource/createResource.ts
index 232cea266..d2124d22e 100644
--- a/server/routers/resource/createResource.ts
+++ b/server/routers/resource/createResource.ts
@@ -112,7 +112,7 @@ export async function createResource(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -278,7 +278,7 @@ async function createHttpResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,
@@ -371,7 +371,7 @@ async function createRawResource(
             resourceId: newResource[0].resourceId
         });
 
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             // make sure the user can access the resource
             await trx.insert(userResources).values({
                 userId: req.user?.userId!,
diff --git a/server/routers/resource/getUserResources.ts b/server/routers/resource/getUserResources.ts
index eb5f8a8d9..9afd6b4f3 100644
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -5,6 +5,7 @@ import {
     resources,
     userResources,
     roleResources,
+    userOrgRoles,
     userOrgs,
     resourcePassword,
     resourcePincode,
@@ -32,22 +33,29 @@ export async function getUserResources(
             );
         }
 
-        // First get the user's role in the organization
-        const userOrgResult = await db
-            .select({
-                roleId: userOrgs.roleId
-            })
+        // Check user is in organization and get their role IDs
+        const [userOrg] = await db
+            .select()
             .from(userOrgs)
             .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
             .limit(1);
 
-        if (userOrgResult.length === 0) {
+        if (!userOrg) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User not in organization")
             );
         }
 
-        const userRoleId = userOrgResult[0].roleId;
+        const userRoleIds = await db
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    eq(userOrgRoles.orgId, orgId)
+                )
+            )
+            .then((rows) => rows.map((r) => r.roleId));
 
         // Get resources accessible through direct assignment or role assignment
         const directResourcesQuery = db
@@ -55,20 +63,28 @@ export async function getUserResources(
             .from(userResources)
             .where(eq(userResources.userId, userId));
 
-        const roleResourcesQuery = db
-            .select({ resourceId: roleResources.resourceId })
-            .from(roleResources)
-            .where(eq(roleResources.roleId, userRoleId));
+        const roleResourcesQuery =
+            userRoleIds.length > 0
+                ? db
+                      .select({ resourceId: roleResources.resourceId })
+                      .from(roleResources)
+                      .where(inArray(roleResources.roleId, userRoleIds))
+                : Promise.resolve([]);
 
         const directSiteResourcesQuery = db
             .select({ siteResourceId: userSiteResources.siteResourceId })
             .from(userSiteResources)
             .where(eq(userSiteResources.userId, userId));
 
-        const roleSiteResourcesQuery = db
-            .select({ siteResourceId: roleSiteResources.siteResourceId })
-            .from(roleSiteResources)
-            .where(eq(roleSiteResources.roleId, userRoleId));
+        const roleSiteResourcesQuery =
+            userRoleIds.length > 0
+                ? db
+                      .select({
+                          siteResourceId: roleSiteResources.siteResourceId
+                      })
+                      .from(roleSiteResources)
+                      .where(inArray(roleSiteResources.roleId, userRoleIds))
+                : Promise.resolve([]);
 
         const [directResources, roleResourceResults, directSiteResourceResults, roleSiteResourceResults] = await Promise.all([
             directResourcesQuery,
diff --git a/server/routers/resource/listResources.ts b/server/routers/resource/listResources.ts
index a26a5df50..e6524a72e 100644
--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@@ -276,7 +276,7 @@ export async function listResources(
                 .where(
                     or(
                         eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/role/deleteRole.ts b/server/routers/role/deleteRole.ts
index 490fe91cc..24c26e654 100644
--- a/server/routers/role/deleteRole.ts
+++ b/server/routers/role/deleteRole.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { roles, userOrgs } from "@server/db";
+import { roles, userOrgRoles } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -114,11 +114,11 @@ export async function deleteRole(
         }
 
         await db.transaction(async (trx) => {
-            // move all users from the userOrgs table with roleId to newRoleId
+            // move all users from userOrgRoles with roleId to newRoleId
             await trx
-                .update(userOrgs)
+                .update(userOrgRoles)
                 .set({ roleId: newRoleId })
-                .where(eq(userOrgs.roleId, roleId));
+                .where(eq(userOrgRoles.roleId, roleId));
 
             // delete the old role
             await trx.delete(roles).where(eq(roles.roleId, roleId));
diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts
index ea4bc3e85..57e963e56 100644
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -111,7 +111,7 @@ export async function createSite(
 
         const { orgId } = parsedParams.data;
 
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -399,7 +399,7 @@ export async function createSite(
                 siteId: newSite.siteId
             });
 
-            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
                 // make sure the user can access the site
                 trx.insert(userSites).values({
                     userId: req.user?.userId!,
diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts
index e4881b1ab..f2d460ff7 100644
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -235,7 +235,7 @@ export async function listSites(
                 .where(
                     or(
                         eq(userSites.userId, req.user!.userId),
-                        eq(roleSites.roleId, req.userOrgRoleId!)
+                        inArray(roleSites.roleId, req.userOrgRoleIds!)
                     )
                 );
         } else {
diff --git a/server/routers/user/acceptInvite.ts b/server/routers/user/acceptInvite.ts
index 388db4a31..30d3be7b9 100644
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -165,9 +165,9 @@ export async function acceptInvite(
                 org,
                 {
                     userId: existingUser[0].userId,
-                    orgId: existingInvite.orgId,
-                    roleId: existingInvite.roleId
+                    orgId: existingInvite.orgId
                 },
+                existingInvite.roleId,
                 trx
             );
 
diff --git a/server/routers/user/addUserRole.ts b/server/routers/user/addUserRole.ts
index 32eaa19d7..d41ad2051 100644
--- a/server/routers/user/addUserRole.ts
+++ b/server/routers/user/addUserRole.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db, UserOrg } from "@server/db";
-import { userOrgs, roles } from "@server/db";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -111,20 +111,23 @@ export async function addUserRole(
             );
         }
 
-        let newUserRole: UserOrg | null = null;
+        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
+            null;
         await db.transaction(async (trx) => {
-            [newUserRole] = await trx
-                .update(userOrgs)
-                .set({ roleId })
-                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, role.orgId)
-                    )
-                )
+            const inserted = await trx
+                .insert(userOrgRoles)
+                .values({
+                    userId,
+                    orgId: role.orgId,
+                    roleId
+                })
+                .onConflictDoNothing()
                 .returning();
 
-            // get the client associated with this user in this org
+            if (inserted.length > 0) {
+                newUserRole = inserted[0];
+            }
+
             const orgClients = await trx
                 .select()
                 .from(clients)
@@ -133,17 +136,15 @@ export async function addUserRole(
                         eq(clients.userId, userId),
                         eq(clients.orgId, role.orgId)
                     )
-                )
-                .limit(1);
+                );
 
             for (const orgClient of orgClients) {
-                // we just changed the user's role, so we need to rebuild client associations and what they have access to
                 await rebuildClientAssociationsFromClient(orgClient, trx);
             }
         });
 
         return response(res, {
-            data: newUserRole,
+            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
             success: true,
             error: false,
             message: "Role added to user successfully",
diff --git a/server/routers/user/createOrgUser.ts b/server/routers/user/createOrgUser.ts
index b39ea22e2..891836651 100644
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -221,12 +221,16 @@ export async function createOrgUser(
                         );
                     }
 
-                    await assignUserToOrg(org, {
-                        orgId,
-                        userId: existingUser.userId,
-                        roleId: role.roleId,
-                        autoProvisioned: false
-                    }, trx);
+                    await assignUserToOrg(
+                        org,
+                        {
+                            orgId,
+                            userId: existingUser.userId,
+                            autoProvisioned: false,
+                        },
+                        role.roleId,
+                        trx
+                    );
                 } else {
                     userId = generateId(15);
 
@@ -244,12 +248,16 @@ export async function createOrgUser(
                         })
                         .returning();
 
-                        await assignUserToOrg(org, {
-                            orgId,
-                            userId: newUser.userId,
-                            roleId: role.roleId,
-                            autoProvisioned: false
-                        }, trx);
+                        await assignUserToOrg(
+                            org,
+                            {
+                                orgId,
+                                userId: newUser.userId,
+                                autoProvisioned: false,
+                            },
+                            role.roleId,
+                            trx
+                        );
                 }
 
                 await calculateUserClientsForOrgs(userId, trx);
diff --git a/server/routers/user/getOrgUser.ts b/server/routers/user/getOrgUser.ts
index f22a29d37..2cced3fc2 100644
--- a/server/routers/user/getOrgUser.ts
+++ b/server/routers/user/getOrgUser.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgs, users } from "@server/db";
+import { roles, userOrgRoles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -12,7 +12,7 @@ import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
 import { OpenAPITags, registry } from "@server/openApi";
 
 async function queryUser(orgId: string, userId: string) {
-    const [user] = await db
+    const [userRow] = await db
         .select({
             orgId: userOrgs.orgId,
             userId: users.userId,
@@ -20,10 +20,7 @@ async function queryUser(orgId: string, userId: string) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
-            isAdmin: roles.isAdmin,
             twoFactorEnabled: users.twoFactorEnabled,
             autoProvisioned: userOrgs.autoProvisioned,
             idpId: users.idpId,
@@ -33,13 +30,40 @@ async function queryUser(orgId: string, userId: string) {
             idpAutoProvision: idp.autoProvision
         })
         .from(userOrgs)
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(users, eq(userOrgs.userId, users.userId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
         .limit(1);
-    return user;
+
+    if (!userRow) return undefined;
+
+    const roleRows = await db
+        .select({
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name,
+            isAdmin: roles.isAdmin
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+
+    const isAdmin = roleRows.some((r) => r.isAdmin);
+
+    return {
+        ...userRow,
+        isAdmin,
+        roleIds: roleRows.map((r) => r.roleId),
+        roles: roleRows.map((r) => ({
+            roleId: r.roleId,
+            name: r.roleName ?? ""
+        }))
+    };
 }
 
 export type GetOrgUserResponse = NonNullable<
diff --git a/server/routers/user/index.ts b/server/routers/user/index.ts
index 35c5c4a7c..2de44d8b1 100644
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -2,6 +2,7 @@ export * from "./getUser";
 export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
+export * from "./removeUserRole";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";
diff --git a/server/routers/user/listUsers.ts b/server/routers/user/listUsers.ts
index 401dcf58b..aeced75b1 100644
--- a/server/routers/user/listUsers.ts
+++ b/server/routers/user/listUsers.ts
@@ -1,11 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idpOidcConfig } from "@server/db";
-import { idp, roles, userOrgs, users } from "@server/db";
+import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { and, sql } from "drizzle-orm";
+import { sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -31,7 +31,7 @@ const listUsersSchema = z.strictObject({
 });
 
 async function queryUsers(orgId: string, limit: number, offset: number) {
-    return await db
+    const rows = await db
         .select({
             id: users.userId,
             email: users.email,
@@ -41,8 +41,6 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
             username: users.username,
             name: users.name,
             type: users.type,
-            roleId: userOrgs.roleId,
-            roleName: roles.name,
             isOwner: userOrgs.isOwner,
             idpName: idp.name,
             idpId: users.idpId,
@@ -52,12 +50,39 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
         })
         .from(users)
         .leftJoin(userOrgs, eq(users.userId, userOrgs.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .leftJoin(idp, eq(users.idpId, idp.idpId))
         .leftJoin(idpOidcConfig, eq(idpOidcConfig.idpId, idp.idpId))
         .where(eq(userOrgs.orgId, orgId))
         .limit(limit)
         .offset(offset);
+
+    const roleRows = await db
+        .select({
+            userId: userOrgRoles.userId,
+            roleId: userOrgRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userOrgRoles)
+        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(eq(userOrgRoles.orgId, orgId));
+
+    const rolesByUser = new Map<
+        string,
+        { roleId: number; roleName: string }[]
+    >();
+    for (const r of roleRows) {
+        const list = rolesByUser.get(r.userId) ?? [];
+        list.push({ roleId: r.roleId, roleName: r.roleName ?? "" });
+        rolesByUser.set(r.userId, list);
+    }
+
+    return rows.map((row) => {
+        const userRoles = rolesByUser.get(row.id) ?? [];
+        return {
+            ...row,
+            roles: userRoles
+        };
+    });
 }
 
 export type ListUsersResponse = {
diff --git a/server/routers/user/myDevice.ts b/server/routers/user/myDevice.ts
index 144108e11..3b991ca56 100644
--- a/server/routers/user/myDevice.ts
+++ b/server/routers/user/myDevice.ts
@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { db, Olm, olms, orgs, userOrgs } from "@server/db";
+import { db, Olm, olms, orgs, userOrgRoles, userOrgs } from "@server/db";
 import { idp, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -84,16 +84,31 @@ export async function myDevice(
             .from(olms)
             .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)));
 
-        const userOrganizations = await db
+        const userOrgRows = await db
             .select({
                 orgId: userOrgs.orgId,
-                orgName: orgs.name,
-                roleId: userOrgs.roleId
+                orgName: orgs.name
             })
             .from(userOrgs)
             .where(eq(userOrgs.userId, userId))
             .innerJoin(orgs, eq(userOrgs.orgId, orgs.orgId));
 
+        const roleRows = await db
+            .select({
+                orgId: userOrgRoles.orgId,
+                roleId: userOrgRoles.roleId
+            })
+            .from(userOrgRoles)
+            .where(eq(userOrgRoles.userId, userId));
+
+        const roleByOrg = new Map(
+            roleRows.map((r) => [r.orgId, r.roleId])
+        );
+        const userOrganizations = userOrgRows.map((row) => ({
+            ...row,
+            roleId: roleByOrg.get(row.orgId) ?? 0
+        }));
+
         return response<MyDeviceResponse>(res, {
             data: {
                 user,
diff --git a/server/routers/user/removeUserRole.ts b/server/routers/user/removeUserRole.ts
new file mode 100644
index 000000000..8d353fea3
--- /dev/null
+++ b/server/routers/user/removeUserRole.ts
@@ -0,0 +1,157 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import stoi from "@server/lib/stoi";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+const removeUserRoleParamsSchema = z.strictObject({
+    userId: z.string(),
+    roleId: z.string().transform(stoi).pipe(z.number())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/role/{roleId}/remove/{userId}",
+    description: "Remove a role from a user. User must have at least one role left in the org.",
+    tags: [OpenAPITags.Role, OpenAPITags.User],
+    request: {
+        params: removeUserRoleParamsSchema
+    },
+    responses: {}
+});
+
+export async function removeUserRole(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = removeUserRoleParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { userId, roleId } = parsedParams.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, roleId))
+            .limit(1);
+
+        if (!role) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
+            );
+        }
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(
+                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
+            )
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found or does not belong to the specified organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the roles of the owner of the organization"
+                )
+            );
+        }
+
+        const remainingRoles = await db
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, userId),
+                    eq(userOrgRoles.orgId, role.orgId)
+                )
+            );
+
+        if (remainingRoles.length <= 1) {
+            const hasThisRole = remainingRoles.some((r) => r.roleId === roleId);
+            if (hasThisRole) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "User must have at least one role in the organization. Remove the last role is not allowed."
+                    )
+                );
+            }
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, role.orgId),
+                        eq(userOrgRoles.roleId, roleId)
+                    )
+                );
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.userId, userId),
+                        eq(clients.orgId, role.orgId)
+                    )
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { userId, orgId: role.orgId, roleId },
+            success: true,
+            error: false,
+            message: "Role removed from user successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/types/Auth.ts b/server/types/Auth.ts
index 8e222987c..398c02406 100644
--- a/server/types/Auth.ts
+++ b/server/types/Auth.ts
@@ -5,5 +5,5 @@ import { Session } from "@server/db";
 export interface AuthenticatedRequest extends Request {
     user: User;
     session: Session;
-    userOrgRoleId?: number;
+    userOrgRoleIds?: number[];
 }
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 6313d512a..7a1dab309 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -8,7 +8,6 @@ import {
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
-import { Input } from "@app/components/ui/input";
 import {
     Select,
     SelectContent,
@@ -19,7 +18,6 @@ import {
 import { Checkbox } from "@app/components/ui/checkbox";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { InviteUserResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -44,6 +42,9 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
+import { Badge } from "@app/components/ui/badge";
+
+type UserRole = { roleId: number; name: string };
 
 export default function AccessControlsPage() {
     const { orgUser: user } = userOrgUserContext();
@@ -54,12 +55,12 @@ export default function AccessControlsPage() {
 
     const [loading, setLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
+    const [userRoles, setUserRoles] = useState<UserRole[]>([]);
 
     const t = useTranslations();
 
     const formSchema = z.object({
         username: z.string(),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") }),
         autoProvisioned: z.boolean()
     });
 
@@ -67,11 +68,17 @@ export default function AccessControlsPage() {
         resolver: zodResolver(formSchema),
         defaultValues: {
             username: user.username!,
-            roleId: user.roleId?.toString(),
             autoProvisioned: user.autoProvisioned || false
         }
     });
 
+    const currentRoleIds = user.roleIds ?? [];
+    const currentRoles: UserRole[] = user.roles ?? [];
+
+    useEffect(() => {
+        setUserRoles(currentRoles);
+    }, [user.userId, currentRoleIds.join(",")]);
+
     useEffect(() => {
         async function fetchRoles() {
             const res = await api
@@ -94,32 +101,20 @@ export default function AccessControlsPage() {
         }
 
         fetchRoles();
-
-        form.setValue("roleId", user.roleId.toString());
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    async function onSubmit(values: z.infer<typeof formSchema>) {
+    async function handleAddRole(roleId: number) {
         setLoading(true);
-
         try {
-            // Execute both API calls simultaneously
-            const [roleRes, userRes] = await Promise.all([
-                api.post<AxiosResponse<InviteUserResponse>>(
-                    `/role/${values.roleId}/add/${user.userId}`
-                ),
-                api.post(`/org/${orgId}/user/${user.userId}`, {
-                    autoProvisioned: values.autoProvisioned
-                })
-            ]);
-
-            if (roleRes.status === 200 && userRes.status === 200) {
-                toast({
-                    variant: "default",
-                    title: t("userSaved"),
-                    description: t("userSavedDescription")
-                });
-            }
+            await api.post(`/role/${roleId}/add/${user.userId}`);
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+            const role = roles.find((r) => r.roleId === roleId);
+            if (role) setUserRoles((prev) => [...prev, role]);
         } catch (e) {
             toast({
                 variant: "destructive",
@@ -130,10 +125,61 @@ export default function AccessControlsPage() {
                 )
             });
         }
-
         setLoading(false);
     }
 
+    async function handleRemoveRole(roleId: number) {
+        setLoading(true);
+        try {
+            await api.delete(`/role/${roleId}/remove/${user.userId}`);
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+            setUserRoles((prev) => prev.filter((r) => r.roleId !== roleId));
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: formatAxiosError(
+                    e,
+                    t("accessRoleErrorAddDescription")
+                )
+            });
+        }
+        setLoading(false);
+    }
+
+    async function onSubmit(values: z.infer<typeof formSchema>) {
+        setLoading(true);
+        try {
+            await api.post(`/org/${orgId}/user/${user.userId}`, {
+                autoProvisioned: values.autoProvisioned
+            });
+            toast({
+                variant: "default",
+                title: t("userSaved"),
+                description: t("userSavedDescription")
+            });
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: formatAxiosError(
+                    e,
+                    t("accessRoleErrorAddDescription")
+                )
+            });
+        }
+        setLoading(false);
+    }
+
+    const availableRolesToAdd = roles.filter(
+        (r) => !userRoles.some((ur) => ur.roleId === r.roleId)
+    );
+    const canRemoveRole = userRoles.length > 1;
+
     return (
         <SettingsContainer>
             <SettingsSection>
@@ -154,7 +200,6 @@ export default function AccessControlsPage() {
                                 className="space-y-4"
                                 id="access-controls-form"
                             >
-                                {/* IDP Type Display */}
                                 {user.type !== UserType.Internal &&
                                     user.idpType && (
                                         <div className="flex items-center space-x-2 mb-4">
@@ -171,49 +216,72 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormField
-                                    control={form.control}
-                                    name="roleId"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <FormLabel>{t("role")}</FormLabel>
+                                <FormItem>
+                                    <FormLabel>{t("role")}</FormLabel>
+                                    <div className="flex flex-wrap gap-2 items-center">
+                                        {userRoles.map((r) => (
+                                            <Badge
+                                                key={r.roleId}
+                                                variant="secondary"
+                                                className="flex items-center gap-1"
+                                            >
+                                                {r.name}
+                                                {canRemoveRole && (
+                                                    <button
+                                                        type="button"
+                                                        onClick={() =>
+                                                            handleRemoveRole(
+                                                                r.roleId
+                                                            )
+                                                        }
+                                                        disabled={loading}
+                                                        className="ml-1 rounded hover:bg-muted"
+                                                        aria-label={`Remove ${r.name}`}
+                                                    >
+                                                        ×
+                                                    </button>
+                                                )}
+                                            </Badge>
+                                        ))}
+                                        {availableRolesToAdd.length > 0 && (
                                             <Select
                                                 onValueChange={(value) => {
-                                                    field.onChange(value);
-                                                    // If auto provision is enabled, set it to false when role changes
-                                                    if (user.idpAutoProvision) {
-                                                        form.setValue(
-                                                            "autoProvisioned",
-                                                            false
-                                                        );
-                                                    }
+                                                    handleAddRole(
+                                                        parseInt(value, 10)
+                                                    );
                                                 }}
-                                                value={field.value}
+                                                disabled={loading}
                                             >
-                                                <FormControl>
-                                                    <SelectTrigger>
-                                                        <SelectValue
-                                                            placeholder={t(
-                                                                "accessRoleSelect"
-                                                            )}
-                                                        />
-                                                    </SelectTrigger>
-                                                </FormControl>
+                                                <SelectTrigger className="w-[180px]">
+                                                    <SelectValue
+                                                        placeholder={t(
+                                                            "accessRoleSelect"
+                                                        )}
+                                                    />
+                                                </SelectTrigger>
                                                 <SelectContent>
-                                                    {roles.map((role) => (
-                                                        <SelectItem
-                                                            key={role.roleId}
-                                                            value={role.roleId.toString()}
-                                                        >
-                                                            {role.name}
-                                                        </SelectItem>
-                                                    ))}
+                                                    {availableRolesToAdd.map(
+                                                        (role) => (
+                                                            <SelectItem
+                                                                key={
+                                                                    role.roleId
+                                                                }
+                                                                value={role.roleId.toString()}
+                                                            >
+                                                                {role.name}
+                                                            </SelectItem>
+                                                        )
+                                                    )}
                                                 </SelectContent>
                                             </Select>
-                                            <FormMessage />
-                                        </FormItem>
+                                        )}
+                                    </div>
+                                    {userRoles.length === 0 && (
+                                        <p className="text-sm text-muted-foreground">
+                                            {t("accessRoleSelectPlease")}
+                                        </p>
                                     )}
-                                />
+                                </FormItem>
 
                                 {user.idpAutoProvision && (
                                     <FormField
@@ -231,7 +299,9 @@ export default function AccessControlsPage() {
                                                 </FormControl>
                                                 <div className="space-y-1 leading-none">
                                                     <FormLabel>
-                                                        {t("autoProvisioned")}
+                                                        {t(
+                                                            "autoProvisioned"
+                                                        )}
                                                     </FormLabel>
                                                     <p className="text-sm text-muted-foreground">
                                                         {t(
diff --git a/src/app/[orgId]/settings/access/users/page.tsx b/src/app/[orgId]/settings/access/users/page.tsx
index c10363734..c64ee6396 100644
--- a/src/app/[orgId]/settings/access/users/page.tsx
+++ b/src/app/[orgId]/settings/access/users/page.tsx
@@ -88,7 +88,9 @@ export default async function UsersPage(props: UsersPageProps) {
             status: t("userConfirmed"),
             role: user.isOwner
                 ? t("accessRoleOwner")
-                : user.roleName || t("accessRoleMember"),
+                : user.roles?.length
+                  ? user.roles.map((r) => r.roleName).join(", ")
+                  : t("accessRoleMember"),
             isOwner: user.isOwner || false
         };
     });

From dae169540bd3430f698725f9d8c830f441e5be96 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 2 Mar 2026 16:49:17 -0800
Subject: [PATCH 004/122] Fix defaults for orgs

---
 server/lib/readConfigFile.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index cca0aa6aa..f6c8592e9 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -302,8 +302,8 @@ export const configSchema = z
             .optional()
             .default({
                 block_size: 24,
-                subnet_group: "100.90.128.0/24",
-                utility_subnet_group: "100.96.128.0/24"
+                subnet_group: "100.90.128.0/20",
+                utility_subnet_group: "100.96.128.0/20"
             }),
         rate_limits: z
             .object({

From 6cf1b9b0108d5f4eda8e22f716f91e8874a4c558 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 2 Mar 2026 18:51:48 -0800
Subject: [PATCH 005/122] Support improved targets msg v2

---
 server/lib/ip.ts                              | 123 +++++++++++
 server/lib/rebuildClientAssociations.ts       |  32 ++-
 server/routers/client/targets.ts              | 209 ++++++++++++++----
 server/routers/newt/buildConfiguration.ts     |  26 ++-
 server/routers/newt/handleGetConfigMessage.ts |   5 +-
 .../siteResource/updateSiteResource.ts        |  10 +-
 6 files changed, 326 insertions(+), 79 deletions(-)

diff --git a/server/lib/ip.ts b/server/lib/ip.ts
index 21ec78c1b..3a29b8661 100644
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -571,6 +571,129 @@ export function generateSubnetProxyTargets(
     return targets;
 }
 
+export type SubnetProxyTargetV2 = {
+    sourcePrefixes: string[]; // must be cidrs
+    destPrefix: string; // must be a cidr
+    disableIcmp?: boolean;
+    rewriteTo?: string; // must be a cidr
+    portRange?: {
+        min: number;
+        max: number;
+        protocol: "tcp" | "udp";
+    }[];
+};
+
+export function generateSubnetProxyTargetV2(
+    siteResource: SiteResource,
+    clients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[]
+): SubnetProxyTargetV2 | undefined {
+    if (clients.length === 0) {
+        logger.debug(
+            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
+        );
+        return;
+    }
+
+    let target: SubnetProxyTargetV2 | null = null;
+
+    const portRange = [
+        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
+        ...parsePortRangeString(siteResource.udpPortRangeString, "udp")
+    ];
+    const disableIcmp = siteResource.disableIcmp ?? false;
+
+    if (siteResource.mode == "host") {
+        let destination = siteResource.destination;
+        // check if this is a valid ip
+        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
+        if (ipSchema.safeParse(destination).success) {
+            destination = `${destination}/32`;
+
+            target = {
+                sourcePrefixes: [],
+                destPrefix: destination,
+                portRange,
+                disableIcmp
+            };
+        }
+
+        if (siteResource.alias && siteResource.aliasAddress) {
+            // also push a match for the alias address
+            target = {
+                sourcePrefixes: [],
+                destPrefix: `${siteResource.aliasAddress}/32`,
+                rewriteTo: destination,
+                portRange,
+                disableIcmp
+            };
+        }
+    } else if (siteResource.mode == "cidr") {
+        target = {
+            sourcePrefixes: [],
+            destPrefix: siteResource.destination,
+            portRange,
+            disableIcmp
+        };
+    }
+
+    if (!target) {
+        return;
+    }
+
+    for (const clientSite of clients) {
+        if (!clientSite.subnet) {
+            logger.debug(
+                `Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
+            );
+            continue;
+        }
+
+        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
+
+        // add client prefix to source prefixes
+        target.sourcePrefixes.push(clientPrefix);
+    }
+
+    // print a nice representation of the targets
+    // logger.debug(
+    //     `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
+    // );
+
+    return target;
+}
+
+
+/**
+ * Converts a SubnetProxyTargetV2 to an array of SubnetProxyTarget (v1)
+ * by expanding each source prefix into its own target entry.
+ * @param targetV2 - The v2 target to convert
+ * @returns Array of v1 SubnetProxyTarget objects
+ */
+ export function convertSubnetProxyTargetsV2ToV1(
+     targetsV2: SubnetProxyTargetV2[]
+ ): SubnetProxyTarget[] {
+     return targetsV2.flatMap((targetV2) =>
+         targetV2.sourcePrefixes.map((sourcePrefix) => ({
+             sourcePrefix,
+             destPrefix: targetV2.destPrefix,
+             ...(targetV2.disableIcmp !== undefined && {
+                 disableIcmp: targetV2.disableIcmp
+             }),
+             ...(targetV2.rewriteTo !== undefined && {
+                 rewriteTo: targetV2.rewriteTo
+             }),
+             ...(targetV2.portRange !== undefined && {
+                 portRange: targetV2.portRange
+             })
+         }))
+     );
+ }
+
+
 // Custom schema for validating port range strings
 // Format: "80,443,8000-9000" or "*" for all ports, or empty string
 export const portRangeStringSchema = z
diff --git a/server/lib/rebuildClientAssociations.ts b/server/lib/rebuildClientAssociations.ts
index 625e57935..915c3648d 100644
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -32,7 +32,7 @@ import logger from "@server/logger";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
     parseEndpoint,
     formatEndpoint
 } from "@server/lib/ip";
@@ -659,17 +659,14 @@ async function handleSubnetProxyTargetUpdates(
         );
 
         if (addedClients.length > 0) {
-            const targetsToAdd = generateSubnetProxyTargets(
+            const targetToAdd = generateSubnetProxyTargetV2(
                 siteResource,
                 addedClients
             );
 
-            if (targetsToAdd.length > 0) {
-                logger.info(
-                    `Adding ${targetsToAdd.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
+            if (targetToAdd) {
                 proxyJobs.push(
-                    addSubnetProxyTargets(newt.newtId, targetsToAdd)
+                    addSubnetProxyTargets(newt.newtId, [targetToAdd])
                 );
             }
 
@@ -695,17 +692,14 @@ async function handleSubnetProxyTargetUpdates(
         );
 
         if (removedClients.length > 0) {
-            const targetsToRemove = generateSubnetProxyTargets(
+            const targetToRemove = generateSubnetProxyTargetV2(
                 siteResource,
                 removedClients
             );
 
-            if (targetsToRemove.length > 0) {
-                logger.info(
-                    `Removing ${targetsToRemove.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
+            if (targetToRemove) {
                 proxyJobs.push(
-                    removeSubnetProxyTargets(newt.newtId, targetsToRemove)
+                    removeSubnetProxyTargets(newt.newtId, [targetToRemove])
                 );
             }
 
@@ -1159,7 +1153,7 @@ async function handleMessagesForClientResources(
             }
 
             for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                     {
                         clientId: client.clientId,
                         pubKey: client.pubKey,
@@ -1167,8 +1161,8 @@ async function handleMessagesForClientResources(
                     }
                 ]);
 
-                if (targets.length > 0) {
-                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, targets));
+                if (target) {
+                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, [target]));
                 }
 
                 try {
@@ -1230,7 +1224,7 @@ async function handleMessagesForClientResources(
             }
 
             for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                     {
                         clientId: client.clientId,
                         pubKey: client.pubKey,
@@ -1238,9 +1232,9 @@ async function handleMessagesForClientResources(
                     }
                 ]);
 
-                if (targets.length > 0) {
+                if (target) {
                     proxyJobs.push(
-                        removeSubnetProxyTargets(newt.newtId, targets)
+                        removeSubnetProxyTargets(newt.newtId, [target])
                     );
                 }
 
diff --git a/server/routers/client/targets.ts b/server/routers/client/targets.ts
index bf612d352..48b7e216d 100644
--- a/server/routers/client/targets.ts
+++ b/server/routers/client/targets.ts
@@ -1,8 +1,15 @@
 import { sendToClient } from "#dynamic/routers/ws";
-import { db, olms, Transaction } from "@server/db";
-import { Alias, SubnetProxyTarget } from "@server/lib/ip";
+import { S } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
+import { db, newts, olms, Transaction } from "@server/db";
+import {
+    Alias,
+    convertSubnetProxyTargetsV2ToV1,
+    SubnetProxyTarget,
+    SubnetProxyTargetV2
+} from "@server/lib/ip";
 import logger from "@server/logger";
 import { eq } from "drizzle-orm";
+import semver from "semver";
 
 const BATCH_SIZE = 50;
 const BATCH_DELAY_MS = 50;
@@ -19,57 +26,149 @@ function chunkArray<T>(array: T[], size: number): T[][] {
     return chunks;
 }
 
-export async function addTargets(newtId: string, targets: SubnetProxyTarget[]) {
-    const batches = chunkArray(targets, BATCH_SIZE);
+const NEWT_V2_TARGETS_VERSION = ">=1.11.0";
+
+export async function convertTargetsIfNessicary(
+    newtId: string,
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
+) {
+    // get the newt
+    const [newt] = await db
+        .select()
+        .from(newts)
+        .where(eq(newts.newtId, newtId));
+    if (!newt) {
+        throw new Error(`No newt found for id: ${newtId}`);
+    }
+
+    // check the semver
+    if (
+        newt.version &&
+        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
+    ) {
+        logger.debug(
+            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
+        );
+        targets = convertSubnetProxyTargetsV2ToV1(
+            targets as SubnetProxyTargetV2[]
+        );
+    }
+
+    return targets;
+}
+
+export async function addTargets(
+    newtId: string,
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
+) {
+    targets = await convertTargetsIfNessicary(newtId, targets);
+
+    const batches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets,
+        BATCH_SIZE
+    );
+
     for (let i = 0; i < batches.length; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
-            type: `newt/wg/targets/add`,
-            data: batches[i]
-        }, { incrementConfigVersion: true });
+        await sendToClient(
+            newtId,
+            {
+                type: `newt/wg/targets/add`,
+                data: batches[i]
+            },
+            { incrementConfigVersion: true }
+        );
     }
 }
 
 export async function removeTargets(
     newtId: string,
-    targets: SubnetProxyTarget[]
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
 ) {
-    const batches = chunkArray(targets, BATCH_SIZE);
+    targets = await convertTargetsIfNessicary(newtId, targets);
+
+    const batches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets,
+        BATCH_SIZE
+    );
     for (let i = 0; i < batches.length; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
-            type: `newt/wg/targets/remove`,
-            data: batches[i]
-        },{ incrementConfigVersion: true });
+        await sendToClient(
+            newtId,
+            {
+                type: `newt/wg/targets/remove`,
+                data: batches[i]
+            },
+            { incrementConfigVersion: true }
+        );
     }
 }
 
 export async function updateTargets(
     newtId: string,
     targets: {
-        oldTargets: SubnetProxyTarget[];
-        newTargets: SubnetProxyTarget[];
+        oldTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
+        newTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
     }
 ) {
-    const oldBatches = chunkArray(targets.oldTargets, BATCH_SIZE);
-    const newBatches = chunkArray(targets.newTargets, BATCH_SIZE);
+    // get the newt
+    const [newt] = await db
+        .select()
+        .from(newts)
+        .where(eq(newts.newtId, newtId));
+    if (!newt) {
+        logger.error(`addTargetsL No newt found for id: ${newtId}`);
+        return;
+    }
+
+    // check the semver
+    if (
+        newt.version &&
+        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
+    ) {
+        logger.debug(
+            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
+        );
+        targets = {
+            oldTargets: convertSubnetProxyTargetsV2ToV1(
+                targets.oldTargets as SubnetProxyTargetV2[]
+            ),
+            newTargets: convertSubnetProxyTargetsV2ToV1(
+                targets.newTargets as SubnetProxyTargetV2[]
+            )
+        };
+    }
+
+    const oldBatches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets.oldTargets,
+        BATCH_SIZE
+    );
+    const newBatches = chunkArray<SubnetProxyTarget | SubnetProxyTargetV2>(
+        targets.newTargets,
+        BATCH_SIZE
+    );
+
     const maxBatches = Math.max(oldBatches.length, newBatches.length);
 
     for (let i = 0; i < maxBatches; i++) {
         if (i > 0) {
             await sleep(BATCH_DELAY_MS);
         }
-        await sendToClient(newtId, {
-            type: `newt/wg/targets/update`,
-            data: {
-                oldTargets: oldBatches[i] || [],
-                newTargets: newBatches[i] || []
-            }
-        }, { incrementConfigVersion: true }).catch((error) => {
+        await sendToClient(
+            newtId,
+            {
+                type: `newt/wg/targets/update`,
+                data: {
+                    oldTargets: oldBatches[i] || [],
+                    newTargets: newBatches[i] || []
+                }
+            },
+            { incrementConfigVersion: true }
+        ).catch((error) => {
             logger.warn(`Error sending message:`, error);
         });
     }
@@ -94,14 +193,18 @@ export async function addPeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: `olm/wg/peer/data/add`,
-        data: {
-            siteId: siteId,
-            remoteSubnets: remoteSubnets,
-            aliases: aliases
-        }
-    }, { incrementConfigVersion: true }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: `olm/wg/peer/data/add`,
+            data: {
+                siteId: siteId,
+                remoteSubnets: remoteSubnets,
+                aliases: aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -125,14 +228,18 @@ export async function removePeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: `olm/wg/peer/data/remove`,
-        data: {
-            siteId: siteId,
-            remoteSubnets: remoteSubnets,
-            aliases: aliases
-        }
-    }, { incrementConfigVersion: true }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: `olm/wg/peer/data/remove`,
+            data: {
+                siteId: siteId,
+                remoteSubnets: remoteSubnets,
+                aliases: aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -166,14 +273,18 @@ export async function updatePeerData(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: `olm/wg/peer/data/update`,
-        data: {
-            siteId: siteId,
-            ...remoteSubnets,
-            ...aliases
-        }
-    }, { incrementConfigVersion: true }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: `olm/wg/peer/data/update`,
+            data: {
+                siteId: siteId,
+                ...remoteSubnets,
+                ...aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
diff --git a/server/routers/newt/buildConfiguration.ts b/server/routers/newt/buildConfiguration.ts
index e349f24e8..c20e713f6 100644
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -1,9 +1,23 @@
-import { clients, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, ExitNode, resources, Site, siteResources, targetHealthCheck, targets } from "@server/db";
+import {
+    clients,
+    clientSiteResourcesAssociationsCache,
+    clientSitesAssociationsCache,
+    db,
+    ExitNode,
+    resources,
+    Site,
+    siteResources,
+    targetHealthCheck,
+    targets
+} from "@server/db";
 import logger from "@server/logger";
 import { initPeerAddHandshake, updatePeer } from "../olm/peers";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
-import { generateSubnetProxyTargets, SubnetProxyTarget } from "@server/lib/ip";
+import {
+    generateSubnetProxyTargetV2,
+    SubnetProxyTargetV2
+} from "@server/lib/ip";
 
 export async function buildClientConfigurationForNewtClient(
     site: Site,
@@ -126,7 +140,7 @@ export async function buildClientConfigurationForNewtClient(
         .from(siteResources)
         .where(eq(siteResources.siteId, siteId));
 
-    const targetsToSend: SubnetProxyTarget[] = [];
+    const targetsToSend: SubnetProxyTargetV2[] = [];
 
     for (const resource of allSiteResources) {
         // Get clients associated with this specific resource
@@ -151,12 +165,14 @@ export async function buildClientConfigurationForNewtClient(
                 )
             );
 
-        const resourceTargets = generateSubnetProxyTargets(
+        const resourceTarget = generateSubnetProxyTargetV2(
             resource,
             resourceClients
         );
 
-        targetsToSend.push(...resourceTargets);
+        if (resourceTarget) {
+            targetsToSend.push(resourceTarget);
+        }
     }
 
     return {
diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index 801c8b65a..d17a37e48 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -6,6 +6,7 @@ import { db, ExitNode, exitNodes, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
+import { convertTargetsIfNessicary } from "../client/targets";
 
 const inputSchema = z.object({
     publicKey: z.string(),
@@ -126,13 +127,15 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         exitNode
     );
 
+    const targetsToSend = await convertTargetsIfNessicary(newt.newtId, targets);
+
     return {
         message: {
             type: "newt/wg/receive-config",
             data: {
                 ipAddress: site.address,
                 peers,
-                targets
+                targets: targetsToSend
             }
         },
         broadcast: false,
diff --git a/server/routers/siteResource/updateSiteResource.ts b/server/routers/siteResource/updateSiteResource.ts
index 242b92265..c8119840f 100644
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -24,7 +24,7 @@ import { updatePeerData, updateTargets } from "@server/routers/client/targets";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
     isIpInCidr,
     portRangeStringSchema
 } from "@server/lib/ip";
@@ -608,18 +608,18 @@ export async function handleMessagingForUpdatedSiteResource(
 
         // Only update targets on newt if destination changed
         if (destinationChanged || portRangesChanged) {
-            const oldTargets = generateSubnetProxyTargets(
+            const oldTarget = generateSubnetProxyTargetV2(
                 existingSiteResource,
                 mergedAllClients
             );
-            const newTargets = generateSubnetProxyTargets(
+            const newTarget = generateSubnetProxyTargetV2(
                 updatedSiteResource,
                 mergedAllClients
             );
 
             await updateTargets(newt.newtId, {
-                oldTargets: oldTargets,
-                newTargets: newTargets
+                oldTargets: [oldTarget],
+                newTargets: [newTarget]
             });
         }
 

From b01fcc70feab3d86939c5ae6fd43e8bcb4ee50db Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 3 Mar 2026 14:45:18 -0800
Subject: [PATCH 006/122] Fix ts and add note about ipv4

---
 server/routers/siteResource/createSiteResource.ts | 2 +-
 server/routers/siteResource/updateSiteResource.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/routers/siteResource/createSiteResource.ts b/server/routers/siteResource/createSiteResource.ts
index bbdc3638d..b12b8d100 100644
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -88,7 +88,7 @@ const createSiteResourceSchema = z
         },
         {
             message:
-                "Destination must be a valid IP address or valid domain AND alias is required"
+                "Destination must be a valid IPV4 address or valid domain AND alias is required"
         }
     )
     .refine(
diff --git a/server/routers/siteResource/updateSiteResource.ts b/server/routers/siteResource/updateSiteResource.ts
index c8119840f..bc5daa55f 100644
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -618,8 +618,8 @@ export async function handleMessagingForUpdatedSiteResource(
             );
 
             await updateTargets(newt.newtId, {
-                oldTargets: [oldTarget],
-                newTargets: [newTarget]
+                oldTargets: oldTarget ? [oldTarget] : [],
+                newTargets: newTarget ? [newTarget] : []
             });
         }
 

From 84b082e1941b243f4aca9e193abc81a083c013a9 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 12 Mar 2026 23:36:35 +0100
Subject: [PATCH 007/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20show=20actual=20va?=
 =?UTF-8?q?lues=20for=20wireguard=20site=20credentials=20whenever=20possib?=
 =?UTF-8?q?le?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../sites/[niceId]/credentials/page.tsx       | 22 +++++++++----------
 src/lib/wireguard.ts                          |  4 +---
 2 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx b/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
index ecf3b105a..d4463cb7c 100644
--- a/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
+++ b/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
@@ -39,6 +39,7 @@ import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { NewtSiteInstallCommands } from "@app/components/newt-install-commands";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import type { AxiosResponse } from "axios";
 
 export default function CredentialsPage() {
     const { env } = useEnvContext();
@@ -100,7 +101,9 @@ export default function CredentialsPage() {
                 generatedPublicKey = generatedKeypair.publicKey;
                 setPublicKey(generatedPublicKey);
 
-                const res = await api.get(`/org/${orgId}/pick-site-defaults`);
+                const res = await api.get<
+                    AxiosResponse<PickSiteDefaultsResponse>
+                >(`/org/${orgId}/pick-site-defaults`);
                 if (res && res.status === 200) {
                     const data = res.data.data;
                     setSiteDefaults(data);
@@ -108,7 +111,7 @@ export default function CredentialsPage() {
                     // generate config with the fetched data
                     generatedWgConfig = generateWireGuardConfig(
                         generatedKeypair.privateKey,
-                        data.publicKey,
+                        generatedKeypair.publicKey,
                         data.subnet,
                         data.address,
                         data.endpoint,
@@ -322,7 +325,7 @@ export default function CredentialsPage() {
                             {!loadingDefaults && (
                                 <>
                                     {wgConfig ? (
-                                        <div className="flex flex-col sm:flex-row items-center gap-4">
+                                        <div className="flex flex-col lg:flex-row items-center gap-4">
                                             <CopyTextBox
                                                 text={wgConfig}
                                                 outline={true}
@@ -342,25 +345,20 @@ export default function CredentialsPage() {
                                             text={generateObfuscatedWireGuardConfig(
                                                 {
                                                     subnet:
-                                                        siteDefaults?.subnet ||
                                                         site?.subnet ||
+                                                        siteDefaults?.subnet ||
                                                         null,
                                                     address:
-                                                        siteDefaults?.address ||
                                                         site?.address ||
+                                                        siteDefaults?.address ||
                                                         null,
                                                     endpoint:
-                                                        siteDefaults?.endpoint ||
                                                         site?.endpoint ||
+                                                        siteDefaults?.endpoint ||
                                                         null,
                                                     listenPort:
-                                                        siteDefaults?.listenPort ||
                                                         site?.listenPort ||
-                                                        null,
-                                                    publicKey:
-                                                        siteDefaults?.publicKey ||
-                                                        site?.publicKey ||
-                                                        site?.pubKey ||
+                                                        siteDefaults?.listenPort ||
                                                         null
                                                 }
                                             )}
diff --git a/src/lib/wireguard.ts b/src/lib/wireguard.ts
index bc8100eca..656e4240b 100644
--- a/src/lib/wireguard.ts
+++ b/src/lib/wireguard.ts
@@ -26,7 +26,6 @@ export function generateObfuscatedWireGuardConfig(options?: {
     address?: string | null;
     endpoint?: string | null;
     listenPort?: number | string | null;
-    publicKey?: string | null;
 }): string {
     const obfuscate = (
         value: string | null | undefined,
@@ -54,7 +53,6 @@ export function generateObfuscatedWireGuardConfig(options?: {
             ? options.listenPort
             : options.listenPort
         : 51820;
-    const publicKey = obfuscateKey(options?.publicKey);
 
     return `[Interface]
 Address = ${subnetWithCidr}
@@ -62,7 +60,7 @@ ListenPort = 51820
 PrivateKey = ${obfuscateKey(null)}
 
 [Peer]
-PublicKey = ${publicKey}
+PublicKey = ${obfuscateKey(null)}
 AllowedIPs = ${address}/32
 Endpoint = ${endpoint}:${listenPort}
 PersistentKeepalive = 5`;

From 47a99e35ee2ecd82fb1ab2da655d36fd3301715a Mon Sep 17 00:00:00 2001
From: Laurence <laurence.jones@live.co.uk>
Date: Fri, 13 Mar 2026 11:38:00 +0000
Subject: [PATCH 008/122] feat(installer): add default install directory with
 existing install detection

  - Default to /opt/pangolin for new installations
  - Check current directory and /opt/pangolin for existing installs
  - Prompt to use existing install if found at default location
  - Offer to change directory ownership when running via sudo
  - Create installation directory if it doesn't exist
---
 install/main.go | 119 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)

diff --git a/install/main.go b/install/main.go
index 9de332b60..dddcb89b8 100644
--- a/install/main.go
+++ b/install/main.go
@@ -14,6 +14,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"text/template"
 	"time"
@@ -90,6 +91,13 @@ func main() {
 	var config Config
 	var alreadyInstalled = false
 
+	// Determine installation directory
+	installDir := findOrSelectInstallDirectory()
+	if err := os.Chdir(installDir); err != nil {
+		fmt.Printf("Error changing to installation directory: %v\n", err)
+		os.Exit(1)
+	}
+
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
 		config = collectUserInput()
@@ -287,6 +295,117 @@ func main() {
 	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
 
+func hasExistingInstall(dir string) bool {
+	configPath := filepath.Join(dir, "config", "config.yml")
+	_, err := os.Stat(configPath)
+	return err == nil
+}
+
+func findOrSelectInstallDirectory() string {
+	const defaultInstallDir = "/opt/pangolin"
+
+	// Get current working directory
+	cwd, err := os.Getwd()
+	if err != nil {
+		fmt.Printf("Error getting current directory: %v\n", err)
+		os.Exit(1)
+	}
+
+	// 1. Check current directory for existing install
+	if hasExistingInstall(cwd) {
+		fmt.Printf("Found existing Pangolin installation in current directory: %s\n", cwd)
+		return cwd
+	}
+
+	// 2. Check default location (/opt/pangolin) for existing install
+	if cwd != defaultInstallDir && hasExistingInstall(defaultInstallDir) {
+		fmt.Printf("\nFound existing Pangolin installation at: %s\n", defaultInstallDir)
+		if readBool(fmt.Sprintf("Would you like to use the existing installation at %s?", defaultInstallDir), true) {
+			return defaultInstallDir
+		}
+	}
+
+	// 3. No existing install found, prompt for installation directory
+	fmt.Println("\n=== Installation Directory ===")
+	fmt.Println("No existing Pangolin installation detected.")
+
+	installDir := readString("Enter the installation directory", defaultInstallDir)
+
+	// Expand ~ to home directory if present
+	if strings.HasPrefix(installDir, "~") {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			fmt.Printf("Error getting home directory: %v\n", err)
+			os.Exit(1)
+		}
+		installDir = filepath.Join(home, installDir[1:])
+	}
+
+	// Convert to absolute path
+	absPath, err := filepath.Abs(installDir)
+	if err != nil {
+		fmt.Printf("Error resolving path: %v\n", err)
+		os.Exit(1)
+	}
+	installDir = absPath
+
+	// Check if directory exists
+	if _, err := os.Stat(installDir); os.IsNotExist(err) {
+		// Directory doesn't exist, create it
+		if readBool(fmt.Sprintf("Directory %s does not exist. Create it?", installDir), true) {
+			if err := os.MkdirAll(installDir, 0755); err != nil {
+				fmt.Printf("Error creating directory: %v\n", err)
+				os.Exit(1)
+			}
+			fmt.Printf("Created directory: %s\n", installDir)
+
+			// Offer to change ownership if running via sudo
+			changeDirectoryOwnership(installDir)
+		} else {
+			fmt.Println("Installation cancelled.")
+			os.Exit(0)
+		}
+	}
+
+	fmt.Printf("Installation directory: %s\n", installDir)
+	return installDir
+}
+
+func changeDirectoryOwnership(dir string) {
+	// Check if we're running via sudo by looking for SUDO_USER
+	sudoUser := os.Getenv("SUDO_USER")
+	if sudoUser == "" || os.Geteuid() != 0 {
+		return
+	}
+
+	sudoUID := os.Getenv("SUDO_UID")
+	sudoGID := os.Getenv("SUDO_GID")
+
+	if sudoUID == "" || sudoGID == "" {
+		return
+	}
+
+	fmt.Printf("\nRunning as root via sudo (original user: %s)\n", sudoUser)
+	if readBool(fmt.Sprintf("Would you like to change ownership of %s to user '%s'? This makes it easier to manage config files without sudo.", dir, sudoUser), true) {
+		uid, err := strconv.Atoi(sudoUID)
+		if err != nil {
+			fmt.Printf("Warning: Could not parse SUDO_UID: %v\n", err)
+			return
+		}
+		gid, err := strconv.Atoi(sudoGID)
+		if err != nil {
+			fmt.Printf("Warning: Could not parse SUDO_GID: %v\n", err)
+			return
+		}
+
+		if err := os.Chown(dir, uid, gid); err != nil {
+			fmt.Printf("Warning: Could not change ownership: %v\n", err)
+		} else {
+			fmt.Printf("Changed ownership of %s to %s\n", dir, sudoUser)
+		}
+	}
+}
+
 func podmanOrDocker() SupportedContainer {
 	inputContainer := readString("Would you like to run Pangolin as Docker or Podman containers?", "docker")
 

From 18ed38889fa19ad32009043b48652458a959e669 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Tue, 17 Mar 2026 04:07:02 +0100
Subject: [PATCH 009/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20filter=20sites=20s?=
 =?UTF-8?q?erver=20side=20in=20resource=20target?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/routers/resource/getResource.ts        | 17 ++--
 server/routers/target/listTargets.ts          |  1 +
 .../resources/proxy/[niceId]/proxy/page.tsx   | 26 ++---
 .../settings/resources/proxy/create/page.tsx  | 16 ++--
 .../resource-target-address-item.tsx          | 94 ++++++++++++-------
 src/lib/queries.ts                            | 18 +++-
 6 files changed, 107 insertions(+), 65 deletions(-)

diff --git a/server/routers/resource/getResource.ts b/server/routers/resource/getResource.ts
index cd870dcbf..7a52c0a85 100644
--- a/server/routers/resource/getResource.ts
+++ b/server/routers/resource/getResource.ts
@@ -1,15 +1,14 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { Resource, resources, sites } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { db, resources } from "@server/db";
 import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { fromError } from "zod-validation-error";
-import logger from "@server/logger";
 import stoi from "@server/lib/stoi";
+import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
 
 const getResourceSchema = z.strictObject({
     resourceId: z
diff --git a/server/routers/target/listTargets.ts b/server/routers/target/listTargets.ts
index e4ef45f3b..18e932afa 100644
--- a/server/routers/target/listTargets.ts
+++ b/server/routers/target/listTargets.ts
@@ -40,6 +40,7 @@ function queryTargets(resourceId: number) {
             resourceId: targets.resourceId,
             siteId: targets.siteId,
             siteType: sites.type,
+            siteName: sites.name,
             hcEnabled: targetHealthCheck.hcEnabled,
             hcPath: targetHealthCheck.hcPath,
             hcScheme: targetHealthCheck.hcScheme,
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
index 51f11a2c3..aff10dc52 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -124,20 +124,15 @@ export default function ReverseProxyTargetsPage(props: {
             resourceId: resource.resourceId
         })
     );
-    const { data: sites = [], isLoading: isLoadingSites } = useQuery(
-        orgQueries.sites({
-            orgId: params.orgId
-        })
-    );
 
-    if (isLoadingSites || isLoadingTargets) {
+    if (isLoadingTargets) {
         return null;
     }
 
     return (
         <SettingsContainer>
             <ProxyResourceTargetsForm
-                sites={sites}
+                orgId={params.orgId}
                 initialTargets={remoteTargets}
                 resource={resource}
             />
@@ -160,12 +155,12 @@ export default function ReverseProxyTargetsPage(props: {
 }
 
 function ProxyResourceTargetsForm({
-    sites,
+    orgId,
     initialTargets,
     resource
 }: {
     initialTargets: LocalTarget[];
-    sites: ListSitesResponse["sites"];
+    orgId: string;
     resource: GetResourceResponse;
 }) {
     const t = useTranslations();
@@ -243,17 +238,21 @@ function ProxyResourceTargetsForm({
         });
     }, []);
 
+    const { data: sites = [] } = useQuery(
+        orgQueries.sites({
+            orgId
+        })
+    );
+
     const updateTarget = useCallback(
         (targetId: number, data: Partial<LocalTarget>) => {
             setTargets((prevTargets) => {
-                const site = sites.find((site) => site.siteId === data.siteId);
                 return prevTargets.map((target) =>
                     target.targetId === targetId
                         ? {
                               ...target,
                               ...data,
-                              updated: true,
-                              siteType: site ? site.type : target.siteType
+                              updated: true
                           }
                         : target
                 );
@@ -453,7 +452,7 @@ function ProxyResourceTargetsForm({
                 return (
                     <ResourceTargetAddressItem
                         isHttp={isHttp}
-                        sites={sites}
+                        orgId={orgId}
                         getDockerStateForSite={getDockerStateForSite}
                         proxyTarget={row.original}
                         refreshContainersForSite={refreshContainersForSite}
@@ -619,6 +618,7 @@ function ProxyResourceTargetsForm({
             method: isHttp ? "http" : null,
             port: 0,
             siteId: sites.length > 0 ? sites[0].siteId : 0,
+            siteName: sites.length > 0 ? sites[0].name : "",
             path: isHttp ? null : null,
             pathMatchType: isHttp ? null : null,
             rewritePath: isHttp ? null : null,
diff --git a/src/app/[orgId]/settings/resources/proxy/create/page.tsx b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
index 4c8cb8443..9a9eb3ba2 100644
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -216,9 +216,7 @@ export default function Page() {
     const [remoteExitNodes, setRemoteExitNodes] = useState<
         ListRemoteExitNodesResponse["remoteExitNodes"]
     >([]);
-    const [loadingExitNodes, setLoadingExitNodes] = useState(
-        build === "saas"
-    );
+    const [loadingExitNodes, setLoadingExitNodes] = useState(build === "saas");
 
     const [createLoading, setCreateLoading] = useState(false);
     const [showSnippets, setShowSnippets] = useState(false);
@@ -282,6 +280,7 @@ export default function Page() {
             method: isHttp ? "http" : null,
             port: 0,
             siteId: sites.length > 0 ? sites[0].siteId : 0,
+            siteName: sites.length > 0 ? sites[0].name : "",
             path: isHttp ? null : null,
             pathMatchType: isHttp ? null : null,
             rewritePath: isHttp ? null : null,
@@ -336,8 +335,7 @@ export default function Page() {
 
     // In saas mode with no exit nodes, force HTTP
     const showTypeSelector =
-        build !== "saas" ||
-        (!loadingExitNodes && remoteExitNodes.length > 0);
+        build !== "saas" || (!loadingExitNodes && remoteExitNodes.length > 0);
 
     const baseForm = useForm({
         resolver: zodResolver(baseResourceFormSchema),
@@ -600,7 +598,10 @@ export default function Page() {
             toast({
                 variant: "destructive",
                 title: t("resourceErrorCreate"),
-                description: formatAxiosError(e, t("resourceErrorCreateMessageDescription"))
+                description: formatAxiosError(
+                    e,
+                    t("resourceErrorCreateMessageDescription")
+                )
             });
         }
 
@@ -826,7 +827,8 @@ export default function Page() {
             cell: ({ row }) => (
                 <ResourceTargetAddressItem
                     isHttp={isHttp}
-                    sites={sites}
+                    orgId={orgId!.toString()}
+                    // sites={sites}
                     getDockerStateForSite={getDockerStateForSite}
                     proxyTarget={row.original}
                     refreshContainersForSite={refreshContainersForSite}
diff --git a/src/components/resource-target-address-item.tsx b/src/components/resource-target-address-item.tsx
index 6479ede76..2e06c99a9 100644
--- a/src/components/resource-target-address-item.tsx
+++ b/src/components/resource-target-address-item.tsx
@@ -1,12 +1,15 @@
 import { cn } from "@app/lib/cn";
 import type { DockerState } from "@app/lib/docker";
 import { parseHostTarget } from "@app/lib/parseHostTarget";
+import { orgQueries } from "@app/lib/queries";
 import { CaretSortIcon } from "@radix-ui/react-icons";
 import type { ListSitesResponse } from "@server/routers/site";
 import { type ListTargetsResponse } from "@server/routers/target";
 import type { ArrayElement } from "@server/types/ArrayElement";
+import { useQuery } from "@tanstack/react-query";
 import { CheckIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
+import { useState } from "react";
 import { ContainersSelector } from "./ContainersSelector";
 import { Button } from "./ui/button";
 import {
@@ -20,7 +23,6 @@ import {
 import { Input } from "./ui/input";
 import { Popover, PopoverContent, PopoverTrigger } from "./ui/popover";
 import { Select, SelectContent, SelectItem, SelectTrigger } from "./ui/select";
-import { useEffect } from "react";
 
 type SiteWithUpdateAvailable = ListSitesResponse["sites"][number];
 
@@ -36,14 +38,14 @@ export type LocalTarget = Omit<
 export type ResourceTargetAddressItemProps = {
     getDockerStateForSite: (siteId: number) => DockerState;
     updateTarget: (targetId: number, data: Partial<LocalTarget>) => void;
-    sites: SiteWithUpdateAvailable[];
+    orgId: string;
     proxyTarget: LocalTarget;
     isHttp: boolean;
     refreshContainersForSite: (siteId: number) => void;
 };
 
 export function ResourceTargetAddressItem({
-    sites,
+    orgId,
     getDockerStateForSite,
     updateTarget,
     proxyTarget,
@@ -52,10 +54,34 @@ export function ResourceTargetAddressItem({
 }: ResourceTargetAddressItemProps) {
     const t = useTranslations();
 
-    const selectedSite = sites.find(
-        (site) => site.siteId === proxyTarget.siteId
+    const [siteSearchQuery, setSiteSearchQuery] = useState("");
+
+    const { data: sites = [] } = useQuery(
+        orgQueries.sites({
+            orgId,
+            query: siteSearchQuery,
+            perPage: 10
+        })
     );
 
+    const [selectedSite, setSelectedSite] = useState<Pick<
+        SiteWithUpdateAvailable,
+        "name" | "siteId" | "type"
+    > | null>(() => {
+        if (
+            proxyTarget.siteName &&
+            proxyTarget.siteType &&
+            proxyTarget.siteId
+        ) {
+            return {
+                name: proxyTarget.siteName,
+                siteId: proxyTarget.siteId,
+                type: proxyTarget.siteType
+            };
+        }
+        return null;
+    });
+
     const handleContainerSelectForTarget = (
         hostname: string,
         port?: number
@@ -70,28 +96,23 @@ export function ResourceTargetAddressItem({
     return (
         <div className="flex items-center w-full" key={proxyTarget.targetId}>
             <div className="flex items-center w-full justify-start py-0 space-x-2 px-0 cursor-default border border-input rounded-md">
-                {selectedSite &&
-                    selectedSite.type === "newt" &&
-                    (() => {
-                        const dockerState = getDockerStateForSite(
-                            selectedSite.siteId
-                        );
-                        return (
-                            <ContainersSelector
-                                site={selectedSite}
-                                containers={dockerState.containers}
-                                isAvailable={dockerState.isAvailable}
-                                onContainerSelect={
-                                    handleContainerSelectForTarget
-                                }
-                                onRefresh={() =>
-                                    refreshContainersForSite(
-                                        selectedSite.siteId
-                                    )
-                                }
-                            />
-                        );
-                    })()}
+                {selectedSite && selectedSite.type === "newt" && (
+                    <ContainersSelector
+                        site={selectedSite}
+                        containers={
+                            getDockerStateForSite(selectedSite.siteId)
+                                .containers
+                        }
+                        isAvailable={
+                            getDockerStateForSite(selectedSite.siteId)
+                                .isAvailable
+                        }
+                        onContainerSelect={handleContainerSelectForTarget}
+                        onRefresh={() =>
+                            refreshContainersForSite(selectedSite.siteId)
+                        }
+                    />
+                )}
 
                 <Popover>
                     <PopoverTrigger asChild>
@@ -113,8 +134,11 @@ export function ResourceTargetAddressItem({
                         </Button>
                     </PopoverTrigger>
                     <PopoverContent className="p-0 w-45">
-                        <Command>
-                            <CommandInput placeholder={t("siteSearch")} />
+                        <Command shouldFilter={false}>
+                            <CommandInput
+                                placeholder={t("siteSearch")}
+                                onValueChange={(v) => setSiteSearchQuery(v)}
+                            />
                             <CommandList>
                                 <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
                                 <CommandGroup>
@@ -122,14 +146,18 @@ export function ResourceTargetAddressItem({
                                         <CommandItem
                                             key={site.siteId}
                                             value={`${site.siteId}:${site.name}`}
-                                            onSelect={() =>
+                                            onSelect={() => {
                                                 updateTarget(
                                                     proxyTarget.targetId,
                                                     {
-                                                        siteId: site.siteId
+                                                        siteId: site.siteId,
+                                                        siteType: site.type,
+                                                        siteName: site.name
                                                     }
-                                                )
-                                            }
+                                                );
+
+                                                setSelectedSite(site);
+                                            }}
                                         >
                                             <CheckIcon
                                                 className={cn(
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index d3e962d74..f6de28fc0 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -130,14 +130,26 @@ export const orgQueries = {
             }
         }),
 
-    sites: ({ orgId }: { orgId: string }) =>
+    sites: ({
+        orgId,
+        query,
+        perPage = 10_000
+    }: {
+        orgId: string;
+        query?: string;
+        perPage?: number;
+    }) =>
         queryOptions({
-            queryKey: ["ORG", orgId, "SITES"] as const,
+            queryKey: ["ORG", orgId, "SITES", { query, perPage }] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
-                    pageSize: "10000"
+                    pageSize: perPage.toString()
                 });
 
+                if (query?.trim()) {
+                    sp.set("query", query);
+                }
+
                 const res = await meta!.api.get<
                     AxiosResponse<ListSitesResponse>
                 >(`/org/${orgId}/sites?${sp.toString()}`, { signal });

From 435cae06a2f5472b228496b2cf37c5f9aa2d9579 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Tue, 17 Mar 2026 04:16:24 +0100
Subject: [PATCH 010/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20refactor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../resource-target-address-item.tsx          | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/components/resource-target-address-item.tsx b/src/components/resource-target-address-item.tsx
index 2e06c99a9..dfefc3bf2 100644
--- a/src/components/resource-target-address-item.tsx
+++ b/src/components/resource-target-address-item.tsx
@@ -9,7 +9,7 @@ import type { ArrayElement } from "@server/types/ArrayElement";
 import { useQuery } from "@tanstack/react-query";
 import { CheckIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
-import { useState } from "react";
+import { useMemo, useState } from "react";
 import { ContainersSelector } from "./ContainersSelector";
 import { Button } from "./ui/button";
 import {
@@ -82,6 +82,22 @@ export function ResourceTargetAddressItem({
         return null;
     });
 
+    const sitesShown = useMemo(() => {
+        const allSites: Array<
+            Pick<SiteWithUpdateAvailable, "name" | "siteId" | "type">
+        > = [...sites];
+        if (
+            selectedSite !== null &&
+            !(
+                allSites.find((site) => site.siteId)?.siteId ===
+                selectedSite?.siteId
+            )
+        ) {
+            allSites.unshift(selectedSite);
+        }
+        return allSites;
+    }, [sites, selectedSite]);
+
     const handleContainerSelectForTarget = (
         hostname: string,
         port?: number
@@ -137,12 +153,13 @@ export function ResourceTargetAddressItem({
                         <Command shouldFilter={false}>
                             <CommandInput
                                 placeholder={t("siteSearch")}
+                                value={siteSearchQuery}
                                 onValueChange={(v) => setSiteSearchQuery(v)}
                             />
                             <CommandList>
                                 <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
                                 <CommandGroup>
-                                    {sites.map((site) => (
+                                    {sitesShown.map((site) => (
                                         <CommandItem
                                             key={site.siteId}
                                             value={`${site.siteId}:${site.name}`}

From 722595c1319535fa02d904794a205f1d8d926ae2 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 19 Mar 2026 00:35:26 +0100
Subject: [PATCH 011/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20=20make=20site=20s?=
 =?UTF-8?q?elector=20popover=20its=20own=20component?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../resource-target-address-item.tsx          | 80 +++-------------
 src/components/site-selector.tsx              | 91 +++++++++++++++++++
 2 files changed, 104 insertions(+), 67 deletions(-)
 create mode 100644 src/components/site-selector.tsx

diff --git a/src/components/resource-target-address-item.tsx b/src/components/resource-target-address-item.tsx
index dfefc3bf2..851b64b54 100644
--- a/src/components/resource-target-address-item.tsx
+++ b/src/components/resource-target-address-item.tsx
@@ -23,6 +23,7 @@ import {
 import { Input } from "./ui/input";
 import { Popover, PopoverContent, PopoverTrigger } from "./ui/popover";
 import { Select, SelectContent, SelectItem, SelectTrigger } from "./ui/select";
+import { SitesSelector } from "./site-selector";
 
 type SiteWithUpdateAvailable = ListSitesResponse["sites"][number];
 
@@ -54,16 +55,6 @@ export function ResourceTargetAddressItem({
 }: ResourceTargetAddressItemProps) {
     const t = useTranslations();
 
-    const [siteSearchQuery, setSiteSearchQuery] = useState("");
-
-    const { data: sites = [] } = useQuery(
-        orgQueries.sites({
-            orgId,
-            query: siteSearchQuery,
-            perPage: 10
-        })
-    );
-
     const [selectedSite, setSelectedSite] = useState<Pick<
         SiteWithUpdateAvailable,
         "name" | "siteId" | "type"
@@ -82,22 +73,6 @@ export function ResourceTargetAddressItem({
         return null;
     });
 
-    const sitesShown = useMemo(() => {
-        const allSites: Array<
-            Pick<SiteWithUpdateAvailable, "name" | "siteId" | "type">
-        > = [...sites];
-        if (
-            selectedSite !== null &&
-            !(
-                allSites.find((site) => site.siteId)?.siteId ===
-                selectedSite?.siteId
-            )
-        ) {
-            allSites.unshift(selectedSite);
-        }
-        return allSites;
-    }, [sites, selectedSite]);
-
     const handleContainerSelectForTarget = (
         hostname: string,
         port?: number
@@ -150,47 +125,18 @@ export function ResourceTargetAddressItem({
                         </Button>
                     </PopoverTrigger>
                     <PopoverContent className="p-0 w-45">
-                        <Command shouldFilter={false}>
-                            <CommandInput
-                                placeholder={t("siteSearch")}
-                                value={siteSearchQuery}
-                                onValueChange={(v) => setSiteSearchQuery(v)}
-                            />
-                            <CommandList>
-                                <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
-                                <CommandGroup>
-                                    {sitesShown.map((site) => (
-                                        <CommandItem
-                                            key={site.siteId}
-                                            value={`${site.siteId}:${site.name}`}
-                                            onSelect={() => {
-                                                updateTarget(
-                                                    proxyTarget.targetId,
-                                                    {
-                                                        siteId: site.siteId,
-                                                        siteType: site.type,
-                                                        siteName: site.name
-                                                    }
-                                                );
-
-                                                setSelectedSite(site);
-                                            }}
-                                        >
-                                            <CheckIcon
-                                                className={cn(
-                                                    "mr-2 h-4 w-4",
-                                                    site.siteId ===
-                                                        proxyTarget.siteId
-                                                        ? "opacity-100"
-                                                        : "opacity-0"
-                                                )}
-                                            />
-                                            {site.name}
-                                        </CommandItem>
-                                    ))}
-                                </CommandGroup>
-                            </CommandList>
-                        </Command>
+                        <SitesSelector
+                            orgId={orgId}
+                            selectedSite={selectedSite}
+                            onSelectSite={(site) => {
+                                updateTarget(proxyTarget.targetId, {
+                                    siteId: site.siteId,
+                                    siteType: site.type,
+                                    siteName: site.name
+                                });
+                                setSelectedSite(site);
+                            }}
+                        />
                     </PopoverContent>
                 </Popover>
 
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
new file mode 100644
index 000000000..9b7d44034
--- /dev/null
+++ b/src/components/site-selector.tsx
@@ -0,0 +1,91 @@
+import { orgQueries } from "@app/lib/queries";
+import type { ListSitesResponse } from "@server/routers/site";
+import { useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "./ui/command";
+import { cn } from "@app/lib/cn";
+import { CheckIcon } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { useDebounce } from "use-debounce";
+
+type Selectedsite = Pick<
+    ListSitesResponse["sites"][number],
+    "name" | "siteId" | "type"
+>;
+
+export type SitesSelectorProps = {
+    orgId: string;
+    selectedSite?: Selectedsite | null;
+    onSelectSite: (selected: Selectedsite) => void;
+};
+
+export function SitesSelector({
+    orgId,
+    selectedSite,
+    onSelectSite
+}: SitesSelectorProps) {
+    const t = useTranslations();
+    const [siteSearchQuery, setSiteSearchQuery] = useState("");
+    const [debouncedQuery] = useDebounce(siteSearchQuery, 150);
+
+    const { data: sites = [] } = useQuery(
+        orgQueries.sites({
+            orgId,
+            query: debouncedQuery,
+            perPage: 10
+        })
+    );
+
+    // always include the selected site in the list of sites shown
+    const sitesShown = useMemo(() => {
+        const allSites: Array<Selectedsite> = [...sites];
+        if (
+            selectedSite &&
+            !allSites.find((site) => site.siteId === selectedSite?.siteId)
+        ) {
+            allSites.unshift(selectedSite);
+        }
+        return allSites;
+    }, [sites, selectedSite]);
+
+    return (
+        <Command shouldFilter={false}>
+            <CommandInput
+                placeholder={t("siteSearch")}
+                value={siteSearchQuery}
+                onValueChange={(v) => setSiteSearchQuery(v)}
+            />
+            <CommandList>
+                <CommandEmpty>{t("siteNotFound")}</CommandEmpty>
+                <CommandGroup>
+                    {sitesShown.map((site) => (
+                        <CommandItem
+                            key={site.siteId}
+                            value={`${site.siteId}:${site.name}`}
+                            onSelect={() => {
+                                onSelectSite(site);
+                            }}
+                        >
+                            <CheckIcon
+                                className={cn(
+                                    "mr-2 h-4 w-4",
+                                    site.siteId === selectedSite?.siteId
+                                        ? "opacity-100"
+                                        : "opacity-0"
+                                )}
+                            />
+                            {site.name}
+                        </CommandItem>
+                    ))}
+                </CommandGroup>
+            </CommandList>
+        </Command>
+    );
+}

From 8f33e25782b1dccb80997014d321bc2258b2a3c9 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 19 Mar 2026 01:18:27 +0100
Subject: [PATCH 012/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20use=20site=20selec?=
 =?UTF-8?q?tor=20on=20private=20resources?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx | 81 +++++++------------------
 src/components/site-selector.tsx        |  2 +-
 2 files changed, 24 insertions(+), 59 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 6df1aceb7..fa1ee22d3 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -1,15 +1,10 @@
 "use client";
 
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import { StrategySelect } from "@app/components/StrategySelect";
 import { Tag, TagInput } from "@app/components/tags/tag-input";
 import { Button } from "@app/components/ui/button";
-import {
-    Command,
-    CommandEmpty,
-    CommandGroup,
-    CommandInput,
-    CommandItem,
-    CommandList
-} from "@app/components/ui/command";
 import {
     Form,
     FormControl,
@@ -32,24 +27,22 @@ import {
     SelectValue
 } from "@app/components/ui/select";
 import { Switch } from "@app/components/ui/switch";
-import { getUserDisplayName } from "@app/lib/getUserDisplayName";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { cn } from "@app/lib/cn";
+import { getUserDisplayName } from "@app/lib/getUserDisplayName";
 import { orgQueries, resourceQueries } from "@app/lib/queries";
-import { useQueries, useQuery } from "@tanstack/react-query";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { ListSitesResponse } from "@server/routers/site";
 import { UserType } from "@server/types/UserTypes";
-import { Check, ChevronsUpDown, ExternalLink } from "lucide-react";
+import { useQuery } from "@tanstack/react-query";
+import { ChevronsUpDown, ExternalLink } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useEffect, useRef, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { useEnvContext } from "@app/hooks/useEnvContext";
-import { usePaidStatus } from "@app/hooks/usePaidStatus";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { HorizontalTabs } from "@app/components/HorizontalTabs";
-import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
-import { StrategySelect } from "@app/components/StrategySelect";
+import { SitesSelector, type Selectedsite } from "./site-selector";
 
 // --- Helpers (shared) ---
 
@@ -407,6 +400,10 @@ export function InternalResourceForm({
                   clients: []
               };
 
+    const [selectedSite, setSelectedSite] = useState<Selectedsite>(
+        availableSites[0]
+    );
+
     const form = useForm<FormData>({
         resolver: zodResolver(formSchema),
         defaultValues
@@ -578,46 +575,14 @@ export function InternalResourceForm({
                                         </FormControl>
                                     </PopoverTrigger>
                                     <PopoverContent className="w-full p-0">
-                                        <Command>
-                                            <CommandInput
-                                                placeholder={t("searchSites")}
-                                            />
-                                            <CommandList>
-                                                <CommandEmpty>
-                                                    {t("noSitesFound")}
-                                                </CommandEmpty>
-                                                <CommandGroup>
-                                                    {availableSites.map(
-                                                        (site) => (
-                                                            <CommandItem
-                                                                key={
-                                                                    site.siteId
-                                                                }
-                                                                value={
-                                                                    site.name
-                                                                }
-                                                                onSelect={() =>
-                                                                    field.onChange(
-                                                                        site.siteId
-                                                                    )
-                                                                }
-                                                            >
-                                                                <Check
-                                                                    className={cn(
-                                                                        "mr-2 h-4 w-4",
-                                                                        field.value ===
-                                                                            site.siteId
-                                                                            ? "opacity-100"
-                                                                            : "opacity-0"
-                                                                    )}
-                                                                />
-                                                                {site.name}
-                                                            </CommandItem>
-                                                        )
-                                                    )}
-                                                </CommandGroup>
-                                            </CommandList>
-                                        </Command>
+                                        <SitesSelector
+                                            orgId={orgId}
+                                            selectedSite={selectedSite}
+                                            onSelectSite={(site) => {
+                                                setSelectedSite(site);
+                                                field.onChange(site.siteId);
+                                            }}
+                                        />
                                     </PopoverContent>
                                 </Popover>
                                 <FormMessage />
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
index 9b7d44034..0afd94c9a 100644
--- a/src/components/site-selector.tsx
+++ b/src/components/site-selector.tsx
@@ -15,7 +15,7 @@ import { CheckIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useDebounce } from "use-debounce";
 
-type Selectedsite = Pick<
+export type Selectedsite = Pick<
     ListSitesResponse["sites"][number],
     "name" | "siteId" | "type"
 >;

From e15703164d231c284090ee04e86b48a7e357cfe5 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Thu, 19 Mar 2026 04:44:24 +0100
Subject: [PATCH 013/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20resource=20selecto?=
 =?UTF-8?q?r=20in=20create=20share=20link=20form?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/CreateShareLinkForm.tsx | 83 +++++++++++++++++---------
 src/components/resource-selector.tsx   | 81 +++++++++++++++++++++++++
 src/lib/queries.ts                     | 18 +++++-
 3 files changed, 151 insertions(+), 31 deletions(-)
 create mode 100644 src/components/resource-selector.tsx

diff --git a/src/components/CreateShareLinkForm.tsx b/src/components/CreateShareLinkForm.tsx
index 2f6f9aff2..fef1fb0e1 100644
--- a/src/components/CreateShareLinkForm.tsx
+++ b/src/components/CreateShareLinkForm.tsx
@@ -69,6 +69,7 @@ import {
 import AccessTokenSection from "@app/components/AccessTokenUsage";
 import { useTranslations } from "next-intl";
 import { toUnicode } from "punycode";
+import { ResourceSelector, type SelectedResource } from "./resource-selector";
 
 type FormProps = {
     open: boolean;
@@ -99,18 +100,21 @@ export default function CreateShareLinkForm({
         orgQueries.resources({ orgId: org?.org.orgId ?? "" })
     );
 
-    const resources = useMemo(
-        () =>
-            allResources
-                .filter((r) => r.http)
-                .map((r) => ({
-                    resourceId: r.resourceId,
-                    name: r.name,
-                    niceId: r.niceId,
-                    resourceUrl: `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
-                })),
-        [allResources]
-    );
+    const [selectedResource, setSelectedResource] =
+        useState<SelectedResource | null>(null);
+
+    // const resources = useMemo(
+    //     () =>
+    //         allResources
+    //             .filter((r) => r.http)
+    //             .map((r) => ({
+    //                 resourceId: r.resourceId,
+    //                 name: r.name,
+    //                 niceId: r.niceId,
+    //                 resourceUrl: `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
+    //             })),
+    //     [allResources]
+    // );
 
     const formSchema = z.object({
         resourceId: z.number({ message: t("shareErrorSelectResource") }),
@@ -199,15 +203,11 @@ export default function CreateShareLinkForm({
             setAccessToken(token.accessToken);
             setAccessTokenId(token.accessTokenId);
 
-            const resource = resources.find(
-                (r) => r.resourceId === values.resourceId
-            );
-
             onCreated?.({
                 accessTokenId: token.accessTokenId,
                 resourceId: token.resourceId,
                 resourceName: values.resourceName,
-                resourceNiceId: resource ? resource.niceId : "",
+                resourceNiceId: selectedResource ? selectedResource.niceId : "",
                 title: token.title,
                 createdAt: token.createdAt,
                 expiresAt: token.expiresAt
@@ -217,10 +217,10 @@ export default function CreateShareLinkForm({
         setLoading(false);
     }
 
-    function getSelectedResourceName(id: number) {
-        const resource = resources.find((r) => r.resourceId === id);
-        return `${resource?.name}`;
-    }
+    // function getSelectedResourceName(id: number) {
+    //     const resource = resources.find((r) => r.resourceId === id);
+    //     return `${resource?.name}`;
+    // }
 
     return (
         <>
@@ -241,7 +241,7 @@ export default function CreateShareLinkForm({
                         </CredenzaDescription>
                     </CredenzaHeader>
                     <CredenzaBody>
-                        <div className="space-y-4">
+                        <div className="flex flex-col gap-y-4 px-1">
                             {!link && (
                                 <Form {...form}>
                                     <form
@@ -269,10 +269,8 @@ export default function CreateShareLinkForm({
                                                                             "text-muted-foreground"
                                                                     )}
                                                                 >
-                                                                    {field.value
-                                                                        ? getSelectedResourceName(
-                                                                              field.value
-                                                                          )
+                                                                    {selectedResource?.name
+                                                                        ? selectedResource.name
                                                                         : t(
                                                                               "resourceSelect"
                                                                           )}
@@ -281,7 +279,7 @@ export default function CreateShareLinkForm({
                                                             </FormControl>
                                                         </PopoverTrigger>
                                                         <PopoverContent className="p-0">
-                                                            <Command>
+                                                            {/* <Command>
                                                                 <CommandInput
                                                                     placeholder={t(
                                                                         "resourceSearch"
@@ -333,7 +331,36 @@ export default function CreateShareLinkForm({
                                                                         )}
                                                                     </CommandGroup>
                                                                 </CommandList>
-                                                            </Command>
+                                                            </Command> */}
+
+                                                            <ResourceSelector
+                                                                orgId={
+                                                                    org.org
+                                                                        .orgId
+                                                                }
+                                                                selectedResource={
+                                                                    selectedResource
+                                                                }
+                                                                onSelectResource={(
+                                                                    r
+                                                                ) => {
+                                                                    form.setValue(
+                                                                        "resourceId",
+                                                                        r.resourceId
+                                                                    );
+                                                                    form.setValue(
+                                                                        "resourceName",
+                                                                        r.name
+                                                                    );
+                                                                    form.setValue(
+                                                                        "resourceUrl",
+                                                                        `${r.ssl ? "https://" : "http://"}${toUnicode(r.fullDomain || "")}/`
+                                                                    );
+                                                                    setSelectedResource(
+                                                                        r
+                                                                    );
+                                                                }}
+                                                            />
                                                         </PopoverContent>
                                                     </Popover>
                                                     <FormMessage />
diff --git a/src/components/resource-selector.tsx b/src/components/resource-selector.tsx
new file mode 100644
index 000000000..a940894b0
--- /dev/null
+++ b/src/components/resource-selector.tsx
@@ -0,0 +1,81 @@
+import { orgQueries } from "@app/lib/queries";
+import { useQuery } from "@tanstack/react-query";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "./ui/command";
+import { useState } from "react";
+import { useTranslations } from "next-intl";
+import { CheckIcon } from "lucide-react";
+import { cn } from "@app/lib/cn";
+import type { ListResourcesResponse } from "@server/routers/resource";
+import { useDebounce } from "use-debounce";
+
+export type SelectedResource = Pick<
+    ListResourcesResponse["resources"][number],
+    "name" | "resourceId" | "fullDomain" | "niceId" | "ssl"
+>;
+
+export type ResourceSelectorProps = {
+    orgId: string;
+    selectedResource?: SelectedResource | null;
+    onSelectResource: (resource: SelectedResource) => void;
+};
+
+export function ResourceSelector({
+    orgId,
+    selectedResource,
+    onSelectResource
+}: ResourceSelectorProps) {
+    const t = useTranslations();
+    const [resourceSearchQuery, setResourceSearchQuery] = useState("");
+
+    const [debouncedSearchQuery] = useDebounce(resourceSearchQuery, 150);
+
+    const { data: resources = [] } = useQuery(
+        orgQueries.resources({
+            orgId: orgId,
+            query: debouncedSearchQuery,
+            perPage: 10
+        })
+    );
+
+    return (
+        <Command shouldFilter={false}>
+            <CommandInput
+                placeholder={t("resourceSearch")}
+                value={resourceSearchQuery}
+                onValueChange={setResourceSearchQuery}
+            />
+            <CommandList>
+                <CommandEmpty>{t("resourcesNotFound")}</CommandEmpty>
+                <CommandGroup>
+                    {resources.map((r) => (
+                        <CommandItem
+                            value={`${r.name}:${r.resourceId}`}
+                            key={r.resourceId}
+                            onSelect={() => {
+                                onSelectResource(r);
+                            }}
+                        >
+                            <CheckIcon
+                                className={cn(
+                                    "mr-2 h-4 w-4",
+                                    r.resourceId ===
+                                        selectedResource?.resourceId
+                                        ? "opacity-100"
+                                        : "opacity-0"
+                                )}
+                            />
+                            {`${r.name}`}
+                        </CommandItem>
+                    ))}
+                </CommandGroup>
+            </CommandList>
+        </Command>
+    );
+}
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index f6de28fc0..dfa706a88 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -191,14 +191,26 @@ export const orgQueries = {
             }
         }),
 
-    resources: ({ orgId }: { orgId: string }) =>
+    resources: ({
+        orgId,
+        query,
+        perPage = 10_000
+    }: {
+        orgId: string;
+        query?: string;
+        perPage?: number;
+    }) =>
         queryOptions({
-            queryKey: ["ORG", orgId, "RESOURCES"] as const,
+            queryKey: ["ORG", orgId, "RESOURCES", { query, perPage }] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
-                    pageSize: "10000"
+                    pageSize: perPage.toString()
                 });
 
+                if (query?.trim()) {
+                    sp.set("query", query);
+                }
+
                 const res = await meta!.api.get<
                     AxiosResponse<ListResourcesResponse>
                 >(`/org/${orgId}/resources?${sp.toString()}`, { signal });

From ce58e71c440f40a8ea26d6d4d7546c19f16b658a Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 03:59:10 +0100
Subject: [PATCH 014/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20make=20machine=20s?=
 =?UTF-8?q?elector=20a=20multi-combobox?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 messages/en-US.json                     |   5 +
 src/components/CreateShareLinkForm.tsx  |  59 ----------
 src/components/InternalResourceForm.tsx | 140 ++++++++++++++----------
 src/components/MachineClientsTable.tsx  |   2 +-
 src/components/UserDevicesTable.tsx     |   2 +-
 src/components/machine-selector.tsx     | 108 ++++++++++++++++++
 src/components/resource-selector.tsx    |  19 +++-
 src/lib/queries.ts                      |  16 ++-
 8 files changed, 231 insertions(+), 120 deletions(-)
 create mode 100644 src/components/machine-selector.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 3d5352293..06be10e65 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -148,6 +148,11 @@
     "createLink": "Create Link",
     "resourcesNotFound": "No resources found",
     "resourceSearch": "Search resources",
+    "machineSearch": "Search machines",
+    "machinesSearch": "Search machine clients...",
+    "machineNotFound": "No machines found",
+    "userDeviceSearch": "Search user devices",
+    "userDevicesSearch": "Search user devices...",
     "openMenu": "Open menu",
     "resource": "Resource",
     "title": "Title",
diff --git a/src/components/CreateShareLinkForm.tsx b/src/components/CreateShareLinkForm.tsx
index fef1fb0e1..d0e26a1c2 100644
--- a/src/components/CreateShareLinkForm.tsx
+++ b/src/components/CreateShareLinkForm.tsx
@@ -217,11 +217,6 @@ export default function CreateShareLinkForm({
         setLoading(false);
     }
 
-    // function getSelectedResourceName(id: number) {
-    //     const resource = resources.find((r) => r.resourceId === id);
-    //     return `${resource?.name}`;
-    // }
-
     return (
         <>
             <Credenza
@@ -279,60 +274,6 @@ export default function CreateShareLinkForm({
                                                             </FormControl>
                                                         </PopoverTrigger>
                                                         <PopoverContent className="p-0">
-                                                            {/* <Command>
-                                                                <CommandInput
-                                                                    placeholder={t(
-                                                                        "resourceSearch"
-                                                                    )}
-                                                                />
-                                                                <CommandList>
-                                                                    <CommandEmpty>
-                                                                        {t(
-                                                                            "resourcesNotFound"
-                                                                        )}
-                                                                    </CommandEmpty>
-                                                                    <CommandGroup>
-                                                                        {resources.map(
-                                                                            (
-                                                                                r
-                                                                            ) => (
-                                                                                <CommandItem
-                                                                                    value={`${r.name}:${r.resourceId}`}
-                                                                                    key={
-                                                                                        r.resourceId
-                                                                                    }
-                                                                                    onSelect={() => {
-                                                                                        form.setValue(
-                                                                                            "resourceId",
-                                                                                            r.resourceId
-                                                                                        );
-                                                                                        form.setValue(
-                                                                                            "resourceName",
-                                                                                            r.name
-                                                                                        );
-                                                                                        form.setValue(
-                                                                                            "resourceUrl",
-                                                                                            r.resourceUrl
-                                                                                        );
-                                                                                    }}
-                                                                                >
-                                                                                    <CheckIcon
-                                                                                        className={cn(
-                                                                                            "mr-2 h-4 w-4",
-                                                                                            r.resourceId ===
-                                                                                                field.value
-                                                                                                ? "opacity-100"
-                                                                                                : "opacity-0"
-                                                                                        )}
-                                                                                    />
-                                                                                    {`${r.name}`}
-                                                                                </CommandItem>
-                                                                            )
-                                                                        )}
-                                                                    </CommandGroup>
-                                                                </CommandList>
-                                                            </Command> */}
-
                                                             <ResourceSelector
                                                                 orgId={
                                                                     org.org
diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index fa1ee22d3..dc3223500 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -43,6 +43,8 @@ import { useEffect, useRef, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { SitesSelector, type Selectedsite } from "./site-selector";
+import { CaretSortIcon } from "@radix-ui/react-icons";
+import { MachineSelector } from "./machine-selector";
 
 // --- Helpers (shared) ---
 
@@ -243,7 +245,14 @@ export function InternalResourceForm({
         authDaemonPort: z.number().int().positive().optional().nullable(),
         roles: z.array(tagSchema).optional(),
         users: z.array(tagSchema).optional(),
-        clients: z.array(tagSchema).optional()
+        clients: z
+            .array(
+                z.object({
+                    clientId: z.number(),
+                    name: z.string()
+                })
+            )
+            .optional()
     });
 
     type FormData = z.infer<typeof formSchema>;
@@ -252,7 +261,7 @@ export function InternalResourceForm({
 
     const rolesQuery = useQuery(orgQueries.roles({ orgId }));
     const usersQuery = useQuery(orgQueries.users({ orgId }));
-    const clientsQuery = useQuery(orgQueries.clients({ orgId }));
+    const clientsQuery = useQuery(orgQueries.machineClients({ orgId }));
     const resourceRolesQuery = useQuery({
         ...resourceQueries.siteResourceRoles({
             siteResourceId: siteResourceId ?? 0
@@ -310,12 +319,9 @@ export function InternalResourceForm({
             }));
         }
         if (clientsData) {
-            existingClients = (
-                clientsData as { clientId: number; name: string }[]
-            ).map((c) => ({
-                id: c.clientId.toString(),
-                text: c.name
-            }));
+            existingClients = [
+                ...(clientsData as { clientId: number; name: string }[])
+            ];
         }
     }
 
@@ -592,8 +598,7 @@ export function InternalResourceForm({
                 </div>
 
                 <HorizontalTabs
-                    clientSide={true}
-                    defaultTab={0}
+                    clientSide
                     items={[
                         {
                             title: t(
@@ -610,7 +615,7 @@ export function InternalResourceForm({
                             : [{ title: t("sshAccess"), href: "#" }])
                     ]}
                 >
-                    <div className="space-y-4 mt-4">
+                    <div className="space-y-4 mt-4 p-1">
                         <div>
                             <div className="mb-8">
                                 <label className="font-medium block">
@@ -981,7 +986,7 @@ export function InternalResourceForm({
                         </div>
                     </div>
 
-                    <div className="space-y-4 mt-4">
+                    <div className="space-y-4 mt-4 p-1">
                         <div className="mb-8">
                             <label className="font-medium block">
                                 {t("editInternalResourceDialogAccessControl")}
@@ -1101,48 +1106,73 @@ export function InternalResourceForm({
                                                 <FormLabel>
                                                     {t("machineClients")}
                                                 </FormLabel>
-                                                <FormControl>
-                                                    <TagInput
-                                                        {...field}
-                                                        activeTagIndex={
-                                                            activeClientsTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveClientsTagIndex
-                                                        }
-                                                        placeholder={
-                                                            t(
-                                                                "accessClientSelect"
-                                                            ) ||
-                                                            "Select machine clients"
-                                                        }
-                                                        size="sm"
-                                                        tags={
-                                                            form.getValues()
-                                                                .clients ?? []
-                                                        }
-                                                        setTags={(newClients) =>
-                                                            form.setValue(
-                                                                "clients",
-                                                                newClients as [
-                                                                    Tag,
-                                                                    ...Tag[]
-                                                                ]
-                                                            )
-                                                        }
-                                                        enableAutocomplete={
-                                                            true
-                                                        }
-                                                        autocompleteOptions={
-                                                            allClients
-                                                        }
-                                                        allowDuplicates={false}
-                                                        restrictTagsToAutocompleteOptions={
-                                                            true
-                                                        }
-                                                        sortTags={true}
-                                                    />
-                                                </FormControl>
+                                                <Popover>
+                                                    <PopoverTrigger asChild>
+                                                        <FormControl>
+                                                            <Button
+                                                                variant="outline"
+                                                                role="combobox"
+                                                                className={cn(
+                                                                    "justify-between w-full",
+                                                                    "text-muted-foreground pl-1.5"
+                                                                )}
+                                                            >
+                                                                <span
+                                                                    className={cn(
+                                                                        "inline-flex items-center gap-1",
+                                                                        "overflow-x-auto"
+                                                                    )}
+                                                                >
+                                                                    {(
+                                                                        field.value ??
+                                                                        []
+                                                                    ).map(
+                                                                        (
+                                                                            client
+                                                                        ) => (
+                                                                            <span
+                                                                                key={
+                                                                                    client.clientId
+                                                                                }
+                                                                                className={cn(
+                                                                                    "bg-muted-foreground/20 font-normal text-foreground rounded-sm",
+                                                                                    "py-1 px-1.5 text-xs"
+                                                                                )}
+                                                                            >
+                                                                                {
+                                                                                    client.name
+                                                                                }
+                                                                            </span>
+                                                                        )
+                                                                    )}
+                                                                    <span className="pl-1">
+                                                                        {t(
+                                                                            "accessClientSelect"
+                                                                        )}
+                                                                    </span>
+                                                                </span>
+                                                                <CaretSortIcon className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                                                            </Button>
+                                                        </FormControl>
+                                                    </PopoverTrigger>
+                                                    <PopoverContent className="p-0">
+                                                        <MachineSelector
+                                                            selectedMachines={
+                                                                field.value ??
+                                                                []
+                                                            }
+                                                            orgId={orgId}
+                                                            onSelectMachines={(
+                                                                machines
+                                                            ) => {
+                                                                form.setValue(
+                                                                    "clients",
+                                                                    machines
+                                                                );
+                                                            }}
+                                                        />
+                                                    </PopoverContent>
+                                                </Popover>
                                                 <FormMessage />
                                             </FormItem>
                                         )}
@@ -1154,7 +1184,7 @@ export function InternalResourceForm({
 
                     {/* SSH Access tab */}
                     {!disableEnterpriseFeatures && mode !== "cidr" && (
-                        <div className="space-y-4 mt-4">
+                        <div className="space-y-4 mt-4 p-1">
                             <PaidFeaturesAlert tiers={tierMatrix.sshPam} />
                             <div className="mb-8">
                                 <label className="font-medium block">
diff --git a/src/components/MachineClientsTable.tsx b/src/components/MachineClientsTable.tsx
index bd5a8e00d..9c1da5b4d 100644
--- a/src/components/MachineClientsTable.tsx
+++ b/src/components/MachineClientsTable.tsx
@@ -540,7 +540,7 @@ export default function MachineClientsTable({
                 columns={columns}
                 rows={machineClients}
                 tableId="machine-clients"
-                searchPlaceholder={t("resourcesSearch")}
+                searchPlaceholder={t("machinesSearch")}
                 onAdd={() =>
                     startNavigation(() =>
                         router.push(`/${orgId}/settings/clients/machine/create`)
diff --git a/src/components/UserDevicesTable.tsx b/src/components/UserDevicesTable.tsx
index 1b7b0c694..52f2d1384 100644
--- a/src/components/UserDevicesTable.tsx
+++ b/src/components/UserDevicesTable.tsx
@@ -770,7 +770,7 @@ export default function UserDevicesTable({
                 columns={columns}
                 rows={userClients || []}
                 tableId="user-clients"
-                searchPlaceholder={t("resourcesSearch")}
+                searchPlaceholder={t("userDevicesSearch")}
                 onRefresh={refreshData}
                 isRefreshing={isRefreshing || isFiltering}
                 enableColumnVisibility
diff --git a/src/components/machine-selector.tsx b/src/components/machine-selector.tsx
new file mode 100644
index 000000000..c184079ca
--- /dev/null
+++ b/src/components/machine-selector.tsx
@@ -0,0 +1,108 @@
+import { orgQueries } from "@app/lib/queries";
+import type { ListClientsResponse } from "@server/routers/client";
+import { useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
+import { useDebounce } from "use-debounce";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "./ui/command";
+import { cn } from "@app/lib/cn";
+
+import { CheckIcon } from "lucide-react";
+import { useTranslations } from "next-intl";
+
+export type SelectedMachine = Pick<
+    ListClientsResponse["clients"][number],
+    "name" | "clientId"
+>;
+
+export type MachineSelectorProps = {
+    orgId: string;
+    selectedMachines?: SelectedMachine[];
+    onSelectMachines: (machine: SelectedMachine[]) => void;
+};
+
+export function MachineSelector({
+    orgId,
+    selectedMachines = [],
+    onSelectMachines
+}: MachineSelectorProps) {
+    const t = useTranslations();
+    const [machineSearchQuery, setMachineSearchQuery] = useState("");
+
+    const [debouncedValue] = useDebounce(machineSearchQuery, 150);
+
+    const { data: machines = [] } = useQuery(
+        orgQueries.machineClients({ orgId, perPage: 10, query: debouncedValue })
+    );
+
+    // always include the selected site in the list of sites shown
+    const machinesShown = useMemo(() => {
+        const allMachines: Array<SelectedMachine> = [...machines];
+        for (const machine of selectedMachines) {
+            if (
+                !allMachines.find(
+                    (machine) => machine.clientId === machine.clientId
+                )
+            ) {
+                allMachines.unshift(machine);
+            }
+        }
+
+        return allMachines;
+    }, [machines, selectedMachines]);
+
+    const selectedMachinesIds = new Set(
+        selectedMachines.map((m) => m.clientId)
+    );
+
+    return (
+        <Command shouldFilter={false}>
+            <CommandInput
+                placeholder={t("machineSearch")}
+                value={machineSearchQuery}
+                onValueChange={setMachineSearchQuery}
+            />
+            <CommandList>
+                <CommandEmpty>{t("machineNotFound")}</CommandEmpty>
+                <CommandGroup>
+                    {machinesShown.map((m) => (
+                        <CommandItem
+                            value={`${m.name}:${m.clientId}`}
+                            key={m.clientId}
+                            onSelect={() => {
+                                let newMachineClients = [];
+                                if (selectedMachinesIds.has(m.clientId)) {
+                                    newMachineClients = selectedMachines.filter(
+                                        (mc) => mc.clientId !== m.clientId
+                                    );
+                                } else {
+                                    newMachineClients = [
+                                        ...selectedMachines,
+                                        m
+                                    ];
+                                }
+                                onSelectMachines(newMachineClients);
+                            }}
+                        >
+                            <CheckIcon
+                                className={cn(
+                                    "mr-2 h-4 w-4",
+                                    selectedMachinesIds.has(m.clientId)
+                                        ? "opacity-100"
+                                        : "opacity-0"
+                                )}
+                            />
+                            {`${m.name}`}
+                        </CommandItem>
+                    ))}
+                </CommandGroup>
+            </CommandList>
+        </Command>
+    );
+}
diff --git a/src/components/resource-selector.tsx b/src/components/resource-selector.tsx
index a940894b0..134c2c71a 100644
--- a/src/components/resource-selector.tsx
+++ b/src/components/resource-selector.tsx
@@ -8,7 +8,7 @@ import {
     CommandItem,
     CommandList
 } from "./ui/command";
-import { useState } from "react";
+import { useMemo, useState } from "react";
 import { useTranslations } from "next-intl";
 import { CheckIcon } from "lucide-react";
 import { cn } from "@app/lib/cn";
@@ -44,6 +44,21 @@ export function ResourceSelector({
         })
     );
 
+    // always include the selected site in the list of sites shown
+    const resourcesShown = useMemo(() => {
+        const allResources: Array<SelectedResource> = [...resources];
+        if (
+            selectedResource &&
+            !allResources.find(
+                (resource) =>
+                    resource.resourceId === selectedResource?.resourceId
+            )
+        ) {
+            allResources.unshift(selectedResource);
+        }
+        return allResources;
+    }, [resources, selectedResource]);
+
     return (
         <Command shouldFilter={false}>
             <CommandInput
@@ -54,7 +69,7 @@ export function ResourceSelector({
             <CommandList>
                 <CommandEmpty>{t("resourcesNotFound")}</CommandEmpty>
                 <CommandGroup>
-                    {resources.map((r) => (
+                    {resourcesShown.map((r) => (
                         <CommandItem
                             value={`${r.name}:${r.resourceId}`}
                             key={r.resourceId}
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index dfa706a88..69c496e24 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -92,14 +92,26 @@ export const productUpdatesQueries = {
 };
 
 export const orgQueries = {
-    clients: ({ orgId }: { orgId: string }) =>
+    machineClients: ({
+        orgId,
+        query,
+        perPage = 10_000
+    }: {
+        orgId: string;
+        query?: string;
+        perPage?: number;
+    }) =>
         queryOptions({
             queryKey: ["ORG", orgId, "CLIENTS"] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
-                    pageSize: "10000"
+                    pageSize: perPage.toString()
                 });
 
+                if (query?.trim()) {
+                    sp.set("query", query);
+                }
+
                 const res = await meta!.api.get<
                     AxiosResponse<ListClientsResponse>
                 >(`/org/${orgId}/clients?${sp.toString()}`, { signal });

From 02697e27a4fa7be24affe70328b0e54a67bcb1d4 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:02:51 +0100
Subject: [PATCH 015/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20=20refactor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/machine-selector.tsx  | 18 +++++++++---------
 src/components/resource-selector.tsx |  5 +++--
 src/components/site-selector.tsx     |  3 ++-
 src/lib/queries.ts                   |  2 +-
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/components/machine-selector.tsx b/src/components/machine-selector.tsx
index c184079ca..6aaf1afdd 100644
--- a/src/components/machine-selector.tsx
+++ b/src/components/machine-selector.tsx
@@ -41,21 +41,21 @@ export function MachineSelector({
         orgQueries.machineClients({ orgId, perPage: 10, query: debouncedValue })
     );
 
-    // always include the selected site in the list of sites shown
+    // always include the selected machines in the list of machines shown (if the user isn't searching)
     const machinesShown = useMemo(() => {
         const allMachines: Array<SelectedMachine> = [...machines];
-        for (const machine of selectedMachines) {
-            if (
-                !allMachines.find(
-                    (machine) => machine.clientId === machine.clientId
-                )
-            ) {
-                allMachines.unshift(machine);
+        if (debouncedValue.trim().length === 0) {
+            for (const machine of selectedMachines) {
+                if (
+                    !allMachines.find((mc) => mc.clientId === machine.clientId)
+                ) {
+                    allMachines.unshift(machine);
+                }
             }
         }
 
         return allMachines;
-    }, [machines, selectedMachines]);
+    }, [machines, selectedMachines, debouncedValue]);
 
     const selectedMachinesIds = new Set(
         selectedMachines.map((m) => m.clientId)
diff --git a/src/components/resource-selector.tsx b/src/components/resource-selector.tsx
index 134c2c71a..96044a8d2 100644
--- a/src/components/resource-selector.tsx
+++ b/src/components/resource-selector.tsx
@@ -44,10 +44,11 @@ export function ResourceSelector({
         })
     );
 
-    // always include the selected site in the list of sites shown
+    // always include the selected resource in the list of resources shown
     const resourcesShown = useMemo(() => {
         const allResources: Array<SelectedResource> = [...resources];
         if (
+            debouncedSearchQuery.trim().length === 0 &&
             selectedResource &&
             !allResources.find(
                 (resource) =>
@@ -57,7 +58,7 @@ export function ResourceSelector({
             allResources.unshift(selectedResource);
         }
         return allResources;
-    }, [resources, selectedResource]);
+    }, [debouncedSearchQuery, resources, selectedResource]);
 
     return (
         <Command shouldFilter={false}>
diff --git a/src/components/site-selector.tsx b/src/components/site-selector.tsx
index 0afd94c9a..4c3c97651 100644
--- a/src/components/site-selector.tsx
+++ b/src/components/site-selector.tsx
@@ -47,13 +47,14 @@ export function SitesSelector({
     const sitesShown = useMemo(() => {
         const allSites: Array<Selectedsite> = [...sites];
         if (
+            debouncedQuery.trim().length === 0 &&
             selectedSite &&
             !allSites.find((site) => site.siteId === selectedSite?.siteId)
         ) {
             allSites.unshift(selectedSite);
         }
         return allSites;
-    }, [sites, selectedSite]);
+    }, [debouncedQuery, sites, selectedSite]);
 
     return (
         <Command shouldFilter={false}>
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index 69c496e24..2fd34e8ac 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -102,7 +102,7 @@ export const orgQueries = {
         perPage?: number;
     }) =>
         queryOptions({
-            queryKey: ["ORG", orgId, "CLIENTS"] as const,
+            queryKey: ["ORG", orgId, "CLIENTS", { query, perPage }] as const,
             queryFn: async ({ signal, meta }) => {
                 const sp = new URLSearchParams({
                     pageSize: perPage.toString()

From e358d1276568bd5e318b5711d4fd93377f67bea1 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:15:18 +0100
Subject: [PATCH 016/122] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20submit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index dc3223500..e79575ab3 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -531,9 +531,15 @@ export function InternalResourceForm({
     return (
         <Form {...form}>
             <form
-                onSubmit={form.handleSubmit((values) =>
-                    onSubmit(values as InternalResourceFormValues)
-                )}
+                onSubmit={form.handleSubmit((values) => {
+                    onSubmit({
+                        ...values,
+                        clients: (values.clients ?? []).map((c) => ({
+                            id: c.clientId.toString(),
+                            text: c.name
+                        }))
+                    });
+                })}
                 className="space-y-6"
                 id={formId}
             >

From 52cac4aa21ea44c01633f9aaf9d80deca6a74f3d Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:17:35 +0100
Subject: [PATCH 017/122] =?UTF-8?q?=F0=9F=9A=9A=20rename=20component?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx                       | 4 ++--
 .../{machine-selector.tsx => machines-selector.tsx}           | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename src/components/{machine-selector.tsx => machines-selector.tsx} (99%)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index e79575ab3..ef2e02d57 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -44,7 +44,7 @@ import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { SitesSelector, type Selectedsite } from "./site-selector";
 import { CaretSortIcon } from "@radix-ui/react-icons";
-import { MachineSelector } from "./machine-selector";
+import { MachinesSelector } from "./machines-selector";
 
 // --- Helpers (shared) ---
 
@@ -1162,7 +1162,7 @@ export function InternalResourceForm({
                                                         </FormControl>
                                                     </PopoverTrigger>
                                                     <PopoverContent className="p-0">
-                                                        <MachineSelector
+                                                        <MachinesSelector
                                                             selectedMachines={
                                                                 field.value ??
                                                                 []
diff --git a/src/components/machine-selector.tsx b/src/components/machines-selector.tsx
similarity index 99%
rename from src/components/machine-selector.tsx
rename to src/components/machines-selector.tsx
index 6aaf1afdd..9c31a0bd3 100644
--- a/src/components/machine-selector.tsx
+++ b/src/components/machines-selector.tsx
@@ -27,7 +27,7 @@ export type MachineSelectorProps = {
     onSelectMachines: (machine: SelectedMachine[]) => void;
 };
 
-export function MachineSelector({
+export function MachinesSelector({
     orgId,
     selectedMachines = [],
     onSelectMachines

From e0fa5607e580c74010fe0992da9e3e547096d1a0 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Fri, 20 Mar 2026 04:37:57 +0100
Subject: [PATCH 018/122] push


From 3cca0c09c06e1a928c5cae9b8b5ad10ab231ee88 Mon Sep 17 00:00:00 2001
From: Noe Charmet <noe.charmet@shipfox.io>
Date: Mon, 23 Mar 2026 11:09:19 +0100
Subject: [PATCH 019/122] Allow setting Redis password from env

---
 server/private/lib/readConfigFile.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/private/lib/readConfigFile.ts b/server/private/lib/readConfigFile.ts
index 0ce6d0272..54260009b 100644
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -57,7 +57,10 @@ export const privateConfigSchema = z.object({
         .object({
             host: z.string(),
             port: portSchema,
-            password: z.string().optional(),
+            password: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("REDIS_PASSWORD")),
             db: z.int().nonnegative().optional().default(0),
             replicas: z
                 .array(

From 60982bf19fb74905062e441d369d5c4849df9367 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Mon, 23 Mar 2026 22:55:59 +0100
Subject: [PATCH 020/122] =?UTF-8?q?=F0=9F=9A=A7=20edit=20niceid=20in=20pri?=
 =?UTF-8?q?vate=20resources?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../siteResource/updateSiteResource.ts        | 78 +++++++++++--------
 src/components/EditInternalResourceDialog.tsx | 12 +--
 src/components/InternalResourceForm.tsx       | 24 +++++-
 3 files changed, 75 insertions(+), 39 deletions(-)

diff --git a/server/routers/siteResource/updateSiteResource.ts b/server/routers/siteResource/updateSiteResource.ts
index 596ed9a3f..fcb42a08e 100644
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -1,5 +1,4 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import {
     clientSiteResources,
     clientSiteResourcesAssociationsCache,
@@ -8,19 +7,13 @@ import {
     orgs,
     roles,
     roleSiteResources,
+    SiteResource,
+    siteResources,
     sites,
     Transaction,
     userSiteResources
 } from "@server/db";
-import { siteResources, SiteResource } from "@server/db";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { eq, and, ne } from "drizzle-orm";
-import { fromError } from "zod-validation-error";
-import logger from "@server/logger";
-import { OpenAPITags, registry } from "@server/openApi";
-import { updatePeerData, updateTargets } from "@server/routers/client/targets";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
     generateAliasConfig,
     generateRemoteSubnets,
@@ -28,12 +21,17 @@ import {
     isIpInCidr,
     portRangeStringSchema
 } from "@server/lib/ip";
-import {
-    getClientSiteResourceAccess,
-    rebuildClientAssociationsFromSiteResource
-} from "@server/lib/rebuildClientAssociations";
-import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import { updatePeerData, updateTargets } from "@server/routers/client/targets";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq, ne } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
 
 const updateSiteResourceParamsSchema = z.strictObject({
     siteResourceId: z.string().transform(Number).pipe(z.int().positive())
@@ -43,7 +41,15 @@ const updateSiteResourceSchema = z
     .strictObject({
         name: z.string().min(1).max(255).optional(),
         siteId: z.int(),
-        // niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
+        niceId: z
+            .string()
+            .min(1)
+            .max(255)
+            .regex(
+                /^[a-zA-Z0-9-]+$/,
+                "niceId can only contain letters, numbers, and dashes"
+            )
+            .optional(),
         // mode: z.enum(["host", "cidr", "port"]).optional(),
         mode: z.enum(["host", "cidr"]).optional(),
         // protocol: z.enum(["tcp", "udp"]).nullish(),
@@ -167,6 +173,7 @@ export async function updateSiteResource(
         const {
             name,
             siteId, // because it can change
+            niceId,
             mode,
             destination,
             alias,
@@ -321,7 +328,8 @@ export async function updateSiteResource(
 
                 const sshPamSet =
                     isLicensedSshPam &&
-                    (authDaemonPort !== undefined || authDaemonMode !== undefined)
+                    (authDaemonPort !== undefined ||
+                        authDaemonMode !== undefined)
                         ? {
                               ...(authDaemonPort !== undefined && {
                                   authDaemonPort
@@ -334,15 +342,16 @@ export async function updateSiteResource(
                 [updatedSiteResource] = await trx
                     .update(siteResources)
                     .set({
-                        name: name,
-                        siteId: siteId,
-                        mode: mode,
-                        destination: destination,
-                        enabled: enabled,
+                        name,
+                        siteId,
+                        niceId,
+                        mode,
+                        destination,
+                        enabled,
                         alias: alias && alias.trim() ? alias : null,
-                        tcpPortRangeString: tcpPortRangeString,
-                        udpPortRangeString: udpPortRangeString,
-                        disableIcmp: disableIcmp,
+                        tcpPortRangeString,
+                        udpPortRangeString,
+                        disableIcmp,
                         ...sshPamSet
                     })
                     .where(
@@ -423,7 +432,8 @@ export async function updateSiteResource(
                 // Update the site resource
                 const sshPamSet =
                     isLicensedSshPam &&
-                    (authDaemonPort !== undefined || authDaemonMode !== undefined)
+                    (authDaemonPort !== undefined ||
+                        authDaemonMode !== undefined)
                         ? {
                               ...(authDaemonPort !== undefined && {
                                   authDaemonPort
@@ -617,10 +627,14 @@ export async function handleMessagingForUpdatedSiteResource(
                 mergedAllClients
             );
 
-            await updateTargets(newt.newtId, {
-                oldTargets: oldTargets,
-                newTargets: newTargets
-            }, newt.version);
+            await updateTargets(
+                newt.newtId,
+                {
+                    oldTargets: oldTargets,
+                    newTargets: newTargets
+                },
+                newt.version
+            );
         }
 
         const olmJobs: Promise<void>[] = [];
diff --git a/src/components/EditInternalResourceDialog.tsx b/src/components/EditInternalResourceDialog.tsx
index 866aebe3a..690ad405d 100644
--- a/src/components/EditInternalResourceDialog.tsx
+++ b/src/components/EditInternalResourceDialog.tsx
@@ -18,7 +18,7 @@ import { resourceQueries } from "@app/lib/queries";
 import { ListSitesResponse } from "@server/routers/site";
 import { useQueryClient } from "@tanstack/react-query";
 import { useTranslations } from "next-intl";
-import { useState } from "react";
+import { useState, useTransition } from "react";
 import {
     cleanForFQDN,
     InternalResourceForm,
@@ -49,10 +49,9 @@ export default function EditInternalResourceDialog({
     const t = useTranslations();
     const api = createApiClient(useEnvContext());
     const queryClient = useQueryClient();
-    const [isSubmitting, setIsSubmitting] = useState(false);
+    const [isSubmitting, startTransition] = useTransition();
 
     async function handleSubmit(values: InternalResourceFormValues) {
-        setIsSubmitting(true);
         try {
             let data = { ...values };
             if (data.mode === "host" && isHostname(data.destination)) {
@@ -70,6 +69,7 @@ export default function EditInternalResourceDialog({
                 name: data.name,
                 siteId: data.siteId,
                 mode: data.mode,
+                niceId: data.niceId,
                 destination: data.destination,
                 alias:
                     data.alias &&
@@ -127,8 +127,6 @@ export default function EditInternalResourceDialog({
                 ),
                 variant: "destructive"
             });
-        } finally {
-            setIsSubmitting(false);
         }
     }
 
@@ -162,7 +160,9 @@ export default function EditInternalResourceDialog({
                         orgId={orgId}
                         siteResourceId={resource.id}
                         formId="edit-internal-resource-form"
-                        onSubmit={handleSubmit}
+                        onSubmit={(values) =>
+                            startTransition(() => handleSubmit(values))
+                        }
                     />
                 </CredenzaBody>
                 <CredenzaFooter>
diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 6df1aceb7..0cf86a8eb 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -132,6 +132,7 @@ export type InternalResourceData = {
     siteName: string;
     mode: "host" | "cidr";
     siteId: number;
+    niceId: string;
     destination: string;
     alias?: string | null;
     tcpPortRangeString?: string | null;
@@ -149,6 +150,7 @@ export type InternalResourceFormValues = {
     mode: "host" | "cidr";
     destination: string;
     alias?: string | null;
+    niceId?: string;
     tcpPortRangeString?: string | null;
     udpPortRangeString?: string | null;
     disableIcmp?: boolean;
@@ -243,6 +245,12 @@ export function InternalResourceForm({
                     : undefined
             ),
         alias: z.string().nullish(),
+        niceId: z
+            .string()
+            .min(1)
+            .max(255)
+            .regex(/^[a-zA-Z0-9-]+$/)
+            .optional(),
         tcpPortRangeString: createPortRangeStringSchema(t),
         udpPortRangeString: createPortRangeStringSchema(t),
         disableIcmp: z.boolean().optional(),
@@ -387,6 +395,7 @@ export function InternalResourceForm({
                   disableIcmp: resource.disableIcmp ?? false,
                   authDaemonMode: resource.authDaemonMode ?? "site",
                   authDaemonPort: resource.authDaemonPort ?? null,
+                  niceId: resource.niceId,
                   roles: [],
                   users: [],
                   clients: []
@@ -534,7 +543,7 @@ export function InternalResourceForm({
                 className="space-y-6"
                 id={formId}
             >
-                <div className="grid grid-cols-2 gap-4">
+                <div className="grid gap-4">
                     <FormField
                         control={form.control}
                         name="name"
@@ -548,6 +557,19 @@ export function InternalResourceForm({
                             </FormItem>
                         )}
                     />
+                    <FormField
+                        control={form.control}
+                        name="niceId"
+                        render={({ field }) => (
+                            <FormItem>
+                                <FormLabel>{t("identifier")}</FormLabel>
+                                <FormControl>
+                                    <Input {...field} />
+                                </FormControl>
+                                <FormMessage />
+                            </FormItem>
+                        )}
+                    />
                     <FormField
                         control={form.control}
                         name="siteId"

From 37d331e813a67274c22bfcd7839bbdd8bc692541 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 16:05:05 -0700
Subject: [PATCH 021/122] Update version

---
 server/routers/client/targets.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/routers/client/targets.ts b/server/routers/client/targets.ts
index 7cd59133c..b2d49db4c 100644
--- a/server/routers/client/targets.ts
+++ b/server/routers/client/targets.ts
@@ -11,7 +11,7 @@ import logger from "@server/logger";
 import { eq } from "drizzle-orm";
 import semver from "semver";
 
-const NEWT_V2_TARGETS_VERSION = ">=1.11.0";
+const NEWT_V2_TARGETS_VERSION = ">=1.10.3";
 
 export async function convertTargetsIfNessicary(
     newtId: string,

From 7d8797840a1d9cc8d455fe858ff97d4f3b206e15 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 17:01:34 -0700
Subject: [PATCH 022/122] Add connection log

---
 server/cleanup.ts                             |   4 +-
 server/db/pg/schema/privateSchema.ts          |  38 ++-
 server/db/sqlite/schema/privateSchema.ts      |  36 ++-
 server/private/cleanup.ts                     |   4 +-
 server/private/routers/ws/messageHandlers.ts  |   4 +-
 .../newt/handleConnectionLogMessage.ts        | 302 ++++++++++++++++++
 server/routers/newt/index.ts                  |   1 +
 7 files changed, 384 insertions(+), 5 deletions(-)
 create mode 100644 server/routers/newt/handleConnectionLogMessage.ts

diff --git a/server/cleanup.ts b/server/cleanup.ts
index 137654827..7366bb876 100644
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,9 +1,11 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 
 async function cleanup() {
     await flushBandwidthToDb();
+    await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
     await wsCleanup();
 
@@ -14,4 +16,4 @@ export async function initCleanup() {
     // Handle process termination
     process.on("SIGTERM", () => cleanup());
     process.on("SIGINT", () => cleanup());
-}
\ No newline at end of file
+}
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index c9d7cc907..8fed6462a 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -17,7 +17,9 @@ import {
     users,
     exitNodes,
     sessions,
-    clients
+    clients,
+    siteResources,
+    sites
 } from "./schema";
 
 export const certificates = pgTable("certificates", {
@@ -302,6 +304,39 @@ export const accessAuditLog = pgTable(
     ]
 );
 
+export const connectionAuditLog = pgTable(
+    "connectionAuditLog",
+    {
+        id: serial("id").primaryKey(),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = pgTable("approvals", {
     approvalId: serial("approvalId").primaryKey(),
     timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -357,3 +392,4 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 8baeb5220..ecc386ea6 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -6,7 +6,7 @@ import {
     sqliteTable,
     text
 } from "drizzle-orm/sqlite-core";
-import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";
+import { clients, domains, exitNodes, orgs, sessions, siteResources, sites, users } from "./schema";
 
 export const certificates = sqliteTable("certificates", {
     certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -294,6 +294,39 @@ export const accessAuditLog = sqliteTable(
     ]
 );
 
+export const connectionAuditLog = sqliteTable(
+    "connectionAuditLog",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = sqliteTable("approvals", {
     approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
     timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -348,3 +381,4 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 0bd9822dd..933c943ed 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -14,10 +14,12 @@
 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 
 async function cleanup() {
     await flushBandwidthToDb();
+    await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
     await rateLimitService.cleanup();
     await wsCleanup();
@@ -29,4 +31,4 @@ export async function initCleanup() {
     // Handle process termination
     process.on("SIGTERM", () => cleanup());
     process.on("SIGINT", () => cleanup());
-}
\ No newline at end of file
+}
diff --git a/server/private/routers/ws/messageHandlers.ts b/server/private/routers/ws/messageHandlers.ts
index d388ce40a..9e4622e2d 100644
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -18,10 +18,12 @@ import {
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
+import { handleConnectionLogMessage } from "@server/routers/newt";
 
 export const messageHandlers: Record<string, MessageHandler> = {
     "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
-    "remoteExitNode/ping": handleRemoteExitNodePingMessage
+    "remoteExitNode/ping": handleRemoteExitNodePingMessage,
+    "newt/access-log": handleConnectionLogMessage,
 };
 
 if (build != "saas") {
diff --git a/server/routers/newt/handleConnectionLogMessage.ts b/server/routers/newt/handleConnectionLogMessage.ts
new file mode 100644
index 000000000..458470af7
--- /dev/null
+++ b/server/routers/newt/handleConnectionLogMessage.ts
@@ -0,0 +1,302 @@
+import { db } from "@server/db";
+import { MessageHandler } from "@server/routers/ws";
+import { connectionAuditLog, sites, Newt } from "@server/db";
+import { eq } from "drizzle-orm";
+import logger from "@server/logger";
+import { inflate } from "zlib";
+import { promisify } from "util";
+
+const zlibInflate = promisify(inflate);
+
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// How often to flush accumulated connection log data to the database
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+// Maximum number of records to buffer before forcing a flush
+const MAX_BUFFERED_RECORDS = 500;
+
+// Maximum number of records to insert in a single batch
+const INSERT_BATCH_SIZE = 100;
+
+interface ConnectionSessionData {
+    sessionId: string;
+    resourceId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: string; // ISO 8601 timestamp
+    endedAt?: string; // ISO 8601 timestamp
+    bytesTx?: number;
+    bytesRx?: number;
+}
+
+interface ConnectionLogRecord {
+    sessionId: string;
+    siteResourceId: number;
+    orgId: string;
+    siteId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: number; // epoch seconds
+    endedAt: number | null;
+    bytesTx: number | null;
+    bytesRx: number | null;
+}
+
+// In-memory buffer of records waiting to be flushed
+let buffer: ConnectionLogRecord[] = [];
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+/**
+ * Decompress a base64-encoded zlib-compressed string into parsed JSON.
+ */
+async function decompressConnectionLog(
+    compressed: string
+): Promise<ConnectionSessionData[]> {
+    const compressedBuffer = Buffer.from(compressed, "base64");
+    const decompressed = await zlibInflate(compressedBuffer);
+    const jsonString = decompressed.toString("utf-8");
+    const parsed = JSON.parse(jsonString);
+
+    if (!Array.isArray(parsed)) {
+        throw new Error("Decompressed connection log data is not an array");
+    }
+
+    return parsed;
+}
+
+/**
+ * Convert an ISO 8601 timestamp string to epoch seconds.
+ * Returns null if the input is falsy.
+ */
+function toEpochSeconds(isoString: string | undefined | null): number | null {
+    if (!isoString) {
+        return null;
+    }
+    const ms = new Date(isoString).getTime();
+    if (isNaN(ms)) {
+        return null;
+    }
+    return Math.floor(ms / 1000);
+}
+
+/**
+ * Flush all buffered connection log records to the database.
+ *
+ * Swaps out the buffer before writing so that any records added during the
+ * flush are captured in the new buffer rather than being lost. Entries that
+ * fail to write are re-queued back into the buffer so they will be retried
+ * on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushConnectionLogToDb(): Promise<void> {
+    if (buffer.length === 0) {
+        return;
+    }
+
+    // Atomically swap out the buffer so new data keeps flowing in
+    const snapshot = buffer;
+    buffer = [];
+
+    logger.debug(
+        `Flushing ${snapshot.length} connection log record(s) to the database`
+    );
+
+    // Insert in batches to avoid overly large SQL statements
+    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
+        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
+
+        try {
+            await withDeadlockRetry(async () => {
+                await db.insert(connectionAuditLog).values(batch);
+            }, `flush connection log batch (${batch.length} records)`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush connection log batch of ${batch.length} records:`,
+                error
+            );
+
+            // Re-queue the failed batch so it is retried on the next flush
+            buffer = [...batch, ...buffer];
+
+            // Cap buffer to prevent unbounded growth if DB is unreachable
+            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
+                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
+                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
+                logger.warn(
+                    `Connection log buffer overflow, dropped ${dropped} oldest records`
+                );
+            }
+
+            // Stop trying further batches from this snapshot — they'll be
+            // picked up by the next flush via the re-queued records above
+            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
+            if (remaining.length > 0) {
+                buffer = [...remaining, ...buffer];
+            }
+            break;
+        }
+    }
+}
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushConnectionLogToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic connection log flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
+// before process.exit(), so no data is lost.
+flushTimer.unref();
+
+export const handleConnectionLogMessage: MessageHandler = async (context) => {
+    const { message, client } = context;
+    const newt = client as Newt;
+
+    if (!newt) {
+        logger.warn("Connection log received but no newt client in context");
+        return;
+    }
+
+    if (!newt.siteId) {
+        logger.warn("Connection log received but newt has no siteId");
+        return;
+    }
+
+    if (!message.data?.compressed) {
+        logger.warn("Connection log message missing compressed data");
+        return;
+    }
+
+    // Look up the org for this site
+    const [site] = await db
+        .select({ orgId: sites.orgId })
+        .from(sites)
+        .where(eq(sites.siteId, newt.siteId));
+
+    if (!site) {
+        logger.warn(
+            `Connection log received but site ${newt.siteId} not found in database`
+        );
+        return;
+    }
+
+    const orgId = site.orgId;
+
+    let sessions: ConnectionSessionData[];
+    try {
+        sessions = await decompressConnectionLog(message.data.compressed);
+    } catch (error) {
+        logger.error("Failed to decompress connection log data:", error);
+        return;
+    }
+
+    if (sessions.length === 0) {
+        return;
+    }
+
+    // Convert to DB records and add to the buffer
+    for (const session of sessions) {
+        // Validate required fields
+        if (
+            !session.sessionId ||
+            !session.resourceId ||
+            !session.sourceAddr ||
+            !session.destAddr ||
+            !session.protocol
+        ) {
+            logger.debug(
+                `Skipping connection log session with missing required fields: ${JSON.stringify(session)}`
+            );
+            continue;
+        }
+
+        const startedAt = toEpochSeconds(session.startedAt);
+        if (startedAt === null) {
+            logger.debug(
+                `Skipping connection log session with invalid startedAt: ${session.startedAt}`
+            );
+            continue;
+        }
+
+        buffer.push({
+            sessionId: session.sessionId,
+            siteResourceId: session.resourceId,
+            orgId,
+            siteId: newt.siteId,
+            sourceAddr: session.sourceAddr,
+            destAddr: session.destAddr,
+            protocol: session.protocol,
+            startedAt,
+            endedAt: toEpochSeconds(session.endedAt),
+            bytesTx: session.bytesTx ?? null,
+            bytesRx: session.bytesRx ?? null
+        });
+    }
+
+    logger.debug(
+        `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
+    );
+
+    // If the buffer has grown large enough, trigger an immediate flush
+    if (buffer.length >= MAX_BUFFERED_RECORDS) {
+        // Fire and forget — errors are handled inside flushConnectionLogToDb
+        flushConnectionLogToDb().catch((error) => {
+            logger.error(
+                "Unexpected error during size-triggered connection log flush:",
+                error
+            );
+        });
+    }
+};
diff --git a/server/routers/newt/index.ts b/server/routers/newt/index.ts
index f31cd753b..63d1e1068 100644
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -8,3 +8,4 @@ export * from "./handleNewtPingRequestMessage";
 export * from "./handleApplyBlueprintMessage";
 export * from "./handleNewtPingMessage";
 export * from "./handleNewtDisconnectingMessage";
+export * from "./handleConnectionLogMessage";

From 0d4edcd1c79219f65f223cbdce179c3cf0cfcf1b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 17:23:51 -0700
Subject: [PATCH 023/122] make private

---
 server/cleanup.ts                             |   2 +-
 server/db/pg/schema/schema.ts                 |   3 +
 server/db/sqlite/schema/schema.ts             |   3 +
 server/lib/cleanupLogs.ts                     |  18 +-
 server/private/cleanup.ts                     |   2 +-
 .../newt/handleConnectionLogMessage.ts        | 324 ++++++++++++++++++
 server/private/routers/newt/index.ts          |   1 +
 server/private/routers/ws/messageHandlers.ts  |   2 +-
 .../newt/handleConnectionLogMessage.ts        | 299 +---------------
 9 files changed, 354 insertions(+), 300 deletions(-)
 create mode 100644 server/private/routers/newt/handleConnectionLogMessage.ts
 create mode 100644 server/private/routers/newt/index.ts

diff --git a/server/cleanup.ts b/server/cleanup.ts
index 7366bb876..81cc31692 100644
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,5 +1,5 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
-import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
+import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index b93c21fd6..de423945d 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -55,6 +55,9 @@ export const orgs = pgTable("orgs", {
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
         .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
     sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
     sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
     isBillingOrg: boolean("isBillingOrg"),
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 188caac2b..ba02cfb76 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -47,6 +47,9 @@ export const orgs = sqliteTable("orgs", {
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
         .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
     sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
     sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
     isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
diff --git a/server/lib/cleanupLogs.ts b/server/lib/cleanupLogs.ts
index 8eb4ca77f..f5b6d8b2f 100644
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -2,6 +2,7 @@ import { db, orgs } from "@server/db";
 import { cleanUpOldLogs as cleanUpOldAccessLogs } from "#dynamic/lib/logAccessAudit";
 import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/logActionAudit";
 import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
+import { cleanUpOldLogs as cleanUpOldConnectionLogs } from "#dynamic/routers/newt";
 import { gt, or } from "drizzle-orm";
 import { cleanUpOldFingerprintSnapshots } from "@server/routers/olm/fingerprintingUtils";
 import { build } from "@server/build";
@@ -20,14 +21,17 @@ export function initLogCleanupInterval() {
                     settingsLogRetentionDaysAccess:
                         orgs.settingsLogRetentionDaysAccess,
                     settingsLogRetentionDaysRequest:
-                        orgs.settingsLogRetentionDaysRequest
+                        orgs.settingsLogRetentionDaysRequest,
+                    settingsLogRetentionDaysConnection:
+                        orgs.settingsLogRetentionDaysConnection
                 })
                 .from(orgs)
                 .where(
                     or(
                         gt(orgs.settingsLogRetentionDaysAction, 0),
                         gt(orgs.settingsLogRetentionDaysAccess, 0),
-                        gt(orgs.settingsLogRetentionDaysRequest, 0)
+                        gt(orgs.settingsLogRetentionDaysRequest, 0),
+                        gt(orgs.settingsLogRetentionDaysConnection, 0)
                     )
                 );
 
@@ -37,7 +41,8 @@ export function initLogCleanupInterval() {
                     orgId,
                     settingsLogRetentionDaysAction,
                     settingsLogRetentionDaysAccess,
-                    settingsLogRetentionDaysRequest
+                    settingsLogRetentionDaysRequest,
+                    settingsLogRetentionDaysConnection
                 } = org;
 
                 if (settingsLogRetentionDaysAction > 0) {
@@ -60,6 +65,13 @@ export function initLogCleanupInterval() {
                         settingsLogRetentionDaysRequest
                     );
                 }
+
+                if (settingsLogRetentionDaysConnection > 0) {
+                    await cleanUpOldConnectionLogs(
+                        orgId,
+                        settingsLogRetentionDaysConnection
+                    );
+                }
             }
 
             await cleanUpOldFingerprintSnapshots(365);
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 933c943ed..4b12f1b3c 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -14,7 +14,7 @@
 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
-import { flushConnectionLogToDb } from "@server/routers/newt/handleConnectionLogMessage";
+import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 
 async function cleanup() {
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
new file mode 100644
index 000000000..7549ab37f
--- /dev/null
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -0,0 +1,324 @@
+import { db, logsDb } from "@server/db";
+import { MessageHandler } from "@server/routers/ws";
+import { connectionAuditLog, sites, Newt } from "@server/db";
+import { and, eq, lt } from "drizzle-orm";
+import logger from "@server/logger";
+import { inflate } from "zlib";
+import { promisify } from "util";
+import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+
+const zlibInflate = promisify(inflate);
+
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// How often to flush accumulated connection log data to the database
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+// Maximum number of records to buffer before forcing a flush
+const MAX_BUFFERED_RECORDS = 500;
+
+// Maximum number of records to insert in a single batch
+const INSERT_BATCH_SIZE = 100;
+
+interface ConnectionSessionData {
+    sessionId: string;
+    resourceId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: string; // ISO 8601 timestamp
+    endedAt?: string; // ISO 8601 timestamp
+    bytesTx?: number;
+    bytesRx?: number;
+}
+
+interface ConnectionLogRecord {
+    sessionId: string;
+    siteResourceId: number;
+    orgId: string;
+    siteId: number;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: number; // epoch seconds
+    endedAt: number | null;
+    bytesTx: number | null;
+    bytesRx: number | null;
+}
+
+// In-memory buffer of records waiting to be flushed
+let buffer: ConnectionLogRecord[] = [];
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+/**
+ * Decompress a base64-encoded zlib-compressed string into parsed JSON.
+ */
+async function decompressConnectionLog(
+    compressed: string
+): Promise<ConnectionSessionData[]> {
+    const compressedBuffer = Buffer.from(compressed, "base64");
+    const decompressed = await zlibInflate(compressedBuffer);
+    const jsonString = decompressed.toString("utf-8");
+    const parsed = JSON.parse(jsonString);
+
+    if (!Array.isArray(parsed)) {
+        throw new Error("Decompressed connection log data is not an array");
+    }
+
+    return parsed;
+}
+
+/**
+ * Convert an ISO 8601 timestamp string to epoch seconds.
+ * Returns null if the input is falsy.
+ */
+function toEpochSeconds(isoString: string | undefined | null): number | null {
+    if (!isoString) {
+        return null;
+    }
+    const ms = new Date(isoString).getTime();
+    if (isNaN(ms)) {
+        return null;
+    }
+    return Math.floor(ms / 1000);
+}
+
+/**
+ * Flush all buffered connection log records to the database.
+ *
+ * Swaps out the buffer before writing so that any records added during the
+ * flush are captured in the new buffer rather than being lost. Entries that
+ * fail to write are re-queued back into the buffer so they will be retried
+ * on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushConnectionLogToDb(): Promise<void> {
+    if (buffer.length === 0) {
+        return;
+    }
+
+    // Atomically swap out the buffer so new data keeps flowing in
+    const snapshot = buffer;
+    buffer = [];
+
+    logger.debug(
+        `Flushing ${snapshot.length} connection log record(s) to the database`
+    );
+
+    // Insert in batches to avoid overly large SQL statements
+    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
+        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
+
+        try {
+            await withDeadlockRetry(async () => {
+                await logsDb.insert(connectionAuditLog).values(batch);
+            }, `flush connection log batch (${batch.length} records)`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush connection log batch of ${batch.length} records:`,
+                error
+            );
+
+            // Re-queue the failed batch so it is retried on the next flush
+            buffer = [...batch, ...buffer];
+
+            // Cap buffer to prevent unbounded growth if DB is unreachable
+            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
+                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
+                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
+                logger.warn(
+                    `Connection log buffer overflow, dropped ${dropped} oldest records`
+                );
+            }
+
+            // Stop trying further batches from this snapshot — they'll be
+            // picked up by the next flush via the re-queued records above
+            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
+            if (remaining.length > 0) {
+                buffer = [...remaining, ...buffer];
+            }
+            break;
+        }
+    }
+}
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushConnectionLogToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic connection log flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
+// before process.exit(), so no data is lost.
+flushTimer.unref();
+
+export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
+    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
+
+    try {
+        await logsDb
+            .delete(connectionAuditLog)
+            .where(
+                and(
+                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
+                    eq(connectionAuditLog.orgId, orgId)
+                )
+            );
+
+        // logger.debug(
+        //     `Cleaned up connection audit logs older than ${retentionDays} days`
+        // );
+    } catch (error) {
+        logger.error("Error cleaning up old connection audit logs:", error);
+    }
+}
+
+export const handleConnectionLogMessage: MessageHandler = async (context) => {
+    const { message, client } = context;
+    const newt = client as Newt;
+
+    if (!newt) {
+        logger.warn("Connection log received but no newt client in context");
+        return;
+    }
+
+    if (!newt.siteId) {
+        logger.warn("Connection log received but newt has no siteId");
+        return;
+    }
+
+    if (!message.data?.compressed) {
+        logger.warn("Connection log message missing compressed data");
+        return;
+    }
+
+    // Look up the org for this site
+    const [site] = await db
+        .select({ orgId: sites.orgId })
+        .from(sites)
+        .where(eq(sites.siteId, newt.siteId));
+
+    if (!site) {
+        logger.warn(
+            `Connection log received but site ${newt.siteId} not found in database`
+        );
+        return;
+    }
+
+    const orgId = site.orgId;
+
+    let sessions: ConnectionSessionData[];
+    try {
+        sessions = await decompressConnectionLog(message.data.compressed);
+    } catch (error) {
+        logger.error("Failed to decompress connection log data:", error);
+        return;
+    }
+
+    if (sessions.length === 0) {
+        return;
+    }
+
+    // Convert to DB records and add to the buffer
+    for (const session of sessions) {
+        // Validate required fields
+        if (
+            !session.sessionId ||
+            !session.resourceId ||
+            !session.sourceAddr ||
+            !session.destAddr ||
+            !session.protocol
+        ) {
+            logger.debug(
+                `Skipping connection log session with missing required fields: ${JSON.stringify(session)}`
+            );
+            continue;
+        }
+
+        const startedAt = toEpochSeconds(session.startedAt);
+        if (startedAt === null) {
+            logger.debug(
+                `Skipping connection log session with invalid startedAt: ${session.startedAt}`
+            );
+            continue;
+        }
+
+        buffer.push({
+            sessionId: session.sessionId,
+            siteResourceId: session.resourceId,
+            orgId,
+            siteId: newt.siteId,
+            sourceAddr: session.sourceAddr,
+            destAddr: session.destAddr,
+            protocol: session.protocol,
+            startedAt,
+            endedAt: toEpochSeconds(session.endedAt),
+            bytesTx: session.bytesTx ?? null,
+            bytesRx: session.bytesRx ?? null
+        });
+    }
+
+    logger.debug(
+        `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
+    );
+
+    // If the buffer has grown large enough, trigger an immediate flush
+    if (buffer.length >= MAX_BUFFERED_RECORDS) {
+        // Fire and forget — errors are handled inside flushConnectionLogToDb
+        flushConnectionLogToDb().catch((error) => {
+            logger.error(
+                "Unexpected error during size-triggered connection log flush:",
+                error
+            );
+        });
+    }
+};
diff --git a/server/private/routers/newt/index.ts b/server/private/routers/newt/index.ts
new file mode 100644
index 000000000..cc182cf7d
--- /dev/null
+++ b/server/private/routers/newt/index.ts
@@ -0,0 +1 @@
+export * from "./handleConnectionLogMessage";
diff --git a/server/private/routers/ws/messageHandlers.ts b/server/private/routers/ws/messageHandlers.ts
index 9e4622e2d..a3c9c5bdb 100644
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -18,7 +18,7 @@ import {
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
-import { handleConnectionLogMessage } from "@server/routers/newt";
+import { handleConnectionLogMessage } from "#dynamic/routers/newt";
 
 export const messageHandlers: Record<string, MessageHandler> = {
     "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
diff --git a/server/routers/newt/handleConnectionLogMessage.ts b/server/routers/newt/handleConnectionLogMessage.ts
index 458470af7..ca1b129d2 100644
--- a/server/routers/newt/handleConnectionLogMessage.ts
+++ b/server/routers/newt/handleConnectionLogMessage.ts
@@ -1,302 +1,13 @@
-import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { connectionAuditLog, sites, Newt } from "@server/db";
-import { eq } from "drizzle-orm";
-import logger from "@server/logger";
-import { inflate } from "zlib";
-import { promisify } from "util";
 
-const zlibInflate = promisify(inflate);
-
-// Retry configuration for deadlock handling
-const MAX_RETRIES = 3;
-const BASE_DELAY_MS = 50;
-
-// How often to flush accumulated connection log data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
-
-// Maximum number of records to buffer before forcing a flush
-const MAX_BUFFERED_RECORDS = 500;
-
-// Maximum number of records to insert in a single batch
-const INSERT_BATCH_SIZE = 100;
-
-interface ConnectionSessionData {
-    sessionId: string;
-    resourceId: number;
-    sourceAddr: string;
-    destAddr: string;
-    protocol: string;
-    startedAt: string; // ISO 8601 timestamp
-    endedAt?: string; // ISO 8601 timestamp
-    bytesTx?: number;
-    bytesRx?: number;
-}
-
-interface ConnectionLogRecord {
-    sessionId: string;
-    siteResourceId: number;
-    orgId: string;
-    siteId: number;
-    sourceAddr: string;
-    destAddr: string;
-    protocol: string;
-    startedAt: number; // epoch seconds
-    endedAt: number | null;
-    bytesTx: number | null;
-    bytesRx: number | null;
-}
-
-// In-memory buffer of records waiting to be flushed
-let buffer: ConnectionLogRecord[] = [];
-
-/**
- * Check if an error is a deadlock error
- */
-function isDeadlockError(error: any): boolean {
-    return (
-        error?.code === "40P01" ||
-        error?.cause?.code === "40P01" ||
-        (error?.message && error.message.includes("deadlock"))
-    );
-}
-
-/**
- * Execute a function with retry logic for deadlock handling
- */
-async function withDeadlockRetry<T>(
-    operation: () => Promise<T>,
-    context: string
-): Promise<T> {
-    let attempt = 0;
-    while (true) {
-        try {
-            return await operation();
-        } catch (error: any) {
-            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
-                attempt++;
-                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
-                const jitter = Math.random() * baseDelay;
-                const delay = baseDelay + jitter;
-                logger.warn(
-                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
-                );
-                await new Promise((resolve) => setTimeout(resolve, delay));
-                continue;
-            }
-            throw error;
-        }
-    }
-}
-
-/**
- * Decompress a base64-encoded zlib-compressed string into parsed JSON.
- */
-async function decompressConnectionLog(
-    compressed: string
-): Promise<ConnectionSessionData[]> {
-    const compressedBuffer = Buffer.from(compressed, "base64");
-    const decompressed = await zlibInflate(compressedBuffer);
-    const jsonString = decompressed.toString("utf-8");
-    const parsed = JSON.parse(jsonString);
-
-    if (!Array.isArray(parsed)) {
-        throw new Error("Decompressed connection log data is not an array");
-    }
-
-    return parsed;
-}
-
-/**
- * Convert an ISO 8601 timestamp string to epoch seconds.
- * Returns null if the input is falsy.
- */
-function toEpochSeconds(isoString: string | undefined | null): number | null {
-    if (!isoString) {
-        return null;
-    }
-    const ms = new Date(isoString).getTime();
-    if (isNaN(ms)) {
-        return null;
-    }
-    return Math.floor(ms / 1000);
-}
-
-/**
- * Flush all buffered connection log records to the database.
- *
- * Swaps out the buffer before writing so that any records added during the
- * flush are captured in the new buffer rather than being lost. Entries that
- * fail to write are re-queued back into the buffer so they will be retried
- * on the next flush.
- *
- * This function is exported so that the application's graceful-shutdown
- * cleanup handler can call it before the process exits.
- */
 export async function flushConnectionLogToDb(): Promise<void> {
-    if (buffer.length === 0) {
-        return;
-    }
-
-    // Atomically swap out the buffer so new data keeps flowing in
-    const snapshot = buffer;
-    buffer = [];
-
-    logger.debug(
-        `Flushing ${snapshot.length} connection log record(s) to the database`
-    );
-
-    // Insert in batches to avoid overly large SQL statements
-    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
-        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
-
-        try {
-            await withDeadlockRetry(async () => {
-                await db.insert(connectionAuditLog).values(batch);
-            }, `flush connection log batch (${batch.length} records)`);
-        } catch (error) {
-            logger.error(
-                `Failed to flush connection log batch of ${batch.length} records:`,
-                error
-            );
-
-            // Re-queue the failed batch so it is retried on the next flush
-            buffer = [...batch, ...buffer];
-
-            // Cap buffer to prevent unbounded growth if DB is unreachable
-            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
-                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
-                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
-                logger.warn(
-                    `Connection log buffer overflow, dropped ${dropped} oldest records`
-                );
-            }
-
-            // Stop trying further batches from this snapshot — they'll be
-            // picked up by the next flush via the re-queued records above
-            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
-            if (remaining.length > 0) {
-                buffer = [...remaining, ...buffer];
-            }
-            break;
-        }
-    }
+   return;
 }
 
-const flushTimer = setInterval(async () => {
-    try {
-        await flushConnectionLogToDb();
-    } catch (error) {
-        logger.error(
-            "Unexpected error during periodic connection log flush:",
-            error
-        );
-    }
-}, FLUSH_INTERVAL_MS);
-
-// Calling unref() means this timer will not keep the Node.js event loop alive
-// on its own — the process can still exit normally when there is no other work
-// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
-// before process.exit(), so no data is lost.
-flushTimer.unref();
+export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
+    return;
+}
 
 export const handleConnectionLogMessage: MessageHandler = async (context) => {
-    const { message, client } = context;
-    const newt = client as Newt;
-
-    if (!newt) {
-        logger.warn("Connection log received but no newt client in context");
-        return;
-    }
-
-    if (!newt.siteId) {
-        logger.warn("Connection log received but newt has no siteId");
-        return;
-    }
-
-    if (!message.data?.compressed) {
-        logger.warn("Connection log message missing compressed data");
-        return;
-    }
-
-    // Look up the org for this site
-    const [site] = await db
-        .select({ orgId: sites.orgId })
-        .from(sites)
-        .where(eq(sites.siteId, newt.siteId));
-
-    if (!site) {
-        logger.warn(
-            `Connection log received but site ${newt.siteId} not found in database`
-        );
-        return;
-    }
-
-    const orgId = site.orgId;
-
-    let sessions: ConnectionSessionData[];
-    try {
-        sessions = await decompressConnectionLog(message.data.compressed);
-    } catch (error) {
-        logger.error("Failed to decompress connection log data:", error);
-        return;
-    }
-
-    if (sessions.length === 0) {
-        return;
-    }
-
-    // Convert to DB records and add to the buffer
-    for (const session of sessions) {
-        // Validate required fields
-        if (
-            !session.sessionId ||
-            !session.resourceId ||
-            !session.sourceAddr ||
-            !session.destAddr ||
-            !session.protocol
-        ) {
-            logger.debug(
-                `Skipping connection log session with missing required fields: ${JSON.stringify(session)}`
-            );
-            continue;
-        }
-
-        const startedAt = toEpochSeconds(session.startedAt);
-        if (startedAt === null) {
-            logger.debug(
-                `Skipping connection log session with invalid startedAt: ${session.startedAt}`
-            );
-            continue;
-        }
-
-        buffer.push({
-            sessionId: session.sessionId,
-            siteResourceId: session.resourceId,
-            orgId,
-            siteId: newt.siteId,
-            sourceAddr: session.sourceAddr,
-            destAddr: session.destAddr,
-            protocol: session.protocol,
-            startedAt,
-            endedAt: toEpochSeconds(session.endedAt),
-            bytesTx: session.bytesTx ?? null,
-            bytesRx: session.bytesRx ?? null
-        });
-    }
-
-    logger.debug(
-        `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
-    );
-
-    // If the buffer has grown large enough, trigger an immediate flush
-    if (buffer.length >= MAX_BUFFERED_RECORDS) {
-        // Fire and forget — errors are handled inside flushConnectionLogToDb
-        flushConnectionLogToDb().catch((error) => {
-            logger.error(
-                "Unexpected error during size-triggered connection log flush:",
-                error
-            );
-        });
-    }
+    return;
 };

From fe40ea58c14a5eae05efdbdd64f6460d12566b4d Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 20:05:54 -0700
Subject: [PATCH 024/122] Source client info into schema

---
 server/db/pg/schema/privateSchema.ts          |  6 ++
 server/db/sqlite/schema/privateSchema.ts      |  6 ++
 .../newt/handleConnectionLogMessage.ts        | 64 ++++++++++++++++++-
 3 files changed, 73 insertions(+), 3 deletions(-)

diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index 8fed6462a..8d4e663df 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -319,6 +319,12 @@ export const connectionAuditLog = pgTable(
         siteId: integer("siteId").references(() => sites.siteId, {
             onDelete: "cascade"
         }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
         sourceAddr: text("sourceAddr").notNull(),
         destAddr: text("destAddr").notNull(),
         protocol: text("protocol").notNull(),
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index ecc386ea6..f58b5cd18 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -309,6 +309,12 @@ export const connectionAuditLog = sqliteTable(
         siteId: integer("siteId").references(() => sites.siteId, {
             onDelete: "cascade"
         }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
         sourceAddr: text("sourceAddr").notNull(),
         destAddr: text("destAddr").notNull(),
         protocol: text("protocol").notNull(),
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 7549ab37f..164c14488 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -1,7 +1,7 @@
 import { db, logsDb } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { connectionAuditLog, sites, Newt } from "@server/db";
-import { and, eq, lt } from "drizzle-orm";
+import { connectionAuditLog, sites, Newt, clients, orgs } from "@server/db";
+import { and, eq, lt, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 import { inflate } from "zlib";
 import { promisify } from "util";
@@ -39,6 +39,8 @@ interface ConnectionLogRecord {
     siteResourceId: number;
     orgId: string;
     siteId: number;
+    clientId: number | null;
+    userId: string | null;
     sourceAddr: string;
     destAddr: string;
     protocol: string;
@@ -243,8 +245,9 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
     // Look up the org for this site
     const [site] = await db
-        .select({ orgId: sites.orgId })
+        .select({ orgId: sites.orgId, orgSubnet: orgs.subnet })
         .from(sites)
+        .innerJoin(orgs, eq(sites.orgId, orgs.orgId))
         .where(eq(sites.siteId, newt.siteId));
 
     if (!site) {
@@ -256,6 +259,12 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
     const orgId = site.orgId;
 
+    // Extract the CIDR suffix (e.g. "/16") from the org subnet so we can
+    // reconstruct the exact subnet string stored on each client record.
+    const cidrSuffix = site.orgSubnet?.includes("/")
+        ? site.orgSubnet.substring(site.orgSubnet.indexOf("/"))
+        : null;
+
     let sessions: ConnectionSessionData[];
     try {
         sessions = await decompressConnectionLog(message.data.compressed);
@@ -268,6 +277,48 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         return;
     }
 
+    // Build a map from sourceAddr → { clientId, userId } by querying clients
+    // whose subnet field matches exactly. Client subnets are stored with the
+    // org's CIDR suffix (e.g. "100.90.128.5/16"), so we reconstruct that from
+    // each unique sourceAddr + the org's CIDR suffix and do a targeted IN query.
+    const ipToClient = new Map<string, { clientId: number; userId: string | null }>();
+
+    if (cidrSuffix) {
+        // Collect unique source addresses so we only query for what we need
+        const uniqueSourceAddrs = new Set<string>();
+        for (const session of sessions) {
+            if (session.sourceAddr) {
+                uniqueSourceAddrs.add(session.sourceAddr);
+            }
+        }
+
+        if (uniqueSourceAddrs.size > 0) {
+            // Construct the exact subnet strings as stored in the DB
+            const subnetQueries = Array.from(uniqueSourceAddrs).map(
+                (addr) => `${addr}${cidrSuffix}`
+            );
+
+            const matchedClients = await db
+                .select({
+                    clientId: clients.clientId,
+                    userId: clients.userId,
+                    subnet: clients.subnet
+                })
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.orgId, orgId),
+                        inArray(clients.subnet, subnetQueries)
+                    )
+                );
+
+            for (const c of matchedClients) {
+                const ip = c.subnet.split("/")[0];
+                ipToClient.set(ip, { clientId: c.clientId, userId: c.userId });
+            }
+        }
+    }
+
     // Convert to DB records and add to the buffer
     for (const session of sessions) {
         // Validate required fields
@@ -292,11 +343,18 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
             continue;
         }
 
+        // Match the source address to a client. The sourceAddr is the
+        // client's IP on the WireGuard network, which corresponds to the IP
+        // portion of the client's subnet CIDR (e.g. "100.90.128.5/24").
+        const clientInfo = ipToClient.get(session.sourceAddr) ?? null;
+
         buffer.push({
             sessionId: session.sessionId,
             siteResourceId: session.resourceId,
             orgId,
             siteId: newt.siteId,
+            clientId: clientInfo?.clientId ?? null,
+            userId: clientInfo?.userId ?? null,
             sourceAddr: session.sourceAddr,
             destAddr: session.destAddr,
             protocol: session.protocol,

From 6471571bc66798a97cfd3a87fe54e509f8a81822 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 20:18:03 -0700
Subject: [PATCH 025/122] Add ui for connection logs

---
 messages/en-US.json                           |   6 +
 server/lib/billing/tierMatrix.ts              |   2 +
 .../auditLogs/exportConnectionAuditLog.ts     |  99 +++
 server/private/routers/auditLogs/index.ts     |   2 +
 .../auditLogs/queryConnectionAuditLog.ts      | 378 +++++++++++
 server/private/routers/external.ts            |  19 +
 server/private/routers/integration.ts         |  19 +
 server/routers/auditLogs/types.ts             |  31 +
 .../[orgId]/settings/logs/connection/page.tsx | 630 ++++++++++++++++++
 src/app/navigation.tsx                        |   6 +
 10 files changed, 1192 insertions(+)
 create mode 100644 server/private/routers/auditLogs/exportConnectionAuditLog.ts
 create mode 100644 server/private/routers/auditLogs/queryConnectionAuditLog.ts
 create mode 100644 src/app/[orgId]/settings/logs/connection/page.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 895ee1332..3be427ee0 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2345,6 +2345,12 @@
     "logRetentionEndOfFollowingYear": "End of following year",
     "actionLogsDescription": "View a history of actions performed in this organization",
     "accessLogsDescription": "View access auth requests for resources in this organization",
+    "connectionLogs": "Connection Logs",
+    "connectionLogsDescription": "View connection logs for tunnels in this organization",
+    "sidebarLogsConnection": "Connection Logs",
+    "sourceAddress": "Source Address",
+    "destinationAddress": "Destination Address",
+    "duration": "Duration",
     "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
     "certResolver": "Certificate Resolver",
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index c08bcea71..f8a0cd2f5 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -8,6 +8,7 @@ export enum TierFeature {
     LogExport = "logExport",
     AccessLogs = "accessLogs", // set the retention period to none on downgrade
     ActionLogs = "actionLogs", // set the retention period to none on downgrade
+    ConnectionLogs = "connectionLogs",
     RotateCredentials = "rotateCredentials",
     MaintencePage = "maintencePage", // handle downgrade
     DevicePosture = "devicePosture",
@@ -26,6 +27,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
     [TierFeature.LogExport]: ["tier3", "enterprise"],
     [TierFeature.AccessLogs]: ["tier2", "tier3", "enterprise"],
     [TierFeature.ActionLogs]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.ConnectionLogs]: ["tier2", "tier3", "enterprise"],
     [TierFeature.RotateCredentials]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.MaintencePage]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.DevicePosture]: ["tier2", "tier3", "enterprise"],
diff --git a/server/private/routers/auditLogs/exportConnectionAuditLog.ts b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
new file mode 100644
index 000000000..9349528ad
--- /dev/null
+++ b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
@@ -0,0 +1,99 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { registry } from "@server/openApi";
+import { NextFunction } from "express";
+import { Request, Response } from "express";
+import { OpenAPITags } from "@server/openApi";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import {
+    queryConnectionAuditLogsParams,
+    queryConnectionAuditLogsQuery,
+    queryConnection,
+    countConnectionQuery
+} from "./queryConnectionAuditLog";
+import { generateCSV } from "@server/routers/auditLogs/generateCSV";
+import { MAX_EXPORT_LIMIT } from "@server/routers/auditLogs";
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/logs/connection/export",
+    description: "Export the connection audit log for an organization as CSV",
+    tags: [OpenAPITags.Logs],
+    request: {
+        query: queryConnectionAuditLogsQuery,
+        params: queryConnectionAuditLogsParams
+    },
+    responses: {}
+});
+
+export async function exportConnectionAuditLogs(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = queryConnectionAuditLogsQuery.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+
+        const parsedParams = queryConnectionAuditLogsParams.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+
+        const data = { ...parsedQuery.data, ...parsedParams.data };
+        const [{ count }] = await countConnectionQuery(data);
+        if (count > MAX_EXPORT_LIMIT) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Export limit exceeded. Your selection contains ${count} rows, but the maximum is ${MAX_EXPORT_LIMIT} rows. Please select a shorter time range to reduce the data.`
+                )
+            );
+        }
+
+        const baseQuery = queryConnection(data);
+
+        const log = await baseQuery.limit(data.limit).offset(data.offset);
+
+        const csvData = generateCSV(log);
+
+        res.setHeader("Content-Type", "text/csv");
+        res.setHeader(
+            "Content-Disposition",
+            `attachment; filename="connection-audit-logs-${data.orgId}-${Date.now()}.csv"`
+        );
+
+        return res.send(csvData);
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/auditLogs/index.ts b/server/private/routers/auditLogs/index.ts
index e1849a617..122455fea 100644
--- a/server/private/routers/auditLogs/index.ts
+++ b/server/private/routers/auditLogs/index.ts
@@ -15,3 +15,5 @@ export * from "./queryActionAuditLog";
 export * from "./exportActionAuditLog";
 export * from "./queryAccessAuditLog";
 export * from "./exportAccessAuditLog";
+export * from "./queryConnectionAuditLog";
+export * from "./exportConnectionAuditLog";
diff --git a/server/private/routers/auditLogs/queryConnectionAuditLog.ts b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
new file mode 100644
index 000000000..f321444cd
--- /dev/null
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -0,0 +1,378 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    connectionAuditLog,
+    logsDb,
+    siteResources,
+    sites,
+    clients,
+    primaryDb
+} from "@server/db";
+import { registry } from "@server/openApi";
+import { NextFunction } from "express";
+import { Request, Response } from "express";
+import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { OpenAPITags } from "@server/openApi";
+import { z } from "zod";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { fromError } from "zod-validation-error";
+import { QueryConnectionAuditLogResponse } from "@server/routers/auditLogs/types";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo";
+
+export const queryConnectionAuditLogsQuery = z.object({
+    // iso string just validate its a parseable date
+    timeStart: z
+        .string()
+        .refine((val) => !isNaN(Date.parse(val)), {
+            error: "timeStart must be a valid ISO date string"
+        })
+        .transform((val) => Math.floor(new Date(val).getTime() / 1000))
+        .prefault(() => getSevenDaysAgo().toISOString())
+        .openapi({
+            type: "string",
+            format: "date-time",
+            description:
+                "Start time as ISO date string (defaults to 7 days ago)"
+        }),
+    timeEnd: z
+        .string()
+        .refine((val) => !isNaN(Date.parse(val)), {
+            error: "timeEnd must be a valid ISO date string"
+        })
+        .transform((val) => Math.floor(new Date(val).getTime() / 1000))
+        .optional()
+        .prefault(() => new Date().toISOString())
+        .openapi({
+            type: "string",
+            format: "date-time",
+            description:
+                "End time as ISO date string (defaults to current time)"
+        }),
+    protocol: z.string().optional(),
+    sourceAddr: z.string().optional(),
+    destAddr: z.string().optional(),
+    clientId: z
+        .string()
+        .optional()
+        .transform(Number)
+        .pipe(z.int().positive())
+        .optional(),
+    siteId: z
+        .string()
+        .optional()
+        .transform(Number)
+        .pipe(z.int().positive())
+        .optional(),
+    siteResourceId: z
+        .string()
+        .optional()
+        .transform(Number)
+        .pipe(z.int().positive())
+        .optional(),
+    userId: z.string().optional(),
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative())
+});
+
+export const queryConnectionAuditLogsParams = z.object({
+    orgId: z.string()
+});
+
+export const queryConnectionAuditLogsCombined =
+    queryConnectionAuditLogsQuery.merge(queryConnectionAuditLogsParams);
+type Q = z.infer<typeof queryConnectionAuditLogsCombined>;
+
+function getWhere(data: Q) {
+    return and(
+        gt(connectionAuditLog.startedAt, data.timeStart),
+        lt(connectionAuditLog.startedAt, data.timeEnd),
+        eq(connectionAuditLog.orgId, data.orgId),
+        data.protocol
+            ? eq(connectionAuditLog.protocol, data.protocol)
+            : undefined,
+        data.sourceAddr
+            ? eq(connectionAuditLog.sourceAddr, data.sourceAddr)
+            : undefined,
+        data.destAddr
+            ? eq(connectionAuditLog.destAddr, data.destAddr)
+            : undefined,
+        data.clientId
+            ? eq(connectionAuditLog.clientId, data.clientId)
+            : undefined,
+        data.siteId
+            ? eq(connectionAuditLog.siteId, data.siteId)
+            : undefined,
+        data.siteResourceId
+            ? eq(connectionAuditLog.siteResourceId, data.siteResourceId)
+            : undefined,
+        data.userId
+            ? eq(connectionAuditLog.userId, data.userId)
+            : undefined
+    );
+}
+
+export function queryConnection(data: Q) {
+    return logsDb
+        .select({
+            sessionId: connectionAuditLog.sessionId,
+            siteResourceId: connectionAuditLog.siteResourceId,
+            orgId: connectionAuditLog.orgId,
+            siteId: connectionAuditLog.siteId,
+            clientId: connectionAuditLog.clientId,
+            userId: connectionAuditLog.userId,
+            sourceAddr: connectionAuditLog.sourceAddr,
+            destAddr: connectionAuditLog.destAddr,
+            protocol: connectionAuditLog.protocol,
+            startedAt: connectionAuditLog.startedAt,
+            endedAt: connectionAuditLog.endedAt,
+            bytesTx: connectionAuditLog.bytesTx,
+            bytesRx: connectionAuditLog.bytesRx
+        })
+        .from(connectionAuditLog)
+        .where(getWhere(data))
+        .orderBy(
+            desc(connectionAuditLog.startedAt),
+            desc(connectionAuditLog.id)
+        );
+}
+
+export function countConnectionQuery(data: Q) {
+    const countQuery = logsDb
+        .select({ count: count() })
+        .from(connectionAuditLog)
+        .where(getWhere(data));
+    return countQuery;
+}
+
+async function enrichWithDetails(
+    logs: Awaited<ReturnType<typeof queryConnection>>
+) {
+    // Collect unique IDs from logs
+    const siteResourceIds = [
+        ...new Set(
+            logs
+                .map((log) => log.siteResourceId)
+                .filter((id): id is number => id !== null && id !== undefined)
+        )
+    ];
+    const siteIds = [
+        ...new Set(
+            logs
+                .map((log) => log.siteId)
+                .filter((id): id is number => id !== null && id !== undefined)
+        )
+    ];
+    const clientIds = [
+        ...new Set(
+            logs
+                .map((log) => log.clientId)
+                .filter((id): id is number => id !== null && id !== undefined)
+        )
+    ];
+
+    // Fetch resource details from main database
+    const resourceMap = new Map<
+        number,
+        { name: string; niceId: string }
+    >();
+    if (siteResourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name,
+                niceId: siteResources.niceId
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, siteResourceIds));
+
+        for (const r of resourceDetails) {
+            resourceMap.set(r.siteResourceId, {
+                name: r.name,
+                niceId: r.niceId
+            });
+        }
+    }
+
+    // Fetch site details from main database
+    const siteMap = new Map<number, { name: string; niceId: string }>();
+    if (siteIds.length > 0) {
+        const siteDetails = await primaryDb
+            .select({
+                siteId: sites.siteId,
+                name: sites.name,
+                niceId: sites.niceId
+            })
+            .from(sites)
+            .where(inArray(sites.siteId, siteIds));
+
+        for (const s of siteDetails) {
+            siteMap.set(s.siteId, { name: s.name, niceId: s.niceId });
+        }
+    }
+
+    // Fetch client details from main database
+    const clientMap = new Map<number, { name: string }>();
+    if (clientIds.length > 0) {
+        const clientDetails = await primaryDb
+            .select({
+                clientId: clients.clientId,
+                name: clients.name
+            })
+            .from(clients)
+            .where(inArray(clients.clientId, clientIds));
+
+        for (const c of clientDetails) {
+            clientMap.set(c.clientId, { name: c.name });
+        }
+    }
+
+    // Enrich logs with details
+    return logs.map((log) => ({
+        ...log,
+        resourceName: log.siteResourceId
+            ? resourceMap.get(log.siteResourceId)?.name ?? null
+            : null,
+        resourceNiceId: log.siteResourceId
+            ? resourceMap.get(log.siteResourceId)?.niceId ?? null
+            : null,
+        siteName: log.siteId
+            ? siteMap.get(log.siteId)?.name ?? null
+            : null,
+        siteNiceId: log.siteId
+            ? siteMap.get(log.siteId)?.niceId ?? null
+            : null,
+        clientName: log.clientId
+            ? clientMap.get(log.clientId)?.name ?? null
+            : null
+    }));
+}
+
+async function queryUniqueFilterAttributes(
+    timeStart: number,
+    timeEnd: number,
+    orgId: string
+) {
+    const baseConditions = and(
+        gt(connectionAuditLog.startedAt, timeStart),
+        lt(connectionAuditLog.startedAt, timeEnd),
+        eq(connectionAuditLog.orgId, orgId)
+    );
+
+    // Get unique protocols
+    const uniqueProtocols = await logsDb
+        .selectDistinct({
+            protocol: connectionAuditLog.protocol
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    return {
+        protocols: uniqueProtocols
+            .map((row) => row.protocol)
+            .filter((protocol): protocol is string => protocol !== null)
+    };
+}
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/logs/connection",
+    description: "Query the connection audit log for an organization",
+    tags: [OpenAPITags.Logs],
+    request: {
+        query: queryConnectionAuditLogsQuery,
+        params: queryConnectionAuditLogsParams
+    },
+    responses: {}
+});
+
+export async function queryConnectionAuditLogs(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = queryConnectionAuditLogsQuery.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+        const parsedParams = queryConnectionAuditLogsParams.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+
+        const data = { ...parsedQuery.data, ...parsedParams.data };
+
+        const baseQuery = queryConnection(data);
+
+        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
+
+        // Enrich with resource, site, and client details
+        const log = await enrichWithDetails(logsRaw);
+
+        const totalCountResult = await countConnectionQuery(data);
+        const totalCount = totalCountResult[0].count;
+
+        const filterAttributes = await queryUniqueFilterAttributes(
+            data.timeStart,
+            data.timeEnd,
+            data.orgId
+        );
+
+        return response<QueryConnectionAuditLogResponse>(res, {
+            data: {
+                log: log,
+                pagination: {
+                    total: totalCount,
+                    limit: data.limit,
+                    offset: data.offset
+                },
+                filterAttributes
+            },
+            success: true,
+            error: false,
+            message: "Connection audit logs retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index df8ea8cbb..f06ad4517 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -478,6 +478,25 @@ authenticated.get(
     logs.exportAccessAuditLogs
 );
 
+authenticated.get(
+    "/org/:orgId/logs/connection",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.connectionLogs),
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.exportLogs),
+    logs.queryConnectionAuditLogs
+);
+
+authenticated.get(
+    "/org/:orgId/logs/connection/export",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.logExport),
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.exportLogs),
+    logActionAudit(ActionsEnum.exportLogs),
+    logs.exportConnectionAuditLogs
+);
+
 authenticated.post(
     "/re-key/:clientId/regenerate-client-secret",
     verifyClientAccess, // this is first to set the org id
diff --git a/server/private/routers/integration.ts b/server/private/routers/integration.ts
index 97b1adade..c17835025 100644
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -91,6 +91,25 @@ authenticated.get(
     logs.exportAccessAuditLogs
 );
 
+authenticated.get(
+    "/org/:orgId/logs/connection",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.connectionLogs),
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.exportLogs),
+    logs.queryConnectionAuditLogs
+);
+
+authenticated.get(
+    "/org/:orgId/logs/connection/export",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.logExport),
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.exportLogs),
+    logActionAudit(ActionsEnum.exportLogs),
+    logs.exportConnectionAuditLogs
+);
+
 authenticated.put(
     "/org/:orgId/idp/oidc",
     verifyValidLicense,
diff --git a/server/routers/auditLogs/types.ts b/server/routers/auditLogs/types.ts
index 474aa9261..20e11e17b 100644
--- a/server/routers/auditLogs/types.ts
+++ b/server/routers/auditLogs/types.ts
@@ -91,3 +91,34 @@ export type QueryAccessAuditLogResponse = {
         locations: string[];
     };
 };
+
+export type QueryConnectionAuditLogResponse = {
+    log: {
+        sessionId: string;
+        siteResourceId: number | null;
+        orgId: string | null;
+        siteId: number | null;
+        clientId: number | null;
+        userId: string | null;
+        sourceAddr: string;
+        destAddr: string;
+        protocol: string;
+        startedAt: number;
+        endedAt: number | null;
+        bytesTx: number | null;
+        bytesRx: number | null;
+        resourceName: string | null;
+        resourceNiceId: string | null;
+        siteName: string | null;
+        siteNiceId: string | null;
+        clientName: string | null;
+    }[];
+    pagination: {
+        total: number;
+        limit: number;
+        offset: number;
+    };
+    filterAttributes: {
+        protocols: string[];
+    };
+};
diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
new file mode 100644
index 000000000..737b1efd7
--- /dev/null
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -0,0 +1,630 @@
+"use client";
+import { ColumnFilter } from "@app/components/ColumnFilter";
+import { DateTimeValue } from "@app/components/DateTimePicker";
+import { LogDataTable } from "@app/components/LogDataTable";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { useStoredPageSize } from "@app/hooks/useStoredPageSize";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient } from "@app/lib/api";
+import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo";
+import { build } from "@server/build";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { ColumnDef } from "@tanstack/react-table";
+import axios from "axios";
+import { Cable, Monitor, Server } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { useParams, useRouter, useSearchParams } from "next/navigation";
+import { useEffect, useState, useTransition } from "react";
+
+function formatBytes(bytes: number | null): string {
+    if (bytes === null || bytes === undefined) return "—";
+    if (bytes === 0) return "0 B";
+    const units = ["B", "KB", "MB", "GB", "TB"];
+    const i = Math.floor(Math.log(bytes) / Math.log(1024));
+    const value = bytes / Math.pow(1024, i);
+    return `${value.toFixed(i === 0 ? 0 : 1)} ${units[i]}`;
+}
+
+function formatDuration(startedAt: number, endedAt: number | null): string {
+    if (endedAt === null || endedAt === undefined) return "Active";
+    const durationSec = endedAt - startedAt;
+    if (durationSec < 0) return "—";
+    if (durationSec < 60) return `${durationSec}s`;
+    if (durationSec < 3600) {
+        const m = Math.floor(durationSec / 60);
+        const s = durationSec % 60;
+        return `${m}m ${s}s`;
+    }
+    const h = Math.floor(durationSec / 3600);
+    const m = Math.floor((durationSec % 3600) / 60);
+    return `${h}h ${m}m`;
+}
+
+export default function ConnectionLogsPage() {
+    const router = useRouter();
+    const api = createApiClient(useEnvContext());
+    const t = useTranslations();
+    const { orgId } = useParams();
+    const searchParams = useSearchParams();
+
+    const { isPaidUser } = usePaidStatus();
+
+    const [rows, setRows] = useState<any[]>([]);
+    const [isRefreshing, setIsRefreshing] = useState(false);
+    const [isExporting, startTransition] = useTransition();
+    const [filterAttributes, setFilterAttributes] = useState<{
+        protocols: string[];
+    }>({
+        protocols: []
+    });
+
+    // Filter states - unified object for all filters
+    const [filters, setFilters] = useState<{
+        protocol?: string;
+    }>({
+        protocol: searchParams.get("protocol") || undefined
+    });
+
+    // Pagination state
+    const [totalCount, setTotalCount] = useState<number>(0);
+    const [currentPage, setCurrentPage] = useState<number>(0);
+    const [isLoading, setIsLoading] = useState(false);
+
+    // Initialize page size from storage or default
+    const [pageSize, setPageSize] = useStoredPageSize(
+        "connection-audit-logs",
+        20
+    );
+
+    // Set default date range to last 7 days
+    const getDefaultDateRange = () => {
+        // if the time is in the url params, use that instead
+        const startParam = searchParams.get("start");
+        const endParam = searchParams.get("end");
+        if (startParam && endParam) {
+            return {
+                startDate: {
+                    date: new Date(startParam)
+                },
+                endDate: {
+                    date: new Date(endParam)
+                }
+            };
+        }
+
+        const now = new Date();
+        const lastWeek = getSevenDaysAgo();
+
+        return {
+            startDate: {
+                date: lastWeek
+            },
+            endDate: {
+                date: now
+            }
+        };
+    };
+
+    const [dateRange, setDateRange] = useState<{
+        startDate: DateTimeValue;
+        endDate: DateTimeValue;
+    }>(getDefaultDateRange());
+
+    // Trigger search with default values on component mount
+    useEffect(() => {
+        if (build === "oss") {
+            return;
+        }
+        const defaultRange = getDefaultDateRange();
+        queryDateTime(
+            defaultRange.startDate,
+            defaultRange.endDate,
+            0,
+            pageSize
+        );
+    }, [orgId]); // Re-run if orgId changes
+
+    const handleDateRangeChange = (
+        startDate: DateTimeValue,
+        endDate: DateTimeValue
+    ) => {
+        setDateRange({ startDate, endDate });
+        setCurrentPage(0); // Reset to first page when filtering
+        // put the search params in the url for the time
+        updateUrlParamsForAllFilters({
+            start: startDate.date?.toISOString() || "",
+            end: endDate.date?.toISOString() || ""
+        });
+
+        queryDateTime(startDate, endDate, 0, pageSize);
+    };
+
+    // Handle page changes
+    const handlePageChange = (newPage: number) => {
+        setCurrentPage(newPage);
+        queryDateTime(
+            dateRange.startDate,
+            dateRange.endDate,
+            newPage,
+            pageSize
+        );
+    };
+
+    // Handle page size changes
+    const handlePageSizeChange = (newPageSize: number) => {
+        setPageSize(newPageSize);
+        setCurrentPage(0); // Reset to first page when changing page size
+        queryDateTime(dateRange.startDate, dateRange.endDate, 0, newPageSize);
+    };
+
+    // Handle filter changes generically
+    const handleFilterChange = (
+        filterType: keyof typeof filters,
+        value: string | undefined
+    ) => {
+        // Create new filters object with updated value
+        const newFilters = {
+            ...filters,
+            [filterType]: value
+        };
+
+        setFilters(newFilters);
+        setCurrentPage(0); // Reset to first page when filtering
+
+        // Update URL params
+        updateUrlParamsForAllFilters(newFilters);
+
+        // Trigger new query with updated filters (pass directly to avoid async state issues)
+        queryDateTime(
+            dateRange.startDate,
+            dateRange.endDate,
+            0,
+            pageSize,
+            newFilters
+        );
+    };
+
+    const updateUrlParamsForAllFilters = (
+        newFilters:
+            | typeof filters
+            | {
+                  start: string;
+                  end: string;
+              }
+    ) => {
+        const params = new URLSearchParams(searchParams);
+        Object.entries(newFilters).forEach(([key, value]) => {
+            if (value) {
+                params.set(key, value);
+            } else {
+                params.delete(key);
+            }
+        });
+        router.replace(`?${params.toString()}`, { scroll: false });
+    };
+
+    const queryDateTime = async (
+        startDate: DateTimeValue,
+        endDate: DateTimeValue,
+        page: number = currentPage,
+        size: number = pageSize,
+        filtersParam?: {
+            protocol?: string;
+        }
+    ) => {
+        console.log("Date range changed:", { startDate, endDate, page, size });
+        if (!isPaidUser(tierMatrix.connectionLogs)) {
+            console.log(
+                "Access denied: subscription inactive or license locked"
+            );
+            return;
+        }
+        setIsLoading(true);
+
+        try {
+            // Use the provided filters or fall back to current state
+            const activeFilters = filtersParam || filters;
+
+            // Convert the date/time values to API parameters
+            const params: any = {
+                limit: size,
+                offset: page * size,
+                ...activeFilters
+            };
+
+            if (startDate?.date) {
+                const startDateTime = new Date(startDate.date);
+                if (startDate.time) {
+                    const [hours, minutes, seconds] = startDate.time
+                        .split(":")
+                        .map(Number);
+                    startDateTime.setHours(hours, minutes, seconds || 0);
+                }
+                params.timeStart = startDateTime.toISOString();
+            }
+
+            if (endDate?.date) {
+                const endDateTime = new Date(endDate.date);
+                if (endDate.time) {
+                    const [hours, minutes, seconds] = endDate.time
+                        .split(":")
+                        .map(Number);
+                    endDateTime.setHours(hours, minutes, seconds || 0);
+                } else {
+                    // If no time is specified, set to NOW
+                    const now = new Date();
+                    endDateTime.setHours(
+                        now.getHours(),
+                        now.getMinutes(),
+                        now.getSeconds(),
+                        now.getMilliseconds()
+                    );
+                }
+                params.timeEnd = endDateTime.toISOString();
+            }
+
+            const res = await api.get(`/org/${orgId}/logs/connection`, {
+                params
+            });
+            if (res.status === 200) {
+                setRows(res.data.data.log || []);
+                setTotalCount(res.data.data.pagination?.total || 0);
+                setFilterAttributes(res.data.data.filterAttributes);
+                console.log("Fetched connection logs:", res.data);
+            }
+        } catch (error) {
+            toast({
+                title: t("error"),
+                description: t("Failed to filter logs"),
+                variant: "destructive"
+            });
+        } finally {
+            setIsLoading(false);
+        }
+    };
+
+    const refreshData = async () => {
+        console.log("Data refreshed");
+        setIsRefreshing(true);
+        try {
+            // Refresh data with current date range and pagination
+            await queryDateTime(
+                dateRange.startDate,
+                dateRange.endDate,
+                currentPage,
+                pageSize
+            );
+        } catch (error) {
+            toast({
+                title: t("error"),
+                description: t("refreshError"),
+                variant: "destructive"
+            });
+        } finally {
+            setIsRefreshing(false);
+        }
+    };
+
+    const exportData = async () => {
+        try {
+            // Prepare query params for export
+            const params: any = {
+                timeStart: dateRange.startDate?.date
+                    ? new Date(dateRange.startDate.date).toISOString()
+                    : undefined,
+                timeEnd: dateRange.endDate?.date
+                    ? new Date(dateRange.endDate.date).toISOString()
+                    : undefined,
+                ...filters
+            };
+
+            const response = await api.get(
+                `/org/${orgId}/logs/connection/export`,
+                {
+                    responseType: "blob",
+                    params
+                }
+            );
+
+            // Create a URL for the blob and trigger a download
+            const url = window.URL.createObjectURL(new Blob([response.data]));
+            const link = document.createElement("a");
+            link.href = url;
+            const epoch = Math.floor(Date.now() / 1000);
+            link.setAttribute(
+                "download",
+                `connection-audit-logs-${orgId}-${epoch}.csv`
+            );
+            document.body.appendChild(link);
+            link.click();
+            link.parentNode?.removeChild(link);
+        } catch (error) {
+            let apiErrorMessage: string | null = null;
+            if (axios.isAxiosError(error) && error.response) {
+                const data = error.response.data;
+
+                if (data instanceof Blob && data.type === "application/json") {
+                    // Parse the Blob as JSON
+                    const text = await data.text();
+                    const errorData = JSON.parse(text);
+                    apiErrorMessage = errorData.message;
+                }
+            }
+            toast({
+                title: t("error"),
+                description: apiErrorMessage ?? t("exportError"),
+                variant: "destructive"
+            });
+        }
+    };
+
+    const columns: ColumnDef<any>[] = [
+        {
+            accessorKey: "startedAt",
+            header: ({ column }) => {
+                return t("timestamp");
+            },
+            cell: ({ row }) => {
+                return (
+                    <div className="whitespace-nowrap">
+                        {new Date(
+                            row.original.startedAt * 1000
+                        ).toLocaleString()}
+                    </div>
+                );
+            }
+        },
+        {
+            accessorKey: "protocol",
+            header: ({ column }) => {
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("protocol")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.protocols.map(
+                                (protocol) => ({
+                                    label: protocol.toUpperCase(),
+                                    value: protocol
+                                })
+                            )}
+                            selectedValue={filters.protocol}
+                            onValueChange={(value) =>
+                                handleFilterChange("protocol", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap font-mono text-xs">
+                        {row.original.protocol?.toUpperCase()}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "resourceName",
+            header: ({ column }) => {
+                return t("resource");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap">
+                        {row.original.resourceName ?? "—"}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "sourceAddr",
+            header: ({ column }) => {
+                return t("sourceAddress");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap font-mono text-xs">
+                        {row.original.sourceAddr}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "destAddr",
+            header: ({ column }) => {
+                return t("destinationAddress");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap font-mono text-xs">
+                        {row.original.destAddr}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "duration",
+            header: ({ column }) => {
+                return t("duration");
+            },
+            cell: ({ row }) => {
+                return (
+                    <span className="whitespace-nowrap">
+                        {formatDuration(
+                            row.original.startedAt,
+                            row.original.endedAt
+                        )}
+                    </span>
+                );
+            }
+        }
+    ];
+
+    const renderExpandedRow = (row: any) => {
+        return (
+            <div className="space-y-4">
+                <div className="grid grid-cols-1 md:grid-cols-3 gap-4 text-xs">
+                    <div className="space-y-2">
+                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            <Cable className="h-4 w-4" />
+                            Connection Details
+                        </div>
+                        <div>
+                            <strong>Session ID:</strong>{" "}
+                            <span className="font-mono">
+                                {row.sessionId ?? "—"}
+                            </span>
+                        </div>
+                        <div>
+                            <strong>Protocol:</strong>{" "}
+                            {row.protocol?.toUpperCase() ?? "—"}
+                        </div>
+                        <div>
+                            <strong>Source:</strong>{" "}
+                            <span className="font-mono">
+                                {row.sourceAddr ?? "—"}
+                            </span>
+                        </div>
+                        <div>
+                            <strong>Destination:</strong>{" "}
+                            <span className="font-mono">
+                                {row.destAddr ?? "—"}
+                            </span>
+                        </div>
+                        <div>
+                            <strong>Started At:</strong>{" "}
+                            {row.startedAt
+                                ? new Date(
+                                      row.startedAt * 1000
+                                  ).toLocaleString()
+                                : "—"}
+                        </div>
+                        <div>
+                            <strong>Ended At:</strong>{" "}
+                            {row.endedAt
+                                ? new Date(
+                                      row.endedAt * 1000
+                                  ).toLocaleString()
+                                : "Active"}
+                        </div>
+                        <div>
+                            <strong>Duration:</strong>{" "}
+                            {formatDuration(row.startedAt, row.endedAt)}
+                        </div>
+                    </div>
+                    <div className="space-y-2">
+                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            <Server className="h-4 w-4" />
+                            Resource & Site
+                        </div>
+                        <div>
+                            <strong>Resource:</strong>{" "}
+                            {row.resourceName ?? "—"}
+                            {row.resourceNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.resourceNiceId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>Site:</strong> {row.siteName ?? "—"}
+                            {row.siteNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.siteNiceId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>Site ID:</strong> {row.siteId ?? "—"}
+                        </div>
+                        <div>
+                            <strong>Resource ID:</strong>{" "}
+                            {row.siteResourceId ?? "—"}
+                        </div>
+                    </div>
+                    <div className="space-y-2">
+                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            <Monitor className="h-4 w-4" />
+                            Client & Transfer
+                        </div>
+                        <div>
+                            <strong>Client:</strong> {row.clientName ?? "—"}
+                            {row.clientId && (
+                                <span className="text-muted-foreground ml-1">
+                                    (ID: {row.clientId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>User ID:</strong> {row.userId ?? "—"}
+                        </div>
+                        <div>
+                            <strong>Bytes Sent (TX):</strong>{" "}
+                            {formatBytes(row.bytesTx)}
+                        </div>
+                        <div>
+                            <strong>Bytes Received (RX):</strong>{" "}
+                            {formatBytes(row.bytesRx)}
+                        </div>
+                        <div>
+                            <strong>Total Transfer:</strong>{" "}
+                            {formatBytes(
+                                (row.bytesTx ?? 0) + (row.bytesRx ?? 0)
+                            )}
+                        </div>
+                    </div>
+                </div>
+            </div>
+        );
+    };
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title={t("connectionLogs")}
+                description={t("connectionLogsDescription")}
+            />
+
+            <PaidFeaturesAlert tiers={tierMatrix.connectionLogs} />
+
+            <LogDataTable
+                columns={columns}
+                data={rows}
+                title={t("connectionLogs")}
+                searchPlaceholder={t("searchLogs")}
+                searchColumn="protocol"
+                onRefresh={refreshData}
+                isRefreshing={isRefreshing}
+                onExport={() => startTransition(exportData)}
+                isExporting={isExporting}
+                onDateRangeChange={handleDateRangeChange}
+                dateRange={{
+                    start: dateRange.startDate,
+                    end: dateRange.endDate
+                }}
+                defaultSort={{
+                    id: "startedAt",
+                    desc: true
+                }}
+                // Server-side pagination props
+                totalCount={totalCount}
+                currentPage={currentPage}
+                pageSize={pageSize}
+                onPageChange={handlePageChange}
+                onPageSizeChange={handlePageSizeChange}
+                isLoading={isLoading}
+                // Row expansion props
+                expandable={true}
+                renderExpandedRow={renderExpandedRow}
+                disabled={
+                    !isPaidUser(tierMatrix.connectionLogs) || build === "oss"
+                }
+            />
+        </>
+    );
+}
\ No newline at end of file
diff --git a/src/app/navigation.tsx b/src/app/navigation.tsx
index 0066721db..0a09214e3 100644
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -3,6 +3,7 @@ import { Env } from "@app/lib/types/env";
 import { build } from "@server/build";
 import {
     Building2,
+    Cable,
     ChartLine,
     Combine,
     CreditCard,
@@ -189,6 +190,11 @@ export const orgNavSections = (
                                   title: "sidebarLogsAction",
                                   href: "/{orgId}/settings/logs/action",
                                   icon: <Logs className="size-4 flex-none" />
+                              },
+                              {
+                                  title: "sidebarLogsConnection",
+                                  href: "/{orgId}/settings/logs/connection",
+                                  icon: <Cable className="size-4 flex-none" />
                               }
                           ]
                         : [])

From 2c6e9507b55efdedcf88f77a054475b8dd9daa51 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 21:41:53 -0700
Subject: [PATCH 026/122] Connection log page working

---
 server/lib/ip.ts                              |  10 +-
 .../auditLogs/queryConnectionAuditLog.ts      | 156 ++++++++++++++-
 .../newt/handleConnectionLogMessage.ts        |  16 +-
 server/routers/auditLogs/types.ts             |  16 ++
 .../[orgId]/settings/logs/connection/page.tsx | 180 ++++++++++++++++--
 5 files changed, 349 insertions(+), 29 deletions(-)

diff --git a/server/lib/ip.ts b/server/lib/ip.ts
index 3a29b8661..7f829bcef 100644
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -581,6 +581,7 @@ export type SubnetProxyTargetV2 = {
         max: number;
         protocol: "tcp" | "udp";
     }[];
+    resourceId?: number;
 };
 
 export function generateSubnetProxyTargetV2(
@@ -617,7 +618,8 @@ export function generateSubnetProxyTargetV2(
                 sourcePrefixes: [],
                 destPrefix: destination,
                 portRange,
-                disableIcmp
+                disableIcmp,
+                resourceId: siteResource.siteResourceId,
             };
         }
 
@@ -628,7 +630,8 @@ export function generateSubnetProxyTargetV2(
                 destPrefix: `${siteResource.aliasAddress}/32`,
                 rewriteTo: destination,
                 portRange,
-                disableIcmp
+                disableIcmp,
+                resourceId: siteResource.siteResourceId,
             };
         }
     } else if (siteResource.mode == "cidr") {
@@ -636,7 +639,8 @@ export function generateSubnetProxyTargetV2(
             sourcePrefixes: [],
             destPrefix: siteResource.destination,
             portRange,
-            disableIcmp
+            disableIcmp,
+            resourceId: siteResource.siteResourceId,
         };
     }
 
diff --git a/server/private/routers/auditLogs/queryConnectionAuditLog.ts b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
index f321444cd..b638ed488 100644
--- a/server/private/routers/auditLogs/queryConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -17,6 +17,7 @@ import {
     siteResources,
     sites,
     clients,
+    users,
     primaryDb
 } from "@server/db";
 import { registry } from "@server/openApi";
@@ -193,6 +194,13 @@ async function enrichWithDetails(
                 .filter((id): id is number => id !== null && id !== undefined)
         )
     ];
+    const userIds = [
+        ...new Set(
+            logs
+                .map((log) => log.userId)
+                .filter((id): id is string => id !== null && id !== undefined)
+        )
+    ];
 
     // Fetch resource details from main database
     const resourceMap = new Map<
@@ -235,18 +243,46 @@ async function enrichWithDetails(
     }
 
     // Fetch client details from main database
-    const clientMap = new Map<number, { name: string }>();
+    const clientMap = new Map<
+        number,
+        { name: string; niceId: string; type: string }
+    >();
     if (clientIds.length > 0) {
         const clientDetails = await primaryDb
             .select({
                 clientId: clients.clientId,
-                name: clients.name
+                name: clients.name,
+                niceId: clients.niceId,
+                type: clients.type
             })
             .from(clients)
             .where(inArray(clients.clientId, clientIds));
 
         for (const c of clientDetails) {
-            clientMap.set(c.clientId, { name: c.name });
+            clientMap.set(c.clientId, {
+                name: c.name,
+                niceId: c.niceId,
+                type: c.type
+            });
+        }
+    }
+
+    // Fetch user details from main database
+    const userMap = new Map<
+        string,
+        { email: string | null }
+    >();
+    if (userIds.length > 0) {
+        const userDetails = await primaryDb
+            .select({
+                userId: users.userId,
+                email: users.email
+            })
+            .from(users)
+            .where(inArray(users.userId, userIds));
+
+        for (const u of userDetails) {
+            userMap.set(u.userId, { email: u.email });
         }
     }
 
@@ -267,6 +303,15 @@ async function enrichWithDetails(
             : null,
         clientName: log.clientId
             ? clientMap.get(log.clientId)?.name ?? null
+            : null,
+        clientNiceId: log.clientId
+            ? clientMap.get(log.clientId)?.niceId ?? null
+            : null,
+        clientType: log.clientId
+            ? clientMap.get(log.clientId)?.type ?? null
+            : null,
+        userEmail: log.userId
+            ? userMap.get(log.userId)?.email ?? null
             : null
     }));
 }
@@ -290,10 +335,111 @@ async function queryUniqueFilterAttributes(
         .from(connectionAuditLog)
         .where(baseConditions);
 
+    // Get unique destination addresses
+    const uniqueDestAddrs = await logsDb
+        .selectDistinct({
+            destAddr: connectionAuditLog.destAddr
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Get unique client IDs
+    const uniqueClients = await logsDb
+        .selectDistinct({
+            clientId: connectionAuditLog.clientId
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Get unique resource IDs
+    const uniqueResources = await logsDb
+        .selectDistinct({
+            siteResourceId: connectionAuditLog.siteResourceId
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Get unique user IDs
+    const uniqueUsers = await logsDb
+        .selectDistinct({
+            userId: connectionAuditLog.userId
+        })
+        .from(connectionAuditLog)
+        .where(baseConditions);
+
+    // Enrich client IDs with names from main database
+    const clientIds = uniqueClients
+        .map((row) => row.clientId)
+        .filter((id): id is number => id !== null);
+
+    let clientsWithNames: Array<{ id: number; name: string }> = [];
+    if (clientIds.length > 0) {
+        const clientDetails = await primaryDb
+            .select({
+                clientId: clients.clientId,
+                name: clients.name
+            })
+            .from(clients)
+            .where(inArray(clients.clientId, clientIds));
+
+        clientsWithNames = clientDetails.map((c) => ({
+            id: c.clientId,
+            name: c.name
+        }));
+    }
+
+    // Enrich resource IDs with names from main database
+    const resourceIds = uniqueResources
+        .map((row) => row.siteResourceId)
+        .filter((id): id is number => id !== null);
+
+    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
+    if (resourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, resourceIds));
+
+        resourcesWithNames = resourceDetails.map((r) => ({
+            id: r.siteResourceId,
+            name: r.name
+        }));
+    }
+
+    // Enrich user IDs with emails from main database
+    const userIdsList = uniqueUsers
+        .map((row) => row.userId)
+        .filter((id): id is string => id !== null);
+
+    let usersWithEmails: Array<{ id: string; email: string | null }> = [];
+    if (userIdsList.length > 0) {
+        const userDetails = await primaryDb
+            .select({
+                userId: users.userId,
+                email: users.email
+            })
+            .from(users)
+            .where(inArray(users.userId, userIdsList));
+
+        usersWithEmails = userDetails.map((u) => ({
+            id: u.userId,
+            email: u.email
+        }));
+    }
+
     return {
         protocols: uniqueProtocols
             .map((row) => row.protocol)
-            .filter((protocol): protocol is string => protocol !== null)
+            .filter((protocol): protocol is string => protocol !== null),
+        destAddrs: uniqueDestAddrs
+            .map((row) => row.destAddr)
+            .filter((addr): addr is string => addr !== null),
+        clients: clientsWithNames,
+        resources: resourcesWithNames,
+        users: usersWithEmails
     };
 }
 
@@ -342,7 +488,7 @@ export async function queryConnectionAuditLogs(
 
         const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
 
-        // Enrich with resource, site, and client details
+        // Enrich with resource, site, client, and user details
         const log = await enrichWithDetails(logsRaw);
 
         const totalCountResult = await countConnectionQuery(data);
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 164c14488..2ac7153b5 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -277,6 +277,8 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         return;
     }
 
+    logger.debug(`Sessions: ${JSON.stringify(sessions)}`)
+
     // Build a map from sourceAddr → { clientId, userId } by querying clients
     // whose subnet field matches exactly. Client subnets are stored with the
     // org's CIDR suffix (e.g. "100.90.128.5/16"), so we reconstruct that from
@@ -295,9 +297,15 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         if (uniqueSourceAddrs.size > 0) {
             // Construct the exact subnet strings as stored in the DB
             const subnetQueries = Array.from(uniqueSourceAddrs).map(
-                (addr) => `${addr}${cidrSuffix}`
+                (addr) => {
+                    // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
+                    const ip = addr.includes(":") ? addr.split(":")[0] : addr;
+                    return `${ip}${cidrSuffix}`;
+                }
             );
 
+            logger.debug(`Subnet queries: ${JSON.stringify(subnetQueries)}`);
+
             const matchedClients = await db
                 .select({
                     clientId: clients.clientId,
@@ -314,6 +322,7 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
             for (const c of matchedClients) {
                 const ip = c.subnet.split("/")[0];
+                logger.debug(`Client ${c.clientId} subnet ${c.subnet} matches ${ip}`);
                 ipToClient.set(ip, { clientId: c.clientId, userId: c.userId });
             }
         }
@@ -346,7 +355,10 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         // Match the source address to a client. The sourceAddr is the
         // client's IP on the WireGuard network, which corresponds to the IP
         // portion of the client's subnet CIDR (e.g. "100.90.128.5/24").
-        const clientInfo = ipToClient.get(session.sourceAddr) ?? null;
+        // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
+        const sourceIp = session.sourceAddr.includes(":") ? session.sourceAddr.split(":")[0] : session.sourceAddr;
+        const clientInfo = ipToClient.get(sourceIp) ?? null;
+
 
         buffer.push({
             sessionId: session.sessionId,
diff --git a/server/routers/auditLogs/types.ts b/server/routers/auditLogs/types.ts
index 20e11e17b..4c278cba5 100644
--- a/server/routers/auditLogs/types.ts
+++ b/server/routers/auditLogs/types.ts
@@ -112,6 +112,9 @@ export type QueryConnectionAuditLogResponse = {
         siteName: string | null;
         siteNiceId: string | null;
         clientName: string | null;
+        clientNiceId: string | null;
+        clientType: string | null;
+        userEmail: string | null;
     }[];
     pagination: {
         total: number;
@@ -120,5 +123,18 @@ export type QueryConnectionAuditLogResponse = {
     };
     filterAttributes: {
         protocols: string[];
+        destAddrs: string[];
+        clients: {
+            id: number;
+            name: string;
+        }[];
+        resources: {
+            id: number;
+            name: string | null;
+        }[];
+        users: {
+            id: string;
+            email: string | null;
+        }[];
     };
 };
diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
index 737b1efd7..7ac137467 100644
--- a/src/app/[orgId]/settings/logs/connection/page.tsx
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -1,4 +1,5 @@
 "use client";
+import { Button } from "@app/components/ui/button";
 import { ColumnFilter } from "@app/components/ColumnFilter";
 import { DateTimeValue } from "@app/components/DateTimePicker";
 import { LogDataTable } from "@app/components/LogDataTable";
@@ -14,7 +15,8 @@ import { build } from "@server/build";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { ColumnDef } from "@tanstack/react-table";
 import axios from "axios";
-import { Cable, Monitor, Server } from "lucide-react";
+import { ArrowUpRight, Laptop, User } from "lucide-react";
+import Link from "next/link";
 import { useTranslations } from "next-intl";
 import { useParams, useRouter, useSearchParams } from "next/navigation";
 import { useEffect, useState, useTransition } from "react";
@@ -57,15 +59,31 @@ export default function ConnectionLogsPage() {
     const [isExporting, startTransition] = useTransition();
     const [filterAttributes, setFilterAttributes] = useState<{
         protocols: string[];
+        destAddrs: string[];
+        clients: { id: number; name: string }[];
+        resources: { id: number; name: string | null }[];
+        users: { id: string; email: string | null }[];
     }>({
-        protocols: []
+        protocols: [],
+        destAddrs: [],
+        clients: [],
+        resources: [],
+        users: []
     });
 
     // Filter states - unified object for all filters
     const [filters, setFilters] = useState<{
         protocol?: string;
+        destAddr?: string;
+        clientId?: string;
+        siteResourceId?: string;
+        userId?: string;
     }>({
-        protocol: searchParams.get("protocol") || undefined
+        protocol: searchParams.get("protocol") || undefined,
+        destAddr: searchParams.get("destAddr") || undefined,
+        clientId: searchParams.get("clientId") || undefined,
+        siteResourceId: searchParams.get("siteResourceId") || undefined,
+        userId: searchParams.get("userId") || undefined
     });
 
     // Pagination state
@@ -211,9 +229,7 @@ export default function ConnectionLogsPage() {
         endDate: DateTimeValue,
         page: number = currentPage,
         size: number = pageSize,
-        filtersParam?: {
-            protocol?: string;
-        }
+        filtersParam?: typeof filters
     ) => {
         console.log("Date range changed:", { startDate, endDate, page, size });
         if (!isPaidUser(tierMatrix.connectionLogs)) {
@@ -411,9 +427,41 @@ export default function ConnectionLogsPage() {
         {
             accessorKey: "resourceName",
             header: ({ column }) => {
-                return t("resource");
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("resource")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.resources.map((res) => ({
+                                value: res.id.toString(),
+                                label: res.name || "Unnamed Resource"
+                            }))}
+                            selectedValue={filters.siteResourceId}
+                            onValueChange={(value) =>
+                                handleFilterChange("siteResourceId", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
             },
             cell: ({ row }) => {
+                if (row.original.resourceName && row.original.resourceNiceId) {
+                    return (
+                        <Link
+                            href={`/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`}
+                        >
+                            <Button
+                                variant="outline"
+                                size="sm"
+                                className="text-xs h-6"
+                            >
+                                {row.original.resourceName}
+                                <ArrowUpRight className="ml-2 h-3 w-3" />
+                            </Button>
+                        </Link>
+                    );
+                }
                 return (
                     <span className="whitespace-nowrap">
                         {row.original.resourceName ?? "—"}
@@ -421,6 +469,86 @@ export default function ConnectionLogsPage() {
                 );
             }
         },
+        {
+            accessorKey: "clientName",
+            header: ({ column }) => {
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("client")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.clients.map((c) => ({
+                                value: c.id.toString(),
+                                label: c.name
+                            }))}
+                            selectedValue={filters.clientId}
+                            onValueChange={(value) =>
+                                handleFilterChange("clientId", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
+            },
+            cell: ({ row }) => {
+                const clientType = row.original.clientType === "olm" ? "machine" : "user";
+                if (row.original.clientName && row.original.clientNiceId) {
+                    return (
+                        <Link
+                            href={`/${row.original.orgId}/settings/clients/${clientType}/${row.original.clientNiceId}`}
+                        >
+                            <Button
+                                variant="outline"
+                                size="sm"
+                                className="text-xs h-6"
+                            >
+                                <Laptop className="mr-1 h-3 w-3" />
+                                {row.original.clientName}
+                                <ArrowUpRight className="ml-2 h-3 w-3" />
+                            </Button>
+                        </Link>
+                    );
+                }
+                return (
+                    <span className="whitespace-nowrap">
+                        {row.original.clientName ?? "—"}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "userEmail",
+            header: ({ column }) => {
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("user")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.users.map((u) => ({
+                                value: u.id,
+                                label: u.email || u.id
+                            }))}
+                            selectedValue={filters.userId}
+                            onValueChange={(value) =>
+                                handleFilterChange("userId", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
+            },
+            cell: ({ row }) => {
+                if (row.original.userEmail || row.original.userId) {
+                    return (
+                        <span className="flex items-center gap-1 whitespace-nowrap">
+                            <User className="h-4 w-4" />
+                            {row.original.userEmail ?? row.original.userId}
+                        </span>
+                    );
+                }
+                return <span>—</span>;
+            }
+        },
         {
             accessorKey: "sourceAddr",
             header: ({ column }) => {
@@ -437,7 +565,23 @@ export default function ConnectionLogsPage() {
         {
             accessorKey: "destAddr",
             header: ({ column }) => {
-                return t("destinationAddress");
+                return (
+                    <div className="flex items-center gap-2">
+                        <span>{t("destinationAddress")}</span>
+                        <ColumnFilter
+                            options={filterAttributes.destAddrs.map((addr) => ({
+                                value: addr,
+                                label: addr
+                            }))}
+                            selectedValue={filters.destAddr}
+                            onValueChange={(value) =>
+                                handleFilterChange("destAddr", value)
+                            }
+                            searchPlaceholder="Search..."
+                            emptyMessage="None found"
+                        />
+                    </div>
+                );
             },
             cell: ({ row }) => {
                 return (
@@ -470,10 +614,9 @@ export default function ConnectionLogsPage() {
             <div className="space-y-4">
                 <div className="grid grid-cols-1 md:grid-cols-3 gap-4 text-xs">
                     <div className="space-y-2">
-                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            <Cable className="h-4 w-4" />
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Connection Details
-                        </div>
+                        </div>*/}
                         <div>
                             <strong>Session ID:</strong>{" "}
                             <span className="font-mono">
@@ -518,10 +661,9 @@ export default function ConnectionLogsPage() {
                         </div>
                     </div>
                     <div className="space-y-2">
-                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            <Server className="h-4 w-4" />
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Resource & Site
-                        </div>
+                        </div>*/}
                         <div>
                             <strong>Resource:</strong>{" "}
                             {row.resourceName ?? "—"}
@@ -548,10 +690,9 @@ export default function ConnectionLogsPage() {
                         </div>
                     </div>
                     <div className="space-y-2">
-                        <div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            <Monitor className="h-4 w-4" />
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Client & Transfer
-                        </div>
+                        </div>*/}
                         <div>
                             <strong>Client:</strong> {row.clientName ?? "—"}
                             {row.clientId && (
@@ -561,7 +702,8 @@ export default function ConnectionLogsPage() {
                             )}
                         </div>
                         <div>
-                            <strong>User ID:</strong> {row.userId ?? "—"}
+                            <strong>User:</strong>{" "}
+                            {row.userEmail ?? row.userId ?? "—"}
                         </div>
                         <div>
                             <strong>Bytes Sent (TX):</strong>{" "}
@@ -627,4 +769,4 @@ export default function ConnectionLogsPage() {
             />
         </>
     );
-}
\ No newline at end of file
+}

From f9bff5954f190ce697b9d4ed6ed3b3992343e854 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 21:49:22 -0700
Subject: [PATCH 027/122] Add filters and refine table and query

---
 .../[orgId]/settings/logs/connection/page.tsx | 78 ++++++++-----------
 1 file changed, 33 insertions(+), 45 deletions(-)

diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
index 7ac137467..1d93e0658 100644
--- a/src/app/[orgId]/settings/logs/connection/page.tsx
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -639,6 +639,31 @@ export default function ConnectionLogsPage() {
                                 {row.destAddr ?? "—"}
                             </span>
                         </div>
+                    </div>
+                    <div className="space-y-2">
+                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
+                            Resource & Site
+                        </div>*/}
+                        {/*<div>
+                            <strong>Resource:</strong>{" "}
+                            {row.resourceName ?? "—"}
+                            {row.resourceNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.resourceNiceId})
+                                </span>
+                            )}
+                        </div>*/}
+                        <div>
+                            <strong>Site:</strong> {row.siteName ?? "—"}
+                            {row.siteNiceId && (
+                                <span className="text-muted-foreground ml-1">
+                                    ({row.siteNiceId})
+                                </span>
+                            )}
+                        </div>
+                        <div>
+                            <strong>Site ID:</strong> {row.siteId ?? "—"}
+                        </div>
                         <div>
                             <strong>Started At:</strong>{" "}
                             {row.startedAt
@@ -659,66 +684,29 @@ export default function ConnectionLogsPage() {
                             <strong>Duration:</strong>{" "}
                             {formatDuration(row.startedAt, row.endedAt)}
                         </div>
-                    </div>
-                    <div className="space-y-2">
-                        {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
-                            Resource & Site
-                        </div>*/}
-                        <div>
-                            <strong>Resource:</strong>{" "}
-                            {row.resourceName ?? "—"}
-                            {row.resourceNiceId && (
-                                <span className="text-muted-foreground ml-1">
-                                    ({row.resourceNiceId})
-                                </span>
-                            )}
-                        </div>
-                        <div>
-                            <strong>Site:</strong> {row.siteName ?? "—"}
-                            {row.siteNiceId && (
-                                <span className="text-muted-foreground ml-1">
-                                    ({row.siteNiceId})
-                                </span>
-                            )}
-                        </div>
-                        <div>
-                            <strong>Site ID:</strong> {row.siteId ?? "—"}
-                        </div>
-                        <div>
+                        {/*<div>
                             <strong>Resource ID:</strong>{" "}
                             {row.siteResourceId ?? "—"}
-                        </div>
+                        </div>*/}
                     </div>
                     <div className="space-y-2">
                         {/*<div className="flex items-center gap-1 font-semibold text-sm mb-1">
                             Client & Transfer
                         </div>*/}
-                        <div>
-                            <strong>Client:</strong> {row.clientName ?? "—"}
-                            {row.clientId && (
-                                <span className="text-muted-foreground ml-1">
-                                    (ID: {row.clientId})
-                                </span>
-                            )}
-                        </div>
-                        <div>
-                            <strong>User:</strong>{" "}
-                            {row.userEmail ?? row.userId ?? "—"}
-                        </div>
-                        <div>
+                        {/*<div>
                             <strong>Bytes Sent (TX):</strong>{" "}
                             {formatBytes(row.bytesTx)}
-                        </div>
-                        <div>
+                        </div>*/}
+                        {/*<div>
                             <strong>Bytes Received (RX):</strong>{" "}
                             {formatBytes(row.bytesRx)}
-                        </div>
-                        <div>
+                        </div>*/}
+                        {/*<div>
                             <strong>Total Transfer:</strong>{" "}
                             {formatBytes(
                                 (row.bytesTx ?? 0) + (row.bytesRx ?? 0)
                             )}
-                        </div>
+                        </div>*/}
                     </div>
                 </div>
             </div>

From 7b78b914493cb1bf2f5066a05296b787f1dd7517 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 23 Mar 2026 22:00:53 -0700
Subject: [PATCH 028/122] Fix resource link

---
 src/app/[orgId]/settings/logs/connection/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/logs/connection/page.tsx b/src/app/[orgId]/settings/logs/connection/page.tsx
index 1d93e0658..dff42faac 100644
--- a/src/app/[orgId]/settings/logs/connection/page.tsx
+++ b/src/app/[orgId]/settings/logs/connection/page.tsx
@@ -449,7 +449,7 @@ export default function ConnectionLogsPage() {
                 if (row.original.resourceName && row.original.resourceNiceId) {
                     return (
                         <Link
-                            href={`/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`}
+                            href={`/${row.original.orgId}/settings/resources/client/?query=${row.original.resourceNiceId}`}
                         >
                             <Button
                                 variant="outline"

From 84925f724d8e6d0b068e1c20c87868fd68ee6f45 Mon Sep 17 00:00:00 2001
From: Fred KISSIE <fredkiss3@gmail.com>
Date: Tue, 24 Mar 2026 23:43:01 +0100
Subject: [PATCH 029/122] =?UTF-8?q?=F0=9F=92=84=20update=20UI?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/components/InternalResourceForm.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 0cf86a8eb..4486b05fe 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -543,7 +543,7 @@ export function InternalResourceForm({
                 className="space-y-6"
                 id={formId}
             >
-                <div className="grid gap-4">
+                <div className="grid grid-cols-2 gap-4">
                     <FormField
                         control={form.control}
                         name="name"

From 5b894e8682a0aa4db18c714da06db19cd19abe87 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:01:54 -0700
Subject: [PATCH 030/122] Disable everything if not paid

---
 src/app/[orgId]/settings/(private)/idp/create/page.tsx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 4c783e9b2..fc2c6c382 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -275,6 +275,8 @@ export default function Page() {
         }
     }
 
+    const disabled = !isPaidUser(tierMatrix.orgOidc);
+
     return (
         <>
             <div className="flex justify-between">
@@ -292,6 +294,9 @@ export default function Page() {
                 </Button>
             </div>
 
+            <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+
+            <fieldset disabled={disabled} className={disabled ? "opacity-50 pointer-events-none" : ""}>
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -812,9 +817,10 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading || !isPaidUser(tierMatrix.orgOidc)}
+                    disabled={createLoading || disabled}
                     loading={createLoading}
                     onClick={() => {
+                        if (disabled) return;
                         // log any issues with the form
                         console.log(form.formState.errors);
                         form.handleSubmit(onSubmit)();
@@ -823,6 +829,7 @@ export default function Page() {
                     {t("idpSubmit")}
                 </Button>
             </div>
+            </fieldset>
         </>
     );
 }

From 5a2a97b23a5034c92e57179571d5485888fe001a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:12:13 -0700
Subject: [PATCH 031/122] Add better pooling controls

---
 server/db/pg/driver.ts     | 35 ++++++++++++---------
 server/db/pg/logsDriver.ts | 35 ++++++++++++---------
 server/db/pg/poolConfig.ts | 63 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 28 deletions(-)
 create mode 100644 server/db/pg/poolConfig.ts

diff --git a/server/db/pg/driver.ts b/server/db/pg/driver.ts
index 5b357d060..9366e32e1 100644
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";
 
 function createDb() {
     const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
 
     // Create connection pools instead of individual connections
     const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );
 
     const replicas = [];
 
@@ -55,14 +60,16 @@ function createDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+>[0];
\ No newline at end of file
diff --git a/server/db/pg/logsDriver.ts b/server/db/pg/logsDriver.ts
index 49e26f89f..146b8fb2f 100644
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";
 
 function createLogsDb() {
     // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
 
     // Create separate connection pool for logs database
     const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );
 
     const replicas = [];
 
@@ -58,14 +63,16 @@ function createLogsDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {
 
 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
\ No newline at end of file
diff --git a/server/db/pg/poolConfig.ts b/server/db/pg/poolConfig.ts
new file mode 100644
index 000000000..f753121c1
--- /dev/null
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}
\ No newline at end of file

From 7db58f920c9b410b2e1401ee4e90b2cb928a6171 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Mar 2026 16:19:00 -0700
Subject: [PATCH 032/122] add site provisioning key crud

---
 server/auth/actions.ts                        |   3 +
 server/db/pg/schema/privateSchema.ts          |  42 +++++-
 server/db/sqlite/schema/privateSchema.ts      |  29 +++-
 server/middlewares/index.ts                   |   1 +
 .../verifySiteProvisioningKeyAccess.ts        | 131 ++++++++++++++++++
 server/routers/external.ts                    |  29 +++-
 .../createSiteProvisioningKey.ts              | 108 +++++++++++++++
 .../deleteSiteProvisioningKey.ts              | 116 ++++++++++++++++
 server/routers/siteProvisioning/index.ts      |   3 +
 .../listSiteProvisioningKeys.ts               | 115 +++++++++++++++
 10 files changed, 571 insertions(+), 6 deletions(-)
 create mode 100644 server/middlewares/verifySiteProvisioningKeyAccess.ts
 create mode 100644 server/routers/siteProvisioning/createSiteProvisioningKey.ts
 create mode 100644 server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
 create mode 100644 server/routers/siteProvisioning/index.ts
 create mode 100644 server/routers/siteProvisioning/listSiteProvisioningKeys.ts

diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 450e3f42b..6cdc4fa0a 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -109,6 +109,9 @@ export enum ActionsEnum {
     listApiKeyActions = "listApiKeyActions",
     listApiKeys = "listApiKeys",
     getApiKey = "getApiKey",
+    createSiteProvisioningKey = "createSiteProvisioningKey",
+    listSiteProvisioningKeys = "listSiteProvisioningKeys",
+    deleteSiteProvisioningKey = "deleteSiteProvisioningKey",
     getCertificate = "getCertificate",
     restartCertificate = "restartCertificate",
     billing = "billing",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index c9d7cc907..63d6bcd60 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -7,7 +7,8 @@ import {
     bigint,
     real,
     text,
-    index
+    index,
+    primaryKey
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import {
@@ -89,7 +90,9 @@ export const subscriptions = pgTable("subscriptions", {
 
 export const subscriptionItems = pgTable("subscriptionItems", {
     subscriptionItemId: serial("subscriptionItemId").primaryKey(),
-    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", { length: 255 }),
+    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", {
+        length: 255
+    }),
     subscriptionId: varchar("subscriptionId", { length: 255 })
         .notNull()
         .references(() => subscriptions.subscriptionId, {
@@ -329,13 +332,44 @@ export const approvals = pgTable("approvals", {
 });
 
 export const bannedEmails = pgTable("bannedEmails", {
-    email: varchar("email", { length: 255 }).primaryKey(),
+    email: varchar("email", { length: 255 }).primaryKey()
 });
 
 export const bannedIps = pgTable("bannedIps", {
-    ip: varchar("ip", { length: 255 }).primaryKey(),
+    ip: varchar("ip", { length: 255 }).primaryKey()
 });
 
+export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+        length: 255
+    }).primaryKey(),
+    name: varchar("name", { length: 255 }).notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: varchar("lastChars", { length: 4 }).notNull(),
+    createdAt: varchar("dateCreated", { length: 255 }).notNull()
+});
+
+export const siteProvisioningKeyOrg = pgTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+            length: 255
+        })
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 8baeb5220..ac2662e27 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -2,6 +2,7 @@ import { InferSelectModel } from "drizzle-orm";
 import {
     index,
     integer,
+    primaryKey,
     real,
     sqliteTable,
     text
@@ -318,7 +319,6 @@ export const approvals = sqliteTable("approvals", {
         .notNull()
 });
 
-
 export const bannedEmails = sqliteTable("bannedEmails", {
     email: text("email").primaryKey()
 });
@@ -327,6 +327,33 @@ export const bannedIps = sqliteTable("bannedIps", {
     ip: text("ip").primaryKey()
 });
 
+export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: text("siteProvisioningKeyId").primaryKey(),
+    name: text("name").notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: text("lastChars").notNull(),
+    createdAt: text("dateCreated").notNull()
+});
+
+export const siteProvisioningKeyOrg = sqliteTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: text("siteProvisioningKeyId")
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index 6437c90e2..0f485e637 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -24,6 +24,7 @@ export * from "./verifyClientAccess";
 export * from "./integration";
 export * from "./verifyUserHasAction";
 export * from "./verifyApiKeyAccess";
+export * from "./verifySiteProvisioningKeyAccess";
 export * from "./verifyDomainAccess";
 export * from "./verifyUserIsOrgOwner";
 export * from "./verifySiteResourceAccess";
diff --git a/server/middlewares/verifySiteProvisioningKeyAccess.ts b/server/middlewares/verifySiteProvisioningKeyAccess.ts
new file mode 100644
index 000000000..e0d446de6
--- /dev/null
+++ b/server/middlewares/verifySiteProvisioningKeyAccess.ts
@@ -0,0 +1,131 @@
+import { Request, Response, NextFunction } from "express";
+import { db, userOrgs, siteProvisioningKeys, siteProvisioningKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+
+export async function verifySiteProvisioningKeyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const userId = req.user!.userId;
+        const siteProvisioningKeyId = req.params.siteProvisioningKeyId;
+        const orgId = req.params.orgId;
+
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!siteProvisioningKeyId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid key ID")
+            );
+        }
+
+        const [row] = await db
+            .select()
+            .from(siteProvisioningKeys)
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                and(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        siteProvisioningKeyOrg.siteProvisioningKeyId
+                    ),
+                    eq(siteProvisioningKeyOrg.orgId, orgId)
+                )
+            )
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .limit(1);
+
+        if (!row?.siteProvisioningKeys) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
+                )
+            );
+        }
+
+        if (!row.siteProvisioningKeyOrg.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} does not have an organization ID`
+                )
+            );
+        }
+
+        if (!req.userOrg) {
+            const userOrgRole = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(
+                            userOrgs.orgId,
+                            row.siteProvisioningKeyOrg.orgId
+                        )
+                    )
+                )
+                .limit(1);
+            req.userOrg = userOrgRole[0];
+        }
+
+        if (!req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying site provisioning key access"
+            )
+        );
+    }
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 45ab58bba..90f208863 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -15,6 +15,7 @@ import * as accessToken from "./accessToken";
 import * as idp from "./idp";
 import * as blueprints from "./blueprints";
 import * as apiKeys from "./apiKeys";
+import * as siteProvisioning from "./siteProvisioning";
 import * as logs from "./auditLogs";
 import * as newt from "./newt";
 import * as olm from "./olm";
@@ -42,7 +43,8 @@ import {
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
-    verifyLimits
+    verifyLimits,
+    verifySiteProvisioningKeyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import rateLimit, { ipKeyGenerator } from "express-rate-limit";
@@ -986,6 +988,31 @@ authenticated.get(
     apiKeys.listRootApiKeys
 );
 
+authenticated.put(
+    `/org/:orgId/site-provisioning-key`,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createSiteProvisioningKey),
+    logActionAudit(ActionsEnum.createSiteProvisioningKey),
+    siteProvisioning.createSiteProvisioningKey
+);
+
+authenticated.get(
+    `/org/:orgId/site-provisioning-keys`,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listSiteProvisioningKeys),
+    siteProvisioning.listSiteProvisioningKeys
+);
+
+authenticated.delete(
+    `/org/:orgId/site-provisioning-key/:siteProvisioningKeyId`,
+    verifyOrgAccess,
+    verifySiteProvisioningKeyAccess,
+    verifyUserHasAction(ActionsEnum.deleteSiteProvisioningKey),
+    logActionAudit(ActionsEnum.deleteSiteProvisioningKey),
+    siteProvisioning.deleteSiteProvisioningKey
+);
+
 authenticated.get(
     `/api-key/:apiKeyId/actions`,
     verifyUserIsServerAdmin,
diff --git a/server/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
new file mode 100644
index 000000000..9bb298966
--- /dev/null
+++ b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -0,0 +1,108 @@
+import { NextFunction, Request, Response } from "express";
+import { db, siteProvisioningKeyOrg, siteProvisioningKeys } from "@server/db";
+import HttpCode from "@server/types/HttpCode";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import createHttpError from "http-errors";
+import response from "@server/lib/response";
+import moment from "moment";
+import {
+    generateId,
+    generateIdFromEntropySize
+} from "@server/auth/sessions/app";
+import logger from "@server/logger";
+import { hashPassword } from "@server/auth/password";
+
+const paramsSchema = z.object({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z.strictObject({
+    name: z.string().min(1).max(255)
+});
+
+export type CreateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
+
+export type CreateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    siteProvisioningKey: string;
+    lastChars: string;
+    createdAt: string;
+};
+
+export async function createSiteProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    const parsedParams = paramsSchema.safeParse(req.params);
+    if (!parsedParams.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedParams.error).toString()
+            )
+        );
+    }
+
+    const parsedBody = bodySchema.safeParse(req.body);
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString()
+            )
+        );
+    }
+
+    const { orgId } = parsedParams.data;
+    const { name } = parsedBody.data;
+
+    const siteProvisioningKeyId = `spk-${generateId(15)}`;
+    const siteProvisioningKey = generateIdFromEntropySize(25);
+    const siteProvisioningKeyHash = await hashPassword(siteProvisioningKey);
+    const lastChars = siteProvisioningKey.slice(-4);
+    const createdAt = moment().toISOString();
+
+    await db.transaction(async (trx) => {
+        await trx.insert(siteProvisioningKeys).values({
+            siteProvisioningKeyId,
+            name,
+            siteProvisioningKeyHash,
+            createdAt,
+            lastChars
+        });
+
+        await trx.insert(siteProvisioningKeyOrg).values({
+            siteProvisioningKeyId,
+            orgId
+        });
+    });
+
+    try {
+        return response<CreateSiteProvisioningKeyResponse>(res, {
+            data: {
+                siteProvisioningKeyId,
+                orgId,
+                name,
+                siteProvisioningKey,
+                lastChars,
+                createdAt
+            },
+            success: true,
+            error: false,
+            message: "Site provisioning key created",
+            status: HttpCode.CREATED
+        });
+    } catch (e) {
+        logger.error(e);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to create site provisioning key"
+            )
+        );
+    }
+}
diff --git a/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts b/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
new file mode 100644
index 000000000..d1da01d97
--- /dev/null
+++ b/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
@@ -0,0 +1,116 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    db,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys
+} from "@server/db";
+import { and, eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.object({
+    siteProvisioningKeyId: z.string().nonempty(),
+    orgId: z.string().nonempty()
+});
+
+export async function deleteSiteProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { siteProvisioningKeyId, orgId } = parsedParams.data;
+
+        const [row] = await db
+            .select()
+            .from(siteProvisioningKeys)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                and(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        siteProvisioningKeyOrg.siteProvisioningKeyId
+                    ),
+                    eq(siteProvisioningKeyOrg.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!row) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(siteProvisioningKeyOrg)
+                .where(
+                    and(
+                        eq(
+                            siteProvisioningKeyOrg.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        ),
+                        eq(siteProvisioningKeyOrg.orgId, orgId)
+                    )
+                );
+
+            const siteProvisioningKeyOrgs = await trx
+                .select()
+                .from(siteProvisioningKeyOrg)
+                .where(
+                    eq(
+                        siteProvisioningKeyOrg.siteProvisioningKeyId,
+                        siteProvisioningKeyId
+                    )
+                );
+
+            if (siteProvisioningKeyOrgs.length === 0) {
+                await trx
+                    .delete(siteProvisioningKeys)
+                    .where(
+                        eq(
+                            siteProvisioningKeys.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        )
+                    );
+            }
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Site provisioning key deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/siteProvisioning/index.ts b/server/routers/siteProvisioning/index.ts
new file mode 100644
index 000000000..b3f69f100
--- /dev/null
+++ b/server/routers/siteProvisioning/index.ts
@@ -0,0 +1,3 @@
+export * from "./createSiteProvisioningKey";
+export * from "./listSiteProvisioningKeys";
+export * from "./deleteSiteProvisioningKey";
diff --git a/server/routers/siteProvisioning/listSiteProvisioningKeys.ts b/server/routers/siteProvisioning/listSiteProvisioningKeys.ts
new file mode 100644
index 000000000..65360625c
--- /dev/null
+++ b/server/routers/siteProvisioning/listSiteProvisioningKeys.ts
@@ -0,0 +1,115 @@
+import {
+    db,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys
+} from "@server/db";
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import response from "@server/lib/response";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import { eq } from "drizzle-orm";
+
+const paramsSchema = z.object({
+    orgId: z.string().nonempty()
+});
+
+const querySchema = z.object({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative())
+});
+
+function querySiteProvisioningKeys(orgId: string) {
+    return db
+        .select({
+            siteProvisioningKeyId:
+                siteProvisioningKeys.siteProvisioningKeyId,
+            orgId: siteProvisioningKeyOrg.orgId,
+            lastChars: siteProvisioningKeys.lastChars,
+            createdAt: siteProvisioningKeys.createdAt,
+            name: siteProvisioningKeys.name
+        })
+        .from(siteProvisioningKeyOrg)
+        .innerJoin(
+            siteProvisioningKeys,
+            eq(
+                siteProvisioningKeys.siteProvisioningKeyId,
+                siteProvisioningKeyOrg.siteProvisioningKeyId
+            )
+        )
+        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
+}
+
+export type ListSiteProvisioningKeysResponse = {
+    siteProvisioningKeys: Awaited<
+        ReturnType<typeof querySiteProvisioningKeys>
+    >;
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export async function listSiteProvisioningKeys(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+        const { limit, offset } = parsedQuery.data;
+
+        const siteProvisioningKeysList = await querySiteProvisioningKeys(orgId)
+            .limit(limit)
+            .offset(offset);
+
+        return response<ListSiteProvisioningKeysResponse>(res, {
+            data: {
+                siteProvisioningKeys: siteProvisioningKeysList,
+                pagination: {
+                    total: siteProvisioningKeysList.length,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Site provisioning keys retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

From fff38aac85eae7205417e302c7a16aeff2f7a1ce Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:26:56 -0700
Subject: [PATCH 033/122] Add ssh access log

---
 server/private/routers/ssh/signSshKey.ts      | 19 +++++++++++++++++++
 src/app/[orgId]/settings/logs/access/page.tsx | 16 ++++++++--------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index 5cffb4a34..c39d2e0ae 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -24,6 +24,7 @@ import {
     sites,
     userOrgs
 } from "@server/db";
+import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
@@ -463,6 +464,24 @@ export async function signSshKey(
             })
         });
 
+        await logAccessAudit({
+            action: true,
+            type: "ssh",
+            orgId: orgId,
+            resourceId: resource.siteResourceId,
+            user: req.user
+                ? { username: req.user.username ?? "", userId: req.user.userId }
+                : undefined,
+            metadata: {
+                resourceName: resource.name,
+                siteId: resource.siteId,
+                sshUsername: usernameToUse,
+                sshHost: sshHost
+            },
+            userAgent: req.headers["user-agent"],
+            requestIp: req.ip
+        });
+
         return response<SignSshKeyResponse>(res, {
             data: {
                 certificate: cert.certificate,
diff --git a/src/app/[orgId]/settings/logs/access/page.tsx b/src/app/[orgId]/settings/logs/access/page.tsx
index 810022b98..dbb7b6708 100644
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -493,7 +493,8 @@ export default function GeneralPage() {
                                 {
                                     value: "whitelistedEmail",
                                     label: "Whitelisted Email"
-                                }
+                                },
+                                { value: "ssh", label: "SSH" }
                             ]}
                             selectedValue={filters.type}
                             onValueChange={(value) =>
@@ -507,13 +508,12 @@ export default function GeneralPage() {
                 );
             },
             cell: ({ row }) => {
-                // should be capitalized first letter
-                return (
-                    <span>
-                        {row.original.type.charAt(0).toUpperCase() +
-                            row.original.type.slice(1) || "-"}
-                    </span>
-                );
+                const typeLabel =
+                    row.original.type === "ssh"
+                        ? "SSH"
+                        : row.original.type.charAt(0).toUpperCase() +
+                          row.original.type.slice(1);
+                return <span>{typeLabel || "-"}</span>;
             }
         },
         {

From d21dfb750e004a59a0229cb9cea827dfaa734b3d Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Mar 2026 17:01:20 -0700
Subject: [PATCH 034/122] ui for provisioning key

---
 messages/en-US.json                           |  20 ++
 .../settings/provisioning/create/page.tsx     |  10 +
 .../[orgId]/settings/provisioning/page.tsx    |  50 ++++
 src/app/navigation.tsx                        |   6 +
 .../CreateSiteProvisioningKeyCredenza.tsx     | 195 ++++++++++++++++
 src/components/SiteProvisioningKeysTable.tsx  | 216 ++++++++++++++++++
 6 files changed, 497 insertions(+)
 create mode 100644 src/app/[orgId]/settings/provisioning/create/page.tsx
 create mode 100644 src/app/[orgId]/settings/provisioning/page.tsx
 create mode 100644 src/components/CreateSiteProvisioningKeyCredenza.tsx
 create mode 100644 src/components/SiteProvisioningKeysTable.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 895ee1332..5cb3721ef 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -323,6 +323,25 @@
     "apiKeysDelete": "Delete API Key",
     "apiKeysManage": "Manage API Keys",
     "apiKeysDescription": "API keys are used to authenticate with the integration API",
+    "provisioningKeysTitle": "Provisioning Key",
+    "provisioningKeysManage": "Manage Provisioning Keys",
+    "provisioningKeysDescription": "Provisioning keys are used to authenticate automated site provisioning for your organization.",
+    "provisioningKeys": "Provisioning Keys",
+    "searchProvisioningKeys": "Search provisioning keys...",
+    "provisioningKeysAdd": "Generate Provisioning Key",
+    "provisioningKeysErrorDelete": "Error deleting provisioning key",
+    "provisioningKeysErrorDeleteMessage": "Error deleting provisioning key",
+    "provisioningKeysQuestionRemove": "Are you sure you want to remove this provisioning key from the organization?",
+    "provisioningKeysMessageRemove": "Once removed, the key can no longer be used for site provisioning.",
+    "provisioningKeysDeleteConfirm": "Confirm Delete Provisioning Key",
+    "provisioningKeysDelete": "Delete Provisioning key",
+    "provisioningKeysCreate": "Generate Provisioning Key",
+    "provisioningKeysCreateDescription": "Generate a new provisioning key for the organization",
+    "provisioningKeysSeeAll": "See all provisioning keys",
+    "provisioningKeysSave": "Save the provisioning key",
+    "provisioningKeysSaveDescription": "You will only be able to see this once. Copy it to a secure place.",
+    "provisioningKeysErrorCreate": "Error creating provisioning key",
+    "provisioningKeysList": "New provisioning key",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
     "userDescription": "View and manage all users in the system",
@@ -1266,6 +1285,7 @@
     "sidebarRoles": "Roles",
     "sidebarShareableLinks": "Links",
     "sidebarApiKeys": "API Keys",
+    "sidebarProvisioning": "Provisioning",
     "sidebarSettings": "Settings",
     "sidebarAllUsers": "All Users",
     "sidebarIdentityProviders": "Identity Providers",
diff --git a/src/app/[orgId]/settings/provisioning/create/page.tsx b/src/app/[orgId]/settings/provisioning/create/page.tsx
new file mode 100644
index 000000000..98573147a
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/create/page.tsx
@@ -0,0 +1,10 @@
+import { redirect } from "next/navigation";
+
+type PageProps = {
+    params: Promise<{ orgId: string }>;
+};
+
+export default async function ProvisioningCreateRedirect(props: PageProps) {
+    const params = await props.params;
+    redirect(`/${params.orgId}/settings/provisioning`);
+}
diff --git a/src/app/[orgId]/settings/provisioning/page.tsx b/src/app/[orgId]/settings/provisioning/page.tsx
new file mode 100644
index 000000000..f8a30b86f
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/page.tsx
@@ -0,0 +1,50 @@
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { AxiosResponse } from "axios";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import SiteProvisioningKeysTable, {
+    SiteProvisioningKeyRow
+} from "../../../../components/SiteProvisioningKeysTable";
+import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/listSiteProvisioningKeys";
+import { getTranslations } from "next-intl/server";
+
+type ProvisioningPageProps = {
+    params: Promise<{ orgId: string }>;
+};
+
+export const dynamic = "force-dynamic";
+
+export default async function ProvisioningPage(props: ProvisioningPageProps) {
+    const params = await props.params;
+    const t = await getTranslations();
+
+    let siteProvisioningKeys: ListSiteProvisioningKeysResponse["siteProvisioningKeys"] =
+        [];
+    try {
+        const res = await internal.get<
+            AxiosResponse<ListSiteProvisioningKeysResponse>
+        >(
+            `/org/${params.orgId}/site-provisioning-keys`,
+            await authCookieHeader()
+        );
+        siteProvisioningKeys = res.data.data.siteProvisioningKeys;
+    } catch (e) {}
+
+    const rows: SiteProvisioningKeyRow[] = siteProvisioningKeys.map((k) => ({
+        name: k.name,
+        id: k.siteProvisioningKeyId,
+        key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
+        createdAt: k.createdAt
+    }));
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title={t("provisioningKeysManage")}
+                description={t("provisioningKeysDescription")}
+            />
+
+            <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
+        </>
+    );
+}
diff --git a/src/app/navigation.tsx b/src/app/navigation.tsx
index 0066721db..c90b211a3 100644
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -2,6 +2,7 @@ import { SidebarNavItem } from "@app/components/SidebarNav";
 import { Env } from "@app/lib/types/env";
 import { build } from "@server/build";
 import {
+    Boxes,
     Building2,
     ChartLine,
     Combine,
@@ -203,6 +204,11 @@ export const orgNavSections = (
                         href: "/{orgId}/settings/api-keys",
                         icon: <KeyRound className="size-4 flex-none" />
                     },
+                    {
+                        title: "sidebarProvisioning",
+                        href: "/{orgId}/settings/provisioning",
+                        icon: <Boxes className="size-4 flex-none" />
+                    },
                     {
                         title: "sidebarBluePrints",
                         href: "/{orgId}/settings/blueprints",
diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
new file mode 100644
index 000000000..456731ed6
--- /dev/null
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -0,0 +1,195 @@
+"use client";
+
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import {
+    Form,
+    FormControl,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/createSiteProvisioningKey";
+import { AxiosResponse } from "axios";
+import { InfoIcon } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
+import { zodResolver } from "@hookform/resolvers/zod";
+import CopyTextBox from "@app/components/CopyTextBox";
+
+const FORM_ID = "create-site-provisioning-key-form";
+
+type CreateSiteProvisioningKeyCredenzaProps = {
+    open: boolean;
+    setOpen: (open: boolean) => void;
+    orgId: string;
+};
+
+export default function CreateSiteProvisioningKeyCredenza({
+    open,
+    setOpen,
+    orgId
+}: CreateSiteProvisioningKeyCredenzaProps) {
+    const t = useTranslations();
+    const router = useRouter();
+    const api = createApiClient(useEnvContext());
+    const [loading, setLoading] = useState(false);
+    const [created, setCreated] =
+        useState<CreateSiteProvisioningKeyResponse | null>(null);
+
+    const createFormSchema = z.object({
+        name: z
+            .string()
+            .min(1, {
+                message: t("nameMin", { len: 1 })
+            })
+            .max(255, {
+                message: t("nameMax", { len: 255 })
+            })
+    });
+
+    type CreateFormValues = z.infer<typeof createFormSchema>;
+
+    const form = useForm<CreateFormValues>({
+        resolver: zodResolver(createFormSchema),
+        defaultValues: {
+            name: ""
+        }
+    });
+
+    useEffect(() => {
+        if (!open) {
+            setCreated(null);
+            form.reset({ name: "" });
+        }
+    }, [open, form]);
+
+    async function onSubmit(data: CreateFormValues) {
+        setLoading(true);
+        try {
+            const res = await api
+                .put<
+                    AxiosResponse<CreateSiteProvisioningKeyResponse>
+                >(`/org/${orgId}/site-provisioning-key`, { name: data.name })
+                .catch((e) => {
+                    toast({
+                        variant: "destructive",
+                        title: t("provisioningKeysErrorCreate"),
+                        description: formatAxiosError(e)
+                    });
+                });
+
+            if (res && res.status === 201) {
+                setCreated(res.data.data);
+                router.refresh();
+            }
+        } finally {
+            setLoading(false);
+        }
+    }
+
+    const credential =
+        created &&
+        `${created.siteProvisioningKeyId}.${created.siteProvisioningKey}`;
+
+    return (
+        <Credenza open={open} onOpenChange={setOpen}>
+            <CredenzaContent>
+                <CredenzaHeader>
+                    <CredenzaTitle>
+                        {created
+                            ? t("provisioningKeysList")
+                            : t("provisioningKeysCreate")}
+                    </CredenzaTitle>
+                    {!created && (
+                        <CredenzaDescription>
+                            {t("provisioningKeysCreateDescription")}
+                        </CredenzaDescription>
+                    )}
+                </CredenzaHeader>
+                <CredenzaBody>
+                    {!created && (
+                        <Form {...form}>
+                            <form
+                                id={FORM_ID}
+                                onSubmit={form.handleSubmit(onSubmit)}
+                                className="space-y-4"
+                            >
+                                <FormField
+                                    control={form.control}
+                                    name="name"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>{t("name")}</FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    )}
+
+                    {created && credential && (
+                        <div className="space-y-4">
+                            <Alert variant="neutral">
+                                <InfoIcon className="h-4 w-4" />
+                                <AlertTitle className="font-semibold">
+                                    {t("provisioningKeysSave")}
+                                </AlertTitle>
+                                <AlertDescription>
+                                    {t("provisioningKeysSaveDescription")}
+                                </AlertDescription>
+                            </Alert>
+                            <CopyTextBox text={credential} />
+                        </div>
+                    )}
+                </CredenzaBody>
+                <CredenzaFooter>
+                    {!created ? (
+                        <>
+                            <CredenzaClose asChild>
+                                <Button variant="outline">{t("close")}</Button>
+                            </CredenzaClose>
+                            <Button
+                                type="submit"
+                                form={FORM_ID}
+                                loading={loading}
+                                disabled={loading}
+                            >
+                                {t("generate")}
+                            </Button>
+                        </>
+                    ) : (
+                        <CredenzaClose asChild>
+                            <Button variant="default">{t("done")}</Button>
+                        </CredenzaClose>
+                    )}
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
new file mode 100644
index 000000000..3fb3eb872
--- /dev/null
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -0,0 +1,216 @@
+"use client";
+
+import {
+    DataTable,
+    ExtendedColumnDef
+} from "@app/components/ui/data-table";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger
+} from "@app/components/ui/dropdown-menu";
+import { Button } from "@app/components/ui/button";
+import { ArrowUpDown, MoreHorizontal } from "lucide-react";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import CreateSiteProvisioningKeyCredenza from "@app/components/CreateSiteProvisioningKeyCredenza";
+import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
+import { toast } from "@app/hooks/useToast";
+import { formatAxiosError } from "@app/lib/api";
+import { createApiClient } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import moment from "moment";
+import { useTranslations } from "next-intl";
+
+export type SiteProvisioningKeyRow = {
+    id: string;
+    key: string;
+    name: string;
+    createdAt: string;
+};
+
+type SiteProvisioningKeysTableProps = {
+    keys: SiteProvisioningKeyRow[];
+    orgId: string;
+};
+
+export default function SiteProvisioningKeysTable({
+    keys,
+    orgId
+}: SiteProvisioningKeysTableProps) {
+    const router = useRouter();
+    const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
+    const [selected, setSelected] = useState<SiteProvisioningKeyRow | null>(
+        null
+    );
+    const [rows, setRows] = useState<SiteProvisioningKeyRow[]>(keys);
+    const api = createApiClient(useEnvContext());
+    const t = useTranslations();
+    const [isRefreshing, setIsRefreshing] = useState(false);
+    const [createOpen, setCreateOpen] = useState(false);
+
+    useEffect(() => {
+        setRows(keys);
+    }, [keys]);
+
+    const refreshData = async () => {
+        setIsRefreshing(true);
+        try {
+            await new Promise((resolve) => setTimeout(resolve, 200));
+            router.refresh();
+        } catch (error) {
+            toast({
+                title: t("error"),
+                description: t("refreshError"),
+                variant: "destructive"
+            });
+        } finally {
+            setIsRefreshing(false);
+        }
+    };
+
+    const deleteKey = async (siteProvisioningKeyId: string) => {
+        try {
+            await api.delete(
+                `/org/${orgId}/site-provisioning-key/${siteProvisioningKeyId}`
+            );
+            router.refresh();
+            setIsDeleteModalOpen(false);
+            setSelected(null);
+            setRows((prev) => prev.filter((row) => row.id !== siteProvisioningKeyId));
+        } catch (e) {
+            console.error(t("provisioningKeysErrorDelete"), e);
+            toast({
+                variant: "destructive",
+                title: t("provisioningKeysErrorDelete"),
+                description: formatAxiosError(
+                    e,
+                    t("provisioningKeysErrorDeleteMessage")
+                )
+            });
+            throw e;
+        }
+    };
+
+    const columns: ExtendedColumnDef<SiteProvisioningKeyRow>[] = [
+        {
+            accessorKey: "name",
+            enableHiding: false,
+            friendlyName: t("name"),
+            header: ({ column }) => {
+                return (
+                    <Button
+                        variant="ghost"
+                        onClick={() =>
+                            column.toggleSorting(column.getIsSorted() === "asc")
+                        }
+                    >
+                        {t("name")}
+                        <ArrowUpDown className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            accessorKey: "key",
+            friendlyName: t("key"),
+            header: () => <span className="p-3">{t("key")}</span>,
+            cell: ({ row }) => {
+                const r = row.original;
+                return <span className="font-mono">{r.key}</span>;
+            }
+        },
+        {
+            accessorKey: "createdAt",
+            friendlyName: t("createdAt"),
+            header: () => <span className="p-3">{t("createdAt")}</span>,
+            cell: ({ row }) => {
+                const r = row.original;
+                return <span>{moment(r.createdAt).format("lll")}</span>;
+            }
+        },
+        {
+            id: "actions",
+            enableHiding: false,
+            header: () => <span className="p-3"></span>,
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <div className="flex items-center gap-2 justify-end">
+                        <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                                <Button variant="ghost" className="h-8 w-8 p-0">
+                                    <span className="sr-only">
+                                        {t("openMenu")}
+                                    </span>
+                                    <MoreHorizontal className="h-4 w-4" />
+                                </Button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align="end">
+                                <DropdownMenuItem
+                                    onClick={() => {
+                                        setSelected(r);
+                                        setIsDeleteModalOpen(true);
+                                    }}
+                                >
+                                    <span className="text-red-500">
+                                        {t("delete")}
+                                    </span>
+                                </DropdownMenuItem>
+                            </DropdownMenuContent>
+                        </DropdownMenu>
+                    </div>
+                );
+            }
+        }
+    ];
+
+    return (
+        <>
+            <CreateSiteProvisioningKeyCredenza
+                open={createOpen}
+                setOpen={setCreateOpen}
+                orgId={orgId}
+            />
+
+            {selected && (
+                <ConfirmDeleteDialog
+                    open={isDeleteModalOpen}
+                    setOpen={(val) => {
+                        setIsDeleteModalOpen(val);
+                        if (!val) {
+                            setSelected(null);
+                        }
+                    }}
+                    dialog={
+                        <div className="space-y-2">
+                            <p>{t("provisioningKeysQuestionRemove")}</p>
+                            <p>{t("provisioningKeysMessageRemove")}</p>
+                        </div>
+                    }
+                    buttonText={t("provisioningKeysDeleteConfirm")}
+                    onConfirm={async () => deleteKey(selected.id)}
+                    string={selected.name}
+                    title={t("provisioningKeysDelete")}
+                />
+            )}
+
+            <DataTable
+                columns={columns}
+                data={rows}
+                persistPageSize="Org-provisioning-keys-table"
+                title={t("provisioningKeys")}
+                searchPlaceholder={t("searchProvisioningKeys")}
+                searchColumn="name"
+                onAdd={() => setCreateOpen(true)}
+                onRefresh={refreshData}
+                isRefreshing={isRefreshing}
+                addButtonText={t("provisioningKeysAdd")}
+                enableColumnVisibility={true}
+                stickyLeftColumn="name"
+                stickyRightColumn="actions"
+            />
+        </>
+    );
+}

From 38d30b0214d25a77c731b2ddd72dba611692371e Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:13:57 -0700
Subject: [PATCH 035/122] Add license script

---
 license.py | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 license.py

diff --git a/license.py b/license.py
new file mode 100644
index 000000000..865dfad7a
--- /dev/null
+++ b/license.py
@@ -0,0 +1,115 @@
+import os
+import sys
+
+# --- Configuration ---
+# The header text to be added to the files.
+HEADER_TEXT = """/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+"""
+
+def should_add_header(file_path):
+    """
+    Checks if a file should receive the commercial license header.
+    Returns True if 'private' is in the path or file content.
+    """
+    # Check if 'private' is in the file path (case-insensitive)
+    if 'server/private' in file_path.lower():
+        return True
+
+    # Check if 'private' is in the file content (case-insensitive)
+    # try:
+    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
+    #         content = f.read()
+    #         if 'private' in content.lower():
+    #             return True
+    # except Exception as e:
+    #     print(f"Could not read file {file_path}: {e}")
+
+    return False
+
+def process_directory(root_dir):
+    """
+    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
+    skipping any 'node_modules' directories.
+    """
+    print(f"Scanning directory: {root_dir}")
+    files_processed = 0
+    headers_added = 0
+
+    for root, dirs, files in os.walk(root_dir):
+        # --- MODIFICATION ---
+        # Exclude 'node_modules' directories from the scan to improve performance.
+        if 'node_modules' in dirs:
+            dirs.remove('node_modules')
+
+        for file in files:
+            if file.endswith('.ts') or file.endswith('.tsx'):
+                file_path = os.path.join(root, file)
+                files_processed += 1
+
+                try:
+                    with open(file_path, 'r+', encoding='utf-8') as f:
+                        original_content = f.read()
+                        has_header = original_content.startswith(HEADER_TEXT.strip())
+                        
+                        if should_add_header(file_path):
+                            # Add header only if it's not already there
+                            if not has_header:
+                                f.seek(0, 0) # Go to the beginning of the file
+                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
+                                print(f"Added header to: {file_path}")
+                                headers_added += 1
+                            else:
+                                print(f"Header already exists in: {file_path}")
+                        else:
+                            # Remove header if it exists but shouldn't be there
+                            if has_header:
+                                # Find the end of the header and remove it (including following newlines)
+                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
+                                if original_content.startswith(header_with_newlines):
+                                    content_without_header = original_content[len(header_with_newlines):]
+                                else:
+                                    # Handle case where there might be different newline patterns
+                                    header_end = len(HEADER_TEXT.strip())
+                                    # Skip any newlines after the header
+                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
+                                        header_end += 1
+                                    content_without_header = original_content[header_end:]
+                                
+                                f.seek(0)
+                                f.write(content_without_header)
+                                f.truncate()
+                                print(f"Removed header from: {file_path}")
+                                headers_added += 1  # Reusing counter for modifications
+
+                except Exception as e:
+                    print(f"Error processing file {file_path}: {e}")
+
+    print("\n--- Scan Complete ---")
+    print(f"Total .ts or .tsx files found: {files_processed}")
+    print(f"Files modified (headers added/removed): {headers_added}")
+
+
+if __name__ == "__main__":
+    # Get the target directory from the command line arguments.
+    # If no directory is provided, it uses the current directory ('.').
+    if len(sys.argv) > 1:
+        target_directory = sys.argv[1]
+    else:
+        target_directory = '.' # Default to current directory
+
+    if not os.path.isdir(target_directory):
+        print(f"Error: Directory '{target_directory}' not found.")
+        sys.exit(1)
+
+    process_directory(os.path.abspath(target_directory))

From b2eab95a3b724ea947cecb9a6c57411f021b2271 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:17:33 -0700
Subject: [PATCH 036/122] Pass at first endpoints

---
 server/routers/external.ts                    |  23 ++
 .../routers/newt/createNewtProvisioningKey.ts | 108 ++++++++
 server/routers/newt/index.ts                  |   2 +
 server/routers/newt/registerNewt.ts           | 240 ++++++++++++++++++
 4 files changed, 373 insertions(+)
 create mode 100644 server/routers/newt/createNewtProvisioningKey.ts
 create mode 100644 server/routers/newt/registerNewt.ts

diff --git a/server/routers/external.ts b/server/routers/external.ts
index 45ab58bba..c32a7a8e9 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -102,6 +102,13 @@ authenticated.put(
     logActionAudit(ActionsEnum.createSite),
     site.createSite
 );
+
+authenticated.put(
+    "/org/:orgId/newt/provisioning-key",
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.createSite),
+    newt.createNewtProvisioningKey
+);
 authenticated.get(
     "/org/:orgId/sites",
     verifyOrgAccess,
@@ -1202,6 +1209,22 @@ authRouter.post(
     }),
     newt.getNewtToken
 );
+
+authRouter.post(
+    "/newt/register",
+    rateLimit({
+        windowMs: 15 * 60 * 1000,
+        max: 30,
+        keyGenerator: (req) =>
+            `newtRegister:${req.body.provisioningKey?.split(".")[0] || ipKeyGenerator(req.ip || "")}`,
+        handler: (req, res, next) => {
+            const message = `You can only register a newt ${30} times every ${15} minutes. Please try again later.`;
+            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
+        },
+        store: createStore()
+    }),
+    newt.registerNewt
+);
 authRouter.post(
     "/olm/get-token",
     rateLimit({
diff --git a/server/routers/newt/createNewtProvisioningKey.ts b/server/routers/newt/createNewtProvisioningKey.ts
new file mode 100644
index 000000000..2af4d166d
--- /dev/null
+++ b/server/routers/newt/createNewtProvisioningKey.ts
@@ -0,0 +1,108 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { newtProvisioningKeys, orgs } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { eq } from "drizzle-orm";
+import { fromError } from "zod-validation-error";
+import {
+    generateId,
+    generateIdFromEntropySize
+} from "@server/auth/sessions/app";
+import { hashPassword } from "@server/auth/password";
+import moment from "moment";
+
+const paramsSchema = z.object({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z.object({
+    expiresAt: z.number().int().positive().optional() // optional Unix timestamp (ms)
+});
+
+export type CreateNewtProvisioningKeyBody = z.infer<typeof bodySchema>;
+
+export type CreateNewtProvisioningKeyResponse = {
+    provisioningKeyId: string;
+    provisioningKey: string; // returned only once: "id.secret"
+    lastChars: string;
+    createdAt: string;
+    expiresAt: number | null;
+};
+
+export async function createNewtProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+        const { expiresAt } = parsedBody.data;
+
+        // Verify org exists
+        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
+        if (!org) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, `Organization with ID ${orgId} not found`)
+            );
+        }
+
+        const provisioningKeyId = generateId(15);
+        const secret = generateIdFromEntropySize(25);
+        const keyHash = await hashPassword(secret);
+        const lastChars = secret.slice(-4);
+        const createdAt = moment().toISOString();
+        const provisioningKey = `${provisioningKeyId}.${secret}`;
+
+        await db.insert(newtProvisioningKeys).values({
+            provisioningKeyId,
+            orgId,
+            keyHash,
+            lastChars,
+            createdAt,
+            expiresAt: expiresAt ?? null
+        });
+
+        return response<CreateNewtProvisioningKeyResponse>(res, {
+            data: {
+                provisioningKeyId,
+                provisioningKey,
+                lastChars,
+                createdAt,
+                expiresAt: expiresAt ?? null
+            },
+            success: true,
+            error: false,
+            message: "Provisioning key created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/newt/index.ts b/server/routers/newt/index.ts
index 63d1e1068..76207e8d4 100644
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -9,3 +9,5 @@ export * from "./handleApplyBlueprintMessage";
 export * from "./handleNewtPingMessage";
 export * from "./handleNewtDisconnectingMessage";
 export * from "./handleConnectionLogMessage";
+export * from "./registerNewt";
+export * from "./createNewtProvisioningKey";
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
new file mode 100644
index 000000000..f301b452a
--- /dev/null
+++ b/server/routers/newt/registerNewt.ts
@@ -0,0 +1,240 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import {
+    newtProvisioningKeys,
+    newts,
+    orgs,
+    roles,
+    roleSites,
+    sites
+} from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { eq, and } from "drizzle-orm";
+import { fromError } from "zod-validation-error";
+import { verifyPassword, hashPassword } from "@server/auth/password";
+import {
+    generateId,
+    generateIdFromEntropySize
+} from "@server/auth/sessions/app";
+import { getUniqueSiteName } from "@server/db/names";
+import moment from "moment";
+import { build } from "@server/build";
+import { usageService } from "@server/lib/billing/usageService";
+import { FeatureId } from "@server/lib/billing";
+
+const bodySchema = z.object({
+    provisioningKey: z.string().nonempty()
+});
+
+export type RegisterNewtBody = z.infer<typeof bodySchema>;
+
+export type RegisterNewtResponse = {
+    newtId: string;
+    secret: string;
+};
+
+export async function registerNewt(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { provisioningKey } = parsedBody.data;
+
+        // Keys are in the format "id.secret"
+        const dotIndex = provisioningKey.indexOf(".");
+        if (dotIndex === -1) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Invalid provisioning key format"
+                )
+            );
+        }
+
+        const provisioningKeyId = provisioningKey.substring(0, dotIndex);
+        const provisioningKeySecret = provisioningKey.substring(dotIndex + 1);
+
+        // Look up the provisioning key by ID
+        const [keyRecord] = await db
+            .select()
+            .from(newtProvisioningKeys)
+            .where(
+                eq(newtProvisioningKeys.provisioningKeyId, provisioningKeyId)
+            )
+            .limit(1);
+
+        if (!keyRecord) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
+            );
+        }
+
+        // Verify the secret
+        const validSecret = await verifyPassword(
+            provisioningKeySecret,
+            keyRecord.keyHash
+        );
+        if (!validSecret) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
+            );
+        }
+
+        // Check if key has already been used
+        if (keyRecord.siteId !== null) {
+            return next(
+                createHttpError(
+                    HttpCode.CONFLICT,
+                    "Provisioning key has already been used"
+                )
+            );
+        }
+
+        // Check expiry
+        if (keyRecord.expiresAt !== null && keyRecord.expiresAt < Date.now()) {
+            return next(
+                createHttpError(HttpCode.GONE, "Provisioning key has expired")
+            );
+        }
+
+        const { orgId } = keyRecord;
+
+        // Verify the org exists
+        const [org] = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));
+        if (!org) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
+        }
+
+        // SaaS billing check
+        if (build == "saas") {
+            const usage = await usageService.getUsage(orgId, FeatureId.SITES);
+            if (!usage) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        "No usage data found for this organization"
+                    )
+                );
+            }
+            const rejectSites = await usageService.checkLimitSet(
+                orgId,
+                FeatureId.SITES,
+                {
+                    ...usage,
+                    instantaneousValue: (usage.instantaneousValue || 0) + 1
+                }
+            );
+            if (rejectSites) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Site limit exceeded. Please upgrade your plan."
+                    )
+                );
+            }
+        }
+
+        const niceId = await getUniqueSiteName(orgId);
+        const newtId = generateId(15);
+        const newtSecret = generateIdFromEntropySize(25);
+        const secretHash = await hashPassword(newtSecret);
+
+        let newSiteId: number | undefined;
+
+        await db.transaction(async (trx) => {
+            // Create the site (type "newt", name = niceId)
+            const [newSite] = await trx
+                .insert(sites)
+                .values({
+                    orgId,
+                    name: niceId,
+                    niceId,
+                    type: "newt",
+                    dockerSocketEnabled: true
+                })
+                .returning();
+
+            newSiteId = newSite.siteId;
+
+            // Grant admin role access to the new site
+            const [adminRole] = await trx
+                .select()
+                .from(roles)
+                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+                .limit(1);
+
+            if (!adminRole) {
+                throw new Error(`Admin role not found for org ${orgId}`);
+            }
+
+            await trx.insert(roleSites).values({
+                roleId: adminRole.roleId,
+                siteId: newSite.siteId
+            });
+
+            // Create the newt for this site
+            await trx.insert(newts).values({
+                newtId,
+                secretHash,
+                siteId: newSite.siteId,
+                dateCreated: moment().toISOString()
+            });
+
+            // Mark the provisioning key as used
+            await trx
+                .update(newtProvisioningKeys)
+                .set({ siteId: newSite.siteId })
+                .where(
+                    eq(
+                        newtProvisioningKeys.provisioningKeyId,
+                        provisioningKeyId
+                    )
+                );
+
+            await usageService.add(orgId, FeatureId.SITES, 1, trx);
+        });
+
+        logger.info(
+            `Provisioned new site (ID: ${newSiteId}) and newt (ID: ${newtId}) for org ${orgId} via provisioning key ${provisioningKeyId}`
+        );
+
+        return response<RegisterNewtResponse>(res, {
+            data: {
+                newtId,
+                secret: newtSecret
+            },
+            success: true,
+            error: false,
+            message: "Newt registered successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "An error occurred"
+            )
+        );
+    }
+}
\ No newline at end of file

From 0b5b6ed5a37c49c311fc2dcb520aba3e21a65e47 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:26:10 -0700
Subject: [PATCH 037/122] Adjust register endpoint

---
 server/routers/external.ts                    |   7 +-
 .../routers/newt/createNewtProvisioningKey.ts | 108 ------------------
 server/routers/newt/index.ts                  |   1 -
 server/routers/newt/registerNewt.ts           |  71 ++++++------
 .../createSiteProvisioningKey.ts              |   3 +
 5 files changed, 42 insertions(+), 148 deletions(-)
 delete mode 100644 server/routers/newt/createNewtProvisioningKey.ts

diff --git a/server/routers/external.ts b/server/routers/external.ts
index a658fa811..297cb2894 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -105,12 +105,7 @@ authenticated.put(
     site.createSite
 );
 
-authenticated.put(
-    "/org/:orgId/newt/provisioning-key",
-    verifyOrgAccess,
-    verifyUserHasAction(ActionsEnum.createSite),
-    newt.createNewtProvisioningKey
-);
+
 authenticated.get(
     "/org/:orgId/sites",
     verifyOrgAccess,
diff --git a/server/routers/newt/createNewtProvisioningKey.ts b/server/routers/newt/createNewtProvisioningKey.ts
deleted file mode 100644
index 2af4d166d..000000000
--- a/server/routers/newt/createNewtProvisioningKey.ts
+++ /dev/null
@@ -1,108 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { newtProvisioningKeys, orgs } from "@server/db";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { eq } from "drizzle-orm";
-import { fromError } from "zod-validation-error";
-import {
-    generateId,
-    generateIdFromEntropySize
-} from "@server/auth/sessions/app";
-import { hashPassword } from "@server/auth/password";
-import moment from "moment";
-
-const paramsSchema = z.object({
-    orgId: z.string().nonempty()
-});
-
-const bodySchema = z.object({
-    expiresAt: z.number().int().positive().optional() // optional Unix timestamp (ms)
-});
-
-export type CreateNewtProvisioningKeyBody = z.infer<typeof bodySchema>;
-
-export type CreateNewtProvisioningKeyResponse = {
-    provisioningKeyId: string;
-    provisioningKey: string; // returned only once: "id.secret"
-    lastChars: string;
-    createdAt: string;
-    expiresAt: number | null;
-};
-
-export async function createNewtProvisioningKey(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = paramsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const parsedBody = bodySchema.safeParse(req.body);
-        if (!parsedBody.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedBody.error).toString()
-                )
-            );
-        }
-
-        const { orgId } = parsedParams.data;
-        const { expiresAt } = parsedBody.data;
-
-        // Verify org exists
-        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
-        if (!org) {
-            return next(
-                createHttpError(HttpCode.NOT_FOUND, `Organization with ID ${orgId} not found`)
-            );
-        }
-
-        const provisioningKeyId = generateId(15);
-        const secret = generateIdFromEntropySize(25);
-        const keyHash = await hashPassword(secret);
-        const lastChars = secret.slice(-4);
-        const createdAt = moment().toISOString();
-        const provisioningKey = `${provisioningKeyId}.${secret}`;
-
-        await db.insert(newtProvisioningKeys).values({
-            provisioningKeyId,
-            orgId,
-            keyHash,
-            lastChars,
-            createdAt,
-            expiresAt: expiresAt ?? null
-        });
-
-        return response<CreateNewtProvisioningKeyResponse>(res, {
-            data: {
-                provisioningKeyId,
-                provisioningKey,
-                lastChars,
-                createdAt,
-                expiresAt: expiresAt ?? null
-            },
-            success: true,
-            error: false,
-            message: "Provisioning key created successfully",
-            status: HttpCode.CREATED
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
-        );
-    }
-}
diff --git a/server/routers/newt/index.ts b/server/routers/newt/index.ts
index 76207e8d4..33b5caf7c 100644
--- a/server/routers/newt/index.ts
+++ b/server/routers/newt/index.ts
@@ -10,4 +10,3 @@ export * from "./handleNewtPingMessage";
 export * from "./handleNewtDisconnectingMessage";
 export * from "./handleConnectionLogMessage";
 export * from "./registerNewt";
-export * from "./createNewtProvisioningKey";
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index f301b452a..b999eb35c 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -2,7 +2,8 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import {
-    newtProvisioningKeys,
+    siteProvisioningKeys,
+    siteProvisioningKeyOrg,
     newts,
     orgs,
     roles,
@@ -55,7 +56,7 @@ export async function registerNewt(
 
         const { provisioningKey } = parsedBody.data;
 
-        // Keys are in the format "id.secret"
+        // Keys are in the format "siteProvisioningKeyId.secret"
         const dotIndex = provisioningKey.indexOf(".");
         if (dotIndex === -1) {
             return next(
@@ -69,46 +70,51 @@ export async function registerNewt(
         const provisioningKeyId = provisioningKey.substring(0, dotIndex);
         const provisioningKeySecret = provisioningKey.substring(dotIndex + 1);
 
-        // Look up the provisioning key by ID
+        // Look up the provisioning key by ID, joining to get the orgId
         const [keyRecord] = await db
-            .select()
-            .from(newtProvisioningKeys)
+            .select({
+                siteProvisioningKeyId:
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                siteProvisioningKeyHash:
+                    siteProvisioningKeys.siteProvisioningKeyHash,
+                orgId: siteProvisioningKeyOrg.orgId
+            })
+            .from(siteProvisioningKeys)
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyOrg.siteProvisioningKeyId
+                )
+            )
             .where(
-                eq(newtProvisioningKeys.provisioningKeyId, provisioningKeyId)
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    provisioningKeyId
+                )
             )
             .limit(1);
 
         if (!keyRecord) {
-            return next(
-                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
-            );
-        }
-
-        // Verify the secret
-        const validSecret = await verifyPassword(
-            provisioningKeySecret,
-            keyRecord.keyHash
-        );
-        if (!validSecret) {
-            return next(
-                createHttpError(HttpCode.UNAUTHORIZED, "Invalid provisioning key")
-            );
-        }
-
-        // Check if key has already been used
-        if (keyRecord.siteId !== null) {
             return next(
                 createHttpError(
-                    HttpCode.CONFLICT,
-                    "Provisioning key has already been used"
+                    HttpCode.UNAUTHORIZED,
+                    "Invalid provisioning key"
                 )
             );
         }
 
-        // Check expiry
-        if (keyRecord.expiresAt !== null && keyRecord.expiresAt < Date.now()) {
+        // Verify the secret portion against the stored hash
+        const validSecret = await verifyPassword(
+            provisioningKeySecret,
+            keyRecord.siteProvisioningKeyHash
+        );
+        if (!validSecret) {
             return next(
-                createHttpError(HttpCode.GONE, "Provisioning key has expired")
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Invalid provisioning key"
+                )
             );
         }
 
@@ -200,13 +206,12 @@ export async function registerNewt(
                 dateCreated: moment().toISOString()
             });
 
-            // Mark the provisioning key as used
+            // Consume the provisioning key — cascade removes siteProvisioningKeyOrg
             await trx
-                .update(newtProvisioningKeys)
-                .set({ siteId: newSite.siteId })
+                .delete(siteProvisioningKeys)
                 .where(
                     eq(
-                        newtProvisioningKeys.provisioningKeyId,
+                        siteProvisioningKeys.siteProvisioningKeyId,
                         provisioningKeyId
                     )
                 );
diff --git a/server/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
index 9bb298966..a10df65a6 100644
--- a/server/routers/siteProvisioning/createSiteProvisioningKey.ts
+++ b/server/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -28,6 +28,7 @@ export type CreateSiteProvisioningKeyResponse = {
     orgId: string;
     name: string;
     siteProvisioningKey: string;
+    provisioningKey: string; // combined "siteProvisioningKeyId.siteProvisioningKey" — put this in your newt config
     lastChars: string;
     createdAt: string;
 };
@@ -65,6 +66,7 @@ export async function createSiteProvisioningKey(
     const siteProvisioningKeyHash = await hashPassword(siteProvisioningKey);
     const lastChars = siteProvisioningKey.slice(-4);
     const createdAt = moment().toISOString();
+    const provisioningKey = `${siteProvisioningKeyId}.${siteProvisioningKey}`;
 
     await db.transaction(async (trx) => {
         await trx.insert(siteProvisioningKeys).values({
@@ -88,6 +90,7 @@ export async function createSiteProvisioningKey(
                 orgId,
                 name,
                 siteProvisioningKey,
+                provisioningKey,
                 lastChars,
                 createdAt
             },

From 3525b367b332eedcf689b0700ed47c6108120d11 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 24 Mar 2026 20:27:15 -0700
Subject: [PATCH 038/122] move to private routes

---
 messages/en-US.json                           |  16 +
 server/auth/actions.ts                        |   1 +
 server/db/pg/schema/privateSchema.ts          |   6 +-
 server/db/sqlite/schema/privateSchema.ts      |   6 +-
 server/lib/billing/tierMatrix.ts              |   6 +-
 .../routers/billing/featureLifecycle.ts       |  59 +++-
 server/private/routers/external.ts            |  46 ++-
 .../createSiteProvisioningKey.ts              |  67 +++-
 .../deleteSiteProvisioningKey.ts              |  13 +
 .../private/routers/siteProvisioning/index.ts |  17 +
 .../listSiteProvisioningKeys.ts               |  27 +-
 .../updateSiteProvisioningKey.ts              | 199 ++++++++++++
 server/routers/external.ts                    |  29 +-
 server/routers/siteProvisioning/index.ts      |   3 -
 server/routers/siteProvisioning/types.ts      |  41 +++
 .../settings/provisioning/create/page.tsx     |  10 -
 .../[orgId]/settings/provisioning/page.tsx    |  14 +-
 .../CreateSiteProvisioningKeyCredenza.tsx     | 162 +++++++++-
 .../EditSiteProvisioningKeyCredenza.tsx       | 297 ++++++++++++++++++
 src/components/LayoutMobileMenu.tsx           |   2 +-
 src/components/LayoutSidebar.tsx              |  18 +-
 src/components/ProductUpdates.tsx             |   8 +-
 src/components/SiteProvisioningKeysTable.tsx  | 106 ++++++-
 src/components/ui/data-table.tsx              |   4 +-
 24 files changed, 1054 insertions(+), 103 deletions(-)
 rename server/{ => private}/routers/siteProvisioning/createSiteProvisioningKey.ts (62%)
 rename server/{ => private}/routers/siteProvisioning/deleteSiteProvisioningKey.ts (90%)
 create mode 100644 server/private/routers/siteProvisioning/index.ts
 rename server/{ => private}/routers/siteProvisioning/listSiteProvisioningKeys.ts (80%)
 create mode 100644 server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
 delete mode 100644 server/routers/siteProvisioning/index.ts
 create mode 100644 server/routers/siteProvisioning/types.ts
 delete mode 100644 src/app/[orgId]/settings/provisioning/create/page.tsx
 create mode 100644 src/components/EditSiteProvisioningKeyCredenza.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 1785f0491..a7d16f30f 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -342,6 +342,22 @@
     "provisioningKeysSaveDescription": "You will only be able to see this once. Copy it to a secure place.",
     "provisioningKeysErrorCreate": "Error creating provisioning key",
     "provisioningKeysList": "New provisioning key",
+    "provisioningKeysMaxBatchSize": "Max batch size",
+    "provisioningKeysUnlimitedBatchSize": "Unlimited batch size (no limit)",
+    "provisioningKeysMaxBatchUnlimited": "Unlimited",
+    "provisioningKeysMaxBatchSizeInvalid": "Enter a valid max batch size (1–1,000,000).",
+    "provisioningKeysValidUntil": "Valid until",
+    "provisioningKeysValidUntilHint": "Leave empty for no expiration.",
+    "provisioningKeysValidUntilInvalid": "Enter a valid date and time.",
+    "provisioningKeysNumUsed": "Times used",
+    "provisioningKeysLastUsed": "Last used",
+    "provisioningKeysNoExpiry": "No expiration",
+    "provisioningKeysNeverUsed": "Never",
+    "provisioningKeysEdit": "Edit Provisioning Key",
+    "provisioningKeysEditDescription": "Update the max batch size and expiration time for this key.",
+    "provisioningKeysUpdateError": "Error updating provisioning key",
+    "provisioningKeysUpdated": "Provisioning key updated",
+    "provisioningKeysUpdatedDescription": "Your changes have been saved.",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
     "userDescription": "View and manage all users in the system",
diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 6cdc4fa0a..20f1fe795 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -111,6 +111,7 @@ export enum ActionsEnum {
     getApiKey = "getApiKey",
     createSiteProvisioningKey = "createSiteProvisioningKey",
     listSiteProvisioningKeys = "listSiteProvisioningKeys",
+    updateSiteProvisioningKey = "updateSiteProvisioningKey",
     deleteSiteProvisioningKey = "deleteSiteProvisioningKey",
     getCertificate = "getCertificate",
     restartCertificate = "restartCertificate",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index b1dc98253..bb1e866c4 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -387,7 +387,11 @@ export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
     name: varchar("name", { length: 255 }).notNull(),
     siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
     lastChars: varchar("lastChars", { length: 4 }).notNull(),
-    createdAt: varchar("dateCreated", { length: 255 }).notNull()
+    createdAt: varchar("dateCreated", { length: 255 }).notNull(),
+    lastUsed: varchar("lastUsed", { length: 255 }),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: varchar("validUntil", { length: 255 })
 });
 
 export const siteProvisioningKeyOrg = pgTable(
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index e78343d6d..5913497b3 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -371,7 +371,11 @@ export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
     name: text("name").notNull(),
     siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
     lastChars: text("lastChars").notNull(),
-    createdAt: text("dateCreated").notNull()
+    createdAt: text("dateCreated").notNull(),
+    lastUsed: text("lastUsed"),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: text("validUntil")
 });
 
 export const siteProvisioningKeyOrg = sqliteTable(
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index f8a0cd2f5..8c41be5bf 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -16,7 +16,8 @@ export enum TierFeature {
     SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
     PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
     AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam"
+    SshPam = "sshPam",
+    SiteProvisioningKeys = "siteProvisioningKeys" // handle downgrade by revoking keys if needed
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -50,5 +51,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
         "enterprise"
     ],
     [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.SiteProvisioningKeys]: ["enterprise"]
 };
diff --git a/server/private/routers/billing/featureLifecycle.ts b/server/private/routers/billing/featureLifecycle.ts
index 9536a87f0..32e81784b 100644
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -26,9 +26,11 @@ import {
     orgs,
     resources,
     roles,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys,
     siteResources
 } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 
 /**
  * Get the maximum allowed retention days for a given tier
@@ -291,6 +293,10 @@ async function disableFeature(
                 await disableSshPam(orgId);
                 break;
 
+            case TierFeature.SiteProvisioningKeys:
+                await disableSiteProvisioningKeys(orgId);
+                break;
+
             default:
                 logger.warn(
                     `Unknown feature ${feature} for org ${orgId}, skipping`
@@ -326,6 +332,57 @@ async function disableSshPam(orgId: string): Promise<void> {
     );
 }
 
+async function disableSiteProvisioningKeys(orgId: string): Promise<void> {
+    const rows = await db
+        .select({
+            siteProvisioningKeyId:
+                siteProvisioningKeyOrg.siteProvisioningKeyId
+        })
+        .from(siteProvisioningKeyOrg)
+        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
+
+    for (const { siteProvisioningKeyId } of rows) {
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(siteProvisioningKeyOrg)
+                .where(
+                    and(
+                        eq(
+                            siteProvisioningKeyOrg.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        ),
+                        eq(siteProvisioningKeyOrg.orgId, orgId)
+                    )
+                );
+
+            const remaining = await trx
+                .select()
+                .from(siteProvisioningKeyOrg)
+                .where(
+                    eq(
+                        siteProvisioningKeyOrg.siteProvisioningKeyId,
+                        siteProvisioningKeyId
+                    )
+                );
+
+            if (remaining.length === 0) {
+                await trx
+                    .delete(siteProvisioningKeys)
+                    .where(
+                        eq(
+                            siteProvisioningKeys.siteProvisioningKeyId,
+                            siteProvisioningKeyId
+                        )
+                    );
+            }
+        });
+    }
+
+    logger.info(
+        `Removed site provisioning keys for org ${orgId} after tier downgrade`
+    );
+}
+
 async function disableLoginPageBranding(orgId: string): Promise<void> {
     const [existingBranding] = await db
         .select()
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index f06ad4517..6cac25e20 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -26,6 +26,7 @@ import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
 import * as approval from "#private/routers/approvals";
 import * as ssh from "#private/routers/ssh";
+import * as siteProvisioning from "#private/routers/siteProvisioning";
 
 import {
     verifyOrgAccess,
@@ -33,7 +34,8 @@ import {
     verifyUserIsServerAdmin,
     verifySiteAccess,
     verifyClientAccess,
-    verifyLimits
+    verifyLimits,
+    verifySiteProvisioningKeyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -537,3 +539,45 @@ authenticated.post(
     // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
     ssh.signSshKey
 );
+
+authenticated.put(
+    "/org/:orgId/site-provisioning-key",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createSiteProvisioningKey),
+    logActionAudit(ActionsEnum.createSiteProvisioningKey),
+    siteProvisioning.createSiteProvisioningKey
+);
+
+authenticated.get(
+    "/org/:orgId/site-provisioning-keys",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listSiteProvisioningKeys),
+    siteProvisioning.listSiteProvisioningKeys
+);
+
+authenticated.delete(
+    "/org/:orgId/site-provisioning-key/:siteProvisioningKeyId",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifySiteProvisioningKeyAccess,
+    verifyUserHasAction(ActionsEnum.deleteSiteProvisioningKey),
+    logActionAudit(ActionsEnum.deleteSiteProvisioningKey),
+    siteProvisioning.deleteSiteProvisioningKey
+);
+
+authenticated.patch(
+    "/org/:orgId/site-provisioning-key/:siteProvisioningKeyId",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
+    verifyOrgAccess,
+    verifySiteProvisioningKeyAccess,
+    verifyUserHasAction(ActionsEnum.updateSiteProvisioningKey),
+    logActionAudit(ActionsEnum.updateSiteProvisioningKey),
+    siteProvisioning.updateSiteProvisioningKey
+);
diff --git a/server/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
similarity index 62%
rename from server/routers/siteProvisioning/createSiteProvisioningKey.ts
rename to server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
index 9bb298966..45d980810 100644
--- a/server/routers/siteProvisioning/createSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { NextFunction, Request, Response } from "express";
 import { db, siteProvisioningKeyOrg, siteProvisioningKeys } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
@@ -12,26 +25,37 @@ import {
 } from "@server/auth/sessions/app";
 import logger from "@server/logger";
 import { hashPassword } from "@server/auth/password";
+import type { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
 
 const paramsSchema = z.object({
     orgId: z.string().nonempty()
 });
 
-const bodySchema = z.strictObject({
-    name: z.string().min(1).max(255)
-});
+const bodySchema = z
+    .strictObject({
+        name: z.string().min(1).max(255),
+        maxBatchSize: z.union([
+            z.null(),
+            z.coerce.number().int().positive().max(1_000_000)
+        ]),
+        validUntil: z.string().max(255).optional()
+    })
+    .superRefine((data, ctx) => {
+        const v = data.validUntil;
+        if (v == null || v.trim() === "") {
+            return;
+        }
+        if (Number.isNaN(Date.parse(v))) {
+            ctx.addIssue({
+                code: "custom",
+                message: "Invalid validUntil",
+                path: ["validUntil"]
+            });
+        }
+    });
 
 export type CreateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
 
-export type CreateSiteProvisioningKeyResponse = {
-    siteProvisioningKeyId: string;
-    orgId: string;
-    name: string;
-    siteProvisioningKey: string;
-    lastChars: string;
-    createdAt: string;
-};
-
 export async function createSiteProvisioningKey(
     req: Request,
     res: Response,
@@ -58,7 +82,12 @@ export async function createSiteProvisioningKey(
     }
 
     const { orgId } = parsedParams.data;
-    const { name } = parsedBody.data;
+    const { name, maxBatchSize } = parsedBody.data;
+    const vuRaw = parsedBody.data.validUntil;
+    const validUntil =
+        vuRaw == null || vuRaw.trim() === ""
+            ? null
+            : new Date(Date.parse(vuRaw)).toISOString();
 
     const siteProvisioningKeyId = `spk-${generateId(15)}`;
     const siteProvisioningKey = generateIdFromEntropySize(25);
@@ -72,7 +101,11 @@ export async function createSiteProvisioningKey(
             name,
             siteProvisioningKeyHash,
             createdAt,
-            lastChars
+            lastChars,
+            lastUsed: null,
+            maxBatchSize,
+            numUsed: 0,
+            validUntil
         });
 
         await trx.insert(siteProvisioningKeyOrg).values({
@@ -89,7 +122,11 @@ export async function createSiteProvisioningKey(
                 name,
                 siteProvisioningKey,
                 lastChars,
-                createdAt
+                createdAt,
+                lastUsed: null,
+                maxBatchSize,
+                numUsed: 0,
+                validUntil
             },
             success: true,
             error: false,
diff --git a/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
similarity index 90%
rename from server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
rename to server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
index d1da01d97..fc8b05e60 100644
--- a/server/routers/siteProvisioning/deleteSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import {
diff --git a/server/private/routers/siteProvisioning/index.ts b/server/private/routers/siteProvisioning/index.ts
new file mode 100644
index 000000000..d143274f6
--- /dev/null
+++ b/server/private/routers/siteProvisioning/index.ts
@@ -0,0 +1,17 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createSiteProvisioningKey";
+export * from "./listSiteProvisioningKeys";
+export * from "./deleteSiteProvisioningKey";
+export * from "./updateSiteProvisioningKey";
diff --git a/server/routers/siteProvisioning/listSiteProvisioningKeys.ts b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
similarity index 80%
rename from server/routers/siteProvisioning/listSiteProvisioningKeys.ts
rename to server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
index 65360625c..5f7531a2c 100644
--- a/server/routers/siteProvisioning/listSiteProvisioningKeys.ts
+++ b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import {
     db,
     siteProvisioningKeyOrg,
@@ -11,6 +24,7 @@ import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { eq } from "drizzle-orm";
+import type { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 
 const paramsSchema = z.object({
     orgId: z.string().nonempty()
@@ -39,7 +53,11 @@ function querySiteProvisioningKeys(orgId: string) {
             orgId: siteProvisioningKeyOrg.orgId,
             lastChars: siteProvisioningKeys.lastChars,
             createdAt: siteProvisioningKeys.createdAt,
-            name: siteProvisioningKeys.name
+            name: siteProvisioningKeys.name,
+            lastUsed: siteProvisioningKeys.lastUsed,
+            maxBatchSize: siteProvisioningKeys.maxBatchSize,
+            numUsed: siteProvisioningKeys.numUsed,
+            validUntil: siteProvisioningKeys.validUntil
         })
         .from(siteProvisioningKeyOrg)
         .innerJoin(
@@ -52,13 +70,6 @@ function querySiteProvisioningKeys(orgId: string) {
         .where(eq(siteProvisioningKeyOrg.orgId, orgId));
 }
 
-export type ListSiteProvisioningKeysResponse = {
-    siteProvisioningKeys: Awaited<
-        ReturnType<typeof querySiteProvisioningKeys>
-    >;
-    pagination: { total: number; limit: number; offset: number };
-};
-
 export async function listSiteProvisioningKeys(
     req: Request,
     res: Response,
diff --git a/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
new file mode 100644
index 000000000..526d8bfb8
--- /dev/null
+++ b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
@@ -0,0 +1,199 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    db,
+    siteProvisioningKeyOrg,
+    siteProvisioningKeys
+} from "@server/db";
+import { and, eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import type { UpdateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
+
+const paramsSchema = z.object({
+    siteProvisioningKeyId: z.string().nonempty(),
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z
+    .strictObject({
+        maxBatchSize: z
+            .union([
+                z.null(),
+                z.coerce.number().int().positive().max(1_000_000)
+            ])
+            .optional(),
+        validUntil: z.string().max(255).optional()
+    })
+    .superRefine((data, ctx) => {
+        if (
+            data.maxBatchSize === undefined &&
+            data.validUntil === undefined
+        ) {
+            ctx.addIssue({
+                code: "custom",
+                message: "Provide maxBatchSize and/or validUntil",
+                path: ["maxBatchSize"]
+            });
+        }
+        const v = data.validUntil;
+        if (v == null || v.trim() === "") {
+            return;
+        }
+        if (Number.isNaN(Date.parse(v))) {
+            ctx.addIssue({
+                code: "custom",
+                message: "Invalid validUntil",
+                path: ["validUntil"]
+            });
+        }
+    });
+
+export type UpdateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
+
+export async function updateSiteProvisioningKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteProvisioningKeyId, orgId } = parsedParams.data;
+        const body = parsedBody.data;
+
+        const [row] = await db
+            .select()
+            .from(siteProvisioningKeys)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                and(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        siteProvisioningKeyOrg.siteProvisioningKeyId
+                    ),
+                    eq(siteProvisioningKeyOrg.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!row) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
+                )
+            );
+        }
+
+        const setValues: {
+            maxBatchSize?: number | null;
+            validUntil?: string | null;
+        } = {};
+        if (body.maxBatchSize !== undefined) {
+            setValues.maxBatchSize = body.maxBatchSize;
+        }
+        if (body.validUntil !== undefined) {
+            setValues.validUntil =
+                body.validUntil.trim() === ""
+                    ? null
+                    : new Date(Date.parse(body.validUntil)).toISOString();
+        }
+
+        await db
+            .update(siteProvisioningKeys)
+            .set(setValues)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            );
+
+        const [updated] = await db
+            .select({
+                siteProvisioningKeyId:
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                name: siteProvisioningKeys.name,
+                lastChars: siteProvisioningKeys.lastChars,
+                createdAt: siteProvisioningKeys.createdAt,
+                lastUsed: siteProvisioningKeys.lastUsed,
+                maxBatchSize: siteProvisioningKeys.maxBatchSize,
+                numUsed: siteProvisioningKeys.numUsed,
+                validUntil: siteProvisioningKeys.validUntil
+            })
+            .from(siteProvisioningKeys)
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .limit(1);
+
+        if (!updated) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to load updated site provisioning key"
+                )
+            );
+        }
+
+        return response<UpdateSiteProvisioningKeyResponse>(res, {
+            data: {
+                ...updated,
+                orgId
+            },
+            success: true,
+            error: false,
+            message: "Site provisioning key updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 90f208863..45ab58bba 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -15,7 +15,6 @@ import * as accessToken from "./accessToken";
 import * as idp from "./idp";
 import * as blueprints from "./blueprints";
 import * as apiKeys from "./apiKeys";
-import * as siteProvisioning from "./siteProvisioning";
 import * as logs from "./auditLogs";
 import * as newt from "./newt";
 import * as olm from "./olm";
@@ -43,8 +42,7 @@ import {
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
-    verifyLimits,
-    verifySiteProvisioningKeyAccess
+    verifyLimits
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import rateLimit, { ipKeyGenerator } from "express-rate-limit";
@@ -988,31 +986,6 @@ authenticated.get(
     apiKeys.listRootApiKeys
 );
 
-authenticated.put(
-    `/org/:orgId/site-provisioning-key`,
-    verifyOrgAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.createSiteProvisioningKey),
-    logActionAudit(ActionsEnum.createSiteProvisioningKey),
-    siteProvisioning.createSiteProvisioningKey
-);
-
-authenticated.get(
-    `/org/:orgId/site-provisioning-keys`,
-    verifyOrgAccess,
-    verifyUserHasAction(ActionsEnum.listSiteProvisioningKeys),
-    siteProvisioning.listSiteProvisioningKeys
-);
-
-authenticated.delete(
-    `/org/:orgId/site-provisioning-key/:siteProvisioningKeyId`,
-    verifyOrgAccess,
-    verifySiteProvisioningKeyAccess,
-    verifyUserHasAction(ActionsEnum.deleteSiteProvisioningKey),
-    logActionAudit(ActionsEnum.deleteSiteProvisioningKey),
-    siteProvisioning.deleteSiteProvisioningKey
-);
-
 authenticated.get(
     `/api-key/:apiKeyId/actions`,
     verifyUserIsServerAdmin,
diff --git a/server/routers/siteProvisioning/index.ts b/server/routers/siteProvisioning/index.ts
deleted file mode 100644
index b3f69f100..000000000
--- a/server/routers/siteProvisioning/index.ts
+++ /dev/null
@@ -1,3 +0,0 @@
-export * from "./createSiteProvisioningKey";
-export * from "./listSiteProvisioningKeys";
-export * from "./deleteSiteProvisioningKey";
diff --git a/server/routers/siteProvisioning/types.ts b/server/routers/siteProvisioning/types.ts
new file mode 100644
index 000000000..d06c1fe26
--- /dev/null
+++ b/server/routers/siteProvisioning/types.ts
@@ -0,0 +1,41 @@
+export type SiteProvisioningKeyListItem = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    lastChars: string;
+    createdAt: string;
+    name: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
+
+export type ListSiteProvisioningKeysResponse = {
+    siteProvisioningKeys: SiteProvisioningKeyListItem[];
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export type CreateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    siteProvisioningKey: string;
+    lastChars: string;
+    createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
+
+export type UpdateSiteProvisioningKeyResponse = {
+    siteProvisioningKeyId: string;
+    orgId: string;
+    name: string;
+    lastChars: string;
+    createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
+};
diff --git a/src/app/[orgId]/settings/provisioning/create/page.tsx b/src/app/[orgId]/settings/provisioning/create/page.tsx
deleted file mode 100644
index 98573147a..000000000
--- a/src/app/[orgId]/settings/provisioning/create/page.tsx
+++ /dev/null
@@ -1,10 +0,0 @@
-import { redirect } from "next/navigation";
-
-type PageProps = {
-    params: Promise<{ orgId: string }>;
-};
-
-export default async function ProvisioningCreateRedirect(props: PageProps) {
-    const params = await props.params;
-    redirect(`/${params.orgId}/settings/provisioning`);
-}
diff --git a/src/app/[orgId]/settings/provisioning/page.tsx b/src/app/[orgId]/settings/provisioning/page.tsx
index f8a30b86f..e8b53104f 100644
--- a/src/app/[orgId]/settings/provisioning/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/page.tsx
@@ -1,12 +1,14 @@
 import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import SiteProvisioningKeysTable, {
     SiteProvisioningKeyRow
 } from "../../../../components/SiteProvisioningKeysTable";
-import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/listSiteProvisioningKeys";
+import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 import { getTranslations } from "next-intl/server";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 
 type ProvisioningPageProps = {
     params: Promise<{ orgId: string }>;
@@ -34,7 +36,11 @@ export default async function ProvisioningPage(props: ProvisioningPageProps) {
         name: k.name,
         id: k.siteProvisioningKeyId,
         key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
-        createdAt: k.createdAt
+        createdAt: k.createdAt,
+        lastUsed: k.lastUsed,
+        maxBatchSize: k.maxBatchSize,
+        numUsed: k.numUsed,
+        validUntil: k.validUntil
     }));
 
     return (
@@ -44,6 +50,10 @@ export default async function ProvisioningPage(props: ProvisioningPageProps) {
                 description={t("provisioningKeysDescription")}
             />
 
+            <PaidFeaturesAlert
+                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
+            />
+
             <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
         </>
     );
diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index 456731ed6..70c48ff08 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -13,18 +13,20 @@ import {
 import {
     Form,
     FormControl,
+    FormDescription,
     FormField,
     FormItem,
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
 import { Button } from "@app/components/ui/button";
+import { Checkbox } from "@app/components/ui/checkbox";
 import { Input } from "@app/components/ui/input";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
-import { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/createSiteProvisioningKey";
+import { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
 import { AxiosResponse } from "axios";
 import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
@@ -55,30 +57,61 @@ export default function CreateSiteProvisioningKeyCredenza({
     const [created, setCreated] =
         useState<CreateSiteProvisioningKeyResponse | null>(null);
 
-    const createFormSchema = z.object({
-        name: z
-            .string()
-            .min(1, {
-                message: t("nameMin", { len: 1 })
-            })
-            .max(255, {
-                message: t("nameMax", { len: 255 })
-            })
-    });
+    const createFormSchema = z
+        .object({
+            name: z
+                .string()
+                .min(1, {
+                    message: t("nameMin", { len: 1 })
+                })
+                .max(255, {
+                    message: t("nameMax", { len: 255 })
+                }),
+            unlimitedBatchSize: z.boolean(),
+            maxBatchSize: z
+                .number()
+                .int()
+                .min(1, { message: t("provisioningKeysMaxBatchSizeInvalid") })
+                .max(1_000_000, {
+                    message: t("provisioningKeysMaxBatchSizeInvalid")
+                }),
+            validUntil: z.string().optional()
+        })
+        .superRefine((data, ctx) => {
+            const v = data.validUntil;
+            if (v == null || v.trim() === "") {
+                return;
+            }
+            if (Number.isNaN(Date.parse(v))) {
+                ctx.addIssue({
+                    code: "custom",
+                    message: t("provisioningKeysValidUntilInvalid"),
+                    path: ["validUntil"]
+                });
+            }
+        });
 
     type CreateFormValues = z.infer<typeof createFormSchema>;
 
     const form = useForm<CreateFormValues>({
         resolver: zodResolver(createFormSchema),
         defaultValues: {
-            name: ""
+            name: "",
+            unlimitedBatchSize: false,
+            maxBatchSize: 100,
+            validUntil: ""
         }
     });
 
     useEffect(() => {
         if (!open) {
             setCreated(null);
-            form.reset({ name: "" });
+            form.reset({
+                name: "",
+                unlimitedBatchSize: false,
+                maxBatchSize: 100,
+                validUntil: ""
+            });
         }
     }, [open, form]);
 
@@ -88,7 +121,16 @@ export default function CreateSiteProvisioningKeyCredenza({
             const res = await api
                 .put<
                     AxiosResponse<CreateSiteProvisioningKeyResponse>
-                >(`/org/${orgId}/site-provisioning-key`, { name: data.name })
+                >(`/org/${orgId}/site-provisioning-key`, {
+                    name: data.name,
+                    maxBatchSize: data.unlimitedBatchSize
+                        ? null
+                        : data.maxBatchSize,
+                    validUntil:
+                        data.validUntil == null || data.validUntil.trim() === ""
+                            ? undefined
+                            : data.validUntil
+                })
                 .catch((e) => {
                     toast({
                         variant: "destructive",
@@ -110,6 +152,8 @@ export default function CreateSiteProvisioningKeyCredenza({
         created &&
         `${created.siteProvisioningKeyId}.${created.siteProvisioningKey}`;
 
+    const unlimitedBatchSize = form.watch("unlimitedBatchSize");
+
     return (
         <Credenza open={open} onOpenChange={setOpen}>
             <CredenzaContent>
@@ -149,6 +193,96 @@ export default function CreateSiteProvisioningKeyCredenza({
                                         </FormItem>
                                     )}
                                 />
+                                <FormField
+                                    control={form.control}
+                                    name="maxBatchSize"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t(
+                                                    "provisioningKeysMaxBatchSize"
+                                                )}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    type="number"
+                                                    min={1}
+                                                    max={1_000_000}
+                                                    autoComplete="off"
+                                                    disabled={
+                                                        unlimitedBatchSize
+                                                    }
+                                                    name={field.name}
+                                                    ref={field.ref}
+                                                    onBlur={field.onBlur}
+                                                    onChange={(e) => {
+                                                        const v =
+                                                            e.target.value;
+                                                        field.onChange(
+                                                            v === ""
+                                                                ? 100
+                                                                : Number(v)
+                                                        );
+                                                    }}
+                                                    value={field.value}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={form.control}
+                                    name="unlimitedBatchSize"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-row items-center gap-3 space-y-0">
+                                            <FormControl>
+                                                <Checkbox
+                                                    id="provisioning-unlimited-batch"
+                                                    checked={field.value}
+                                                    onCheckedChange={(c) =>
+                                                        field.onChange(
+                                                            c === true
+                                                        )
+                                                    }
+                                                />
+                                            </FormControl>
+                                            <FormLabel
+                                                htmlFor="provisioning-unlimited-batch"
+                                                className="cursor-pointer font-normal !mt-0"
+                                            >
+                                                {t(
+                                                    "provisioningKeysUnlimitedBatchSize"
+                                                )}
+                                            </FormLabel>
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={form.control}
+                                    name="validUntil"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t(
+                                                    "provisioningKeysValidUntil"
+                                                )}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    type="datetime-local"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormDescription>
+                                                {t(
+                                                    "provisioningKeysValidUntilHint"
+                                                )}
+                                            </FormDescription>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
                             </form>
                         </Form>
                     )}
diff --git a/src/components/EditSiteProvisioningKeyCredenza.tsx b/src/components/EditSiteProvisioningKeyCredenza.tsx
new file mode 100644
index 000000000..9603374d5
--- /dev/null
+++ b/src/components/EditSiteProvisioningKeyCredenza.tsx
@@ -0,0 +1,297 @@
+"use client";
+
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import {
+    Form,
+    FormControl,
+    FormDescription,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Button } from "@app/components/ui/button";
+import { Checkbox } from "@app/components/ui/checkbox";
+import { Input } from "@app/components/ui/input";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { UpdateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
+import { AxiosResponse } from "axios";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
+import { zodResolver } from "@hookform/resolvers/zod";
+import moment from "moment";
+
+const FORM_ID = "edit-site-provisioning-key-form";
+
+export type EditableSiteProvisioningKey = {
+    id: string;
+    name: string;
+    maxBatchSize: number | null;
+    validUntil: string | null;
+};
+
+type EditSiteProvisioningKeyCredenzaProps = {
+    open: boolean;
+    setOpen: (open: boolean) => void;
+    orgId: string;
+    provisioningKey: EditableSiteProvisioningKey | null;
+};
+
+export default function EditSiteProvisioningKeyCredenza({
+    open,
+    setOpen,
+    orgId,
+    provisioningKey
+}: EditSiteProvisioningKeyCredenzaProps) {
+    const t = useTranslations();
+    const router = useRouter();
+    const api = createApiClient(useEnvContext());
+    const [loading, setLoading] = useState(false);
+
+    const editFormSchema = z
+        .object({
+            name: z.string(),
+            unlimitedBatchSize: z.boolean(),
+            maxBatchSize: z
+                .number()
+                .int()
+                .min(1, { message: t("provisioningKeysMaxBatchSizeInvalid") })
+                .max(1_000_000, {
+                    message: t("provisioningKeysMaxBatchSizeInvalid")
+                }),
+            validUntil: z.string().optional()
+        })
+        .superRefine((data, ctx) => {
+            const v = data.validUntil;
+            if (v == null || v.trim() === "") {
+                return;
+            }
+            if (Number.isNaN(Date.parse(v))) {
+                ctx.addIssue({
+                    code: "custom",
+                    message: t("provisioningKeysValidUntilInvalid"),
+                    path: ["validUntil"]
+                });
+            }
+        });
+
+    type EditFormValues = z.infer<typeof editFormSchema>;
+
+    const form = useForm<EditFormValues>({
+        resolver: zodResolver(editFormSchema),
+        defaultValues: {
+            name: "",
+            unlimitedBatchSize: false,
+            maxBatchSize: 100,
+            validUntil: ""
+        }
+    });
+
+    useEffect(() => {
+        if (!open || !provisioningKey) {
+            return;
+        }
+        form.reset({
+            name: provisioningKey.name,
+            unlimitedBatchSize: provisioningKey.maxBatchSize == null,
+            maxBatchSize: provisioningKey.maxBatchSize ?? 100,
+            validUntil: provisioningKey.validUntil
+                ? moment(provisioningKey.validUntil).format("YYYY-MM-DDTHH:mm")
+                : ""
+        });
+    }, [open, provisioningKey, form]);
+
+    async function onSubmit(data: EditFormValues) {
+        if (!provisioningKey) {
+            return;
+        }
+        setLoading(true);
+        try {
+            const res = await api
+                .patch<
+                    AxiosResponse<UpdateSiteProvisioningKeyResponse>
+                >(
+                    `/org/${orgId}/site-provisioning-key/${provisioningKey.id}`,
+                    {
+                        maxBatchSize: data.unlimitedBatchSize
+                            ? null
+                            : data.maxBatchSize,
+                        validUntil:
+                            data.validUntil == null ||
+                            data.validUntil.trim() === ""
+                                ? ""
+                                : data.validUntil
+                    }
+                )
+                .catch((e) => {
+                    toast({
+                        variant: "destructive",
+                        title: t("provisioningKeysUpdateError"),
+                        description: formatAxiosError(e)
+                    });
+                });
+
+            if (res && res.status === 200) {
+                toast({
+                    title: t("provisioningKeysUpdated"),
+                    description: t("provisioningKeysUpdatedDescription")
+                });
+                setOpen(false);
+                router.refresh();
+            }
+        } finally {
+            setLoading(false);
+        }
+    }
+
+    const unlimitedBatchSize = form.watch("unlimitedBatchSize");
+
+    if (!provisioningKey) {
+        return null;
+    }
+
+    return (
+        <Credenza open={open} onOpenChange={setOpen}>
+            <CredenzaContent>
+                <CredenzaHeader>
+                    <CredenzaTitle>{t("provisioningKeysEdit")}</CredenzaTitle>
+                    <CredenzaDescription>
+                        {t("provisioningKeysEditDescription")}
+                    </CredenzaDescription>
+                </CredenzaHeader>
+                <CredenzaBody>
+                    <Form {...form}>
+                        <form
+                            id={FORM_ID}
+                            onSubmit={form.handleSubmit(onSubmit)}
+                            className="space-y-4"
+                        >
+                            <FormField
+                                control={form.control}
+                                name="name"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>{t("name")}</FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                autoComplete="off"
+                                                disabled
+                                                {...field}
+                                            />
+                                        </FormControl>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="maxBatchSize"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>
+                                            {t("provisioningKeysMaxBatchSize")}
+                                        </FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                type="number"
+                                                min={1}
+                                                max={1_000_000}
+                                                autoComplete="off"
+                                                disabled={unlimitedBatchSize}
+                                                name={field.name}
+                                                ref={field.ref}
+                                                onBlur={field.onBlur}
+                                                onChange={(e) => {
+                                                    const v = e.target.value;
+                                                    field.onChange(
+                                                        v === ""
+                                                            ? 100
+                                                            : Number(v)
+                                                    );
+                                                }}
+                                                value={field.value}
+                                            />
+                                        </FormControl>
+                                        <FormMessage />
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="unlimitedBatchSize"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-center gap-3 space-y-0">
+                                        <FormControl>
+                                            <Checkbox
+                                                id="provisioning-edit-unlimited-batch"
+                                                checked={field.value}
+                                                onCheckedChange={(c) =>
+                                                    field.onChange(c === true)
+                                                }
+                                            />
+                                        </FormControl>
+                                        <FormLabel
+                                            htmlFor="provisioning-edit-unlimited-batch"
+                                            className="cursor-pointer font-normal !mt-0"
+                                        >
+                                            {t(
+                                                "provisioningKeysUnlimitedBatchSize"
+                                            )}
+                                        </FormLabel>
+                                    </FormItem>
+                                )}
+                            />
+                            <FormField
+                                control={form.control}
+                                name="validUntil"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>
+                                            {t("provisioningKeysValidUntil")}
+                                        </FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                type="datetime-local"
+                                                {...field}
+                                            />
+                                        </FormControl>
+                                        <FormDescription>
+                                            {t("provisioningKeysValidUntilHint")}
+                                        </FormDescription>
+                                        <FormMessage />
+                                    </FormItem>
+                                )}
+                            />
+                        </form>
+                    </Form>
+                </CredenzaBody>
+                <CredenzaFooter>
+                    <CredenzaClose asChild>
+                        <Button variant="outline">{t("close")}</Button>
+                    </CredenzaClose>
+                    <Button
+                        type="submit"
+                        form={FORM_ID}
+                        loading={loading}
+                        disabled={loading}
+                    >
+                        {t("save")}
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
diff --git a/src/components/LayoutMobileMenu.tsx b/src/components/LayoutMobileMenu.tsx
index e1c883a2b..854cad6db 100644
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -93,7 +93,7 @@ export function LayoutMobileMenu({
                                                                 )
                                                             }
                                                         >
-                                                            <span className="flex-shrink-0 mr-2">
+                                                            <span className="flex-shrink-0 w-5 h-5 flex items-center justify-center text-muted-foreground mr-3">
                                                                 <Server className="h-4 w-4" />
                                                             </span>
                                                             <span className="flex-1">
diff --git a/src/components/LayoutSidebar.tsx b/src/components/LayoutSidebar.tsx
index e9e2d61eb..1cd2131f7 100644
--- a/src/components/LayoutSidebar.tsx
+++ b/src/components/LayoutSidebar.tsx
@@ -169,8 +169,8 @@ export function LayoutSidebar({
                             >
                                 <span
                                     className={cn(
-                                        "shrink-0",
-                                        !isSidebarCollapsed && "mr-2"
+                                        "flex-shrink-0 w-5 h-5 flex items-center justify-center text-muted-foreground",
+                                        !isSidebarCollapsed && "mr-3"
                                     )}
                                 >
                                     <Server className="h-4 w-4" />
@@ -222,36 +222,34 @@ export function LayoutSidebar({
                 </div>
             )}
 
-            <div className="w-full border-t border-border mb-3" />
-
-            <div className="p-4 pt-1 flex flex-col shrink-0">
+            <div className="pt-1 flex flex-col shrink-0 gap-2 w-full border-t border-border">
                 {canShowProductUpdates && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <ProductUpdates isCollapsed={isSidebarCollapsed} />
                     </div>
                 )}
 
                 {build === "enterprise" && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <SidebarLicenseButton
                             isCollapsed={isSidebarCollapsed}
                         />
                     </div>
                 )}
                 {build === "oss" && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <SupporterStatus isCollapsed={isSidebarCollapsed} />
                     </div>
                 )}
                 {build === "saas" && (
-                    <div className="mb-3 empty:mb-0">
+                    <div className="px-4">
                         <SidebarSupportButton
                             isCollapsed={isSidebarCollapsed}
                         />
                     </div>
                 )}
                 {!isSidebarCollapsed && (
-                    <div className="space-y-2">
+                    <div className="px-4 space-y-2 pb-4">
                         {loadFooterLinks() ? (
                             <>
                                 {loadFooterLinks()!.map((link, index) => (
diff --git a/src/components/ProductUpdates.tsx b/src/components/ProductUpdates.tsx
index 01689d9d7..76ab0252d 100644
--- a/src/components/ProductUpdates.tsx
+++ b/src/components/ProductUpdates.tsx
@@ -192,13 +192,13 @@ function ProductUpdatesListPopup({
                     <div
                         className={cn(
                             "relative z-1 cursor-pointer block group",
-                            "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                            "rounded-md border bg-secondary p-2 py-3 w-full flex flex-col gap-2 text-sm",
                             "transition duration-300 ease-in-out",
                             "data-closed:opacity-0 data-closed:translate-y-full"
                         )}
                     >
                         <div className="flex items-center gap-2">
-                            <BellIcon className="flex-none size-4 text-primary" />
+                            <BellIcon className="flex-none size-4" />
                             <div className="flex justify-between items-center flex-1">
                                 <p className="font-medium text-start">
                                     {t("productUpdateWhatsNew")}
@@ -346,13 +346,13 @@ function NewVersionAvailable({
                     rel="noopener noreferrer"
                     className={cn(
                         "relative z-2 group cursor-pointer block",
-                        "rounded-md border border-primary/30 bg-linear-to-br dark:from-primary/20 from-primary/20 via-background to-background p-2 py-3 w-full flex flex-col gap-2 text-sm",
+                        "rounded-md border bg-secondary p-2 py-3 w-full flex flex-col gap-2 text-sm",
                         "transition duration-300 ease-in-out",
                         "data-closed:opacity-0 data-closed:translate-y-full"
                     )}
                 >
                     <div className="flex items-center gap-2">
-                        <RocketIcon className="flex-none size-4 text-primary" />
+                        <RocketIcon className="flex-none size-4" />
                         <p className="font-medium flex-1">
                             {t("pangolinUpdateAvailable")}
                         </p>
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
index 3fb3eb872..df7fd241c 100644
--- a/src/components/SiteProvisioningKeysTable.tsx
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -15,19 +15,27 @@ import { ArrowUpDown, MoreHorizontal } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
 import CreateSiteProvisioningKeyCredenza from "@app/components/CreateSiteProvisioningKeyCredenza";
+import EditSiteProvisioningKeyCredenza from "@app/components/EditSiteProvisioningKeyCredenza";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { toast } from "@app/hooks/useToast";
 import { formatAxiosError } from "@app/lib/api";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import moment from "moment";
 import { useTranslations } from "next-intl";
+import { build } from "@server/build";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 
 export type SiteProvisioningKeyRow = {
     id: string;
     key: string;
     name: string;
     createdAt: string;
+    lastUsed: string | null;
+    maxBatchSize: number | null;
+    numUsed: number;
+    validUntil: string | null;
 };
 
 type SiteProvisioningKeysTableProps = {
@@ -47,8 +55,15 @@ export default function SiteProvisioningKeysTable({
     const [rows, setRows] = useState<SiteProvisioningKeyRow[]>(keys);
     const api = createApiClient(useEnvContext());
     const t = useTranslations();
+    const { isPaidUser } = usePaidStatus();
+    const canUseSiteProvisioning =
+        isPaidUser(tierMatrix[TierFeature.SiteProvisioningKeys]) &&
+        build !== "oss";
     const [isRefreshing, setIsRefreshing] = useState(false);
     const [createOpen, setCreateOpen] = useState(false);
+    const [editOpen, setEditOpen] = useState(false);
+    const [editingKey, setEditingKey] =
+        useState<SiteProvisioningKeyRow | null>(null);
 
     useEffect(() => {
         setRows(keys);
@@ -121,6 +136,68 @@ export default function SiteProvisioningKeysTable({
                 return <span className="font-mono">{r.key}</span>;
             }
         },
+        {
+            accessorKey: "maxBatchSize",
+            friendlyName: t("provisioningKeysMaxBatchSize"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysMaxBatchSize")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <span>
+                        {r.maxBatchSize == null
+                            ? t("provisioningKeysMaxBatchUnlimited")
+                            : r.maxBatchSize}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "numUsed",
+            friendlyName: t("provisioningKeysNumUsed"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysNumUsed")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return <span>{r.numUsed}</span>;
+            }
+        },
+        {
+            accessorKey: "validUntil",
+            friendlyName: t("provisioningKeysValidUntil"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysValidUntil")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <span>
+                        {r.validUntil
+                            ? moment(r.validUntil).format("lll")
+                            : t("provisioningKeysNoExpiry")}
+                    </span>
+                );
+            }
+        },
+        {
+            accessorKey: "lastUsed",
+            friendlyName: t("provisioningKeysLastUsed"),
+            header: () => (
+                <span className="p-3">{t("provisioningKeysLastUsed")}</span>
+            ),
+            cell: ({ row }) => {
+                const r = row.original;
+                return (
+                    <span>
+                        {r.lastUsed
+                            ? moment(r.lastUsed).format("lll")
+                            : t("provisioningKeysNeverUsed")}
+                    </span>
+                );
+            }
+        },
         {
             accessorKey: "createdAt",
             friendlyName: t("createdAt"),
@@ -149,6 +226,16 @@ export default function SiteProvisioningKeysTable({
                             </DropdownMenuTrigger>
                             <DropdownMenuContent align="end">
                                 <DropdownMenuItem
+                                    disabled={!canUseSiteProvisioning}
+                                    onClick={() => {
+                                        setEditingKey(r);
+                                        setEditOpen(true);
+                                    }}
+                                >
+                                    {t("edit")}
+                                </DropdownMenuItem>
+                                <DropdownMenuItem
+                                    disabled={!canUseSiteProvisioning}
                                     onClick={() => {
                                         setSelected(r);
                                         setIsDeleteModalOpen(true);
@@ -174,6 +261,18 @@ export default function SiteProvisioningKeysTable({
                 orgId={orgId}
             />
 
+            <EditSiteProvisioningKeyCredenza
+                open={editOpen}
+                setOpen={(v) => {
+                    setEditOpen(v);
+                    if (!v) {
+                        setEditingKey(null);
+                    }
+                }}
+                orgId={orgId}
+                provisioningKey={editingKey}
+            />
+
             {selected && (
                 <ConfirmDeleteDialog
                     open={isDeleteModalOpen}
@@ -203,7 +302,12 @@ export default function SiteProvisioningKeysTable({
                 title={t("provisioningKeys")}
                 searchPlaceholder={t("searchProvisioningKeys")}
                 searchColumn="name"
-                onAdd={() => setCreateOpen(true)}
+                onAdd={() => {
+                    if (canUseSiteProvisioning) {
+                        setCreateOpen(true);
+                    }
+                }}
+                addButtonDisabled={!canUseSiteProvisioning}
                 onRefresh={refreshData}
                 isRefreshing={isRefreshing}
                 addButtonText={t("provisioningKeysAdd")}
diff --git a/src/components/ui/data-table.tsx b/src/components/ui/data-table.tsx
index 834c56e88..a0c11ffdf 100644
--- a/src/components/ui/data-table.tsx
+++ b/src/components/ui/data-table.tsx
@@ -171,6 +171,7 @@ type DataTableProps<TData, TValue> = {
     title?: string;
     addButtonText?: string;
     onAdd?: () => void;
+    addButtonDisabled?: boolean;
     onRefresh?: () => void;
     isRefreshing?: boolean;
     searchPlaceholder?: string;
@@ -203,6 +204,7 @@ export function DataTable<TData, TValue>({
     title,
     addButtonText,
     onAdd,
+    addButtonDisabled = false,
     onRefresh,
     isRefreshing,
     searchPlaceholder = "Search...",
@@ -635,7 +637,7 @@ export function DataTable<TData, TValue>({
                         )}
                         {onAdd && addButtonText && (
                             <div>
-                                <Button onClick={onAdd}>
+                                <Button onClick={onAdd} disabled={addButtonDisabled}>
                                     <Plus className="mr-2 h-4 w-4" />
                                     {addButtonText}
                                 </Button>

From 395cab795c3d23f182651cd5d3bbe1316cb2ff5b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 25 Mar 2026 20:33:58 -0700
Subject: [PATCH 039/122] Batch set bandwidth

---
 server/routers/gerbil/receiveBandwidth.ts | 146 +++++++++++++---------
 1 file changed, 84 insertions(+), 62 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index b73ce986d..042c844aa 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { eq, sql } from "drizzle-orm";
-import { sites } from "@server/db";
+import { sql } from "drizzle-orm";
 import { db } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
@@ -31,7 +30,10 @@ const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;
 
 // How often to flush accumulated bandwidth data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+const FLUSH_INTERVAL_MS = 300_000; // 300 seconds
+
+// Maximum number of sites to include in a single batch UPDATE statement
+const BATCH_CHUNK_SIZE = 250;
 
 // In-memory accumulator: publicKey -> AccumulatorEntry
 let accumulator = new Map<string, AccumulatorEntry>();
@@ -75,13 +77,33 @@ async function withDeadlockRetry<T>(
     }
 }
 
+/**
+ * Execute a raw SQL query that returns rows, in a way that works across both
+ * the PostgreSQL driver (which exposes `execute`) and the SQLite driver (which
+ * exposes `all`).  Drizzle's typed query builder doesn't support bulk
+ * UPDATE … FROM (VALUES …) natively, so we drop to raw SQL here.
+ */
+async function dbQueryRows<T extends Record<string, unknown>>(
+    query: Parameters<(typeof sql)["join"]>[0][number]
+): Promise<T[]> {
+    const anyDb = db as any;
+    if (typeof anyDb.execute === "function") {
+        // PostgreSQL (node-postgres via Drizzle) — returns { rows: [...] } or an array
+        const result = await anyDb.execute(query);
+        return (Array.isArray(result) ? result : (result.rows ?? [])) as T[];
+    }
+    // SQLite (better-sqlite3 via Drizzle) — returns an array directly
+    return (await anyDb.all(query)) as T[];
+}
+
 /**
  * Flush all accumulated site bandwidth data to the database.
  *
  * Swaps out the accumulator before writing so that any bandwidth messages
  * received during the flush are captured in the new accumulator rather than
- * being lost or causing contention. Entries that fail to write are re-queued
- * back into the accumulator so they will be retried on the next flush.
+ * being lost or causing contention. Sites are updated in chunks via a single
+ * batch UPDATE per chunk. Failed chunks are discarded — exact per-flush
+ * accuracy is not critical and re-queuing is not worth the added complexity.
  *
  * This function is exported so that the application's graceful-shutdown
  * cleanup handler can call it before the process exits.
@@ -108,76 +130,76 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         `Flushing accumulated bandwidth data for ${sortedEntries.length} site(s) to the database`
     );
 
-    // Aggregate billing usage by org, collected during the DB update loop.
+    // Build a lookup so post-processing can reach each entry by publicKey.
+    const snapshotMap = new Map(sortedEntries);
+
+    // Aggregate billing usage by org across all chunks.
     const orgUsageMap = new Map<string, number>();
 
-    for (const [publicKey, { bytesIn, bytesOut, exitNodeId, calcUsage }] of sortedEntries) {
+    // Process in chunks so individual queries stay at a reasonable size.
+    for (let i = 0; i < sortedEntries.length; i += BATCH_CHUNK_SIZE) {
+        const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
+        const chunkEnd = i + chunk.length - 1;
+
+        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
+        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
+        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
+        // in a single query instead of N individual round-trips.
+        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
+            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+        );
+        const valuesClause = sql.join(valuesList, sql`, `);
+
+        let rows: { orgId: string; pubKey: string }[] = [];
+
         try {
-            const updatedSite = await withDeadlockRetry(async () => {
-                const [result] = await db
-                    .update(sites)
-                    .set({
-                        megabytesOut: sql`COALESCE(${sites.megabytesOut}, 0) + ${bytesIn}`,
-                        megabytesIn: sql`COALESCE(${sites.megabytesIn}, 0) + ${bytesOut}`,
-                        lastBandwidthUpdate: currentTime,
-                    })
-                    .where(eq(sites.pubKey, publicKey))
-                    .returning({
-                        orgId: sites.orgId,
-                        siteId: sites.siteId
-                    });
-                return result;
-            }, `flush bandwidth for site ${publicKey}`);
-
-            if (updatedSite) {
-                if (exitNodeId) {
-                    const notAllowed = await checkExitNodeOrg(
-                        exitNodeId,
-                        updatedSite.orgId
-                    );
-                    if (notAllowed) {
-                        logger.warn(
-                            `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
-                        );
-                        // Skip usage tracking for this site but continue
-                        // processing the rest.
-                        continue;
-                    }
-                }
-
-                if (calcUsage) {
-                    const totalBandwidth = bytesIn + bytesOut;
-                    const current = orgUsageMap.get(updatedSite.orgId) ?? 0;
-                    orgUsageMap.set(updatedSite.orgId, current + totalBandwidth);
-                }
-            }
+            rows = await withDeadlockRetry(async () => {
+                return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
+                    UPDATE sites
+                    SET
+                        "bytesOut"            = COALESCE("bytesOut", 0) + v.bytes_in,
+                        "bytesIn"             = COALESCE("bytesIn", 0)  + v.bytes_out,
+                        "lastBandwidthUpdate" = ${currentTime}
+                    FROM (VALUES ${valuesClause}) AS v(pub_key, bytes_in, bytes_out)
+                    WHERE sites."pubKey" = v.pub_key
+                    RETURNING sites."orgId" AS "orgId", sites."pubKey" AS "pubKey"
+                `);
+            }, `flush bandwidth chunk [${i}–${chunkEnd}]`);
         } catch (error) {
             logger.error(
-                `Failed to flush bandwidth for site ${publicKey}:`,
+                `Failed to flush bandwidth chunk [${i}–${chunkEnd}], discarding ${chunk.length} site(s):`,
                 error
             );
+            // Discard the chunk — exact per-flush accuracy is not critical.
+            continue;
+        }
 
-            // Re-queue the failed entry so it is retried on the next flush
-            // rather than silently dropped.
-            const existing = accumulator.get(publicKey);
-            if (existing) {
-                existing.bytesIn += bytesIn;
-                existing.bytesOut += bytesOut;
-            } else {
-                accumulator.set(publicKey, {
-                    bytesIn,
-                    bytesOut,
-                    exitNodeId,
-                    calcUsage
-                });
+        // Collect billing usage from the returned rows.
+        for (const { orgId, pubKey } of rows) {
+            const entry = snapshotMap.get(pubKey);
+            if (!entry) continue;
+
+            const { bytesIn, bytesOut, exitNodeId, calcUsage } = entry;
+
+            if (exitNodeId) {
+                const notAllowed = await checkExitNodeOrg(exitNodeId, orgId);
+                if (notAllowed) {
+                    logger.warn(
+                        `Exit node ${exitNodeId} is not allowed for org ${orgId}`
+                    );
+                    continue;
+                }
+            }
+
+            if (calcUsage) {
+                const current = orgUsageMap.get(orgId) ?? 0;
+                orgUsageMap.set(orgId, current + bytesIn + bytesOut);
             }
         }
     }
 
-    // Process billing usage updates outside the site-update loop to keep
-    // lock scope small and concerns separated.
+    // Process billing usage updates after all chunks are written.
     if (orgUsageMap.size > 0) {
-        // Sort org IDs for consistent lock ordering.
         const sortedOrgIds = [...orgUsageMap.keys()].sort();
 
         for (const orgId of sortedOrgIds) {

From 660420ddef68f2c5abee349bcd98709c91aac869 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:01:54 -0700
Subject: [PATCH 040/122] Disable everything if not paid

---
 src/app/[orgId]/settings/(private)/idp/create/page.tsx | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 4c783e9b2..fc2c6c382 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -275,6 +275,8 @@ export default function Page() {
         }
     }
 
+    const disabled = !isPaidUser(tierMatrix.orgOidc);
+
     return (
         <>
             <div className="flex justify-between">
@@ -292,6 +294,9 @@ export default function Page() {
                 </Button>
             </div>
 
+            <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+
+            <fieldset disabled={disabled} className={disabled ? "opacity-50 pointer-events-none" : ""}>
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -812,9 +817,10 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading || !isPaidUser(tierMatrix.orgOidc)}
+                    disabled={createLoading || disabled}
                     loading={createLoading}
                     onClick={() => {
+                        if (disabled) return;
                         // log any issues with the form
                         console.log(form.formState.errors);
                         form.handleSubmit(onSubmit)();
@@ -823,6 +829,7 @@ export default function Page() {
                     {t("idpSubmit")}
                 </Button>
             </div>
+            </fieldset>
         </>
     );
 }

From 17eb93d045b94e7932421e5caca952224dc9ce0a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:12:13 -0700
Subject: [PATCH 041/122] Add better pooling controls

---
 server/db/pg/driver.ts     | 35 ++++++++++++---------
 server/db/pg/logsDriver.ts | 35 ++++++++++++---------
 server/db/pg/poolConfig.ts | 63 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 28 deletions(-)
 create mode 100644 server/db/pg/poolConfig.ts

diff --git a/server/db/pg/driver.ts b/server/db/pg/driver.ts
index 5b357d060..9366e32e1 100644
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";
 
 function createDb() {
     const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
 
     // Create connection pools instead of individual connections
     const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );
 
     const replicas = [];
 
@@ -55,14 +60,16 @@ function createDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+>[0];
\ No newline at end of file
diff --git a/server/db/pg/logsDriver.ts b/server/db/pg/logsDriver.ts
index 49e26f89f..146b8fb2f 100644
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";
 
 function createLogsDb() {
     // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
 
     // Create separate connection pool for logs database
     const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );
 
     const replicas = [];
 
@@ -58,14 +63,16 @@ function createLogsDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {
 
 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
\ No newline at end of file
diff --git a/server/db/pg/poolConfig.ts b/server/db/pg/poolConfig.ts
new file mode 100644
index 000000000..f753121c1
--- /dev/null
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}
\ No newline at end of file

From 3e3b02021cdcc60fadb2d246efbe1f466b8054a2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 16:26:56 -0700
Subject: [PATCH 042/122] Add ssh access log

---
 server/private/routers/ssh/signSshKey.ts      | 19 +++++++++++++++++++
 src/app/[orgId]/settings/logs/access/page.tsx | 16 ++++++++--------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index 5cffb4a34..c39d2e0ae 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -24,6 +24,7 @@ import {
     sites,
     userOrgs
 } from "@server/db";
+import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
@@ -463,6 +464,24 @@ export async function signSshKey(
             })
         });
 
+        await logAccessAudit({
+            action: true,
+            type: "ssh",
+            orgId: orgId,
+            resourceId: resource.siteResourceId,
+            user: req.user
+                ? { username: req.user.username ?? "", userId: req.user.userId }
+                : undefined,
+            metadata: {
+                resourceName: resource.name,
+                siteId: resource.siteId,
+                sshUsername: usernameToUse,
+                sshHost: sshHost
+            },
+            userAgent: req.headers["user-agent"],
+            requestIp: req.ip
+        });
+
         return response<SignSshKeyResponse>(res, {
             data: {
                 certificate: cert.certificate,
diff --git a/src/app/[orgId]/settings/logs/access/page.tsx b/src/app/[orgId]/settings/logs/access/page.tsx
index 810022b98..dbb7b6708 100644
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -493,7 +493,8 @@ export default function GeneralPage() {
                                 {
                                     value: "whitelistedEmail",
                                     label: "Whitelisted Email"
-                                }
+                                },
+                                { value: "ssh", label: "SSH" }
                             ]}
                             selectedValue={filters.type}
                             onValueChange={(value) =>
@@ -507,13 +508,12 @@ export default function GeneralPage() {
                 );
             },
             cell: ({ row }) => {
-                // should be capitalized first letter
-                return (
-                    <span>
-                        {row.original.type.charAt(0).toUpperCase() +
-                            row.original.type.slice(1) || "-"}
-                    </span>
-                );
+                const typeLabel =
+                    row.original.type === "ssh"
+                        ? "SSH"
+                        : row.original.type.charAt(0).toUpperCase() +
+                          row.original.type.slice(1);
+                return <span>{typeLabel || "-"}</span>;
             }
         },
         {

From 1f4cde5f7fae62fe6d6d75f3038ea68e68ad3c92 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:13:57 -0700
Subject: [PATCH 043/122] Add license script

---
 license.py | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 license.py

diff --git a/license.py b/license.py
new file mode 100644
index 000000000..865dfad7a
--- /dev/null
+++ b/license.py
@@ -0,0 +1,115 @@
+import os
+import sys
+
+# --- Configuration ---
+# The header text to be added to the files.
+HEADER_TEXT = """/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+"""
+
+def should_add_header(file_path):
+    """
+    Checks if a file should receive the commercial license header.
+    Returns True if 'private' is in the path or file content.
+    """
+    # Check if 'private' is in the file path (case-insensitive)
+    if 'server/private' in file_path.lower():
+        return True
+
+    # Check if 'private' is in the file content (case-insensitive)
+    # try:
+    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
+    #         content = f.read()
+    #         if 'private' in content.lower():
+    #             return True
+    # except Exception as e:
+    #     print(f"Could not read file {file_path}: {e}")
+
+    return False
+
+def process_directory(root_dir):
+    """
+    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
+    skipping any 'node_modules' directories.
+    """
+    print(f"Scanning directory: {root_dir}")
+    files_processed = 0
+    headers_added = 0
+
+    for root, dirs, files in os.walk(root_dir):
+        # --- MODIFICATION ---
+        # Exclude 'node_modules' directories from the scan to improve performance.
+        if 'node_modules' in dirs:
+            dirs.remove('node_modules')
+
+        for file in files:
+            if file.endswith('.ts') or file.endswith('.tsx'):
+                file_path = os.path.join(root, file)
+                files_processed += 1
+
+                try:
+                    with open(file_path, 'r+', encoding='utf-8') as f:
+                        original_content = f.read()
+                        has_header = original_content.startswith(HEADER_TEXT.strip())
+                        
+                        if should_add_header(file_path):
+                            # Add header only if it's not already there
+                            if not has_header:
+                                f.seek(0, 0) # Go to the beginning of the file
+                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
+                                print(f"Added header to: {file_path}")
+                                headers_added += 1
+                            else:
+                                print(f"Header already exists in: {file_path}")
+                        else:
+                            # Remove header if it exists but shouldn't be there
+                            if has_header:
+                                # Find the end of the header and remove it (including following newlines)
+                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
+                                if original_content.startswith(header_with_newlines):
+                                    content_without_header = original_content[len(header_with_newlines):]
+                                else:
+                                    # Handle case where there might be different newline patterns
+                                    header_end = len(HEADER_TEXT.strip())
+                                    # Skip any newlines after the header
+                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
+                                        header_end += 1
+                                    content_without_header = original_content[header_end:]
+                                
+                                f.seek(0)
+                                f.write(content_without_header)
+                                f.truncate()
+                                print(f"Removed header from: {file_path}")
+                                headers_added += 1  # Reusing counter for modifications
+
+                except Exception as e:
+                    print(f"Error processing file {file_path}: {e}")
+
+    print("\n--- Scan Complete ---")
+    print(f"Total .ts or .tsx files found: {files_processed}")
+    print(f"Files modified (headers added/removed): {headers_added}")
+
+
+if __name__ == "__main__":
+    # Get the target directory from the command line arguments.
+    # If no directory is provided, it uses the current directory ('.').
+    if len(sys.argv) > 1:
+        target_directory = sys.argv[1]
+    else:
+        target_directory = '.' # Default to current directory
+
+    if not os.path.isdir(target_directory):
+        print(f"Error: Directory '{target_directory}' not found.")
+        sys.exit(1)
+
+    process_directory(os.path.abspath(target_directory))

From 348fcbcabf7016751c58314d6a3ceed84aa01b40 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 17:39:43 -0700
Subject: [PATCH 044/122] Try to solve th problem

---
 server/cleanup.ts                            |   2 +
 server/private/cleanup.ts                    |   2 +
 server/private/routers/ws/ws.ts              |  37 +-
 server/routers/newt/getNewtToken.ts          |  22 +-
 server/routers/newt/handleNewtPingMessage.ts |  19 +-
 server/routers/newt/pingAccumulator.ts       | 382 +++++++++++++++++++
 server/routers/olm/getOlmToken.ts            |   4 +-
 server/routers/olm/handleOlmPingMessage.ts   |  23 +-
 server/routers/ws/messageHandlers.ts         |   5 +
 server/routers/ws/ws.ts                      |  23 +-
 10 files changed, 446 insertions(+), 73 deletions(-)
 create mode 100644 server/routers/newt/pingAccumulator.ts

diff --git a/server/cleanup.ts b/server/cleanup.ts
index 81cc31692..10e9f4cc3 100644
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,9 +1,11 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 
 async function cleanup() {
+    await stopPingAccumulator();
     await flushBandwidthToDb();
     await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 4b12f1b3c..17d823491 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -16,8 +16,10 @@ import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 
 async function cleanup() {
+    await stopPingAccumulator();
     await flushBandwidthToDb();
     await flushConnectionLogToDb();
     await flushSiteBandwidthToDb();
diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index 4bfda5da8..d96c55c91 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -30,6 +30,7 @@ import {
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
+import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import logger from "@server/logger";
@@ -197,11 +198,7 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();
 
-// Tracks the last Unix timestamp (seconds) at which a ping was flushed to the
-// DB for a given siteId. Resets on server restart which is fine – the first
-// ping after startup will always write, re-establishing the online state.
-const lastPingDbWrite: Map<number, number> = new Map();
-const PING_DB_WRITE_INTERVAL = 45; // seconds
+
 
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
@@ -853,32 +850,16 @@ const setupConnection = async (
         );
     });
 
-    // Handle WebSocket protocol-level pings from older newt clients that do
-    // not send application-level "newt/ping" messages. Update the site's
-    // online state and lastPing timestamp so the offline checker treats them
-    // the same as modern newt clients.
     if (clientType === "newt") {
         const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
             if (!newtClient.siteId) return;
-            const now = Math.floor(Date.now() / 1000);
-            const lastWrite = lastPingDbWrite.get(newtClient.siteId) ?? 0;
-            if (now - lastWrite < PING_DB_WRITE_INTERVAL) return;
-            lastPingDbWrite.set(newtClient.siteId, now);
-            try {
-                await db
-                    .update(sites)
-                    .set({
-                        online: true,
-                        lastPing: now
-                    })
-                    .where(eq(sites.siteId, newtClient.siteId));
-            } catch (error) {
-                logger.error(
-                    "Error updating newt site online state on WS ping",
-                    { error }
-                );
-            }
+            // Record the ping in the accumulator instead of writing to the
+            // database on every WS ping frame. The accumulator flushes all
+            // pending pings in a single batched UPDATE every ~10s, which
+            // prevents connection pool exhaustion under load (especially
+            // with cross-region latency to the database).
+            recordPing(newtClient.siteId);
         });
     }
 
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index 637973582..bc3cca9fc 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,5 +1,5 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
-import { db } from "@server/db";
+import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
@@ -92,6 +92,26 @@ export async function getNewtToken(
             );
         }
 
+        const [existingSession] = await db
+            .select()
+            .from(newtSessions)
+            .where(eq(newtSessions.newtId, existingNewt.newtId));
+
+        // if the session still has time in the expires, reuse it
+        if (existingSession && (existingSession.expiresAt + 30 * 60 * 1000) > Date.now()) {
+            return response<{ token: string; serverVersion: string }>(res, {
+                data: {
+                    token: existingSession.sessionId,
+                    serverVersion: APP_VERSION
+                },
+                success: true,
+                error: false,
+                message: "Token created successfully",
+                status: HttpCode.OK
+            });
+        }
+
+        // otherwise generate a new one
         const resToken = generateSessionToken();
         await createNewtSession(resToken, existingNewt.newtId);
 
diff --git a/server/routers/newt/handleNewtPingMessage.ts b/server/routers/newt/handleNewtPingMessage.ts
index 319647b83..da25852a0 100644
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -5,6 +5,7 @@ import { Newt } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { sendNewtSyncMessage } from "./sync";
+import { recordPing } from "./pingAccumulator";
 
 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -114,18 +115,12 @@ export const handleNewtPingMessage: MessageHandler = async (context) => {
         return;
     }
 
-    try {
-        // Mark the site as online and record the ping timestamp.
-        await db
-            .update(sites)
-            .set({
-                online: true,
-                lastPing: Math.floor(Date.now() / 1000)
-            })
-            .where(eq(sites.siteId, newt.siteId));
-    } catch (error) {
-        logger.error("Error updating online state on newt ping", { error });
-    }
+    // Record the ping in memory; it will be flushed to the database
+    // periodically by the ping accumulator (every ~10s) in a single
+    // batched UPDATE instead of one query per ping. This prevents
+    // connection pool exhaustion under load, especially with
+    // cross-region latency to the database.
+    recordPing(newt.siteId);
 
     // Check config version and sync if stale.
     const configVersion = await getClientConfigVersion(newt.newtId);
diff --git a/server/routers/newt/pingAccumulator.ts b/server/routers/newt/pingAccumulator.ts
new file mode 100644
index 000000000..83afd613e
--- /dev/null
+++ b/server/routers/newt/pingAccumulator.ts
@@ -0,0 +1,382 @@
+import { db } from "@server/db";
+import { sites, clients, olms } from "@server/db";
+import { eq, inArray } from "drizzle-orm";
+import logger from "@server/logger";
+
+/**
+ * Ping Accumulator
+ *
+ * Instead of writing to the database on every single newt/olm ping (which
+ * causes pool exhaustion under load, especially with cross-region latency),
+ * we accumulate pings in memory and flush them to the database periodically
+ * in a single batch.
+ *
+ * This is the same pattern used for bandwidth flushing in
+ * receiveBandwidth.ts and handleReceiveBandwidthMessage.ts.
+ *
+ * Supports two kinds of pings:
+ *   - **Site pings** (from newts): update `sites.online` and `sites.lastPing`
+ *   - **Client pings** (from OLMs): update `clients.online`, `clients.lastPing`,
+ *     `clients.archived`, and optionally reset `olms.archived`
+ */
+
+const FLUSH_INTERVAL_MS = 10_000; // Flush every 10 seconds
+const MAX_RETRIES = 2;
+const BASE_DELAY_MS = 50;
+
+// ── Site (newt) pings ──────────────────────────────────────────────────
+// Map of siteId -> latest ping timestamp (unix seconds)
+const pendingSitePings: Map<number, number> = new Map();
+
+// ── Client (OLM) pings ────────────────────────────────────────────────
+// Map of clientId -> latest ping timestamp (unix seconds)
+const pendingClientPings: Map<number, number> = new Map();
+// Set of olmIds whose `archived` flag should be reset to false
+const pendingOlmArchiveResets: Set<string> = new Set();
+
+let flushTimer: NodeJS.Timeout | null = null;
+
+// ── Public API ─────────────────────────────────────────────────────────
+
+/**
+ * Record a ping for a newt site. This does NOT write to the database
+ * immediately. Instead it stores the latest ping timestamp in memory,
+ * to be flushed periodically by the background timer.
+ */
+export function recordSitePing(siteId: number): void {
+    const now = Math.floor(Date.now() / 1000);
+    pendingSitePings.set(siteId, now);
+}
+
+/** @deprecated Use `recordSitePing` instead. Alias kept for existing call-sites. */
+export const recordPing = recordSitePing;
+
+/**
+ * Record a ping for an OLM client. Batches the `clients` table update
+ * (`online`, `lastPing`, `archived`) and, when `olmArchived` is true,
+ * also queues an `olms` table update to clear the archived flag.
+ */
+export function recordClientPing(
+    clientId: number,
+    olmId: string,
+    olmArchived: boolean
+): void {
+    const now = Math.floor(Date.now() / 1000);
+    pendingClientPings.set(clientId, now);
+    if (olmArchived) {
+        pendingOlmArchiveResets.add(olmId);
+    }
+}
+
+// ── Flush Logic ────────────────────────────────────────────────────────
+
+/**
+ * Flush all accumulated site pings to the database.
+ */
+async function flushSitePingsToDb(): Promise<void> {
+    if (pendingSitePings.size === 0) {
+        return;
+    }
+
+    // Snapshot and clear so new pings arriving during the flush go into a
+    // fresh map for the next cycle.
+    const pingsToFlush = new Map(pendingSitePings);
+    pendingSitePings.clear();
+
+    // Sort by siteId for consistent lock ordering (prevents deadlocks)
+    const sortedEntries = Array.from(pingsToFlush.entries()).sort(
+        ([a], [b]) => a - b
+    );
+
+    const BATCH_SIZE = 50;
+    for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
+        const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+
+        try {
+            await withRetry(async () => {
+                // Group by timestamp for efficient bulk updates
+                const byTimestamp = new Map<number, number[]>();
+                for (const [siteId, timestamp] of batch) {
+                    const group = byTimestamp.get(timestamp) || [];
+                    group.push(siteId);
+                    byTimestamp.set(timestamp, group);
+                }
+
+                if (byTimestamp.size === 1) {
+                    const [timestamp, siteIds] = Array.from(
+                        byTimestamp.entries()
+                    )[0];
+                    await db
+                        .update(sites)
+                        .set({
+                            online: true,
+                            lastPing: timestamp
+                        })
+                        .where(inArray(sites.siteId, siteIds));
+                } else {
+                    await db.transaction(async (tx) => {
+                        for (const [timestamp, siteIds] of byTimestamp) {
+                            await tx
+                                .update(sites)
+                                .set({
+                                    online: true,
+                                    lastPing: timestamp
+                                })
+                                .where(inArray(sites.siteId, siteIds));
+                        }
+                    });
+                }
+            }, "flushSitePingsToDb");
+        } catch (error) {
+            logger.error(
+                `Failed to flush site ping batch (${batch.length} sites), re-queuing for next cycle`,
+                { error }
+            );
+            for (const [siteId, timestamp] of batch) {
+                const existing = pendingSitePings.get(siteId);
+                if (!existing || existing < timestamp) {
+                    pendingSitePings.set(siteId, timestamp);
+                }
+            }
+        }
+    }
+}
+
+/**
+ * Flush all accumulated client (OLM) pings to the database.
+ */
+async function flushClientPingsToDb(): Promise<void> {
+    if (pendingClientPings.size === 0 && pendingOlmArchiveResets.size === 0) {
+        return;
+    }
+
+    // Snapshot and clear
+    const pingsToFlush = new Map(pendingClientPings);
+    pendingClientPings.clear();
+
+    const olmResetsToFlush = new Set(pendingOlmArchiveResets);
+    pendingOlmArchiveResets.clear();
+
+    // ── Flush client pings ─────────────────────────────────────────────
+    if (pingsToFlush.size > 0) {
+        const sortedEntries = Array.from(pingsToFlush.entries()).sort(
+            ([a], [b]) => a - b
+        );
+
+        const BATCH_SIZE = 50;
+        for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
+            const batch = sortedEntries.slice(i, i + BATCH_SIZE);
+
+            try {
+                await withRetry(async () => {
+                    const byTimestamp = new Map<number, number[]>();
+                    for (const [clientId, timestamp] of batch) {
+                        const group = byTimestamp.get(timestamp) || [];
+                        group.push(clientId);
+                        byTimestamp.set(timestamp, group);
+                    }
+
+                    if (byTimestamp.size === 1) {
+                        const [timestamp, clientIds] = Array.from(
+                            byTimestamp.entries()
+                        )[0];
+                        await db
+                            .update(clients)
+                            .set({
+                                lastPing: timestamp,
+                                online: true,
+                                archived: false
+                            })
+                            .where(inArray(clients.clientId, clientIds));
+                    } else {
+                        await db.transaction(async (tx) => {
+                            for (const [timestamp, clientIds] of byTimestamp) {
+                                await tx
+                                    .update(clients)
+                                    .set({
+                                        lastPing: timestamp,
+                                        online: true,
+                                        archived: false
+                                    })
+                                    .where(
+                                        inArray(clients.clientId, clientIds)
+                                    );
+                            }
+                        });
+                    }
+                }, "flushClientPingsToDb");
+            } catch (error) {
+                logger.error(
+                    `Failed to flush client ping batch (${batch.length} clients), re-queuing for next cycle`,
+                    { error }
+                );
+                for (const [clientId, timestamp] of batch) {
+                    const existing = pendingClientPings.get(clientId);
+                    if (!existing || existing < timestamp) {
+                        pendingClientPings.set(clientId, timestamp);
+                    }
+                }
+            }
+        }
+    }
+
+    // ── Flush OLM archive resets ───────────────────────────────────────
+    if (olmResetsToFlush.size > 0) {
+        const olmIds = Array.from(olmResetsToFlush).sort();
+
+        const BATCH_SIZE = 50;
+        for (let i = 0; i < olmIds.length; i += BATCH_SIZE) {
+            const batch = olmIds.slice(i, i + BATCH_SIZE);
+
+            try {
+                await withRetry(async () => {
+                    await db
+                        .update(olms)
+                        .set({ archived: false })
+                        .where(inArray(olms.olmId, batch));
+                }, "flushOlmArchiveResets");
+            } catch (error) {
+                logger.error(
+                    `Failed to flush OLM archive reset batch (${batch.length} olms), re-queuing for next cycle`,
+                    { error }
+                );
+                for (const olmId of batch) {
+                    pendingOlmArchiveResets.add(olmId);
+                }
+            }
+        }
+    }
+}
+
+/**
+ * Flush everything — called by the interval timer and during shutdown.
+ */
+export async function flushPingsToDb(): Promise<void> {
+    await flushSitePingsToDb();
+    await flushClientPingsToDb();
+}
+
+// ── Retry / Error Helpers ──────────────────────────────────────────────
+
+/**
+ * Simple retry wrapper with exponential backoff for transient errors
+ * (connection timeouts, unexpected disconnects).
+ */
+async function withRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isTransientError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Transient DB error in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+/**
+ * Detect transient connection errors that are safe to retry.
+ */
+function isTransientError(error: any): boolean {
+    if (!error) return false;
+
+    const message = (error.message || "").toLowerCase();
+    const causeMessage = (error.cause?.message || "").toLowerCase();
+    const code = error.code || "";
+
+    // Connection timeout / terminated
+    if (
+        message.includes("connection timeout") ||
+        message.includes("connection terminated") ||
+        message.includes("timeout exceeded when trying to connect") ||
+        causeMessage.includes("connection terminated unexpectedly") ||
+        causeMessage.includes("connection timeout")
+    ) {
+        return true;
+    }
+
+    // PostgreSQL deadlock
+    if (code === "40P01" || message.includes("deadlock")) {
+        return true;
+    }
+
+    // ECONNRESET, ECONNREFUSED, EPIPE
+    if (
+        code === "ECONNRESET" ||
+        code === "ECONNREFUSED" ||
+        code === "EPIPE" ||
+        code === "ETIMEDOUT"
+    ) {
+        return true;
+    }
+
+    return false;
+}
+
+// ── Lifecycle ──────────────────────────────────────────────────────────
+
+/**
+ * Start the background flush timer. Call this once at server startup.
+ */
+export function startPingAccumulator(): void {
+    if (flushTimer) {
+        return; // Already running
+    }
+
+    flushTimer = setInterval(async () => {
+        try {
+            await flushPingsToDb();
+        } catch (error) {
+            logger.error("Unhandled error in ping accumulator flush", {
+                error
+            });
+        }
+    }, FLUSH_INTERVAL_MS);
+
+    // Don't prevent the process from exiting
+    flushTimer.unref();
+
+    logger.info(
+        `Ping accumulator started (flush interval: ${FLUSH_INTERVAL_MS}ms)`
+    );
+}
+
+/**
+ * Stop the background flush timer and perform a final flush.
+ * Call this during graceful shutdown.
+ */
+export async function stopPingAccumulator(): Promise<void> {
+    if (flushTimer) {
+        clearInterval(flushTimer);
+        flushTimer = null;
+    }
+
+    // Final flush to persist any remaining pings
+    try {
+        await flushPingsToDb();
+    } catch (error) {
+        logger.error("Error during final ping accumulator flush", { error });
+    }
+
+    logger.info("Ping accumulator stopped");
+}
+
+/**
+ * Get the number of pending (unflushed) pings. Useful for monitoring.
+ */
+export function getPendingPingCount(): number {
+    return pendingSitePings.size + pendingClientPings.size;
+}
\ No newline at end of file
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 2734a63bc..027e7ec15 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -8,7 +8,9 @@ import {
     ExitNode,
     exitNodes,
     sites,
-    clientSitesAssociationsCache
+    clientSitesAssociationsCache,
+    olmSessions,
+    olmSessions
 } from "@server/db";
 import { olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
diff --git a/server/routers/olm/handleOlmPingMessage.ts b/server/routers/olm/handleOlmPingMessage.ts
index efcbf1696..0f520b234 100644
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -3,6 +3,7 @@ import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { clients, olms, Olm } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
+import { recordClientPing } from "@server/routers/newt/pingAccumulator";
 import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
@@ -201,22 +202,12 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
             await sendOlmSyncMessage(olm, client);
         }
 
-        // Update the client's last ping timestamp
-        await db
-            .update(clients)
-            .set({
-                lastPing: Math.floor(Date.now() / 1000),
-                online: true,
-                archived: false
-            })
-            .where(eq(clients.clientId, olm.clientId));
-
-        if (olm.archived) {
-            await db
-                .update(olms)
-                .set({ archived: false })
-                .where(eq(olms.olmId, olm.olmId));
-        }
+        // Record the ping in memory; it will be flushed to the database
+        // periodically by the ping accumulator (every ~10s) in a single
+        // batched UPDATE instead of one query per ping. This prevents
+        // connection pool exhaustion under load, especially with
+        // cross-region latency to the database.
+        recordClientPing(olm.clientId, olm.olmId, !!olm.archived);
     } catch (error) {
         logger.error("Error handling ping message", { error });
     }
diff --git a/server/routers/ws/messageHandlers.ts b/server/routers/ws/messageHandlers.ts
index 628caafd5..143e4d516 100644
--- a/server/routers/ws/messageHandlers.ts
+++ b/server/routers/ws/messageHandlers.ts
@@ -11,6 +11,7 @@ import {
     startNewtOfflineChecker,
     handleNewtDisconnectingMessage
 } from "../newt";
+import { startPingAccumulator } from "../newt/pingAccumulator";
 import {
     handleOlmRegisterMessage,
     handleOlmRelayMessage,
@@ -46,6 +47,10 @@ export const messageHandlers: Record<string, MessageHandler> = {
     "ws/round-trip/complete": handleRoundTripMessage
 };
 
+// Start the ping accumulator for all builds — it batches per-site online/lastPing
+// updates into periodic bulk writes, preventing connection pool exhaustion.
+startPingAccumulator();
+
 if (build != "saas") {
     startOlmOfflineChecker(); // this is to handle the offline check for olms
     startNewtOfflineChecker(); // this is to handle the offline check for newts
diff --git a/server/routers/ws/ws.ts b/server/routers/ws/ws.ts
index 08a7dbd4c..6e6312715 100644
--- a/server/routers/ws/ws.ts
+++ b/server/routers/ws/ws.ts
@@ -6,6 +6,7 @@ import { Socket } from "net";
 import { Newt, newts, NewtSession, olms, Olm, OlmSession, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
+import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import { messageHandlers } from "./messageHandlers";
@@ -386,22 +387,14 @@ const setupConnection = async (
     // the same as modern newt clients.
     if (clientType === "newt") {
         const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
             if (!newtClient.siteId) return;
-            try {
-                await db
-                    .update(sites)
-                    .set({
-                        online: true,
-                        lastPing: Math.floor(Date.now() / 1000)
-                    })
-                    .where(eq(sites.siteId, newtClient.siteId));
-            } catch (error) {
-                logger.error(
-                    "Error updating newt site online state on WS ping",
-                    { error }
-                );
-            }
+            // Record the ping in the accumulator instead of writing to the
+            // database on every WS ping frame. The accumulator flushes all
+            // pending pings in a single batched UPDATE every ~10s, which
+            // prevents connection pool exhaustion under load (especially
+            // with cross-region latency to the database).
+            recordPing(newtClient.siteId);
         });
     }
 

From 6bb6cf8a48dd99f291657b02ed6b99fba4aab144 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 17:54:51 -0700
Subject: [PATCH 045/122] Clean up

---
 server/private/routers/ws/ws.ts     |  5 -----
 server/routers/newt/getNewtToken.ts | 19 -------------------
 server/routers/olm/getOlmToken.ts   |  2 --
 3 files changed, 26 deletions(-)

diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index d96c55c91..67b83f931 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -19,14 +19,9 @@ import { Socket } from "net";
 import {
     Newt,
     newts,
-    NewtSession,
-    olms,
     Olm,
-    OlmSession,
     RemoteExitNode,
-    RemoteExitNodeSession,
     remoteExitNodes,
-    sites
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index bc3cca9fc..9d3da7e97 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -92,25 +92,6 @@ export async function getNewtToken(
             );
         }
 
-        const [existingSession] = await db
-            .select()
-            .from(newtSessions)
-            .where(eq(newtSessions.newtId, existingNewt.newtId));
-
-        // if the session still has time in the expires, reuse it
-        if (existingSession && (existingSession.expiresAt + 30 * 60 * 1000) > Date.now()) {
-            return response<{ token: string; serverVersion: string }>(res, {
-                data: {
-                    token: existingSession.sessionId,
-                    serverVersion: APP_VERSION
-                },
-                success: true,
-                error: false,
-                message: "Token created successfully",
-                status: HttpCode.OK
-            });
-        }
-
         // otherwise generate a new one
         const resToken = generateSessionToken();
         await createNewtSession(resToken, existingNewt.newtId);
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 027e7ec15..741b29f0a 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -9,8 +9,6 @@ import {
     exitNodes,
     sites,
     clientSitesAssociationsCache,
-    olmSessions,
-    olmSessions
 } from "@server/db";
 import { olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";

From 9b84623d0c40a89b2aa1f9e8a7242b35e445d558 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 18:12:51 -0700
Subject: [PATCH 046/122] Cache token for thundering hurd

---
 server/lib/tokenCache.ts                      | 22 ++++++
 server/private/lib/cache.ts                   | 13 ++++
 server/private/lib/tokenCache.ts              | 77 +++++++++++++++++++
 .../remoteExitNode/getRemoteExitNodeToken.ts  | 25 ++++--
 server/routers/newt/getNewtToken.ts           | 18 ++++-
 server/routers/olm/getOlmToken.ts             | 19 ++++-
 6 files changed, 161 insertions(+), 13 deletions(-)
 create mode 100644 server/lib/tokenCache.ts
 create mode 100644 server/private/lib/tokenCache.ts

diff --git a/server/lib/tokenCache.ts b/server/lib/tokenCache.ts
new file mode 100644
index 000000000..022f46c15
--- /dev/null
+++ b/server/lib/tokenCache.ts
@@ -0,0 +1,22 @@
+/**
+ * Returns a cached plaintext token from Redis if one exists and decrypts
+ * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
+ * encrypted value in Redis with the given TTL, and returns it.
+ *
+ * Failures at the Redis layer are non-fatal – the function always falls
+ * through to session creation so the caller is never blocked by a Redis outage.
+ *
+ * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
+ * @param secret     Server secret used for AES encryption/decryption
+ * @param ttlSeconds Cache TTL in seconds (should match session expiry)
+ * @param createSession Factory that mints a new session and returns its raw token
+ */
+export async function getOrCreateCachedToken(
+    cacheKey: string,
+    secret: string,
+    ttlSeconds: number,
+    createSession: () => Promise<string>
+): Promise<string> {
+    const token = await createSession();
+    return token;
+}
diff --git a/server/private/lib/cache.ts b/server/private/lib/cache.ts
index e8c03ba3d..1a2006d46 100644
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import NodeCache from "node-cache";
 import logger from "@server/logger";
 import { redisManager } from "@server/private/lib/redis";
diff --git a/server/private/lib/tokenCache.ts b/server/private/lib/tokenCache.ts
new file mode 100644
index 000000000..bb6645688
--- /dev/null
+++ b/server/private/lib/tokenCache.ts
@@ -0,0 +1,77 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import redisManager from "#dynamic/lib/redis";
+import { encrypt, decrypt } from "@server/lib/crypto";
+import logger from "@server/logger";
+
+/**
+ * Returns a cached plaintext token from Redis if one exists and decrypts
+ * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
+ * encrypted value in Redis with the given TTL, and returns it.
+ *
+ * Failures at the Redis layer are non-fatal – the function always falls
+ * through to session creation so the caller is never blocked by a Redis outage.
+ *
+ * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
+ * @param secret     Server secret used for AES encryption/decryption
+ * @param ttlSeconds Cache TTL in seconds (should match session expiry)
+ * @param createSession Factory that mints a new session and returns its raw token
+ */
+export async function getOrCreateCachedToken(
+    cacheKey: string,
+    secret: string,
+    ttlSeconds: number,
+    createSession: () => Promise<string>
+): Promise<string> {
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const cached = await redisManager.get(cacheKey);
+            if (cached) {
+                const token = decrypt(cached, secret);
+                if (token) {
+                    logger.debug(`Token cache hit for key: ${cacheKey}`);
+                    return token;
+                }
+                // Decryption produced an empty string – treat as a miss
+                logger.warn(
+                    `Token cache decryption returned empty string for key: ${cacheKey}, treating as miss`
+                );
+            }
+        } catch (e) {
+            logger.warn(
+                `Token cache read/decrypt failed for key ${cacheKey}, falling through to session creation:`,
+                e
+            );
+        }
+    }
+
+    const token = await createSession();
+
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const encrypted = encrypt(token, secret);
+            await redisManager.set(cacheKey, encrypted, ttlSeconds);
+            logger.debug(
+                `Token cached in Redis for key: ${cacheKey} (TTL ${ttlSeconds}s)`
+            );
+        } catch (e) {
+            logger.warn(
+                `Token cache write failed for key ${cacheKey} (session was still created):`,
+                e
+            );
+        }
+    }
+
+    return token;
+}
diff --git a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
index 24f0de159..025e2d34e 100644
--- a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
+++ b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
@@ -23,8 +23,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
     createRemoteExitNodeSession,
-    validateRemoteExitNodeSessionToken
+    validateRemoteExitNodeSessionToken,
+    EXPIRES
 } from "#private/auth/sessions/remoteExitNode";
+import { getOrCreateCachedToken } from "@server/private/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -103,14 +105,23 @@ export async function getRemoteExitNodeToken(
             );
         }
 
-        const resToken = generateSessionToken();
-        await createRemoteExitNodeSession(
-            resToken,
-            existingRemoteExitNode.remoteExitNodeId
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `remote_exit_node:token_cache:${existingRemoteExitNode.remoteExitNodeId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createRemoteExitNodeSession(
+                    token,
+                    existingRemoteExitNode.remoteExitNodeId
+                );
+                return token;
+            }
         );
 
-        // logger.debug(`Created RemoteExitNode token response: ${JSON.stringify(resToken)}`);
-
         return response<{ token: string }>(res, {
             data: {
                 token: resToken
diff --git a/server/routers/newt/getNewtToken.ts b/server/routers/newt/getNewtToken.ts
index 9d3da7e97..c5abb9968 100644
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,6 +1,8 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
 import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
+import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
+import { EXPIRES } from "@server/auth/sessions/newt";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
 import { eq } from "drizzle-orm";
@@ -92,9 +94,19 @@ export async function getNewtToken(
             );
         }
 
-        // otherwise generate a new one
-        const resToken = generateSessionToken();
-        await createNewtSession(resToken, existingNewt.newtId);
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `newt:token_cache:${existingNewt.newtId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createNewtSession(token, existingNewt.newtId);
+                return token;
+            }
+        );
 
         return response<{ token: string; serverVersion: string }>(res, {
             data: {
diff --git a/server/routers/olm/getOlmToken.ts b/server/routers/olm/getOlmToken.ts
index 741b29f0a..5b8411eb7 100644
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -20,8 +20,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
     createOlmSession,
-    validateOlmSessionToken
+    validateOlmSessionToken,
+    EXPIRES
 } from "@server/auth/sessions/olm";
+import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -132,8 +134,19 @@ export async function getOlmToken(
 
         logger.debug("Creating new olm session token");
 
-        const resToken = generateSessionToken();
-        await createOlmSession(resToken, existingOlm.olmId);
+        // Return a cached token if one exists to prevent thundering herd on
+        // simultaneous restarts; falls back to creating a fresh session when
+        // Redis is unavailable or the cache has expired.
+        const resToken = await getOrCreateCachedToken(
+            `olm:token_cache:${existingOlm.olmId}`,
+            config.getRawConfig().server.secret!,
+            Math.floor(EXPIRES / 1000),
+            async () => {
+                const token = generateSessionToken();
+                await createOlmSession(token, existingOlm.olmId);
+                return token;
+            }
+        );
 
         let clientIdToUse;
         if (orgId) {

From 99a064b77af0d84f8d996885bb4ee5db5dfb5305 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 24 Mar 2026 20:27:34 -0700
Subject: [PATCH 047/122] Fix import problems

---
 server/private/lib/tokenCache.ts | 2 +-
 server/private/routers/ws/ws.ts  | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/private/lib/tokenCache.ts b/server/private/lib/tokenCache.ts
index bb6645688..284f1d698 100644
--- a/server/private/lib/tokenCache.ts
+++ b/server/private/lib/tokenCache.ts
@@ -11,7 +11,7 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import redisManager from "#dynamic/lib/redis";
+import redisManager from "#private/lib/redis";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
 
diff --git a/server/private/routers/ws/ws.ts b/server/private/routers/ws/ws.ts
index 67b83f931..21f4fad37 100644
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -20,6 +20,7 @@ import {
     Newt,
     newts,
     Olm,
+    olms,
     RemoteExitNode,
     remoteExitNodes,
 } from "@server/db";

From c80c7df1d06266fbea9926159b86fd7bb675b178 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 25 Mar 2026 20:33:58 -0700
Subject: [PATCH 048/122] Batch set bandwidth

---
 server/routers/gerbil/receiveBandwidth.ts | 146 +++++++++++++---------
 1 file changed, 84 insertions(+), 62 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index b73ce986d..042c844aa 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { eq, sql } from "drizzle-orm";
-import { sites } from "@server/db";
+import { sql } from "drizzle-orm";
 import { db } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
@@ -31,7 +30,10 @@ const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;
 
 // How often to flush accumulated bandwidth data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+const FLUSH_INTERVAL_MS = 300_000; // 300 seconds
+
+// Maximum number of sites to include in a single batch UPDATE statement
+const BATCH_CHUNK_SIZE = 250;
 
 // In-memory accumulator: publicKey -> AccumulatorEntry
 let accumulator = new Map<string, AccumulatorEntry>();
@@ -75,13 +77,33 @@ async function withDeadlockRetry<T>(
     }
 }
 
+/**
+ * Execute a raw SQL query that returns rows, in a way that works across both
+ * the PostgreSQL driver (which exposes `execute`) and the SQLite driver (which
+ * exposes `all`).  Drizzle's typed query builder doesn't support bulk
+ * UPDATE … FROM (VALUES …) natively, so we drop to raw SQL here.
+ */
+async function dbQueryRows<T extends Record<string, unknown>>(
+    query: Parameters<(typeof sql)["join"]>[0][number]
+): Promise<T[]> {
+    const anyDb = db as any;
+    if (typeof anyDb.execute === "function") {
+        // PostgreSQL (node-postgres via Drizzle) — returns { rows: [...] } or an array
+        const result = await anyDb.execute(query);
+        return (Array.isArray(result) ? result : (result.rows ?? [])) as T[];
+    }
+    // SQLite (better-sqlite3 via Drizzle) — returns an array directly
+    return (await anyDb.all(query)) as T[];
+}
+
 /**
  * Flush all accumulated site bandwidth data to the database.
  *
  * Swaps out the accumulator before writing so that any bandwidth messages
  * received during the flush are captured in the new accumulator rather than
- * being lost or causing contention. Entries that fail to write are re-queued
- * back into the accumulator so they will be retried on the next flush.
+ * being lost or causing contention. Sites are updated in chunks via a single
+ * batch UPDATE per chunk. Failed chunks are discarded — exact per-flush
+ * accuracy is not critical and re-queuing is not worth the added complexity.
  *
  * This function is exported so that the application's graceful-shutdown
  * cleanup handler can call it before the process exits.
@@ -108,76 +130,76 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         `Flushing accumulated bandwidth data for ${sortedEntries.length} site(s) to the database`
     );
 
-    // Aggregate billing usage by org, collected during the DB update loop.
+    // Build a lookup so post-processing can reach each entry by publicKey.
+    const snapshotMap = new Map(sortedEntries);
+
+    // Aggregate billing usage by org across all chunks.
     const orgUsageMap = new Map<string, number>();
 
-    for (const [publicKey, { bytesIn, bytesOut, exitNodeId, calcUsage }] of sortedEntries) {
+    // Process in chunks so individual queries stay at a reasonable size.
+    for (let i = 0; i < sortedEntries.length; i += BATCH_CHUNK_SIZE) {
+        const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
+        const chunkEnd = i + chunk.length - 1;
+
+        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
+        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
+        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
+        // in a single query instead of N individual round-trips.
+        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
+            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+        );
+        const valuesClause = sql.join(valuesList, sql`, `);
+
+        let rows: { orgId: string; pubKey: string }[] = [];
+
         try {
-            const updatedSite = await withDeadlockRetry(async () => {
-                const [result] = await db
-                    .update(sites)
-                    .set({
-                        megabytesOut: sql`COALESCE(${sites.megabytesOut}, 0) + ${bytesIn}`,
-                        megabytesIn: sql`COALESCE(${sites.megabytesIn}, 0) + ${bytesOut}`,
-                        lastBandwidthUpdate: currentTime,
-                    })
-                    .where(eq(sites.pubKey, publicKey))
-                    .returning({
-                        orgId: sites.orgId,
-                        siteId: sites.siteId
-                    });
-                return result;
-            }, `flush bandwidth for site ${publicKey}`);
-
-            if (updatedSite) {
-                if (exitNodeId) {
-                    const notAllowed = await checkExitNodeOrg(
-                        exitNodeId,
-                        updatedSite.orgId
-                    );
-                    if (notAllowed) {
-                        logger.warn(
-                            `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
-                        );
-                        // Skip usage tracking for this site but continue
-                        // processing the rest.
-                        continue;
-                    }
-                }
-
-                if (calcUsage) {
-                    const totalBandwidth = bytesIn + bytesOut;
-                    const current = orgUsageMap.get(updatedSite.orgId) ?? 0;
-                    orgUsageMap.set(updatedSite.orgId, current + totalBandwidth);
-                }
-            }
+            rows = await withDeadlockRetry(async () => {
+                return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
+                    UPDATE sites
+                    SET
+                        "bytesOut"            = COALESCE("bytesOut", 0) + v.bytes_in,
+                        "bytesIn"             = COALESCE("bytesIn", 0)  + v.bytes_out,
+                        "lastBandwidthUpdate" = ${currentTime}
+                    FROM (VALUES ${valuesClause}) AS v(pub_key, bytes_in, bytes_out)
+                    WHERE sites."pubKey" = v.pub_key
+                    RETURNING sites."orgId" AS "orgId", sites."pubKey" AS "pubKey"
+                `);
+            }, `flush bandwidth chunk [${i}–${chunkEnd}]`);
         } catch (error) {
             logger.error(
-                `Failed to flush bandwidth for site ${publicKey}:`,
+                `Failed to flush bandwidth chunk [${i}–${chunkEnd}], discarding ${chunk.length} site(s):`,
                 error
             );
+            // Discard the chunk — exact per-flush accuracy is not critical.
+            continue;
+        }
 
-            // Re-queue the failed entry so it is retried on the next flush
-            // rather than silently dropped.
-            const existing = accumulator.get(publicKey);
-            if (existing) {
-                existing.bytesIn += bytesIn;
-                existing.bytesOut += bytesOut;
-            } else {
-                accumulator.set(publicKey, {
-                    bytesIn,
-                    bytesOut,
-                    exitNodeId,
-                    calcUsage
-                });
+        // Collect billing usage from the returned rows.
+        for (const { orgId, pubKey } of rows) {
+            const entry = snapshotMap.get(pubKey);
+            if (!entry) continue;
+
+            const { bytesIn, bytesOut, exitNodeId, calcUsage } = entry;
+
+            if (exitNodeId) {
+                const notAllowed = await checkExitNodeOrg(exitNodeId, orgId);
+                if (notAllowed) {
+                    logger.warn(
+                        `Exit node ${exitNodeId} is not allowed for org ${orgId}`
+                    );
+                    continue;
+                }
+            }
+
+            if (calcUsage) {
+                const current = orgUsageMap.get(orgId) ?? 0;
+                orgUsageMap.set(orgId, current + bytesIn + bytesOut);
             }
         }
     }
 
-    // Process billing usage updates outside the site-update loop to keep
-    // lock scope small and concerns separated.
+    // Process billing usage updates after all chunks are written.
     if (orgUsageMap.size > 0) {
-        // Sort org IDs for consistent lock ordering.
         const sortedOrgIds = [...orgUsageMap.keys()].sort();
 
         for (const orgId of sortedOrgIds) {

From b4ca6432dba2ea012c962da5ce0ffb03d8b20f2d Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 26 Mar 2026 16:24:44 -0700
Subject: [PATCH 049/122] Fix double id

---
 src/components/CreateSiteProvisioningKeyCredenza.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index 70c48ff08..e18bbbd06 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -150,7 +150,7 @@ export default function CreateSiteProvisioningKeyCredenza({
 
     const credential =
         created &&
-        `${created.siteProvisioningKeyId}.${created.siteProvisioningKey}`;
+        created.siteProvisioningKey;
 
     const unlimitedBatchSize = form.watch("unlimitedBatchSize");
 

From e13a0769396a6d8cf8293cc96b8a3606c953950f Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 16:37:31 -0700
Subject: [PATCH 050/122] ui improvements

---
 messages/bg-BG.json                           |   1 +
 messages/cs-CZ.json                           |   1 +
 messages/de-DE.json                           |   1 +
 messages/en-US.json                           |   1 +
 messages/es-ES.json                           |   1 +
 messages/fr-FR.json                           |   1 +
 messages/it-IT.json                           |   1 +
 messages/ko-KR.json                           |   1 +
 messages/nb-NO.json                           |   1 +
 messages/nl-NL.json                           |   1 +
 messages/pl-PL.json                           |   1 +
 messages/pt-PT.json                           |   1 +
 messages/ru-RU.json                           |   1 +
 messages/tr-TR.json                           |   1 +
 messages/zh-CN.json                           |   1 +
 messages/zh-TW.json                           |   1 +
 server/auth/actions.ts                        |   5 +-
 server/db/queries/verifySessionQueries.ts     |  42 ---
 server/middlewares/index.ts                   |   1 +
 server/middlewares/integration/index.ts       |   1 +
 .../verifyApiKeyCanSetUserOrgRoles.ts         |  74 ++++++
 .../verifyUserCanSetUserOrgRoles.ts           |  54 ++++
 server/routers/external.ts                    |  11 +
 server/routers/integration.ts                 |  11 +
 server/routers/user/index.ts                  |   1 +
 server/routers/user/listUsers.ts              |  30 ++-
 server/routers/user/setUserOrgRoles.ts        | 151 +++++++++++
 .../users/[userId]/access-controls/page.tsx   | 239 ++++++++----------
 .../[orgId]/settings/access/users/page.tsx    |  13 +-
 .../proxy/[niceId]/authentication/page.tsx    |   9 +-
 src/components/PermissionsSelectBox.tsx       |   3 +-
 src/components/UsersTable.tsx                 |  75 +++++-
 src/components/ui/badge.tsx                   |   2 +-
 33 files changed, 533 insertions(+), 205 deletions(-)
 create mode 100644 server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
 create mode 100644 server/middlewares/verifyUserCanSetUserOrgRoles.ts
 create mode 100644 server/routers/user/setUserOrgRoles.ts

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 0b96141e9..10b83f38d 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Изтрийте потребител",
     "actionListUsers": "Изброяване на потребители",
     "actionAddUserRole": "Добавяне на роля на потребител",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Генериране на токен за достъп",
     "actionDeleteAccessToken": "Изтриване на токен за достъп",
     "actionListAccessTokens": "Изброяване на токени за достъп",
diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index cb5372b36..ea12fe535 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Odstranit uživatele",
     "actionListUsers": "Seznam uživatelů",
     "actionAddUserRole": "Přidat uživatelskou roli",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generovat přístupový token",
     "actionDeleteAccessToken": "Odstranit přístupový token",
     "actionListAccessTokens": "Seznam přístupových tokenů",
diff --git a/messages/de-DE.json b/messages/de-DE.json
index 150a8597e..cef7223fb 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Benutzer entfernen",
     "actionListUsers": "Benutzer auflisten",
     "actionAddUserRole": "Benutzerrolle hinzufügen",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Zugriffstoken generieren",
     "actionDeleteAccessToken": "Zugriffstoken löschen",
     "actionListAccessTokens": "Zugriffstoken auflisten",
diff --git a/messages/en-US.json b/messages/en-US.json
index 895ee1332..cdfd57110 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1150,6 +1150,7 @@
     "actionRemoveUser": "Remove User",
     "actionListUsers": "List Users",
     "actionAddUserRole": "Add User Role",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generate Access Token",
     "actionDeleteAccessToken": "Delete Access Token",
     "actionListAccessTokens": "List Access Tokens",
diff --git a/messages/es-ES.json b/messages/es-ES.json
index e33a85ace..2fc52b885 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Eliminar usuario",
     "actionListUsers": "Listar usuarios",
     "actionAddUserRole": "Añadir rol de usuario",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generar token de acceso",
     "actionDeleteAccessToken": "Eliminar token de acceso",
     "actionListAccessTokens": "Lista de Tokens de Acceso",
diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index ec3dbffb8..2b3368a07 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Supprimer un utilisateur",
     "actionListUsers": "Lister les utilisateurs",
     "actionAddUserRole": "Ajouter un rôle utilisateur",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Générer un jeton d'accès",
     "actionDeleteAccessToken": "Supprimer un jeton d'accès",
     "actionListAccessTokens": "Lister les jetons d'accès",
diff --git a/messages/it-IT.json b/messages/it-IT.json
index adab7879a..6891cd290 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Rimuovi Utente",
     "actionListUsers": "Elenca Utenti",
     "actionAddUserRole": "Aggiungi Ruolo Utente",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Genera Token di Accesso",
     "actionDeleteAccessToken": "Elimina Token di Accesso",
     "actionListAccessTokens": "Elenca Token di Accesso",
diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 59f464305..02915abd7 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "사용자 제거",
     "actionListUsers": "사용자 목록",
     "actionAddUserRole": "사용자 역할 추가",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "액세스 토큰 생성",
     "actionDeleteAccessToken": "액세스 토큰 삭제",
     "actionListAccessTokens": "액세스 토큰 목록",
diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index e8a9fa9a3..50ec9a717 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Fjern bruker",
     "actionListUsers": "List opp brukere",
     "actionAddUserRole": "Legg til brukerrolle",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Generer tilgangstoken",
     "actionDeleteAccessToken": "Slett tilgangstoken",
     "actionListAccessTokens": "List opp tilgangstokener",
diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 32580cc45..f0eaff3fd 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Gebruiker verwijderen",
     "actionListUsers": "Gebruikers weergeven",
     "actionAddUserRole": "Gebruikersrol toevoegen",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Genereer Toegangstoken",
     "actionDeleteAccessToken": "Verwijder toegangstoken",
     "actionListAccessTokens": "Lijst toegangstokens",
diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index ba0587b94..998fcc880 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Usuń użytkownika",
     "actionListUsers": "Lista użytkowników",
     "actionAddUserRole": "Dodaj rolę użytkownika",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Wygeneruj token dostępu",
     "actionDeleteAccessToken": "Usuń token dostępu",
     "actionListAccessTokens": "Lista tokenów dostępu",
diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 3ce98fff6..b121f4b16 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Remover Utilizador",
     "actionListUsers": "Listar Utilizadores",
     "actionAddUserRole": "Adicionar Função ao Utilizador",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Gerar Token de Acesso",
     "actionDeleteAccessToken": "Eliminar Token de Acesso",
     "actionListAccessTokens": "Listar Tokens de Acesso",
diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 12043d8a2..0d42245e4 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Удалить пользователя",
     "actionListUsers": "Список пользователей",
     "actionAddUserRole": "Добавить роль пользователя",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Сгенерировать токен доступа",
     "actionDeleteAccessToken": "Удалить токен доступа",
     "actionListAccessTokens": "Список токенов доступа",
diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 362f891fb..2bfed7fb3 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "Kullanıcıyı Kaldır",
     "actionListUsers": "Kullanıcıları Listele",
     "actionAddUserRole": "Kullanıcı Rolü Ekle",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "Erişim Jetonu Oluştur",
     "actionDeleteAccessToken": "Erişim Jetonunu Sil",
     "actionListAccessTokens": "Erişim Jetonlarını Listele",
diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index a7f2682fa..f297d1ea9 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -1148,6 +1148,7 @@
     "actionRemoveUser": "删除用户",
     "actionListUsers": "列出用户",
     "actionAddUserRole": "添加用户角色",
+    "actionSetUserOrgRoles": "Set User Roles",
     "actionGenerateAccessToken": "生成访问令牌",
     "actionDeleteAccessToken": "删除访问令牌",
     "actionListAccessTokens": "访问令牌",
diff --git a/messages/zh-TW.json b/messages/zh-TW.json
index 1ae6a5156..8b9d05f53 100644
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -1091,6 +1091,7 @@
   "actionRemoveUser": "刪除用戶",
   "actionListUsers": "列出用戶",
   "actionAddUserRole": "添加用戶角色",
+  "actionSetUserOrgRoles": "Set User Roles",
   "actionGenerateAccessToken": "生成訪問令牌",
   "actionDeleteAccessToken": "刪除訪問令牌",
   "actionListAccessTokens": "訪問令牌",
diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 6a5ed15dc..ae5136659 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -4,6 +4,7 @@ import { userActions, roleActions } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export enum ActionsEnum {
     createOrgUser = "createOrgUser",
@@ -54,6 +55,7 @@ export enum ActionsEnum {
     // listRoleActions = "listRoleActions",
     addUserRole = "addUserRole",
     removeUserRole = "removeUserRole",
+    setUserOrgRoles = "setUserOrgRoles",
     // addUserSite = "addUserSite",
     // addUserAction = "addUserAction",
     // removeUserAction = "removeUserAction",
@@ -158,9 +160,6 @@ export async function checkUserActionPermission(
         let userOrgRoleIds = req.userOrgRoleIds;
 
         if (userOrgRoleIds === undefined) {
-            const { getUserOrgRoleIds } = await import(
-                "@server/lib/userOrgRoles"
-            );
             userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
             if (userOrgRoleIds.length === 0) {
                 throw createHttpError(
diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts
index 469df590d..66f968b02 100644
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -104,48 +104,6 @@ export async function getUserSessionWithUser(
     };
 }
 
-/**
- * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
- * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
- */
-export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrg = await db
-        .select({
-            userId: userOrgs.userId,
-            orgId: userOrgs.orgId,
-            isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned
-        })
-        .from(userOrgs)
-        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-        .limit(1);
-
-    if (userOrg.length === 0) return null;
-
-    const [firstRole] = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        )
-        .limit(1);
-
-    return firstRole
-        ? {
-              ...userOrg[0],
-              roleId: firstRole.roleId,
-              roleName: firstRole.roleName
-          }
-        : { ...userOrg[0], roleId: null, roleName: null };
-}
-
 /**
  * Get role name by role ID (for display).
  */
diff --git a/server/middlewares/index.ts b/server/middlewares/index.ts
index 6437c90e2..435ccdb23 100644
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -17,6 +17,7 @@ export * from "./verifyAccessTokenAccess";
 export * from "./requestTimeout";
 export * from "./verifyClientAccess";
 export * from "./verifyUserHasAction";
+export * from "./verifyUserCanSetUserOrgRoles";
 export * from "./verifyUserIsServerAdmin";
 export * from "./verifyIsLoggedInUser";
 export * from "./verifyIsLoggedInUser";
diff --git a/server/middlewares/integration/index.ts b/server/middlewares/integration/index.ts
index df186c1c8..8a213c6d2 100644
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -1,6 +1,7 @@
 export * from "./verifyApiKey";
 export * from "./verifyApiKeyOrgAccess";
 export * from "./verifyApiKeyHasAction";
+export * from "./verifyApiKeyCanSetUserOrgRoles";
 export * from "./verifyApiKeySiteAccess";
 export * from "./verifyApiKeyResourceAccess";
 export * from "./verifyApiKeyTargetAccess";
diff --git a/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts b/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
new file mode 100644
index 000000000..894665095
--- /dev/null
+++ b/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
@@ -0,0 +1,74 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import logger from "@server/logger";
+import { ActionsEnum } from "@server/auth/actions";
+import { db } from "@server/db";
+import { apiKeyActions } from "@server/db";
+import { and, eq } from "drizzle-orm";
+
+async function apiKeyHasAction(apiKeyId: string, actionId: ActionsEnum) {
+    const [row] = await db
+        .select()
+        .from(apiKeyActions)
+        .where(
+            and(
+                eq(apiKeyActions.apiKeyId, apiKeyId),
+                eq(apiKeyActions.actionId, actionId)
+            )
+        );
+    return !!row;
+}
+
+/**
+ * Allows setUserOrgRoles on the key, or both addUserRole and removeUserRole.
+ */
+export function verifyApiKeyCanSetUserOrgRoles() {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        try {
+            if (!req.apiKey) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "API Key not authenticated"
+                    )
+                );
+            }
+
+            const keyId = req.apiKey.apiKeyId;
+
+            if (await apiKeyHasAction(keyId, ActionsEnum.setUserOrgRoles)) {
+                return next();
+            }
+
+            const hasAdd = await apiKeyHasAction(keyId, ActionsEnum.addUserRole);
+            const hasRemove = await apiKeyHasAction(
+                keyId,
+                ActionsEnum.removeUserRole
+            );
+
+            if (hasAdd && hasRemove) {
+                return next();
+            }
+
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have permission perform this action"
+                )
+            );
+        } catch (error) {
+            logger.error("Error verifying API key set user org roles:", error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Error verifying key action access"
+                )
+            );
+        }
+    };
+}
diff --git a/server/middlewares/verifyUserCanSetUserOrgRoles.ts b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
new file mode 100644
index 000000000..1a7554ab3
--- /dev/null
+++ b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
@@ -0,0 +1,54 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import logger from "@server/logger";
+import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
+
+/**
+ * Allows the new setUserOrgRoles action, or legacy permission pair addUserRole + removeUserRole.
+ */
+export function verifyUserCanSetUserOrgRoles() {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        try {
+            const canSet = await checkUserActionPermission(
+                ActionsEnum.setUserOrgRoles,
+                req
+            );
+            if (canSet) {
+                return next();
+            }
+
+            const canAdd = await checkUserActionPermission(
+                ActionsEnum.addUserRole,
+                req
+            );
+            const canRemove = await checkUserActionPermission(
+                ActionsEnum.removeUserRole,
+                req
+            );
+
+            if (canAdd && canRemove) {
+                return next();
+            }
+
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have permission perform this action"
+                )
+            );
+        } catch (error) {
+            logger.error("Error verifying set user org roles access:", error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Error verifying role access"
+                )
+            );
+        }
+    };
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index bae7bb4db..bb331dc69 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -39,6 +39,7 @@ import {
     verifyApiKeyAccess,
     verifyDomainAccess,
     verifyUserHasAction,
+    verifyUserCanSetUserOrgRoles,
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
@@ -837,6 +838,16 @@ authenticated.post(
     user.updateOrgUser
 );
 
+authenticated.post(
+    "/org/:orgId/user/:userId/roles",
+    verifyOrgAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
+
 authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);
 authenticated.get("/org/:orgId/user/:userId/check", org.checkOrgUserAccess);
 
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index e77f82c83..32c06078b 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -16,6 +16,7 @@ import {
     verifyApiKey,
     verifyApiKeyOrgAccess,
     verifyApiKeyHasAction,
+    verifyApiKeyCanSetUserOrgRoles,
     verifyApiKeySiteAccess,
     verifyApiKeyResourceAccess,
     verifyApiKeyTargetAccess,
@@ -814,6 +815,16 @@ authenticated.post(
     user.updateOrgUser
 );
 
+authenticated.post(
+    "/org/:orgId/user/:userId/roles",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
+
 authenticated.delete(
     "/org/:orgId/user/:userId",
     verifyApiKeyOrgAccess,
diff --git a/server/routers/user/index.ts b/server/routers/user/index.ts
index a300e0092..0884e8a2b 100644
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -3,6 +3,7 @@ export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
 export * from "./removeUserRole";
+export * from "./setUserOrgRoles";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";
diff --git a/server/routers/user/listUsers.ts b/server/routers/user/listUsers.ts
index 37567f24e..fe7f6b250 100644
--- a/server/routers/user/listUsers.ts
+++ b/server/routers/user/listUsers.ts
@@ -5,11 +5,10 @@ import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { sql } from "drizzle-orm";
+import { and, eq, inArray, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq } from "drizzle-orm";
 
 const listUsersParamsSchema = z.strictObject({
     orgId: z.string()
@@ -56,15 +55,24 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
         .limit(limit)
         .offset(offset);
 
-    const roleRows = await db
-        .select({
-            userId: userOrgRoles.userId,
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(eq(userOrgRoles.orgId, orgId));
+    const userIds = rows.map((r) => r.id);
+    const roleRows =
+        userIds.length === 0
+            ? []
+            : await db
+                  .select({
+                      userId: userOrgRoles.userId,
+                      roleId: userOrgRoles.roleId,
+                      roleName: roles.name
+                  })
+                  .from(userOrgRoles)
+                  .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+                  .where(
+                      and(
+                          eq(userOrgRoles.orgId, orgId),
+                          inArray(userOrgRoles.userId, userIds)
+                      )
+                  );
 
     const rolesByUser = new Map<
         string,
diff --git a/server/routers/user/setUserOrgRoles.ts b/server/routers/user/setUserOrgRoles.ts
new file mode 100644
index 000000000..525c91729
--- /dev/null
+++ b/server/routers/user/setUserOrgRoles.ts
@@ -0,0 +1,151 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+const setUserOrgRolesParamsSchema = z.strictObject({
+    orgId: z.string(),
+    userId: z.string()
+});
+
+const setUserOrgRolesBodySchema = z.strictObject({
+    roleIds: z.array(z.int().positive()).min(1)
+});
+
+export async function setUserOrgRoles(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = setUserOrgRolesParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = setUserOrgRolesBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId, userId } = parsedParams.data;
+        const { roleIds } = parsedBody.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const uniqueRoleIds = [...new Set(roleIds)];
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found in this organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the roles of the owner of the organization"
+                )
+            );
+        }
+
+        const orgRoles = await db
+            .select({ roleId: roles.roleId })
+            .from(roles)
+            .where(
+                and(
+                    eq(roles.orgId, orgId),
+                    inArray(roles.roleId, uniqueRoleIds)
+                )
+            );
+
+        if (orgRoles.length !== uniqueRoleIds.length) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "One or more role IDs are invalid for this organization"
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, orgId)
+                    )
+                );
+
+            if (uniqueRoleIds.length > 0) {
+                await trx.insert(userOrgRoles).values(
+                    uniqueRoleIds.map((roleId) => ({
+                        userId,
+                        orgId,
+                        roleId
+                    }))
+                );
+            }
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(eq(clients.userId, userId), eq(clients.orgId, orgId))
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { userId, orgId, roleIds: uniqueRoleIds },
+            success: true,
+            error: false,
+            message: "User roles set successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 7a1dab309..6dcdf16fb 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -3,23 +3,18 @@
 import {
     Form,
     FormControl,
+    FormDescription,
     FormField,
     FormItem,
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
-import {
-    Select,
-    SelectContent,
-    SelectItem,
-    SelectTrigger,
-    SelectValue
-} from "@app/components/ui/select";
 import { Checkbox } from "@app/components/ui/checkbox";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { AxiosResponse } from "axios";
-import { useEffect, useState } from "react";
+import { useEffect, useMemo, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { ListRolesResponse } from "@server/routers/role";
@@ -42,12 +37,20 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
-import { Badge } from "@app/components/ui/badge";
 
-type UserRole = { roleId: number; name: string };
+const accessControlsFormSchema = z.object({
+    username: z.string(),
+    autoProvisioned: z.boolean(),
+    roles: z.array(
+        z.object({
+            id: z.string(),
+            text: z.string()
+        })
+    )
+});
 
 export default function AccessControlsPage() {
-    const { orgUser: user } = userOrgUserContext();
+    const { orgUser: user, updateOrgUser } = userOrgUserContext();
 
     const api = createApiClient(useEnvContext());
 
@@ -55,28 +58,34 @@ export default function AccessControlsPage() {
 
     const [loading, setLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [userRoles, setUserRoles] = useState<UserRole[]>([]);
+    const [activeRoleTagIndex, setActiveRoleTagIndex] = useState<number | null>(
+        null
+    );
 
     const t = useTranslations();
 
-    const formSchema = z.object({
-        username: z.string(),
-        autoProvisioned: z.boolean()
-    });
-
     const form = useForm({
-        resolver: zodResolver(formSchema),
+        resolver: zodResolver(accessControlsFormSchema),
         defaultValues: {
             username: user.username!,
-            autoProvisioned: user.autoProvisioned || false
+            autoProvisioned: user.autoProvisioned || false,
+            roles: (user.roles ?? []).map((r) => ({
+                id: r.roleId.toString(),
+                text: r.name
+            }))
         }
     });
 
     const currentRoleIds = user.roleIds ?? [];
-    const currentRoles: UserRole[] = user.roles ?? [];
 
     useEffect(() => {
-        setUserRoles(currentRoles);
+        form.setValue(
+            "roles",
+            (user.roles ?? []).map((r) => ({
+                id: r.roleId.toString(),
+                text: r.name
+            }))
+        );
     }, [user.userId, currentRoleIds.join(",")]);
 
     useEffect(() => {
@@ -104,59 +113,67 @@ export default function AccessControlsPage() {
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    async function handleAddRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.post(`/role/${roleId}/add/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            const role = roles.find((r) => r.roleId === roleId);
-            if (role) setUserRoles((prev) => [...prev, role]);
-        } catch (e) {
+    const allRoleOptions = useMemo(
+        () =>
+            roles
+                .map((role) => ({
+                    id: role.roleId.toString(),
+                    text: role.name
+                }))
+                .filter((role) => role.text !== "Admin"),
+        [roles]
+    );
+
+    function setRoleTags(
+        updater: Tag[] | ((prev: Tag[]) => Tag[])
+    ) {
+        const prev = form.getValues("roles");
+        const next = typeof updater === "function" ? updater(prev) : updater;
+
+        if (next.length === 0) {
             toast({
                 variant: "destructive",
                 title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
+                description: t("accessRoleSelectPlease")
             });
+            return;
         }
-        setLoading(false);
+
+        form.setValue("roles", next, { shouldDirty: true });
     }
 
-    async function handleRemoveRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.delete(`/role/${roleId}/remove/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            setUserRoles((prev) => prev.filter((r) => r.roleId !== roleId));
-        } catch (e) {
+    async function onSubmit(values: z.infer<typeof accessControlsFormSchema>) {
+        if (values.roles.length === 0) {
             toast({
                 variant: "destructive",
                 title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
+                description: t("accessRoleSelectPlease")
             });
+            return;
         }
-        setLoading(false);
-    }
 
-    async function onSubmit(values: z.infer<typeof formSchema>) {
         setLoading(true);
         try {
-            await api.post(`/org/${orgId}/user/${user.userId}`, {
+            const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
+            await Promise.all([
+                api.post(`/org/${orgId}/user/${user.userId}/roles`, {
+                    roleIds
+                }),
+                api.post(`/org/${orgId}/user/${user.userId}`, {
+                    autoProvisioned: values.autoProvisioned
+                })
+            ]);
+
+            updateOrgUser({
+                roleIds,
+                roles: values.roles.map((r) => ({
+                    roleId: parseInt(r.id, 10),
+                    name: r.text
+                })),
                 autoProvisioned: values.autoProvisioned
             });
+
             toast({
                 variant: "default",
                 title: t("userSaved"),
@@ -175,11 +192,6 @@ export default function AccessControlsPage() {
         setLoading(false);
     }
 
-    const availableRolesToAdd = roles.filter(
-        (r) => !userRoles.some((ur) => ur.roleId === r.roleId)
-    );
-    const canRemoveRole = userRoles.length > 1;
-
     return (
         <SettingsContainer>
             <SettingsSection>
@@ -216,72 +228,43 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormItem>
-                                    <FormLabel>{t("role")}</FormLabel>
-                                    <div className="flex flex-wrap gap-2 items-center">
-                                        {userRoles.map((r) => (
-                                            <Badge
-                                                key={r.roleId}
-                                                variant="secondary"
-                                                className="flex items-center gap-1"
-                                            >
-                                                {r.name}
-                                                {canRemoveRole && (
-                                                    <button
-                                                        type="button"
-                                                        onClick={() =>
-                                                            handleRemoveRole(
-                                                                r.roleId
-                                                            )
-                                                        }
-                                                        disabled={loading}
-                                                        className="ml-1 rounded hover:bg-muted"
-                                                        aria-label={`Remove ${r.name}`}
-                                                    >
-                                                        ×
-                                                    </button>
-                                                )}
-                                            </Badge>
-                                        ))}
-                                        {availableRolesToAdd.length > 0 && (
-                                            <Select
-                                                onValueChange={(value) => {
-                                                    handleAddRole(
-                                                        parseInt(value, 10)
-                                                    );
-                                                }}
-                                                disabled={loading}
-                                            >
-                                                <SelectTrigger className="w-[180px]">
-                                                    <SelectValue
-                                                        placeholder={t(
-                                                            "accessRoleSelect"
-                                                        )}
-                                                    />
-                                                </SelectTrigger>
-                                                <SelectContent>
-                                                    {availableRolesToAdd.map(
-                                                        (role) => (
-                                                            <SelectItem
-                                                                key={
-                                                                    role.roleId
-                                                                }
-                                                                value={role.roleId.toString()}
-                                                            >
-                                                                {role.name}
-                                                            </SelectItem>
-                                                        )
+                                <FormField
+                                    control={form.control}
+                                    name="roles"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-col items-start">
+                                            <FormLabel>{t("role")}</FormLabel>
+                                            <FormControl>
+                                                <TagInput
+                                                    {...field}
+                                                    activeTagIndex={
+                                                        activeRoleTagIndex
+                                                    }
+                                                    setActiveTagIndex={
+                                                        setActiveRoleTagIndex
+                                                    }
+                                                    placeholder={t(
+                                                        "accessRoleSelect2"
                                                     )}
-                                                </SelectContent>
-                                            </Select>
-                                        )}
-                                    </div>
-                                    {userRoles.length === 0 && (
-                                        <p className="text-sm text-muted-foreground">
-                                            {t("accessRoleSelectPlease")}
-                                        </p>
+                                                    size="sm"
+                                                    tags={field.value}
+                                                    setTags={setRoleTags}
+                                                    enableAutocomplete={true}
+                                                    autocompleteOptions={
+                                                        allRoleOptions
+                                                    }
+                                                    allowDuplicates={false}
+                                                    restrictTagsToAutocompleteOptions={
+                                                        true
+                                                    }
+                                                    sortTags={true}
+                                                    disabled={loading}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
                                     )}
-                                </FormItem>
+                                />
 
                                 {user.idpAutoProvision && (
                                     <FormField
@@ -299,9 +282,7 @@ export default function AccessControlsPage() {
                                                 </FormControl>
                                                 <div className="space-y-1 leading-none">
                                                     <FormLabel>
-                                                        {t(
-                                                            "autoProvisioned"
-                                                        )}
+                                                        {t("autoProvisioned")}
                                                     </FormLabel>
                                                     <p className="text-sm text-muted-foreground">
                                                         {t(
diff --git a/src/app/[orgId]/settings/access/users/page.tsx b/src/app/[orgId]/settings/access/users/page.tsx
index c64ee6396..812ac2b64 100644
--- a/src/app/[orgId]/settings/access/users/page.tsx
+++ b/src/app/[orgId]/settings/access/users/page.tsx
@@ -86,11 +86,14 @@ export default async function UsersPage(props: UsersPageProps) {
             idpId: user.idpId,
             idpName: user.idpName || t("idpNameInternal"),
             status: t("userConfirmed"),
-            role: user.isOwner
-                ? t("accessRoleOwner")
-                : user.roles?.length
-                  ? user.roles.map((r) => r.roleName).join(", ")
-                  : t("accessRoleMember"),
+            roleLabels: user.isOwner
+                ? [t("accessRoleOwner")]
+                : (() => {
+                      const names = (user.roles ?? [])
+                          .map((r) => r.roleName)
+                          .filter((n): n is string => Boolean(n?.length));
+                      return names.length ? names : [t("accessRoleMember")];
+                  })(),
             isOwner: user.isOwner || false
         };
     });
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
index a533fb6c3..414a9b652 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
@@ -129,12 +129,13 @@ export default function ResourceAuthenticationPage() {
             orgId: org.org.orgId
         })
     );
-    const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery(
-        orgQueries.identityProviders({
+    const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery({
+        ...orgQueries.identityProviders({
             orgId: org.org.orgId,
             useOrgOnlyIdp: env.app.identityProviderMode === "org"
-        })
-    );
+        }),
+        enabled: isPaidUser(tierMatrix.orgOidc)
+    });
 
     const pageLoading =
         isLoadingOrgRoles ||
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index 1f7c5279d..01be1aedb 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -95,7 +95,8 @@ function getActionsCategories(root: boolean) {
             [t("actionListRole")]: "listRoles",
             [t("actionUpdateRole")]: "updateRole",
             [t("actionListAllowedRoleResources")]: "listRoleResources",
-            [t("actionAddUserRole")]: "addUserRole"
+            [t("actionAddUserRole")]: "addUserRole",
+            [t("actionSetUserOrgRoles")]: "setUserOrgRoles"
         },
         "Access Token": {
             [t("actionGenerateAccessToken")]: "generateAccessToken",
diff --git a/src/components/UsersTable.tsx b/src/components/UsersTable.tsx
index 9b1dfee68..be1d6a345 100644
--- a/src/components/UsersTable.tsx
+++ b/src/components/UsersTable.tsx
@@ -12,6 +12,13 @@ import { Button } from "@app/components/ui/button";
 import { ArrowRight, ArrowUpDown, Crown, MoreHorizontal } from "lucide-react";
 import { UsersDataTable } from "@app/components/UsersDataTable";
 import { useState, useEffect } from "react";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@app/components/ui/popover";
+import { Badge, badgeVariants } from "@app/components/ui/badge";
+import { cn } from "@app/lib/cn";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { useOrgContext } from "@app/hooks/useOrgContext";
 import { toast } from "@app/hooks/useToast";
@@ -36,10 +43,65 @@ export type UserRow = {
     type: string;
     idpVariant: string | null;
     status: string;
-    role: string;
+    roleLabels: string[];
     isOwner: boolean;
 };
 
+const MAX_ROLE_BADGES = 3;
+
+function UserRoleBadges({ roleLabels }: { roleLabels: string[] }) {
+    const visible = roleLabels.slice(0, MAX_ROLE_BADGES);
+    const overflow = roleLabels.slice(MAX_ROLE_BADGES);
+
+    return (
+        <div className="flex flex-wrap items-center gap-1">
+            {visible.map((label, i) => (
+                <Badge key={`${label}-${i}`} variant="secondary">
+                    {label}
+                </Badge>
+            ))}
+            {overflow.length > 0 && (
+                <OverflowRolesPopover labels={overflow} />
+            )}
+        </div>
+    );
+}
+
+function OverflowRolesPopover({ labels }: { labels: string[] }) {
+    const [open, setOpen] = useState(false);
+
+    return (
+        <Popover open={open} onOpenChange={setOpen}>
+            <PopoverTrigger asChild>
+                <button
+                    type="button"
+                    className={cn(
+                        badgeVariants({ variant: "secondary" }),
+                        "border-dashed"
+                    )}
+                    onMouseEnter={() => setOpen(true)}
+                    onMouseLeave={() => setOpen(false)}
+                >
+                    +{labels.length}
+                </button>
+            </PopoverTrigger>
+            <PopoverContent
+                align="start"
+                side="top"
+                className="w-auto max-w-xs p-2"
+                onMouseEnter={() => setOpen(true)}
+                onMouseLeave={() => setOpen(false)}
+            >
+                <ul className="space-y-1 text-sm">
+                    {labels.map((label, i) => (
+                        <li key={`${label}-${i}`}>{label}</li>
+                    ))}
+                </ul>
+            </PopoverContent>
+        </Popover>
+    );
+}
+
 type UsersTableProps = {
     users: UserRow[];
 };
@@ -124,7 +186,8 @@ export default function UsersTable({ users: u }: UsersTableProps) {
             }
         },
         {
-            accessorKey: "role",
+            id: "role",
+            accessorFn: (row) => row.roleLabels.join(", "),
             friendlyName: t("role"),
             header: ({ column }) => {
                 return (
@@ -140,13 +203,7 @@ export default function UsersTable({ users: u }: UsersTableProps) {
                 );
             },
             cell: ({ row }) => {
-                const userRow = row.original;
-
-                return (
-                    <div className="flex flex-row items-center gap-2">
-                        <span>{userRow.role}</span>
-                    </div>
-                );
+                return <UserRoleBadges roleLabels={row.original.roleLabels} />;
             }
         },
         {
diff --git a/src/components/ui/badge.tsx b/src/components/ui/badge.tsx
index 4d38e0fd4..2b474f45b 100644
--- a/src/components/ui/badge.tsx
+++ b/src/components/ui/badge.tsx
@@ -4,7 +4,7 @@ import { cva, type VariantProps } from "class-variance-authority";
 import { cn } from "@app/lib/cn";
 
 const badgeVariants = cva(
-    "inline-flex items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-0",
+    "inline-flex items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors outline-none focus:outline-none focus-visible:outline-none focus-visible:ring-0",
     {
         variants: {
             variant: {

From d046084e84cac2ff1cac3e0724aa5a093e333117 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 16:44:30 -0700
Subject: [PATCH 051/122] delete role move to new role

---
 server/routers/role/deleteRole.ts | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/server/routers/role/deleteRole.ts b/server/routers/role/deleteRole.ts
index 24c26e654..4d2797250 100644
--- a/server/routers/role/deleteRole.ts
+++ b/server/routers/role/deleteRole.ts
@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { roles, userOrgRoles } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq, exists, aliasedTable } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -114,13 +114,32 @@ export async function deleteRole(
         }
 
         await db.transaction(async (trx) => {
-            // move all users from userOrgRoles with roleId to newRoleId
+            const uorNewRole = aliasedTable(userOrgRoles, "user_org_roles_new");
+
+            // Users who already have newRoleId: drop the old assignment only (unique on userId+orgId+roleId).
+            await trx.delete(userOrgRoles).where(
+                and(
+                    eq(userOrgRoles.roleId, roleId),
+                    exists(
+                        trx
+                            .select()
+                            .from(uorNewRole)
+                            .where(
+                                and(
+                                    eq(uorNewRole.userId, userOrgRoles.userId),
+                                    eq(uorNewRole.orgId, userOrgRoles.orgId),
+                                    eq(uorNewRole.roleId, newRoleId)
+                                )
+                            )
+                    )
+                )
+            );
+
             await trx
                 .update(userOrgRoles)
                 .set({ roleId: newRoleId })
                 .where(eq(userOrgRoles.roleId, roleId));
 
-            // delete the old role
             await trx.delete(roles).where(eq(roles.roleId, roleId));
         });
 

From 19a686b3e4040f91d125184b209517992a989dc8 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 26 Mar 2026 16:49:43 -0700
Subject: [PATCH 052/122] Add restrictions around provisioning key

---
 server/routers/newt/registerNewt.ts | 45 +++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 12 deletions(-)

diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index b999eb35c..427ac173f 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -14,7 +14,7 @@ import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
-import { eq, and } from "drizzle-orm";
+import { eq, and, sql } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import { verifyPassword, hashPassword } from "@server/auth/password";
 import {
@@ -26,6 +26,8 @@ import moment from "moment";
 import { build } from "@server/build";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
+import { INSPECT_MAX_BYTES } from "buffer";
+import { v } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
 
 const bodySchema = z.object({
     provisioningKey: z.string().nonempty()
@@ -77,7 +79,10 @@ export async function registerNewt(
                     siteProvisioningKeys.siteProvisioningKeyId,
                 siteProvisioningKeyHash:
                     siteProvisioningKeys.siteProvisioningKeyHash,
-                orgId: siteProvisioningKeyOrg.orgId
+                orgId: siteProvisioningKeyOrg.orgId,
+                maxBatchSize: siteProvisioningKeys.maxBatchSize,
+                numUsed: siteProvisioningKeys.numUsed,
+                validUntil: siteProvisioningKeys.validUntil
             })
             .from(siteProvisioningKeys)
             .innerJoin(
@@ -118,13 +123,28 @@ export async function registerNewt(
             );
         }
 
+        if (keyRecord.maxBatchSize && keyRecord.numUsed >= keyRecord.maxBatchSize) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Provisioning key has reached its maximum usage"
+                )
+            );
+        }
+
+        if (keyRecord.validUntil && new Date(keyRecord.validUntil) < new Date()) {
+            return next(
+                createHttpError(
+                    HttpCode.UNAUTHORIZED,
+                    "Provisioning key has expired"
+                )
+            );
+        }
+
         const { orgId } = keyRecord;
 
         // Verify the org exists
-        const [org] = await db
-            .select()
-            .from(orgs)
-            .where(eq(orgs.orgId, orgId));
+        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
         if (!org) {
             return next(
                 createHttpError(HttpCode.NOT_FOUND, "Organization not found")
@@ -208,7 +228,11 @@ export async function registerNewt(
 
             // Consume the provisioning key — cascade removes siteProvisioningKeyOrg
             await trx
-                .delete(siteProvisioningKeys)
+                .update(siteProvisioningKeys)
+                .set({
+                    lastUsed: moment().toISOString(),
+                    numUsed: sql`${siteProvisioningKeys.numUsed} + 1`
+                })
                 .where(
                     eq(
                         siteProvisioningKeys.siteProvisioningKeyId,
@@ -236,10 +260,7 @@ export async function registerNewt(
     } catch (error) {
         logger.error(error);
         return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "An error occurred"
-            )
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
         );
     }
-}
\ No newline at end of file
+}

From 13eadeaa8f0f67f2624110e1e28e258b7d730bae Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 18:19:10 -0700
Subject: [PATCH 053/122] support legacy one role per user

---
 messages/en-US.json                           |   2 +
 server/private/routers/external.ts            |  36 +++-
 server/private/routers/integration.ts         |  23 +++
 .../{ => private}/routers/user/addUserRole.ts |  19 ++-
 server/private/routers/user/index.ts          |  16 ++
 .../routers/user/removeUserRole.ts            |  20 ++-
 .../routers/user/setUserOrgRoles.ts           |  14 +-
 server/routers/external.ts                    |  24 +--
 server/routers/integration.ts                 |  22 +--
 server/routers/user/addUserRoleLegacy.ts      | 159 ++++++++++++++++++
 server/routers/user/index.ts                  |   5 +-
 server/routers/user/types.ts                  |  18 ++
 .../users/[userId]/access-controls/page.tsx   |  65 ++++++-
 src/components/PermissionsSelectBox.tsx       |   2 +-
 14 files changed, 360 insertions(+), 65 deletions(-)
 rename server/{ => private}/routers/user/addUserRole.ts (91%)
 create mode 100644 server/private/routers/user/index.ts
 rename server/{ => private}/routers/user/removeUserRole.ts (89%)
 rename server/{ => private}/routers/user/setUserOrgRoles.ts (92%)
 create mode 100644 server/routers/user/addUserRoleLegacy.ts
 create mode 100644 server/routers/user/types.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index cdfd57110..361771d87 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -512,6 +512,8 @@
     "autoProvisionedDescription": "Allow this user to be automatically managed by identity provider",
     "accessControlsDescription": "Manage what this user can access and do in the organization",
     "accessControlsSubmit": "Save Access Controls",
+    "singleRolePerUserPlanNotice": "Your plan only supports one role per user.",
+    "singleRolePerUserEditionNotice": "This edition only supports one role per user.",
     "roles": "Roles",
     "accessUsersRoles": "Manage Users & Roles",
     "accessUsersRolesDescription": "Invite users and add them to roles to manage access to the organization",
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index df8ea8cbb..f5749d529 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -26,6 +26,7 @@ import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
 import * as approval from "#private/routers/approvals";
 import * as ssh from "#private/routers/ssh";
+import * as user from "#private/routers/user";
 
 import {
     verifyOrgAccess,
@@ -33,7 +34,10 @@ import {
     verifyUserIsServerAdmin,
     verifySiteAccess,
     verifyClientAccess,
-    verifyLimits
+    verifyLimits,
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyUserCanSetUserOrgRoles
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -518,3 +522,33 @@ authenticated.post(
     // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
     ssh.signSshKey
 );
+
+authenticated.post(
+    "/user/:userId/add-role/:roleId",
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.addUserRole),
+    logActionAudit(ActionsEnum.addUserRole),
+    user.addUserRole
+);
+
+authenticated.delete(
+    "/user/:userId/remove-role/:roleId",
+    verifyRoleAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
+
+authenticated.post(
+    "/user/:userId/org/:orgId/roles",
+    verifyOrgAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
diff --git a/server/private/routers/integration.ts b/server/private/routers/integration.ts
index 97b1adade..f8e6a63f4 100644
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -20,8 +20,11 @@ import {
     verifyApiKeyIsRoot,
     verifyApiKeyOrgAccess,
     verifyApiKeyIdpAccess,
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
     verifyLimits
 } from "@server/middlewares";
+import * as user from "#private/routers/user";
 import {
     verifyValidSubscription,
     verifyValidLicense
@@ -140,3 +143,23 @@ authenticated.get(
     verifyApiKeyHasAction(ActionsEnum.listIdps),
     orgIdp.listOrgIdps
 );
+
+authenticated.post(
+    "/user/:userId/add-role/:roleId",
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.addUserRole),
+    logActionAudit(ActionsEnum.addUserRole),
+    user.addUserRole
+);
+
+authenticated.delete(
+    "/user/:userId/remove-role/:roleId",
+    verifyApiKeyRoleAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
+    logActionAudit(ActionsEnum.removeUserRole),
+    user.removeUserRole
+);
diff --git a/server/routers/user/addUserRole.ts b/server/private/routers/user/addUserRole.ts
similarity index 91%
rename from server/routers/user/addUserRole.ts
rename to server/private/routers/user/addUserRole.ts
index d41ad2051..a46bd1ed8 100644
--- a/server/routers/user/addUserRole.ts
+++ b/server/private/routers/user/addUserRole.ts
@@ -1,5 +1,19 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import stoi from "@server/lib/stoi";
 import { clients, db } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -8,7 +22,6 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 
@@ -17,11 +30,9 @@ const addUserRoleParamsSchema = z.strictObject({
     roleId: z.string().transform(stoi).pipe(z.number())
 });
 
-export type AddUserRoleResponse = z.infer<typeof addUserRoleParamsSchema>;
-
 registry.registerPath({
     method: "post",
-    path: "/role/{roleId}/add/{userId}",
+    path: "/user/{userId}/add-role/{roleId}",
     description: "Add a role to a user.",
     tags: [OpenAPITags.Role, OpenAPITags.User],
     request: {
diff --git a/server/private/routers/user/index.ts b/server/private/routers/user/index.ts
new file mode 100644
index 000000000..6317eced5
--- /dev/null
+++ b/server/private/routers/user/index.ts
@@ -0,0 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./addUserRole";
+export * from "./removeUserRole";
+export * from "./setUserOrgRoles";
diff --git a/server/routers/user/removeUserRole.ts b/server/private/routers/user/removeUserRole.ts
similarity index 89%
rename from server/routers/user/removeUserRole.ts
rename to server/private/routers/user/removeUserRole.ts
index 8d353fea3..e9c3d10c0 100644
--- a/server/routers/user/removeUserRole.ts
+++ b/server/private/routers/user/removeUserRole.ts
@@ -1,5 +1,19 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import stoi from "@server/lib/stoi";
 import { db } from "@server/db";
 import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -8,7 +22,6 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 
@@ -19,8 +32,9 @@ const removeUserRoleParamsSchema = z.strictObject({
 
 registry.registerPath({
     method: "delete",
-    path: "/role/{roleId}/remove/{userId}",
-    description: "Remove a role from a user. User must have at least one role left in the org.",
+    path: "/user/{userId}/remove-role/{roleId}",
+    description:
+        "Remove a role from a user. User must have at least one role left in the org.",
     tags: [OpenAPITags.Role, OpenAPITags.User],
     request: {
         params: removeUserRoleParamsSchema
diff --git a/server/routers/user/setUserOrgRoles.ts b/server/private/routers/user/setUserOrgRoles.ts
similarity index 92%
rename from server/routers/user/setUserOrgRoles.ts
rename to server/private/routers/user/setUserOrgRoles.ts
index 525c91729..67563fd26 100644
--- a/server/routers/user/setUserOrgRoles.ts
+++ b/server/private/routers/user/setUserOrgRoles.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { clients, db } from "@server/db";
@@ -8,7 +21,6 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 
 const setUserOrgRolesParamsSchema = z.strictObject({
diff --git a/server/routers/external.ts b/server/routers/external.ts
index bb331dc69..03d5fa111 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -39,7 +39,6 @@ import {
     verifyApiKeyAccess,
     verifyDomainAccess,
     verifyUserHasAction,
-    verifyUserCanSetUserOrgRoles,
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
@@ -645,6 +644,7 @@ authenticated.delete(
     logActionAudit(ActionsEnum.deleteRole),
     role.deleteRole
 );
+
 authenticated.post(
     "/role/:roleId/add/:userId",
     verifyRoleAccess,
@@ -652,17 +652,7 @@ authenticated.post(
     verifyLimits,
     verifyUserHasAction(ActionsEnum.addUserRole),
     logActionAudit(ActionsEnum.addUserRole),
-    user.addUserRole
-);
-
-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyRoleAccess,
-    verifyUserAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
+    user.addUserRoleLegacy
 );
 
 authenticated.post(
@@ -838,16 +828,6 @@ authenticated.post(
     user.updateOrgUser
 );
 
-authenticated.post(
-    "/org/:orgId/user/:userId/roles",
-    verifyOrgAccess,
-    verifyUserAccess,
-    verifyLimits,
-    verifyUserCanSetUserOrgRoles(),
-    logActionAudit(ActionsEnum.setUserOrgRoles),
-    user.setUserOrgRoles
-);
-
 authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);
 authenticated.get("/org/:orgId/user/:userId/check", org.checkOrgUserAccess);
 
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 32c06078b..2865b4bcb 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -596,17 +596,7 @@ authenticated.post(
     verifyLimits,
     verifyApiKeyHasAction(ActionsEnum.addUserRole),
     logActionAudit(ActionsEnum.addUserRole),
-    user.addUserRole
-);
-
-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyApiKeyRoleAccess,
-    verifyApiKeyUserAccess,
-    verifyLimits,
-    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
+    user.addUserRoleLegacy
 );
 
 authenticated.post(
@@ -815,16 +805,6 @@ authenticated.post(
     user.updateOrgUser
 );
 
-authenticated.post(
-    "/org/:orgId/user/:userId/roles",
-    verifyApiKeyOrgAccess,
-    verifyApiKeyUserAccess,
-    verifyLimits,
-    verifyApiKeyCanSetUserOrgRoles(),
-    logActionAudit(ActionsEnum.setUserOrgRoles),
-    user.setUserOrgRoles
-);
-
 authenticated.delete(
     "/org/:orgId/user/:userId",
     verifyApiKeyOrgAccess,
diff --git a/server/routers/user/addUserRoleLegacy.ts b/server/routers/user/addUserRoleLegacy.ts
new file mode 100644
index 000000000..db0c6182f
--- /dev/null
+++ b/server/routers/user/addUserRoleLegacy.ts
@@ -0,0 +1,159 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import stoi from "@server/lib/stoi";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+/** Legacy path param order: /role/:roleId/add/:userId */
+const addUserRoleLegacyParamsSchema = z.strictObject({
+    roleId: z.string().transform(stoi).pipe(z.number()),
+    userId: z.string()
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/role/{roleId}/add/{userId}",
+    description:
+        "Legacy: set exactly one role for the user (replaces any other roles the user has in the org).",
+    tags: [OpenAPITags.Role, OpenAPITags.User],
+    request: {
+        params: addUserRoleLegacyParamsSchema
+    },
+    responses: {}
+});
+
+export async function addUserRoleLegacy(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = addUserRoleLegacyParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { userId, roleId } = parsedParams.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, roleId))
+            .limit(1);
+
+        if (!role) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
+            );
+        }
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(
+                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
+            )
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found or does not belong to the specified organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the role of the owner of the organization"
+                )
+            );
+        }
+
+        const [roleInOrg] = await db
+            .select()
+            .from(roles)
+            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, role.orgId)))
+            .limit(1);
+
+        if (!roleInOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Role not found or does not belong to the specified organization"
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, role.orgId)
+                    )
+                );
+
+            await trx.insert(userOrgRoles).values({
+                userId,
+                orgId: role.orgId,
+                roleId
+            });
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.userId, userId),
+                        eq(clients.orgId, role.orgId)
+                    )
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { ...existingUser, roleId },
+            success: true,
+            error: false,
+            message: "Role added to user successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/routers/user/index.ts b/server/routers/user/index.ts
index 0884e8a2b..e03676caa 100644
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -1,9 +1,8 @@
 export * from "./getUser";
 export * from "./removeUserOrg";
 export * from "./listUsers";
-export * from "./addUserRole";
-export * from "./removeUserRole";
-export * from "./setUserOrgRoles";
+export * from "./types";
+export * from "./addUserRoleLegacy";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";
diff --git a/server/routers/user/types.ts b/server/routers/user/types.ts
new file mode 100644
index 000000000..bd5b54efa
--- /dev/null
+++ b/server/routers/user/types.ts
@@ -0,0 +1,18 @@
+import type { UserOrg } from "@server/db";
+
+export type AddUserRoleResponse = {
+    userId: string;
+    roleId: number;
+};
+
+/** Legacy POST /role/:roleId/add/:userId response shape (membership + effective role). */
+export type AddUserRoleLegacyResponse = UserOrg & { roleId: number };
+
+export type SetUserOrgRolesParams = {
+    orgId: string;
+    userId: string;
+};
+
+export type SetUserOrgRolesBody = {
+    roleIds: number[];
+};
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 6dcdf16fb..c9ed7d561 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -37,6 +37,9 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { build } from "@server/build";
 
 const accessControlsFormSchema = z.object({
     username: z.string(),
@@ -51,8 +54,9 @@ const accessControlsFormSchema = z.object({
 
 export default function AccessControlsPage() {
     const { orgUser: user, updateOrgUser } = userOrgUserContext();
+    const { env } = useEnvContext();
 
-    const api = createApiClient(useEnvContext());
+    const api = createApiClient({ env });
 
     const { orgId } = useParams();
 
@@ -63,6 +67,18 @@ export default function AccessControlsPage() {
     );
 
     const t = useTranslations();
+    const { isPaidUser, hasSaasSubscription, hasEnterpriseLicense } =
+        usePaidStatus();
+    const multiRoleFeatureTiers = Array.from(
+        new Set([...tierMatrix.sshPam, ...tierMatrix.orgOidc])
+    );
+    const isPaid = isPaidUser(multiRoleFeatureTiers);
+    const supportsMultipleRolesPerUser = isPaid;
+    const showMultiRolePaywallMessage =
+        !env.flags.disableEnterpriseFeatures &&
+        ((build === "saas" && !isPaid) ||
+            (build === "enterprise" && !isPaid) ||
+            (build === "oss" && !isPaid));
 
     const form = useForm({
         resolver: zodResolver(accessControlsFormSchema),
@@ -124,11 +140,28 @@ export default function AccessControlsPage() {
         [roles]
     );
 
-    function setRoleTags(
-        updater: Tag[] | ((prev: Tag[]) => Tag[])
-    ) {
+    function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
         const prev = form.getValues("roles");
-        const next = typeof updater === "function" ? updater(prev) : updater;
+        const nextValue =
+            typeof updater === "function" ? updater(prev) : updater;
+        const next = supportsMultipleRolesPerUser
+            ? nextValue
+            : nextValue.length > 1
+              ? [nextValue[nextValue.length - 1]]
+              : nextValue;
+
+        // In single-role mode, selecting the currently selected role can transiently
+        // emit an empty tag list from TagInput; keep the prior selection.
+        if (
+            !supportsMultipleRolesPerUser &&
+            next.length === 0 &&
+            prev.length > 0
+        ) {
+            form.setValue("roles", [prev[prev.length - 1]], {
+                shouldDirty: true
+            });
+            return;
+        }
 
         if (next.length === 0) {
             toast({
@@ -155,11 +188,14 @@ export default function AccessControlsPage() {
         setLoading(true);
         try {
             const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+            const updateRoleRequest = supportsMultipleRolesPerUser
+                ? api.post(`/user/${user.userId}/org/${orgId}/roles`, {
+                      roleIds
+                  })
+                : api.post(`/role/${roleIds[0]}/add/${user.userId}`);
 
             await Promise.all([
-                api.post(`/org/${orgId}/user/${user.userId}/roles`, {
-                    roleIds
-                }),
+                updateRoleRequest,
                 api.post(`/org/${orgId}/user/${user.userId}`, {
                     autoProvisioned: values.autoProvisioned
                 })
@@ -233,7 +269,7 @@ export default function AccessControlsPage() {
                                     name="roles"
                                     render={({ field }) => (
                                         <FormItem className="flex flex-col items-start">
-                                            <FormLabel>{t("role")}</FormLabel>
+                                            <FormLabel>{t("roles")}</FormLabel>
                                             <FormControl>
                                                 <TagInput
                                                     {...field}
@@ -261,6 +297,17 @@ export default function AccessControlsPage() {
                                                     disabled={loading}
                                                 />
                                             </FormControl>
+                                            {showMultiRolePaywallMessage && (
+                                                <FormDescription>
+                                                    {build === "saas"
+                                                        ? t(
+                                                              "singleRolePerUserPlanNotice"
+                                                          )
+                                                        : t(
+                                                              "singleRolePerUserEditionNotice"
+                                                          )}
+                                                </FormDescription>
+                                            )}
                                             <FormMessage />
                                         </FormItem>
                                     )}
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index 01be1aedb..80a4b9926 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -96,7 +96,7 @@ function getActionsCategories(root: boolean) {
             [t("actionUpdateRole")]: "updateRole",
             [t("actionListAllowedRoleResources")]: "listRoleResources",
             [t("actionAddUserRole")]: "addUserRole",
-            [t("actionSetUserOrgRoles")]: "setUserOrgRoles"
+            [t("actionRemoveUserRole")]: "removeUserRole"
         },
         "Access Token": {
             [t("actionGenerateAccessToken")]: "generateAccessToken",

From e05af54f76492ad62b31ad75494fa444a6bf4fa7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Thu, 26 Mar 2026 21:36:51 -0700
Subject: [PATCH 054/122] Use standard component

---
 .../CreateSiteProvisioningKeyCredenza.tsx     | 111 ++++++++++++++----
 .../EditSiteProvisioningKeyCredenza.tsx       |  93 +++++++++++----
 2 files changed, 162 insertions(+), 42 deletions(-)

diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index e18bbbd06..3a1c7c372 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -36,6 +36,10 @@ import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { zodResolver } from "@hookform/resolvers/zod";
 import CopyTextBox from "@app/components/CopyTextBox";
+import {
+    DateTimePicker,
+    DateTimeValue
+} from "@app/components/DateTimePicker";
 
 const FORM_ID = "create-site-provisioning-key-form";
 
@@ -261,27 +265,92 @@ export default function CreateSiteProvisioningKeyCredenza({
                                 <FormField
                                     control={form.control}
                                     name="validUntil"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <FormLabel>
-                                                {t(
-                                                    "provisioningKeysValidUntil"
-                                                )}
-                                            </FormLabel>
-                                            <FormControl>
-                                                <Input
-                                                    type="datetime-local"
-                                                    {...field}
-                                                />
-                                            </FormControl>
-                                            <FormDescription>
-                                                {t(
-                                                    "provisioningKeysValidUntilHint"
-                                                )}
-                                            </FormDescription>
-                                            <FormMessage />
-                                        </FormItem>
-                                    )}
+                                    render={({ field }) => {
+                                        const dateTimeValue: DateTimeValue =
+                                            (() => {
+                                                if (!field.value) return {};
+                                                const d = new Date(
+                                                    field.value
+                                                );
+                                                if (isNaN(d.getTime()))
+                                                    return {};
+                                                const hours = d
+                                                    .getHours()
+                                                    .toString()
+                                                    .padStart(2, "0");
+                                                const minutes = d
+                                                    .getMinutes()
+                                                    .toString()
+                                                    .padStart(2, "0");
+                                                const seconds = d
+                                                    .getSeconds()
+                                                    .toString()
+                                                    .padStart(2, "0");
+                                                return {
+                                                    date: d,
+                                                    time: `${hours}:${minutes}:${seconds}`
+                                                };
+                                            })();
+
+                                        return (
+                                            <FormItem>
+                                                <FormLabel>
+                                                    {t(
+                                                        "provisioningKeysValidUntil"
+                                                    )}
+                                                </FormLabel>
+                                                <FormControl>
+                                                    <DateTimePicker
+                                                        value={dateTimeValue}
+                                                        onChange={(value) => {
+                                                            if (!value.date) {
+                                                                field.onChange(
+                                                                    ""
+                                                                );
+                                                                return;
+                                                            }
+                                                            const d = new Date(
+                                                                value.date
+                                                            );
+                                                            if (value.time) {
+                                                                const [
+                                                                    h,
+                                                                    m,
+                                                                    s
+                                                                ] =
+                                                                    value.time.split(
+                                                                        ":"
+                                                                    );
+                                                                d.setHours(
+                                                                    parseInt(
+                                                                        h,
+                                                                        10
+                                                                    ),
+                                                                    parseInt(
+                                                                        m,
+                                                                        10
+                                                                    ),
+                                                                    parseInt(
+                                                                        s || "0",
+                                                                        10
+                                                                    )
+                                                                );
+                                                            }
+                                                            field.onChange(
+                                                                d.toISOString()
+                                                            );
+                                                        }}
+                                                    />
+                                                </FormControl>
+                                                <FormDescription>
+                                                    {t(
+                                                        "provisioningKeysValidUntilHint"
+                                                    )}
+                                                </FormDescription>
+                                                <FormMessage />
+                                            </FormItem>
+                                        );
+                                    }}
                                 />
                             </form>
                         </Form>
diff --git a/src/components/EditSiteProvisioningKeyCredenza.tsx b/src/components/EditSiteProvisioningKeyCredenza.tsx
index 9603374d5..138190edc 100644
--- a/src/components/EditSiteProvisioningKeyCredenza.tsx
+++ b/src/components/EditSiteProvisioningKeyCredenza.tsx
@@ -33,7 +33,10 @@ import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { zodResolver } from "@hookform/resolvers/zod";
-import moment from "moment";
+import {
+    DateTimePicker,
+    DateTimeValue
+} from "@app/components/DateTimePicker";
 
 const FORM_ID = "edit-site-provisioning-key-form";
 
@@ -109,9 +112,7 @@ export default function EditSiteProvisioningKeyCredenza({
             name: provisioningKey.name,
             unlimitedBatchSize: provisioningKey.maxBatchSize == null,
             maxBatchSize: provisioningKey.maxBatchSize ?? 100,
-            validUntil: provisioningKey.validUntil
-                ? moment(provisioningKey.validUntil).format("YYYY-MM-DDTHH:mm")
-                : ""
+            validUntil: provisioningKey.validUntil ?? ""
         });
     }, [open, provisioningKey, form]);
 
@@ -257,23 +258,73 @@ export default function EditSiteProvisioningKeyCredenza({
                             <FormField
                                 control={form.control}
                                 name="validUntil"
-                                render={({ field }) => (
-                                    <FormItem>
-                                        <FormLabel>
-                                            {t("provisioningKeysValidUntil")}
-                                        </FormLabel>
-                                        <FormControl>
-                                            <Input
-                                                type="datetime-local"
-                                                {...field}
-                                            />
-                                        </FormControl>
-                                        <FormDescription>
-                                            {t("provisioningKeysValidUntilHint")}
-                                        </FormDescription>
-                                        <FormMessage />
-                                    </FormItem>
-                                )}
+                                render={({ field }) => {
+                                    const dateTimeValue: DateTimeValue =
+                                        (() => {
+                                            if (!field.value) return {};
+                                            const d = new Date(field.value);
+                                            if (isNaN(d.getTime())) return {};
+                                            const hours = d
+                                                .getHours()
+                                                .toString()
+                                                .padStart(2, "0");
+                                            const minutes = d
+                                                .getMinutes()
+                                                .toString()
+                                                .padStart(2, "0");
+                                            const seconds = d
+                                                .getSeconds()
+                                                .toString()
+                                                .padStart(2, "0");
+                                            return {
+                                                date: d,
+                                                time: `${hours}:${minutes}:${seconds}`
+                                            };
+                                        })();
+
+                                    return (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("provisioningKeysValidUntil")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <DateTimePicker
+                                                    value={dateTimeValue}
+                                                    onChange={(value) => {
+                                                        if (!value.date) {
+                                                            field.onChange("");
+                                                            return;
+                                                        }
+                                                        const d = new Date(
+                                                            value.date
+                                                        );
+                                                        if (value.time) {
+                                                            const [h, m, s] =
+                                                                value.time.split(
+                                                                    ":"
+                                                                );
+                                                            d.setHours(
+                                                                parseInt(h, 10),
+                                                                parseInt(m, 10),
+                                                                parseInt(
+                                                                    s || "0",
+                                                                    10
+                                                                )
+                                                            );
+                                                        }
+                                                        field.onChange(
+                                                            d.toISOString()
+                                                        );
+                                                    }}
+                                                />
+                                            </FormControl>
+                                            <FormDescription>
+                                                {t("provisioningKeysValidUntilHint")}
+                                            </FormDescription>
+                                            <FormMessage />
+                                        </FormItem>
+                                    );
+                                }}
                             />
                         </form>
                     </Form>

From ad7d68d2b443ea4b04a174277830040c072cf2f2 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Thu, 26 Mar 2026 21:46:01 -0700
Subject: [PATCH 055/122] basic idp mapping builder

---
 server/routers/idp/validateOidcCallback.ts    |  94 +++--
 .../(private)/idp/[idpId]/general/page.tsx    | 167 +++++----
 .../settings/(private)/idp/create/page.tsx    | 119 +++---
 src/components/AutoProvisionConfigWidget.tsx  | 349 +++++++++++++-----
 src/lib/idpRoleMapping.ts                     | 266 +++++++++++++
 5 files changed, 755 insertions(+), 240 deletions(-)
 create mode 100644 src/lib/idpRoleMapping.ts

diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 8714c4d38..86545269b 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -41,6 +41,7 @@ import {
     assignUserToOrg,
     removeUserFromOrg
 } from "@server/lib/userOrg";
+import { unwrapRoleMapping } from "@app/lib/idpRoleMapping";
 
 const ensureTrailingSlash = (url: string): string => {
     return url;
@@ -367,7 +368,7 @@ export async function validateOidcCallback(
             const defaultRoleMapping = existingIdp.idp.defaultRoleMapping;
             const defaultOrgMapping = existingIdp.idp.defaultOrgMapping;
 
-            const userOrgInfo: { orgId: string; roleId: number }[] = [];
+            const userOrgInfo: { orgId: string; roleIds: number[] }[] = [];
             for (const org of allOrgs) {
                 const [idpOrgRes] = await db
                     .select()
@@ -379,8 +380,6 @@ export async function validateOidcCallback(
                         )
                     );
 
-                let roleId: number | undefined = undefined;
-
                 const orgMapping = idpOrgRes?.orgMapping || defaultOrgMapping;
                 const hydratedOrgMapping = hydrateOrgMapping(
                     orgMapping,
@@ -405,38 +404,47 @@ export async function validateOidcCallback(
                     idpOrgRes?.roleMapping || defaultRoleMapping;
                 if (roleMapping) {
                     logger.debug("Role Mapping", { roleMapping });
-                    const roleName = jmespath.search(claims, roleMapping);
+                    const roleMappingJmes = unwrapRoleMapping(
+                        roleMapping
+                    ).evaluationExpression;
+                    const roleMappingResult = jmespath.search(
+                        claims,
+                        roleMappingJmes
+                    );
+                    const roleNames = normalizeRoleMappingResult(
+                        roleMappingResult
+                    );
 
-                    if (!roleName) {
-                        logger.error("Role name not found in the ID token", {
-                            roleName
+                    if (!roleNames.length) {
+                        logger.error("Role mapping returned no valid roles", {
+                            roleMappingResult
                         });
                         continue;
                     }
 
-                    const [roleRes] = await db
+                    const roleRes = await db
                         .select()
                         .from(roles)
                         .where(
                             and(
                                 eq(roles.orgId, org.orgId),
-                                eq(roles.name, roleName)
+                                inArray(roles.name, roleNames)
                             )
                         );
 
-                    if (!roleRes) {
-                        logger.error("Role not found", {
+                    if (!roleRes.length) {
+                        logger.error("No mapped roles found in organization", {
                             orgId: org.orgId,
-                            roleName
+                            roleNames
                         });
                         continue;
                     }
 
-                    roleId = roleRes.roleId;
+                    const roleIds = [...new Set(roleRes.map((r) => r.roleId))];
 
                     userOrgInfo.push({
                         orgId: org.orgId,
-                        roleId
+                        roleIds
                     });
                 }
             }
@@ -584,15 +592,17 @@ export async function validateOidcCallback(
                     const currentRolesInOrg = userRolesInOrgs.filter(
                         (r) => r.orgId === currentOrg.orgId
                     );
-                    const hasIdpRole = currentRolesInOrg.some(
-                        (r) => r.roleId === newRole.roleId
-                    );
-                    if (!hasIdpRole) {
-                        await trx.insert(userOrgRoles).values({
-                            userId: userId!,
-                            orgId: currentOrg.orgId,
-                            roleId: newRole.roleId
-                        });
+                    for (const roleId of newRole.roleIds) {
+                        const hasIdpRole = currentRolesInOrg.some(
+                            (r) => r.roleId === roleId
+                        );
+                        if (!hasIdpRole) {
+                            await trx.insert(userOrgRoles).values({
+                                userId: userId!,
+                                orgId: currentOrg.orgId,
+                                roleId
+                            });
+                        }
                     }
                 }
 
@@ -606,6 +616,12 @@ export async function validateOidcCallback(
 
                 if (orgsToAdd.length > 0) {
                     for (const org of orgsToAdd) {
+                        const [initialRoleId, ...additionalRoleIds] =
+                            org.roleIds;
+                        if (!initialRoleId) {
+                            continue;
+                        }
+
                         const [fullOrg] = await trx
                             .select()
                             .from(orgs)
@@ -618,9 +634,17 @@ export async function validateOidcCallback(
                                     userId: userId!,
                                     autoProvisioned: true,
                                 },
-                                org.roleId,
+                                initialRoleId,
                                 trx
                             );
+
+                            for (const roleId of additionalRoleIds) {
+                                await trx.insert(userOrgRoles).values({
+                                    userId: userId!,
+                                    orgId: org.orgId,
+                                    roleId
+                                });
+                            }
                         }
                     }
                 }
@@ -745,3 +769,25 @@ function hydrateOrgMapping(
     }
     return orgMapping.split("{{orgId}}").join(orgId);
 }
+
+function normalizeRoleMappingResult(
+    result: unknown
+): string[] {
+    if (typeof result === "string") {
+        const role = result.trim();
+        return role ? [role] : [];
+    }
+
+    if (Array.isArray(result)) {
+        return [
+            ...new Set(
+                result
+                    .filter((value): value is string => typeof value === "string")
+                    .map((value) => value.trim())
+                    .filter(Boolean)
+            )
+        ];
+    }
+
+    return [];
+}
diff --git a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
index 7d4bece1e..9754b07e5 100644
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -47,6 +47,14 @@ import { ListRolesResponse } from "@server/routers/role";
 import AutoProvisionConfigWidget from "@app/components/AutoProvisionConfigWidget";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import {
+    compileRoleMappingExpression,
+    createMappingBuilderRule,
+    detectRoleMappingConfig,
+    ensureMappingBuilderRuleIds,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 export default function GeneralPage() {
     const { env } = useEnvContext();
@@ -56,9 +64,15 @@ export default function GeneralPage() {
     const [loading, setLoading] = useState(false);
     const [initialLoading, setInitialLoading] = useState(true);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [roleMappingMode, setRoleMappingMode] = useState<
-        "role" | "expression"
-    >("role");
+    const [roleMappingMode, setRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [fixedRoleNames, setFixedRoleNames] = useState<string[]>([]);
+    const [mappingBuilderClaimPath, setMappingBuilderClaimPath] =
+        useState("groups");
+    const [mappingBuilderRules, setMappingBuilderRules] = useState<
+        MappingBuilderRule[]
+    >([createMappingBuilderRule()]);
+    const [rawRoleExpression, setRawRoleExpression] = useState("");
     const [variant, setVariant] = useState<"oidc" | "google" | "azure">("oidc");
 
     const dashboardRedirectUrl = `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`;
@@ -190,34 +204,8 @@ export default function GeneralPage() {
                     // Set the variant
                     setVariant(idpVariant as "oidc" | "google" | "azure");
 
-                    // Check if roleMapping matches the basic pattern '{role name}' (simple single role)
-                    // This should NOT match complex expressions like 'Admin' || 'Member'
-                    const isBasicRolePattern =
-                        roleMapping &&
-                        typeof roleMapping === "string" &&
-                        /^'[^']+'$/.test(roleMapping);
-
-                    // Determine if roleMapping is a number (roleId) or matches basic pattern
-                    const isRoleId =
-                        !isNaN(Number(roleMapping)) && roleMapping !== "";
-                    const isRoleName = isBasicRolePattern;
-
-                    // Extract role name from basic pattern for matching
-                    let extractedRoleName = null;
-                    if (isRoleName) {
-                        extractedRoleName = roleMapping.slice(1, -1); // Remove quotes
-                    }
-
-                    // Try to find matching role by name if we have a basic pattern
-                    let matchingRoleId = undefined;
-                    if (extractedRoleName && availableRoles.length > 0) {
-                        const matchingRole = availableRoles.find(
-                            (role) => role.name === extractedRoleName
-                        );
-                        if (matchingRole) {
-                            matchingRoleId = matchingRole.roleId;
-                        }
-                    }
+                    const detectedRoleMappingConfig =
+                        detectRoleMappingConfig(roleMapping);
 
                     // Extract tenant ID from Azure URLs if present
                     let tenantId = "";
@@ -238,9 +226,7 @@ export default function GeneralPage() {
                         clientSecret: data.idpOidcConfig.clientSecret,
                         autoProvision: data.idp.autoProvision,
                         roleMapping: roleMapping || null,
-                        roleId: isRoleId
-                            ? Number(roleMapping)
-                            : matchingRoleId || null
+                        roleId: null
                     };
 
                     // Add variant-specific fields
@@ -259,10 +245,18 @@ export default function GeneralPage() {
 
                     form.reset(formData);
 
-                    // Set the role mapping mode based on the data
-                    // Default to "expression" unless it's a simple roleId or basic '{role name}' pattern
-                    setRoleMappingMode(
-                        matchingRoleId && isRoleName ? "role" : "expression"
+                    setRoleMappingMode(detectedRoleMappingConfig.mode);
+                    setFixedRoleNames(detectedRoleMappingConfig.fixedRoleNames);
+                    setMappingBuilderClaimPath(
+                        detectedRoleMappingConfig.mappingBuilder.claimPath
+                    );
+                    setMappingBuilderRules(
+                        ensureMappingBuilderRuleIds(
+                            detectedRoleMappingConfig.mappingBuilder.rules
+                        )
+                    );
+                    setRawRoleExpression(
+                        detectedRoleMappingConfig.rawExpression
                     );
                 }
             } catch (e) {
@@ -327,7 +321,26 @@ export default function GeneralPage() {
                 return;
             }
 
-            const roleName = roles.find((r) => r.roleId === data.roleId)?.name;
+            const roleMappingExpression = compileRoleMappingExpression({
+                mode: roleMappingMode,
+                fixedRoleNames,
+                mappingBuilder: {
+                    claimPath: mappingBuilderClaimPath,
+                    rules: mappingBuilderRules
+                },
+                rawExpression: rawRoleExpression
+            });
+
+            if (data.autoProvision && !roleMappingExpression) {
+                toast({
+                    title: t("error"),
+                    description:
+                        "A role mapping is required when auto-provisioning is enabled.",
+                    variant: "destructive"
+                });
+                setLoading(false);
+                return;
+            }
 
             // Build payload based on variant
             let payload: any = {
@@ -335,10 +348,7 @@ export default function GeneralPage() {
                 clientId: data.clientId,
                 clientSecret: data.clientSecret,
                 autoProvision: data.autoProvision,
-                roleMapping:
-                    roleMappingMode === "role"
-                        ? `'${roleName}'`
-                        : data.roleMapping || ""
+                roleMapping: roleMappingExpression
             };
 
             // Add variant-specific fields
@@ -497,42 +507,43 @@ export default function GeneralPage() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
-                        <SettingsSectionForm>
-                            <PaidFeaturesAlert
-                                tiers={tierMatrix.autoProvisioning}
-                            />
+                        <PaidFeaturesAlert
+                            tiers={tierMatrix.autoProvisioning}
+                        />
 
-                            <Form {...form}>
-                                <form
-                                    onSubmit={form.handleSubmit(onSubmit)}
-                                    className="space-y-4"
-                                    id="general-settings-form"
-                                >
-                                    <AutoProvisionConfigWidget
-                                        control={form.control}
-                                        autoProvision={form.watch(
-                                            "autoProvision"
-                                        )}
-                                        onAutoProvisionChange={(checked) => {
-                                            form.setValue(
-                                                "autoProvision",
-                                                checked
-                                            );
-                                        }}
-                                        roleMappingMode={roleMappingMode}
-                                        onRoleMappingModeChange={(data) => {
-                                            setRoleMappingMode(data);
-                                            // Clear roleId and roleMapping when mode changes
-                                            form.setValue("roleId", null);
-                                            form.setValue("roleMapping", null);
-                                        }}
-                                        roles={roles}
-                                        roleIdFieldName="roleId"
-                                        roleMappingFieldName="roleMapping"
-                                    />
-                                </form>
-                            </Form>
-                        </SettingsSectionForm>
+                        <Form {...form}>
+                            <form
+                                onSubmit={form.handleSubmit(onSubmit)}
+                                className="space-y-4"
+                                id="general-settings-form"
+                            >
+                                <AutoProvisionConfigWidget
+                                    autoProvision={form.watch("autoProvision")}
+                                    onAutoProvisionChange={(checked) => {
+                                        form.setValue("autoProvision", checked);
+                                    }}
+                                    roleMappingMode={roleMappingMode}
+                                    onRoleMappingModeChange={(data) => {
+                                        setRoleMappingMode(data);
+                                    }}
+                                    roles={roles}
+                                    fixedRoleNames={fixedRoleNames}
+                                    onFixedRoleNamesChange={setFixedRoleNames}
+                                    mappingBuilderClaimPath={
+                                        mappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={mappingBuilderRules}
+                                    onMappingBuilderRulesChange={
+                                        setMappingBuilderRules
+                                    }
+                                    rawExpression={rawRoleExpression}
+                                    onRawExpressionChange={setRawRoleExpression}
+                                />
+                            </form>
+                        </Form>
                     </SettingsSectionBody>
                 </SettingsSection>
 
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 4c783e9b2..2d6985849 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -42,6 +42,12 @@ import { useParams, useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
+import {
+    compileRoleMappingExpression,
+    createMappingBuilderRule,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 export default function Page() {
     const { env } = useEnvContext();
@@ -49,9 +55,15 @@ export default function Page() {
     const router = useRouter();
     const [createLoading, setCreateLoading] = useState(false);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [roleMappingMode, setRoleMappingMode] = useState<
-        "role" | "expression"
-    >("role");
+    const [roleMappingMode, setRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [fixedRoleNames, setFixedRoleNames] = useState<string[]>([]);
+    const [mappingBuilderClaimPath, setMappingBuilderClaimPath] =
+        useState("groups");
+    const [mappingBuilderRules, setMappingBuilderRules] = useState<
+        MappingBuilderRule[]
+    >([createMappingBuilderRule()]);
+    const [rawRoleExpression, setRawRoleExpression] = useState("");
     const t = useTranslations();
     const { isPaidUser } = usePaidStatus();
 
@@ -228,7 +240,26 @@ export default function Page() {
                 tokenUrl = tokenUrl?.replace("{{TENANT_ID}}", data.tenantId);
             }
 
-            const roleName = roles.find((r) => r.roleId === data.roleId)?.name;
+            const roleMappingExpression = compileRoleMappingExpression({
+                mode: roleMappingMode,
+                fixedRoleNames,
+                mappingBuilder: {
+                    claimPath: mappingBuilderClaimPath,
+                    rules: mappingBuilderRules
+                },
+                rawExpression: rawRoleExpression
+            });
+
+            if (data.autoProvision && !roleMappingExpression) {
+                toast({
+                    title: t("error"),
+                    description:
+                        "A role mapping is required when auto-provisioning is enabled.",
+                    variant: "destructive"
+                });
+                setCreateLoading(false);
+                return;
+            }
 
             const payload = {
                 name: data.name,
@@ -240,10 +271,7 @@ export default function Page() {
                 emailPath: data.emailPath,
                 namePath: data.namePath,
                 autoProvision: data.autoProvision,
-                roleMapping:
-                    roleMappingMode === "role"
-                        ? `'${roleName}'`
-                        : data.roleMapping || "",
+                roleMapping: roleMappingExpression,
                 scopes: data.scopes,
                 variant: data.type
             };
@@ -363,43 +391,44 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
-                        <SettingsSectionForm>
-                            <PaidFeaturesAlert
-                                tiers={tierMatrix.autoProvisioning}
-                            />
-                            <Form {...form}>
-                                <form
-                                    className="space-y-4"
-                                    id="create-idp-form"
-                                    onSubmit={form.handleSubmit(onSubmit)}
-                                >
-                                    <AutoProvisionConfigWidget
-                                        control={form.control}
-                                        autoProvision={
-                                            form.watch(
-                                                "autoProvision"
-                                            ) as boolean
-                                        } // is this right?
-                                        onAutoProvisionChange={(checked) => {
-                                            form.setValue(
-                                                "autoProvision",
-                                                checked
-                                            );
-                                        }}
-                                        roleMappingMode={roleMappingMode}
-                                        onRoleMappingModeChange={(data) => {
-                                            setRoleMappingMode(data);
-                                            // Clear roleId and roleMapping when mode changes
-                                            form.setValue("roleId", null);
-                                            form.setValue("roleMapping", null);
-                                        }}
-                                        roles={roles}
-                                        roleIdFieldName="roleId"
-                                        roleMappingFieldName="roleMapping"
-                                    />
-                                </form>
-                            </Form>
-                        </SettingsSectionForm>
+                        <PaidFeaturesAlert
+                            tiers={tierMatrix.autoProvisioning}
+                        />
+                        <Form {...form}>
+                            <form
+                                className="space-y-4"
+                                id="create-idp-form"
+                                onSubmit={form.handleSubmit(onSubmit)}
+                            >
+                                <AutoProvisionConfigWidget
+                                    autoProvision={
+                                        form.watch("autoProvision") as boolean
+                                    } // is this right?
+                                    onAutoProvisionChange={(checked) => {
+                                        form.setValue("autoProvision", checked);
+                                    }}
+                                    roleMappingMode={roleMappingMode}
+                                    onRoleMappingModeChange={(data) => {
+                                        setRoleMappingMode(data);
+                                    }}
+                                    roles={roles}
+                                    fixedRoleNames={fixedRoleNames}
+                                    onFixedRoleNamesChange={setFixedRoleNames}
+                                    mappingBuilderClaimPath={
+                                        mappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={mappingBuilderRules}
+                                    onMappingBuilderRulesChange={
+                                        setMappingBuilderRules
+                                    }
+                                    rawExpression={rawRoleExpression}
+                                    onRawExpressionChange={setRawRoleExpression}
+                                />
+                            </form>
+                        </Form>
                     </SettingsSectionBody>
                 </SettingsSection>
 
diff --git a/src/components/AutoProvisionConfigWidget.tsx b/src/components/AutoProvisionConfigWidget.tsx
index f5979aec3..44ee8c6e0 100644
--- a/src/components/AutoProvisionConfigWidget.tsx
+++ b/src/components/AutoProvisionConfigWidget.tsx
@@ -1,57 +1,74 @@
 "use client";
 
 import {
-    FormField,
-    FormItem,
     FormLabel,
-    FormControl,
-    FormDescription,
-    FormMessage
+    FormDescription
 } from "@app/components/ui/form";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
-import {
-    Select,
-    SelectContent,
-    SelectItem,
-    SelectTrigger,
-    SelectValue
-} from "@app/components/ui/select";
+import { Button } from "@app/components/ui/button";
 import { Input } from "@app/components/ui/input";
 import { useTranslations } from "next-intl";
-import { Control, FieldValues, Path } from "react-hook-form";
+import { useMemo, useState } from "react";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import {
+    createMappingBuilderRule,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 type Role = {
     roleId: number;
     name: string;
 };
 
-type AutoProvisionConfigWidgetProps<T extends FieldValues> = {
-    control: Control<T>;
+type AutoProvisionConfigWidgetProps = {
     autoProvision: boolean;
     onAutoProvisionChange: (checked: boolean) => void;
-    roleMappingMode: "role" | "expression";
-    onRoleMappingModeChange: (mode: "role" | "expression") => void;
+    roleMappingMode: RoleMappingMode;
+    onRoleMappingModeChange: (mode: RoleMappingMode) => void;
     roles: Role[];
-    roleIdFieldName: Path<T>;
-    roleMappingFieldName: Path<T>;
+    fixedRoleNames: string[];
+    onFixedRoleNamesChange: (roleNames: string[]) => void;
+    mappingBuilderClaimPath: string;
+    onMappingBuilderClaimPathChange: (claimPath: string) => void;
+    mappingBuilderRules: MappingBuilderRule[];
+    onMappingBuilderRulesChange: (rules: MappingBuilderRule[]) => void;
+    rawExpression: string;
+    onRawExpressionChange: (expression: string) => void;
 };
 
-export default function AutoProvisionConfigWidget<T extends FieldValues>({
-    control,
+export default function AutoProvisionConfigWidget({
     autoProvision,
     onAutoProvisionChange,
     roleMappingMode,
     onRoleMappingModeChange,
     roles,
-    roleIdFieldName,
-    roleMappingFieldName
-}: AutoProvisionConfigWidgetProps<T>) {
+    fixedRoleNames,
+    onFixedRoleNamesChange,
+    mappingBuilderClaimPath,
+    onMappingBuilderClaimPathChange,
+    mappingBuilderRules,
+    onMappingBuilderRulesChange,
+    rawExpression,
+    onRawExpressionChange
+}: AutoProvisionConfigWidgetProps) {
     const t = useTranslations();
-
     const { isPaidUser } = usePaidStatus();
+    const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
+        number | null
+    >(null);
+
+    const roleOptions = useMemo(
+        () =>
+            roles.map((role) => ({
+                id: role.name,
+                text: role.name
+            })),
+        [roles]
+    );
 
     return (
         <div className="space-y-4">
@@ -81,97 +98,243 @@ export default function AutoProvisionConfigWidget<T extends FieldValues>({
                         <RadioGroup
                             value={roleMappingMode}
                             onValueChange={onRoleMappingModeChange}
-                            className="flex space-x-6"
+                            className="flex flex-wrap gap-x-6 gap-y-2"
                         >
                             <div className="flex items-center space-x-2">
-                                <RadioGroupItem value="role" id="role-mode" />
+                                <RadioGroupItem
+                                    value="fixedRoles"
+                                    id="fixed-roles-mode"
+                                />
                                 <label
-                                    htmlFor="role-mode"
+                                    htmlFor="fixed-roles-mode"
                                     className="text-sm font-medium"
                                 >
-                                    {t("selectRole")}
+                                    Fixed roles
                                 </label>
                             </div>
                             <div className="flex items-center space-x-2">
                                 <RadioGroupItem
-                                    value="expression"
+                                    value="mappingBuilder"
+                                    id="mapping-builder-mode"
+                                />
+                                <label
+                                    htmlFor="mapping-builder-mode"
+                                    className="text-sm font-medium"
+                                >
+                                    Mapping builder
+                                </label>
+                            </div>
+                            <div className="flex items-center space-x-2">
+                                <RadioGroupItem
+                                    value="rawExpression"
                                     id="expression-mode"
                                 />
                                 <label
                                     htmlFor="expression-mode"
                                     className="text-sm font-medium"
                                 >
-                                    {t("roleMappingExpression")}
+                                    Raw expression
                                 </label>
                             </div>
                         </RadioGroup>
                     </div>
 
-                    {roleMappingMode === "role" ? (
-                        <FormField
-                            control={control}
-                            name={roleIdFieldName}
-                            render={({ field }) => (
-                                <FormItem>
-                                    <Select
-                                        onValueChange={(value) =>
-                                            field.onChange(Number(value))
-                                        }
-                                        value={field.value?.toString()}
-                                    >
-                                        <FormControl>
-                                            <SelectTrigger>
-                                                <SelectValue
-                                                    placeholder={t(
-                                                        "selectRolePlaceholder"
-                                                    )}
-                                                />
-                                            </SelectTrigger>
-                                        </FormControl>
-                                        <SelectContent>
-                                            {roles.map((role) => (
-                                                <SelectItem
-                                                    key={role.roleId}
-                                                    value={role.roleId.toString()}
-                                                >
-                                                    {role.name}
-                                                </SelectItem>
-                                            ))}
-                                        </SelectContent>
-                                    </Select>
-                                    <FormDescription>
-                                        {t("selectRoleDescription")}
-                                    </FormDescription>
-                                    <FormMessage />
-                                </FormItem>
-                            )}
-                        />
-                    ) : (
-                        <FormField
-                            control={control}
-                            name={roleMappingFieldName}
-                            render={({ field }) => (
-                                <FormItem>
-                                    <FormControl>
-                                        <Input
-                                            {...field}
-                                            defaultValue={field.value || ""}
-                                            value={field.value || ""}
-                                            placeholder={t(
-                                                "roleMappingExpressionPlaceholder"
-                                            )}
-                                        />
-                                    </FormControl>
-                                    <FormDescription>
-                                        {t("roleMappingExpressionDescription")}
-                                    </FormDescription>
-                                    <FormMessage />
-                                </FormItem>
-                            )}
-                        />
+                    {roleMappingMode === "fixedRoles" && (
+                        <div className="space-y-2">
+                            <TagInput
+                                tags={fixedRoleNames.map((name) => ({
+                                    id: name,
+                                    text: name
+                                }))}
+                                setTags={(nextTags) => {
+                                    const next =
+                                        typeof nextTags === "function"
+                                            ? nextTags(
+                                                  fixedRoleNames.map((name) => ({
+                                                      id: name,
+                                                      text: name
+                                                  }))
+                                              )
+                                            : nextTags;
+
+                                    onFixedRoleNamesChange(
+                                        [...new Set(next.map((tag) => tag.text))]
+                                    );
+                                }}
+                                activeTagIndex={activeFixedRoleTagIndex}
+                                setActiveTagIndex={setActiveFixedRoleTagIndex}
+                                placeholder="Select one or more roles"
+                                enableAutocomplete={true}
+                                autocompleteOptions={roleOptions}
+                                restrictTagsToAutocompleteOptions={true}
+                                allowDuplicates={false}
+                                sortTags={true}
+                                size="sm"
+                            />
+                            <FormDescription>
+                                Assign the same role set to every auto-provisioned
+                                user.
+                            </FormDescription>
+                        </div>
+                    )}
+
+                    {roleMappingMode === "mappingBuilder" && (
+                        <div className="space-y-4 rounded-md border p-3">
+                            <div className="space-y-2">
+                                <FormLabel>Claim path</FormLabel>
+                                <Input
+                                    value={mappingBuilderClaimPath}
+                                    onChange={(e) =>
+                                        onMappingBuilderClaimPathChange(
+                                            e.target.value
+                                        )
+                                    }
+                                    placeholder="groups"
+                                />
+                                <FormDescription>
+                                    Path in the token payload that contains source
+                                    values (for example, groups).
+                                </FormDescription>
+                            </div>
+
+                            <div className="space-y-3">
+                                <div className="hidden md:grid md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:gap-3">
+                                    <FormLabel>Match value</FormLabel>
+                                    <FormLabel>Assign roles</FormLabel>
+                                    <span />
+                                </div>
+
+                                {mappingBuilderRules.map((rule, index) => (
+                                    <BuilderRuleRow
+                                        key={rule.id ?? `mapping-rule-${index}`}
+                                        roleOptions={roleOptions}
+                                        rule={rule}
+                                        onChange={(nextRule) => {
+                                            const nextRules =
+                                                mappingBuilderRules.map(
+                                                    (row, i) =>
+                                                        i === index
+                                                            ? nextRule
+                                                            : row
+                                                );
+                                            onMappingBuilderRulesChange(
+                                                nextRules
+                                            );
+                                        }}
+                                        onRemove={() => {
+                                            const nextRules =
+                                                mappingBuilderRules.filter(
+                                                    (_, i) => i !== index
+                                                );
+                                            onMappingBuilderRulesChange(
+                                                nextRules.length
+                                                    ? nextRules
+                                                    : [createMappingBuilderRule()]
+                                            );
+                                        }}
+                                    />
+                                ))}
+                            </div>
+
+                            <Button
+                                type="button"
+                                variant="outline"
+                                onClick={() => {
+                                    onMappingBuilderRulesChange([
+                                        ...mappingBuilderRules,
+                                        createMappingBuilderRule()
+                                    ]);
+                                }}
+                            >
+                                Add mapping rule
+                            </Button>
+                        </div>
+                    )}
+
+                    {roleMappingMode === "rawExpression" && (
+                        <div className="space-y-2">
+                            <Input
+                                value={rawExpression}
+                                onChange={(e) =>
+                                    onRawExpressionChange(e.target.value)
+                                }
+                                placeholder={t("roleMappingExpressionPlaceholder")}
+                            />
+                            <FormDescription>
+                                Expression must evaluate to a string or string
+                                array.
+                            </FormDescription>
+                        </div>
                     )}
                 </div>
             )}
         </div>
     );
 }
+
+function BuilderRuleRow({
+    rule,
+    roleOptions,
+    onChange,
+    onRemove
+}: {
+    rule: MappingBuilderRule;
+    roleOptions: Tag[];
+    onChange: (rule: MappingBuilderRule) => void;
+    onRemove: () => void;
+}) {
+    const [activeTagIndex, setActiveTagIndex] = useState<number | null>(null);
+
+    return (
+        <div className="grid gap-3 rounded-md border p-3 md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:items-start">
+            <div className="space-y-1">
+                <FormLabel className="text-xs md:hidden">Match value</FormLabel>
+                <Input
+                    value={rule.matchValue}
+                    onChange={(e) =>
+                        onChange({
+                            ...rule,
+                            matchValue: e.target.value
+                        })
+                    }
+                    placeholder="Match value (for example: admin)"
+                />
+            </div>
+            <div className="space-y-1 min-w-0">
+                <FormLabel className="text-xs md:hidden">Assign roles</FormLabel>
+                <TagInput
+                    tags={rule.roleNames.map((name) => ({ id: name, text: name }))}
+                    setTags={(nextTags) => {
+                        const next =
+                            typeof nextTags === "function"
+                                ? nextTags(
+                                      rule.roleNames.map((name) => ({
+                                          id: name,
+                                          text: name
+                                      }))
+                                  )
+                                : nextTags;
+                        onChange({
+                            ...rule,
+                            roleNames: [...new Set(next.map((tag) => tag.text))]
+                        });
+                    }}
+                    activeTagIndex={activeTagIndex}
+                    setActiveTagIndex={setActiveTagIndex}
+                    placeholder="Assign roles"
+                    enableAutocomplete={true}
+                    autocompleteOptions={roleOptions}
+                    restrictTagsToAutocompleteOptions={true}
+                    allowDuplicates={false}
+                    sortTags={true}
+                    size="sm"
+                />
+            </div>
+            <div className="flex justify-end md:justify-start">
+                <Button type="button" variant="ghost" onClick={onRemove}>
+                    Remove
+                </Button>
+            </div>
+        </div>
+    );
+}
diff --git a/src/lib/idpRoleMapping.ts b/src/lib/idpRoleMapping.ts
new file mode 100644
index 000000000..2b336b3dd
--- /dev/null
+++ b/src/lib/idpRoleMapping.ts
@@ -0,0 +1,266 @@
+export type RoleMappingMode = "fixedRoles" | "mappingBuilder" | "rawExpression";
+
+export type MappingBuilderRule = {
+    /** Stable React list key; not used when compiling JMESPath. */
+    id?: string;
+    matchValue: string;
+    roleNames: string[];
+};
+
+function newMappingBuilderRuleId(): string {
+    if (typeof crypto !== "undefined" && "randomUUID" in crypto) {
+        return crypto.randomUUID();
+    }
+    return `rule-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;
+}
+
+export function createMappingBuilderRule(): MappingBuilderRule {
+    return {
+        id: newMappingBuilderRuleId(),
+        matchValue: "",
+        roleNames: []
+    };
+}
+
+/** Ensures every rule has a stable id (e.g. after loading from the API). */
+export function ensureMappingBuilderRuleIds(
+    rules: MappingBuilderRule[]
+): MappingBuilderRule[] {
+    return rules.map((rule) =>
+        rule.id ? rule : { ...rule, id: newMappingBuilderRuleId() }
+    );
+}
+
+export type MappingBuilderConfig = {
+    claimPath: string;
+    rules: MappingBuilderRule[];
+};
+
+export type RoleMappingConfig = {
+    mode: RoleMappingMode;
+    fixedRoleNames: string[];
+    mappingBuilder: MappingBuilderConfig;
+    rawExpression: string;
+};
+
+const SINGLE_QUOTED_ROLE_REGEX = /^'([^']+)'$/;
+const QUOTED_ROLE_ARRAY_REGEX = /^\[(.*)\]$/;
+
+/** Stored role mappings created by the mapping builder are prefixed so the UI can restore the builder. */
+export const PANGOLIN_ROLE_MAP_BUILDER_PREFIX = "__PANGOLIN_ROLE_MAP_BUILDER_V1__";
+
+const BUILDER_METADATA_SEPARATOR = "\n---\n";
+
+export type UnwrappedRoleMapping = {
+    /** Expression passed to JMESPath (no builder wrapper). */
+    evaluationExpression: string;
+    /** Present when the stored value was saved from the mapping builder. */
+    builderState: { claimPath: string; rules: MappingBuilderRule[] } | null;
+};
+
+/**
+ * Split stored DB value into evaluation expression and optional builder metadata.
+ * Legacy values (no prefix) are returned as-is for evaluation.
+ */
+export function unwrapRoleMapping(
+    stored: string | null | undefined
+): UnwrappedRoleMapping {
+    const trimmed = stored?.trim() ?? "";
+    if (!trimmed.startsWith(PANGOLIN_ROLE_MAP_BUILDER_PREFIX)) {
+        return {
+            evaluationExpression: trimmed,
+            builderState: null
+        };
+    }
+
+    let rest = trimmed.slice(PANGOLIN_ROLE_MAP_BUILDER_PREFIX.length);
+    if (rest.startsWith("\n")) {
+        rest = rest.slice(1);
+    }
+
+    const sepIdx = rest.indexOf(BUILDER_METADATA_SEPARATOR);
+    if (sepIdx === -1) {
+        return {
+            evaluationExpression: trimmed,
+            builderState: null
+        };
+    }
+
+    const jsonPart = rest.slice(0, sepIdx).trim();
+    const inner = rest.slice(sepIdx + BUILDER_METADATA_SEPARATOR.length).trim();
+
+    try {
+        const meta = JSON.parse(jsonPart) as {
+            claimPath?: unknown;
+            rules?: unknown;
+        };
+        if (
+            typeof meta.claimPath === "string" &&
+            Array.isArray(meta.rules)
+        ) {
+            const rules: MappingBuilderRule[] = meta.rules.map(
+                (r: unknown) => {
+                    const row = r as {
+                        matchValue?: unknown;
+                        roleNames?: unknown;
+                    };
+                    return {
+                        matchValue:
+                            typeof row.matchValue === "string"
+                                ? row.matchValue
+                                : "",
+                        roleNames: Array.isArray(row.roleNames)
+                            ? row.roleNames.filter(
+                                  (n): n is string => typeof n === "string"
+                              )
+                            : []
+                    };
+                }
+            );
+            return {
+                evaluationExpression: inner,
+                builderState: {
+                    claimPath: meta.claimPath,
+                    rules: ensureMappingBuilderRuleIds(rules)
+                }
+            };
+        }
+    } catch {
+        /* fall through */
+    }
+
+    return {
+        evaluationExpression: inner.length ? inner : trimmed,
+        builderState: null
+    };
+}
+
+function escapeSingleQuotes(value: string): string {
+    return value.replace(/'/g, "\\'");
+}
+
+export function compileRoleMappingExpression(config: RoleMappingConfig): string {
+    if (config.mode === "rawExpression") {
+        return config.rawExpression.trim();
+    }
+
+    if (config.mode === "fixedRoles") {
+        const roleNames = dedupeNonEmpty(config.fixedRoleNames);
+        if (!roleNames.length) {
+            return "";
+        }
+
+        if (roleNames.length === 1) {
+            return `'${escapeSingleQuotes(roleNames[0])}'`;
+        }
+
+        return `[${roleNames.map((name) => `'${escapeSingleQuotes(name)}'`).join(", ")}]`;
+    }
+
+    const claimPath = config.mappingBuilder.claimPath.trim();
+    const rules = config.mappingBuilder.rules
+        .map((rule) => ({
+            matchValue: rule.matchValue.trim(),
+            roleNames: dedupeNonEmpty(rule.roleNames)
+        }))
+        .filter((rule) => Boolean(rule.matchValue) && rule.roleNames.length > 0);
+
+    if (!claimPath || !rules.length) {
+        return "";
+    }
+
+    const compiledRules = rules.map((rule) => {
+        const mappedRoles = `[${rule.roleNames
+            .map((name) => `'${escapeSingleQuotes(name)}'`)
+            .join(", ")}]`;
+        return `contains(${claimPath}, '${escapeSingleQuotes(rule.matchValue)}') && ${mappedRoles} || []`;
+    });
+
+    const inner = `[${compiledRules.join(", ")}][]`;
+    const metadata = {
+        claimPath,
+        rules: rules.map((r) => ({
+            matchValue: r.matchValue,
+            roleNames: r.roleNames
+        }))
+    };
+
+    return `${PANGOLIN_ROLE_MAP_BUILDER_PREFIX}\n${JSON.stringify(metadata)}${BUILDER_METADATA_SEPARATOR}${inner}`;
+}
+
+export function detectRoleMappingConfig(
+    expression: string | null | undefined
+): RoleMappingConfig {
+    const stored = expression?.trim() || "";
+
+    if (!stored) {
+        return defaultRoleMappingConfig();
+    }
+
+    const { evaluationExpression, builderState } = unwrapRoleMapping(stored);
+
+    if (builderState) {
+        return {
+            mode: "mappingBuilder",
+            fixedRoleNames: [],
+            mappingBuilder: {
+                claimPath: builderState.claimPath,
+                rules: builderState.rules
+            },
+            rawExpression: evaluationExpression
+        };
+    }
+
+    const tail = evaluationExpression.trim();
+
+    const singleMatch = tail.match(SINGLE_QUOTED_ROLE_REGEX);
+    if (singleMatch?.[1]) {
+        return {
+            mode: "fixedRoles",
+            fixedRoleNames: [singleMatch[1]],
+            mappingBuilder: defaultRoleMappingConfig().mappingBuilder,
+            rawExpression: tail
+        };
+    }
+
+    const arrayMatch = tail.match(QUOTED_ROLE_ARRAY_REGEX);
+    if (arrayMatch?.[1]) {
+        const roleNames = arrayMatch[1]
+            .split(",")
+            .map((entry) => entry.trim())
+            .map((entry) => entry.match(SINGLE_QUOTED_ROLE_REGEX)?.[1] || "")
+            .filter(Boolean);
+
+        if (roleNames.length > 0) {
+            return {
+                mode: "fixedRoles",
+                fixedRoleNames: roleNames,
+                mappingBuilder: defaultRoleMappingConfig().mappingBuilder,
+                rawExpression: tail
+            };
+        }
+    }
+
+    return {
+        mode: "rawExpression",
+        fixedRoleNames: [],
+        mappingBuilder: defaultRoleMappingConfig().mappingBuilder,
+        rawExpression: tail
+    };
+}
+
+export function defaultRoleMappingConfig(): RoleMappingConfig {
+    return {
+        mode: "fixedRoles",
+        fixedRoleNames: [],
+        mappingBuilder: {
+            claimPath: "groups",
+            rules: [createMappingBuilderRule()]
+        },
+        rawExpression: ""
+    };
+}
+
+function dedupeNonEmpty(values: string[]): string[] {
+    return [...new Set(values.map((value) => value.trim()).filter(Boolean))];
+}

From 04dfbd0a14e03e504551f71083a40a1c1a89d3b1 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 27 Mar 2026 12:04:41 -0700
Subject: [PATCH 056/122] Chainid send through

---
 server/routers/newt/handleGetConfigMessage.ts    | 8 +++++---
 server/routers/newt/handleNewtRegisterMessage.ts | 5 +++--
 server/routers/olm/handleOlmRegisterMessage.ts   | 6 ++++--
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index 98be479c0..c73098ce4 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -11,7 +11,8 @@ import { canCompress } from "@server/lib/clientVersionChecks";
 
 const inputSchema = z.object({
     publicKey: z.string(),
-    port: z.int().positive()
+    port: z.int().positive(),
+    chainId: z.string()
 });
 
 type Input = z.infer<typeof inputSchema>;
@@ -43,7 +44,7 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         return;
     }
 
-    const { publicKey, port } = message.data as Input;
+    const { publicKey, port, chainId } = message.data as Input;
     const siteId = newt.siteId;
 
     // Get the current site data
@@ -136,7 +137,8 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
             data: {
                 ipAddress: site.address,
                 peers,
-                targets: targetsToSend
+                targets: targetsToSend,
+                chainId: chainId
             }
         },
         options: {
diff --git a/server/routers/newt/handleNewtRegisterMessage.ts b/server/routers/newt/handleNewtRegisterMessage.ts
index 90034cfbf..fce42caa3 100644
--- a/server/routers/newt/handleNewtRegisterMessage.ts
+++ b/server/routers/newt/handleNewtRegisterMessage.ts
@@ -43,7 +43,7 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
 
     const siteId = newt.siteId;
 
-    const { publicKey, pingResults, newtVersion, backwardsCompatible } =
+    const { publicKey, pingResults, newtVersion, backwardsCompatible, chainId } =
         message.data;
     if (!publicKey) {
         logger.warn("Public key not provided");
@@ -211,7 +211,8 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
                     udp: udpTargets,
                     tcp: tcpTargets
                 },
-                healthCheckTargets: validHealthCheckTargets
+                healthCheckTargets: validHealthCheckTargets,
+                chainId: chainId
             }
         },
         options: {
diff --git a/server/routers/olm/handleOlmRegisterMessage.ts b/server/routers/olm/handleOlmRegisterMessage.ts
index 5439245c4..26dbff1bd 100644
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -41,7 +41,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         orgId,
         userToken,
         fingerprint,
-        postures
+        postures,
+        chainId
     } = message.data;
 
     if (!olm.clientId) {
@@ -293,7 +294,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
             data: {
                 sites: siteConfigurations,
                 tunnelIP: client.subnet,
-                utilitySubnet: org.utilitySubnet
+                utilitySubnet: org.utilitySubnet,
+                chainId: chainId
             }
         },
         options: {

From 177926932b79d1162987a9a7d4e3d78121bb4022 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 27 Mar 2026 17:07:58 -0700
Subject: [PATCH 057/122] Update hybrid for multi role

---
 server/private/routers/hybrid.ts | 90 +++++++++++++++++++++++++++-----
 1 file changed, 77 insertions(+), 13 deletions(-)

diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index a38385b0c..5ca720594 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -52,7 +52,9 @@ import {
     userOrgs,
     roleResources,
     userResources,
-    resourceRules
+    resourceRules,
+    userOrgRoles,
+    roles
 } from "@server/db";
 import { eq, and, inArray, isNotNull, ne } from "drizzle-orm";
 import { response } from "@server/lib/response";
@@ -104,6 +106,13 @@ const getUserOrgSessionVerifySchema = z.strictObject({
     sessionId: z.string().min(1, "Session ID is required")
 });
 
+const getRoleNameParamsSchema = z.strictObject({
+    roleId: z
+        .string()
+        .transform(Number)
+        .pipe(z.int().positive("Role ID must be a positive integer"))
+});
+
 const getRoleResourceAccessParamsSchema = z.strictObject({
     roleId: z
         .string()
@@ -796,23 +805,26 @@ hybridRouter.get(
                 );
             }
 
-            const userOrgRole = await db
-                .select()
-                .from(userOrgs)
+            const userOrgRoleRows = await db
+                .select({ roleId: userOrgRoles.roleId })
+                .from(userOrgRoles)
                 .where(
-                    and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
-                )
-                .limit(1);
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, orgId)
+                    )
+                );
 
-            const result = userOrgRole.length > 0 ? userOrgRole[0] : null;
+            const roleIds = userOrgRoleRows.map((r) => r.roleId);
 
-            return response<typeof userOrgs.$inferSelect | null>(res, {
-                data: result,
+            return response<number[]>(res, {
+                data: roleIds,
                 success: true,
                 error: false,
-                message: result
-                    ? "User org role retrieved successfully"
-                    : "User org role not found",
+                message:
+                    roleIds.length > 0
+                        ? "User org roles retrieved successfully"
+                        : "User has no roles in this organization",
                 status: HttpCode.OK
             });
         } catch (error) {
@@ -890,6 +902,58 @@ hybridRouter.get(
     }
 );
 
+// Get role name by ID
+hybridRouter.get(
+    "/role/:roleId/name",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getRoleNameParamsSchema.safeParse(req.params);
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { roleId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode?.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            const [role] = await db
+                .select({ name: roles.name })
+                .from(roles)
+                .where(eq(roles.roleId, roleId))
+                .limit(1);
+
+            return response<string | null>(res, {
+                data: role?.name ?? null,
+                success: true,
+                error: false,
+                message: role ? "Role name retrieved successfully" : "Role not found",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get role name"
+                )
+            );
+        }
+    }
+);
+
 // Check if role has access to resource
 hybridRouter.get(
     "/role/:roleId/resource/:resourceId/access",

From bea20674a8efd8ab9e7b1b048d6e76a89d8b3ec6 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 27 Mar 2026 17:35:35 -0700
Subject: [PATCH 058/122] support policy buildiner in global idp

---
 messages/en-US.json                          |  31 +-
 src/app/admin/idp/[idpId]/general/page.tsx   |  64 ++-
 src/app/admin/idp/[idpId]/layout.tsx         |   2 +-
 src/app/admin/idp/[idpId]/policies/page.tsx  | 385 +++++++++++++------
 src/app/admin/idp/create/page.tsx            |  33 --
 src/components/AutoProvisionConfigWidget.tsx | 293 +-------------
 src/components/RoleMappingConfigFields.tsx   | 366 ++++++++++++++++++
 7 files changed, 703 insertions(+), 471 deletions(-)
 create mode 100644 src/components/RoleMappingConfigFields.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 361771d87..7d00c8105 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -509,6 +509,7 @@
     "userSaved": "User saved",
     "userSavedDescription": "The user has been updated.",
     "autoProvisioned": "Auto Provisioned",
+    "autoProvisionSettings": "Auto Provision Settings",
     "autoProvisionedDescription": "Allow this user to be automatically managed by identity provider",
     "accessControlsDescription": "Manage what this user can access and do in the organization",
     "accessControlsSubmit": "Save Access Controls",
@@ -1042,7 +1043,6 @@
     "pageNotFoundDescription": "Oops! The page you're looking for doesn't exist.",
     "overview": "Overview",
     "home": "Home",
-    "accessControl": "Access Control",
     "settings": "Settings",
     "usersAll": "All Users",
     "license": "License",
@@ -1942,6 +1942,24 @@
     "invalidValue": "Invalid value",
     "idpTypeLabel": "Identity Provider Type",
     "roleMappingExpressionPlaceholder": "e.g., contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Fixed roles",
+    "roleMappingModeMappingBuilder": "Mapping builder",
+    "roleMappingModeRawExpression": "Raw expression",
+    "roleMappingFixedRolesPlaceholderSelect": "Select one or more roles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Type role names (exact match per organization)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assign the same role set to every auto-provisioned user.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "For default policies, type role names that exist in each organization where users are provisioned. Names must match exactly.",
+    "roleMappingClaimPath": "Claim path",
+    "roleMappingClaimPathPlaceholder": "groups",
+    "roleMappingClaimPathDescription": "Path in the token payload that contains source values (for example, groups).",
+    "roleMappingMatchValue": "Match value",
+    "roleMappingAssignRoles": "Assign roles",
+    "roleMappingAddMappingRule": "Add mapping rule",
+    "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
+    "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Role names must match a role in each target organization.",
+    "roleMappingRemoveRule": "Remove",
     "idpGoogleConfiguration": "Google Configuration",
     "idpGoogleConfigurationDescription": "Configure the Google OAuth2 credentials",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2514,9 +2532,9 @@
     "remoteExitNodeRegenerateCredentialsConfirmation": "Are you sure you want to regenerate the credentials for this remote exit node?",
     "remoteExitNodeRegenerateCredentialsWarning": "This will regenerate the credentials. The remote exit node will stay connected until you manually restart it and use the new credentials.",
     "agent": "Agent",
-    "personalUseOnly":  "Personal Use Only",
-    "loginPageLicenseWatermark":  "This instance is licensed for personal use only.",
-    "instanceIsUnlicensed":  "This instance is unlicensed.",
+    "personalUseOnly": "Personal Use Only",
+    "loginPageLicenseWatermark": "This instance is licensed for personal use only.",
+    "instanceIsUnlicensed": "This instance is unlicensed.",
     "portRestrictions": "Port Restrictions",
     "allPorts": "All",
     "custom": "Custom",
@@ -2570,7 +2588,7 @@
     "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
     "forced": "Forced",
     "forcedModeDescription": "Always show the maintenance page regardless of backend health. Use this for planned maintenance when you want to prevent all access.",
-    "warning:" : "Warning:",
+    "warning:": "Warning:",
     "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
     "pageTitle": "Page Title",
     "pageTitleDescription": "The main heading displayed on the maintenance page",
@@ -2687,5 +2705,6 @@
     "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
     "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
     "approvalsEmptyStateButtonText": "Manage Roles",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "We are having trouble verifying your domain",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab."
 }
diff --git a/src/app/admin/idp/[idpId]/general/page.tsx b/src/app/admin/idp/[idpId]/general/page.tsx
index d431efa2d..a5ed14a6e 100644
--- a/src/app/admin/idp/[idpId]/general/page.tsx
+++ b/src/app/admin/idp/[idpId]/general/page.tsx
@@ -15,7 +15,8 @@ import {
 import { Input } from "@app/components/ui/input";
 import { useForm } from "react-hook-form";
 import { toast } from "@app/hooks/useToast";
-import { useRouter, useParams, redirect } from "next/navigation";
+import { useRouter, useParams } from "next/navigation";
+import Link from "next/link";
 import {
     SettingsContainer,
     SettingsSection,
@@ -189,15 +190,6 @@ export default function GeneralPage() {
                             </InfoSection>
                         </InfoSections>
 
-                        <Alert variant="neutral" className="">
-                            <InfoIcon className="h-4 w-4" />
-                            <AlertTitle className="font-semibold">
-                                {t("redirectUrlAbout")}
-                            </AlertTitle>
-                            <AlertDescription>
-                                {t("redirectUrlAboutDescription")}
-                            </AlertDescription>
-                        </Alert>
                         <SettingsSectionForm>
                             <Form {...form}>
                                 <form
@@ -239,9 +231,32 @@ export default function GeneralPage() {
                                             }}
                                         />
                                     </div>
-                                    <span className="text-sm text-muted-foreground">
-                                        {t("idpAutoProvisionUsersDescription")}
-                                    </span>
+                                    <div className="flex flex-col gap-2">
+                                        <span className="text-sm text-muted-foreground">
+                                            {t(
+                                                "idpAutoProvisionUsersDescription"
+                                            )}
+                                        </span>
+                                        {form.watch("autoProvision") && (
+                                            <FormDescription>
+                                                {t.rich(
+                                                    "idpAdminAutoProvisionPoliciesTabHint",
+                                                    {
+                                                        policiesTabLink: (
+                                                            chunks
+                                                        ) => (
+                                                            <Link
+                                                                href={`/admin/idp/${idpId}/policies`}
+                                                                className="text-primary hover:underline inline-flex items-center gap-1"
+                                                            >
+                                                                {chunks}
+                                                            </Link>
+                                                        )
+                                                    }
+                                                )}
+                                            </FormDescription>
+                                        )}
+                                    </div>
                                 </form>
                             </Form>
                         </SettingsSectionForm>
@@ -375,29 +390,6 @@ export default function GeneralPage() {
                                         className="space-y-4"
                                         id="general-settings-form"
                                     >
-                                        <Alert variant="neutral">
-                                            <InfoIcon className="h-4 w-4" />
-                                            <AlertTitle className="font-semibold">
-                                                {t("idpJmespathAbout")}
-                                            </AlertTitle>
-                                            <AlertDescription>
-                                                {t(
-                                                    "idpJmespathAboutDescription"
-                                                )}
-                                                <a
-                                                    href="https://jmespath.org"
-                                                    target="_blank"
-                                                    rel="noopener noreferrer"
-                                                    className="text-primary hover:underline inline-flex items-center"
-                                                >
-                                                    {t(
-                                                        "idpJmespathAboutDescriptionLink"
-                                                    )}{" "}
-                                                    <ExternalLink className="ml-1 h-4 w-4" />
-                                                </a>
-                                            </AlertDescription>
-                                        </Alert>
-
                                         <FormField
                                             control={form.control}
                                             name="identifierPath"
diff --git a/src/app/admin/idp/[idpId]/layout.tsx b/src/app/admin/idp/[idpId]/layout.tsx
index 9634a3de2..93ca08bd7 100644
--- a/src/app/admin/idp/[idpId]/layout.tsx
+++ b/src/app/admin/idp/[idpId]/layout.tsx
@@ -34,7 +34,7 @@ export default async function SettingsLayout(props: SettingsLayoutProps) {
             href: `/admin/idp/${params.idpId}/general`
         },
         {
-            title: t("orgPolicies"),
+            title: t("autoProvisionSettings"),
             href: `/admin/idp/${params.idpId}/policies`
         }
     ];
diff --git a/src/app/admin/idp/[idpId]/policies/page.tsx b/src/app/admin/idp/[idpId]/policies/page.tsx
index bf17abe98..086074e2d 100644
--- a/src/app/admin/idp/[idpId]/policies/page.tsx
+++ b/src/app/admin/idp/[idpId]/policies/page.tsx
@@ -1,7 +1,7 @@
 "use client";
 
 import { useEffect, useState } from "react";
-import { useParams, useRouter } from "next/navigation";
+import { useParams } from "next/navigation";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
@@ -34,6 +34,7 @@ import { InfoIcon, ExternalLink, CheckIcon } from "lucide-react";
 import PolicyTable, { PolicyRow } from "../../../../../components/PolicyTable";
 import { AxiosResponse } from "axios";
 import { ListOrgsResponse } from "@server/routers/org";
+import { ListRolesResponse } from "@server/routers/role";
 import {
     Popover,
     PopoverContent,
@@ -50,8 +51,6 @@ import {
 } from "@app/components/ui/command";
 import { CaretSortIcon } from "@radix-ui/react-icons";
 import Link from "next/link";
-import { Textarea } from "@app/components/ui/textarea";
-import { InfoPopup } from "@app/components/ui/info-popup";
 import { GetIdpResponse } from "@server/routers/idp";
 import {
     SettingsContainer,
@@ -64,16 +63,40 @@ import {
     SettingsSectionForm
 } from "@app/components/Settings";
 import { useTranslations } from "next-intl";
+import RoleMappingConfigFields from "@app/components/RoleMappingConfigFields";
+import {
+    compileRoleMappingExpression,
+    createMappingBuilderRule,
+    defaultRoleMappingConfig,
+    detectRoleMappingConfig,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
 
 type Organization = {
     orgId: string;
     name: string;
 };
 
+function resetRoleMappingStateFromDetected(
+    setMode: (m: RoleMappingMode) => void,
+    setFixed: (v: string[]) => void,
+    setClaim: (v: string) => void,
+    setRules: (v: MappingBuilderRule[]) => void,
+    setRaw: (v: string) => void,
+    stored: string | null | undefined
+) {
+    const d = detectRoleMappingConfig(stored);
+    setMode(d.mode);
+    setFixed(d.fixedRoleNames);
+    setClaim(d.mappingBuilder.claimPath);
+    setRules(d.mappingBuilder.rules);
+    setRaw(d.rawExpression);
+}
+
 export default function PoliciesPage() {
     const { env } = useEnvContext();
     const api = createApiClient({ env });
-    const router = useRouter();
     const { idpId } = useParams();
     const t = useTranslations();
 
@@ -88,14 +111,39 @@ export default function PoliciesPage() {
     const [showAddDialog, setShowAddDialog] = useState(false);
     const [editingPolicy, setEditingPolicy] = useState<PolicyRow | null>(null);
 
+    const [defaultRoleMappingMode, setDefaultRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [defaultFixedRoleNames, setDefaultFixedRoleNames] = useState<
+        string[]
+    >([]);
+    const [defaultMappingBuilderClaimPath, setDefaultMappingBuilderClaimPath] =
+        useState("groups");
+    const [defaultMappingBuilderRules, setDefaultMappingBuilderRules] =
+        useState<MappingBuilderRule[]>([createMappingBuilderRule()]);
+    const [defaultRawRoleExpression, setDefaultRawRoleExpression] =
+        useState("");
+
+    const [policyRoleMappingMode, setPolicyRoleMappingMode] =
+        useState<RoleMappingMode>("fixedRoles");
+    const [policyFixedRoleNames, setPolicyFixedRoleNames] = useState<string[]>(
+        []
+    );
+    const [policyMappingBuilderClaimPath, setPolicyMappingBuilderClaimPath] =
+        useState("groups");
+    const [policyMappingBuilderRules, setPolicyMappingBuilderRules] = useState<
+        MappingBuilderRule[]
+    >([createMappingBuilderRule()]);
+    const [policyRawRoleExpression, setPolicyRawRoleExpression] = useState("");
+    const [policyOrgRoles, setPolicyOrgRoles] = useState<
+        { roleId: number; name: string }[]
+    >([]);
+
     const policyFormSchema = z.object({
         orgId: z.string().min(1, { message: t("orgRequired") }),
-        roleMapping: z.string().optional(),
         orgMapping: z.string().optional()
     });
 
     const defaultMappingsSchema = z.object({
-        defaultRoleMapping: z.string().optional(),
         defaultOrgMapping: z.string().optional()
     });
 
@@ -106,15 +154,15 @@ export default function PoliciesPage() {
         resolver: zodResolver(policyFormSchema),
         defaultValues: {
             orgId: "",
-            roleMapping: "",
             orgMapping: ""
         }
     });
 
+    const policyFormOrgId = form.watch("orgId");
+
     const defaultMappingsForm = useForm({
         resolver: zodResolver(defaultMappingsSchema),
         defaultValues: {
-            defaultRoleMapping: "",
             defaultOrgMapping: ""
         }
     });
@@ -127,9 +175,16 @@ export default function PoliciesPage() {
             if (res.status === 200) {
                 const data = res.data.data;
                 defaultMappingsForm.reset({
-                    defaultRoleMapping: data.idp.defaultRoleMapping || "",
                     defaultOrgMapping: data.idp.defaultOrgMapping || ""
                 });
+                resetRoleMappingStateFromDetected(
+                    setDefaultRoleMappingMode,
+                    setDefaultFixedRoleNames,
+                    setDefaultMappingBuilderClaimPath,
+                    setDefaultMappingBuilderRules,
+                    setDefaultRawRoleExpression,
+                    data.idp.defaultRoleMapping
+                );
             }
         } catch (e) {
             toast({
@@ -184,11 +239,67 @@ export default function PoliciesPage() {
         load();
     }, [idpId]);
 
+    useEffect(() => {
+        if (!showAddDialog) {
+            return;
+        }
+
+        const orgId = editingPolicy?.orgId || policyFormOrgId;
+        if (!orgId) {
+            setPolicyOrgRoles([]);
+            return;
+        }
+
+        let cancelled = false;
+        (async () => {
+            const res = await api
+                .get<AxiosResponse<ListRolesResponse>>(`/org/${orgId}/roles`)
+                .catch((e) => {
+                    console.error(e);
+                    toast({
+                        variant: "destructive",
+                        title: t("accessRoleErrorFetch"),
+                        description: formatAxiosError(
+                            e,
+                            t("accessRoleErrorFetchDescription")
+                        )
+                    });
+                    return null;
+                });
+            if (!cancelled && res?.status === 200) {
+                setPolicyOrgRoles(res.data.data.roles);
+            }
+        })();
+
+        return () => {
+            cancelled = true;
+        };
+    }, [showAddDialog, editingPolicy?.orgId, policyFormOrgId, api, t]);
+
+    function resetPolicyDialogRoleMappingState() {
+        const d = defaultRoleMappingConfig();
+        setPolicyRoleMappingMode(d.mode);
+        setPolicyFixedRoleNames(d.fixedRoleNames);
+        setPolicyMappingBuilderClaimPath(d.mappingBuilder.claimPath);
+        setPolicyMappingBuilderRules(d.mappingBuilder.rules);
+        setPolicyRawRoleExpression(d.rawExpression);
+    }
+
     const onAddPolicy = async (data: PolicyFormValues) => {
+        const roleMappingExpression = compileRoleMappingExpression({
+            mode: policyRoleMappingMode,
+            fixedRoleNames: policyFixedRoleNames,
+            mappingBuilder: {
+                claimPath: policyMappingBuilderClaimPath,
+                rules: policyMappingBuilderRules
+            },
+            rawExpression: policyRawRoleExpression
+        });
+
         setAddPolicyLoading(true);
         try {
             const res = await api.put(`/idp/${idpId}/org/${data.orgId}`, {
-                roleMapping: data.roleMapping,
+                roleMapping: roleMappingExpression,
                 orgMapping: data.orgMapping
             });
             if (res.status === 201) {
@@ -197,7 +308,7 @@ export default function PoliciesPage() {
                     name:
                         organizations.find((org) => org.orgId === data.orgId)
                             ?.name || "",
-                    roleMapping: data.roleMapping,
+                    roleMapping: roleMappingExpression,
                     orgMapping: data.orgMapping
                 };
                 setPolicies([...policies, newPolicy]);
@@ -207,6 +318,7 @@ export default function PoliciesPage() {
                 });
                 setShowAddDialog(false);
                 form.reset();
+                resetPolicyDialogRoleMappingState();
             }
         } catch (e) {
             toast({
@@ -222,12 +334,22 @@ export default function PoliciesPage() {
     const onEditPolicy = async (data: PolicyFormValues) => {
         if (!editingPolicy) return;
 
+        const roleMappingExpression = compileRoleMappingExpression({
+            mode: policyRoleMappingMode,
+            fixedRoleNames: policyFixedRoleNames,
+            mappingBuilder: {
+                claimPath: policyMappingBuilderClaimPath,
+                rules: policyMappingBuilderRules
+            },
+            rawExpression: policyRawRoleExpression
+        });
+
         setEditPolicyLoading(true);
         try {
             const res = await api.post(
                 `/idp/${idpId}/org/${editingPolicy.orgId}`,
                 {
-                    roleMapping: data.roleMapping,
+                    roleMapping: roleMappingExpression,
                     orgMapping: data.orgMapping
                 }
             );
@@ -237,7 +359,7 @@ export default function PoliciesPage() {
                         policy.orgId === editingPolicy.orgId
                             ? {
                                   ...policy,
-                                  roleMapping: data.roleMapping,
+                                  roleMapping: roleMappingExpression,
                                   orgMapping: data.orgMapping
                               }
                             : policy
@@ -250,6 +372,7 @@ export default function PoliciesPage() {
                 setShowAddDialog(false);
                 setEditingPolicy(null);
                 form.reset();
+                resetPolicyDialogRoleMappingState();
             }
         } catch (e) {
             toast({
@@ -287,10 +410,20 @@ export default function PoliciesPage() {
     };
 
     const onUpdateDefaultMappings = async (data: DefaultMappingsValues) => {
+        const defaultRoleMappingExpression = compileRoleMappingExpression({
+            mode: defaultRoleMappingMode,
+            fixedRoleNames: defaultFixedRoleNames,
+            mappingBuilder: {
+                claimPath: defaultMappingBuilderClaimPath,
+                rules: defaultMappingBuilderRules
+            },
+            rawExpression: defaultRawRoleExpression
+        });
+
         setUpdateDefaultMappingsLoading(true);
         try {
             const res = await api.post(`/idp/${idpId}/oidc`, {
-                defaultRoleMapping: data.defaultRoleMapping,
+                defaultRoleMapping: defaultRoleMappingExpression,
                 defaultOrgMapping: data.defaultOrgMapping
             });
             if (res.status === 200) {
@@ -317,25 +450,36 @@ export default function PoliciesPage() {
     return (
         <>
             <SettingsContainer>
-                <Alert variant="neutral" className="mb-6">
-                    <InfoIcon className="h-4 w-4" />
-                    <AlertTitle className="font-semibold">
-                        {t("orgPoliciesAbout")}
-                    </AlertTitle>
-                    <AlertDescription>
-                        {/*TODO(vlalx): Validate replacing */}
-                        {t("orgPoliciesAboutDescription")}{" "}
-                        <Link
-                            href="https://docs.pangolin.net/manage/identity-providers/auto-provisioning"
-                            target="_blank"
-                            rel="noopener noreferrer"
-                            className="text-primary hover:underline"
-                        >
-                            {t("orgPoliciesAboutDescriptionLink")}
-                            <ExternalLink className="ml-1 h-4 w-4 inline" />
-                        </Link>
-                    </AlertDescription>
-                </Alert>
+                <PolicyTable
+                    policies={policies}
+                    onDelete={onDeletePolicy}
+                    onAdd={() => {
+                        loadOrganizations();
+                        form.reset({
+                            orgId: "",
+                            orgMapping: ""
+                        });
+                        setEditingPolicy(null);
+                        resetPolicyDialogRoleMappingState();
+                        setShowAddDialog(true);
+                    }}
+                    onEdit={(policy) => {
+                        setEditingPolicy(policy);
+                        form.reset({
+                            orgId: policy.orgId,
+                            orgMapping: policy.orgMapping || ""
+                        });
+                        resetRoleMappingStateFromDetected(
+                            setPolicyRoleMappingMode,
+                            setPolicyFixedRoleNames,
+                            setPolicyMappingBuilderClaimPath,
+                            setPolicyMappingBuilderRules,
+                            setPolicyRawRoleExpression,
+                            policy.roleMapping
+                        );
+                        setShowAddDialog(true);
+                    }}
+                />
 
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -353,51 +497,58 @@ export default function PoliciesPage() {
                                     onUpdateDefaultMappings
                                 )}
                                 id="policy-default-mappings-form"
-                                className="space-y-4"
+                                className="space-y-6"
                             >
-                                <div className="grid gap-6 md:grid-cols-2">
-                                    <FormField
-                                        control={defaultMappingsForm.control}
-                                        name="defaultRoleMapping"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("defaultMappingsRole")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input {...field} />
-                                                </FormControl>
-                                                <FormDescription>
-                                                    {t(
-                                                        "defaultMappingsRoleDescription"
-                                                    )}
-                                                </FormDescription>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
+                                <RoleMappingConfigFields
+                                    fieldIdPrefix="admin-idp-default-role"
+                                    showFreeformRoleNamesHint={true}
+                                    roleMappingMode={defaultRoleMappingMode}
+                                    onRoleMappingModeChange={
+                                        setDefaultRoleMappingMode
+                                    }
+                                    roles={[]}
+                                    fixedRoleNames={defaultFixedRoleNames}
+                                    onFixedRoleNamesChange={
+                                        setDefaultFixedRoleNames
+                                    }
+                                    mappingBuilderClaimPath={
+                                        defaultMappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setDefaultMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={
+                                        defaultMappingBuilderRules
+                                    }
+                                    onMappingBuilderRulesChange={
+                                        setDefaultMappingBuilderRules
+                                    }
+                                    rawExpression={defaultRawRoleExpression}
+                                    onRawExpressionChange={
+                                        setDefaultRawRoleExpression
+                                    }
+                                />
 
-                                    <FormField
-                                        control={defaultMappingsForm.control}
-                                        name="defaultOrgMapping"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("defaultMappingsOrg")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input {...field} />
-                                                </FormControl>
-                                                <FormDescription>
-                                                    {t(
-                                                        "defaultMappingsOrgDescription"
-                                                    )}
-                                                </FormDescription>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
-                                </div>
+                                <FormField
+                                    control={defaultMappingsForm.control}
+                                    name="defaultOrgMapping"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("defaultMappingsOrg")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input {...field} />
+                                            </FormControl>
+                                            <FormDescription>
+                                                {t(
+                                                    "defaultMappingsOrgDescription"
+                                                )}
+                                            </FormDescription>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
                             </form>
                         </Form>
                         <SettingsSectionFooter>
@@ -411,41 +562,20 @@ export default function PoliciesPage() {
                         </SettingsSectionFooter>
                     </SettingsSectionBody>
                 </SettingsSection>
-
-                <PolicyTable
-                    policies={policies}
-                    onDelete={onDeletePolicy}
-                    onAdd={() => {
-                        loadOrganizations();
-                        form.reset({
-                            orgId: "",
-                            roleMapping: "",
-                            orgMapping: ""
-                        });
-                        setEditingPolicy(null);
-                        setShowAddDialog(true);
-                    }}
-                    onEdit={(policy) => {
-                        setEditingPolicy(policy);
-                        form.reset({
-                            orgId: policy.orgId,
-                            roleMapping: policy.roleMapping || "",
-                            orgMapping: policy.orgMapping || ""
-                        });
-                        setShowAddDialog(true);
-                    }}
-                />
             </SettingsContainer>
 
             <Credenza
                 open={showAddDialog}
                 onOpenChange={(val) => {
                     setShowAddDialog(val);
-                    setEditingPolicy(null);
-                    form.reset();
+                    if (!val) {
+                        setEditingPolicy(null);
+                        form.reset();
+                        resetPolicyDialogRoleMappingState();
+                    }
                 }}
             >
-                <CredenzaContent>
+                <CredenzaContent className="max-w-4xl w-[calc(100vw-2rem)] sm:w-full">
                     <CredenzaHeader>
                         <CredenzaTitle>
                             {editingPolicy
@@ -456,7 +586,7 @@ export default function PoliciesPage() {
                             {t("orgPolicyConfig")}
                         </CredenzaDescription>
                     </CredenzaHeader>
-                    <CredenzaBody>
+                    <CredenzaBody className="min-w-0 overflow-x-auto">
                         <Form {...form}>
                             <form
                                 onSubmit={form.handleSubmit(
@@ -557,25 +687,34 @@ export default function PoliciesPage() {
                                     )}
                                 />
 
-                                <FormField
-                                    control={form.control}
-                                    name="roleMapping"
-                                    render={({ field }) => (
-                                        <FormItem>
-                                            <FormLabel>
-                                                {t("roleMappingPathOptional")}
-                                            </FormLabel>
-                                            <FormControl>
-                                                <Input {...field} />
-                                            </FormControl>
-                                            <FormDescription>
-                                                {t(
-                                                    "defaultMappingsRoleDescription"
-                                                )}
-                                            </FormDescription>
-                                            <FormMessage />
-                                        </FormItem>
-                                    )}
+                                <RoleMappingConfigFields
+                                    fieldIdPrefix="admin-idp-policy-role"
+                                    showFreeformRoleNamesHint={false}
+                                    roleMappingMode={policyRoleMappingMode}
+                                    onRoleMappingModeChange={
+                                        setPolicyRoleMappingMode
+                                    }
+                                    roles={policyOrgRoles}
+                                    fixedRoleNames={policyFixedRoleNames}
+                                    onFixedRoleNamesChange={
+                                        setPolicyFixedRoleNames
+                                    }
+                                    mappingBuilderClaimPath={
+                                        policyMappingBuilderClaimPath
+                                    }
+                                    onMappingBuilderClaimPathChange={
+                                        setPolicyMappingBuilderClaimPath
+                                    }
+                                    mappingBuilderRules={
+                                        policyMappingBuilderRules
+                                    }
+                                    onMappingBuilderRulesChange={
+                                        setPolicyMappingBuilderRules
+                                    }
+                                    rawExpression={policyRawRoleExpression}
+                                    onRawExpressionChange={
+                                        setPolicyRawRoleExpression
+                                    }
                                 />
 
                                 <FormField
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index acb2f3582..91b55da23 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -340,16 +340,6 @@ export default function Page() {
                                         />
                                     </form>
                                 </Form>
-
-                                <Alert variant="neutral">
-                                    <InfoIcon className="h-4 w-4" />
-                                    <AlertTitle className="font-semibold">
-                                        {t("idpOidcConfigureAlert")}
-                                    </AlertTitle>
-                                    <AlertDescription>
-                                        {t("idpOidcConfigureAlertDescription")}
-                                    </AlertDescription>
-                                </Alert>
                             </SettingsSectionBody>
                         </SettingsSection>
 
@@ -369,29 +359,6 @@ export default function Page() {
                                         id="create-idp-form"
                                         onSubmit={form.handleSubmit(onSubmit)}
                                     >
-                                        <Alert variant="neutral">
-                                            <InfoIcon className="h-4 w-4" />
-                                            <AlertTitle className="font-semibold">
-                                                {t("idpJmespathAbout")}
-                                            </AlertTitle>
-                                            <AlertDescription>
-                                                {t(
-                                                    "idpJmespathAboutDescription"
-                                                )}{" "}
-                                                <a
-                                                    href="https://jmespath.org"
-                                                    target="_blank"
-                                                    rel="noopener noreferrer"
-                                                    className="text-primary hover:underline inline-flex items-center"
-                                                >
-                                                    {t(
-                                                        "idpJmespathAboutDescriptionLink"
-                                                    )}{" "}
-                                                    <ExternalLink className="ml-1 h-4 w-4" />
-                                                </a>
-                                            </AlertDescription>
-                                        </Alert>
-
                                         <FormField
                                             control={form.control}
                                             name="identifierPath"
diff --git a/src/components/AutoProvisionConfigWidget.tsx b/src/components/AutoProvisionConfigWidget.tsx
index 44ee8c6e0..59849989a 100644
--- a/src/components/AutoProvisionConfigWidget.tsx
+++ b/src/components/AutoProvisionConfigWidget.tsx
@@ -1,23 +1,15 @@
 "use client";
 
-import {
-    FormLabel,
-    FormDescription
-} from "@app/components/ui/form";
+import { FormDescription } from "@app/components/ui/form";
 import { SwitchInput } from "@app/components/SwitchInput";
-import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
-import { Button } from "@app/components/ui/button";
-import { Input } from "@app/components/ui/input";
 import { useTranslations } from "next-intl";
-import { useMemo, useState } from "react";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { Tag, TagInput } from "@app/components/tags/tag-input";
 import {
-    createMappingBuilderRule,
     MappingBuilderRule,
     RoleMappingMode
 } from "@app/lib/idpRoleMapping";
+import RoleMappingConfigFields from "@app/components/RoleMappingConfigFields";
 
 type Role = {
     roleId: number;
@@ -57,18 +49,6 @@ export default function AutoProvisionConfigWidget({
 }: AutoProvisionConfigWidgetProps) {
     const t = useTranslations();
     const { isPaidUser } = usePaidStatus();
-    const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
-        number | null
-    >(null);
-
-    const roleOptions = useMemo(
-        () =>
-            roles.map((role) => ({
-                id: role.name,
-                text: role.name
-            })),
-        [roles]
-    );
 
     return (
         <div className="space-y-4">
@@ -80,261 +60,30 @@ export default function AutoProvisionConfigWidget({
                     onCheckedChange={onAutoProvisionChange}
                     disabled={!isPaidUser(tierMatrix.autoProvisioning)}
                 />
-                <span className="text-sm text-muted-foreground">
+                <FormDescription className="text-sm text-muted-foreground">
                     {t("idpAutoProvisionUsersDescription")}
-                </span>
+                </FormDescription>
             </div>
 
             {autoProvision && (
-                <div className="space-y-4">
-                    <div>
-                        <FormLabel className="mb-2">
-                            {t("roleMapping")}
-                        </FormLabel>
-                        <FormDescription className="mb-4">
-                            {t("roleMappingDescription")}
-                        </FormDescription>
-
-                        <RadioGroup
-                            value={roleMappingMode}
-                            onValueChange={onRoleMappingModeChange}
-                            className="flex flex-wrap gap-x-6 gap-y-2"
-                        >
-                            <div className="flex items-center space-x-2">
-                                <RadioGroupItem
-                                    value="fixedRoles"
-                                    id="fixed-roles-mode"
-                                />
-                                <label
-                                    htmlFor="fixed-roles-mode"
-                                    className="text-sm font-medium"
-                                >
-                                    Fixed roles
-                                </label>
-                            </div>
-                            <div className="flex items-center space-x-2">
-                                <RadioGroupItem
-                                    value="mappingBuilder"
-                                    id="mapping-builder-mode"
-                                />
-                                <label
-                                    htmlFor="mapping-builder-mode"
-                                    className="text-sm font-medium"
-                                >
-                                    Mapping builder
-                                </label>
-                            </div>
-                            <div className="flex items-center space-x-2">
-                                <RadioGroupItem
-                                    value="rawExpression"
-                                    id="expression-mode"
-                                />
-                                <label
-                                    htmlFor="expression-mode"
-                                    className="text-sm font-medium"
-                                >
-                                    Raw expression
-                                </label>
-                            </div>
-                        </RadioGroup>
-                    </div>
-
-                    {roleMappingMode === "fixedRoles" && (
-                        <div className="space-y-2">
-                            <TagInput
-                                tags={fixedRoleNames.map((name) => ({
-                                    id: name,
-                                    text: name
-                                }))}
-                                setTags={(nextTags) => {
-                                    const next =
-                                        typeof nextTags === "function"
-                                            ? nextTags(
-                                                  fixedRoleNames.map((name) => ({
-                                                      id: name,
-                                                      text: name
-                                                  }))
-                                              )
-                                            : nextTags;
-
-                                    onFixedRoleNamesChange(
-                                        [...new Set(next.map((tag) => tag.text))]
-                                    );
-                                }}
-                                activeTagIndex={activeFixedRoleTagIndex}
-                                setActiveTagIndex={setActiveFixedRoleTagIndex}
-                                placeholder="Select one or more roles"
-                                enableAutocomplete={true}
-                                autocompleteOptions={roleOptions}
-                                restrictTagsToAutocompleteOptions={true}
-                                allowDuplicates={false}
-                                sortTags={true}
-                                size="sm"
-                            />
-                            <FormDescription>
-                                Assign the same role set to every auto-provisioned
-                                user.
-                            </FormDescription>
-                        </div>
-                    )}
-
-                    {roleMappingMode === "mappingBuilder" && (
-                        <div className="space-y-4 rounded-md border p-3">
-                            <div className="space-y-2">
-                                <FormLabel>Claim path</FormLabel>
-                                <Input
-                                    value={mappingBuilderClaimPath}
-                                    onChange={(e) =>
-                                        onMappingBuilderClaimPathChange(
-                                            e.target.value
-                                        )
-                                    }
-                                    placeholder="groups"
-                                />
-                                <FormDescription>
-                                    Path in the token payload that contains source
-                                    values (for example, groups).
-                                </FormDescription>
-                            </div>
-
-                            <div className="space-y-3">
-                                <div className="hidden md:grid md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:gap-3">
-                                    <FormLabel>Match value</FormLabel>
-                                    <FormLabel>Assign roles</FormLabel>
-                                    <span />
-                                </div>
-
-                                {mappingBuilderRules.map((rule, index) => (
-                                    <BuilderRuleRow
-                                        key={rule.id ?? `mapping-rule-${index}`}
-                                        roleOptions={roleOptions}
-                                        rule={rule}
-                                        onChange={(nextRule) => {
-                                            const nextRules =
-                                                mappingBuilderRules.map(
-                                                    (row, i) =>
-                                                        i === index
-                                                            ? nextRule
-                                                            : row
-                                                );
-                                            onMappingBuilderRulesChange(
-                                                nextRules
-                                            );
-                                        }}
-                                        onRemove={() => {
-                                            const nextRules =
-                                                mappingBuilderRules.filter(
-                                                    (_, i) => i !== index
-                                                );
-                                            onMappingBuilderRulesChange(
-                                                nextRules.length
-                                                    ? nextRules
-                                                    : [createMappingBuilderRule()]
-                                            );
-                                        }}
-                                    />
-                                ))}
-                            </div>
-
-                            <Button
-                                type="button"
-                                variant="outline"
-                                onClick={() => {
-                                    onMappingBuilderRulesChange([
-                                        ...mappingBuilderRules,
-                                        createMappingBuilderRule()
-                                    ]);
-                                }}
-                            >
-                                Add mapping rule
-                            </Button>
-                        </div>
-                    )}
-
-                    {roleMappingMode === "rawExpression" && (
-                        <div className="space-y-2">
-                            <Input
-                                value={rawExpression}
-                                onChange={(e) =>
-                                    onRawExpressionChange(e.target.value)
-                                }
-                                placeholder={t("roleMappingExpressionPlaceholder")}
-                            />
-                            <FormDescription>
-                                Expression must evaluate to a string or string
-                                array.
-                            </FormDescription>
-                        </div>
-                    )}
-                </div>
+                <RoleMappingConfigFields
+                    fieldIdPrefix="org-idp-auto-provision"
+                    showFreeformRoleNamesHint={false}
+                    roleMappingMode={roleMappingMode}
+                    onRoleMappingModeChange={onRoleMappingModeChange}
+                    roles={roles}
+                    fixedRoleNames={fixedRoleNames}
+                    onFixedRoleNamesChange={onFixedRoleNamesChange}
+                    mappingBuilderClaimPath={mappingBuilderClaimPath}
+                    onMappingBuilderClaimPathChange={
+                        onMappingBuilderClaimPathChange
+                    }
+                    mappingBuilderRules={mappingBuilderRules}
+                    onMappingBuilderRulesChange={onMappingBuilderRulesChange}
+                    rawExpression={rawExpression}
+                    onRawExpressionChange={onRawExpressionChange}
+                />
             )}
         </div>
     );
 }
-
-function BuilderRuleRow({
-    rule,
-    roleOptions,
-    onChange,
-    onRemove
-}: {
-    rule: MappingBuilderRule;
-    roleOptions: Tag[];
-    onChange: (rule: MappingBuilderRule) => void;
-    onRemove: () => void;
-}) {
-    const [activeTagIndex, setActiveTagIndex] = useState<number | null>(null);
-
-    return (
-        <div className="grid gap-3 rounded-md border p-3 md:grid-cols-[minmax(220px,1fr)_minmax(340px,2fr)_auto] md:items-start">
-            <div className="space-y-1">
-                <FormLabel className="text-xs md:hidden">Match value</FormLabel>
-                <Input
-                    value={rule.matchValue}
-                    onChange={(e) =>
-                        onChange({
-                            ...rule,
-                            matchValue: e.target.value
-                        })
-                    }
-                    placeholder="Match value (for example: admin)"
-                />
-            </div>
-            <div className="space-y-1 min-w-0">
-                <FormLabel className="text-xs md:hidden">Assign roles</FormLabel>
-                <TagInput
-                    tags={rule.roleNames.map((name) => ({ id: name, text: name }))}
-                    setTags={(nextTags) => {
-                        const next =
-                            typeof nextTags === "function"
-                                ? nextTags(
-                                      rule.roleNames.map((name) => ({
-                                          id: name,
-                                          text: name
-                                      }))
-                                  )
-                                : nextTags;
-                        onChange({
-                            ...rule,
-                            roleNames: [...new Set(next.map((tag) => tag.text))]
-                        });
-                    }}
-                    activeTagIndex={activeTagIndex}
-                    setActiveTagIndex={setActiveTagIndex}
-                    placeholder="Assign roles"
-                    enableAutocomplete={true}
-                    autocompleteOptions={roleOptions}
-                    restrictTagsToAutocompleteOptions={true}
-                    allowDuplicates={false}
-                    sortTags={true}
-                    size="sm"
-                />
-            </div>
-            <div className="flex justify-end md:justify-start">
-                <Button type="button" variant="ghost" onClick={onRemove}>
-                    Remove
-                </Button>
-            </div>
-        </div>
-    );
-}
diff --git a/src/components/RoleMappingConfigFields.tsx b/src/components/RoleMappingConfigFields.tsx
new file mode 100644
index 000000000..4fe1a037b
--- /dev/null
+++ b/src/components/RoleMappingConfigFields.tsx
@@ -0,0 +1,366 @@
+"use client";
+
+import { FormLabel, FormDescription } from "@app/components/ui/form";
+import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { useTranslations } from "next-intl";
+import { useMemo, useState } from "react";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import {
+    createMappingBuilderRule,
+    MappingBuilderRule,
+    RoleMappingMode
+} from "@app/lib/idpRoleMapping";
+
+export type RoleMappingRoleOption = {
+    roleId: number;
+    name: string;
+};
+
+export type RoleMappingConfigFieldsProps = {
+    roleMappingMode: RoleMappingMode;
+    onRoleMappingModeChange: (mode: RoleMappingMode) => void;
+    roles: RoleMappingRoleOption[];
+    fixedRoleNames: string[];
+    onFixedRoleNamesChange: (roleNames: string[]) => void;
+    mappingBuilderClaimPath: string;
+    onMappingBuilderClaimPathChange: (claimPath: string) => void;
+    mappingBuilderRules: MappingBuilderRule[];
+    onMappingBuilderRulesChange: (rules: MappingBuilderRule[]) => void;
+    rawExpression: string;
+    onRawExpressionChange: (expression: string) => void;
+    /** Unique prefix for radio `id`/`htmlFor` when multiple instances exist on one page. */
+    fieldIdPrefix?: string;
+    /** When true, show extra hint for global default policies (no org role list). */
+    showFreeformRoleNamesHint?: boolean;
+};
+
+export default function RoleMappingConfigFields({
+    roleMappingMode,
+    onRoleMappingModeChange,
+    roles,
+    fixedRoleNames,
+    onFixedRoleNamesChange,
+    mappingBuilderClaimPath,
+    onMappingBuilderClaimPathChange,
+    mappingBuilderRules,
+    onMappingBuilderRulesChange,
+    rawExpression,
+    onRawExpressionChange,
+    fieldIdPrefix = "role-mapping",
+    showFreeformRoleNamesHint = false
+}: RoleMappingConfigFieldsProps) {
+    const t = useTranslations();
+    const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
+        number | null
+    >(null);
+
+    const restrictToOrgRoles = roles.length > 0;
+
+    const roleOptions = useMemo(
+        () =>
+            roles.map((role) => ({
+                id: role.name,
+                text: role.name
+            })),
+        [roles]
+    );
+
+    const fixedRadioId = `${fieldIdPrefix}-fixed-roles-mode`;
+    const builderRadioId = `${fieldIdPrefix}-mapping-builder-mode`;
+    const rawRadioId = `${fieldIdPrefix}-raw-expression-mode`;
+
+    /** Same template on header + rows so 1fr/1.75fr columns line up (auto third col differs per row otherwise). */
+    const mappingRulesGridClass =
+        "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)_6rem] md:gap-x-3";
+
+    return (
+        <div className="space-y-4">
+            <div>
+                <FormLabel className="mb-2">{t("roleMapping")}</FormLabel>
+                <FormDescription className="mb-4">
+                    {t("roleMappingDescription")}
+                </FormDescription>
+
+                <RadioGroup
+                    value={roleMappingMode}
+                    onValueChange={onRoleMappingModeChange}
+                    className="flex flex-wrap gap-x-6 gap-y-2"
+                >
+                    <div className="flex items-center space-x-2">
+                        <RadioGroupItem value="fixedRoles" id={fixedRadioId} />
+                        <label
+                            htmlFor={fixedRadioId}
+                            className="text-sm font-medium"
+                        >
+                            {t("roleMappingModeFixedRoles")}
+                        </label>
+                    </div>
+                    <div className="flex items-center space-x-2">
+                        <RadioGroupItem
+                            value="mappingBuilder"
+                            id={builderRadioId}
+                        />
+                        <label
+                            htmlFor={builderRadioId}
+                            className="text-sm font-medium"
+                        >
+                            {t("roleMappingModeMappingBuilder")}
+                        </label>
+                    </div>
+                    <div className="flex items-center space-x-2">
+                        <RadioGroupItem value="rawExpression" id={rawRadioId} />
+                        <label
+                            htmlFor={rawRadioId}
+                            className="text-sm font-medium"
+                        >
+                            {t("roleMappingModeRawExpression")}
+                        </label>
+                    </div>
+                </RadioGroup>
+            </div>
+
+            {roleMappingMode === "fixedRoles" && (
+                <div className="space-y-2 min-w-0 max-w-full">
+                    <TagInput
+                        tags={fixedRoleNames.map((name) => ({
+                            id: name,
+                            text: name
+                        }))}
+                        setTags={(nextTags) => {
+                            const next =
+                                typeof nextTags === "function"
+                                    ? nextTags(
+                                          fixedRoleNames.map((name) => ({
+                                              id: name,
+                                              text: name
+                                          }))
+                                      )
+                                    : nextTags;
+
+                            onFixedRoleNamesChange([
+                                ...new Set(next.map((tag) => tag.text))
+                            ]);
+                        }}
+                        activeTagIndex={activeFixedRoleTagIndex}
+                        setActiveTagIndex={setActiveFixedRoleTagIndex}
+                        placeholder={
+                            restrictToOrgRoles
+                                ? t("roleMappingFixedRolesPlaceholderSelect")
+                                : t("roleMappingFixedRolesPlaceholderFreeform")
+                        }
+                        enableAutocomplete={restrictToOrgRoles}
+                        autocompleteOptions={roleOptions}
+                        restrictTagsToAutocompleteOptions={restrictToOrgRoles}
+                        allowDuplicates={false}
+                        sortTags={true}
+                        size="sm"
+                    />
+                    <FormDescription>
+                        {showFreeformRoleNamesHint
+                            ? t("roleMappingFixedRolesDescriptionDefaultPolicy")
+                            : t("roleMappingFixedRolesDescriptionSameForAll")}
+                    </FormDescription>
+                </div>
+            )}
+
+            {roleMappingMode === "mappingBuilder" && (
+                <div className="space-y-4 rounded-md border p-3 min-w-0 max-w-full">
+                    <div className="space-y-2">
+                        <FormLabel>{t("roleMappingClaimPath")}</FormLabel>
+                        <Input
+                            value={mappingBuilderClaimPath}
+                            onChange={(e) =>
+                                onMappingBuilderClaimPathChange(e.target.value)
+                            }
+                            placeholder={t("roleMappingClaimPathPlaceholder")}
+                        />
+                        <FormDescription>
+                            {t("roleMappingClaimPathDescription")}
+                        </FormDescription>
+                    </div>
+
+                    <div className="space-y-3">
+                        <div
+                            className={`hidden ${mappingRulesGridClass} md:items-end`}
+                        >
+                            <FormLabel className="min-w-0">
+                                {t("roleMappingMatchValue")}
+                            </FormLabel>
+                            <FormLabel className="min-w-0">
+                                {t("roleMappingAssignRoles")}
+                            </FormLabel>
+                            <span aria-hidden className="min-w-0" />
+                        </div>
+
+                        {mappingBuilderRules.map((rule, index) => (
+                            <BuilderRuleRow
+                                key={rule.id ?? `mapping-rule-${index}`}
+                                mappingRulesGridClass={mappingRulesGridClass}
+                                fieldIdPrefix={`${fieldIdPrefix}-rule-${index}`}
+                                roleOptions={roleOptions}
+                                restrictToOrgRoles={restrictToOrgRoles}
+                                showFreeformRoleNamesHint={
+                                    showFreeformRoleNamesHint
+                                }
+                                rule={rule}
+                                onChange={(nextRule) => {
+                                    const nextRules = mappingBuilderRules.map(
+                                        (row, i) =>
+                                            i === index ? nextRule : row
+                                    );
+                                    onMappingBuilderRulesChange(nextRules);
+                                }}
+                                onRemove={() => {
+                                    const nextRules =
+                                        mappingBuilderRules.filter(
+                                            (_, i) => i !== index
+                                        );
+                                    onMappingBuilderRulesChange(
+                                        nextRules.length
+                                            ? nextRules
+                                            : [createMappingBuilderRule()]
+                                    );
+                                }}
+                            />
+                        ))}
+                    </div>
+
+                    <Button
+                        type="button"
+                        variant="outline"
+                        onClick={() => {
+                            onMappingBuilderRulesChange([
+                                ...mappingBuilderRules,
+                                createMappingBuilderRule()
+                            ]);
+                        }}
+                    >
+                        {t("roleMappingAddMappingRule")}
+                    </Button>
+                </div>
+            )}
+
+            {roleMappingMode === "rawExpression" && (
+                <div className="space-y-2">
+                    <Input
+                        value={rawExpression}
+                        onChange={(e) => onRawExpressionChange(e.target.value)}
+                        placeholder={t("roleMappingExpressionPlaceholder")}
+                    />
+                    <FormDescription>
+                        {t("roleMappingRawExpressionResultDescription")}
+                    </FormDescription>
+                </div>
+            )}
+        </div>
+    );
+}
+
+function BuilderRuleRow({
+    rule,
+    roleOptions,
+    restrictToOrgRoles,
+    showFreeformRoleNamesHint,
+    fieldIdPrefix,
+    mappingRulesGridClass,
+    onChange,
+    onRemove
+}: {
+    rule: MappingBuilderRule;
+    roleOptions: Tag[];
+    restrictToOrgRoles: boolean;
+    showFreeformRoleNamesHint: boolean;
+    fieldIdPrefix: string;
+    mappingRulesGridClass: string;
+    onChange: (rule: MappingBuilderRule) => void;
+    onRemove: () => void;
+}) {
+    const t = useTranslations();
+    const [activeTagIndex, setActiveTagIndex] = useState<number | null>(null);
+
+    return (
+        <div
+            className={`grid gap-3 min-w-0 ${mappingRulesGridClass} md:items-start`}
+        >
+            <div className="space-y-1 min-w-0">
+                <FormLabel className="text-xs md:hidden">
+                    {t("roleMappingMatchValue")}
+                </FormLabel>
+                <Input
+                    id={`${fieldIdPrefix}-match`}
+                    value={rule.matchValue}
+                    onChange={(e) =>
+                        onChange({
+                            ...rule,
+                            matchValue: e.target.value
+                        })
+                    }
+                    placeholder={t("roleMappingMatchValuePlaceholder")}
+                />
+            </div>
+            <div className="space-y-1 min-w-0 w-full max-w-full">
+                <FormLabel className="text-xs md:hidden">
+                    {t("roleMappingAssignRoles")}
+                </FormLabel>
+                <div className="min-w-0 max-w-full">
+                    <TagInput
+                        tags={rule.roleNames.map((name) => ({
+                            id: name,
+                            text: name
+                        }))}
+                        setTags={(nextTags) => {
+                            const next =
+                                typeof nextTags === "function"
+                                    ? nextTags(
+                                          rule.roleNames.map((name) => ({
+                                              id: name,
+                                              text: name
+                                          }))
+                                      )
+                                    : nextTags;
+                            onChange({
+                                ...rule,
+                                roleNames: [
+                                    ...new Set(next.map((tag) => tag.text))
+                                ]
+                            });
+                        }}
+                        activeTagIndex={activeTagIndex}
+                        setActiveTagIndex={setActiveTagIndex}
+                        placeholder={
+                            restrictToOrgRoles
+                                ? t("roleMappingAssignRoles")
+                                : t("roleMappingAssignRolesPlaceholderFreeform")
+                        }
+                        enableAutocomplete={restrictToOrgRoles}
+                        autocompleteOptions={roleOptions}
+                        restrictTagsToAutocompleteOptions={restrictToOrgRoles}
+                        allowDuplicates={false}
+                        sortTags={true}
+                        size="sm"
+                        styleClasses={{
+                            inlineTagsContainer: "min-w-0 max-w-full"
+                        }}
+                    />
+                </div>
+                {showFreeformRoleNamesHint && (
+                    <p className="text-sm text-muted-foreground">
+                        {t("roleMappingBuilderFreeformRowHint")}
+                    </p>
+                )}
+            </div>
+            <div className="flex min-w-0 justify-end md:justify-start md:pt-0">
+                <Button
+                    type="button"
+                    variant="outline"
+                    className="h-9 shrink-0 px-2"
+                    onClick={onRemove}
+                >
+                    {t("roleMappingRemoveRule")}
+                </Button>
+            </div>
+        </div>
+    );
+}

From 7bcb852dba81b20d3d38469c88c8cad1dba8495d Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 27 Mar 2026 18:10:19 -0700
Subject: [PATCH 059/122] add google and azure templates to global idp

---
 messages/en-US.json                           |  16 +-
 server/routers/idp/createOidcIdp.ts           |   9 +-
 server/routers/idp/updateOidcIdp.ts           |   9 +-
 .../(private)/idp/[idpId]/general/page.tsx    |  33 -
 .../settings/(private)/idp/create/page.tsx    | 124 +---
 src/app/admin/idp/[idpId]/general/page.tsx    | 638 +++++++++++++-----
 src/app/admin/idp/[idpId]/policies/page.tsx   |   2 +-
 src/app/admin/idp/create/page.tsx             | 282 ++++++--
 src/app/admin/layout.tsx                      |  13 +-
 src/components/RoleMappingConfigFields.tsx    |   2 +-
 .../idp/OidcIdpProviderTypeSelect.tsx         |  75 ++
 src/lib/idp/oidcIdpProviderDefaults.ts        |  46 ++
 12 files changed, 870 insertions(+), 379 deletions(-)
 create mode 100644 src/components/idp/OidcIdpProviderTypeSelect.tsx
 create mode 100644 src/lib/idp/oidcIdpProviderDefaults.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index 7d00c8105..505378b7f 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -890,7 +890,7 @@
     "defaultMappingsRole": "Default Role Mapping",
     "defaultMappingsRoleDescription": "The result of this expression must return the role name as defined in the organization as a string.",
     "defaultMappingsOrg": "Default Organization Mapping",
-    "defaultMappingsOrgDescription": "This expression must return the org ID or true for the user to be allowed to access the organization.",
+    "defaultMappingsOrgDescription": "When set, this expression must return the organization ID or true for the user to access that organization. When unset, defining an organization policy for that org is enough: the user is allowed in as long as a valid role mapping can be resolved for them within the organization.",
     "defaultMappingsSubmit": "Save Default Mappings",
     "orgPoliciesEdit": "Edit Organization Policy",
     "org": "Organization",
@@ -1942,19 +1942,19 @@
     "invalidValue": "Invalid value",
     "idpTypeLabel": "Identity Provider Type",
     "roleMappingExpressionPlaceholder": "e.g., contains(groups, 'admin') && 'Admin' || 'Member'",
-    "roleMappingModeFixedRoles": "Fixed roles",
-    "roleMappingModeMappingBuilder": "Mapping builder",
-    "roleMappingModeRawExpression": "Raw expression",
+    "roleMappingModeFixedRoles": "Fixed Roles",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Raw Expression",
     "roleMappingFixedRolesPlaceholderSelect": "Select one or more roles",
     "roleMappingFixedRolesPlaceholderFreeform": "Type role names (exact match per organization)",
     "roleMappingFixedRolesDescriptionSameForAll": "Assign the same role set to every auto-provisioned user.",
     "roleMappingFixedRolesDescriptionDefaultPolicy": "For default policies, type role names that exist in each organization where users are provisioned. Names must match exactly.",
-    "roleMappingClaimPath": "Claim path",
+    "roleMappingClaimPath": "Claim Path",
     "roleMappingClaimPathPlaceholder": "groups",
     "roleMappingClaimPathDescription": "Path in the token payload that contains source values (for example, groups).",
-    "roleMappingMatchValue": "Match value",
-    "roleMappingAssignRoles": "Assign roles",
-    "roleMappingAddMappingRule": "Add mapping rule",
+    "roleMappingMatchValue": "Match Value",
+    "roleMappingAssignRoles": "Assign Roles",
+    "roleMappingAddMappingRule": "Add Mapping Rule",
     "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
     "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
     "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
diff --git a/server/routers/idp/createOidcIdp.ts b/server/routers/idp/createOidcIdp.ts
index 5b53f6820..0f0cc0cce 100644
--- a/server/routers/idp/createOidcIdp.ts
+++ b/server/routers/idp/createOidcIdp.ts
@@ -25,7 +25,8 @@ const bodySchema = z.strictObject({
     namePath: z.string().optional(),
     scopes: z.string().nonempty(),
     autoProvision: z.boolean().optional(),
-    tags: z.string().optional()
+    tags: z.string().optional(),
+    variant: z.enum(["oidc", "google", "azure"]).optional().default("oidc")
 });
 
 export type CreateIdpResponse = {
@@ -77,7 +78,8 @@ export async function createOidcIdp(
             namePath,
             name,
             autoProvision,
-            tags
+            tags,
+            variant
         } = parsedBody.data;
 
         if (
@@ -121,7 +123,8 @@ export async function createOidcIdp(
                 scopes,
                 identifierPath,
                 emailPath,
-                namePath
+                namePath,
+                variant
             });
         });
 
diff --git a/server/routers/idp/updateOidcIdp.ts b/server/routers/idp/updateOidcIdp.ts
index fe32a8b08..905b32013 100644
--- a/server/routers/idp/updateOidcIdp.ts
+++ b/server/routers/idp/updateOidcIdp.ts
@@ -31,7 +31,8 @@ const bodySchema = z.strictObject({
     autoProvision: z.boolean().optional(),
     defaultRoleMapping: z.string().optional(),
     defaultOrgMapping: z.string().optional(),
-    tags: z.string().optional()
+    tags: z.string().optional(),
+    variant: z.enum(["oidc", "google", "azure"]).optional()
 });
 
 export type UpdateIdpResponse = {
@@ -96,7 +97,8 @@ export async function updateOidcIdp(
             autoProvision,
             defaultRoleMapping,
             defaultOrgMapping,
-            tags
+            tags,
+            variant
         } = parsedBody.data;
 
         if (process.env.IDENTITY_PROVIDER_MODE === "org") {
@@ -159,7 +161,8 @@ export async function updateOidcIdp(
                 scopes,
                 identifierPath,
                 emailPath,
-                namePath
+                namePath,
+                variant
             };
 
             keysToUpdate = Object.keys(configData).filter(
diff --git a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
index 9754b07e5..37cf400a5 100644
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -448,16 +448,6 @@ export default function GeneralPage() {
                             </InfoSection>
                         </InfoSections>
 
-                        <Alert variant="neutral" className="">
-                            <InfoIcon className="h-4 w-4" />
-                            <AlertTitle className="font-semibold">
-                                {t("redirectUrlAbout")}
-                            </AlertTitle>
-                            <AlertDescription>
-                                {t("redirectUrlAboutDescription")}
-                            </AlertDescription>
-                        </Alert>
-
                         {/* IDP Type Indicator */}
                         <div className="flex items-center space-x-2 mb-4">
                             <span className="text-sm font-medium text-muted-foreground">
@@ -843,29 +833,6 @@ export default function GeneralPage() {
                                             className="space-y-4"
                                             id="general-settings-form"
                                         >
-                                            <Alert variant="neutral">
-                                                <InfoIcon className="h-4 w-4" />
-                                                <AlertTitle className="font-semibold">
-                                                    {t("idpJmespathAbout")}
-                                                </AlertTitle>
-                                                <AlertDescription>
-                                                    {t(
-                                                        "idpJmespathAboutDescription"
-                                                    )}{" "}
-                                                    <a
-                                                        href="https://jmespath.org"
-                                                        target="_blank"
-                                                        rel="noopener noreferrer"
-                                                        className="text-primary hover:underline inline-flex items-center"
-                                                    >
-                                                        {t(
-                                                            "idpJmespathAboutDescriptionLink"
-                                                        )}{" "}
-                                                        <ExternalLink className="ml-1 h-4 w-4" />
-                                                    </a>
-                                                </AlertDescription>
-                                            </Alert>
-
                                             <FormField
                                                 control={form.control}
                                                 name="identifierPath"
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 970f9f970..17adcb6b6 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -13,7 +13,7 @@ import {
     SettingsSectionTitle
 } from "@app/components/Settings";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
-import { StrategySelect } from "@app/components/StrategySelect";
+import { OidcIdpProviderTypeSelect } from "@app/components/idp/OidcIdpProviderTypeSelect";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
 import {
@@ -27,17 +27,16 @@ import {
 } from "@app/components/ui/form";
 import { Input } from "@app/components/ui/input";
 import { useEnvContext } from "@app/hooks/useEnvContext";
-import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { applyOidcIdpProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { ListRolesResponse } from "@server/routers/role";
 import { AxiosResponse } from "axios";
 import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
-import Image from "next/image";
 import { useParams, useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -96,49 +95,6 @@ export default function Page() {
 
     type CreateIdpFormValues = z.infer<typeof createIdpFormSchema>;
 
-    interface ProviderTypeOption {
-        id: "oidc" | "google" | "azure";
-        title: string;
-        description: string;
-        icon?: React.ReactNode;
-    }
-
-    const providerTypes: ReadonlyArray<ProviderTypeOption> = [
-        {
-            id: "oidc",
-            title: "OAuth2/OIDC",
-            description: t("idpOidcDescription")
-        },
-        {
-            id: "google",
-            title: t("idpGoogleTitle"),
-            description: t("idpGoogleDescription"),
-            icon: (
-                <Image
-                    src="/idp/google.png"
-                    alt={t("idpGoogleAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
-        },
-        {
-            id: "azure",
-            title: t("idpAzureTitle"),
-            description: t("idpAzureDescription"),
-            icon: (
-                <Image
-                    src="/idp/azure.png"
-                    alt={t("idpAzureAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
-        }
-    ];
-
     const form = useForm({
         resolver: zodResolver(createIdpFormSchema),
         defaultValues: {
@@ -186,47 +142,6 @@ export default function Page() {
         fetchRoles();
     }, []);
 
-    // Handle provider type changes and set defaults
-    const handleProviderChange = (value: "oidc" | "google" | "azure") => {
-        form.setValue("type", value);
-
-        if (value === "google") {
-            // Set Google defaults
-            form.setValue(
-                "authUrl",
-                "https://accounts.google.com/o/oauth2/v2/auth"
-            );
-            form.setValue("tokenUrl", "https://oauth2.googleapis.com/token");
-            form.setValue("identifierPath", "email");
-            form.setValue("emailPath", "email");
-            form.setValue("namePath", "name");
-            form.setValue("scopes", "openid profile email");
-        } else if (value === "azure") {
-            // Set Azure Entra ID defaults (URLs will be constructed dynamically)
-            form.setValue(
-                "authUrl",
-                "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/authorize"
-            );
-            form.setValue(
-                "tokenUrl",
-                "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/token"
-            );
-            form.setValue("identifierPath", "email");
-            form.setValue("emailPath", "email");
-            form.setValue("namePath", "name");
-            form.setValue("scopes", "openid profile email");
-            form.setValue("tenantId", "");
-        } else {
-            // Reset to OIDC defaults
-            form.setValue("authUrl", "");
-            form.setValue("tokenUrl", "");
-            form.setValue("identifierPath", "sub");
-            form.setValue("namePath", "name");
-            form.setValue("emailPath", "email");
-            form.setValue("scopes", "openid profile email");
-        }
-    };
-
     async function onSubmit(data: CreateIdpFormValues) {
         setCreateLoading(true);
 
@@ -304,6 +219,7 @@ export default function Page() {
     }
 
     const disabled = !isPaidUser(tierMatrix.orgOidc);
+    const templatesPaid = isPaidUser(tierMatrix.orgOidc);
 
     return (
         <>
@@ -336,23 +252,13 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
-                        <div>
-                            <div className="mb-2">
-                                <span className="text-sm font-medium">
-                                    {t("idpType")}
-                                </span>
-                            </div>
-                            <StrategySelect
-                                options={providerTypes}
-                                defaultValue={form.getValues("type")}
-                                onChange={(value) => {
-                                    handleProviderChange(
-                                        value as "oidc" | "google" | "azure"
-                                    );
-                                }}
-                                cols={3}
-                            />
-                        </div>
+                        <OidcIdpProviderTypeSelect
+                            value={form.watch("type")}
+                            templatesPaid={templatesPaid}
+                            onTypeChange={(next) => {
+                                applyOidcIdpProviderType(form.setValue, next);
+                            }}
+                        />
 
                         <SettingsSectionForm>
                             <Form {...form}>
@@ -708,16 +614,6 @@ export default function Page() {
                                         />
                                     </form>
                                 </Form>
-
-                                <Alert variant="neutral">
-                                    <InfoIcon className="h-4 w-4" />
-                                    <AlertTitle className="font-semibold">
-                                        {t("idpOidcConfigureAlert")}
-                                    </AlertTitle>
-                                    <AlertDescription>
-                                        {t("idpOidcConfigureAlertDescription")}
-                                    </AlertDescription>
-                                </Alert>
                             </SettingsSectionBody>
                         </SettingsSection>
 
diff --git a/src/app/admin/idp/[idpId]/general/page.tsx b/src/app/admin/idp/[idpId]/general/page.tsx
index a5ed14a6e..d02925976 100644
--- a/src/app/admin/idp/[idpId]/general/page.tsx
+++ b/src/app/admin/idp/[idpId]/general/page.tsx
@@ -25,7 +25,6 @@ import {
     SettingsSectionDescription,
     SettingsSectionBody,
     SettingsSectionForm,
-    SettingsSectionFooter,
     SettingsSectionGrid
 } from "@app/components/Settings";
 import { formatAxiosError } from "@app/lib/api";
@@ -33,8 +32,6 @@ import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useState, useEffect } from "react";
 import { SwitchInput } from "@app/components/SwitchInput";
-import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
-import { InfoIcon, ExternalLink } from "lucide-react";
 import {
     InfoSection,
     InfoSectionContent,
@@ -42,8 +39,7 @@ import {
     InfoSectionTitle
 } from "@app/components/InfoSection";
 import CopyToClipboard from "@app/components/CopyToClipboard";
-import { Badge } from "@app/components/ui/badge";
-import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
+import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { useTranslations } from "next-intl";
 
 export default function GeneralPage() {
@@ -53,12 +49,12 @@ export default function GeneralPage() {
     const { idpId } = useParams();
     const [loading, setLoading] = useState(false);
     const [initialLoading, setInitialLoading] = useState(true);
-    const { isUnlocked } = useLicenseStatusContext();
+    const [variant, setVariant] = useState<"oidc" | "google" | "azure">("oidc");
 
     const redirectUrl = `${env.app.dashboardUrl}/auth/idp/${idpId}/oidc/callback`;
     const t = useTranslations();
 
-    const GeneralFormSchema = z.object({
+    const OidcFormSchema = z.object({
         name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
         clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
         clientSecret: z
@@ -73,10 +69,46 @@ export default function GeneralPage() {
         autoProvision: z.boolean().default(false)
     });
 
-    type GeneralFormValues = z.infer<typeof GeneralFormSchema>;
+    const GoogleFormSchema = z.object({
+        name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
+        clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
+        clientSecret: z
+            .string()
+            .min(1, { message: t("idpClientSecretRequired") }),
+        autoProvision: z.boolean().default(false)
+    });
 
-    const form = useForm({
-        resolver: zodResolver(GeneralFormSchema),
+    const AzureFormSchema = z.object({
+        name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
+        clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
+        clientSecret: z
+            .string()
+            .min(1, { message: t("idpClientSecretRequired") }),
+        tenantId: z.string().min(1, { message: t("idpTenantIdRequired") }),
+        autoProvision: z.boolean().default(false)
+    });
+
+    type OidcFormValues = z.infer<typeof OidcFormSchema>;
+    type GoogleFormValues = z.infer<typeof GoogleFormSchema>;
+    type AzureFormValues = z.infer<typeof AzureFormSchema>;
+    type GeneralFormValues =
+        | OidcFormValues
+        | GoogleFormValues
+        | AzureFormValues;
+
+    const getFormSchema = () => {
+        switch (variant) {
+            case "google":
+                return GoogleFormSchema;
+            case "azure":
+                return AzureFormSchema;
+            default:
+                return OidcFormSchema;
+        }
+    };
+
+    const form = useForm<GeneralFormValues>({
+        resolver: zodResolver(getFormSchema()) as never,
         defaultValues: {
             name: "",
             clientId: "",
@@ -87,28 +119,60 @@ export default function GeneralPage() {
             emailPath: "email",
             namePath: "name",
             scopes: "openid profile email",
-            autoProvision: true
+            autoProvision: true,
+            tenantId: ""
         }
     });
 
+    useEffect(() => {
+        form.clearErrors();
+    }, [variant, form]);
+
     useEffect(() => {
         const loadIdp = async () => {
             try {
                 const res = await api.get(`/idp/${idpId}`);
                 if (res.status === 200) {
                     const data = res.data.data;
-                    form.reset({
+                    const idpVariant =
+                        (data.idpOidcConfig?.variant as
+                            | "oidc"
+                            | "google"
+                            | "azure") || "oidc";
+                    setVariant(idpVariant);
+
+                    let tenantId = "";
+                    if (idpVariant === "azure" && data.idpOidcConfig?.authUrl) {
+                        const tenantMatch = data.idpOidcConfig.authUrl.match(
+                            /login\.microsoftonline\.com\/([^/]+)\/oauth2/
+                        );
+                        if (tenantMatch) {
+                            tenantId = tenantMatch[1];
+                        }
+                    }
+
+                    const formData: Record<string, unknown> = {
                         name: data.idp.name,
                         clientId: data.idpOidcConfig.clientId,
                         clientSecret: data.idpOidcConfig.clientSecret,
-                        authUrl: data.idpOidcConfig.authUrl,
-                        tokenUrl: data.idpOidcConfig.tokenUrl,
-                        identifierPath: data.idpOidcConfig.identifierPath,
-                        emailPath: data.idpOidcConfig.emailPath,
-                        namePath: data.idpOidcConfig.namePath,
-                        scopes: data.idpOidcConfig.scopes,
                         autoProvision: data.idp.autoProvision
-                    });
+                    };
+
+                    if (idpVariant === "oidc") {
+                        formData.authUrl = data.idpOidcConfig.authUrl;
+                        formData.tokenUrl = data.idpOidcConfig.tokenUrl;
+                        formData.identifierPath =
+                            data.idpOidcConfig.identifierPath;
+                        formData.emailPath =
+                            data.idpOidcConfig.emailPath ?? undefined;
+                        formData.namePath =
+                            data.idpOidcConfig.namePath ?? undefined;
+                        formData.scopes = data.idpOidcConfig.scopes;
+                    } else if (idpVariant === "azure") {
+                        formData.tenantId = tenantId;
+                    }
+
+                    form.reset(formData as GeneralFormValues);
                 }
             } catch (e) {
                 toast({
@@ -123,25 +187,76 @@ export default function GeneralPage() {
         };
 
         loadIdp();
-    }, [idpId, api, form, router]);
+    }, [idpId]);
 
     async function onSubmit(data: GeneralFormValues) {
         setLoading(true);
 
         try {
-            const payload = {
+            const schema = getFormSchema();
+            const validationResult = schema.safeParse(data);
+
+            if (!validationResult.success) {
+                const errors = validationResult.error.flatten().fieldErrors;
+                Object.keys(errors).forEach((key) => {
+                    const fieldName = key as keyof GeneralFormValues;
+                    const errorMessage =
+                        (errors as Record<string, string[] | undefined>)[
+                            key
+                        ]?.[0] || t("invalidValue");
+                    form.setError(fieldName, {
+                        type: "manual",
+                        message: errorMessage
+                    });
+                });
+                setLoading(false);
+                return;
+            }
+
+            let payload: Record<string, unknown> = {
                 name: data.name,
                 clientId: data.clientId,
                 clientSecret: data.clientSecret,
-                authUrl: data.authUrl,
-                tokenUrl: data.tokenUrl,
-                identifierPath: data.identifierPath,
-                emailPath: data.emailPath,
-                namePath: data.namePath,
                 autoProvision: data.autoProvision,
-                scopes: data.scopes
+                variant
             };
 
+            if (variant === "oidc") {
+                const oidcData = data as OidcFormValues;
+                payload = {
+                    ...payload,
+                    authUrl: oidcData.authUrl,
+                    tokenUrl: oidcData.tokenUrl,
+                    identifierPath: oidcData.identifierPath,
+                    emailPath: oidcData.emailPath ?? "",
+                    namePath: oidcData.namePath ?? "",
+                    scopes: oidcData.scopes
+                };
+            } else if (variant === "azure") {
+                const azureData = data as AzureFormValues;
+                const authUrl = `https://login.microsoftonline.com/${azureData.tenantId}/oauth2/v2.0/authorize`;
+                const tokenUrl = `https://login.microsoftonline.com/${azureData.tenantId}/oauth2/v2.0/token`;
+                payload = {
+                    ...payload,
+                    authUrl,
+                    tokenUrl,
+                    identifierPath: "email",
+                    emailPath: "email",
+                    namePath: "name",
+                    scopes: "openid profile email"
+                };
+            } else if (variant === "google") {
+                payload = {
+                    ...payload,
+                    authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+                    tokenUrl: "https://oauth2.googleapis.com/token",
+                    identifierPath: "email",
+                    emailPath: "email",
+                    namePath: "name",
+                    scopes: "openid profile email"
+                };
+            }
+
             const res = await api.post(`/idp/${idpId}/oidc`, payload);
 
             if (res.status === 200) {
@@ -190,6 +305,13 @@ export default function GeneralPage() {
                             </InfoSection>
                         </InfoSections>
 
+                        <div className="flex items-center space-x-2 mb-4">
+                            <span className="text-sm font-medium text-muted-foreground">
+                                {t("idpTypeLabel")}:
+                            </span>
+                            <IdpTypeBadge type={variant} />
+                        </div>
+
                         <SettingsSectionForm>
                             <Form {...form}>
                                 <form
@@ -215,62 +337,80 @@ export default function GeneralPage() {
                                             </FormItem>
                                         )}
                                     />
-
-                                    <div className="flex items-start mb-0">
-                                        <SwitchInput
-                                            id="auto-provision-toggle"
-                                            label={t("idpAutoProvisionUsers")}
-                                            defaultChecked={form.getValues(
-                                                "autoProvision"
-                                            )}
-                                            onCheckedChange={(checked) => {
-                                                form.setValue(
-                                                    "autoProvision",
-                                                    checked
-                                                );
-                                            }}
-                                        />
-                                    </div>
-                                    <div className="flex flex-col gap-2">
-                                        <span className="text-sm text-muted-foreground">
-                                            {t(
-                                                "idpAutoProvisionUsersDescription"
-                                            )}
-                                        </span>
-                                        {form.watch("autoProvision") && (
-                                            <FormDescription>
-                                                {t.rich(
-                                                    "idpAdminAutoProvisionPoliciesTabHint",
-                                                    {
-                                                        policiesTabLink: (
-                                                            chunks
-                                                        ) => (
-                                                            <Link
-                                                                href={`/admin/idp/${idpId}/policies`}
-                                                                className="text-primary hover:underline inline-flex items-center gap-1"
-                                                            >
-                                                                {chunks}
-                                                            </Link>
-                                                        )
-                                                    }
-                                                )}
-                                            </FormDescription>
-                                        )}
-                                    </div>
                                 </form>
                             </Form>
                         </SettingsSectionForm>
                     </SettingsSectionBody>
                 </SettingsSection>
 
-                <SettingsSectionGrid cols={2}>
+                <SettingsSection>
+                    <SettingsSectionHeader>
+                        <SettingsSectionTitle>
+                            {t("idpAutoProvisionUsers")}
+                        </SettingsSectionTitle>
+                        <SettingsSectionDescription>
+                            {t("idpAutoProvisionUsersDescription")}
+                        </SettingsSectionDescription>
+                    </SettingsSectionHeader>
+                    <SettingsSectionBody>
+                        <Form {...form}>
+                            <form
+                                onSubmit={form.handleSubmit(onSubmit)}
+                                className="space-y-4"
+                                id="general-settings-form"
+                            >
+                                <div className="flex items-start mb-0">
+                                    <SwitchInput
+                                        id="auto-provision-toggle"
+                                        label={t("idpAutoProvisionUsers")}
+                                        defaultChecked={form.getValues(
+                                            "autoProvision"
+                                        )}
+                                        onCheckedChange={(checked) => {
+                                            form.setValue(
+                                                "autoProvision",
+                                                checked
+                                            );
+                                        }}
+                                    />
+                                </div>
+                                <div className="flex flex-col gap-2">
+                                    <span className="text-sm text-muted-foreground">
+                                        {t("idpAutoProvisionUsersDescription")}
+                                    </span>
+                                    {form.watch("autoProvision") && (
+                                        <FormDescription>
+                                            {t.rich(
+                                                "idpAdminAutoProvisionPoliciesTabHint",
+                                                {
+                                                    policiesTabLink: (
+                                                        chunks
+                                                    ) => (
+                                                        <Link
+                                                            href={`/admin/idp/${idpId}/policies`}
+                                                            className="text-primary hover:underline inline-flex items-center gap-1"
+                                                        >
+                                                            {chunks}
+                                                        </Link>
+                                                    )
+                                                }
+                                            )}
+                                        </FormDescription>
+                                    )}
+                                </div>
+                            </form>
+                        </Form>
+                    </SettingsSectionBody>
+                </SettingsSection>
+
+                {variant === "google" && (
                     <SettingsSection>
                         <SettingsSectionHeader>
                             <SettingsSectionTitle>
-                                {t("idpOidcConfigure")}
+                                {t("idpGoogleConfiguration")}
                             </SettingsSectionTitle>
                             <SettingsSectionDescription>
-                                {t("idpOidcConfigureDescription")}
+                                {t("idpGoogleConfigurationDescription")}
                             </SettingsSectionDescription>
                         </SettingsSectionHeader>
                         <SettingsSectionBody>
@@ -294,7 +434,7 @@ export default function GeneralPage() {
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpClientIdDescription"
+                                                            "idpGoogleClientIdDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -318,49 +458,7 @@ export default function GeneralPage() {
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpClientSecretDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="authUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpAuthUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAuthUrlDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="tokenUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpTokenUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpTokenUrlDescription"
+                                                            "idpGoogleClientSecretDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -372,14 +470,16 @@ export default function GeneralPage() {
                             </SettingsSectionForm>
                         </SettingsSectionBody>
                     </SettingsSection>
+                )}
 
+                {variant === "azure" && (
                     <SettingsSection>
                         <SettingsSectionHeader>
                             <SettingsSectionTitle>
-                                {t("idpToken")}
+                                {t("idpAzureConfiguration")}
                             </SettingsSectionTitle>
                             <SettingsSectionDescription>
-                                {t("idpTokenDescription")}
+                                {t("idpAzureConfigurationDescription")}
                             </SettingsSectionDescription>
                         </SettingsSectionHeader>
                         <SettingsSectionBody>
@@ -392,18 +492,18 @@ export default function GeneralPage() {
                                     >
                                         <FormField
                                             control={form.control}
-                                            name="identifierPath"
+                                            name="tenantId"
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>
-                                                        {t("idpJmespathLabel")}
+                                                        {t("idpTenantId")}
                                                     </FormLabel>
                                                     <FormControl>
                                                         <Input {...field} />
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpJmespathLabelDescription"
+                                                            "idpAzureTenantIdDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -413,20 +513,18 @@ export default function GeneralPage() {
 
                                         <FormField
                                             control={form.control}
-                                            name="emailPath"
+                                            name="clientId"
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>
-                                                        {t(
-                                                            "idpJmespathEmailPathOptional"
-                                                        )}
+                                                        {t("idpClientId")}
                                                     </FormLabel>
                                                     <FormControl>
                                                         <Input {...field} />
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpJmespathEmailPathOptionalDescription"
+                                                            "idpAzureClientIdDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -436,43 +534,21 @@ export default function GeneralPage() {
 
                                         <FormField
                                             control={form.control}
-                                            name="namePath"
+                                            name="clientSecret"
                                             render={({ field }) => (
                                                 <FormItem>
                                                     <FormLabel>
-                                                        {t(
-                                                            "idpJmespathNamePathOptional"
-                                                        )}
+                                                        {t("idpClientSecret")}
                                                     </FormLabel>
                                                     <FormControl>
-                                                        <Input {...field} />
+                                                        <Input
+                                                            type="password"
+                                                            {...field}
+                                                        />
                                                     </FormControl>
                                                     <FormDescription>
                                                         {t(
-                                                            "idpJmespathNamePathOptionalDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="scopes"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpOidcConfigureScopes"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpOidcConfigureScopesDescription"
+                                                            "idpAzureClientSecretDescription"
                                                         )}
                                                     </FormDescription>
                                                     <FormMessage />
@@ -484,15 +560,263 @@ export default function GeneralPage() {
                             </SettingsSectionForm>
                         </SettingsSectionBody>
                     </SettingsSection>
-                </SettingsSectionGrid>
+                )}
+
+                {variant === "oidc" && (
+                    <SettingsSectionGrid cols={2}>
+                        <SettingsSection>
+                            <SettingsSectionHeader>
+                                <SettingsSectionTitle>
+                                    {t("idpOidcConfigure")}
+                                </SettingsSectionTitle>
+                                <SettingsSectionDescription>
+                                    {t("idpOidcConfigureDescription")}
+                                </SettingsSectionDescription>
+                            </SettingsSectionHeader>
+                            <SettingsSectionBody>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                            className="space-y-4"
+                                            id="general-settings-form"
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientSecretDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="authUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpAuthUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAuthUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="tokenUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpTokenUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpTokenUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
+                            </SettingsSectionBody>
+                        </SettingsSection>
+
+                        <SettingsSection>
+                            <SettingsSectionHeader>
+                                <SettingsSectionTitle>
+                                    {t("idpToken")}
+                                </SettingsSectionTitle>
+                                <SettingsSectionDescription>
+                                    {t("idpTokenDescription")}
+                                </SettingsSectionDescription>
+                            </SettingsSectionHeader>
+                            <SettingsSectionBody>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                            className="space-y-4"
+                                            id="general-settings-form"
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="identifierPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathLabel"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathLabelDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="emailPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                {...field}
+                                                                value={
+                                                                    field.value ||
+                                                                    ""
+                                                                }
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="namePath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathNamePathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                {...field}
+                                                                value={
+                                                                    field.value ||
+                                                                    ""
+                                                                }
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathNamePathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="scopes"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpOidcConfigureScopes"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpOidcConfigureScopesDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
+                            </SettingsSectionBody>
+                        </SettingsSection>
+                    </SettingsSectionGrid>
+                )}
             </SettingsContainer>
 
             <div className="flex justify-end mt-8">
                 <Button
-                    type="submit"
+                    type="button"
                     form="general-settings-form"
                     loading={loading}
                     disabled={loading}
+                    onClick={() => {
+                        form.handleSubmit(onSubmit)();
+                    }}
                 >
                     {t("saveGeneralSettings")}
                 </Button>
diff --git a/src/app/admin/idp/[idpId]/policies/page.tsx b/src/app/admin/idp/[idpId]/policies/page.tsx
index 086074e2d..57ee3cf7b 100644
--- a/src/app/admin/idp/[idpId]/policies/page.tsx
+++ b/src/app/admin/idp/[idpId]/policies/page.tsx
@@ -575,7 +575,7 @@ export default function PoliciesPage() {
                     }
                 }}
             >
-                <CredenzaContent className="max-w-4xl w-[calc(100vw-2rem)] sm:w-full">
+                <CredenzaContent className="max-w-4xl sm:w-full">
                     <CredenzaHeader>
                         <CredenzaTitle>
                             {editingPolicy
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index 91b55da23..40d4a3b32 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -1,5 +1,7 @@
 "use client";
 
+import { OidcIdpProviderTypeSelect } from "@app/components/idp/OidcIdpProviderTypeSelect";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import {
     SettingsContainer,
     SettingsSection,
@@ -20,70 +22,63 @@ import {
     FormMessage
 } from "@app/components/ui/form";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
-import { z } from "zod";
-import { createElement, useEffect, useState } from "react";
-import { useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { Input } from "@app/components/ui/input";
+import { SwitchInput } from "@app/components/SwitchInput";
+import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
-import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { Input } from "@app/components/ui/input";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
-import { useRouter } from "next/navigation";
-import { Checkbox } from "@app/components/ui/checkbox";
-import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
-import { InfoIcon, ExternalLink } from "lucide-react";
-import { StrategySelect } from "@app/components/StrategySelect";
-import { SwitchInput } from "@app/components/SwitchInput";
-import { Badge } from "@app/components/ui/badge";
-import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { applyOidcIdpProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
 
 export default function Page() {
     const { env } = useEnvContext();
     const api = createApiClient({ env });
     const router = useRouter();
     const [createLoading, setCreateLoading] = useState(false);
-    const { isUnlocked } = useLicenseStatusContext();
     const t = useTranslations();
+    const { isPaidUser } = usePaidStatus();
+    const templatesPaid = isPaidUser(tierMatrix.orgOidc);
 
     const createIdpFormSchema = z.object({
         name: z.string().min(2, { message: t("nameMin", { len: 2 }) }),
-        type: z.enum(["oidc"]),
+        type: z.enum(["oidc", "google", "azure"]),
         clientId: z.string().min(1, { message: t("idpClientIdRequired") }),
         clientSecret: z
             .string()
             .min(1, { message: t("idpClientSecretRequired") }),
-        authUrl: z.url({ message: t("idpErrorAuthUrlInvalid") }),
-        tokenUrl: z.url({ message: t("idpErrorTokenUrlInvalid") }),
-        identifierPath: z.string().min(1, { message: t("idpPathRequired") }),
+        authUrl: z.url({ message: t("idpErrorAuthUrlInvalid") }).optional(),
+        tokenUrl: z.url({ message: t("idpErrorTokenUrlInvalid") }).optional(),
+        identifierPath: z
+            .string()
+            .min(1, { message: t("idpPathRequired") })
+            .optional(),
         emailPath: z.string().optional(),
         namePath: z.string().optional(),
-        scopes: z.string().min(1, { message: t("idpScopeRequired") }),
+        scopes: z
+            .string()
+            .min(1, { message: t("idpScopeRequired") })
+            .optional(),
+        tenantId: z.string().optional(),
         autoProvision: z.boolean().default(false)
     });
 
     type CreateIdpFormValues = z.infer<typeof createIdpFormSchema>;
 
-    interface ProviderTypeOption {
-        id: "oidc";
-        title: string;
-        description: string;
-    }
-
-    const providerTypes: ReadonlyArray<ProviderTypeOption> = [
-        {
-            id: "oidc",
-            title: "OAuth2/OIDC",
-            description: t("idpOidcDescription")
-        }
-    ];
-
     const form = useForm({
         resolver: zodResolver(createIdpFormSchema),
         defaultValues: {
             name: "",
-            type: "oidc",
+            type: "oidc" as const,
             clientId: "",
             clientSecret: "",
             authUrl: "",
@@ -92,25 +87,46 @@ export default function Page() {
             namePath: "name",
             emailPath: "email",
             scopes: "openid profile email",
+            tenantId: "",
             autoProvision: false
         }
     });
 
+    const watchedType = form.watch("type");
+
+    useEffect(() => {
+        if (
+            !templatesPaid &&
+            (watchedType === "google" || watchedType === "azure")
+        ) {
+            applyOidcIdpProviderType(form.setValue, "oidc");
+        }
+    }, [templatesPaid, watchedType, form.setValue]);
+
     async function onSubmit(data: CreateIdpFormValues) {
         setCreateLoading(true);
 
         try {
+            let authUrl = data.authUrl;
+            let tokenUrl = data.tokenUrl;
+
+            if (data.type === "azure" && data.tenantId) {
+                authUrl = authUrl?.replace("{{TENANT_ID}}", data.tenantId);
+                tokenUrl = tokenUrl?.replace("{{TENANT_ID}}", data.tenantId);
+            }
+
             const payload = {
                 name: data.name,
                 clientId: data.clientId,
                 clientSecret: data.clientSecret,
-                authUrl: data.authUrl,
-                tokenUrl: data.tokenUrl,
+                authUrl: authUrl,
+                tokenUrl: tokenUrl,
                 identifierPath: data.identifierPath,
                 emailPath: data.emailPath,
                 namePath: data.namePath,
                 autoProvision: data.autoProvision,
-                scopes: data.scopes
+                scopes: data.scopes,
+                variant: data.type
             };
 
             const res = await api.put("/idp/oidc", payload);
@@ -150,6 +166,10 @@ export default function Page() {
                 </Button>
             </div>
 
+            {!templatesPaid ? (
+                <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+            ) : null}
+
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -161,6 +181,14 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
+                        <OidcIdpProviderTypeSelect
+                            value={watchedType}
+                            templatesPaid={templatesPaid}
+                            onTypeChange={(next) => {
+                                applyOidcIdpProviderType(form.setValue, next);
+                            }}
+                        />
+
                         <SettingsSectionForm>
                             <Form {...form}>
                                 <form
@@ -208,27 +236,169 @@ export default function Page() {
                                 </form>
                             </Form>
                         </SettingsSectionForm>
-
-                        {/* <div> */}
-                        {/*     <div className="mb-2"> */}
-                        {/*         <span className="text-sm font-medium"> */}
-                        {/*             {t("idpType")} */}
-                        {/*         </span> */}
-                        {/*     </div> */}
-                        {/*  */}
-                        {/*     <StrategySelect */}
-                        {/*         options={providerTypes} */}
-                        {/*         defaultValue={form.getValues("type")} */}
-                        {/*         onChange={(value) => { */}
-                        {/*             form.setValue("type", value as "oidc"); */}
-                        {/*         }} */}
-                        {/*         cols={3} */}
-                        {/*     /> */}
-                        {/* </div> */}
                     </SettingsSectionBody>
                 </SettingsSection>
 
-                {form.watch("type") === "oidc" && (
+                {watchedType === "google" && (
+                    <SettingsSection>
+                        <SettingsSectionHeader>
+                            <SettingsSectionTitle>
+                                {t("idpGoogleConfigurationTitle")}
+                            </SettingsSectionTitle>
+                            <SettingsSectionDescription>
+                                {t("idpGoogleConfigurationDescription")}
+                            </SettingsSectionDescription>
+                        </SettingsSectionHeader>
+                        <SettingsSectionBody>
+                            <SettingsSectionForm>
+                                <Form {...form}>
+                                    <form
+                                        className="space-y-4"
+                                        id="create-idp-form"
+                                        onSubmit={form.handleSubmit(onSubmit)}
+                                    >
+                                        <FormField
+                                            control={form.control}
+                                            name="clientId"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientId")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpGoogleClientIdDescription"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+
+                                        <FormField
+                                            control={form.control}
+                                            name="clientSecret"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientSecret")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            type="password"
+                                                            {...field}
+                                                        />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpGoogleClientSecretDescription"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+                                    </form>
+                                </Form>
+                            </SettingsSectionForm>
+                        </SettingsSectionBody>
+                    </SettingsSection>
+                )}
+
+                {watchedType === "azure" && (
+                    <SettingsSection>
+                        <SettingsSectionHeader>
+                            <SettingsSectionTitle>
+                                {t("idpAzureConfigurationTitle")}
+                            </SettingsSectionTitle>
+                            <SettingsSectionDescription>
+                                {t("idpAzureConfigurationDescription")}
+                            </SettingsSectionDescription>
+                        </SettingsSectionHeader>
+                        <SettingsSectionBody>
+                            <SettingsSectionForm>
+                                <Form {...form}>
+                                    <form
+                                        className="space-y-4"
+                                        id="create-idp-form"
+                                        onSubmit={form.handleSubmit(onSubmit)}
+                                    >
+                                        <FormField
+                                            control={form.control}
+                                            name="tenantId"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpTenantIdLabel")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpAzureTenantIdDescription"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+
+                                        <FormField
+                                            control={form.control}
+                                            name="clientId"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientId")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpAzureClientIdDescription2"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+
+                                        <FormField
+                                            control={form.control}
+                                            name="clientSecret"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("idpClientSecret")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            type="password"
+                                                            {...field}
+                                                        />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t(
+                                                            "idpAzureClientSecretDescription2"
+                                                        )}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+                                    </form>
+                                </Form>
+                            </SettingsSectionForm>
+                        </SettingsSectionBody>
+                    </SettingsSection>
+                )}
+
+                {watchedType === "oidc" && (
                     <SettingsSectionGrid cols={2}>
                         <SettingsSection>
                             <SettingsSectionHeader>
diff --git a/src/app/admin/layout.tsx b/src/app/admin/layout.tsx
index 44d85b99e..5f35ee4cd 100644
--- a/src/app/admin/layout.tsx
+++ b/src/app/admin/layout.tsx
@@ -12,6 +12,7 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { Layout } from "@app/components/Layout";
 import { adminNavSections } from "../navigation";
 import { pullEnv } from "@app/lib/pullEnv";
+import SubscriptionStatusProvider from "@app/providers/SubscriptionStatusProvider";
 
 export const dynamic = "force-dynamic";
 
@@ -51,9 +52,15 @@ export default async function AdminLayout(props: LayoutProps) {
 
     return (
         <UserProvider user={user}>
-            <Layout orgs={orgs} navItems={adminNavSections(env)}>
-                {props.children}
-            </Layout>
+            <SubscriptionStatusProvider
+                subscriptionStatus={null}
+                env={env.app.environment}
+                sandbox_mode={env.app.sandbox_mode}
+            >
+                <Layout orgs={orgs} navItems={adminNavSections(env)}>
+                    {props.children}
+                </Layout>
+            </SubscriptionStatusProvider>
         </UserProvider>
     );
 }
diff --git a/src/components/RoleMappingConfigFields.tsx b/src/components/RoleMappingConfigFields.tsx
index 4fe1a037b..deb2cc9ac 100644
--- a/src/components/RoleMappingConfigFields.tsx
+++ b/src/components/RoleMappingConfigFields.tsx
@@ -166,7 +166,7 @@ export default function RoleMappingConfigFields({
             )}
 
             {roleMappingMode === "mappingBuilder" && (
-                <div className="space-y-4 rounded-md border p-3 min-w-0 max-w-full">
+                <div className="space-y-4 min-w-0 max-w-full">
                     <div className="space-y-2">
                         <FormLabel>{t("roleMappingClaimPath")}</FormLabel>
                         <Input
diff --git a/src/components/idp/OidcIdpProviderTypeSelect.tsx b/src/components/idp/OidcIdpProviderTypeSelect.tsx
new file mode 100644
index 000000000..f69c005ad
--- /dev/null
+++ b/src/components/idp/OidcIdpProviderTypeSelect.tsx
@@ -0,0 +1,75 @@
+"use client";
+
+import {
+    StrategySelect,
+    type StrategyOption
+} from "@app/components/StrategySelect";
+import type { IdpOidcProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
+import { useTranslations } from "next-intl";
+import Image from "next/image";
+
+type Props = {
+    value: IdpOidcProviderType;
+    onTypeChange: (type: IdpOidcProviderType) => void;
+    templatesPaid: boolean;
+};
+
+export function OidcIdpProviderTypeSelect({
+    value,
+    onTypeChange,
+    templatesPaid
+}: Props) {
+    const t = useTranslations();
+
+    const options: ReadonlyArray<StrategyOption<IdpOidcProviderType>> = [
+        {
+            id: "oidc",
+            title: "OAuth2/OIDC",
+            description: t("idpOidcDescription")
+        },
+        {
+            id: "google",
+            title: t("idpGoogleTitle"),
+            description: t("idpGoogleDescription"),
+            disabled: !templatesPaid,
+            icon: (
+                <Image
+                    src="/idp/google.png"
+                    alt={t("idpGoogleAlt")}
+                    width={24}
+                    height={24}
+                    className="rounded"
+                />
+            )
+        },
+        {
+            id: "azure",
+            title: t("idpAzureTitle"),
+            description: t("idpAzureDescription"),
+            disabled: !templatesPaid,
+            icon: (
+                <Image
+                    src="/idp/azure.png"
+                    alt={t("idpAzureAlt")}
+                    width={24}
+                    height={24}
+                    className="rounded"
+                />
+            )
+        }
+    ];
+
+    return (
+        <div>
+            <div className="mb-2">
+                <span className="text-sm font-medium">{t("idpType")}</span>
+            </div>
+            <StrategySelect
+                value={value}
+                options={options}
+                onChange={onTypeChange}
+                cols={3}
+            />
+        </div>
+    );
+}
diff --git a/src/lib/idp/oidcIdpProviderDefaults.ts b/src/lib/idp/oidcIdpProviderDefaults.ts
new file mode 100644
index 000000000..3608c6882
--- /dev/null
+++ b/src/lib/idp/oidcIdpProviderDefaults.ts
@@ -0,0 +1,46 @@
+import type { FieldValues, UseFormSetValue } from "react-hook-form";
+
+export type IdpOidcProviderType = "oidc" | "google" | "azure";
+
+export function applyOidcIdpProviderType<T extends FieldValues>(
+    setValue: UseFormSetValue<T>,
+    provider: IdpOidcProviderType
+): void {
+    setValue("type" as never, provider as never);
+
+    if (provider === "google") {
+        setValue(
+            "authUrl" as never,
+            "https://accounts.google.com/o/oauth2/v2/auth" as never
+        );
+        setValue(
+            "tokenUrl" as never,
+            "https://oauth2.googleapis.com/token" as never
+        );
+        setValue("identifierPath" as never, "email" as never);
+        setValue("emailPath" as never, "email" as never);
+        setValue("namePath" as never, "name" as never);
+        setValue("scopes" as never, "openid profile email" as never);
+    } else if (provider === "azure") {
+        setValue(
+            "authUrl" as never,
+            "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/authorize" as never
+        );
+        setValue(
+            "tokenUrl" as never,
+            "https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/token" as never
+        );
+        setValue("identifierPath" as never, "email" as never);
+        setValue("emailPath" as never, "email" as never);
+        setValue("namePath" as never, "name" as never);
+        setValue("scopes" as never, "openid profile email" as never);
+        setValue("tenantId" as never, "" as never);
+    } else {
+        setValue("authUrl" as never, "" as never);
+        setValue("tokenUrl" as never, "" as never);
+        setValue("identifierPath" as never, "sub" as never);
+        setValue("namePath" as never, "name" as never);
+        setValue("emailPath" as never, "email" as never);
+        setValue("scopes" as never, "openid profile email" as never);
+    }
+}

From c6f269b3fa4a5c9b11c41e52942e4fb75b132179 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 17:29:01 -0700
Subject: [PATCH 060/122] set roles 1:1 on auto provision

---
 server/routers/idp/validateOidcCallback.ts | 34 ++++++++++------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 86545269b..7f39aa38d 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -579,30 +579,28 @@ export async function validateOidcCallback(
                     }
                 }
 
-                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
-                const userRolesInOrgs = await trx
-                    .select()
-                    .from(userOrgRoles)
-                    .where(eq(userOrgRoles.userId, userId!));
+                // Sync roles 1:1 with IdP policy for existing auto-provisioned orgs
                 for (const currentOrg of autoProvisionedOrgs) {
                     const newRole = userOrgInfo.find(
                         (newOrg) => newOrg.orgId === currentOrg.orgId
                     );
                     if (!newRole) continue;
-                    const currentRolesInOrg = userRolesInOrgs.filter(
-                        (r) => r.orgId === currentOrg.orgId
-                    );
-                    for (const roleId of newRole.roleIds) {
-                        const hasIdpRole = currentRolesInOrg.some(
-                            (r) => r.roleId === roleId
+
+                    await trx
+                        .delete(userOrgRoles)
+                        .where(
+                            and(
+                                eq(userOrgRoles.userId, userId!),
+                                eq(userOrgRoles.orgId, currentOrg.orgId)
+                            )
                         );
-                        if (!hasIdpRole) {
-                            await trx.insert(userOrgRoles).values({
-                                userId: userId!,
-                                orgId: currentOrg.orgId,
-                                roleId
-                            });
-                        }
+
+                    for (const roleId of newRole.roleIds) {
+                        await trx.insert(userOrgRoles).values({
+                            userId: userId!,
+                            orgId: currentOrg.orgId,
+                            roleId
+                        });
                     }
                 }
 

From 6ab05551487a4ff5f5f2cec85177be512ddf0c69 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:09:36 -0700
Subject: [PATCH 061/122] respect full rbac feature in auto provisioning

---
 messages/en-US.json                           |   1 +
 server/lib/billing/tierMatrix.ts              |   6 +-
 .../routers/billing/featureLifecycle.ts       |  13 +-
 server/routers/idp/validateOidcCallback.ts    |  15 +-
 .../users/[userId]/access-controls/page.tsx   |   5 +-
 src/components/RoleMappingConfigFields.tsx    | 193 ++++++++++++++----
 6 files changed, 178 insertions(+), 55 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 505378b7f..673ce4949 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1956,6 +1956,7 @@
     "roleMappingAssignRoles": "Assign Roles",
     "roleMappingAddMappingRule": "Add Mapping Rule",
     "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expression must evaluate to a string (a single role name).",
     "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
     "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
     "roleMappingBuilderFreeformRowHint": "Role names must match a role in each target organization.",
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index c08bcea71..a66f566a9 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -15,7 +15,8 @@ export enum TierFeature {
     SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
     PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
     AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam"
+    SshPam = "sshPam",
+    FullRbac = "fullRbac"
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -48,5 +49,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
         "enterprise"
     ],
     [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"]
 };
diff --git a/server/private/routers/billing/featureLifecycle.ts b/server/private/routers/billing/featureLifecycle.ts
index 9536a87f0..330cf6e03 100644
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -26,9 +26,10 @@ import {
     orgs,
     resources,
     roles,
-    siteResources
+    siteResources,
+    userOrgRoles
 } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 
 /**
  * Get the maximum allowed retention days for a given tier
@@ -291,6 +292,10 @@ async function disableFeature(
                 await disableSshPam(orgId);
                 break;
 
+            case TierFeature.FullRbac:
+                await disableFullRbac(orgId);
+                break;
+
             default:
                 logger.warn(
                     `Unknown feature ${feature} for org ${orgId}, skipping`
@@ -326,6 +331,10 @@ async function disableSshPam(orgId: string): Promise<void> {
     );
 }
 
+async function disableFullRbac(orgId: string): Promise<void> {
+    logger.info(`Disabled full RBAC for org ${orgId}`);
+}
+
 async function disableLoginPageBranding(orgId: string): Promise<void> {
     const [existingBranding] = await db
         .select()
diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 7f39aa38d..4de52f530 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -36,6 +36,7 @@ import { usageService } from "@server/lib/billing/usageService";
 import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
     assignUserToOrg,
@@ -415,7 +416,15 @@ export async function validateOidcCallback(
                         roleMappingResult
                     );
 
-                    if (!roleNames.length) {
+                    const supportsMultiRole = await isLicensedOrSubscribed(
+                        org.orgId,
+                        tierMatrix.fullRbac
+                    );
+                    const effectiveRoleNames = supportsMultiRole
+                        ? roleNames
+                        : roleNames.slice(0, 1);
+
+                    if (!effectiveRoleNames.length) {
                         logger.error("Role mapping returned no valid roles", {
                             roleMappingResult
                         });
@@ -428,14 +437,14 @@ export async function validateOidcCallback(
                         .where(
                             and(
                                 eq(roles.orgId, org.orgId),
-                                inArray(roles.name, roleNames)
+                                inArray(roles.name, effectiveRoleNames)
                             )
                         );
 
                     if (!roleRes.length) {
                         logger.error("No mapped roles found in organization", {
                             orgId: org.orgId,
-                            roleNames
+                            roleNames: effectiveRoleNames
                         });
                         continue;
                     }
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index c9ed7d561..eb280f2f3 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -69,10 +69,7 @@ export default function AccessControlsPage() {
     const t = useTranslations();
     const { isPaidUser, hasSaasSubscription, hasEnterpriseLicense } =
         usePaidStatus();
-    const multiRoleFeatureTiers = Array.from(
-        new Set([...tierMatrix.sshPam, ...tierMatrix.orgOidc])
-    );
-    const isPaid = isPaidUser(multiRoleFeatureTiers);
+    const isPaid = isPaidUser(tierMatrix.fullRbac);
     const supportsMultipleRolesPerUser = isPaid;
     const showMultiRolePaywallMessage =
         !env.flags.disableEnterpriseFeatures &&
diff --git a/src/components/RoleMappingConfigFields.tsx b/src/components/RoleMappingConfigFields.tsx
index deb2cc9ac..12790d4aa 100644
--- a/src/components/RoleMappingConfigFields.tsx
+++ b/src/components/RoleMappingConfigFields.tsx
@@ -5,13 +5,17 @@ import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
 import { Button } from "@app/components/ui/button";
 import { Input } from "@app/components/ui/input";
 import { useTranslations } from "next-intl";
-import { useMemo, useState } from "react";
+import { useEffect, useMemo, useState } from "react";
 import { Tag, TagInput } from "@app/components/tags/tag-input";
 import {
     createMappingBuilderRule,
     MappingBuilderRule,
     RoleMappingMode
 } from "@app/lib/idpRoleMapping";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { build } from "@server/build";
 
 export type RoleMappingRoleOption = {
     roleId: number;
@@ -52,10 +56,17 @@ export default function RoleMappingConfigFields({
     showFreeformRoleNamesHint = false
 }: RoleMappingConfigFieldsProps) {
     const t = useTranslations();
+    const { env } = useEnvContext();
+    const { isPaidUser } = usePaidStatus();
     const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
         number | null
     >(null);
 
+    const supportsMultipleRolesPerUser = isPaidUser(tierMatrix.fullRbac);
+    const showSingleRoleDisclaimer =
+        !env.flags.disableEnterpriseFeatures &&
+        !isPaidUser(tierMatrix.fullRbac);
+
     const restrictToOrgRoles = roles.length > 0;
 
     const roleOptions = useMemo(
@@ -67,13 +78,40 @@ export default function RoleMappingConfigFields({
         [roles]
     );
 
+    useEffect(() => {
+        if (
+            !supportsMultipleRolesPerUser &&
+            mappingBuilderRules.length > 1
+        ) {
+            onMappingBuilderRulesChange([mappingBuilderRules[0]]);
+        }
+    }, [
+        supportsMultipleRolesPerUser,
+        mappingBuilderRules,
+        onMappingBuilderRulesChange
+    ]);
+
+    useEffect(() => {
+        if (!supportsMultipleRolesPerUser && fixedRoleNames.length > 1) {
+            onFixedRoleNamesChange([fixedRoleNames[0]]);
+        }
+    }, [
+        supportsMultipleRolesPerUser,
+        fixedRoleNames,
+        onFixedRoleNamesChange
+    ]);
+
     const fixedRadioId = `${fieldIdPrefix}-fixed-roles-mode`;
     const builderRadioId = `${fieldIdPrefix}-mapping-builder-mode`;
     const rawRadioId = `${fieldIdPrefix}-raw-expression-mode`;
 
+    const mappingBuilderShowsRemoveColumn =
+        supportsMultipleRolesPerUser || mappingBuilderRules.length > 1;
+
     /** Same template on header + rows so 1fr/1.75fr columns line up (auto third col differs per row otherwise). */
-    const mappingRulesGridClass =
-        "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)_6rem] md:gap-x-3";
+    const mappingRulesGridClass = mappingBuilderShowsRemoveColumn
+        ? "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)_6rem] md:gap-x-3"
+        : "md:grid md:grid-cols-[minmax(0,1fr)_minmax(0,1.75fr)] md:gap-x-3";
 
     return (
         <div className="space-y-4">
@@ -119,6 +157,13 @@ export default function RoleMappingConfigFields({
                         </label>
                     </div>
                 </RadioGroup>
+                {showSingleRoleDisclaimer && (
+                    <FormDescription className="mt-3">
+                        {build === "saas"
+                            ? t("singleRolePerUserPlanNotice")
+                            : t("singleRolePerUserEditionNotice")}
+                    </FormDescription>
+                )}
             </div>
 
             {roleMappingMode === "fixedRoles" && (
@@ -129,19 +174,37 @@ export default function RoleMappingConfigFields({
                             text: name
                         }))}
                         setTags={(nextTags) => {
+                            const prevTags = fixedRoleNames.map((name) => ({
+                                id: name,
+                                text: name
+                            }));
                             const next =
                                 typeof nextTags === "function"
-                                    ? nextTags(
-                                          fixedRoleNames.map((name) => ({
-                                              id: name,
-                                              text: name
-                                          }))
-                                      )
+                                    ? nextTags(prevTags)
                                     : nextTags;
 
-                            onFixedRoleNamesChange([
+                            let names = [
                                 ...new Set(next.map((tag) => tag.text))
-                            ]);
+                            ];
+
+                            if (!supportsMultipleRolesPerUser) {
+                                if (
+                                    names.length === 0 &&
+                                    fixedRoleNames.length > 0
+                                ) {
+                                    onFixedRoleNamesChange([
+                                        fixedRoleNames[
+                                            fixedRoleNames.length - 1
+                                        ]!
+                                    ]);
+                                    return;
+                                }
+                                if (names.length > 1) {
+                                    names = [names[names.length - 1]!];
+                                }
+                            }
+
+                            onFixedRoleNamesChange(names);
                         }}
                         activeTagIndex={activeFixedRoleTagIndex}
                         setActiveTagIndex={setActiveFixedRoleTagIndex}
@@ -191,7 +254,9 @@ export default function RoleMappingConfigFields({
                             <FormLabel className="min-w-0">
                                 {t("roleMappingAssignRoles")}
                             </FormLabel>
-                            <span aria-hidden className="min-w-0" />
+                            {mappingBuilderShowsRemoveColumn ? (
+                                <span aria-hidden className="min-w-0" />
+                            ) : null}
                         </div>
 
                         {mappingBuilderRules.map((rule, index) => (
@@ -204,6 +269,10 @@ export default function RoleMappingConfigFields({
                                 showFreeformRoleNamesHint={
                                     showFreeformRoleNamesHint
                                 }
+                                supportsMultipleRolesPerUser={
+                                    supportsMultipleRolesPerUser
+                                }
+                                showRemoveButton={mappingBuilderShowsRemoveColumn}
                                 rule={rule}
                                 onChange={(nextRule) => {
                                     const nextRules = mappingBuilderRules.map(
@@ -227,18 +296,20 @@ export default function RoleMappingConfigFields({
                         ))}
                     </div>
 
-                    <Button
-                        type="button"
-                        variant="outline"
-                        onClick={() => {
-                            onMappingBuilderRulesChange([
-                                ...mappingBuilderRules,
-                                createMappingBuilderRule()
-                            ]);
-                        }}
-                    >
-                        {t("roleMappingAddMappingRule")}
-                    </Button>
+                    {supportsMultipleRolesPerUser ? (
+                        <Button
+                            type="button"
+                            variant="outline"
+                            onClick={() => {
+                                onMappingBuilderRulesChange([
+                                    ...mappingBuilderRules,
+                                    createMappingBuilderRule()
+                                ]);
+                            }}
+                        >
+                            {t("roleMappingAddMappingRule")}
+                        </Button>
+                    ) : null}
                 </div>
             )}
 
@@ -250,7 +321,11 @@ export default function RoleMappingConfigFields({
                         placeholder={t("roleMappingExpressionPlaceholder")}
                     />
                     <FormDescription>
-                        {t("roleMappingRawExpressionResultDescription")}
+                        {supportsMultipleRolesPerUser
+                            ? t("roleMappingRawExpressionResultDescription")
+                            : t(
+                                  "roleMappingRawExpressionResultDescriptionSingleRole"
+                              )}
                     </FormDescription>
                 </div>
             )}
@@ -265,6 +340,8 @@ function BuilderRuleRow({
     showFreeformRoleNamesHint,
     fieldIdPrefix,
     mappingRulesGridClass,
+    supportsMultipleRolesPerUser,
+    showRemoveButton,
     onChange,
     onRemove
 }: {
@@ -274,6 +351,8 @@ function BuilderRuleRow({
     showFreeformRoleNamesHint: boolean;
     fieldIdPrefix: string;
     mappingRulesGridClass: string;
+    supportsMultipleRolesPerUser: boolean;
+    showRemoveButton: boolean;
     onChange: (rule: MappingBuilderRule) => void;
     onRemove: () => void;
 }) {
@@ -311,20 +390,44 @@ function BuilderRuleRow({
                             text: name
                         }))}
                         setTags={(nextTags) => {
+                            const prevRoleTags = rule.roleNames.map(
+                                (name) => ({
+                                    id: name,
+                                    text: name
+                                })
+                            );
                             const next =
                                 typeof nextTags === "function"
-                                    ? nextTags(
-                                          rule.roleNames.map((name) => ({
-                                              id: name,
-                                              text: name
-                                          }))
-                                      )
+                                    ? nextTags(prevRoleTags)
                                     : nextTags;
+
+                            let names = [
+                                ...new Set(next.map((tag) => tag.text))
+                            ];
+
+                            if (!supportsMultipleRolesPerUser) {
+                                if (
+                                    names.length === 0 &&
+                                    rule.roleNames.length > 0
+                                ) {
+                                    onChange({
+                                        ...rule,
+                                        roleNames: [
+                                            rule.roleNames[
+                                                rule.roleNames.length - 1
+                                            ]!
+                                        ]
+                                    });
+                                    return;
+                                }
+                                if (names.length > 1) {
+                                    names = [names[names.length - 1]!];
+                                }
+                            }
+
                             onChange({
                                 ...rule,
-                                roleNames: [
-                                    ...new Set(next.map((tag) => tag.text))
-                                ]
+                                roleNames: names
                             });
                         }}
                         activeTagIndex={activeTagIndex}
@@ -351,16 +454,18 @@ function BuilderRuleRow({
                     </p>
                 )}
             </div>
-            <div className="flex min-w-0 justify-end md:justify-start md:pt-0">
-                <Button
-                    type="button"
-                    variant="outline"
-                    className="h-9 shrink-0 px-2"
-                    onClick={onRemove}
-                >
-                    {t("roleMappingRemoveRule")}
-                </Button>
-            </div>
+            {showRemoveButton ? (
+                <div className="flex min-w-0 justify-end md:justify-start md:pt-0">
+                    <Button
+                        type="button"
+                        variant="outline"
+                        className="h-9 shrink-0 px-2"
+                        onClick={onRemove}
+                    >
+                        {t("roleMappingRemoveRule")}
+                    </Button>
+                </div>
+            ) : null}
         </div>
     );
 }

From ba529ad14ed582b1e23f01656e70168b9b54b7e1 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:20:56 -0700
Subject: [PATCH 062/122] hide google and azure idp properly

---
 .../settings/(private)/idp/create/page.tsx    |   2 -
 src/app/admin/idp/create/page.tsx             | 135 ++++++++++--------
 .../idp/OidcIdpProviderTypeSelect.tsx         |  96 +++++++------
 3 files changed, 128 insertions(+), 105 deletions(-)

diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 17adcb6b6..c0fc30a8f 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -219,7 +219,6 @@ export default function Page() {
     }
 
     const disabled = !isPaidUser(tierMatrix.orgOidc);
-    const templatesPaid = isPaidUser(tierMatrix.orgOidc);
 
     return (
         <>
@@ -254,7 +253,6 @@ export default function Page() {
                     <SettingsSectionBody>
                         <OidcIdpProviderTypeSelect
                             value={form.watch("type")}
-                            templatesPaid={templatesPaid}
                             onTypeChange={(next) => {
                                 applyOidcIdpProviderType(form.setValue, next);
                             }}
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index 40d4a3b32..5039d255c 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -36,7 +36,7 @@ import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { InfoIcon } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
-import { useEffect, useState } from "react";
+import { useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 
@@ -93,17 +93,18 @@ export default function Page() {
     });
 
     const watchedType = form.watch("type");
-
-    useEffect(() => {
-        if (
-            !templatesPaid &&
-            (watchedType === "google" || watchedType === "azure")
-        ) {
-            applyOidcIdpProviderType(form.setValue, "oidc");
-        }
-    }, [templatesPaid, watchedType, form.setValue]);
+    const templatesLocked =
+        !templatesPaid &&
+        (watchedType === "google" || watchedType === "azure");
 
     async function onSubmit(data: CreateIdpFormValues) {
+        if (
+            !templatesPaid &&
+            (data.type === "google" || data.type === "azure")
+        ) {
+            return;
+        }
+
         setCreateLoading(true);
 
         try {
@@ -166,10 +167,6 @@ export default function Page() {
                 </Button>
             </div>
 
-            {!templatesPaid ? (
-                <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
-            ) : null}
-
             <SettingsContainer>
                 <SettingsSection>
                     <SettingsSectionHeader>
@@ -181,64 +178,79 @@ export default function Page() {
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
+                        {templatesLocked ? (
+                            <div className="mb-4">
+                                <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
+                            </div>
+                        ) : null}
                         <OidcIdpProviderTypeSelect
                             value={watchedType}
-                            templatesPaid={templatesPaid}
                             onTypeChange={(next) => {
                                 applyOidcIdpProviderType(form.setValue, next);
                             }}
                         />
 
-                        <SettingsSectionForm>
-                            <Form {...form}>
-                                <form
-                                    className="space-y-4"
-                                    id="create-idp-form"
-                                    onSubmit={form.handleSubmit(onSubmit)}
-                                >
-                                    <FormField
-                                        control={form.control}
-                                        name="name"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("name")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input {...field} />
-                                                </FormControl>
-                                                <FormDescription>
-                                                    {t("idpDisplayName")}
-                                                </FormDescription>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
-
-                                    <div className="flex items-start mb-0">
-                                        <SwitchInput
-                                            id="auto-provision-toggle"
-                                            label={t("idpAutoProvisionUsers")}
-                                            defaultChecked={form.getValues(
-                                                "autoProvision"
+                        <fieldset
+                            disabled={templatesLocked}
+                            className="min-w-0 border-0 p-0 m-0 disabled:pointer-events-none disabled:opacity-60"
+                        >
+                            <SettingsSectionForm>
+                                <Form {...form}>
+                                    <form
+                                        className="space-y-4"
+                                        id="create-idp-form"
+                                        onSubmit={form.handleSubmit(onSubmit)}
+                                    >
+                                        <FormField
+                                            control={form.control}
+                                            name="name"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("name")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormDescription>
+                                                        {t("idpDisplayName")}
+                                                    </FormDescription>
+                                                    <FormMessage />
+                                                </FormItem>
                                             )}
-                                            onCheckedChange={(checked) => {
-                                                form.setValue(
-                                                    "autoProvision",
-                                                    checked
-                                                );
-                                            }}
                                         />
-                                    </div>
-                                    <span className="text-sm text-muted-foreground">
-                                        {t("idpAutoProvisionUsersDescription")}
-                                    </span>
-                                </form>
-                            </Form>
-                        </SettingsSectionForm>
+
+                                        <div className="flex items-start mb-0">
+                                            <SwitchInput
+                                                id="auto-provision-toggle"
+                                                label={t("idpAutoProvisionUsers")}
+                                                defaultChecked={form.getValues(
+                                                    "autoProvision"
+                                                )}
+                                                onCheckedChange={(checked) => {
+                                                    form.setValue(
+                                                        "autoProvision",
+                                                        checked
+                                                    );
+                                                }}
+                                            />
+                                        </div>
+                                        <span className="text-sm text-muted-foreground">
+                                            {t(
+                                                "idpAutoProvisionUsersDescription"
+                                            )}
+                                        </span>
+                                    </form>
+                                </Form>
+                            </SettingsSectionForm>
+                        </fieldset>
                     </SettingsSectionBody>
                 </SettingsSection>
 
+                <fieldset
+                    disabled={templatesLocked}
+                    className="min-w-0 border-0 p-0 m-0 disabled:pointer-events-none disabled:opacity-60"
+                >
                 {watchedType === "google" && (
                     <SettingsSection>
                         <SettingsSectionHeader>
@@ -624,6 +636,7 @@ export default function Page() {
                         </SettingsSection>
                     </SettingsSectionGrid>
                 )}
+                </fieldset>
             </SettingsContainer>
 
             <div className="flex justify-end space-x-2 mt-8">
@@ -638,7 +651,7 @@ export default function Page() {
                 </Button>
                 <Button
                     type="submit"
-                    disabled={createLoading}
+                    disabled={createLoading || templatesLocked}
                     loading={createLoading}
                     onClick={form.handleSubmit(onSubmit)}
                 >
diff --git a/src/components/idp/OidcIdpProviderTypeSelect.tsx b/src/components/idp/OidcIdpProviderTypeSelect.tsx
index f69c005ad..4665d9c0d 100644
--- a/src/components/idp/OidcIdpProviderTypeSelect.tsx
+++ b/src/components/idp/OidcIdpProviderTypeSelect.tsx
@@ -4,60 +4,72 @@ import {
     StrategySelect,
     type StrategyOption
 } from "@app/components/StrategySelect";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 import type { IdpOidcProviderType } from "@app/lib/idp/oidcIdpProviderDefaults";
 import { useTranslations } from "next-intl";
 import Image from "next/image";
+import { useEffect, useMemo } from "react";
 
 type Props = {
     value: IdpOidcProviderType;
     onTypeChange: (type: IdpOidcProviderType) => void;
-    templatesPaid: boolean;
 };
 
-export function OidcIdpProviderTypeSelect({
-    value,
-    onTypeChange,
-    templatesPaid
-}: Props) {
+export function OidcIdpProviderTypeSelect({ value, onTypeChange }: Props) {
     const t = useTranslations();
+    const { env } = useEnvContext();
+    const hideTemplates = env.flags.disableEnterpriseFeatures;
 
-    const options: ReadonlyArray<StrategyOption<IdpOidcProviderType>> = [
-        {
-            id: "oidc",
-            title: "OAuth2/OIDC",
-            description: t("idpOidcDescription")
-        },
-        {
-            id: "google",
-            title: t("idpGoogleTitle"),
-            description: t("idpGoogleDescription"),
-            disabled: !templatesPaid,
-            icon: (
-                <Image
-                    src="/idp/google.png"
-                    alt={t("idpGoogleAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
-        },
-        {
-            id: "azure",
-            title: t("idpAzureTitle"),
-            description: t("idpAzureDescription"),
-            disabled: !templatesPaid,
-            icon: (
-                <Image
-                    src="/idp/azure.png"
-                    alt={t("idpAzureAlt")}
-                    width={24}
-                    height={24}
-                    className="rounded"
-                />
-            )
+    useEffect(() => {
+        if (hideTemplates && (value === "google" || value === "azure")) {
+            onTypeChange("oidc");
         }
-    ];
+    }, [hideTemplates, value, onTypeChange]);
+
+    const options: ReadonlyArray<StrategyOption<IdpOidcProviderType>> =
+        useMemo(() => {
+            const base: StrategyOption<IdpOidcProviderType>[] = [
+                {
+                    id: "oidc",
+                    title: "OAuth2/OIDC",
+                    description: t("idpOidcDescription")
+                }
+            ];
+            if (hideTemplates) {
+                return base;
+            }
+            return [
+                ...base,
+                {
+                    id: "google",
+                    title: t("idpGoogleTitle"),
+                    description: t("idpGoogleDescription"),
+                    icon: (
+                        <Image
+                            src="/idp/google.png"
+                            alt={t("idpGoogleAlt")}
+                            width={24}
+                            height={24}
+                            className="rounded"
+                        />
+                    )
+                },
+                {
+                    id: "azure",
+                    title: t("idpAzureTitle"),
+                    description: t("idpAzureDescription"),
+                    icon: (
+                        <Image
+                            src="/idp/azure.png"
+                            alt={t("idpAzureAlt")}
+                            width={24}
+                            height={24}
+                            className="rounded"
+                        />
+                    )
+                }
+            ];
+        }, [hideTemplates, t]);
 
     return (
         <div>

From 50ee28b1f7c4be179e2e698592fdb3d7ce12176b Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:23:07 -0700
Subject: [PATCH 063/122] fix no admin user in roles dropdown

---
 .../access/users/[userId]/access-controls/page.tsx | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index eb280f2f3..16ae0b3a5 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -126,16 +126,10 @@ export default function AccessControlsPage() {
         form.setValue("autoProvisioned", user.autoProvisioned || false);
     }, []);
 
-    const allRoleOptions = useMemo(
-        () =>
-            roles
-                .map((role) => ({
-                    id: role.roleId.toString(),
-                    text: role.name
-                }))
-                .filter((role) => role.text !== "Admin"),
-        [roles]
-    );
+    const allRoleOptions = roles.map((role) => ({
+        id: role.roleId.toString(),
+        text: role.name
+    }));
 
     function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
         const prev = form.getValues("roles");

From d1b2105c805ad360585477e0dd9fb8dc9042b89c Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sat, 28 Mar 2026 18:29:40 -0700
Subject: [PATCH 064/122] support search in tags input

---
 src/components/tags/autocomplete.tsx | 277 ++++++++++++---------------
 src/components/tags/tag-input.tsx    |  16 +-
 src/components/tags/tag-popover.tsx  |  99 +++++-----
 3 files changed, 177 insertions(+), 215 deletions(-)

diff --git a/src/components/tags/autocomplete.tsx b/src/components/tags/autocomplete.tsx
index ee865eb61..916e7aeed 100644
--- a/src/components/tags/autocomplete.tsx
+++ b/src/components/tags/autocomplete.tsx
@@ -1,10 +1,23 @@
-import React, { useCallback, useEffect, useRef, useState } from "react";
-// import { Command, CommandList, CommandItem, CommandGroup, CommandEmpty } from '../ui/command';
+import React, { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { TagInputStyleClassesProps, type Tag as TagType } from "./tag-input";
-import { Popover, PopoverContent, PopoverTrigger } from "../ui/popover";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "../ui/command";
+import {
+    Popover,
+    PopoverAnchor,
+    PopoverContent,
+    PopoverTrigger
+} from "../ui/popover";
 import { Button } from "../ui/button";
 import { cn } from "@app/lib/cn";
 import { useTranslations } from "next-intl";
+import { Check } from "lucide-react";
 
 type AutocompleteProps = {
     tags: TagType[];
@@ -20,6 +33,8 @@ type AutocompleteProps = {
     inlineTags?: boolean;
     classStyleProps: TagInputStyleClassesProps["autoComplete"];
     usePortal?: boolean;
+    /** Narrows the dropdown list from the main field (cmdk search filters further). */
+    filterQuery?: string;
 };
 
 export const Autocomplete: React.FC<AutocompleteProps> = ({
@@ -35,10 +50,10 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
     inlineTags,
     children,
     classStyleProps,
-    usePortal
+    usePortal,
+    filterQuery = ""
 }) => {
     const triggerContainerRef = useRef<HTMLDivElement | null>(null);
-    const triggerRef = useRef<HTMLButtonElement | null>(null);
     const inputRef = useRef<HTMLInputElement | null>(null);
     const popoverContentRef = useRef<HTMLDivElement | null>(null);
     const t = useTranslations();
@@ -46,17 +61,21 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
     const [popoverWidth, setPopoverWidth] = useState<number>(0);
     const [isPopoverOpen, setIsPopoverOpen] = useState(false);
     const [inputFocused, setInputFocused] = useState(false);
-    const [popooverContentTop, setPopoverContentTop] = useState<number>(0);
-    const [selectedIndex, setSelectedIndex] = useState<number>(-1);
+    const [commandResetKey, setCommandResetKey] = useState(0);
 
-    // Dynamically calculate the top position for the popover content
-    useEffect(() => {
-        if (!triggerContainerRef.current || !triggerRef.current) return;
-        setPopoverContentTop(
-            triggerContainerRef.current?.getBoundingClientRect().bottom -
-                triggerRef.current?.getBoundingClientRect().bottom
+    const visibleOptions = useMemo(() => {
+        const q = filterQuery.trim().toLowerCase();
+        if (!q) return autocompleteOptions;
+        return autocompleteOptions.filter((option) =>
+            option.text.toLowerCase().includes(q)
         );
-    }, [tags]);
+    }, [autocompleteOptions, filterQuery]);
+
+    useEffect(() => {
+        if (isPopoverOpen) {
+            setCommandResetKey((k) => k + 1);
+        }
+    }, [isPopoverOpen]);
 
     // Close the popover when clicking outside of it
     useEffect(() => {
@@ -135,36 +154,6 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
         if (userOnBlur) userOnBlur(event);
     };
 
-    const handleKeyDown = (event: React.KeyboardEvent<HTMLInputElement>) => {
-        if (!isPopoverOpen) return;
-
-        switch (event.key) {
-            case "ArrowUp":
-                event.preventDefault();
-                setSelectedIndex((prevIndex) =>
-                    prevIndex <= 0
-                        ? autocompleteOptions.length - 1
-                        : prevIndex - 1
-                );
-                break;
-            case "ArrowDown":
-                event.preventDefault();
-                setSelectedIndex((prevIndex) =>
-                    prevIndex === autocompleteOptions.length - 1
-                        ? 0
-                        : prevIndex + 1
-                );
-                break;
-            case "Enter":
-                event.preventDefault();
-                if (selectedIndex !== -1) {
-                    toggleTag(autocompleteOptions[selectedIndex]);
-                    setSelectedIndex(-1);
-                }
-                break;
-        }
-    };
-
     const toggleTag = (option: TagType) => {
         // Check if the tag already exists in the array
         const index = tags.findIndex((tag) => tag.text === option.text);
@@ -197,18 +186,25 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
                 }
             }
         }
-        setSelectedIndex(-1);
     };
 
-    const childrenWithProps = React.cloneElement(
-        children as React.ReactElement<any>,
-        {
-            onKeyDown: handleKeyDown,
-            onFocus: handleInputFocus,
-            onBlur: handleInputBlur,
-            ref: inputRef
+    const child = children as React.ReactElement<
+        React.InputHTMLAttributes<HTMLInputElement> & {
+            ref?: React.Ref<HTMLInputElement>;
         }
-    );
+    >;
+    const userOnKeyDown = child.props.onKeyDown;
+
+    const childrenWithProps = React.cloneElement(child, {
+        onKeyDown: userOnKeyDown,
+        onFocus: handleInputFocus,
+        onBlur: handleInputBlur,
+        ref: inputRef
+    } as Partial<
+        React.InputHTMLAttributes<HTMLInputElement> & {
+            ref?: React.Ref<HTMLInputElement>;
+        }
+    >);
 
     return (
         <div
@@ -222,132 +218,105 @@ export const Autocomplete: React.FC<AutocompleteProps> = ({
                 onOpenChange={handleOpenChange}
                 modal={usePortal}
             >
-                <div
-                    className="relative h-full flex items-center rounded-md border border-input bg-transparent pr-3"
-                    ref={triggerContainerRef}
-                >
-                    {childrenWithProps}
-                    <PopoverTrigger asChild ref={triggerRef}>
-                        <Button
-                            variant="ghost"
-                            size="icon"
-                            role="combobox"
-                            className={cn(
-                                `hover:bg-transparent ${!inlineTags ? "ml-auto" : ""}`,
-                                classStyleProps?.popoverTrigger
-                            )}
-                            onClick={() => {
-                                setIsPopoverOpen(!isPopoverOpen);
-                            }}
-                        >
-                            <svg
-                                xmlns="http://www.w3.org/2000/svg"
-                                width="24"
-                                height="24"
-                                viewBox="0 0 24 24"
-                                fill="none"
-                                stroke="currentColor"
-                                strokeWidth="2"
-                                strokeLinecap="round"
-                                strokeLinejoin="round"
-                                className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+                <PopoverAnchor asChild>
+                    <div
+                        className="relative h-full flex items-center rounded-md border border-input bg-transparent pr-3"
+                        ref={triggerContainerRef}
+                    >
+                        {childrenWithProps}
+                        <PopoverTrigger asChild>
+                            <Button
+                                variant="ghost"
+                                size="icon"
+                                role="combobox"
+                                className={cn(
+                                    `hover:bg-transparent ${!inlineTags ? "ml-auto" : ""}`,
+                                    classStyleProps?.popoverTrigger
+                                )}
+                                onClick={() => {
+                                    setIsPopoverOpen(!isPopoverOpen);
+                                }}
                             >
-                                <path d="m6 9 6 6 6-6"></path>
-                            </svg>
-                        </Button>
-                    </PopoverTrigger>
-                </div>
+                                <svg
+                                    xmlns="http://www.w3.org/2000/svg"
+                                    width="24"
+                                    height="24"
+                                    viewBox="0 0 24 24"
+                                    fill="none"
+                                    stroke="currentColor"
+                                    strokeWidth="2"
+                                    strokeLinecap="round"
+                                    strokeLinejoin="round"
+                                    className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+                                >
+                                    <path d="m6 9 6 6 6-6"></path>
+                                </svg>
+                            </Button>
+                        </PopoverTrigger>
+                    </div>
+                </PopoverAnchor>
                 <PopoverContent
                     ref={popoverContentRef}
                     side="bottom"
                     align="start"
                     forceMount
                     className={cn(
-                        `p-0 relative`,
+                        "p-0",
                         classStyleProps?.popoverContent
                     )}
                     style={{
-                        top: `${popooverContentTop}px`,
-                        marginLeft: `calc(-${popoverWidth}px + 36px)`,
                         width: `${popoverWidth}px`,
                         minWidth: `${popoverWidth}px`,
                         zIndex: 9999
                     }}
                 >
-                    <div
+                    <Command
+                        key={commandResetKey}
                         className={cn(
-                            "max-h-[300px] overflow-y-auto overflow-x-hidden",
-                            classStyleProps?.commandList
+                            "rounded-lg border-0 shadow-none",
+                            classStyleProps?.command
                         )}
-                        style={{
-                            minHeight: "68px"
-                        }}
-                        key={autocompleteOptions.length}
                     >
-                        {autocompleteOptions.length > 0 ? (
-                            <div
-                                key={autocompleteOptions.length}
-                                role="group"
-                                className={cn(
-                                    "overflow-y-auto overflow-hidden p-1 text-foreground",
-                                    classStyleProps?.commandGroup
-                                )}
-                                style={{
-                                    minHeight: "68px"
-                                }}
+                        <CommandInput
+                            placeholder={t("searchPlaceholder")}
+                            className="h-9"
+                        />
+                        <CommandList
+                            className={cn(
+                                "max-h-[300px]",
+                                classStyleProps?.commandList
+                            )}
+                        >
+                            <CommandEmpty>{t("noResults")}</CommandEmpty>
+                            <CommandGroup
+                                className={classStyleProps?.commandGroup}
                             >
-                                <span className="text-muted-foreground font-medium text-sm py-1.5 px-2 pb-2">
-                                    Suggestions
-                                </span>
-                                <div role="separator" className="py-0.5" />
-                                {autocompleteOptions.map((option, index) => {
-                                    const isSelected = index === selectedIndex;
+                                {visibleOptions.map((option) => {
+                                    const isChosen = tags.some(
+                                        (tag) => tag.text === option.text
+                                    );
                                     return (
-                                        <div
+                                        <CommandItem
                                             key={option.id}
-                                            role="option"
-                                            aria-selected={isSelected}
-                                            className={cn(
-                                                "relative flex cursor-pointer select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none aria-selected:bg-accent aria-selected:text-accent-foreground data-disabled:pointer-events-none data-disabled:opacity-50 hover:bg-accent",
-                                                isSelected &&
-                                                    "bg-accent text-accent-foreground",
-                                                classStyleProps?.commandItem
-                                            )}
-                                            data-value={option.text}
-                                            onClick={() => toggleTag(option)}
+                                            value={`${option.text} ${option.id}`}
+                                            onSelect={() => toggleTag(option)}
+                                            className={classStyleProps?.commandItem}
                                         >
-                                            <div className="w-full flex items-center gap-2">
-                                                {option.text}
-                                                {tags.some(
-                                                    (tag) =>
-                                                        tag.text === option.text
-                                                ) && (
-                                                    <svg
-                                                        xmlns="http://www.w3.org/2000/svg"
-                                                        width="14"
-                                                        height="14"
-                                                        viewBox="0 0 24 24"
-                                                        fill="none"
-                                                        stroke="currentColor"
-                                                        strokeWidth="2"
-                                                        strokeLinecap="round"
-                                                        strokeLinejoin="round"
-                                                        className="lucide lucide-check"
-                                                    >
-                                                        <path d="M20 6 9 17l-5-5"></path>
-                                                    </svg>
+                                            <Check
+                                                className={cn(
+                                                    "mr-2 h-4 w-4 shrink-0",
+                                                    isChosen
+                                                        ? "opacity-100"
+                                                        : "opacity-0"
                                                 )}
-                                            </div>
-                                        </div>
+                                            />
+                                            {option.text}
+                                        </CommandItem>
                                     );
                                 })}
-                            </div>
-                        ) : (
-                            <div className="py-6 text-center text-sm">
-                                {t("noResults")}
-                            </div>
-                        )}
-                    </div>
+                            </CommandGroup>
+                        </CommandList>
+                    </Command>
                 </PopoverContent>
             </Popover>
         </div>
diff --git a/src/components/tags/tag-input.tsx b/src/components/tags/tag-input.tsx
index 269967ccb..e8cfa370a 100644
--- a/src/components/tags/tag-input.tsx
+++ b/src/components/tags/tag-input.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import React, { useMemo } from "react";
+import React from "react";
 import { Input } from "../ui/input";
 import { Button } from "../ui/button";
 import { type VariantProps } from "class-variance-authority";
@@ -434,14 +434,6 @@ const TagInput = React.forwardRef<HTMLInputElement, TagInputProps>(
         // const filteredAutocompleteOptions = autocompleteFilter
         //   ? autocompleteOptions?.filter((option) => autocompleteFilter(option.text))
         //   : autocompleteOptions;
-        const filteredAutocompleteOptions = useMemo(() => {
-            return (autocompleteOptions || []).filter((option) =>
-                option.text
-                    .toLowerCase()
-                    .includes(inputValue ? inputValue.toLowerCase() : "")
-            );
-        }, [inputValue, autocompleteOptions]);
-
         const displayedTags = sortTags ? [...tags].sort() : tags;
 
         const truncatedTags = truncate
@@ -571,9 +563,9 @@ const TagInput = React.forwardRef<HTMLInputElement, TagInputProps>(
                             tags={tags}
                             setTags={setTags}
                             setInputValue={setInputValue}
-                            autocompleteOptions={
-                                filteredAutocompleteOptions as Tag[]
-                            }
+                            autocompleteOptions={(autocompleteOptions ||
+                                []) as Tag[]}
+                            filterQuery={inputValue}
                             setTagCount={setTagCount}
                             maxTags={maxTags}
                             onTagAdd={onTagAdd}
diff --git a/src/components/tags/tag-popover.tsx b/src/components/tags/tag-popover.tsx
index 533619a7c..93f5e2c04 100644
--- a/src/components/tags/tag-popover.tsx
+++ b/src/components/tags/tag-popover.tsx
@@ -1,5 +1,10 @@
 import React, { useCallback, useEffect, useRef, useState } from "react";
-import { Popover, PopoverContent, PopoverTrigger } from "../ui/popover";
+import {
+    Popover,
+    PopoverAnchor,
+    PopoverContent,
+    PopoverTrigger
+} from "../ui/popover";
 import { TagInputStyleClassesProps, type Tag as TagType } from "./tag-input";
 import { TagList, TagListProps } from "./tag-list";
 import { Button } from "../ui/button";
@@ -33,33 +38,27 @@ export const TagPopover: React.FC<TagPopoverProps> = ({
     ...tagProps
 }) => {
     const triggerContainerRef = useRef<HTMLDivElement | null>(null);
-    const triggerRef = useRef<HTMLButtonElement | null>(null);
     const popoverContentRef = useRef<HTMLDivElement | null>(null);
     const inputRef = useRef<HTMLInputElement | null>(null);
 
     const [popoverWidth, setPopoverWidth] = useState<number>(0);
     const [isPopoverOpen, setIsPopoverOpen] = useState(false);
     const [inputFocused, setInputFocused] = useState(false);
-    const [sideOffset, setSideOffset] = useState<number>(0);
 
     const t = useTranslations();
 
     useEffect(() => {
         const handleResize = () => {
-            if (triggerContainerRef.current && triggerRef.current) {
+            if (triggerContainerRef.current) {
                 setPopoverWidth(triggerContainerRef.current.offsetWidth);
-                setSideOffset(
-                    triggerContainerRef.current.offsetWidth -
-                        triggerRef?.current?.offsetWidth
-                );
             }
         };
 
-        handleResize(); // Call on mount and layout changes
+        handleResize();
 
-        window.addEventListener("resize", handleResize); // Adjust on window resize
+        window.addEventListener("resize", handleResize);
         return () => window.removeEventListener("resize", handleResize);
-    }, [triggerContainerRef, triggerRef]);
+    }, []);
 
     // Close the popover when clicking outside of it
     useEffect(() => {
@@ -135,52 +134,54 @@ export const TagPopover: React.FC<TagPopoverProps> = ({
             onOpenChange={handleOpenChange}
             modal={usePortal}
         >
-            <div
-                className="relative flex items-center rounded-md border border-input bg-transparent pr-3"
-                ref={triggerContainerRef}
-            >
-                {React.cloneElement(children as React.ReactElement<any>, {
-                    onFocus: handleInputFocus,
-                    onBlur: handleInputBlur,
-                    ref: inputRef
-                })}
-                <PopoverTrigger asChild>
-                    <Button
-                        ref={triggerRef}
-                        variant="ghost"
-                        size="icon"
-                        role="combobox"
-                        className={cn(
-                            `hover:bg-transparent`,
-                            classStyleProps?.popoverClasses?.popoverTrigger
-                        )}
-                        onClick={() => setIsPopoverOpen(!isPopoverOpen)}
-                    >
-                        <svg
-                            xmlns="http://www.w3.org/2000/svg"
-                            width="24"
-                            height="24"
-                            viewBox="0 0 24 24"
-                            fill="none"
-                            stroke="currentColor"
-                            strokeWidth="2"
-                            strokeLinecap="round"
-                            strokeLinejoin="round"
-                            className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+            <PopoverAnchor asChild>
+                <div
+                    className="relative flex items-center rounded-md border border-input bg-transparent pr-3"
+                    ref={triggerContainerRef}
+                >
+                    {React.cloneElement(children as React.ReactElement<any>, {
+                        onFocus: handleInputFocus,
+                        onBlur: handleInputBlur,
+                        ref: inputRef
+                    })}
+                    <PopoverTrigger asChild>
+                        <Button
+                            variant="ghost"
+                            size="icon"
+                            role="combobox"
+                            className={cn(
+                                `hover:bg-transparent`,
+                                classStyleProps?.popoverClasses?.popoverTrigger
+                            )}
+                            onClick={() => setIsPopoverOpen(!isPopoverOpen)}
                         >
-                            <path d="m6 9 6 6 6-6"></path>
-                        </svg>
-                    </Button>
-                </PopoverTrigger>
-            </div>
+                            <svg
+                                xmlns="http://www.w3.org/2000/svg"
+                                width="24"
+                                height="24"
+                                viewBox="0 0 24 24"
+                                fill="none"
+                                stroke="currentColor"
+                                strokeWidth="2"
+                                strokeLinecap="round"
+                                strokeLinejoin="round"
+                                className={`lucide lucide-chevron-down h-4 w-4 shrink-0 opacity-50 ${isPopoverOpen ? "rotate-180" : "rotate-0"}`}
+                            >
+                                <path d="m6 9 6 6 6-6"></path>
+                            </svg>
+                        </Button>
+                    </PopoverTrigger>
+                </div>
+            </PopoverAnchor>
             <PopoverContent
                 ref={popoverContentRef}
+                align="start"
+                side="bottom"
                 className={cn(
                     `w-full space-y-3`,
                     classStyleProps?.popoverClasses?.popoverContent
                 )}
                 style={{
-                    marginLeft: `-${sideOffset}px`,
                     width: `${popoverWidth}px`
                 }}
             >

From 00ef6d617f3ff321482941e4146ce72ac6a71e17 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 17:12:21 -0700
Subject: [PATCH 065/122] Handle the roles better in the verify session

---
 server/db/queries/verifySessionQueries.ts |  23 ++-
 server/lib/userOrgRoles.ts                |  16 +-
 server/private/routers/hybrid.ts          | 226 +++++++++++++++++++++-
 server/routers/badger/verifySession.ts    |  39 ++--
 4 files changed, 266 insertions(+), 38 deletions(-)

diff --git a/server/db/queries/verifySessionQueries.ts b/server/db/queries/verifySessionQueries.ts
index 66f968b02..989e111a7 100644
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,12 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
+import {
+    db,
+    loginPage,
+    LoginPage,
+    loginPageOrg,
+    Org,
+    orgs,
+    roles
+} from "@server/db";
 import {
     Resource,
     ResourcePassword,
@@ -12,14 +20,12 @@ import {
     resources,
     roleResources,
     sessions,
-    userOrgRoles,
-    userOrgs,
     userResources,
     users,
     ResourceHeaderAuthExtendedCompatibility,
     resourceHeaderAuthExtendedCompatibility
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 
 export type ResourceWithAuth = {
     resource: Resource | null;
@@ -121,7 +127,7 @@ export async function getRoleName(roleId: number): Promise<string | null> {
  */
 export async function getRoleResourceAccess(
     resourceId: number,
-    roleId: number
+    roleIds: number[]
 ) {
     const roleResourceAccess = await db
         .select()
@@ -129,12 +135,11 @@ export async function getRoleResourceAccess(
         .where(
             and(
                 eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
+                inArray(roleResources.roleId, roleIds)
             )
-        )
-        .limit(1);
+        );
 
-    return roleResourceAccess.length > 0 ? roleResourceAccess[0] : null;
+    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
 }
 
 /**
diff --git a/server/lib/userOrgRoles.ts b/server/lib/userOrgRoles.ts
index 5a4d75659..c3db64af3 100644
--- a/server/lib/userOrgRoles.ts
+++ b/server/lib/userOrgRoles.ts
@@ -1,4 +1,4 @@
-import { db, userOrgRoles } from "@server/db";
+import { db, roles, userOrgRoles } from "@server/db";
 import { and, eq } from "drizzle-orm";
 
 /**
@@ -20,3 +20,17 @@ export async function getUserOrgRoleIds(
         );
     return rows.map((r) => r.roleId);
 }
+
+export async function getUserOrgRoles(
+    userId: string,
+    orgId: string
+): Promise<{ roleId: number; roleName: string }[]> {
+    const rows = await db
+        .select({ roleId: userOrgRoles.roleId, roleName: roles.name })
+        .from(userOrgRoles)
+        .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(eq(userOrgRoles.userId, userId), eq(userOrgRoles.orgId, orgId))
+        );
+    return rows;
+}
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index 5ca720594..71fdc7e72 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -124,6 +124,23 @@ const getRoleResourceAccessParamsSchema = z.strictObject({
         .pipe(z.int().positive("Resource ID must be a positive integer"))
 });
 
+const getResourceAccessParamsSchema = z.strictObject({
+    resourceId: z
+        .string()
+        .transform(Number)
+        .pipe(z.int().positive("Resource ID must be a positive integer"))
+});
+
+const getResourceAccessQuerySchema = z.strictObject({
+    roleIds: z
+        .union([z.array(z.string()), z.string()])
+        .transform((val) =>
+            (Array.isArray(val) ? val : [val])
+                .map(Number)
+                .filter((n) => !isNaN(n))
+        )
+});
+
 const getUserResourceAccessParamsSchema = z.strictObject({
     userId: z.string().min(1, "User ID is required"),
     resourceId: z
@@ -769,7 +786,7 @@ hybridRouter.get(
 
 // Get user organization role
 hybridRouter.get(
-    "/user/:userId/org/:orgId/role",
+    "/user/:userId/org/:orgId/roles",
     async (req: Request, res: Response, next: NextFunction) => {
         try {
             const parsedParams = getUserOrgRoleParamsSchema.safeParse(
@@ -805,6 +822,80 @@ hybridRouter.get(
                 );
             }
 
+            const userOrgRoleRows = await db
+                .select({ roleId: userOrgRoles.roleId, roleName: roles.name })
+                .from(userOrgRoles)
+                .innerJoin(roles, eq(roles.roleId, userOrgRoles.roleId))
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, orgId)
+                    )
+                );
+
+            return response<{ roleId: number, roleName: string }[]>(res, {
+                data: userOrgRoleRows,
+                success: true,
+                error: false,
+                message:
+                    userOrgRoleRows.length > 0
+                        ? "User org roles retrieved successfully"
+                        : "User has no roles in this organization",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get user org role"
+                )
+            );
+        }
+    }
+);
+
+// DEPRICATED Get user organization role
+// used for backward compatibility with old remote nodes
+hybridRouter.get(
+    "/user/:userId/org/:orgId/role", // <- note the missing s
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getUserOrgRoleParamsSchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { userId, orgId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode || !remoteExitNode.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "User is not authorized to access this organization"
+                    )
+                );
+            }
+
+            // get the roles on the user
+
             const userOrgRoleRows = await db
                 .select({ roleId: userOrgRoles.roleId })
                 .from(userOrgRoles)
@@ -817,8 +908,35 @@ hybridRouter.get(
 
             const roleIds = userOrgRoleRows.map((r) => r.roleId);
 
-            return response<number[]>(res, {
-                data: roleIds,
+            let roleId: number | null = null;
+
+            if (userOrgRoleRows.length === 0) {
+                // User has no roles in this organization
+                roleId = null;
+            } else if (userOrgRoleRows.length === 1) {
+                // User has exactly one role, return it
+                roleId = userOrgRoleRows[0].roleId;
+            } else {
+                // User has multiple roles
+                // Check if any of these roles are also assigned to a resource
+                // If we find a match, prefer that role; otherwise return the first role
+                // Get all resources that have any of these roles assigned
+                const roleResourceMatches = await db
+                    .select({ roleId: roleResources.roleId })
+                    .from(roleResources)
+                    .where(inArray(roleResources.roleId, roleIds))
+                    .limit(1);
+                if (roleResourceMatches.length > 0) {
+                    // Return the first role that's also on a resource
+                    roleId = roleResourceMatches[0].roleId;
+                } else {
+                    // No resource match found, return the first role
+                    roleId = userOrgRoleRows[0].roleId;
+                }
+            }
+
+            return response<{ roleId: number | null }>(res, {
+                data: { roleId },
                 success: true,
                 error: false,
                 message:
@@ -939,7 +1057,9 @@ hybridRouter.get(
                 data: role?.name ?? null,
                 success: true,
                 error: false,
-                message: role ? "Role name retrieved successfully" : "Role not found",
+                message: role
+                    ? "Role name retrieved successfully"
+                    : "Role not found",
                 status: HttpCode.OK
             });
         } catch (error) {
@@ -1039,6 +1159,101 @@ hybridRouter.get(
     }
 );
 
+// Check if role has access to resource
+hybridRouter.get(
+    "/resource/:resourceId/access",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getResourceAccessParamsSchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { resourceId } = parsedParams.data;
+            const parsedQuery = getResourceAccessQuerySchema.safeParse(
+                req.query
+            );
+            const roleIds = parsedQuery.success ? parsedQuery.data.roleIds : [];
+
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode?.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            const [resource] = await db
+                .select()
+                .from(resources)
+                .where(eq(resources.resourceId, resourceId))
+                .limit(1);
+
+            if (
+                await checkExitNodeOrg(
+                    remoteExitNode.exitNodeId,
+                    resource.orgId
+                )
+            ) {
+                // If the exit node is not allowed for the org, return an error
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Exit node not allowed for this organization"
+                    )
+                );
+            }
+
+            const roleResourceAccess = await db
+                .select({
+                    resourceId: roleResources.resourceId,
+                    roleId: roleResources.roleId
+                })
+                .from(roleResources)
+                .where(
+                    and(
+                        eq(roleResources.resourceId, resourceId),
+                        inArray(roleResources.roleId, roleIds)
+                    )
+                );
+
+            const result =
+                roleResourceAccess.length > 0 ? roleResourceAccess : null;
+
+            return response<{ resourceId: number; roleId: number }[] | null>(
+                res,
+                {
+                    data: result,
+                    success: true,
+                    error: false,
+                    message: result
+                        ? "Role resource access retrieved successfully"
+                        : "Role resource access not found",
+                    status: HttpCode.OK
+                }
+            );
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get role resource access"
+                )
+            );
+        }
+    }
+);
+
 // Check if user has direct access to resource
 hybridRouter.get(
     "/user/:userId/resource/:resourceId/access",
@@ -1937,7 +2152,8 @@ hybridRouter.post(
                     // userAgent: data.userAgent, // TODO: add this
                     // headers: data.body.headers,
                     // query: data.body.query,
-                    originalRequestURL: sanitizeString(logEntry.originalRequestURL) ?? "",
+                    originalRequestURL:
+                        sanitizeString(logEntry.originalRequestURL) ?? "",
                     scheme: sanitizeString(logEntry.scheme) ?? "",
                     host: sanitizeString(logEntry.host) ?? "",
                     path: sanitizeString(logEntry.path) ?? "",
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 182b35dcb..7ea281c9b 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -9,7 +9,7 @@ import {
     getOrgLoginPage,
     getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getUserOrgRoles } from "@server/lib/userOrgRoles";
 import {
     LoginPage,
     Org,
@@ -798,7 +798,8 @@ async function notAllowed(
 ) {
     let loginPage: LoginPage | null = null;
     if (orgId) {
-        const subscribed = await isSubscribed( // this is fine because the org login page is only a saas feature
+        const subscribed = await isSubscribed(
+            // this is fine because the org login page is only a saas feature
             orgId,
             tierMatrix.loginPageDomain
         );
@@ -855,7 +856,10 @@ async function headerAuthChallenged(
 ) {
     let loginPage: LoginPage | null = null;
     if (orgId) {
-        const subscribed = await isSubscribed(orgId, tierMatrix.loginPageDomain); // this is fine because the org login page is only a saas feature
+        const subscribed = await isSubscribed(
+            orgId,
+            tierMatrix.loginPageDomain
+        ); // this is fine because the org login page is only a saas feature
         if (subscribed) {
             loginPage = await getOrgLoginPage(orgId);
         }
@@ -917,9 +921,9 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
+    const userOrgRoles = await getUserOrgRoles(user.userId, resource.orgId);
 
-    if (!userOrgRoleIds.length) {
+    if (!userOrgRoles.length) {
         return null;
     }
 
@@ -935,23 +939,16 @@ async function isUserAllowedToAccessResource(
         return null;
     }
 
-    const roleNames: string[] = [];
-    for (const roleId of userOrgRoleIds) {
-        const roleResourceAccess = await getRoleResourceAccess(
-            resource.resourceId,
-            roleId
-        );
-        if (roleResourceAccess) {
-            const roleName = await getRoleName(roleId);
-            if (roleName) roleNames.push(roleName);
-        }
-    }
-    if (roleNames.length > 0) {
+    const roleResourceAccess = await getRoleResourceAccess(
+        resource.resourceId,
+        userOrgRoles.map((r) => r.roleId)
+    );
+    if (roleResourceAccess && roleResourceAccess.length > 0) {
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role: roleNames.join(", ")
+            role: userOrgRoles.map((r) => r.roleName).join(", ")
         };
     }
 
@@ -961,15 +958,11 @@ async function isUserAllowedToAccessResource(
     );
 
     if (userResourceAccess) {
-        const names = await Promise.all(
-            userOrgRoleIds.map((id) => getRoleName(id))
-        );
-        const role = names.filter(Boolean).join(", ") || "";
         return {
             username: user.username,
             email: user.email,
             name: user.name,
-            role
+            role: userOrgRoles.map((r) => r.roleName).join(", ")
         };
     }
 

From 757bb39622182378fc49a75584306ae69b23f356 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 21:23:59 -0700
Subject: [PATCH 066/122] Support overriding badger for testing

---
 server/lib/readConfigFile.ts                    |  1 +
 server/private/routers/hybrid.ts                |  2 ++
 server/routers/badger/verifySession.ts          |  2 --
 server/routers/traefik/traefikConfigProvider.ts | 17 ++++++++++-------
 4 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index f6c8592e9..c3e796fc1 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -79,6 +79,7 @@ export const configSchema = z
                     .default(3001)
                     .transform(stoi)
                     .pipe(portSchema),
+                badger_override: z.string().optional(),
                 next_port: portSchema
                     .optional()
                     .default(3002)
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index 71fdc7e72..13a6f70e0 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -833,6 +833,8 @@ hybridRouter.get(
                     )
                 );
 
+            logger.debug(`User ${userId} has roles in org ${orgId}:`, userOrgRoleRows);
+
             return response<{ roleId: number, roleName: string }[]>(res, {
                 data: userOrgRoleRows,
                 success: true,
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 7ea281c9b..0b1cc1183 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -3,7 +3,6 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
     getResourceByDomain,
     getResourceRules,
-    getRoleName,
     getRoleResourceAccess,
     getUserResourceAccess,
     getOrgLoginPage,
@@ -31,7 +30,6 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { getCountryCodeForIp } from "@server/lib/geoip";
 import { getAsnForIp } from "@server/lib/asn";
-import { getOrgTierData } from "#dynamic/lib/billing";
 import { verifyPassword } from "@server/auth/password";
 import {
     checkOrgAccessPolicy,
diff --git a/server/routers/traefik/traefikConfigProvider.ts b/server/routers/traefik/traefikConfigProvider.ts
index fa76190ff..02f890604 100644
--- a/server/routers/traefik/traefikConfigProvider.ts
+++ b/server/routers/traefik/traefikConfigProvider.ts
@@ -30,12 +30,15 @@ export async function traefikConfigProvider(
             traefikConfig.http.middlewares[badgerMiddlewareName] = {
                 plugin: {
                     [badgerMiddlewareName]: {
-                        apiBaseUrl: new URL(
-                            "/api/v1",
-                            `http://${
-                                config.getRawConfig().server.internal_hostname
-                            }:${config.getRawConfig().server.internal_port}`
-                        ).href,
+                        apiBaseUrl:
+                            config.getRawConfig().server.badger_override ||
+                            new URL(
+                                "/api/v1",
+                                `http://${
+                                    config.getRawConfig().server
+                                        .internal_hostname
+                                }:${config.getRawConfig().server.internal_port}`
+                            ).href,
                         userSessionCookieName:
                             config.getRawConfig().server.session_cookie_name,
 
@@ -61,7 +64,7 @@ export async function traefikConfigProvider(
 
         return res.status(HttpCode.OK).json(traefikConfig);
     } catch (e) {
-        logger.error(`Failed to build Traefik config: ${e}`);
+        logger.error(e);
         return res.status(HttpCode.INTERNAL_SERVER_ERROR).json({
             error: "Failed to build Traefik config"
         });

From 6f71af278e3e6192aec9e61417d17be9f7fa329a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 21:29:32 -0700
Subject: [PATCH 067/122] Add basic migration files

---
 server/setup/migrationsPg.ts         |  4 +++-
 server/setup/migrationsSqlite.ts     |  4 +++-
 server/setup/scriptsPg/1.17.0.ts     | 22 ++++++++++++++++++++++
 server/setup/scriptsSqlite/1.17.0.ts | 28 ++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 server/setup/scriptsPg/1.17.0.ts
 create mode 100644 server/setup/scriptsSqlite/1.17.0.ts

diff --git a/server/setup/migrationsPg.ts b/server/setup/migrationsPg.ts
index 1ace73474..9ba0b9767 100644
--- a/server/setup/migrationsPg.ts
+++ b/server/setup/migrationsPg.ts
@@ -21,6 +21,7 @@ import m12 from "./scriptsPg/1.15.0";
 import m13 from "./scriptsPg/1.15.3";
 import m14 from "./scriptsPg/1.15.4";
 import m15 from "./scriptsPg/1.16.0";
+import m16 from "./scriptsPg/1.17.0";
 
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -41,7 +42,8 @@ const migrations = [
     { version: "1.15.0", run: m12 },
     { version: "1.15.3", run: m13 },
     { version: "1.15.4", run: m14 },
-    { version: "1.16.0", run: m15 }
+    { version: "1.16.0", run: m15 },
+    { version: "1.17.0", run: m16 }
     // Add new migrations here as they are created
 ] as {
     version: string;
diff --git a/server/setup/migrationsSqlite.ts b/server/setup/migrationsSqlite.ts
index da7e6b6d1..45a29ec29 100644
--- a/server/setup/migrationsSqlite.ts
+++ b/server/setup/migrationsSqlite.ts
@@ -39,6 +39,7 @@ import m33 from "./scriptsSqlite/1.15.0";
 import m34 from "./scriptsSqlite/1.15.3";
 import m35 from "./scriptsSqlite/1.15.4";
 import m36 from "./scriptsSqlite/1.16.0";
+import m37 from "./scriptsSqlite/1.17.0";
 
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -75,7 +76,8 @@ const migrations = [
     { version: "1.15.0", run: m33 },
     { version: "1.15.3", run: m34 },
     { version: "1.15.4", run: m35 },
-    { version: "1.16.0", run: m36 }
+    { version: "1.16.0", run: m36 },
+    { version: "1.17.0", run: m37 }
     // Add new migrations here as they are created
 ] as const;
 
diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
new file mode 100644
index 000000000..6fb3105d5
--- /dev/null
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -0,0 +1,22 @@
+import { db } from "@server/db/pg/driver";
+import { sql } from "drizzle-orm";
+
+const version = "1.17.0";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    try {
+        await db.execute(sql`BEGIN`);
+
+        await db.execute(sql`COMMIT`);
+        console.log("Migrated database");
+    } catch (e) {
+        await db.execute(sql`ROLLBACK`);
+        console.log("Unable to migrate database");
+        console.log(e);
+        throw e;
+    }
+
+    console.log(`${version} migration complete`);
+}
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
new file mode 100644
index 000000000..07bd44aec
--- /dev/null
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -0,0 +1,28 @@
+import { APP_PATH } from "@server/lib/consts";
+import Database from "better-sqlite3";
+import path from "path";
+
+const version = "1.17.0";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    const location = path.join(APP_PATH, "db", "db.sqlite");
+    const db = new Database(location);
+
+    try {
+        db.pragma("foreign_keys = OFF");
+
+        db.transaction(() => {
+        })();
+
+        db.pragma("foreign_keys = ON");
+
+        console.log(`Migrated database`);
+    } catch (e) {
+        console.log("Failed to migrate db:", e);
+        throw e;
+    }
+
+    console.log(`${version} migration complete`);
+}

From 8e821b397fec1b6a57f8a0a434ec6f2831fa3a63 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sat, 28 Mar 2026 21:41:21 -0700
Subject: [PATCH 068/122] Add migration

---
 server/setup/scriptsPg/1.17.0.ts     | 53 ++++++++++++++++++++-
 server/setup/scriptsSqlite/1.17.0.ts | 70 +++++++++++++++++++++++++++-
 2 files changed, 121 insertions(+), 2 deletions(-)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index 6fb3105d5..81c42e1a9 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -6,9 +6,37 @@ const version = "1.17.0";
 export default async function migration() {
     console.log(`Running setup script ${version}...`);
 
+    // Query existing roleId data from userOrgs before the transaction destroys it
+    const existingRolesQuery = await db.execute(
+        sql`SELECT "userId", "orgId", "roleId" FROM "userOrgs" WHERE "roleId" IS NOT NULL`
+    );
+    const existingUserOrgRoles = existingRolesQuery.rows as {
+        userId: string;
+        orgId: string;
+        roleId: number;
+    }[];
+
+    console.log(
+        `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
+    );
+
     try {
         await db.execute(sql`BEGIN`);
 
+        await db.execute(sql`
+            CREATE TABLE "userOrgRoles" (
+               	"userId" varchar NOT NULL,
+               	"orgId" varchar NOT NULL,
+               	"roleId" integer NOT NULL,
+               	CONSTRAINT "userOrgRoles_userId_orgId_roleId_unique" UNIQUE("userId","orgId","roleId")
+            );
+        `);
+        await db.execute(sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`);
+        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(sql`ALTER TABLE "userOrgs" DROP COLUMN "roleId";`);
+
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
     } catch (e) {
@@ -18,5 +46,28 @@ export default async function migration() {
         throw e;
     }
 
+    // Re-insert the preserved role assignments into the new userOrgRoles table
+    if (existingUserOrgRoles.length > 0) {
+        try {
+            for (const row of existingUserOrgRoles) {
+                await db.execute(sql`
+                    INSERT INTO "userOrgRoles" ("userId", "orgId", "roleId")
+                    VALUES (${row.userId}, ${row.orgId}, ${row.roleId})
+                    ON CONFLICT DO NOTHING
+                `);
+            }
+
+            console.log(
+                `Migrated ${existingUserOrgRoles.length} role assignment(s) into userOrgRoles`
+            );
+        } catch (e) {
+            console.error(
+                "Error while migrating role assignments into userOrgRoles:",
+                e
+            );
+            throw e;
+        }
+    }
+
     console.log(`${version} migration complete`);
-}
+}
\ No newline at end of file
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 07bd44aec..fe7d82de0 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -13,11 +13,79 @@ export default async function migration() {
     try {
         db.pragma("foreign_keys = OFF");
 
+        // Query existing roleId data from userOrgs before the transaction destroys it
+        const existingUserOrgRoles = db
+            .prepare(
+                `SELECT "userId", "orgId", "roleId" FROM 'userOrgs' WHERE "roleId" IS NOT NULL`
+            )
+            .all() as { userId: string; orgId: string; roleId: number }[];
+
+        console.log(
+            `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
+        );
+
         db.transaction(() => {
+            db.prepare(
+                `
+                CREATE TABLE 'userOrgRoles' (
+                   	'userId' text NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'roleId' integer NOT NULL,
+                   	FOREIGN KEY ('userId') REFERENCES 'user'('id') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('roleId') REFERENCES 'roles'('roleId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+
+            db.prepare(
+                `CREATE UNIQUE INDEX 'userOrgRoles_userId_orgId_roleId_unique' ON 'userOrgRoles' ('userId','orgId','roleId');`
+            ).run();
+
+            db.prepare(
+                `
+                CREATE TABLE '__new_userOrgs' (
+                   	'userId' text NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'isOwner' integer DEFAULT false NOT NULL,
+                   	'autoProvisioned' integer DEFAULT false,
+                   	'pamUsername' text,
+                   	FOREIGN KEY ('userId') REFERENCES 'user'('id') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+
+            db.prepare(
+                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs';`
+            ).run();
+            db.prepare(`DROP TABLE 'userOrgs';`).run();
+            db.prepare(
+                `ALTER TABLE '__new_userOrgs' RENAME TO 'userOrgs';`
+            ).run();
         })();
 
         db.pragma("foreign_keys = ON");
 
+        // Re-insert the preserved role assignments into the new userOrgRoles table
+        if (existingUserOrgRoles.length > 0) {
+            const insertUserOrgRole = db.prepare(
+                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId") VALUES (?, ?, ?)`
+            );
+
+            const insertAll = db.transaction(() => {
+                for (const row of existingUserOrgRoles) {
+                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId);
+                }
+            });
+
+            insertAll();
+
+            console.log(
+                `Migrated ${existingUserOrgRoles.length} role assignment(s) into userOrgRoles`
+            );
+        }
+
         console.log(`Migrated database`);
     } catch (e) {
         console.log("Failed to migrate db:", e);
@@ -25,4 +93,4 @@ export default async function migration() {
     }
 
     console.log(`${version} migration complete`);
-}
+}
\ No newline at end of file

From bff2ba7cc2ad7706582abeb68eb90c74d53e5460 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sun, 29 Mar 2026 11:34:07 -0700
Subject: [PATCH 069/122] add learn more link

---
 .../(private)/idp/[idpId]/general/page.tsx    |   3 +-
 .../settings/(private)/idp/create/page.tsx    |   3 +-
 src/app/admin/idp/[idpId]/general/page.tsx    |   6 +-
 src/app/admin/idp/create/page.tsx             | 749 +++++++++---------
 src/components/AutoProvisionConfigWidget.tsx  |   9 +-
 .../IdpAutoProvisionUsersDescription.tsx      |  29 +
 src/components/IdpCreateWizard.tsx            |   4 +-
 7 files changed, 420 insertions(+), 383 deletions(-)
 create mode 100644 src/components/IdpAutoProvisionUsersDescription.tsx

diff --git a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
index 37cf400a5..37334e342 100644
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -45,6 +45,7 @@ import { useTranslations } from "next-intl";
 import { AxiosResponse } from "axios";
 import { ListRolesResponse } from "@server/routers/role";
 import AutoProvisionConfigWidget from "@app/components/AutoProvisionConfigWidget";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
@@ -493,7 +494,7 @@ export default function GeneralPage() {
                             {t("idpAutoProvisionUsers")}
                         </SettingsSectionTitle>
                         <SettingsSectionDescription>
-                            {t("idpAutoProvisionUsersDescription")}
+                            <IdpAutoProvisionUsersDescription />
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index c0fc30a8f..10d86b976 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -1,6 +1,7 @@
 "use client";
 
 import AutoProvisionConfigWidget from "@app/components/AutoProvisionConfigWidget";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import {
     SettingsContainer,
@@ -296,7 +297,7 @@ export default function Page() {
                             {t("idpAutoProvisionUsers")}
                         </SettingsSectionTitle>
                         <SettingsSectionDescription>
-                            {t("idpAutoProvisionUsersDescription")}
+                            <IdpAutoProvisionUsersDescription />
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
diff --git a/src/app/admin/idp/[idpId]/general/page.tsx b/src/app/admin/idp/[idpId]/general/page.tsx
index d02925976..c9506b027 100644
--- a/src/app/admin/idp/[idpId]/general/page.tsx
+++ b/src/app/admin/idp/[idpId]/general/page.tsx
@@ -31,6 +31,7 @@ import { formatAxiosError } from "@app/lib/api";
 import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useState, useEffect } from "react";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { SwitchInput } from "@app/components/SwitchInput";
 import {
     InfoSection,
@@ -349,7 +350,7 @@ export default function GeneralPage() {
                             {t("idpAutoProvisionUsers")}
                         </SettingsSectionTitle>
                         <SettingsSectionDescription>
-                            {t("idpAutoProvisionUsersDescription")}
+                            <IdpAutoProvisionUsersDescription />
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
@@ -375,9 +376,6 @@ export default function GeneralPage() {
                                     />
                                 </div>
                                 <div className="flex flex-col gap-2">
-                                    <span className="text-sm text-muted-foreground">
-                                        {t("idpAutoProvisionUsersDescription")}
-                                    </span>
                                     {form.watch("autoProvision") && (
                                         <FormDescription>
                                             {t.rich(
diff --git a/src/app/admin/idp/create/page.tsx b/src/app/admin/idp/create/page.tsx
index 5039d255c..82036c510 100644
--- a/src/app/admin/idp/create/page.tsx
+++ b/src/app/admin/idp/create/page.tsx
@@ -22,6 +22,7 @@ import {
     FormMessage
 } from "@app/components/ui/form";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
@@ -94,8 +95,7 @@ export default function Page() {
 
     const watchedType = form.watch("type");
     const templatesLocked =
-        !templatesPaid &&
-        (watchedType === "google" || watchedType === "azure");
+        !templatesPaid && (watchedType === "google" || watchedType === "azure");
 
     async function onSubmit(data: CreateIdpFormValues) {
         if (
@@ -223,7 +223,9 @@ export default function Page() {
                                         <div className="flex items-start mb-0">
                                             <SwitchInput
                                                 id="auto-provision-toggle"
-                                                label={t("idpAutoProvisionUsers")}
+                                                label={t(
+                                                    "idpAutoProvisionUsers"
+                                                )}
                                                 defaultChecked={form.getValues(
                                                     "autoProvision"
                                                 )}
@@ -235,11 +237,6 @@ export default function Page() {
                                                 }}
                                             />
                                         </div>
-                                        <span className="text-sm text-muted-foreground">
-                                            {t(
-                                                "idpAutoProvisionUsersDescription"
-                                            )}
-                                        </span>
                                     </form>
                                 </Form>
                             </SettingsSectionForm>
@@ -251,391 +248,409 @@ export default function Page() {
                     disabled={templatesLocked}
                     className="min-w-0 border-0 p-0 m-0 disabled:pointer-events-none disabled:opacity-60"
                 >
-                {watchedType === "google" && (
-                    <SettingsSection>
-                        <SettingsSectionHeader>
-                            <SettingsSectionTitle>
-                                {t("idpGoogleConfigurationTitle")}
-                            </SettingsSectionTitle>
-                            <SettingsSectionDescription>
-                                {t("idpGoogleConfigurationDescription")}
-                            </SettingsSectionDescription>
-                        </SettingsSectionHeader>
-                        <SettingsSectionBody>
-                            <SettingsSectionForm>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="clientId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientId")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpGoogleClientIdDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="clientSecret"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientSecret")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            type="password"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpGoogleClientSecretDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
-                            </SettingsSectionForm>
-                        </SettingsSectionBody>
-                    </SettingsSection>
-                )}
-
-                {watchedType === "azure" && (
-                    <SettingsSection>
-                        <SettingsSectionHeader>
-                            <SettingsSectionTitle>
-                                {t("idpAzureConfigurationTitle")}
-                            </SettingsSectionTitle>
-                            <SettingsSectionDescription>
-                                {t("idpAzureConfigurationDescription")}
-                            </SettingsSectionDescription>
-                        </SettingsSectionHeader>
-                        <SettingsSectionBody>
-                            <SettingsSectionForm>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="tenantId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpTenantIdLabel")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAzureTenantIdDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="clientId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientId")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAzureClientIdDescription2"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="clientSecret"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientSecret")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            type="password"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAzureClientSecretDescription2"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
-                            </SettingsSectionForm>
-                        </SettingsSectionBody>
-                    </SettingsSection>
-                )}
-
-                {watchedType === "oidc" && (
-                    <SettingsSectionGrid cols={2}>
+                    {watchedType === "google" && (
                         <SettingsSection>
                             <SettingsSectionHeader>
                                 <SettingsSectionTitle>
-                                    {t("idpOidcConfigure")}
+                                    {t("idpGoogleConfigurationTitle")}
                                 </SettingsSectionTitle>
                                 <SettingsSectionDescription>
-                                    {t("idpOidcConfigureDescription")}
+                                    {t("idpGoogleConfigurationDescription")}
                                 </SettingsSectionDescription>
                             </SettingsSectionHeader>
                             <SettingsSectionBody>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="clientId"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientId")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpClientIdDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
                                             )}
-                                        />
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpGoogleClientIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
 
-                                        <FormField
-                                            control={form.control}
-                                            name="clientSecret"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpClientSecret")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            type="password"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpClientSecretDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="authUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpAuthUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            placeholder="https://your-idp.com/oauth2/authorize"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpAuthUrlDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="tokenUrl"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpTokenUrl")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input
-                                                            placeholder="https://your-idp.com/oauth2/token"
-                                                            {...field}
-                                                        />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpTokenUrlDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpGoogleClientSecretDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
                             </SettingsSectionBody>
                         </SettingsSection>
+                    )}
 
+                    {watchedType === "azure" && (
                         <SettingsSection>
                             <SettingsSectionHeader>
                                 <SettingsSectionTitle>
-                                    {t("idpToken")}
+                                    {t("idpAzureConfigurationTitle")}
                                 </SettingsSectionTitle>
                                 <SettingsSectionDescription>
-                                    {t("idpTokenDescription")}
+                                    {t("idpAzureConfigurationDescription")}
                                 </SettingsSectionDescription>
                             </SettingsSectionHeader>
                             <SettingsSectionBody>
-                                <Form {...form}>
-                                    <form
-                                        className="space-y-4"
-                                        id="create-idp-form"
-                                        onSubmit={form.handleSubmit(onSubmit)}
-                                    >
-                                        <FormField
-                                            control={form.control}
-                                            name="identifierPath"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t("idpJmespathLabel")}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpJmespathLabelDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
+                                <SettingsSectionForm>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
                                             )}
-                                        />
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="tenantId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpTenantIdLabel"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAzureTenantIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
 
-                                        <FormField
-                                            control={form.control}
-                                            name="emailPath"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpJmespathEmailPathOptional"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpJmespathEmailPathOptionalDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAzureClientIdDescription2"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
 
-                                        <FormField
-                                            control={form.control}
-                                            name="namePath"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpJmespathNamePathOptional"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpJmespathNamePathOptionalDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-
-                                        <FormField
-                                            control={form.control}
-                                            name="scopes"
-                                            render={({ field }) => (
-                                                <FormItem>
-                                                    <FormLabel>
-                                                        {t(
-                                                            "idpOidcConfigureScopes"
-                                                        )}
-                                                    </FormLabel>
-                                                    <FormControl>
-                                                        <Input {...field} />
-                                                    </FormControl>
-                                                    <FormDescription>
-                                                        {t(
-                                                            "idpOidcConfigureScopesDescription"
-                                                        )}
-                                                    </FormDescription>
-                                                    <FormMessage />
-                                                </FormItem>
-                                            )}
-                                        />
-                                    </form>
-                                </Form>
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAzureClientSecretDescription2"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionForm>
                             </SettingsSectionBody>
                         </SettingsSection>
-                    </SettingsSectionGrid>
-                )}
+                    )}
+
+                    {watchedType === "oidc" && (
+                        <SettingsSectionGrid cols={2}>
+                            <SettingsSection>
+                                <SettingsSectionHeader>
+                                    <SettingsSectionTitle>
+                                        {t("idpOidcConfigure")}
+                                    </SettingsSectionTitle>
+                                    <SettingsSectionDescription>
+                                        {t("idpOidcConfigureDescription")}
+                                    </SettingsSectionDescription>
+                                </SettingsSectionHeader>
+                                <SettingsSectionBody>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="clientId"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpClientId")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientIdDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="clientSecret"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpClientSecret"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                type="password"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpClientSecretDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="authUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpAuthUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                placeholder="https://your-idp.com/oauth2/authorize"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpAuthUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="tokenUrl"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t("idpTokenUrl")}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input
+                                                                placeholder="https://your-idp.com/oauth2/token"
+                                                                {...field}
+                                                            />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpTokenUrlDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionBody>
+                            </SettingsSection>
+
+                            <SettingsSection>
+                                <SettingsSectionHeader>
+                                    <SettingsSectionTitle>
+                                        {t("idpToken")}
+                                    </SettingsSectionTitle>
+                                    <SettingsSectionDescription>
+                                        {t("idpTokenDescription")}
+                                    </SettingsSectionDescription>
+                                </SettingsSectionHeader>
+                                <SettingsSectionBody>
+                                    <Form {...form}>
+                                        <form
+                                            className="space-y-4"
+                                            id="create-idp-form"
+                                            onSubmit={form.handleSubmit(
+                                                onSubmit
+                                            )}
+                                        >
+                                            <FormField
+                                                control={form.control}
+                                                name="identifierPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathLabel"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathLabelDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="emailPath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathEmailPathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="namePath"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpJmespathNamePathOptional"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpJmespathNamePathOptionalDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <FormField
+                                                control={form.control}
+                                                name="scopes"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>
+                                                            {t(
+                                                                "idpOidcConfigureScopes"
+                                                            )}
+                                                        </FormLabel>
+                                                        <FormControl>
+                                                            <Input {...field} />
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            {t(
+                                                                "idpOidcConfigureScopesDescription"
+                                                            )}
+                                                        </FormDescription>
+                                                        <FormMessage />
+                                                    </FormItem>
+                                                )}
+                                            />
+                                        </form>
+                                    </Form>
+                                </SettingsSectionBody>
+                            </SettingsSection>
+                        </SettingsSectionGrid>
+                    )}
                 </fieldset>
             </SettingsContainer>
 
diff --git a/src/components/AutoProvisionConfigWidget.tsx b/src/components/AutoProvisionConfigWidget.tsx
index 59849989a..d4df3f50d 100644
--- a/src/components/AutoProvisionConfigWidget.tsx
+++ b/src/components/AutoProvisionConfigWidget.tsx
@@ -1,14 +1,12 @@
 "use client";
 
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { FormDescription } from "@app/components/ui/form";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { useTranslations } from "next-intl";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import {
-    MappingBuilderRule,
-    RoleMappingMode
-} from "@app/lib/idpRoleMapping";
+import { MappingBuilderRule, RoleMappingMode } from "@app/lib/idpRoleMapping";
 import RoleMappingConfigFields from "@app/components/RoleMappingConfigFields";
 
 type Role = {
@@ -60,9 +58,6 @@ export default function AutoProvisionConfigWidget({
                     onCheckedChange={onAutoProvisionChange}
                     disabled={!isPaidUser(tierMatrix.autoProvisioning)}
                 />
-                <FormDescription className="text-sm text-muted-foreground">
-                    {t("idpAutoProvisionUsersDescription")}
-                </FormDescription>
             </div>
 
             {autoProvision && (
diff --git a/src/components/IdpAutoProvisionUsersDescription.tsx b/src/components/IdpAutoProvisionUsersDescription.tsx
new file mode 100644
index 000000000..6839ff245
--- /dev/null
+++ b/src/components/IdpAutoProvisionUsersDescription.tsx
@@ -0,0 +1,29 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+
+const AUTO_PROVISION_DOCS_URL =
+    "https://docs.pangolin.net/manage/identity-providers/auto-provisioning";
+
+type IdpAutoProvisionUsersDescriptionProps = {
+    className?: string;
+};
+
+export default function IdpAutoProvisionUsersDescription({
+    className
+}: IdpAutoProvisionUsersDescriptionProps) {
+    const t = useTranslations();
+    return (
+        <span className={className}>
+            {t("idpAutoProvisionUsersDescription")}{" "}
+            <a
+                href={AUTO_PROVISION_DOCS_URL}
+                target="_blank"
+                rel="noopener noreferrer"
+                className="text-primary hover:underline"
+            >
+                {t("learnMore")}
+            </a>
+        </span>
+    );
+}
diff --git a/src/components/IdpCreateWizard.tsx b/src/components/IdpCreateWizard.tsx
index 3fe7e174f..cddad3287 100644
--- a/src/components/IdpCreateWizard.tsx
+++ b/src/components/IdpCreateWizard.tsx
@@ -27,6 +27,7 @@ import { Checkbox } from "@app/components/ui/checkbox";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { InfoIcon, ExternalLink } from "lucide-react";
 import { StrategySelect } from "@app/components/StrategySelect";
+import IdpAutoProvisionUsersDescription from "@app/components/IdpAutoProvisionUsersDescription";
 import { SwitchInput } from "@app/components/SwitchInput";
 import { Badge } from "@app/components/ui/badge";
 import { useTranslations } from "next-intl";
@@ -163,9 +164,6 @@ export function IdpCreateWizard({
                                         disabled={loading}
                                     />
                                 </div>
-                                <span className="text-sm text-muted-foreground">
-                                    {t("idpAutoProvisionUsersDescription")}
-                                </span>
                             </form>
                         </Form>
                     </SettingsSectionForm>

From 2828dee94c9fa6ed4f2df1867bc97a207558f037 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sun, 29 Mar 2026 12:11:22 -0700
Subject: [PATCH 070/122] support multi role on create user and invites

---
 server/db/pg/schema/schema.ts                 |  20 +-
 server/db/sqlite/schema/schema.ts             |  20 +-
 server/lib/userOrg.ts                         |  19 +-
 server/routers/idp/validateOidcCallback.ts    |  14 +-
 server/routers/user/acceptInvite.ts           |  43 ++-
 server/routers/user/createOrgUser.ts          |  94 ++++--
 server/routers/user/inviteUser.ts             |  83 +++--
 server/routers/user/listInvitations.ts        |  64 +++-
 .../settings/access/invitations/page.tsx      |  12 +-
 .../users/[userId]/access-controls/page.tsx   | 107 ++-----
 .../settings/access/users/create/page.tsx     | 288 ++++++++----------
 src/components/InvitationsTable.tsx           |  14 +-
 src/components/OrgRolesTagField.tsx           | 117 +++++++
 src/components/RegenerateInvitationForm.tsx   |  18 +-
 src/components/UserRoleBadges.tsx             |  69 +++++
 src/components/UsersTable.tsx                 |  63 +---
 16 files changed, 629 insertions(+), 416 deletions(-)
 create mode 100644 src/components/OrgRolesTagField.tsx
 create mode 100644 src/components/UserRoleBadges.tsx

diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index 0346495e3..2bd9624e7 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -6,6 +6,7 @@ import {
     index,
     integer,
     pgTable,
+    primaryKey,
     real,
     serial,
     text,
@@ -467,12 +468,22 @@ export const userInvites = pgTable("userInvites", {
         .references(() => orgs.orgId, { onDelete: "cascade" }),
     email: varchar("email").notNull(),
     expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
-    tokenHash: varchar("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: varchar("token").notNull()
 });
 
+export const userInviteRoles = pgTable(
+    "userInviteRoles",
+    {
+        inviteId: varchar("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = pgTable("resourcePincode", {
     pincodeId: serial("pincodeId").primaryKey(),
     resourceId: integer("resourceId")
@@ -1048,6 +1059,7 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index a4a0c6b8e..b43f3b4a6 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -3,6 +3,7 @@ import { InferSelectModel } from "drizzle-orm";
 import {
     index,
     integer,
+    primaryKey,
     sqliteTable,
     text,
     unique
@@ -804,12 +805,22 @@ export const userInvites = sqliteTable("userInvites", {
         .references(() => orgs.orgId, { onDelete: "cascade" }),
     email: text("email").notNull(),
     expiresAt: integer("expiresAt").notNull(),
-    tokenHash: text("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: text("token").notNull()
 });
 
+export const userInviteRoles = sqliteTable(
+    "userInviteRoles",
+    {
+        inviteId: text("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = sqliteTable("resourcePincode", {
     pincodeId: integer("pincodeId").primaryKey({
         autoIncrement: true
@@ -1152,6 +1163,7 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
diff --git a/server/lib/userOrg.ts b/server/lib/userOrg.ts
index fb0b88c2b..809266b73 100644
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -19,15 +19,22 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
     org: Org,
     values: typeof userOrgs.$inferInsert,
-    roleId: number,
+    roleIds: number[],
     trx: Transaction | typeof db = db
 ) {
+    const uniqueRoleIds = [...new Set(roleIds)];
+    if (uniqueRoleIds.length === 0) {
+        throw new Error("assignUserToOrg requires at least one roleId");
+    }
+
     const [userOrg] = await trx.insert(userOrgs).values(values).returning();
-    await trx.insert(userOrgRoles).values({
-        userId: userOrg.userId,
-        orgId: userOrg.orgId,
-        roleId
-    });
+    await trx.insert(userOrgRoles).values(
+        uniqueRoleIds.map((roleId) => ({
+            userId: userOrg.userId,
+            orgId: userOrg.orgId,
+            roleId
+        }))
+    );
 
     // calculate if the user is in any other of the orgs before we count it as an add to the billing org
     if (org.billingOrgId) {
diff --git a/server/routers/idp/validateOidcCallback.ts b/server/routers/idp/validateOidcCallback.ts
index 4de52f530..7c9e53cf2 100644
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -623,9 +623,7 @@ export async function validateOidcCallback(
 
                 if (orgsToAdd.length > 0) {
                     for (const org of orgsToAdd) {
-                        const [initialRoleId, ...additionalRoleIds] =
-                            org.roleIds;
-                        if (!initialRoleId) {
+                        if (org.roleIds.length === 0) {
                             continue;
                         }
 
@@ -641,17 +639,9 @@ export async function validateOidcCallback(
                                     userId: userId!,
                                     autoProvisioned: true,
                                 },
-                                initialRoleId,
+                                org.roleIds,
                                 trx
                             );
-
-                            for (const roleId of additionalRoleIds) {
-                                await trx.insert(userOrgRoles).values({
-                                    userId: userId!,
-                                    orgId: org.orgId,
-                                    roleId
-                                });
-                            }
                         }
                     }
                 }
diff --git a/server/routers/user/acceptInvite.ts b/server/routers/user/acceptInvite.ts
index 30d3be7b9..88010e580 100644
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, orgs, UserOrg } from "@server/db";
-import { roles, userInvites, userOrgs, users } from "@server/db";
-import { eq, and, inArray, ne } from "drizzle-orm";
+import { db, orgs } from "@server/db";
+import { roles, userInviteRoles, userInvites, userOrgs, users } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -141,17 +141,34 @@ export async function acceptInvite(
             );
         }
 
-        let roleId: number;
-        // get the role to make sure it exists
-        const existingRole = await db
+        const inviteRoleRows = await db
+            .select({ roleId: userInviteRoles.roleId })
+            .from(userInviteRoles)
+            .where(eq(userInviteRoles.inviteId, inviteId));
+
+        const inviteRoleIds = [
+            ...new Set(inviteRoleRows.map((r) => r.roleId))
+        ];
+        if (inviteRoleIds.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "This invitation has no roles. Please contact an admin."
+                )
+            );
+        }
+
+        const existingRoles = await db
             .select()
             .from(roles)
-            .where(eq(roles.roleId, existingInvite.roleId))
-            .limit(1);
-        if (existingRole.length) {
-            roleId = existingRole[0].roleId;
-        } else {
-            // TODO: use the default role on the org instead of failing
+            .where(
+                and(
+                    eq(roles.orgId, existingInvite.orgId),
+                    inArray(roles.roleId, inviteRoleIds)
+                )
+            );
+
+        if (existingRoles.length !== inviteRoleIds.length) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,
@@ -167,7 +184,7 @@ export async function acceptInvite(
                     userId: existingUser[0].userId,
                     orgId: existingInvite.orgId
                 },
-                existingInvite.roleId,
+                inviteRoleIds,
                 trx
             );
 
diff --git a/server/routers/user/createOrgUser.ts b/server/routers/user/createOrgUser.ts
index 237b7111e..ddc37d3a2 100644
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -6,8 +6,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { db, orgs, UserOrg } from "@server/db";
-import { and, eq, inArray, ne } from "drizzle-orm";
+import { db, orgs } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import { idp, idpOidcConfig, roles, userOrgs, users } from "@server/db";
 import { generateId } from "@server/auth/sessions/app";
 import { usageService } from "@server/lib/billing/usageService";
@@ -15,21 +15,43 @@ import { FeatureId } from "@server/lib/billing";
 import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 import { assignUserToOrg } from "@server/lib/userOrg";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
 });
 
-const bodySchema = z.strictObject({
-    email: z.string().email().toLowerCase().optional(),
-    username: z.string().nonempty().toLowerCase(),
-    name: z.string().optional(),
-    type: z.enum(["internal", "oidc"]).optional(),
-    idpId: z.number().optional(),
-    roleId: z.number()
-});
+const bodySchema = z
+    .strictObject({
+        email: z.string().email().toLowerCase().optional(),
+        username: z.string().nonempty().toLowerCase(),
+        name: z.string().optional(),
+        type: z.enum(["internal", "oidc"]).optional(),
+        idpId: z.number().optional(),
+        roleIds: z.array(z.number().int().positive()).min(1).optional(),
+        roleId: z.number().int().positive().optional()
+    })
+    .refine(
+        (d) =>
+            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        { message: "roleIds or roleId is required", path: ["roleIds"] }
+    )
+    .transform((data) => ({
+        email: data.email,
+        username: data.username,
+        name: data.name,
+        type: data.type,
+        idpId: data.idpId,
+        roleIds: [
+            ...new Set(
+                data.roleIds && data.roleIds.length > 0
+                    ? data.roleIds
+                    : [data.roleId!]
+            )
+        ]
+    }));
 
 export type CreateOrgUserResponse = {};
 
@@ -78,7 +100,8 @@ export async function createOrgUser(
         }
 
         const { orgId } = parsedParams.data;
-        const { username, email, name, type, idpId, roleId } = parsedBody.data;
+        const { username, email, name, type, idpId, roleIds: uniqueRoleIds } =
+            parsedBody.data;
 
         if (build == "saas") {
             const usage = await usageService.getUsage(orgId, FeatureId.USERS);
@@ -109,17 +132,6 @@ export async function createOrgUser(
             }
         }
 
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, roleId));
-
-        if (!role) {
-            return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Role ID not found")
-            );
-        }
-
         if (type === "internal") {
             return next(
                 createHttpError(
@@ -152,6 +164,38 @@ export async function createOrgUser(
                 );
             }
 
+            const supportsMultiRole = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix[TierFeature.FullRbac]
+            );
+            if (!supportsMultiRole && uniqueRoleIds.length > 1) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Multiple roles per user require a subscription or license that includes full RBAC."
+                    )
+                );
+            }
+
+            const orgRoles = await db
+                .select({ roleId: roles.roleId })
+                .from(roles)
+                .where(
+                    and(
+                        eq(roles.orgId, orgId),
+                        inArray(roles.roleId, uniqueRoleIds)
+                    )
+                );
+
+            if (orgRoles.length !== uniqueRoleIds.length) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid role ID or role does not belong to this organization"
+                    )
+                );
+            }
+
             const [org] = await db
                 .select()
                 .from(orgs)
@@ -228,7 +272,7 @@ export async function createOrgUser(
                             userId: existingUser.userId,
                             autoProvisioned: false,
                         },
-                        role.roleId,
+                        uniqueRoleIds,
                         trx
                     );
                 } else {
@@ -255,7 +299,7 @@ export async function createOrgUser(
                                 userId: newUser.userId,
                                 autoProvisioned: false,
                             },
-                            role.roleId,
+                            uniqueRoleIds,
                             trx
                         );
                 }
diff --git a/server/routers/user/inviteUser.ts b/server/routers/user/inviteUser.ts
index b0632da9e..7ac1849b9 100644
--- a/server/routers/user/inviteUser.ts
+++ b/server/routers/user/inviteUser.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { orgs, roles, userInvites, userOrgs, users } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { orgs, roles, userInviteRoles, userInvites, userOrgs, users } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -18,22 +18,44 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { UserType } from "@server/types/UserTypes";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 import { build } from "@server/build";
 import cache from "#dynamic/lib/cache";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 
 const inviteUserParamsSchema = z.strictObject({
     orgId: z.string()
 });
 
-const inviteUserBodySchema = z.strictObject({
-    email: z.email().toLowerCase(),
-    roleId: z.number(),
-    validHours: z.number().gt(0).lte(168),
-    sendEmail: z.boolean().optional(),
-    regenerate: z.boolean().optional()
-});
+const inviteUserBodySchema = z
+    .strictObject({
+        email: z.email().toLowerCase(),
+        roleIds: z.array(z.number().int().positive()).min(1).optional(),
+        roleId: z.number().int().positive().optional(),
+        validHours: z.number().gt(0).lte(168),
+        sendEmail: z.boolean().optional(),
+        regenerate: z.boolean().optional()
+    })
+    .refine(
+        (d) =>
+            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        { message: "roleIds or roleId is required", path: ["roleIds"] }
+    )
+    .transform((data) => ({
+        email: data.email,
+        validHours: data.validHours,
+        sendEmail: data.sendEmail,
+        regenerate: data.regenerate,
+        roleIds: [
+            ...new Set(
+                data.roleIds && data.roleIds.length > 0
+                    ? data.roleIds
+                    : [data.roleId!]
+            )
+        ]
+    }));
 
-export type InviteUserBody = z.infer<typeof inviteUserBodySchema>;
+export type InviteUserBody = z.input<typeof inviteUserBodySchema>;
 
 export type InviteUserResponse = {
     inviteLink: string;
@@ -88,7 +110,7 @@ export async function inviteUser(
         const {
             email,
             validHours,
-            roleId,
+            roleIds: uniqueRoleIds,
             sendEmail: doEmail,
             regenerate
         } = parsedBody.data;
@@ -105,14 +127,30 @@ export async function inviteUser(
             );
         }
 
-        // Validate that the roleId belongs to the target organization
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, orgId)))
-            .limit(1);
+        const supportsMultiRole = await isLicensedOrSubscribed(
+            orgId,
+            tierMatrix[TierFeature.FullRbac]
+        );
+        if (!supportsMultiRole && uniqueRoleIds.length > 1) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Multiple roles per user require a subscription or license that includes full RBAC."
+                )
+            );
+        }
 
-        if (!role) {
+        const orgRoles = await db
+            .select({ roleId: roles.roleId })
+            .from(roles)
+            .where(
+                and(
+                    eq(roles.orgId, orgId),
+                    inArray(roles.roleId, uniqueRoleIds)
+                )
+            );
+
+        if (orgRoles.length !== uniqueRoleIds.length) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,
@@ -191,7 +229,8 @@ export async function inviteUser(
         }
 
         if (existingInvite.length) {
-            const attempts = (await cache.get<number>(email)) || 0;
+            const attempts =
+                (await cache.get<number>("regenerateInvite:" + email)) || 0;
             if (attempts >= 3) {
                 return next(
                     createHttpError(
@@ -273,9 +312,11 @@ export async function inviteUser(
                 orgId,
                 email,
                 expiresAt,
-                tokenHash,
-                roleId
+                tokenHash
             });
+            await trx.insert(userInviteRoles).values(
+                uniqueRoleIds.map((roleId) => ({ inviteId, roleId }))
+            );
         });
 
         const inviteLink = `${config.getRawConfig().app.dashboard_url}/invite?token=${inviteId}-${token}&email=${encodeURIComponent(email)}`;
diff --git a/server/routers/user/listInvitations.ts b/server/routers/user/listInvitations.ts
index 2733c8395..1f4bcc02c 100644
--- a/server/routers/user/listInvitations.ts
+++ b/server/routers/user/listInvitations.ts
@@ -1,11 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userInvites, roles } from "@server/db";
+import { userInvites, userInviteRoles, roles } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { sql } from "drizzle-orm";
+import { sql, eq, and, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -29,24 +29,66 @@ const listInvitationsQuerySchema = z.strictObject({
         .pipe(z.int().nonnegative())
 });
 
-async function queryInvitations(orgId: string, limit: number, offset: number) {
-    return await db
+export type InvitationListRow = {
+    inviteId: string;
+    email: string;
+    expiresAt: number;
+    roles: { roleId: number; roleName: string | null }[];
+};
+
+async function queryInvitations(
+    orgId: string,
+    limit: number,
+    offset: number
+): Promise<InvitationListRow[]> {
+    const inviteRows = await db
         .select({
             inviteId: userInvites.inviteId,
             email: userInvites.email,
-            expiresAt: userInvites.expiresAt,
-            roleId: userInvites.roleId,
-            roleName: roles.name
+            expiresAt: userInvites.expiresAt
         })
         .from(userInvites)
-        .leftJoin(roles, sql`${userInvites.roleId} = ${roles.roleId}`)
-        .where(sql`${userInvites.orgId} = ${orgId}`)
+        .where(eq(userInvites.orgId, orgId))
         .limit(limit)
         .offset(offset);
+
+    if (inviteRows.length === 0) {
+        return [];
+    }
+
+    const inviteIds = inviteRows.map((r) => r.inviteId);
+    const roleRows = await db
+        .select({
+            inviteId: userInviteRoles.inviteId,
+            roleId: userInviteRoles.roleId,
+            roleName: roles.name
+        })
+        .from(userInviteRoles)
+        .innerJoin(roles, eq(userInviteRoles.roleId, roles.roleId))
+        .where(
+            and(eq(roles.orgId, orgId), inArray(userInviteRoles.inviteId, inviteIds))
+        );
+
+    const rolesByInvite = new Map<
+        string,
+        { roleId: number; roleName: string | null }[]
+    >();
+    for (const row of roleRows) {
+        const list = rolesByInvite.get(row.inviteId) ?? [];
+        list.push({ roleId: row.roleId, roleName: row.roleName });
+        rolesByInvite.set(row.inviteId, list);
+    }
+
+    return inviteRows.map((inv) => ({
+        inviteId: inv.inviteId,
+        email: inv.email,
+        expiresAt: inv.expiresAt,
+        roles: rolesByInvite.get(inv.inviteId) ?? []
+    }));
 }
 
 export type ListInvitationsResponse = {
-    invitations: NonNullable<Awaited<ReturnType<typeof queryInvitations>>>;
+    invitations: InvitationListRow[];
     pagination: { total: number; limit: number; offset: number };
 };
 
@@ -95,7 +137,7 @@ export async function listInvitations(
         const [{ count }] = await db
             .select({ count: sql<number>`count(*)` })
             .from(userInvites)
-            .where(sql`${userInvites.orgId} = ${orgId}`);
+            .where(eq(userInvites.orgId, orgId));
 
         return response<ListInvitationsResponse>(res, {
             data: {
diff --git a/src/app/[orgId]/settings/access/invitations/page.tsx b/src/app/[orgId]/settings/access/invitations/page.tsx
index b6ee14484..00cb0ffc8 100644
--- a/src/app/[orgId]/settings/access/invitations/page.tsx
+++ b/src/app/[orgId]/settings/access/invitations/page.tsx
@@ -29,9 +29,8 @@ export default async function InvitationsPage(props: InvitationsPageProps) {
     let invitations: {
         inviteId: string;
         email: string;
-        expiresAt: string;
-        roleId: number;
-        roleName?: string;
+        expiresAt: number;
+        roles: { roleId: number; roleName: string | null }[];
     }[] = [];
     let hasInvitations = false;
 
@@ -66,12 +65,15 @@ export default async function InvitationsPage(props: InvitationsPageProps) {
     }
 
     const invitationRows: InvitationRow[] = invitations.map((invite) => {
+        const names = invite.roles
+            .map((r) => r.roleName || t("accessRoleUnknown"))
+            .filter(Boolean);
         return {
             id: invite.inviteId,
             email: invite.email,
             expiresAt: new Date(Number(invite.expiresAt)).toISOString(),
-            role: invite.roleName || t("accessRoleUnknown"),
-            roleId: invite.roleId
+            roleLabels: names,
+            roleIds: invite.roles.map((r) => r.roleId)
         };
     });
 
diff --git a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
index 16ae0b3a5..9ab9e93fa 100644
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -3,18 +3,17 @@
 import {
     Form,
     FormControl,
-    FormDescription,
     FormField,
     FormItem,
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
 import { Checkbox } from "@app/components/ui/checkbox";
-import { Tag, TagInput } from "@app/components/tags/tag-input";
+import OrgRolesTagField from "@app/components/OrgRolesTagField";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { AxiosResponse } from "axios";
-import { useEffect, useMemo, useState } from "react";
+import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
 import { ListRolesResponse } from "@server/routers/role";
@@ -67,8 +66,7 @@ export default function AccessControlsPage() {
     );
 
     const t = useTranslations();
-    const { isPaidUser, hasSaasSubscription, hasEnterpriseLicense } =
-        usePaidStatus();
+    const { isPaidUser } = usePaidStatus();
     const isPaid = isPaidUser(tierMatrix.fullRbac);
     const supportsMultipleRolesPerUser = isPaid;
     const showMultiRolePaywallMessage =
@@ -131,40 +129,10 @@ export default function AccessControlsPage() {
         text: role.name
     }));
 
-    function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
-        const prev = form.getValues("roles");
-        const nextValue =
-            typeof updater === "function" ? updater(prev) : updater;
-        const next = supportsMultipleRolesPerUser
-            ? nextValue
-            : nextValue.length > 1
-              ? [nextValue[nextValue.length - 1]]
-              : nextValue;
-
-        // In single-role mode, selecting the currently selected role can transiently
-        // emit an empty tag list from TagInput; keep the prior selection.
-        if (
-            !supportsMultipleRolesPerUser &&
-            next.length === 0 &&
-            prev.length > 0
-        ) {
-            form.setValue("roles", [prev[prev.length - 1]], {
-                shouldDirty: true
-            });
-            return;
-        }
-
-        if (next.length === 0) {
-            toast({
-                variant: "destructive",
-                title: t("accessRoleErrorAdd"),
-                description: t("accessRoleSelectPlease")
-            });
-            return;
-        }
-
-        form.setValue("roles", next, { shouldDirty: true });
-    }
+    const paywallMessage =
+        build === "saas"
+            ? t("singleRolePerUserPlanNotice")
+            : t("singleRolePerUserEditionNotice");
 
     async function onSubmit(values: z.infer<typeof accessControlsFormSchema>) {
         if (values.roles.length === 0) {
@@ -255,53 +223,22 @@ export default function AccessControlsPage() {
                                         </div>
                                     )}
 
-                                <FormField
-                                    control={form.control}
+                                <OrgRolesTagField
+                                    form={form}
                                     name="roles"
-                                    render={({ field }) => (
-                                        <FormItem className="flex flex-col items-start">
-                                            <FormLabel>{t("roles")}</FormLabel>
-                                            <FormControl>
-                                                <TagInput
-                                                    {...field}
-                                                    activeTagIndex={
-                                                        activeRoleTagIndex
-                                                    }
-                                                    setActiveTagIndex={
-                                                        setActiveRoleTagIndex
-                                                    }
-                                                    placeholder={t(
-                                                        "accessRoleSelect2"
-                                                    )}
-                                                    size="sm"
-                                                    tags={field.value}
-                                                    setTags={setRoleTags}
-                                                    enableAutocomplete={true}
-                                                    autocompleteOptions={
-                                                        allRoleOptions
-                                                    }
-                                                    allowDuplicates={false}
-                                                    restrictTagsToAutocompleteOptions={
-                                                        true
-                                                    }
-                                                    sortTags={true}
-                                                    disabled={loading}
-                                                />
-                                            </FormControl>
-                                            {showMultiRolePaywallMessage && (
-                                                <FormDescription>
-                                                    {build === "saas"
-                                                        ? t(
-                                                              "singleRolePerUserPlanNotice"
-                                                          )
-                                                        : t(
-                                                              "singleRolePerUserEditionNotice"
-                                                          )}
-                                                </FormDescription>
-                                            )}
-                                            <FormMessage />
-                                        </FormItem>
-                                    )}
+                                    label={t("roles")}
+                                    placeholder={t("accessRoleSelect2")}
+                                    allRoleOptions={allRoleOptions}
+                                    supportsMultipleRolesPerUser={
+                                        supportsMultipleRolesPerUser
+                                    }
+                                    showMultiRolePaywallMessage={
+                                        showMultiRolePaywallMessage
+                                    }
+                                    paywallMessage={paywallMessage}
+                                    loading={loading}
+                                    activeTagIndex={activeRoleTagIndex}
+                                    setActiveTagIndex={setActiveRoleTagIndex}
                                 />
 
                                 {user.idpAutoProvision && (
diff --git a/src/app/[orgId]/settings/access/users/create/page.tsx b/src/app/[orgId]/settings/access/users/create/page.tsx
index 08737f5e2..0263d2b72 100644
--- a/src/app/[orgId]/settings/access/users/create/page.tsx
+++ b/src/app/[orgId]/settings/access/users/create/page.tsx
@@ -32,7 +32,7 @@ import {
 } from "@app/components/ui/select";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { InviteUserBody, InviteUserResponse } from "@server/routers/user";
+import { InviteUserResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
 import { useEffect } from "react";
 import { useForm } from "react-hook-form";
@@ -49,6 +49,7 @@ import { build } from "@server/build";
 import Image from "next/image";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import OrgRolesTagField from "@app/components/OrgRolesTagField";
 
 type UserType = "internal" | "oidc";
 
@@ -76,7 +77,14 @@ export default function Page() {
     const api = createApiClient({ env });
     const t = useTranslations();
 
-    const { hasSaasSubscription } = usePaidStatus();
+    const { hasSaasSubscription, isPaidUser } = usePaidStatus();
+    const isPaid = isPaidUser(tierMatrix.fullRbac);
+    const supportsMultipleRolesPerUser = isPaid;
+    const showMultiRolePaywallMessage =
+        !env.flags.disableEnterpriseFeatures &&
+        ((build === "saas" && !isPaid) ||
+            (build === "enterprise" && !isPaid) ||
+            (build === "oss" && !isPaid));
 
     const [selectedOption, setSelectedOption] = useState<string | null>(
         "internal"
@@ -89,19 +97,34 @@ export default function Page() {
     const [sendEmail, setSendEmail] = useState(env.email.emailEnabled);
     const [userOptions, setUserOptions] = useState<UserOption[]>([]);
     const [dataLoaded, setDataLoaded] = useState(false);
+    const [activeInviteRoleTagIndex, setActiveInviteRoleTagIndex] = useState<
+        number | null
+    >(null);
+    const [activeOidcRoleTagIndex, setActiveOidcRoleTagIndex] = useState<
+        number | null
+    >(null);
+
+    const roleTagsFieldSchema = z
+        .array(
+            z.object({
+                id: z.string(),
+                text: z.string()
+            })
+        )
+        .min(1, { message: t("accessRoleSelectPlease") });
 
     const internalFormSchema = z.object({
         email: z.email({ message: t("emailInvalid") }),
         validForHours: z
             .string()
             .min(1, { message: t("inviteValidityDuration") }),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") })
+        roles: roleTagsFieldSchema
     });
 
     const googleAzureFormSchema = z.object({
         email: z.email({ message: t("emailInvalid") }),
         name: z.string().optional(),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") })
+        roles: roleTagsFieldSchema
     });
 
     const genericOidcFormSchema = z.object({
@@ -111,7 +134,7 @@ export default function Page() {
             .optional()
             .or(z.literal("")),
         name: z.string().optional(),
-        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") })
+        roles: roleTagsFieldSchema
     });
 
     const formatIdpType = (type: string) => {
@@ -166,12 +189,22 @@ export default function Page() {
         { hours: 168, name: t("day", { count: 7 }) }
     ];
 
+    const allRoleOptions = roles.map((role) => ({
+        id: role.roleId.toString(),
+        text: role.name
+    }));
+
+    const invitePaywallMessage =
+        build === "saas"
+            ? t("singleRolePerUserPlanNotice")
+            : t("singleRolePerUserEditionNotice");
+
     const internalForm = useForm({
         resolver: zodResolver(internalFormSchema),
         defaultValues: {
             email: "",
             validForHours: "72",
-            roleId: ""
+            roles: [] as { id: string; text: string }[]
         }
     });
 
@@ -180,7 +213,7 @@ export default function Page() {
         defaultValues: {
             email: "",
             name: "",
-            roleId: ""
+            roles: [] as { id: string; text: string }[]
         }
     });
 
@@ -190,7 +223,7 @@ export default function Page() {
             username: "",
             email: "",
             name: "",
-            roleId: ""
+            roles: [] as { id: string; text: string }[]
         }
     });
 
@@ -305,16 +338,17 @@ export default function Page() {
     ) {
         setLoading(true);
 
-        const res = await api
-            .post<AxiosResponse<InviteUserResponse>>(
-                `/org/${orgId}/create-invite`,
-                {
-                    email: values.email,
-                    roleId: parseInt(values.roleId),
-                    validHours: parseInt(values.validForHours),
-                    sendEmail: sendEmail
-                } as InviteUserBody
-            )
+        const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
+        const res = await api.post<AxiosResponse<InviteUserResponse>>(
+            `/org/${orgId}/create-invite`,
+            {
+                email: values.email,
+                roleIds,
+                validHours: parseInt(values.validForHours),
+                sendEmail
+            }
+        )
             .catch((e) => {
                 if (e.response?.status === 409) {
                     toast({
@@ -358,6 +392,8 @@ export default function Page() {
 
         setLoading(true);
 
+        const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
         const res = await api
             .put(`/org/${orgId}/user`, {
                 username: values.email, // Use email as username for Google/Azure
@@ -365,7 +401,7 @@ export default function Page() {
                 name: values.name,
                 type: "oidc",
                 idpId: selectedUserOption.idpId,
-                roleId: parseInt(values.roleId)
+                roleIds
             })
             .catch((e) => {
                 toast({
@@ -400,6 +436,8 @@ export default function Page() {
 
         setLoading(true);
 
+        const roleIds = values.roles.map((r) => parseInt(r.id, 10));
+
         const res = await api
             .put(`/org/${orgId}/user`, {
                 username: values.username,
@@ -407,7 +445,7 @@ export default function Page() {
                 name: values.name,
                 type: "oidc",
                 idpId: selectedUserOption.idpId,
-                roleId: parseInt(values.roleId)
+                roleIds
             })
             .catch((e) => {
                 toast({
@@ -575,52 +613,32 @@ export default function Page() {
                                                         )}
                                                     />
 
-                                                    <FormField
-                                                        control={
-                                                            internalForm.control
-                                                        }
-                                                        name="roleId"
-                                                        render={({ field }) => (
-                                                            <FormItem>
-                                                                <FormLabel>
-                                                                    {t("role")}
-                                                                </FormLabel>
-                                                                <Select
-                                                                    onValueChange={
-                                                                        field.onChange
-                                                                    }
-                                                                >
-                                                                    <FormControl>
-                                                                        <SelectTrigger className="w-full">
-                                                                            <SelectValue
-                                                                                placeholder={t(
-                                                                                    "accessRoleSelect"
-                                                                                )}
-                                                                            />
-                                                                        </SelectTrigger>
-                                                                    </FormControl>
-                                                                    <SelectContent>
-                                                                        {roles.map(
-                                                                            (
-                                                                                role
-                                                                            ) => (
-                                                                                <SelectItem
-                                                                                    key={
-                                                                                        role.roleId
-                                                                                    }
-                                                                                    value={role.roleId.toString()}
-                                                                                >
-                                                                                    {
-                                                                                        role.name
-                                                                                    }
-                                                                                </SelectItem>
-                                                                            )
-                                                                        )}
-                                                                    </SelectContent>
-                                                                </Select>
-                                                                <FormMessage />
-                                                            </FormItem>
+                                                    <OrgRolesTagField
+                                                        form={internalForm}
+                                                        name="roles"
+                                                        label={t("roles")}
+                                                        placeholder={t(
+                                                            "accessRoleSelect2"
                                                         )}
+                                                        allRoleOptions={
+                                                            allRoleOptions
+                                                        }
+                                                        supportsMultipleRolesPerUser={
+                                                            supportsMultipleRolesPerUser
+                                                        }
+                                                        showMultiRolePaywallMessage={
+                                                            showMultiRolePaywallMessage
+                                                        }
+                                                        paywallMessage={
+                                                            invitePaywallMessage
+                                                        }
+                                                        loading={loading}
+                                                        activeTagIndex={
+                                                            activeInviteRoleTagIndex
+                                                        }
+                                                        setActiveTagIndex={
+                                                            setActiveInviteRoleTagIndex
+                                                        }
                                                     />
 
                                                     {env.email.emailEnabled && (
@@ -764,52 +782,32 @@ export default function Page() {
                                                         )}
                                                     />
 
-                                                    <FormField
-                                                        control={
-                                                            googleAzureForm.control
-                                                        }
-                                                        name="roleId"
-                                                        render={({ field }) => (
-                                                            <FormItem>
-                                                                <FormLabel>
-                                                                    {t("role")}
-                                                                </FormLabel>
-                                                                <Select
-                                                                    onValueChange={
-                                                                        field.onChange
-                                                                    }
-                                                                >
-                                                                    <FormControl>
-                                                                        <SelectTrigger className="w-full">
-                                                                            <SelectValue
-                                                                                placeholder={t(
-                                                                                    "accessRoleSelect"
-                                                                                )}
-                                                                            />
-                                                                        </SelectTrigger>
-                                                                    </FormControl>
-                                                                    <SelectContent>
-                                                                        {roles.map(
-                                                                            (
-                                                                                role
-                                                                            ) => (
-                                                                                <SelectItem
-                                                                                    key={
-                                                                                        role.roleId
-                                                                                    }
-                                                                                    value={role.roleId.toString()}
-                                                                                >
-                                                                                    {
-                                                                                        role.name
-                                                                                    }
-                                                                                </SelectItem>
-                                                                            )
-                                                                        )}
-                                                                    </SelectContent>
-                                                                </Select>
-                                                                <FormMessage />
-                                                            </FormItem>
+                                                    <OrgRolesTagField
+                                                        form={googleAzureForm}
+                                                        name="roles"
+                                                        label={t("roles")}
+                                                        placeholder={t(
+                                                            "accessRoleSelect2"
                                                         )}
+                                                        allRoleOptions={
+                                                            allRoleOptions
+                                                        }
+                                                        supportsMultipleRolesPerUser={
+                                                            supportsMultipleRolesPerUser
+                                                        }
+                                                        showMultiRolePaywallMessage={
+                                                            showMultiRolePaywallMessage
+                                                        }
+                                                        paywallMessage={
+                                                            invitePaywallMessage
+                                                        }
+                                                        loading={loading}
+                                                        activeTagIndex={
+                                                            activeOidcRoleTagIndex
+                                                        }
+                                                        setActiveTagIndex={
+                                                            setActiveOidcRoleTagIndex
+                                                        }
                                                     />
                                                 </form>
                                             </Form>
@@ -909,52 +907,32 @@ export default function Page() {
                                                         )}
                                                     />
 
-                                                    <FormField
-                                                        control={
-                                                            genericOidcForm.control
-                                                        }
-                                                        name="roleId"
-                                                        render={({ field }) => (
-                                                            <FormItem>
-                                                                <FormLabel>
-                                                                    {t("role")}
-                                                                </FormLabel>
-                                                                <Select
-                                                                    onValueChange={
-                                                                        field.onChange
-                                                                    }
-                                                                >
-                                                                    <FormControl>
-                                                                        <SelectTrigger className="w-full">
-                                                                            <SelectValue
-                                                                                placeholder={t(
-                                                                                    "accessRoleSelect"
-                                                                                )}
-                                                                            />
-                                                                        </SelectTrigger>
-                                                                    </FormControl>
-                                                                    <SelectContent>
-                                                                        {roles.map(
-                                                                            (
-                                                                                role
-                                                                            ) => (
-                                                                                <SelectItem
-                                                                                    key={
-                                                                                        role.roleId
-                                                                                    }
-                                                                                    value={role.roleId.toString()}
-                                                                                >
-                                                                                    {
-                                                                                        role.name
-                                                                                    }
-                                                                                </SelectItem>
-                                                                            )
-                                                                        )}
-                                                                    </SelectContent>
-                                                                </Select>
-                                                                <FormMessage />
-                                                            </FormItem>
+                                                    <OrgRolesTagField
+                                                        form={genericOidcForm}
+                                                        name="roles"
+                                                        label={t("roles")}
+                                                        placeholder={t(
+                                                            "accessRoleSelect2"
                                                         )}
+                                                        allRoleOptions={
+                                                            allRoleOptions
+                                                        }
+                                                        supportsMultipleRolesPerUser={
+                                                            supportsMultipleRolesPerUser
+                                                        }
+                                                        showMultiRolePaywallMessage={
+                                                            showMultiRolePaywallMessage
+                                                        }
+                                                        paywallMessage={
+                                                            invitePaywallMessage
+                                                        }
+                                                        loading={loading}
+                                                        activeTagIndex={
+                                                            activeOidcRoleTagIndex
+                                                        }
+                                                        setActiveTagIndex={
+                                                            setActiveOidcRoleTagIndex
+                                                        }
                                                     />
                                                 </form>
                                             </Form>
diff --git a/src/components/InvitationsTable.tsx b/src/components/InvitationsTable.tsx
index 0d2d3e9b6..4fec9e5fc 100644
--- a/src/components/InvitationsTable.tsx
+++ b/src/components/InvitationsTable.tsx
@@ -1,6 +1,5 @@
 "use client";
 
-import { ColumnDef } from "@tanstack/react-table";
 import { ExtendedColumnDef } from "@app/components/ui/data-table";
 import {
     DropdownMenu,
@@ -21,13 +20,14 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import moment from "moment";
 import { useRouter } from "next/navigation";
+import UserRoleBadges from "@app/components/UserRoleBadges";
 
 export type InvitationRow = {
     id: string;
     email: string;
     expiresAt: string;
-    role: string;
-    roleId: number;
+    roleLabels: string[];
+    roleIds: number[];
 };
 
 type InvitationsTableProps = {
@@ -90,9 +90,13 @@ export default function InvitationsTable({
             }
         },
         {
-            accessorKey: "role",
+            id: "roles",
+            accessorFn: (row) => row.roleLabels.join(", "),
             friendlyName: t("role"),
-            header: () => <span className="p-3">{t("role")}</span>
+            header: () => <span className="p-3">{t("role")}</span>,
+            cell: ({ row }) => (
+                <UserRoleBadges roleLabels={row.original.roleLabels} />
+            )
         },
         {
             id: "dots",
diff --git a/src/components/OrgRolesTagField.tsx b/src/components/OrgRolesTagField.tsx
new file mode 100644
index 000000000..dcd679663
--- /dev/null
+++ b/src/components/OrgRolesTagField.tsx
@@ -0,0 +1,117 @@
+"use client";
+
+import {
+    FormControl,
+    FormDescription,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import { toast } from "@app/hooks/useToast";
+import { useTranslations } from "next-intl";
+import type { Dispatch, SetStateAction } from "react";
+import type { FieldValues, Path, UseFormReturn } from "react-hook-form";
+
+export type RoleTag = {
+    id: string;
+    text: string;
+};
+
+type OrgRolesTagFieldProps<TFieldValues extends FieldValues> = {
+    form: Pick<UseFormReturn<TFieldValues>, "control" | "getValues" | "setValue">;
+    /** Field in the form that holds Tag[] (role tags). Default: `"roles"`. */
+    name?: Path<TFieldValues>;
+    label: string;
+    placeholder: string;
+    allRoleOptions: Tag[];
+    supportsMultipleRolesPerUser: boolean;
+    showMultiRolePaywallMessage: boolean;
+    paywallMessage: string;
+    loading?: boolean;
+    activeTagIndex: number | null;
+    setActiveTagIndex: Dispatch<SetStateAction<number | null>>;
+};
+
+export default function OrgRolesTagField<TFieldValues extends FieldValues>({
+    form,
+    name = "roles" as Path<TFieldValues>,
+    label,
+    placeholder,
+    allRoleOptions,
+    supportsMultipleRolesPerUser,
+    showMultiRolePaywallMessage,
+    paywallMessage,
+    loading = false,
+    activeTagIndex,
+    setActiveTagIndex
+}: OrgRolesTagFieldProps<TFieldValues>) {
+    const t = useTranslations();
+
+    function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
+        const prev = form.getValues(name) as Tag[];
+        const nextValue =
+            typeof updater === "function" ? updater(prev) : updater;
+        const next = supportsMultipleRolesPerUser
+            ? nextValue
+            : nextValue.length > 1
+              ? [nextValue[nextValue.length - 1]]
+              : nextValue;
+
+        if (
+            !supportsMultipleRolesPerUser &&
+            next.length === 0 &&
+            prev.length > 0
+        ) {
+            form.setValue(name, [prev[prev.length - 1]] as never, {
+                shouldDirty: true
+            });
+            return;
+        }
+
+        if (next.length === 0) {
+            toast({
+                variant: "destructive",
+                title: t("accessRoleErrorAdd"),
+                description: t("accessRoleSelectPlease")
+            });
+            return;
+        }
+
+        form.setValue(name, next as never, { shouldDirty: true });
+    }
+
+    return (
+        <FormField
+            control={form.control}
+            name={name}
+            render={({ field }) => (
+                <FormItem className="flex flex-col items-start">
+                    <FormLabel>{label}</FormLabel>
+                    <FormControl>
+                        <TagInput
+                            {...field}
+                            activeTagIndex={activeTagIndex}
+                            setActiveTagIndex={setActiveTagIndex}
+                            placeholder={placeholder}
+                            size="sm"
+                            tags={field.value}
+                            setTags={setRoleTags}
+                            enableAutocomplete={true}
+                            autocompleteOptions={allRoleOptions}
+                            allowDuplicates={false}
+                            restrictTagsToAutocompleteOptions={true}
+                            sortTags={true}
+                            disabled={loading}
+                        />
+                    </FormControl>
+                    {showMultiRolePaywallMessage && (
+                        <FormDescription>{paywallMessage}</FormDescription>
+                    )}
+                    <FormMessage />
+                </FormItem>
+            )}
+        />
+    );
+}
diff --git a/src/components/RegenerateInvitationForm.tsx b/src/components/RegenerateInvitationForm.tsx
index 5d067e7d8..ce261d02e 100644
--- a/src/components/RegenerateInvitationForm.tsx
+++ b/src/components/RegenerateInvitationForm.tsx
@@ -32,15 +32,15 @@ type RegenerateInvitationFormProps = {
     invitation: {
         id: string;
         email: string;
-        roleId: number;
-        role: string;
+        roleIds: number[];
+        roleLabels: string[];
     } | null;
     onRegenerate: (updatedInvitation: {
         id: string;
         email: string;
         expiresAt: string;
-        role: string;
-        roleId: number;
+        roleLabels: string[];
+        roleIds: number[];
     }) => void;
 };
 
@@ -94,7 +94,7 @@ export default function RegenerateInvitationForm({
         try {
             const res = await api.post(`/org/${org.org.orgId}/create-invite`, {
                 email: invitation.email,
-                roleId: invitation.roleId,
+                roleIds: invitation.roleIds,
                 validHours,
                 sendEmail,
                 regenerate: true
@@ -127,9 +127,11 @@ export default function RegenerateInvitationForm({
                 onRegenerate({
                     id: invitation.id,
                     email: invitation.email,
-                    expiresAt: res.data.data.expiresAt,
-                    role: invitation.role,
-                    roleId: invitation.roleId
+                    expiresAt: new Date(
+                        res.data.data.expiresAt
+                    ).toISOString(),
+                    roleLabels: invitation.roleLabels,
+                    roleIds: invitation.roleIds
                 });
             }
         } catch (error: any) {
diff --git a/src/components/UserRoleBadges.tsx b/src/components/UserRoleBadges.tsx
new file mode 100644
index 000000000..4888aa107
--- /dev/null
+++ b/src/components/UserRoleBadges.tsx
@@ -0,0 +1,69 @@
+"use client";
+
+import { useState } from "react";
+import { Badge, badgeVariants } from "@app/components/ui/badge";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@app/components/ui/popover";
+import { cn } from "@app/lib/cn";
+
+const MAX_ROLE_BADGES = 3;
+
+export default function UserRoleBadges({
+    roleLabels
+}: {
+    roleLabels: string[];
+}) {
+    const visible = roleLabels.slice(0, MAX_ROLE_BADGES);
+    const overflow = roleLabels.slice(MAX_ROLE_BADGES);
+
+    return (
+        <div className="flex flex-wrap items-center gap-1">
+            {visible.map((label, i) => (
+                <Badge key={`${label}-${i}`} variant="secondary">
+                    {label}
+                </Badge>
+            ))}
+            {overflow.length > 0 && (
+                <OverflowRolesPopover labels={overflow} />
+            )}
+        </div>
+    );
+}
+
+function OverflowRolesPopover({ labels }: { labels: string[] }) {
+    const [open, setOpen] = useState(false);
+
+    return (
+        <Popover open={open} onOpenChange={setOpen}>
+            <PopoverTrigger asChild>
+                <button
+                    type="button"
+                    className={cn(
+                        badgeVariants({ variant: "secondary" }),
+                        "border-dashed"
+                    )}
+                    onMouseEnter={() => setOpen(true)}
+                    onMouseLeave={() => setOpen(false)}
+                >
+                    +{labels.length}
+                </button>
+            </PopoverTrigger>
+            <PopoverContent
+                align="start"
+                side="top"
+                className="w-auto max-w-xs p-2"
+                onMouseEnter={() => setOpen(true)}
+                onMouseLeave={() => setOpen(false)}
+            >
+                <ul className="space-y-1 text-sm">
+                    {labels.map((label, i) => (
+                        <li key={`${label}-${i}`}>{label}</li>
+                    ))}
+                </ul>
+            </PopoverContent>
+        </Popover>
+    );
+}
diff --git a/src/components/UsersTable.tsx b/src/components/UsersTable.tsx
index be1d6a345..3e2d4e578 100644
--- a/src/components/UsersTable.tsx
+++ b/src/components/UsersTable.tsx
@@ -12,13 +12,6 @@ import { Button } from "@app/components/ui/button";
 import { ArrowRight, ArrowUpDown, Crown, MoreHorizontal } from "lucide-react";
 import { UsersDataTable } from "@app/components/UsersDataTable";
 import { useState, useEffect } from "react";
-import {
-    Popover,
-    PopoverContent,
-    PopoverTrigger
-} from "@app/components/ui/popover";
-import { Badge, badgeVariants } from "@app/components/ui/badge";
-import { cn } from "@app/lib/cn";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { useOrgContext } from "@app/hooks/useOrgContext";
 import { toast } from "@app/hooks/useToast";
@@ -31,6 +24,7 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useUserContext } from "@app/hooks/useUserContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "./IdpTypeBadge";
+import UserRoleBadges from "./UserRoleBadges";
 
 export type UserRow = {
     id: string;
@@ -47,61 +41,6 @@ export type UserRow = {
     isOwner: boolean;
 };
 
-const MAX_ROLE_BADGES = 3;
-
-function UserRoleBadges({ roleLabels }: { roleLabels: string[] }) {
-    const visible = roleLabels.slice(0, MAX_ROLE_BADGES);
-    const overflow = roleLabels.slice(MAX_ROLE_BADGES);
-
-    return (
-        <div className="flex flex-wrap items-center gap-1">
-            {visible.map((label, i) => (
-                <Badge key={`${label}-${i}`} variant="secondary">
-                    {label}
-                </Badge>
-            ))}
-            {overflow.length > 0 && (
-                <OverflowRolesPopover labels={overflow} />
-            )}
-        </div>
-    );
-}
-
-function OverflowRolesPopover({ labels }: { labels: string[] }) {
-    const [open, setOpen] = useState(false);
-
-    return (
-        <Popover open={open} onOpenChange={setOpen}>
-            <PopoverTrigger asChild>
-                <button
-                    type="button"
-                    className={cn(
-                        badgeVariants({ variant: "secondary" }),
-                        "border-dashed"
-                    )}
-                    onMouseEnter={() => setOpen(true)}
-                    onMouseLeave={() => setOpen(false)}
-                >
-                    +{labels.length}
-                </button>
-            </PopoverTrigger>
-            <PopoverContent
-                align="start"
-                side="top"
-                className="w-auto max-w-xs p-2"
-                onMouseEnter={() => setOpen(true)}
-                onMouseLeave={() => setOpen(false)}
-            >
-                <ul className="space-y-1 text-sm">
-                    {labels.map((label, i) => (
-                        <li key={`${label}-${i}`}>{label}</li>
-                    ))}
-                </ul>
-            </PopoverContent>
-        </Popover>
-    );
-}
-
 type UsersTableProps = {
     users: UserRow[];
 };

From 77cef554bef6f0aa6097530ee2ffbee2b5c98ed7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 14:20:47 -0700
Subject: [PATCH 071/122] Provisioning room basics done

---
 messages/en-US.json                           |   5 +
 server/db/pg/schema/schema.ts                 |   3 +-
 server/db/sqlite/schema/schema.ts             |   3 +-
 server/routers/newt/registerNewt.ts           |   3 +-
 server/routers/site/createSite.ts             |   9 +-
 server/routers/site/listSites.ts              |  17 +-
 server/routers/site/updateSite.ts             |   3 +-
 .../settings/provisioning/keys/page.tsx       |  56 +++
 .../[orgId]/settings/provisioning/layout.tsx  |  38 ++
 .../[orgId]/settings/provisioning/page.tsx    |  56 +--
 .../settings/provisioning/pending/page.tsx    |  82 ++++
 src/app/[orgId]/settings/sites/page.tsx       |   1 +
 src/components/PendingSitesTable.tsx          | 440 ++++++++++++++++++
 13 files changed, 654 insertions(+), 62 deletions(-)
 create mode 100644 src/app/[orgId]/settings/provisioning/keys/page.tsx
 create mode 100644 src/app/[orgId]/settings/provisioning/layout.tsx
 create mode 100644 src/app/[orgId]/settings/provisioning/pending/page.tsx
 create mode 100644 src/components/PendingSitesTable.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 7a3fde1d4..ad64cb5e2 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -331,6 +331,11 @@
     "provisioningKeysTitle": "Provisioning Key",
     "provisioningKeysManage": "Manage Provisioning Keys",
     "provisioningKeysDescription": "Provisioning keys are used to authenticate automated site provisioning for your organization.",
+    "provisioningManage": "Provisioning",
+    "provisioningDescription": "Manage provisioning keys and review pending sites awaiting approval.",
+    "pendingSites": "Pending Sites",
+    "siteApproveSuccess": "Site approved successfully",
+    "siteApproveError": "Error approving site",
     "provisioningKeys": "Provisioning Keys",
     "searchProvisioningKeys": "Search provisioning keys...",
     "provisioningKeysAdd": "Generate Provisioning Key",
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index bb05ca358..a64aad2ef 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -100,7 +100,8 @@ export const sites = pgTable("sites", {
     publicKey: varchar("publicKey"),
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+    status: varchar("status").$type<"pending" | "accepted">()
 });
 
 export const resources = pgTable("resources", {
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 5d7c01377..52969d183 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -110,7 +110,8 @@ export const sites = sqliteTable("sites", {
     listenPort: integer("listenPort"),
     dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
-        .default(true)
+        .default(true),
+    status: text("status").$type<"pending" | "accepted">()
 });
 
 export const resources = sqliteTable("resources", {
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index 427ac173f..4923fb88e 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -196,7 +196,8 @@ export async function registerNewt(
                     name: niceId,
                     niceId,
                     type: "newt",
-                    dockerSocketEnabled: true
+                    dockerSocketEnabled: true,
+                    status: "pending"
                 })
                 .returning();
 
diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts
index 4edebb080..bf62e93cd 100644
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -298,7 +298,8 @@ export async function createSite(
                         niceId,
                         address: updatedAddress || null,
                         type,
-                        dockerSocketEnabled: true
+                        dockerSocketEnabled: true,
+                        status: "accepted"
                     })
                     .returning();
             } else if (type == "wireguard") {
@@ -355,7 +356,8 @@ export async function createSite(
                         niceId,
                         subnet,
                         type,
-                        pubKey: pubKey || null
+                        pubKey: pubKey || null,
+                        status: "accepted"
                     })
                     .returning();
             } else if (type == "local") {
@@ -370,7 +372,8 @@ export async function createSite(
                         type,
                         dockerSocketEnabled: false,
                         online: true,
-                        subnet: "0.0.0.0/32"
+                        subnet: "0.0.0.0/32",
+                        status: "accepted"
                     })
                     .returning();
             } else {
diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts
index a244c650c..1d7e99042 100644
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -135,6 +135,15 @@ const listSitesSchema = z.object({
         .openapi({
             type: "boolean",
             description: "Filter by online status"
+        }),
+    status: z
+        .enum(["pending", "accepted"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["pending", "accepted"],
+            description: "Filter by site status"
         })
 });
 
@@ -156,7 +165,8 @@ function querySitesBase() {
             exitNodeId: sites.exitNodeId,
             exitNodeName: exitNodes.name,
             exitNodeEndpoint: exitNodes.endpoint,
-            remoteExitNodeId: remoteExitNodes.remoteExitNodeId
+            remoteExitNodeId: remoteExitNodes.remoteExitNodeId,
+            status: sites.status
         })
         .from(sites)
         .leftJoin(orgs, eq(sites.orgId, orgs.orgId))
@@ -245,7 +255,7 @@ export async function listSites(
                 .where(eq(sites.orgId, orgId));
         }
 
-        const { pageSize, page, query, sort_by, order, online } =
+        const { pageSize, page, query, sort_by, order, online, status } =
             parsedQuery.data;
 
         const accessibleSiteIds = accessibleSites.map((site) => site.siteId);
@@ -273,6 +283,9 @@ export async function listSites(
         if (typeof online !== "undefined") {
             conditions.push(eq(sites.online, online));
         }
+        if (typeof status !== "undefined") {
+            conditions.push(eq(sites.status, status));
+        }
 
         const baseQuery = querySitesBase().where(and(...conditions));
 
diff --git a/server/routers/site/updateSite.ts b/server/routers/site/updateSite.ts
index ca0f76783..244adf7b8 100644
--- a/server/routers/site/updateSite.ts
+++ b/server/routers/site/updateSite.ts
@@ -19,7 +19,8 @@ const updateSiteBodySchema = z
     .strictObject({
         name: z.string().min(1).max(255).optional(),
         niceId: z.string().min(1).max(255).optional(),
-        dockerSocketEnabled: z.boolean().optional()
+        dockerSocketEnabled: z.boolean().optional(),
+        status: z.enum(["pending", "accepted"]).optional(),
         // remoteSubnets: z.string().optional()
         // subdomain: z
         //     .string()
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
new file mode 100644
index 000000000..1cfbf5b05
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -0,0 +1,56 @@
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { AxiosResponse } from "axios";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import SiteProvisioningKeysTable, {
+    SiteProvisioningKeyRow
+} from "../../../../../components/SiteProvisioningKeysTable";
+import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
+import { getTranslations } from "next-intl/server";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+
+type ProvisioningKeysPageProps = {
+    params: Promise<{ orgId: string }>;
+};
+
+export const dynamic = "force-dynamic";
+
+export default async function ProvisioningKeysPage(
+    props: ProvisioningKeysPageProps
+) {
+    const params = await props.params;
+    const t = await getTranslations();
+
+    let siteProvisioningKeys: ListSiteProvisioningKeysResponse["siteProvisioningKeys"] =
+        [];
+    try {
+        const res = await internal.get<
+            AxiosResponse<ListSiteProvisioningKeysResponse>
+        >(
+            `/org/${params.orgId}/site-provisioning-keys`,
+            await authCookieHeader()
+        );
+        siteProvisioningKeys = res.data.data.siteProvisioningKeys;
+    } catch (e) {}
+
+    const rows: SiteProvisioningKeyRow[] = siteProvisioningKeys.map((k) => ({
+        name: k.name,
+        id: k.siteProvisioningKeyId,
+        key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
+        createdAt: k.createdAt,
+        lastUsed: k.lastUsed,
+        maxBatchSize: k.maxBatchSize,
+        numUsed: k.numUsed,
+        validUntil: k.validUntil
+    }));
+
+    return (
+        <>
+            <PaidFeaturesAlert
+                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
+            />
+
+            <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
+        </>
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/provisioning/layout.tsx b/src/app/[orgId]/settings/provisioning/layout.tsx
new file mode 100644
index 000000000..bd2da7812
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/layout.tsx
@@ -0,0 +1,38 @@
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
+import { getTranslations } from "next-intl/server";
+
+interface ProvisioningLayoutProps {
+    children: React.ReactNode;
+    params: Promise<{ orgId: string }>;
+}
+
+export default async function ProvisioningLayout({
+    children,
+    params
+}: ProvisioningLayoutProps) {
+    const { orgId } = await params;
+    const t = await getTranslations();
+
+    const navItems = [
+        {
+            title: t("provisioningKeys"),
+            href: `/${orgId}/settings/provisioning/keys`
+        },
+        {
+            title: t("pendingSites"),
+            href: `/${orgId}/settings/provisioning/pending`
+        }
+    ];
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title={t("provisioningManage")}
+                description={t("provisioningDescription")}
+            />
+
+            <HorizontalTabs items={navItems}>{children}</HorizontalTabs>
+        </>
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/provisioning/page.tsx b/src/app/[orgId]/settings/provisioning/page.tsx
index e8b53104f..51db66c2d 100644
--- a/src/app/[orgId]/settings/provisioning/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/page.tsx
@@ -1,60 +1,10 @@
-import { internal } from "@app/lib/api";
-import { authCookieHeader } from "@app/lib/api/cookies";
-import { AxiosResponse } from "axios";
-import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
-import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import SiteProvisioningKeysTable, {
-    SiteProvisioningKeyRow
-} from "../../../../components/SiteProvisioningKeysTable";
-import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
-import { getTranslations } from "next-intl/server";
-import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+import { redirect } from "next/navigation";
 
 type ProvisioningPageProps = {
     params: Promise<{ orgId: string }>;
 };
 
-export const dynamic = "force-dynamic";
-
 export default async function ProvisioningPage(props: ProvisioningPageProps) {
     const params = await props.params;
-    const t = await getTranslations();
-
-    let siteProvisioningKeys: ListSiteProvisioningKeysResponse["siteProvisioningKeys"] =
-        [];
-    try {
-        const res = await internal.get<
-            AxiosResponse<ListSiteProvisioningKeysResponse>
-        >(
-            `/org/${params.orgId}/site-provisioning-keys`,
-            await authCookieHeader()
-        );
-        siteProvisioningKeys = res.data.data.siteProvisioningKeys;
-    } catch (e) {}
-
-    const rows: SiteProvisioningKeyRow[] = siteProvisioningKeys.map((k) => ({
-        name: k.name,
-        id: k.siteProvisioningKeyId,
-        key: `${k.siteProvisioningKeyId}••••••••••••••••••••${k.lastChars}`,
-        createdAt: k.createdAt,
-        lastUsed: k.lastUsed,
-        maxBatchSize: k.maxBatchSize,
-        numUsed: k.numUsed,
-        validUntil: k.validUntil
-    }));
-
-    return (
-        <>
-            <SettingsSectionTitle
-                title={t("provisioningKeysManage")}
-                description={t("provisioningKeysDescription")}
-            />
-
-            <PaidFeaturesAlert
-                tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
-            />
-
-            <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
-        </>
-    );
-}
+    redirect(`/${params.orgId}/settings/provisioning/keys`);
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/provisioning/pending/page.tsx b/src/app/[orgId]/settings/provisioning/pending/page.tsx
new file mode 100644
index 000000000..78178cb14
--- /dev/null
+++ b/src/app/[orgId]/settings/provisioning/pending/page.tsx
@@ -0,0 +1,82 @@
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { ListSitesResponse } from "@server/routers/site";
+import { AxiosResponse } from "axios";
+import { SiteRow } from "@app/components/SitesTable";
+import PendingSitesTable from "@app/components/PendingSitesTable";
+import { getTranslations } from "next-intl/server";
+
+type PendingSitesPageProps = {
+    params: Promise<{ orgId: string }>;
+    searchParams: Promise<Record<string, string>>;
+};
+
+export const dynamic = "force-dynamic";
+
+export default async function PendingSitesPage(props: PendingSitesPageProps) {
+    const params = await props.params;
+
+    const incomingSearchParams = new URLSearchParams(await props.searchParams);
+    incomingSearchParams.set("status", "pending");
+
+    let sites: ListSitesResponse["sites"] = [];
+    let pagination: ListSitesResponse["pagination"] = {
+        total: 0,
+        page: 1,
+        pageSize: 20
+    };
+
+    try {
+        const res = await internal.get<AxiosResponse<ListSitesResponse>>(
+            `/org/${params.orgId}/sites?${incomingSearchParams.toString()}`,
+            await authCookieHeader()
+        );
+        const responseData = res.data.data;
+        sites = responseData.sites;
+        pagination = responseData.pagination;
+    } catch (e) {}
+
+    const t = await getTranslations();
+
+    function formatSize(mb: number, type: string): string {
+        if (type === "local") {
+            return "-";
+        }
+        if (mb >= 1024 * 1024) {
+            return t("terabytes", { count: (mb / (1024 * 1024)).toFixed(2) });
+        } else if (mb >= 1024) {
+            return t("gigabytes", { count: (mb / 1024).toFixed(2) });
+        } else {
+            return t("megabytes", { count: mb.toFixed(2) });
+        }
+    }
+
+    const siteRows: SiteRow[] = sites.map((site) => ({
+        name: site.name,
+        id: site.siteId,
+        nice: site.niceId.toString(),
+        address: site.address?.split("/")[0],
+        mbIn: formatSize(site.megabytesIn || 0, site.type),
+        mbOut: formatSize(site.megabytesOut || 0, site.type),
+        orgId: params.orgId,
+        type: site.type as any,
+        online: site.online,
+        newtVersion: site.newtVersion || undefined,
+        newtUpdateAvailable: site.newtUpdateAvailable || false,
+        exitNodeName: site.exitNodeName || undefined,
+        exitNodeEndpoint: site.exitNodeEndpoint || undefined,
+        remoteExitNodeId: (site as any).remoteExitNodeId || undefined
+    }));
+
+    return (
+        <PendingSitesTable
+            sites={siteRows}
+            orgId={params.orgId}
+            rowCount={pagination.total}
+            pagination={{
+                pageIndex: pagination.page - 1,
+                pageSize: pagination.pageSize
+            }}
+        />
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/sites/page.tsx b/src/app/[orgId]/settings/sites/page.tsx
index 161c757f6..5839ba2be 100644
--- a/src/app/[orgId]/settings/sites/page.tsx
+++ b/src/app/[orgId]/settings/sites/page.tsx
@@ -18,6 +18,7 @@ export default async function SitesPage(props: SitesPageProps) {
     const params = await props.params;
 
     const searchParams = new URLSearchParams(await props.searchParams);
+    searchParams.set("status", "accepted");
 
     let sites: ListSitesResponse["sites"] = [];
     let pagination: ListSitesResponse["pagination"] = {
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
new file mode 100644
index 000000000..f9126a091
--- /dev/null
+++ b/src/components/PendingSitesTable.tsx
@@ -0,0 +1,440 @@
+"use client";
+
+import { Badge } from "@app/components/ui/badge";
+import { Button } from "@app/components/ui/button";
+import { InfoPopup } from "@app/components/ui/info-popup";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { useNavigationContext } from "@app/hooks/useNavigationContext";
+import { getNextSortOrder, getSortDirection } from "@app/lib/sortColumn";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { build } from "@server/build";
+import { type PaginationState } from "@tanstack/react-table";
+import {
+    ArrowDown01Icon,
+    ArrowUp10Icon,
+    ArrowUpRight,
+    Check,
+    ChevronsUpDownIcon
+} from "lucide-react";
+import { useTranslations } from "next-intl";
+import Link from "next/link";
+import { usePathname, useRouter } from "next/navigation";
+import { useState, useTransition } from "react";
+import { useDebouncedCallback } from "use-debounce";
+import z from "zod";
+import { ColumnFilterButton } from "./ColumnFilterButton";
+import {
+    ControlledDataTable,
+    type ExtendedColumnDef
+} from "./ui/controlled-data-table";
+import { SiteRow } from "./SitesTable";
+
+type PendingSitesTableProps = {
+    sites: SiteRow[];
+    pagination: PaginationState;
+    orgId: string;
+    rowCount: number;
+};
+
+export default function PendingSitesTable({
+    sites,
+    orgId,
+    pagination,
+    rowCount
+}: PendingSitesTableProps) {
+    const router = useRouter();
+    const pathname = usePathname();
+    const {
+        navigate: filter,
+        isNavigating: isFiltering,
+        searchParams
+    } = useNavigationContext();
+
+    const [isRefreshing, startTransition] = useTransition();
+    const [approvingIds, setApprovingIds] = useState<Set<number>>(new Set());
+
+    const api = createApiClient(useEnvContext());
+    const t = useTranslations();
+
+    const booleanSearchFilterSchema = z
+        .enum(["true", "false"])
+        .optional()
+        .catch(undefined);
+
+    function handleFilterChange(
+        column: string,
+        value: string | undefined | null
+    ) {
+        const sp = new URLSearchParams(searchParams);
+        sp.delete(column);
+        sp.delete("page");
+
+        if (value) {
+            sp.set(column, value);
+        }
+        startTransition(() => router.push(`${pathname}?${sp.toString()}`));
+    }
+
+    function refreshData() {
+        startTransition(async () => {
+            try {
+                router.refresh();
+            } catch (error) {
+                toast({
+                    title: t("error"),
+                    description: t("refreshError"),
+                    variant: "destructive"
+                });
+            }
+        });
+    }
+
+    async function approveSite(siteId: number) {
+        setApprovingIds((prev) => new Set(prev).add(siteId));
+        try {
+            await api.post(`/site/${siteId}`, { status: "accepted" });
+            toast({
+                title: t("success"),
+                description: t("siteApproveSuccess"),
+                variant: "default"
+            });
+            router.refresh();
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("siteApproveError"),
+                description: formatAxiosError(e, t("siteApproveError"))
+            });
+        } finally {
+            setApprovingIds((prev) => {
+                const next = new Set(prev);
+                next.delete(siteId);
+                return next;
+            });
+        }
+    }
+
+    const columns: ExtendedColumnDef<SiteRow>[] = [
+        {
+            accessorKey: "name",
+            enableHiding: false,
+            header: () => {
+                const nameOrder = getSortDirection("name", searchParams);
+                const Icon =
+                    nameOrder === "asc"
+                        ? ArrowDown01Icon
+                        : nameOrder === "desc"
+                          ? ArrowUp10Icon
+                          : ChevronsUpDownIcon;
+
+                return (
+                    <Button
+                        variant="ghost"
+                        className="p-3"
+                        onClick={() => toggleSort("name")}
+                    >
+                        {t("name")}
+                        <Icon className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            id: "niceId",
+            accessorKey: "nice",
+            friendlyName: t("identifier"),
+            enableHiding: true,
+            header: () => {
+                return <span className="p-3">{t("identifier")}</span>;
+            },
+            cell: ({ row }) => {
+                return <span>{row.original.nice || "-"}</span>;
+            }
+        },
+        {
+            accessorKey: "online",
+            friendlyName: t("online"),
+            header: () => {
+                return (
+                    <ColumnFilterButton
+                        options={[
+                            { value: "true", label: t("online") },
+                            { value: "false", label: t("offline") }
+                        ]}
+                        selectedValue={booleanSearchFilterSchema.parse(
+                            searchParams.get("online")
+                        )}
+                        onValueChange={(value) =>
+                            handleFilterChange("online", value)
+                        }
+                        searchPlaceholder={t("searchPlaceholder")}
+                        emptyMessage={t("emptySearchOptions")}
+                        label={t("online")}
+                        className="p-3"
+                    />
+                );
+            },
+            cell: ({ row }) => {
+                const originalRow = row.original;
+                if (
+                    originalRow.type == "newt" ||
+                    originalRow.type == "wireguard"
+                ) {
+                    if (originalRow.online) {
+                        return (
+                            <span className="text-green-500 flex items-center space-x-2">
+                                <div className="w-2 h-2 bg-green-500 rounded-full"></div>
+                                <span>{t("online")}</span>
+                            </span>
+                        );
+                    } else {
+                        return (
+                            <span className="text-neutral-500 flex items-center space-x-2">
+                                <div className="w-2 h-2 bg-gray-500 rounded-full"></div>
+                                <span>{t("offline")}</span>
+                            </span>
+                        );
+                    }
+                } else {
+                    return <span>-</span>;
+                }
+            }
+        },
+        {
+            accessorKey: "mbIn",
+            friendlyName: t("dataIn"),
+            header: () => {
+                const dataInOrder = getSortDirection(
+                    "megabytesIn",
+                    searchParams
+                );
+                const Icon =
+                    dataInOrder === "asc"
+                        ? ArrowDown01Icon
+                        : dataInOrder === "desc"
+                          ? ArrowUp10Icon
+                          : ChevronsUpDownIcon;
+                return (
+                    <Button
+                        variant="ghost"
+                        onClick={() => toggleSort("megabytesIn")}
+                    >
+                        {t("dataIn")}
+                        <Icon className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            accessorKey: "mbOut",
+            friendlyName: t("dataOut"),
+            header: () => {
+                const dataOutOrder = getSortDirection(
+                    "megabytesOut",
+                    searchParams
+                );
+                const Icon =
+                    dataOutOrder === "asc"
+                        ? ArrowDown01Icon
+                        : dataOutOrder === "desc"
+                          ? ArrowUp10Icon
+                          : ChevronsUpDownIcon;
+                return (
+                    <Button
+                        variant="ghost"
+                        onClick={() => toggleSort("megabytesOut")}
+                    >
+                        {t("dataOut")}
+                        <Icon className="ml-2 h-4 w-4" />
+                    </Button>
+                );
+            }
+        },
+        {
+            accessorKey: "type",
+            friendlyName: t("type"),
+            header: () => {
+                return <span className="p-3">{t("type")}</span>;
+            },
+            cell: ({ row }) => {
+                const originalRow = row.original;
+
+                if (originalRow.type === "newt") {
+                    return (
+                        <div className="flex items-center space-x-1">
+                            <Badge variant="secondary">
+                                <div className="flex items-center space-x-1">
+                                    <span>Newt</span>
+                                    {originalRow.newtVersion && (
+                                        <span>v{originalRow.newtVersion}</span>
+                                    )}
+                                </div>
+                            </Badge>
+                            {originalRow.newtUpdateAvailable && (
+                                <InfoPopup
+                                    info={t("newtUpdateAvailableInfo")}
+                                />
+                            )}
+                        </div>
+                    );
+                }
+
+                if (originalRow.type === "wireguard") {
+                    return (
+                        <div className="flex items-center space-x-2">
+                            <Badge variant="secondary">WireGuard</Badge>
+                        </div>
+                    );
+                }
+
+                if (originalRow.type === "local") {
+                    return (
+                        <div className="flex items-center space-x-2">
+                            <Badge variant="secondary">Local</Badge>
+                        </div>
+                    );
+                }
+            }
+        },
+        {
+            accessorKey: "exitNode",
+            friendlyName: t("exitNode"),
+            header: () => {
+                return <span className="p-3">{t("exitNode")}</span>;
+            },
+            cell: ({ row }) => {
+                const originalRow = row.original;
+                if (!originalRow.exitNodeName) {
+                    return "-";
+                }
+
+                const isCloudNode =
+                    build == "saas" &&
+                    originalRow.exitNodeName &&
+                    [
+                        "mercury",
+                        "venus",
+                        "earth",
+                        "mars",
+                        "jupiter",
+                        "saturn",
+                        "uranus",
+                        "neptune"
+                    ].includes(originalRow.exitNodeName.toLowerCase());
+
+                if (isCloudNode) {
+                    const capitalizedName =
+                        originalRow.exitNodeName.charAt(0).toUpperCase() +
+                        originalRow.exitNodeName.slice(1).toLowerCase();
+                    return (
+                        <Badge variant="secondary">
+                            Pangolin {capitalizedName}
+                        </Badge>
+                    );
+                }
+
+                if (originalRow.remoteExitNodeId) {
+                    return (
+                        <Link
+                            href={`/${originalRow.orgId}/settings/remote-exit-nodes/${originalRow.remoteExitNodeId}`}
+                        >
+                            <Button variant="outline">
+                                {originalRow.exitNodeName}
+                                <ArrowUpRight className="ml-2 h-4 w-4" />
+                            </Button>
+                        </Link>
+                    );
+                }
+
+                return <span>{originalRow.exitNodeName}</span>;
+            }
+        },
+        {
+            accessorKey: "address",
+            header: () => {
+                return <span className="p-3">{t("address")}</span>;
+            },
+            cell: ({ row }: { row: any }) => {
+                const originalRow = row.original;
+                return originalRow.address ? (
+                    <div className="flex items-center space-x-2">
+                        <span>{originalRow.address}</span>
+                    </div>
+                ) : (
+                    "-"
+                );
+            }
+        },
+        {
+            id: "actions",
+            enableHiding: false,
+            header: () => <span className="p-3"></span>,
+            cell: ({ row }) => {
+                const siteRow = row.original;
+                const isApproving = approvingIds.has(siteRow.id);
+                return (
+                    <div className="flex items-center gap-2 justify-end">
+                        <Button
+                            variant="outline"
+                            disabled={isApproving}
+                            onClick={() => approveSite(siteRow.id)}
+                        >
+                            <Check className="mr-2 w-4 h-4" />
+                            {t("approve")}
+                        </Button>
+                    </div>
+                );
+            }
+        }
+    ];
+
+    function toggleSort(column: string) {
+        const newSearch = getNextSortOrder(column, searchParams);
+
+        filter({
+            searchParams: newSearch
+        });
+    }
+
+    const handlePaginationChange = (newPage: PaginationState) => {
+        searchParams.set("page", (newPage.pageIndex + 1).toString());
+        searchParams.set("pageSize", newPage.pageSize.toString());
+        filter({
+            searchParams
+        });
+    };
+
+    const handleSearchChange = useDebouncedCallback((query: string) => {
+        searchParams.set("query", query);
+        searchParams.delete("page");
+        filter({
+            searchParams
+        });
+    }, 300);
+
+    return (
+        <ControlledDataTable
+            columns={columns}
+            rows={sites}
+            tableId="pending-sites-table"
+            searchPlaceholder={t("searchSitesProgress")}
+            pagination={pagination}
+            onPaginationChange={handlePaginationChange}
+            searchQuery={searchParams.get("query")?.toString()}
+            onSearch={handleSearchChange}
+            onRefresh={refreshData}
+            isRefreshing={isRefreshing || isFiltering}
+            rowCount={rowCount}
+            columnVisibility={{
+                niceId: false,
+                nice: false,
+                exitNode: false,
+                address: false
+            }}
+            enableColumnVisibility
+            stickyLeftColumn="name"
+            stickyRightColumn="actions"
+        />
+    );
+}
\ No newline at end of file

From fcf92d4e2c910efbe24ed650222f218eba6c18d6 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 16:28:51 -0700
Subject: [PATCH 072/122] Add basic provisioning room v1 and update keys

---
 messages/en-US.json                           |  8 ++
 server/db/pg/schema/privateSchema.ts          |  3 +-
 server/db/pg/schema/schema.ts                 |  2 +-
 server/db/sqlite/schema/privateSchema.ts      |  5 +-
 server/db/sqlite/schema/schema.ts             |  2 +-
 .../createSiteProvisioningKey.ts              | 11 ++-
 .../listSiteProvisioningKeys.ts               |  3 +-
 .../updateSiteProvisioningKey.ts              | 15 ++-
 server/routers/newt/registerNewt.ts           |  5 +-
 server/routers/site/createSite.ts             |  6 +-
 server/routers/site/listSites.ts              |  4 +-
 server/routers/site/updateSite.ts             |  2 +-
 server/routers/siteProvisioning/types.ts      |  3 +
 .../settings/provisioning/keys/page.tsx       | 29 +++++-
 .../settings/provisioning/pending/page.tsx    | 48 ++++++++--
 src/app/[orgId]/settings/sites/page.tsx       |  2 +-
 .../CreateSiteProvisioningKeyCredenza.tsx     | 93 ++++++++++++-------
 .../EditSiteProvisioningKeyCredenza.tsx       | 45 ++++++++-
 src/components/PendingSitesTable.tsx          |  4 +-
 19 files changed, 219 insertions(+), 71 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index ad64cb5e2..b53c61ebe 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -365,9 +365,17 @@
     "provisioningKeysNeverUsed": "Never",
     "provisioningKeysEdit": "Edit Provisioning Key",
     "provisioningKeysEditDescription": "Update the max batch size and expiration time for this key.",
+    "provisioningKeysApproveNewSites": "Approve new sites",
+    "provisioningKeysApproveNewSitesDescription": "Automatically approve sites that register with this key.",
     "provisioningKeysUpdateError": "Error updating provisioning key",
     "provisioningKeysUpdated": "Provisioning key updated",
     "provisioningKeysUpdatedDescription": "Your changes have been saved.",
+    "provisioningKeysBannerTitle": "Site Provisioning Keys",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup — no need to set up separate credentials for each site.",
+    "provisioningKeysBannerButtonText": "Learn More",
+    "pendingSitesBannerTitle": "Pending Sites",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review. Approve each site before it becomes active and gains access to your resources.",
+    "pendingSitesBannerButtonText": "Learn More",
     "apiKeysSettings": "{apiKeyName} Settings",
     "userTitle": "Manage All Users",
     "userDescription": "View and manage all users in the system",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index bb1e866c4..c83d420a2 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -391,7 +391,8 @@ export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
     lastUsed: varchar("lastUsed", { length: 255 }),
     maxBatchSize: integer("maxBatchSize"), // null = no limit
     numUsed: integer("numUsed").notNull().default(0),
-    validUntil: varchar("validUntil", { length: 255 })
+    validUntil: varchar("validUntil", { length: 255 }),
+    approveNewSites: boolean("approveNewSites").notNull().default(true)
 });
 
 export const siteProvisioningKeyOrg = pgTable(
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index a64aad2ef..29e25bbdd 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -101,7 +101,7 @@ export const sites = pgTable("sites", {
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
     dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
-    status: varchar("status").$type<"pending" | "accepted">()
+    status: varchar("status").$type<"pending" | "approved">()
 });
 
 export const resources = pgTable("resources", {
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 5913497b3..287c53884 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -375,7 +375,10 @@ export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
     lastUsed: text("lastUsed"),
     maxBatchSize: integer("maxBatchSize"), // null = no limit
     numUsed: integer("numUsed").notNull().default(0),
-    validUntil: text("validUntil")
+    validUntil: text("validUntil"),
+    approveNewSites: integer("approveNewSites", { mode: "boolean" })
+        .notNull()
+        .default(true)
 });
 
 export const siteProvisioningKeyOrg = sqliteTable(
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 52969d183..880fab3fd 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -111,7 +111,7 @@ export const sites = sqliteTable("sites", {
     dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
         .default(true),
-    status: text("status").$type<"pending" | "accepted">()
+    status: text("status").$type<"pending" | "approved">()
 });
 
 export const resources = sqliteTable("resources", {
diff --git a/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
index abed27550..e521eaa22 100644
--- a/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -38,7 +38,8 @@ const bodySchema = z
             z.null(),
             z.coerce.number().int().positive().max(1_000_000)
         ]),
-        validUntil: z.string().max(255).optional()
+        validUntil: z.string().max(255).optional(),
+        approveNewSites: z.boolean().optional().default(true)
     })
     .superRefine((data, ctx) => {
         const v = data.validUntil;
@@ -82,7 +83,7 @@ export async function createSiteProvisioningKey(
     }
 
     const { orgId } = parsedParams.data;
-    const { name, maxBatchSize } = parsedBody.data;
+    const { name, maxBatchSize, approveNewSites } = parsedBody.data;
     const vuRaw = parsedBody.data.validUntil;
     const validUntil =
         vuRaw == null || vuRaw.trim() === ""
@@ -106,7 +107,8 @@ export async function createSiteProvisioningKey(
             lastUsed: null,
             maxBatchSize,
             numUsed: 0,
-            validUntil
+            validUntil,
+            approveNewSites
         });
 
         await trx.insert(siteProvisioningKeyOrg).values({
@@ -127,7 +129,8 @@ export async function createSiteProvisioningKey(
                 lastUsed: null,
                 maxBatchSize,
                 numUsed: 0,
-                validUntil
+                validUntil,
+                approveNewSites
             },
             success: true,
             error: false,
diff --git a/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
index 5f7531a2c..dd51179d3 100644
--- a/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
+++ b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
@@ -57,7 +57,8 @@ function querySiteProvisioningKeys(orgId: string) {
             lastUsed: siteProvisioningKeys.lastUsed,
             maxBatchSize: siteProvisioningKeys.maxBatchSize,
             numUsed: siteProvisioningKeys.numUsed,
-            validUntil: siteProvisioningKeys.validUntil
+            validUntil: siteProvisioningKeys.validUntil,
+            approveNewSites: siteProvisioningKeys.approveNewSites
         })
         .from(siteProvisioningKeyOrg)
         .innerJoin(
diff --git a/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
index 526d8bfb8..2f4dafbdf 100644
--- a/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
@@ -39,16 +39,18 @@ const bodySchema = z
                 z.coerce.number().int().positive().max(1_000_000)
             ])
             .optional(),
-        validUntil: z.string().max(255).optional()
+        validUntil: z.string().max(255).optional(),
+        approveNewSites: z.boolean().optional()
     })
     .superRefine((data, ctx) => {
         if (
             data.maxBatchSize === undefined &&
-            data.validUntil === undefined
+            data.validUntil === undefined &&
+            data.approveNewSites === undefined
         ) {
             ctx.addIssue({
                 code: "custom",
-                message: "Provide maxBatchSize and/or validUntil",
+                message: "Provide maxBatchSize and/or validUntil and/or approveNewSites",
                 path: ["maxBatchSize"]
             });
         }
@@ -129,6 +131,7 @@ export async function updateSiteProvisioningKey(
         const setValues: {
             maxBatchSize?: number | null;
             validUntil?: string | null;
+            approveNewSites?: boolean;
         } = {};
         if (body.maxBatchSize !== undefined) {
             setValues.maxBatchSize = body.maxBatchSize;
@@ -139,6 +142,9 @@ export async function updateSiteProvisioningKey(
                     ? null
                     : new Date(Date.parse(body.validUntil)).toISOString();
         }
+        if (body.approveNewSites !== undefined) {
+            setValues.approveNewSites = body.approveNewSites;
+        }
 
         await db
             .update(siteProvisioningKeys)
@@ -160,7 +166,8 @@ export async function updateSiteProvisioningKey(
                 lastUsed: siteProvisioningKeys.lastUsed,
                 maxBatchSize: siteProvisioningKeys.maxBatchSize,
                 numUsed: siteProvisioningKeys.numUsed,
-                validUntil: siteProvisioningKeys.validUntil
+                validUntil: siteProvisioningKeys.validUntil,
+                approveNewSites: siteProvisioningKeys.approveNewSites
             })
             .from(siteProvisioningKeys)
             .where(
diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index 4923fb88e..6ad7c30a8 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -82,7 +82,8 @@ export async function registerNewt(
                 orgId: siteProvisioningKeyOrg.orgId,
                 maxBatchSize: siteProvisioningKeys.maxBatchSize,
                 numUsed: siteProvisioningKeys.numUsed,
-                validUntil: siteProvisioningKeys.validUntil
+                validUntil: siteProvisioningKeys.validUntil,
+                approveNewSites: siteProvisioningKeys.approveNewSites,
             })
             .from(siteProvisioningKeys)
             .innerJoin(
@@ -197,7 +198,7 @@ export async function registerNewt(
                     niceId,
                     type: "newt",
                     dockerSocketEnabled: true,
-                    status: "pending"
+                    status: keyRecord.approveNewSites ? "approved" : "pending",
                 })
                 .returning();
 
diff --git a/server/routers/site/createSite.ts b/server/routers/site/createSite.ts
index bf62e93cd..d397b2784 100644
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -299,7 +299,7 @@ export async function createSite(
                         address: updatedAddress || null,
                         type,
                         dockerSocketEnabled: true,
-                        status: "accepted"
+                        status: "approved"
                     })
                     .returning();
             } else if (type == "wireguard") {
@@ -357,7 +357,7 @@ export async function createSite(
                         subnet,
                         type,
                         pubKey: pubKey || null,
-                        status: "accepted"
+                        status: "approved"
                     })
                     .returning();
             } else if (type == "local") {
@@ -373,7 +373,7 @@ export async function createSite(
                         dockerSocketEnabled: false,
                         online: true,
                         subnet: "0.0.0.0/32",
-                        status: "accepted"
+                        status: "approved"
                     })
                     .returning();
             } else {
diff --git a/server/routers/site/listSites.ts b/server/routers/site/listSites.ts
index 1d7e99042..6f085d74d 100644
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -137,12 +137,12 @@ const listSitesSchema = z.object({
             description: "Filter by online status"
         }),
     status: z
-        .enum(["pending", "accepted"])
+        .enum(["pending", "approved"])
         .optional()
         .catch(undefined)
         .openapi({
             type: "string",
-            enum: ["pending", "accepted"],
+            enum: ["pending", "approved"],
             description: "Filter by site status"
         })
 });
diff --git a/server/routers/site/updateSite.ts b/server/routers/site/updateSite.ts
index 244adf7b8..34d1341d7 100644
--- a/server/routers/site/updateSite.ts
+++ b/server/routers/site/updateSite.ts
@@ -20,7 +20,7 @@ const updateSiteBodySchema = z
         name: z.string().min(1).max(255).optional(),
         niceId: z.string().min(1).max(255).optional(),
         dockerSocketEnabled: z.boolean().optional(),
-        status: z.enum(["pending", "accepted"]).optional(),
+        status: z.enum(["pending", "approved"]).optional(),
         // remoteSubnets: z.string().optional()
         // subdomain: z
         //     .string()
diff --git a/server/routers/siteProvisioning/types.ts b/server/routers/siteProvisioning/types.ts
index d06c1fe26..785d9dfff 100644
--- a/server/routers/siteProvisioning/types.ts
+++ b/server/routers/siteProvisioning/types.ts
@@ -8,6 +8,7 @@ export type SiteProvisioningKeyListItem = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 export type ListSiteProvisioningKeysResponse = {
@@ -26,6 +27,7 @@ export type CreateSiteProvisioningKeyResponse = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 export type UpdateSiteProvisioningKeyResponse = {
@@ -38,4 +40,5 @@ export type UpdateSiteProvisioningKeyResponse = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
index 1cfbf5b05..021bb97b7 100644
--- a/src/app/[orgId]/settings/provisioning/keys/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -8,6 +8,10 @@ import SiteProvisioningKeysTable, {
 import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 import { getTranslations } from "next-intl/server";
 import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
+import DismissableBanner from "@app/components/DismissableBanner";
+import Link from "next/link";
+import { Button } from "@app/components/ui/button";
+import { ArrowRight, Plug } from "lucide-react";
 
 type ProvisioningKeysPageProps = {
     params: Promise<{ orgId: string }>;
@@ -46,6 +50,29 @@ export default async function ProvisioningKeysPage(
 
     return (
         <>
+            <DismissableBanner
+                storageKey="sites-banner-dismissed"
+                version={1}
+                title={t("provisioningKeysBannerTitle")}
+                titleIcon={<Plug className="w-5 h-5 text-primary" />}
+                description={t("provisioningKeysBannerDescription")}
+            >
+                <Link
+                    href="https://docs.pangolin.net/manage/sites/install-site"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                >
+                    <Button
+                        variant="outline"
+                        size="sm"
+                        className="gap-2 hover:bg-primary/10 hover:border-primary/50 transition-colors"
+                    >
+                        {t("provisioningKeysBannerButtonText")}
+                        <ArrowRight className="w-4 h-4" />
+                    </Button>
+                </Link>
+            </DismissableBanner>
+
             <PaidFeaturesAlert
                 tiers={tierMatrix[TierFeature.SiteProvisioningKeys]}
             />
@@ -53,4 +80,4 @@ export default async function ProvisioningKeysPage(
             <SiteProvisioningKeysTable keys={rows} orgId={params.orgId} />
         </>
     );
-}
\ No newline at end of file
+}
diff --git a/src/app/[orgId]/settings/provisioning/pending/page.tsx b/src/app/[orgId]/settings/provisioning/pending/page.tsx
index 78178cb14..637f828b8 100644
--- a/src/app/[orgId]/settings/provisioning/pending/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/pending/page.tsx
@@ -5,6 +5,10 @@ import { AxiosResponse } from "axios";
 import { SiteRow } from "@app/components/SitesTable";
 import PendingSitesTable from "@app/components/PendingSitesTable";
 import { getTranslations } from "next-intl/server";
+import DismissableBanner from "@app/components/DismissableBanner";
+import Link from "next/link";
+import { Button } from "@app/components/ui/button";
+import { ArrowRight, Plug } from "lucide-react";
 
 type PendingSitesPageProps = {
     params: Promise<{ orgId: string }>;
@@ -69,14 +73,38 @@ export default async function PendingSitesPage(props: PendingSitesPageProps) {
     }));
 
     return (
-        <PendingSitesTable
-            sites={siteRows}
-            orgId={params.orgId}
-            rowCount={pagination.total}
-            pagination={{
-                pageIndex: pagination.page - 1,
-                pageSize: pagination.pageSize
-            }}
-        />
+        <>
+            <DismissableBanner
+                storageKey="sites-banner-dismissed"
+                version={1}
+                title={t("pendingSitesBannerTitle")}
+                titleIcon={<Plug className="w-5 h-5 text-primary" />}
+                description={t("pendingSitesBannerDescription")}
+            >
+                <Link
+                    href="https://docs.pangolin.net/manage/sites/install-site"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                >
+                    <Button
+                        variant="outline"
+                        size="sm"
+                        className="gap-2 hover:bg-primary/10 hover:border-primary/50 transition-colors"
+                    >
+                        {t("pendingSitesBannerButtonText")}
+                        <ArrowRight className="w-4 h-4" />
+                    </Button>
+                </Link>
+            </DismissableBanner>
+            <PendingSitesTable
+                sites={siteRows}
+                orgId={params.orgId}
+                rowCount={pagination.total}
+                pagination={{
+                    pageIndex: pagination.page - 1,
+                    pageSize: pagination.pageSize
+                }}
+            />
+        </>
     );
-}
\ No newline at end of file
+}
diff --git a/src/app/[orgId]/settings/sites/page.tsx b/src/app/[orgId]/settings/sites/page.tsx
index 5839ba2be..38083325b 100644
--- a/src/app/[orgId]/settings/sites/page.tsx
+++ b/src/app/[orgId]/settings/sites/page.tsx
@@ -18,7 +18,7 @@ export default async function SitesPage(props: SitesPageProps) {
     const params = await props.params;
 
     const searchParams = new URLSearchParams(await props.searchParams);
-    searchParams.set("status", "accepted");
+    searchParams.set("status", "approved");
 
     let sites: ListSitesResponse["sites"] = [];
     let pagination: ListSitesResponse["pagination"] = {
diff --git a/src/components/CreateSiteProvisioningKeyCredenza.tsx b/src/components/CreateSiteProvisioningKeyCredenza.tsx
index 3a1c7c372..f6b80a964 100644
--- a/src/components/CreateSiteProvisioningKeyCredenza.tsx
+++ b/src/components/CreateSiteProvisioningKeyCredenza.tsx
@@ -79,7 +79,8 @@ export default function CreateSiteProvisioningKeyCredenza({
                 .max(1_000_000, {
                     message: t("provisioningKeysMaxBatchSizeInvalid")
                 }),
-            validUntil: z.string().optional()
+            validUntil: z.string().optional(),
+            approveNewSites: z.boolean()
         })
         .superRefine((data, ctx) => {
             const v = data.validUntil;
@@ -103,7 +104,8 @@ export default function CreateSiteProvisioningKeyCredenza({
             name: "",
             unlimitedBatchSize: false,
             maxBatchSize: 100,
-            validUntil: ""
+            validUntil: "",
+            approveNewSites: true
         }
     });
 
@@ -114,7 +116,8 @@ export default function CreateSiteProvisioningKeyCredenza({
                 name: "",
                 unlimitedBatchSize: false,
                 maxBatchSize: 100,
-                validUntil: ""
+                validUntil: "",
+                approveNewSites: true
             });
         }
     }, [open, form]);
@@ -123,18 +126,21 @@ export default function CreateSiteProvisioningKeyCredenza({
         setLoading(true);
         try {
             const res = await api
-                .put<
-                    AxiosResponse<CreateSiteProvisioningKeyResponse>
-                >(`/org/${orgId}/site-provisioning-key`, {
-                    name: data.name,
-                    maxBatchSize: data.unlimitedBatchSize
-                        ? null
-                        : data.maxBatchSize,
-                    validUntil:
-                        data.validUntil == null || data.validUntil.trim() === ""
-                            ? undefined
-                            : data.validUntil
-                })
+                .put<AxiosResponse<CreateSiteProvisioningKeyResponse>>(
+                    `/org/${orgId}/site-provisioning-key`,
+                    {
+                        name: data.name,
+                        maxBatchSize: data.unlimitedBatchSize
+                            ? null
+                            : data.maxBatchSize,
+                        validUntil:
+                            data.validUntil == null ||
+                            data.validUntil.trim() === ""
+                                ? undefined
+                                : data.validUntil,
+                        approveNewSites: data.approveNewSites
+                    }
+                )
                 .catch((e) => {
                     toast({
                         variant: "destructive",
@@ -152,9 +158,7 @@ export default function CreateSiteProvisioningKeyCredenza({
         }
     }
 
-    const credential =
-        created &&
-        created.siteProvisioningKey;
+    const credential = created && created.siteProvisioningKey;
 
     const unlimitedBatchSize = form.watch("unlimitedBatchSize");
 
@@ -213,15 +217,12 @@ export default function CreateSiteProvisioningKeyCredenza({
                                                     min={1}
                                                     max={1_000_000}
                                                     autoComplete="off"
-                                                    disabled={
-                                                        unlimitedBatchSize
-                                                    }
+                                                    disabled={unlimitedBatchSize}
                                                     name={field.name}
                                                     ref={field.ref}
                                                     onBlur={field.onBlur}
                                                     onChange={(e) => {
-                                                        const v =
-                                                            e.target.value;
+                                                        const v = e.target.value;
                                                         field.onChange(
                                                             v === ""
                                                                 ? 100
@@ -269,9 +270,7 @@ export default function CreateSiteProvisioningKeyCredenza({
                                         const dateTimeValue: DateTimeValue =
                                             (() => {
                                                 if (!field.value) return {};
-                                                const d = new Date(
-                                                    field.value
-                                                );
+                                                const d = new Date(field.value);
                                                 if (isNaN(d.getTime()))
                                                     return {};
                                                 const hours = d
@@ -313,11 +312,7 @@ export default function CreateSiteProvisioningKeyCredenza({
                                                                 value.date
                                                             );
                                                             if (value.time) {
-                                                                const [
-                                                                    h,
-                                                                    m,
-                                                                    s
-                                                                ] =
+                                                                const [h, m, s] =
                                                                     value.time.split(
                                                                         ":"
                                                                     );
@@ -352,6 +347,40 @@ export default function CreateSiteProvisioningKeyCredenza({
                                         );
                                     }}
                                 />
+                                <FormField
+                                    control={form.control}
+                                    name="approveNewSites"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-row items-start gap-3 space-y-0">
+                                            <FormControl>
+                                                <Checkbox
+                                                    id="provisioning-approve-new-sites"
+                                                    checked={field.value}
+                                                    onCheckedChange={(c) =>
+                                                        field.onChange(
+                                                            c === true
+                                                        )
+                                                    }
+                                                />
+                                            </FormControl>
+                                            <div className="flex flex-col gap-1">
+                                                <FormLabel
+                                                    htmlFor="provisioning-approve-new-sites"
+                                                    className="cursor-pointer font-normal !mt-0"
+                                                >
+                                                    {t(
+                                                        "provisioningKeysApproveNewSites"
+                                                    )}
+                                                </FormLabel>
+                                                <FormDescription>
+                                                    {t(
+                                                        "provisioningKeysApproveNewSitesDescription"
+                                                    )}
+                                                </FormDescription>
+                                            </div>
+                                        </FormItem>
+                                    )}
+                                />
                             </form>
                         </Form>
                     )}
@@ -395,4 +424,4 @@ export default function CreateSiteProvisioningKeyCredenza({
             </CredenzaContent>
         </Credenza>
     );
-}
+}
\ No newline at end of file
diff --git a/src/components/EditSiteProvisioningKeyCredenza.tsx b/src/components/EditSiteProvisioningKeyCredenza.tsx
index 138190edc..e0e9cdde0 100644
--- a/src/components/EditSiteProvisioningKeyCredenza.tsx
+++ b/src/components/EditSiteProvisioningKeyCredenza.tsx
@@ -45,6 +45,7 @@ export type EditableSiteProvisioningKey = {
     name: string;
     maxBatchSize: number | null;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 type EditSiteProvisioningKeyCredenzaProps = {
@@ -76,7 +77,8 @@ export default function EditSiteProvisioningKeyCredenza({
                 .max(1_000_000, {
                     message: t("provisioningKeysMaxBatchSizeInvalid")
                 }),
-            validUntil: z.string().optional()
+            validUntil: z.string().optional(),
+            approveNewSites: z.boolean()
         })
         .superRefine((data, ctx) => {
             const v = data.validUntil;
@@ -100,7 +102,8 @@ export default function EditSiteProvisioningKeyCredenza({
             name: "",
             unlimitedBatchSize: false,
             maxBatchSize: 100,
-            validUntil: ""
+            validUntil: "",
+            approveNewSites: true
         }
     });
 
@@ -112,7 +115,8 @@ export default function EditSiteProvisioningKeyCredenza({
             name: provisioningKey.name,
             unlimitedBatchSize: provisioningKey.maxBatchSize == null,
             maxBatchSize: provisioningKey.maxBatchSize ?? 100,
-            validUntil: provisioningKey.validUntil ?? ""
+            validUntil: provisioningKey.validUntil ?? "",
+            approveNewSites: provisioningKey.approveNewSites
         });
     }, [open, provisioningKey, form]);
 
@@ -135,7 +139,8 @@ export default function EditSiteProvisioningKeyCredenza({
                             data.validUntil == null ||
                             data.validUntil.trim() === ""
                                 ? ""
-                                : data.validUntil
+                                : data.validUntil,
+                        approveNewSites: data.approveNewSites
                     }
                 )
                 .catch((e) => {
@@ -255,6 +260,38 @@ export default function EditSiteProvisioningKeyCredenza({
                                     </FormItem>
                                 )}
                             />
+                            <FormField
+                                control={form.control}
+                                name="approveNewSites"
+                                render={({ field }) => (
+                                    <FormItem className="flex flex-row items-start gap-3 space-y-0">
+                                        <FormControl>
+                                            <Checkbox
+                                                id="provisioning-edit-approve-new-sites"
+                                                checked={field.value}
+                                                onCheckedChange={(c) =>
+                                                    field.onChange(c === true)
+                                                }
+                                            />
+                                        </FormControl>
+                                        <div className="flex flex-col gap-1">
+                                            <FormLabel
+                                                htmlFor="provisioning-edit-approve-new-sites"
+                                                className="cursor-pointer font-normal !mt-0"
+                                            >
+                                                {t(
+                                                    "provisioningKeysApproveNewSites"
+                                                )}
+                                            </FormLabel>
+                                            <FormDescription>
+                                                {t(
+                                                    "provisioningKeysApproveNewSitesDescription"
+                                                )}
+                                            </FormDescription>
+                                        </div>
+                                    </FormItem>
+                                )}
+                            />
                             <FormField
                                 control={form.control}
                                 name="validUntil"
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index f9126a091..ae22c1bc1 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -93,7 +93,7 @@ export default function PendingSitesTable({
     async function approveSite(siteId: number) {
         setApprovingIds((prev) => new Set(prev).add(siteId));
         try {
-            await api.post(`/site/${siteId}`, { status: "accepted" });
+            await api.post(`/site/${siteId}`, { status: "approved" });
             toast({
                 title: t("success"),
                 description: t("siteApproveSuccess"),
@@ -437,4 +437,4 @@ export default function PendingSitesTable({
             stickyRightColumn="actions"
         />
     );
-}
\ No newline at end of file
+}

From 1e9544af0773307ed1fceae9730648cf86290270 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 20:29:31 -0700
Subject: [PATCH 073/122] Customize table a little more

---
 src/components/PendingSitesTable.tsx | 129 ++++++++++++++++-----------
 1 file changed, 77 insertions(+), 52 deletions(-)

diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index ae22c1bc1..2d1ac8769 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -2,6 +2,12 @@
 
 import { Badge } from "@app/components/ui/badge";
 import { Button } from "@app/components/ui/button";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger
+} from "@app/components/ui/dropdown-menu";
 import { InfoPopup } from "@app/components/ui/info-popup";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useNavigationContext } from "@app/hooks/useNavigationContext";
@@ -15,7 +21,8 @@ import {
     ArrowUp10Icon,
     ArrowUpRight,
     Check,
-    ChevronsUpDownIcon
+    ChevronsUpDownIcon,
+    MoreHorizontal
 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
@@ -93,7 +100,7 @@ export default function PendingSitesTable({
     async function approveSite(siteId: number) {
         setApprovingIds((prev) => new Set(prev).add(siteId));
         try {
-            await api.post(`/site/${siteId}`, { status: "approved" });
+            await api.post(`/site/${siteId}`, { status: "accepted" });
             toast({
                 title: t("success"),
                 description: t("siteApproveSuccess"),
@@ -201,56 +208,56 @@ export default function PendingSitesTable({
                 }
             }
         },
-        {
-            accessorKey: "mbIn",
-            friendlyName: t("dataIn"),
-            header: () => {
-                const dataInOrder = getSortDirection(
-                    "megabytesIn",
-                    searchParams
-                );
-                const Icon =
-                    dataInOrder === "asc"
-                        ? ArrowDown01Icon
-                        : dataInOrder === "desc"
-                          ? ArrowUp10Icon
-                          : ChevronsUpDownIcon;
-                return (
-                    <Button
-                        variant="ghost"
-                        onClick={() => toggleSort("megabytesIn")}
-                    >
-                        {t("dataIn")}
-                        <Icon className="ml-2 h-4 w-4" />
-                    </Button>
-                );
-            }
-        },
-        {
-            accessorKey: "mbOut",
-            friendlyName: t("dataOut"),
-            header: () => {
-                const dataOutOrder = getSortDirection(
-                    "megabytesOut",
-                    searchParams
-                );
-                const Icon =
-                    dataOutOrder === "asc"
-                        ? ArrowDown01Icon
-                        : dataOutOrder === "desc"
-                          ? ArrowUp10Icon
-                          : ChevronsUpDownIcon;
-                return (
-                    <Button
-                        variant="ghost"
-                        onClick={() => toggleSort("megabytesOut")}
-                    >
-                        {t("dataOut")}
-                        <Icon className="ml-2 h-4 w-4" />
-                    </Button>
-                );
-            }
-        },
+        // {
+        //     accessorKey: "mbIn",
+        //     friendlyName: t("dataIn"),
+        //     header: () => {
+        //         const dataInOrder = getSortDirection(
+        //             "megabytesIn",
+        //             searchParams
+        //         );
+        //         const Icon =
+        //             dataInOrder === "asc"
+        //                 ? ArrowDown01Icon
+        //                 : dataInOrder === "desc"
+        //                   ? ArrowUp10Icon
+        //                   : ChevronsUpDownIcon;
+        //         return (
+        //             <Button
+        //                 variant="ghost"
+        //                 onClick={() => toggleSort("megabytesIn")}
+        //             >
+        //                 {t("dataIn")}
+        //                 <Icon className="ml-2 h-4 w-4" />
+        //             </Button>
+        //         );
+        //     }
+        // },
+        // {
+        //     accessorKey: "mbOut",
+        //     friendlyName: t("dataOut"),
+        //     header: () => {
+        //         const dataOutOrder = getSortDirection(
+        //             "megabytesOut",
+        //             searchParams
+        //         );
+        //         const Icon =
+        //             dataOutOrder === "asc"
+        //                 ? ArrowDown01Icon
+        //                 : dataOutOrder === "desc"
+        //                   ? ArrowUp10Icon
+        //                   : ChevronsUpDownIcon;
+        //         return (
+        //             <Button
+        //                 variant="ghost"
+        //                 onClick={() => toggleSort("megabytesOut")}
+        //             >
+        //                 {t("dataOut")}
+        //                 <Icon className="ml-2 h-4 w-4" />
+        //             </Button>
+        //         );
+        //     }
+        // },
         {
             accessorKey: "type",
             friendlyName: t("type"),
@@ -375,6 +382,24 @@ export default function PendingSitesTable({
                 const isApproving = approvingIds.has(siteRow.id);
                 return (
                     <div className="flex items-center gap-2 justify-end">
+                        <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                                <Button variant="ghost" className="h-8 w-8 p-0">
+                                    <span className="sr-only">Open menu</span>
+                                    <MoreHorizontal className="h-4 w-4" />
+                                </Button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align="end">
+                                <Link
+                                    className="block w-full"
+                                    href={`/${siteRow.orgId}/settings/sites/${siteRow.nice}`}
+                                >
+                                    <DropdownMenuItem>
+                                        {t("viewSettings")}
+                                    </DropdownMenuItem>
+                                </Link>
+                            </DropdownMenuContent>
+                        </DropdownMenu>
                         <Button
                             variant="outline"
                             disabled={isApproving}

From c995c5a6748c7181930067097aec24094a95a324 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:02:09 -0700
Subject: [PATCH 074/122] Dont batch set on sqlite

---
 server/routers/gerbil/receiveBandwidth.ts | 44 ++++++++++++++++++-----
 1 file changed, 35 insertions(+), 9 deletions(-)

diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index 042c844aa..787b7b702 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -96,6 +96,14 @@ async function dbQueryRows<T extends Record<string, unknown>>(
     return (await anyDb.all(query)) as T[];
 }
 
+/**
+ * Returns true when the active database driver is SQLite (better-sqlite3).
+ * Used to select the appropriate bulk-update strategy.
+ */
+function isSQLite(): boolean {
+    return typeof (db as any).execute !== "function";
+}
+
 /**
  * Flush all accumulated site bandwidth data to the database.
  *
@@ -141,19 +149,37 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
         const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
         const chunkEnd = i + chunk.length - 1;
 
-        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
-        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
-        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
-        // in a single query instead of N individual round-trips.
-        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
-            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
-        );
-        const valuesClause = sql.join(valuesList, sql`, `);
-
         let rows: { orgId: string; pubKey: string }[] = [];
 
         try {
             rows = await withDeadlockRetry(async () => {
+                if (isSQLite()) {
+                    // SQLite: one UPDATE per row — no need for batch efficiency here.
+                    const results: { orgId: string; pubKey: string }[] = [];
+                    for (const [publicKey, { bytesIn, bytesOut }] of chunk) {
+                        const result = await dbQueryRows<{
+                            orgId: string;
+                            pubKey: string;
+                        }>(sql`
+                            UPDATE sites
+                            SET
+                                "bytesOut"            = COALESCE("bytesOut", 0) + ${bytesIn},
+                                "bytesIn"             = COALESCE("bytesIn", 0)  + ${bytesOut},
+                                "lastBandwidthUpdate" = ${currentTime}
+                            WHERE "pubKey" = ${publicKey}
+                            RETURNING "orgId", "pubKey"
+                        `);
+                        results.push(...result);
+                    }
+                    return results;
+                }
+
+                // PostgreSQL: batch UPDATE … FROM (VALUES …) — single round-trip per chunk.
+                const valuesList = chunk.map(
+                    ([publicKey, { bytesIn, bytesOut }]) =>
+                        sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
+                );
+                const valuesClause = sql.join(valuesList, sql`, `);
                 return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
                     UPDATE sites
                     SET

From caacd1e6778433eaeff5de113c82872f57fb0455 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:11:18 -0700
Subject: [PATCH 075/122] Remove rewrite if match is removed

---
 server/routers/target/updateTarget.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/routers/target/updateTarget.ts b/server/routers/target/updateTarget.ts
index dd31f5f1b..1f9eff716 100644
--- a/server/routers/target/updateTarget.ts
+++ b/server/routers/target/updateTarget.ts
@@ -188,6 +188,8 @@ export async function updateTarget(
             );
         }
 
+        const pathMatchTypeRemoved = parsedBody.data.pathMatchType === null;
+
         const [updatedTarget] = await db
             .update(targets)
             .set({
@@ -200,8 +202,8 @@ export async function updateTarget(
                 path: parsedBody.data.path,
                 pathMatchType: parsedBody.data.pathMatchType,
                 priority: parsedBody.data.priority,
-                rewritePath: parsedBody.data.rewritePath,
-                rewritePathType: parsedBody.data.rewritePathType
+                rewritePath: pathMatchTypeRemoved ? null : parsedBody.data.rewritePath,
+                rewritePathType: pathMatchTypeRemoved ? null : parsedBody.data.rewritePathType
             })
             .where(eq(targets.targetId, targetId))
             .returning();

From e0c96e722429831b7593eb997d03440852822b11 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:31:46 -0700
Subject: [PATCH 076/122] Configure connection log retention time

---
 messages/en-US.json                           |   2 +
 server/db/pg/schema/privateSchema.ts          |   1 +
 server/db/sqlite/schema/privateSchema.ts      |   1 +
 server/private/lib/logAccessAudit.ts          |   2 +
 .../routers/billing/featureLifecycle.ts       |  25 ++++
 server/private/routers/ssh/signSshKey.ts      |   2 +-
 server/routers/org/updateOrg.ts               |  20 ++-
 .../settings/general/security/page.tsx        | 115 +++++++++++++++++-
 8 files changed, 162 insertions(+), 6 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 7a3fde1d4..11c87f798 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2398,6 +2398,8 @@
     "logRetentionAccessDescription": "How long to retain access logs",
     "logRetentionActionLabel": "Action Log Retention",
     "logRetentionActionDescription": "How long to retain action logs",
+    "logRetentionConnectionLabel": "Connection Log Retention",
+    "logRetentionConnectionDescription": "How long to retain connection logs",
     "logRetentionDisabled": "Disabled",
     "logRetention3Days": "3 days",
     "logRetention7Days": "7 days",
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index bb1e866c4..1f0de4e7d 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -291,6 +291,7 @@ export const accessAuditLog = pgTable(
         actor: varchar("actor", { length: 255 }),
         actorId: varchar("actorId", { length: 255 }),
         resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
         ip: varchar("ip", { length: 45 }),
         type: varchar("type", { length: 100 }).notNull(),
         action: boolean("action").notNull(),
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 5913497b3..d651c1a38 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -279,6 +279,7 @@ export const accessAuditLog = sqliteTable(
         actor: text("actor"),
         actorId: text("actorId"),
         resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
         ip: text("ip"),
         location: text("location"),
         type: text("type").notNull(),
diff --git a/server/private/lib/logAccessAudit.ts b/server/private/lib/logAccessAudit.ts
index 91db548f7..e56490795 100644
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -74,6 +74,7 @@ export async function logAccessAudit(data: {
     type: string;
     orgId: string;
     resourceId?: number;
+    siteResourceId?: number;
     user?: { username: string; userId: string };
     apiKey?: { name: string | null; apiKeyId: string };
     metadata?: any;
@@ -134,6 +135,7 @@ export async function logAccessAudit(data: {
             type: data.type,
             metadata,
             resourceId: data.resourceId,
+            siteResourceId: data.siteResourceId,
             userAgent: data.userAgent,
             ip: clientIp,
             location: countryCode
diff --git a/server/private/routers/billing/featureLifecycle.ts b/server/private/routers/billing/featureLifecycle.ts
index f6f2d513a..d86e23cf0 100644
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -120,6 +120,18 @@ async function capRetentionDays(
         );
     }
 
+    // Cap action log retention if it exceeds the limit
+    if (
+        org.settingsLogRetentionDaysConnection !== null &&
+        org.settingsLogRetentionDaysConnection > maxRetentionDays
+    ) {
+        updates.settingsLogRetentionDaysConnection = maxRetentionDays;
+        needsUpdate = true;
+        logger.info(
+            `Capping connection log retention from ${org.settingsLogRetentionDaysConnection} to ${maxRetentionDays} days for org ${orgId}`
+        );
+    }
+
     // Apply updates if needed
     if (needsUpdate) {
         await db.update(orgs).set(updates).where(eq(orgs.orgId, orgId));
@@ -262,6 +274,10 @@ async function disableFeature(
                 await disableActionLogs(orgId);
                 break;
 
+            case TierFeature.ConnectionLogs:
+                await disableConnectionLogs(orgId);
+                break;
+
             case TierFeature.RotateCredentials:
                 await disableRotateCredentials(orgId);
                 break;
@@ -458,6 +474,15 @@ async function disableActionLogs(orgId: string): Promise<void> {
     logger.info(`Disabled action logs for org ${orgId}`);
 }
 
+async function disableConnectionLogs(orgId: string): Promise<void> {
+    await db
+        .update(orgs)
+        .set({ settingsLogRetentionDaysConnection: 0 })
+        .where(eq(orgs.orgId, orgId));
+
+    logger.info(`Disabled connection logs for org ${orgId}`);
+}
+
 async function disableRotateCredentials(orgId: string): Promise<void> {}
 
 async function disableMaintencePage(orgId: string): Promise<void> {
diff --git a/server/private/routers/ssh/signSshKey.ts b/server/private/routers/ssh/signSshKey.ts
index e8de55c54..b02d2b23c 100644
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -488,7 +488,7 @@ export async function signSshKey(
             action: true,
             type: "ssh",
             orgId: orgId,
-            resourceId: resource.siteResourceId,
+            siteResourceId: resource.siteResourceId,
             user: req.user
                 ? { username: req.user.username ?? "", userId: req.user.userId }
                 : undefined,
diff --git a/server/routers/org/updateOrg.ts b/server/routers/org/updateOrg.ts
index 5049ac1fa..4eca9a9a6 100644
--- a/server/routers/org/updateOrg.ts
+++ b/server/routers/org/updateOrg.ts
@@ -34,6 +34,10 @@ const updateOrgBodySchema = z
             .min(build === "saas" ? 0 : -1)
             .optional(),
         settingsLogRetentionDaysAction: z
+            .number()
+            .min(build === "saas" ? 0 : -1)
+            .optional(),
+        settingsLogRetentionDaysConnection: z
             .number()
             .min(build === "saas" ? 0 : -1)
             .optional()
@@ -164,6 +168,17 @@ export async function updateOrg(
                         )
                     );
                 }
+                if (
+                    parsedBody.data.settingsLogRetentionDaysConnection !== undefined &&
+                    parsedBody.data.settingsLogRetentionDaysConnection > maxRetentionDays
+                ) {
+                    return next(
+                        createHttpError(
+                            HttpCode.FORBIDDEN,
+                            `You are not allowed to set log retention days greater than ${maxRetentionDays} with your current subscription`
+                        )
+                    );
+                }
             }
         }
 
@@ -179,7 +194,9 @@ export async function updateOrg(
                 settingsLogRetentionDaysAccess:
                     parsedBody.data.settingsLogRetentionDaysAccess,
                 settingsLogRetentionDaysAction:
-                    parsedBody.data.settingsLogRetentionDaysAction
+                    parsedBody.data.settingsLogRetentionDaysAction,
+                settingsLogRetentionDaysConnection:
+                    parsedBody.data.settingsLogRetentionDaysConnection
             })
             .where(eq(orgs.orgId, orgId))
             .returning();
@@ -197,6 +214,7 @@ export async function updateOrg(
         await cache.del(`org_${orgId}_retentionDays`);
         await cache.del(`org_${orgId}_actionDays`);
         await cache.del(`org_${orgId}_accessDays`);
+        await cache.del(`org_${orgId}_connectionDays`);
 
         return response(res, {
             data: updatedOrg[0],
diff --git a/src/app/[orgId]/settings/general/security/page.tsx b/src/app/[orgId]/settings/general/security/page.tsx
index 2c51e9ecb..e7d0d85c8 100644
--- a/src/app/[orgId]/settings/general/security/page.tsx
+++ b/src/app/[orgId]/settings/general/security/page.tsx
@@ -79,7 +79,8 @@ const SecurityFormSchema = z.object({
     passwordExpiryDays: z.number().nullable().optional(),
     settingsLogRetentionDaysRequest: z.number(),
     settingsLogRetentionDaysAccess: z.number(),
-    settingsLogRetentionDaysAction: z.number()
+    settingsLogRetentionDaysAction: z.number(),
+    settingsLogRetentionDaysConnection: z.number()
 });
 
 const LOG_RETENTION_OPTIONS = [
@@ -120,7 +121,8 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
             SecurityFormSchema.pick({
                 settingsLogRetentionDaysRequest: true,
                 settingsLogRetentionDaysAccess: true,
-                settingsLogRetentionDaysAction: true
+                settingsLogRetentionDaysAction: true,
+                settingsLogRetentionDaysConnection: true
             })
         ),
         defaultValues: {
@@ -129,7 +131,9 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
             settingsLogRetentionDaysAccess:
                 org.settingsLogRetentionDaysAccess ?? 15,
             settingsLogRetentionDaysAction:
-                org.settingsLogRetentionDaysAction ?? 15
+                org.settingsLogRetentionDaysAction ?? 15,
+            settingsLogRetentionDaysConnection:
+                org.settingsLogRetentionDaysConnection ?? 15
         },
         mode: "onChange"
     });
@@ -155,7 +159,9 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
                 settingsLogRetentionDaysAccess:
                     data.settingsLogRetentionDaysAccess,
                 settingsLogRetentionDaysAction:
-                    data.settingsLogRetentionDaysAction
+                    data.settingsLogRetentionDaysAction,
+                settingsLogRetentionDaysConnection:
+                    data.settingsLogRetentionDaysConnection
             } as any;
 
             // Update organization
@@ -473,6 +479,107 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
                                             );
                                         }}
                                     />
+                                    <FormField
+                                        control={form.control}
+                                        name="settingsLogRetentionDaysConnection"
+                                        render={({ field }) => {
+                                            const isDisabled = !isPaidUser(
+                                                tierMatrix.connectionLogs
+                                            );
+
+                                            return (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t(
+                                                            "logRetentionConnectionLabel"
+                                                        )}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Select
+                                                            value={field.value.toString()}
+                                                            onValueChange={(
+                                                                value
+                                                            ) => {
+                                                                if (
+                                                                    !isDisabled
+                                                                ) {
+                                                                    field.onChange(
+                                                                        parseInt(
+                                                                            value,
+                                                                            10
+                                                                        )
+                                                                    );
+                                                                }
+                                                            }}
+                                                            disabled={
+                                                                isDisabled
+                                                            }
+                                                        >
+                                                            <SelectTrigger>
+                                                                <SelectValue
+                                                                    placeholder={t(
+                                                                        "selectLogRetention"
+                                                                    )}
+                                                                />
+                                                            </SelectTrigger>
+                                                            <SelectContent>
+                                                                {LOG_RETENTION_OPTIONS.filter(
+                                                                    (option) => {
+                                                                        if (build != "saas") {
+                                                                            return true;
+                                                                        }
+
+                                                                        let maxDays: number;
+
+                                                                        if (!subscriptionTier) {
+                                                                            // No tier
+                                                                            maxDays = 3;
+                                                                        } else if (subscriptionTier == "enterprise") {
+                                                                            // Enterprise - no limit
+                                                                            return true;
+                                                                        } else if (subscriptionTier == "tier3") {
+                                                                            maxDays = 90;
+                                                                        } else if (subscriptionTier == "tier2") {
+                                                                            maxDays = 30;
+                                                                        } else if (subscriptionTier == "tier1") {
+                                                                            maxDays = 7;
+                                                                        } else {
+                                                                            // Default to most restrictive
+                                                                            maxDays = 3;
+                                                                        }
+
+                                                                        // Filter out options that exceed the max
+                                                                        // Special values: -1 (forever) and 9001 (end of year) should be filtered
+                                                                        if (option.value < 0 || option.value > maxDays) {
+                                                                            return false;
+                                                                        }
+
+                                                                        return true;
+                                                                    }
+                                                                ).map(
+                                                                    (
+                                                                        option
+                                                                    ) => (
+                                                                        <SelectItem
+                                                                            key={
+                                                                                option.value
+                                                                            }
+                                                                            value={option.value.toString()}
+                                                                        >
+                                                                            {t(
+                                                                                option.label
+                                                                            )}
+                                                                        </SelectItem>
+                                                                    )
+                                                                )}
+                                                            </SelectContent>
+                                                        </Select>
+                                                    </FormControl>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            );
+                                        }}
+                                    />
                                 </>
                             )}
                         </form>

From 04943fb4a6dc7c4a8a83d082f3ed1fba221833e2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 11:58:48 -0700
Subject: [PATCH 077/122] Fix access log

---
 .../routers/auditLogs/queryAccessAuditLog.ts  | 124 ++++++++++++++----
 src/app/[orgId]/settings/logs/access/page.tsx |   6 +-
 2 files changed, 102 insertions(+), 28 deletions(-)

diff --git a/server/private/routers/auditLogs/queryAccessAuditLog.ts b/server/private/routers/auditLogs/queryAccessAuditLog.ts
index f0f45a826..f9951c1ab 100644
--- a/server/private/routers/auditLogs/queryAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/queryAccessAuditLog.ts
@@ -11,11 +11,11 @@
  * This file is not licensed under the AGPLv3.
  */
 
-import { accessAuditLog, logsDb, resources, db, primaryDb } from "@server/db";
+import { accessAuditLog, logsDb, resources, siteResources, db, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc, inArray, isNull } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -122,6 +122,7 @@ export function queryAccess(data: Q) {
             actorType: accessAuditLog.actorType,
             actorId: accessAuditLog.actorId,
             resourceId: accessAuditLog.resourceId,
+            siteResourceId: accessAuditLog.siteResourceId,
             ip: accessAuditLog.ip,
             location: accessAuditLog.location,
             userAgent: accessAuditLog.userAgent,
@@ -136,37 +137,73 @@ export function queryAccess(data: Q) {
 }
 
 async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
-    // If logs database is the same as main database, we can do a join
-    // Otherwise, we need to fetch resource details separately
     const resourceIds = logs
         .map(log => log.resourceId)
         .filter((id): id is number => id !== null && id !== undefined);
 
-    if (resourceIds.length === 0) {
+    const siteResourceIds = logs
+        .filter(log => log.resourceId == null && log.siteResourceId != null)
+        .map(log => log.siteResourceId)
+        .filter((id): id is number => id !== null && id !== undefined);
+
+    if (resourceIds.length === 0 && siteResourceIds.length === 0) {
         return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
     }
 
-    // Fetch resource details from main database
-    const resourceDetails = await primaryDb
-        .select({
-            resourceId: resources.resourceId,
-            name: resources.name,
-            niceId: resources.niceId
-        })
-        .from(resources)
-        .where(inArray(resources.resourceId, resourceIds));
+    const resourceMap = new Map<number, { name: string | null; niceId: string | null }>();
 
-    // Create a map for quick lookup
-    const resourceMap = new Map(
-        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
-    );
+    if (resourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                resourceId: resources.resourceId,
+                name: resources.name,
+                niceId: resources.niceId
+            })
+            .from(resources)
+            .where(inArray(resources.resourceId, resourceIds));
+
+        for (const r of resourceDetails) {
+            resourceMap.set(r.resourceId, { name: r.name, niceId: r.niceId });
+        }
+    }
+
+    const siteResourceMap = new Map<number, { name: string | null; niceId: string | null }>();
+
+    if (siteResourceIds.length > 0) {
+        const siteResourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name,
+                niceId: siteResources.niceId
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, siteResourceIds));
+
+        for (const r of siteResourceDetails) {
+            siteResourceMap.set(r.siteResourceId, { name: r.name, niceId: r.niceId });
+        }
+    }
 
     // Enrich logs with resource details
-    return logs.map(log => ({
-        ...log,
-        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
-        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
-    }));
+    return logs.map(log => {
+        if (log.resourceId != null) {
+            const details = resourceMap.get(log.resourceId);
+            return {
+                ...log,
+                resourceName: details?.name ?? null,
+                resourceNiceId: details?.niceId ?? null
+            };
+        } else if (log.siteResourceId != null) {
+            const details = siteResourceMap.get(log.siteResourceId);
+            return {
+                ...log,
+                resourceId: log.siteResourceId,
+                resourceName: details?.name ?? null,
+                resourceNiceId: details?.niceId ?? null
+            };
+        }
+        return { ...log, resourceName: null, resourceNiceId: null };
+    });
 }
 
 export function countAccessQuery(data: Q) {
@@ -212,11 +249,23 @@ async function queryUniqueFilterAttributes(
         .from(accessAuditLog)
         .where(baseConditions);
 
+    // Get unique siteResources (only for logs where resourceId is null)
+    const uniqueSiteResources = await logsDb
+        .selectDistinct({
+            id: accessAuditLog.siteResourceId
+        })
+        .from(accessAuditLog)
+        .where(and(baseConditions, isNull(accessAuditLog.resourceId)));
+
     // Fetch resource names from main database for the unique resource IDs
     const resourceIds = uniqueResources
         .map(row => row.id)
         .filter((id): id is number => id !== null);
 
+    const siteResourceIds = uniqueSiteResources
+        .map(row => row.id)
+        .filter((id): id is number => id !== null);
+
     let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
 
     if (resourceIds.length > 0) {
@@ -228,10 +277,31 @@ async function queryUniqueFilterAttributes(
             .from(resources)
             .where(inArray(resources.resourceId, resourceIds));
 
-        resourcesWithNames = resourceDetails.map(r => ({
-            id: r.resourceId,
-            name: r.name
-        }));
+        resourcesWithNames = [
+            ...resourcesWithNames,
+            ...resourceDetails.map(r => ({
+                id: r.resourceId,
+                name: r.name
+            }))
+        ];
+    }
+
+    if (siteResourceIds.length > 0) {
+        const siteResourceDetails = await primaryDb
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                name: siteResources.name
+            })
+            .from(siteResources)
+            .where(inArray(siteResources.siteResourceId, siteResourceIds));
+
+        resourcesWithNames = [
+            ...resourcesWithNames,
+            ...siteResourceDetails.map(r => ({
+                id: r.siteResourceId,
+                name: r.name
+            }))
+        ];
     }
 
     return {
diff --git a/src/app/[orgId]/settings/logs/access/page.tsx b/src/app/[orgId]/settings/logs/access/page.tsx
index dbb7b6708..a0f1b5386 100644
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -465,7 +465,11 @@ export default function GeneralPage() {
             cell: ({ row }) => {
                 return (
                     <Link
-                        href={`/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`}
+                        href={
+                            row.original.type === "ssh"
+                                ? `/${row.original.orgId}/settings/resources/client?query=${row.original.resourceNiceId}`
+                                : `/${row.original.orgId}/settings/resources/proxy/${row.original.resourceNiceId}`
+                        }
                     >
                         <Button
                             variant="outline"

From 073b89b355b3003ef8d93cd7f987962517110ce2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 14:18:10 -0700
Subject: [PATCH 078/122] make path the default

---
 .../[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
index 2b6a16870..a3a7e0197 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx
@@ -150,7 +150,7 @@ export default function ResourceRules(props: {
         resolver: zodResolver(addRuleSchema),
         defaultValues: {
             action: "ACCEPT",
-            match: "IP",
+            match: "PATH",
             value: ""
         }
     });

From cb6c47678b3b41dc89034af5353d5366d712ab5c Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 14:43:49 -0700
Subject: [PATCH 079/122] Add regions to blueprints

---
 server/lib/blueprints/proxyResources.ts |  5 +++++
 server/lib/blueprints/types.ts          | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/server/lib/blueprints/proxyResources.ts b/server/lib/blueprints/proxyResources.ts
index 2696b68c8..e16da2ea5 100644
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -31,6 +31,7 @@ import { pickPort } from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
+import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "../billing/tierMatrix";
 
@@ -863,6 +864,10 @@ function validateRule(rule: any) {
         if (!isValidUrlGlobPattern(rule.value)) {
             throw new Error(`Invalid URL glob pattern: ${rule.value}`);
         }
+    } else if (rule.match === "region") {
+        if (!isValidRegionId(rule.value)) {
+            throw new Error(`Invalid region ID provided: ${rule.value}`);
+        }
     }
 }
 
diff --git a/server/lib/blueprints/types.ts b/server/lib/blueprints/types.ts
index 2239e4f9a..6ebc509b8 100644
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { portRangeStringSchema } from "@server/lib/ip";
 import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
+import { isValidRegionId } from "@server/db/regions";
 
 export const SiteSchema = z.object({
     name: z.string().min(1).max(100),
@@ -77,7 +78,7 @@ export const AuthSchema = z.object({
 export const RuleSchema = z
     .object({
         action: z.enum(["allow", "deny", "pass"]),
-        match: z.enum(["cidr", "path", "ip", "country", "asn"]),
+        match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
         value: z.string(),
         priority: z.int().optional()
     })
@@ -137,6 +138,19 @@ export const RuleSchema = z
             message:
                 "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
         }
+    )
+    .refine(
+        (rule) => {
+            if (rule.match === "region") {
+                return isValidRegionId(rule.value);
+            }
+            return true;
+        },
+        {
+            path: ["value"],
+            message:
+                "Value must be a valid UN M.49 region or subregion ID when match is 'region'"
+        }
     );
 
 export const HeaderSchema = z.object({

From b01d2666290f36b9dc992b4c2c001c26fa58eda0 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 16:38:19 -0700
Subject: [PATCH 080/122] Migration 1.17 first pass

---
 server/setup/scriptsPg/1.17.0.ts     | 138 ++++++++++++++++++++++++++-
 server/setup/scriptsSqlite/1.17.0.ts | 119 ++++++++++++++++++++++-
 2 files changed, 251 insertions(+), 6 deletions(-)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index 81c42e1a9..d953b24fb 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -23,6 +23,66 @@ export default async function migration() {
     try {
         await db.execute(sql`BEGIN`);
 
+        await db.execute(sql`
+            CREATE TABLE "bannedEmails" (
+               	"email" varchar(255) PRIMARY KEY NOT NULL
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "bannedIps" (
+               	"ip" varchar(255) PRIMARY KEY NOT NULL
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "connectionAuditLog" (
+               	"id" serial PRIMARY KEY NOT NULL,
+               	"sessionId" text NOT NULL,
+               	"siteResourceId" integer,
+               	"orgId" text,
+               	"siteId" integer,
+               	"clientId" integer,
+               	"userId" text,
+               	"sourceAddr" text NOT NULL,
+               	"destAddr" text NOT NULL,
+               	"protocol" text NOT NULL,
+               	"startedAt" integer NOT NULL,
+               	"endedAt" integer,
+               	"bytesTx" integer,
+               	"bytesRx" integer
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "siteProvisioningKeyOrg" (
+               	"siteProvisioningKeyId" varchar(255) NOT NULL,
+               	"orgId" varchar(255) NOT NULL,
+               	CONSTRAINT "siteProvisioningKeyOrg_siteProvisioningKeyId_orgId_pk" PRIMARY KEY("siteProvisioningKeyId","orgId")
+            );
+        `);
+        await db.execute(sql`
+            CREATE TABLE "siteProvisioningKeys" (
+               	"siteProvisioningKeyId" varchar(255) PRIMARY KEY NOT NULL,
+               	"name" varchar(255) NOT NULL,
+               	"siteProvisioningKeyHash" text NOT NULL,
+               	"lastChars" varchar(4) NOT NULL,
+               	"dateCreated" varchar(255) NOT NULL,
+               	"lastUsed" varchar(255),
+               	"maxBatchSize" integer,
+               	"numUsed" integer DEFAULT 0 NOT NULL,
+               	"validUntil" varchar(255)
+            );
+        `);
+
+        await db.execute(sql`
+            CREATE TABLE "userInviteRoles" (
+               	"inviteId" varchar NOT NULL,
+               	"roleId" integer NOT NULL,
+               	CONSTRAINT "userInviteRoles_inviteId_roleId_pk" PRIMARY KEY("inviteId","roleId")
+            );
+        `);
+
         await db.execute(sql`
             CREATE TABLE "userOrgRoles" (
                	"userId" varchar NOT NULL,
@@ -31,12 +91,80 @@ export default async function migration() {
                	CONSTRAINT "userOrgRoles_userId_orgId_roleId_unique" UNIQUE("userId","orgId","roleId")
             );
         `);
-        await db.execute(sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`);
-        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`);
-        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`);
-        await db.execute(sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`);
+        await db.execute(
+            sql`ALTER TABLE "userOrgs" DROP CONSTRAINT "userOrgs_roleId_roles_roleId_fk";`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userOrgRoles" ADD CONSTRAINT "userOrgRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`
+        );
         await db.execute(sql`ALTER TABLE "userOrgs" DROP COLUMN "roleId";`);
 
+        await db.execute(
+            sql`ALTER TABLE "userInvites" DROP CONSTRAINT "userInvites_roleId_roles_roleId_fk";`
+        );
+        await db.execute(
+            sql`ALTER TABLE "accessAuditLog" ADD COLUMN "siteResourceId" integer;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "clientSitesAssociationsCache" ADD COLUMN "isJitMode" boolean DEFAULT false NOT NULL;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "domains" ADD COLUMN "errorMessage" text;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "orgs" ADD COLUMN "settingsLogRetentionDaysConnection" integer DEFAULT 0 NOT NULL;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "sites" ADD COLUMN "lastPing" integer;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "user" ADD COLUMN "marketingEmailConsent" boolean DEFAULT false;`
+        );
+        await db.execute(sql`ALTER TABLE "user" ADD COLUMN "locale" varchar;`);
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_siteResourceId_siteResources_siteResourceId_fk" FOREIGN KEY ("siteResourceId") REFERENCES "public"."siteResources"("siteResourceId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_siteId_sites_siteId_fk" FOREIGN KEY ("siteId") REFERENCES "public"."sites"("siteId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_clientId_clients_clientId_fk" FOREIGN KEY ("clientId") REFERENCES "public"."clients"("clientId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "connectionAuditLog" ADD CONSTRAINT "connectionAuditLog_userId_user_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "siteProvisioningKeyOrg" ADD CONSTRAINT "siteProvisioningKeyOrg_siteProvisioningKeyId_siteProvisioningKeys_siteProvisioningKeyId_fk" FOREIGN KEY ("siteProvisioningKeyId") REFERENCES "public"."siteProvisioningKeys"("siteProvisioningKeyId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "siteProvisioningKeyOrg" ADD CONSTRAINT "siteProvisioningKeyOrg_orgId_orgs_orgId_fk" FOREIGN KEY ("orgId") REFERENCES "public"."orgs"("orgId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userInviteRoles" ADD CONSTRAINT "userInviteRoles_inviteId_userInvites_inviteId_fk" FOREIGN KEY ("inviteId") REFERENCES "public"."userInvites"("inviteId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`ALTER TABLE "userInviteRoles" ADD CONSTRAINT "userInviteRoles_roleId_roles_roleId_fk" FOREIGN KEY ("roleId") REFERENCES "public"."roles"("roleId") ON DELETE cascade ON UPDATE no action;`
+        );
+        await db.execute(
+            sql`CREATE INDEX "idx_accessAuditLog_startedAt" ON "connectionAuditLog" USING btree ("startedAt");`
+        );
+        await db.execute(
+            sql`CREATE INDEX "idx_accessAuditLog_org_startedAt" ON "connectionAuditLog" USING btree ("orgId","startedAt");`
+        );
+        await db.execute(
+            sql`CREATE INDEX "idx_accessAuditLog_siteResourceId" ON "connectionAuditLog" USING btree ("siteResourceId");`
+        );
+        await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
+
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
     } catch (e) {
@@ -70,4 +198,4 @@ export default async function migration() {
     }
 
     console.log(`${version} migration complete`);
-}
\ No newline at end of file
+}
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index fe7d82de0..866eb8fe5 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -25,6 +25,77 @@ export default async function migration() {
         );
 
         db.transaction(() => {
+            db.prepare(
+                `
+                CREATE TABLE 'bannedEmails' (
+                   	'email' text PRIMARY KEY NOT NULL
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'bannedIps' (
+                   	'ip' text PRIMARY KEY NOT NULL
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'connectionAuditLog' (
+                   	'id' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+                   	'sessionId' text NOT NULL,
+                   	'siteResourceId' integer,
+                   	'orgId' text,
+                   	'siteId' integer,
+                   	'clientId' integer,
+                   	'userId' text,
+                   	'sourceAddr' text NOT NULL,
+                   	'destAddr' text NOT NULL,
+                   	'protocol' text NOT NULL,
+                   	'startedAt' integer NOT NULL,
+                   	'endedAt' integer,
+                   	'bytesTx' integer,
+                   	'bytesRx' integer,
+                   	FOREIGN KEY ('siteResourceId') REFERENCES 'siteResources'('siteResourceId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('siteId') REFERENCES 'sites'('siteId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('clientId') REFERENCES 'clients'('clientId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('userId') REFERENCES 'user'('id') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+
+            db.prepare(`CREATE INDEX 'idx_accessAuditLog_startedAt' ON 'connectionAuditLog' ('startedAt');`).run();
+            db.prepare(`CREATE INDEX 'idx_accessAuditLog_org_startedAt' ON 'connectionAuditLog' ('orgId','startedAt');`).run();
+            db.prepare(`CREATE INDEX 'idx_accessAuditLog_siteResourceId' ON 'connectionAuditLog' ('siteResourceId');`).run();
+
+            db.prepare(
+                `
+                CREATE TABLE 'siteProvisioningKeyOrg' (
+                   	'siteProvisioningKeyId' text NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	PRIMARY KEY('siteProvisioningKeyId', 'orgId'),
+                   	FOREIGN KEY ('siteProvisioningKeyId') REFERENCES 'siteProvisioningKeys'('siteProvisioningKeyId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'siteProvisioningKeys' (
+                   	'siteProvisioningKeyId' text PRIMARY KEY NOT NULL,
+                   	'name' text NOT NULL,
+                   	'siteProvisioningKeyHash' text NOT NULL,
+                   	'lastChars' text NOT NULL,
+                   	'dateCreated' text NOT NULL,
+                   	'lastUsed' text,
+                   	'maxBatchSize' integer,
+                   	'numUsed' integer DEFAULT 0 NOT NULL,
+                   	'validUntil' text
+                );
+            `
+            ).run();
+
             db.prepare(
                 `
                 CREATE TABLE 'userOrgRoles' (
@@ -63,6 +134,52 @@ export default async function migration() {
             db.prepare(
                 `ALTER TABLE '__new_userOrgs' RENAME TO 'userOrgs';`
             ).run();
+            db.prepare(
+                `
+                CREATE TABLE 'userInviteRoles' (
+                   	'inviteId' text NOT NULL,
+                   	'roleId' integer NOT NULL,
+                   	PRIMARY KEY('inviteId', 'roleId'),
+                   	FOREIGN KEY ('inviteId') REFERENCES 'userInvites'('inviteId') ON UPDATE no action ON DELETE cascade,
+                   	FOREIGN KEY ('roleId') REFERENCES 'roles'('roleId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `
+                CREATE TABLE '__new_userInvites' (
+                   	'inviteId' text PRIMARY KEY NOT NULL,
+                   	'orgId' text NOT NULL,
+                   	'email' text NOT NULL,
+                   	'expiresAt' integer NOT NULL,
+                   	'token' text NOT NULL,
+                   	FOREIGN KEY ('orgId') REFERENCES 'orgs'('orgId') ON UPDATE no action ON DELETE cascade
+                );
+            `
+            ).run();
+            db.prepare(
+                `INSERT INTO '__new_userInvites'("inviteId", "orgId", "email", "expiresAt", "token") SELECT "inviteId", "orgId", "email", "expiresAt", "token" FROM 'userInvites';`
+            ).run();
+            db.prepare(`DROP TABLE 'userInvites';`).run();
+            db.prepare(
+                `ALTER TABLE '__new_userInvites' RENAME TO 'userInvites';`
+            ).run();
+
+            db.prepare(
+                `ALTER TABLE 'accessAuditLog' ADD 'siteResourceId' integer;`
+            ).run();
+            db.prepare(
+                `ALTER TABLE 'clientSitesAssociationsCache' ADD 'isJitMode' integer DEFAULT false NOT NULL;`
+            ).run();
+            db.prepare(`ALTER TABLE 'domains' ADD 'errorMessage' text;`).run();
+            db.prepare(
+                `ALTER TABLE 'orgs' ADD 'settingsLogRetentionDaysConnection' integer DEFAULT 0 NOT NULL;`
+            ).run();
+            db.prepare(`ALTER TABLE 'sites' ADD 'lastPing' integer;`).run();
+            db.prepare(
+                `ALTER TABLE 'user' ADD 'marketingEmailConsent' integer DEFAULT false;`
+            ).run();
+            db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
         })();
 
         db.pragma("foreign_keys = ON");
@@ -93,4 +210,4 @@ export default async function migration() {
     }
 
     console.log(`${version} migration complete`);
-}
\ No newline at end of file
+}

From 6484e8e3027a901f883636d870ecd7638ccc5f90 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 29 Mar 2026 22:02:19 -0700
Subject: [PATCH 081/122] Make work for demo

---
 server/lib/consts.ts                                  | 2 +-
 server/middlewares/verifySiteProvisioningKeyAccess.ts | 8 ++++++--
 server/private/cleanup.ts                             | 2 +-
 server/private/routers/ws/messageHandlers.ts          | 2 +-
 src/app/[orgId]/settings/provisioning/keys/page.tsx   | 3 ++-
 src/components/PendingSitesTable.tsx                  | 2 +-
 src/components/SiteProvisioningKeysTable.tsx          | 1 +
 7 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/server/lib/consts.ts b/server/lib/consts.ts
index d53bd70bb..8ad4f48e9 100644
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";
 
 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.16.0";
+export const APP_VERSION = "1.17.0";
 
 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
diff --git a/server/middlewares/verifySiteProvisioningKeyAccess.ts b/server/middlewares/verifySiteProvisioningKeyAccess.ts
index e0d446de6..bdf12c821 100644
--- a/server/middlewares/verifySiteProvisioningKeyAccess.ts
+++ b/server/middlewares/verifySiteProvisioningKeyAccess.ts
@@ -4,6 +4,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifySiteProvisioningKeyAccess(
     req: Request,
@@ -116,8 +117,11 @@ export async function verifySiteProvisioningKeyAccess(
             }
         }
 
-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            row.siteProvisioningKeyOrg.orgId
+        );
+        req.userOrgId = row.siteProvisioningKeyOrg.orgId;
 
         return next();
     } catch (error) {
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index 17d823491..f8032eb3b 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -14,7 +14,7 @@
 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
-import { flushConnectionLogToDb } from "#dynamic/routers/newt";
+import { flushConnectionLogToDb } from "#private/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 
diff --git a/server/private/routers/ws/messageHandlers.ts b/server/private/routers/ws/messageHandlers.ts
index a3c9c5bdb..5021cb966 100644
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -18,7 +18,7 @@ import {
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
-import { handleConnectionLogMessage } from "#dynamic/routers/newt";
+import { handleConnectionLogMessage } from "#private/routers/newt";
 
 export const messageHandlers: Record<string, MessageHandler> = {
     "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
index 021bb97b7..9637b03b3 100644
--- a/src/app/[orgId]/settings/provisioning/keys/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -45,7 +45,8 @@ export default async function ProvisioningKeysPage(
         lastUsed: k.lastUsed,
         maxBatchSize: k.maxBatchSize,
         numUsed: k.numUsed,
-        validUntil: k.validUntil
+        validUntil: k.validUntil,
+        approveNewSites: k.approveNewSites
     }));
 
     return (
diff --git a/src/components/PendingSitesTable.tsx b/src/components/PendingSitesTable.tsx
index 2d1ac8769..64417da7b 100644
--- a/src/components/PendingSitesTable.tsx
+++ b/src/components/PendingSitesTable.tsx
@@ -100,7 +100,7 @@ export default function PendingSitesTable({
     async function approveSite(siteId: number) {
         setApprovingIds((prev) => new Set(prev).add(siteId));
         try {
-            await api.post(`/site/${siteId}`, { status: "accepted" });
+            await api.post(`/site/${siteId}`, { status: "approved" });
             toast({
                 title: t("success"),
                 description: t("siteApproveSuccess"),
diff --git a/src/components/SiteProvisioningKeysTable.tsx b/src/components/SiteProvisioningKeysTable.tsx
index df7fd241c..fafbe725e 100644
--- a/src/components/SiteProvisioningKeysTable.tsx
+++ b/src/components/SiteProvisioningKeysTable.tsx
@@ -36,6 +36,7 @@ export type SiteProvisioningKeyRow = {
     maxBatchSize: number | null;
     numUsed: number;
     validUntil: string | null;
+    approveNewSites: boolean;
 };
 
 type SiteProvisioningKeysTableProps = {

From a651e507598940303fbd375a824135c343abe944 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 16:59:05 -0700
Subject: [PATCH 082/122] Fix merge from main

---
 server/routers/newt/handleGetConfigMessage.ts | 24 -------------------
 1 file changed, 24 deletions(-)

diff --git a/server/routers/newt/handleGetConfigMessage.ts b/server/routers/newt/handleGetConfigMessage.ts
index 23d95b61e..fced51818 100644
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -9,17 +9,6 @@ import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
 import { convertTargetsIfNessicary } from "../client/targets";
 import { canCompress } from "@server/lib/clientVersionChecks";
 
-<<<<<<< HEAD
-const inputSchema = z.object({
-    publicKey: z.string(),
-    port: z.int().positive(),
-    chainId: z.string()
-});
-
-type Input = z.infer<typeof inputSchema>;
-
-=======
->>>>>>> main
 export const handleGetConfigMessage: MessageHandler = async (context) => {
     const { message, client, sendToClient } = context;
     const newt = client as Newt;
@@ -38,20 +27,7 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         return;
     }
 
-<<<<<<< HEAD
-    const parsed = inputSchema.safeParse(message.data);
-    if (!parsed.success) {
-        logger.error(
-            "handleGetConfigMessage: Invalid input: " +
-                fromError(parsed.error).toString()
-        );
-        return;
-    }
-
-    const { publicKey, port, chainId } = message.data as Input;
-=======
     const { publicKey, port, chainId } = message.data;
->>>>>>> main
     const siteId = newt.siteId;
 
     // Get the current site data

From 673b8b7af5b03b51fbd0f90ff106eba88bd246c2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 17:03:12 -0700
Subject: [PATCH 083/122] Add userInviteRoles migration

---
 server/setup/scriptsPg/1.17.0.ts     | 36 ++++++++++++++++++++++++++++
 server/setup/scriptsSqlite/1.17.0.ts | 30 +++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index d953b24fb..c0489956f 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -20,6 +20,19 @@ export default async function migration() {
         `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
     );
 
+    // Query existing roleId data from userInvites before the transaction destroys it
+    const existingInviteRolesQuery = await db.execute(
+        sql`SELECT "inviteId", "roleId" FROM "userInvites" WHERE "roleId" IS NOT NULL`
+    );
+    const existingUserInviteRoles = existingInviteRolesQuery.rows as {
+        inviteId: string;
+        roleId: number;
+    }[];
+
+    console.log(
+        `Found ${existingUserInviteRoles.length} existing userInvites role assignment(s) to migrate`
+    );
+
     try {
         await db.execute(sql`BEGIN`);
 
@@ -174,6 +187,29 @@ export default async function migration() {
         throw e;
     }
 
+    // Re-insert the preserved invite role assignments into the new userInviteRoles table
+    if (existingUserInviteRoles.length > 0) {
+        try {
+            for (const row of existingUserInviteRoles) {
+                await db.execute(sql`
+                    INSERT INTO "userInviteRoles" ("inviteId", "roleId")
+                    VALUES (${row.inviteId}, ${row.roleId})
+                    ON CONFLICT DO NOTHING
+                `);
+            }
+
+            console.log(
+                `Migrated ${existingUserInviteRoles.length} role assignment(s) into userInviteRoles`
+            );
+        } catch (e) {
+            console.error(
+                "Error while migrating role assignments into userInviteRoles:",
+                e
+            );
+            throw e;
+        }
+    }
+
     // Re-insert the preserved role assignments into the new userOrgRoles table
     if (existingUserOrgRoles.length > 0) {
         try {
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 866eb8fe5..10cc0973d 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -24,6 +24,17 @@ export default async function migration() {
             `Found ${existingUserOrgRoles.length} existing userOrgs role assignment(s) to migrate`
         );
 
+        // Query existing roleId data from userInvites before the transaction destroys it
+        const existingUserInviteRoles = db
+            .prepare(
+                `SELECT "inviteId", "roleId" FROM 'userInvites' WHERE "roleId" IS NOT NULL`
+            )
+            .all() as { inviteId: string; roleId: number }[];
+
+        console.log(
+            `Found ${existingUserInviteRoles.length} existing userInvites role assignment(s) to migrate`
+        );
+
         db.transaction(() => {
             db.prepare(
                 `
@@ -184,6 +195,25 @@ export default async function migration() {
 
         db.pragma("foreign_keys = ON");
 
+        // Re-insert the preserved invite role assignments into the new userInviteRoles table
+        if (existingUserInviteRoles.length > 0) {
+            const insertUserInviteRole = db.prepare(
+                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId") VALUES (?, ?)`
+            );
+
+            const insertAll = db.transaction(() => {
+                for (const row of existingUserInviteRoles) {
+                    insertUserInviteRole.run(row.inviteId, row.roleId);
+                }
+            });
+
+            insertAll();
+
+            console.log(
+                `Migrated ${existingUserInviteRoles.length} role assignment(s) into userInviteRoles`
+            );
+        }
+
         // Re-insert the preserved role assignments into the new userOrgRoles table
         if (existingUserOrgRoles.length > 0) {
             const insertUserOrgRole = db.prepare(

From b8d7d5c910b903c69976fca9ab6e9779ae843288 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 17:18:38 -0700
Subject: [PATCH 084/122] Add name to provisioning

---
 server/routers/newt/registerNewt.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/routers/newt/registerNewt.ts b/server/routers/newt/registerNewt.ts
index 6ad7c30a8..954acca92 100644
--- a/server/routers/newt/registerNewt.ts
+++ b/server/routers/newt/registerNewt.ts
@@ -30,7 +30,8 @@ import { INSPECT_MAX_BYTES } from "buffer";
 import { v } from "@faker-js/faker/dist/airline-Dz1uGqgJ";
 
 const bodySchema = z.object({
-    provisioningKey: z.string().nonempty()
+    provisioningKey: z.string().nonempty(),
+    name: z.string().optional()
 });
 
 export type RegisterNewtBody = z.infer<typeof bodySchema>;
@@ -56,7 +57,7 @@ export async function registerNewt(
             );
         }
 
-        const { provisioningKey } = parsedBody.data;
+        const { provisioningKey, name } = parsedBody.data;
 
         // Keys are in the format "siteProvisioningKeyId.secret"
         const dotIndex = provisioningKey.indexOf(".");
@@ -194,7 +195,7 @@ export async function registerNewt(
                 .insert(sites)
                 .values({
                     orgId,
-                    name: niceId,
+                    name: name || niceId,
                     niceId,
                     type: "newt",
                     dockerSocketEnabled: true,

From 3ed72dd96b58eb5ada726d2864b3041b7c4bdd11 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 18:16:22 -0700
Subject: [PATCH 085/122] Add missing colums to migrations

---
 server/setup/scriptsPg/1.17.0.ts     | 2 ++
 server/setup/scriptsSqlite/1.17.0.ts | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index c0489956f..09d09261c 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -177,6 +177,8 @@ export default async function migration() {
             sql`CREATE INDEX "idx_accessAuditLog_siteResourceId" ON "connectionAuditLog" USING btree ("siteResourceId");`
         );
         await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
+        await db.execute(sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`);
+        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar;`);
 
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index 10cc0973d..b6515510f 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -191,6 +191,8 @@ export default async function migration() {
                 `ALTER TABLE 'user' ADD 'marketingEmailConsent' integer DEFAULT false;`
             ).run();
             db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
+            db.prepare(`ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`).run();
+            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text;`).run();
         })();
 
         db.pragma("foreign_keys = ON");

From 5e0e4f145214ae8dc1c53cff38c61817f2d45af9 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 20:16:35 -0700
Subject: [PATCH 086/122] Update book a demo

---
 messages/en-US.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 768796c12..6a137e2ba 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2463,8 +2463,8 @@
     "sourceAddress": "Source Address",
     "destinationAddress": "Destination Address",
     "duration": "Duration",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
     "certResolver": "Certificate Resolver",
     "certResolverDescription": "Select the certificate resolver to use for this resource.",
     "selectCertResolver": "Select Certificate Resolver",

From ca0dd09964fad0884aa6ceb24dac43fcac9b2400 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 20:35:00 -0700
Subject: [PATCH 087/122] Add crud

---
 server/auth/actions.ts                        |   6 +-
 server/db/pg/schema/privateSchema.ts          |  31 ++++
 server/db/sqlite/schema/privateSchema.ts      |  40 ++++-
 .../createEventStreamingDestination.ts        | 124 +++++++++++++++
 .../deleteEventStreamingDestination.ts        | 103 +++++++++++++
 .../eventStreamingDestination/index.ts        |  17 +++
 .../listEventStreamingDestinations.ts         | 144 ++++++++++++++++++
 .../updateEventStreamingDestination.ts        | 141 +++++++++++++++++
 server/private/routers/external.ts            |  38 +++++
 9 files changed, 642 insertions(+), 2 deletions(-)
 create mode 100644 server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
 create mode 100644 server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
 create mode 100644 server/private/routers/eventStreamingDestination/index.ts
 create mode 100644 server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
 create mode 100644 server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts

diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index fc5daa4f8..213dab9d3 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -140,7 +140,11 @@ export enum ActionsEnum {
     exportLogs = "exportLogs",
     listApprovals = "listApprovals",
     updateApprovals = "updateApprovals",
-    signSshKey = "signSshKey"
+    signSshKey = "signSshKey",
+    createEventStreamingDestination = "createEventStreamingDestination",
+    updateEventStreamingDestination = "updateEventStreamingDestination",
+    deleteEventStreamingDestination = "deleteEventStreamingDestination",
+    listEventStreamingDestinations = "listEventStreamingDestinations"
 }
 
 export async function checkUserActionPermission(
diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index 9d5955d51..1b031636f 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -417,6 +417,25 @@ export const siteProvisioningKeyOrg = pgTable(
     ]
 );
 
+export const eventStreamingDestinations = pgTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: serial("destinationId").primaryKey(),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: boolean("sendConnectionLogs").notNull().default(false),
+        sendRequestLogs: boolean("sendRequestLogs").notNull().default(false),
+        sendActionLogs: boolean("sendActionLogs").notNull().default(false),
+        sendAccessLogs: boolean("sendAccessLogs").notNull().default(false),
+        type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: boolean("enabled").notNull().default(true),
+        createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+        updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
+    }
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -439,3 +458,15 @@ export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type SessionTransferToken = InferSelectModel<
+    typeof sessionTransferToken
+>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type SiteProvisioningKeyOrg = InferSelectModel<
+    typeof siteProvisioningKeyOrg
+>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 809c0c45d..9bb994266 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -7,7 +7,16 @@ import {
     sqliteTable,
     text
 } from "drizzle-orm/sqlite-core";
-import { clients, domains, exitNodes, orgs, sessions, siteResources, sites, users } from "./schema";
+import {
+    clients,
+    domains,
+    exitNodes,
+    orgs,
+    sessions,
+    siteResources,
+    sites,
+    users
+} from "./schema";
 
 export const certificates = sqliteTable("certificates", {
     certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -401,6 +410,29 @@ export const siteProvisioningKeyOrg = sqliteTable(
     ]
 );
 
+export const eventStreamingDestinations = sqliteTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: integer("destinationId").primaryKey({
+            autoIncrement: true
+        }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: integer("sendConnectionLogs", { mode: "boolean" }).notNull().default(false),
+        sendRequestLogs: integer("sendRequestLogs", { mode: "boolean" }).notNull().default(false),
+        sendActionLogs: integer("sendActionLogs", { mode: "boolean" }).notNull().default(false),
+        sendAccessLogs: integer("sendAccessLogs", { mode: "boolean" }).notNull().default(false),
+        type: text("type").notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: integer("enabled", { mode: "boolean" })
+            .notNull()
+            .default(true),
+        createdAt: integer("createdAt").notNull(),
+        updatedAt: integer("updatedAt").notNull()
+    }
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -423,3 +455,9 @@ export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
diff --git a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
new file mode 100644
index 000000000..1c9de788a
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -0,0 +1,124 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z.strictObject({
+    type: z.string().nonempty(),
+    config: z.string().nonempty(),
+    enabled: z.boolean().optional().default(true),
+    sendConnectionLogs: z.boolean().optional().default(false),
+    sendRequestLogs: z.boolean().optional().default(false),
+    sendActionLogs: z.boolean().optional().default(false),
+    sendAccessLogs: z.boolean().optional().default(false)
+});
+
+export type CreateEventStreamingDestinationResponse = {
+    destinationId: number;
+};
+
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/event-streaming-destination",
+    description: "Create an event streaming destination for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function createEventStreamingDestination(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { type, config, enabled } = parsedBody.data;
+
+        const now = Date.now();
+
+        const [destination] = await db
+            .insert(eventStreamingDestinations)
+            .values({
+                orgId,
+                type,
+                config,
+                enabled,
+                createdAt: now,
+                updatedAt: now,
+                sendAccessLogs: parsedBody.data.sendAccessLogs,
+                sendActionLogs: parsedBody.data.sendActionLogs,
+                sendConnectionLogs: parsedBody.data.sendConnectionLogs,
+                sendRequestLogs: parsedBody.data.sendRequestLogs
+            })
+            .returning();
+
+        return response<CreateEventStreamingDestinationResponse>(res, {
+            data: {
+                destinationId: destination.destinationId
+            },
+            success: true,
+            error: false,
+            message: "Event streaming destination created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
new file mode 100644
index 000000000..d93bc4405
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
@@ -0,0 +1,103 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { and, eq } from "drizzle-orm";
+
+const paramsSchema = z
+    .object({
+        orgId: z.string().nonempty(),
+        destinationId: z.coerce.number<number>()
+    })
+    .strict();
+
+registry.registerPath({
+    method: "delete",
+    path: "/org/{orgId}/event-streaming-destination/{destinationId}",
+    description: "Delete an event streaming destination for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function deleteEventStreamingDestination(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, destinationId } = parsedParams.data;
+
+        const [existing] = await db
+            .select()
+            .from(eventStreamingDestinations)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Event streaming destination not found"
+                )
+            );
+        }
+
+        await db
+            .delete(eventStreamingDestinations)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+        return response<null>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Event streaming destination deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/eventStreamingDestination/index.ts b/server/private/routers/eventStreamingDestination/index.ts
new file mode 100644
index 000000000..595e9595b
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/index.ts
@@ -0,0 +1,17 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createEventStreamingDestination";
+export * from "./updateEventStreamingDestination";
+export * from "./deleteEventStreamingDestination";
+export * from "./listEventStreamingDestinations";
\ No newline at end of file
diff --git a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
new file mode 100644
index 000000000..b3f5ff149
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -0,0 +1,144 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { eq, sql } from "drizzle-orm";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty()
+});
+
+const querySchema = z.strictObject({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative())
+});
+
+export type ListEventStreamingDestinationsResponse = {
+    destinations: {
+        destinationId: number;
+        orgId: string;
+        type: string;
+        config: string;
+        enabled: boolean;
+        createdAt: number;
+        updatedAt: number;
+        sendConnectionLogs: boolean;
+        sendRequestLogs: boolean;
+        sendActionLogs: boolean;
+        sendAccessLogs: boolean;
+    }[];
+    pagination: {
+        total: number;
+        limit: number;
+        offset: number;
+    };
+};
+
+async function query(orgId: string, limit: number, offset: number) {
+    const res = await db
+        .select()
+        .from(eventStreamingDestinations)
+        .where(eq(eventStreamingDestinations.orgId, orgId))
+        .orderBy(sql`${eventStreamingDestinations.createdAt} DESC`)
+        .limit(limit)
+        .offset(offset);
+    return res;
+}
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/event-streaming-destination",
+    description: "List all event streaming destinations for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        query: querySchema,
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function listEventStreamingDestinations(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+        const { orgId } = parsedParams.data;
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+        const { limit, offset } = parsedQuery.data;
+
+        const list = await query(orgId, limit, offset);
+
+        const [{ count }] = await db
+            .select({ count: sql<number>`count(*)` })
+            .from(eventStreamingDestinations)
+            .where(eq(eventStreamingDestinations.orgId, orgId));
+
+        return response<ListEventStreamingDestinationsResponse>(res, {
+            data: {
+                destinations: list,
+                pagination: {
+                    total: count,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Event streaming destinations retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
new file mode 100644
index 000000000..1ad8f0081
--- /dev/null
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -0,0 +1,141 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { eventStreamingDestinations } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { and, eq } from "drizzle-orm";
+import { parse } from "zod/v4/core";
+
+const paramsSchema = z
+    .object({
+        orgId: z.string().nonempty(),
+        destinationId: z.coerce.number<number>()
+    })
+    .strict();
+
+const bodySchema = z.strictObject({
+    type: z.string().optional(),
+    config: z.string().optional(),
+    enabled: z.boolean().optional(),
+    sendConnectionLogs: z.boolean().optional().default(false),
+    sendRequestLogs: z.boolean().optional().default(false),
+    sendActionLogs: z.boolean().optional().default(false),
+    sendAccessLogs: z.boolean().optional().default(false)
+});
+
+export type UpdateEventStreamingDestinationResponse = {
+    destinationId: number;
+};
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/event-streaming-destination/{destinationId}",
+    description: "Update an event streaming destination for a specific organization.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function updateEventStreamingDestination(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, destinationId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const [existing] = await db
+            .select()
+            .from(eventStreamingDestinations)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Event streaming destination not found"
+                )
+            );
+        }
+
+        const updateData = parsedBody.data;
+
+        await db
+            .update(eventStreamingDestinations)
+            .set(updateData)
+            .where(
+                and(
+                    eq(eventStreamingDestinations.destinationId, destinationId),
+                    eq(eventStreamingDestinations.orgId, orgId)
+                )
+            );
+
+
+        return response<UpdateEventStreamingDestinationResponse>(res, {
+            data: {
+                destinationId
+            },
+            success: true,
+            error: false,
+            message: "Event streaming destination updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index 412895a41..41a4919a0 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -28,6 +28,7 @@ import * as approval from "#private/routers/approvals";
 import * as ssh from "#private/routers/ssh";
 import * as user from "#private/routers/user";
 import * as siteProvisioning from "#private/routers/siteProvisioning";
+import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 
 import {
     verifyOrgAccess,
@@ -615,3 +616,40 @@ authenticated.patch(
     logActionAudit(ActionsEnum.updateSiteProvisioningKey),
     siteProvisioning.updateSiteProvisioningKey
 );
+
+authenticated.put(
+    "/org/:orgId/event-streaming-destination",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createEventStreamingDestination),
+    logActionAudit(ActionsEnum.createEventStreamingDestination),
+    eventStreamingDestination.createEventStreamingDestination
+);
+
+authenticated.post(
+    "/org/:orgId/event-streaming-destination/:destinationId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.updateEventStreamingDestination),
+    logActionAudit(ActionsEnum.updateEventStreamingDestination),
+    eventStreamingDestination.updateEventStreamingDestination
+);
+
+authenticated.delete(
+    "/org/:orgId/event-streaming-destination/:destinationId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteEventStreamingDestination),
+    logActionAudit(ActionsEnum.deleteEventStreamingDestination),
+    eventStreamingDestination.deleteEventStreamingDestination
+);
+
+authenticated.get(
+    "/org/:orgId/event-streaming-destinations",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listEventStreamingDestinations),
+    eventStreamingDestination.listEventStreamingDestinations
+);

From 5150a2c3862a32bac29d229cff33c869495f165e Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:00:05 -0700
Subject: [PATCH 088/122] Basic ui done

---
 messages/en-US.json                           |   1 +
 server/lib/billing/tierMatrix.ts              |   6 +-
 server/private/routers/external.ts            |   1 -
 .../[orgId]/settings/logs/streaming/page.tsx  | 861 ++++++++++++++++++
 src/app/navigation.tsx                        |   6 +
 5 files changed, 872 insertions(+), 3 deletions(-)
 create mode 100644 src/app/[orgId]/settings/logs/streaming/page.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 6a137e2ba..e8c7cb47d 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2460,6 +2460,7 @@
     "connectionLogs": "Connection Logs",
     "connectionLogsDescription": "View connection logs for tunnels in this organization",
     "sidebarLogsConnection": "Connection Logs",
+    "sidebarLogsStreaming": "Streaming",
     "sourceAddress": "Source Address",
     "destinationAddress": "Destination Address",
     "duration": "Duration",
diff --git a/server/lib/billing/tierMatrix.ts b/server/lib/billing/tierMatrix.ts
index 2aa38e1ef..c76dcd95b 100644
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -18,7 +18,8 @@ export enum TierFeature {
     AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
     SshPam = "sshPam",
     FullRbac = "fullRbac",
-    SiteProvisioningKeys = "siteProvisioningKeys" // handle downgrade by revoking keys if needed
+    SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
+    SIEM = "siem" // handle downgrade by disabling SIEM integrations
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -54,5 +55,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
     [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
     [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
     [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
-    [TierFeature.SiteProvisioningKeys]: ["enterprise"]
+    [TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
+    [TierFeature.SIEM]: ["enterprise"]
 };
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index 41a4919a0..4410a44c8 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -648,7 +648,6 @@ authenticated.delete(
 
 authenticated.get(
     "/org/:orgId/event-streaming-destinations",
-    verifyValidLicense,
     verifyOrgAccess,
     verifyUserHasAction(ActionsEnum.listEventStreamingDestinations),
     eventStreamingDestination.listEventStreamingDestinations
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
new file mode 100644
index 000000000..265001e8e
--- /dev/null
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -0,0 +1,861 @@
+"use client";
+
+import { useState, useEffect, useCallback } from "react";
+import { useParams } from "next/navigation";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { Label } from "@app/components/ui/label";
+import { Switch } from "@app/components/ui/switch";
+import {
+    Tabs,
+    TabsContent,
+    TabsList,
+    TabsTrigger
+} from "@app/components/ui/tabs";
+import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
+import { Textarea } from "@app/components/ui/textarea";
+import { Globe, Plus, Pencil, Trash2, X } from "lucide-react";
+import { AxiosResponse } from "axios";
+import { build } from "@server/build";
+
+// ── Types ──────────────────────────────────────────────────────────────────────
+
+type AuthType = "none" | "bearer" | "basic" | "custom";
+
+interface HttpConfig {
+    name: string;
+    url: string;
+    authType: AuthType;
+    bearerToken?: string;
+    basicCredentials?: string;
+    customHeaderName?: string;
+    customHeaderValue?: string;
+    headers: Array<{ key: string; value: string }>;
+    useBodyTemplate: boolean;
+    bodyTemplate?: string;
+}
+
+interface Destination {
+    destinationId: number;
+    orgId: string;
+    type: string;
+    config: string;
+    enabled: boolean;
+    createdAt: number;
+    updatedAt: number;
+}
+
+interface ListDestinationsResponse {
+    destinations: Destination[];
+    pagination: {
+        total: number;
+        limit: number;
+        offset: number;
+    };
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+const defaultConfig = (): HttpConfig => ({
+    name: "",
+    url: "",
+    authType: "none",
+    bearerToken: "",
+    basicCredentials: "",
+    customHeaderName: "",
+    customHeaderValue: "",
+    headers: [],
+    useBodyTemplate: false,
+    bodyTemplate: ""
+});
+
+function parseConfig(raw: string): HttpConfig {
+    try {
+        return { ...defaultConfig(), ...JSON.parse(raw) };
+    } catch {
+        return defaultConfig();
+    }
+}
+
+// ── Headers editor ─────────────────────────────────────────────────────────────
+
+interface HeadersEditorProps {
+    headers: Array<{ key: string; value: string }>;
+    onChange: (headers: Array<{ key: string; value: string }>) => void;
+}
+
+function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
+    const addRow = () => onChange([...headers, { key: "", value: "" }]);
+
+    const removeRow = (i: number) =>
+        onChange(headers.filter((_, idx) => idx !== i));
+
+    const updateRow = (
+        i: number,
+        field: "key" | "value",
+        val: string
+    ) => {
+        const next = [...headers];
+        next[i] = { ...next[i], [field]: val };
+        onChange(next);
+    };
+
+    return (
+        <div className="space-y-3">
+            {headers.length === 0 && (
+                <p className="text-xs text-muted-foreground">
+                    No custom headers configured. Click "Add Header" to add one.
+                </p>
+            )}
+            {headers.map((h, i) => (
+                <div key={i} className="flex gap-2 items-center">
+                    <Input
+                        value={h.key}
+                        onChange={(e) => updateRow(i, "key", e.target.value)}
+                        placeholder="Header name"
+                        className="flex-1"
+                    />
+                    <Input
+                        value={h.value}
+                        onChange={(e) => updateRow(i, "value", e.target.value)}
+                        placeholder="Value"
+                        className="flex-1"
+                    />
+                    <Button
+                        type="button"
+                        variant="ghost"
+                        size="icon"
+                        onClick={() => removeRow(i)}
+                        className="shrink-0 h-9 w-9"
+                    >
+                        <X className="h-4 w-4" />
+                    </Button>
+                </div>
+            ))}
+            <Button
+                type="button"
+                variant="outline"
+                size="sm"
+                onClick={addRow}
+                className="gap-1.5"
+            >
+                <Plus className="h-3.5 w-3.5" />
+                Add Header
+            </Button>
+        </div>
+    );
+}
+
+// ── Destination card ───────────────────────────────────────────────────────────
+
+interface DestinationCardProps {
+    destination: Destination;
+    onToggle: (id: number, enabled: boolean) => void;
+    onEdit: (destination: Destination) => void;
+    isToggling: boolean;
+    disabled?: boolean;
+}
+
+function DestinationCard({
+    destination,
+    onToggle,
+    onEdit,
+    isToggling,
+    disabled = false
+}: DestinationCardProps) {
+    const cfg = parseConfig(destination.config);
+
+    return (
+        <div className="relative flex flex-col rounded-lg border bg-card text-card-foreground p-5 gap-3">
+            {/* Top row: icon + name/type + toggle */}
+            <div className="flex items-start justify-between gap-3">
+                <div className="flex items-center gap-3 min-w-0">
+                    <div className="shrink-0 flex items-center justify-center w-9 h-9 rounded-md bg-muted">
+                        <Globe className="h-5 w-5 text-muted-foreground" />
+                    </div>
+                    <div className="min-w-0">
+                        <p className="font-semibold text-sm leading-tight truncate">
+                            {cfg.name || "Unnamed destination"}
+                        </p>
+                        <p className="text-xs text-muted-foreground truncate mt-0.5">
+                            HTTP
+                        </p>
+                    </div>
+                </div>
+                <Switch
+                    checked={destination.enabled}
+                    onCheckedChange={(v) =>
+                        onToggle(destination.destinationId, v)
+                    }
+                    disabled={isToggling || disabled}
+                    className="shrink-0 mt-0.5"
+                />
+            </div>
+
+            {/* URL preview */}
+            <p className="text-xs text-muted-foreground truncate">
+                {cfg.url || (
+                    <span className="italic">No URL configured</span>
+                )}
+            </p>
+
+            {/* Footer: edit button */}
+            <div className="flex justify-end pt-1 border-t border-border mt-auto">
+                <Button
+                    variant="ghost"
+                    size="sm"
+                    onClick={() => onEdit(destination)}
+                    disabled={disabled}
+                    className="h-7 gap-1.5 text-xs mt-2"
+                >
+                    <Pencil className="h-3 w-3" />
+                    Edit
+                </Button>
+            </div>
+        </div>
+    );
+}
+
+// ── Add destination card ───────────────────────────────────────────────────────
+
+function AddDestinationCard({
+    onClick,
+    disabled = false
+}: {
+    onClick: () => void;
+    disabled?: boolean;
+}) {
+    return (
+        <button
+            type="button"
+            onClick={disabled ? undefined : onClick}
+            disabled={disabled}
+            className={`flex flex-col items-center justify-center rounded-lg border-2 border-dashed border-border bg-transparent transition-colors p-5 min-h-35 w-full ${
+                disabled
+                    ? "opacity-50 cursor-not-allowed text-muted-foreground"
+                    : "text-muted-foreground hover:border-primary hover:text-primary hover:bg-primary/5 cursor-pointer"
+            }`}
+        >
+            <div className="flex flex-col items-center gap-2">
+                <div className="flex items-center justify-center w-9 h-9 rounded-md border-2 border-dashed border-current">
+                    <Plus className="h-4 w-4" />
+                </div>
+                <span className="text-sm font-medium">Add Destination</span>
+            </div>
+        </button>
+    );
+}
+
+// ── Destination modal ──────────────────────────────────────────────────────────
+
+interface DestinationModalProps {
+    open: boolean;
+    onOpenChange: (open: boolean) => void;
+    editing: Destination | null;
+    orgId: string;
+    onSaved: () => void;
+    onDeleted: () => void;
+}
+
+function DestinationModal({
+    open,
+    onOpenChange,
+    editing,
+    orgId,
+    onSaved,
+    onDeleted
+}: DestinationModalProps) {
+    const api = createApiClient(useEnvContext());
+
+    const [saving, setSaving] = useState(false);
+    const [deleting, setDeleting] = useState(false);
+    const [confirmDelete, setConfirmDelete] = useState(false);
+    const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
+
+    useEffect(() => {
+        if (open) {
+            setCfg(editing ? parseConfig(editing.config) : defaultConfig());
+            setConfirmDelete(false);
+        }
+    }, [open, editing]);
+
+    const update = (patch: Partial<HttpConfig>) =>
+        setCfg((prev) => ({ ...prev, ...patch }));
+
+    const isValid =
+        cfg.name.trim() !== "" && cfg.url.trim() !== "";
+
+    async function handleSave() {
+        if (!isValid) return;
+        setSaving(true);
+        try {
+            const payload = {
+                type: "http",
+                config: JSON.stringify(cfg)
+            };
+            if (editing) {
+                await api.post(
+                    `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
+                    payload
+                );
+                toast({ title: "Destination updated successfully" });
+            } else {
+                await api.put(
+                    `/org/${orgId}/event-streaming-destination`,
+                    payload
+                );
+                toast({ title: "Destination created successfully" });
+            }
+            onSaved();
+            onOpenChange(false);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: editing
+                    ? "Failed to update destination"
+                    : "Failed to create destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setSaving(false);
+        }
+    }
+
+    async function handleDelete() {
+        if (!editing) return;
+        if (!confirmDelete) {
+            setConfirmDelete(true);
+            return;
+        }
+        setDeleting(true);
+        try {
+            await api.delete(
+                `/org/${orgId}/event-streaming-destination/${editing.destinationId}`
+            );
+            toast({ title: "Destination deleted successfully" });
+            onDeleted();
+            onOpenChange(false);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: "Failed to delete destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setDeleting(false);
+        }
+    }
+
+    return (
+        <Credenza open={open} onOpenChange={onOpenChange}>
+            <CredenzaContent className="sm:max-w-2xl">
+                <CredenzaHeader>
+                    <CredenzaTitle>
+                        {editing ? "Edit Destination" : "Add Destination"}
+                    </CredenzaTitle>
+                    <CredenzaDescription>
+                        {editing
+                            ? "Update the configuration for this HTTP event streaming destination."
+                            : "Configure a new HTTP endpoint to receive your organization's events."}
+                    </CredenzaDescription>
+                </CredenzaHeader>
+
+                <CredenzaBody>
+                    <Tabs defaultValue="settings">
+                        <TabsList>
+                            <TabsTrigger value="settings">Settings</TabsTrigger>
+                            <TabsTrigger value="headers">Headers</TabsTrigger>
+                            <TabsTrigger value="body">Body Template</TabsTrigger>
+                        </TabsList>
+
+                        {/* ── Settings ─────────────────────────────────── */}
+                        <TabsContent value="settings" className="space-y-5">
+                            <div className="space-y-1.5">
+                                <Label htmlFor="dest-name">Name</Label>
+                                <Input
+                                    id="dest-name"
+                                    placeholder="My HTTP destination"
+                                    value={cfg.name}
+                                    onChange={(e) =>
+                                        update({ name: e.target.value })
+                                    }
+                                />
+                            </div>
+
+                            <div className="space-y-1.5">
+                                <Label htmlFor="dest-url">Destination URL</Label>
+                                <Input
+                                    id="dest-url"
+                                    placeholder="https://example.com/webhook"
+                                    value={cfg.url}
+                                    onChange={(e) =>
+                                        update({ url: e.target.value })
+                                    }
+                                />
+                            </div>
+
+                            <div className="space-y-2">
+                                <Label>Authentication</Label>
+                                <RadioGroup
+                                    value={cfg.authType}
+                                    onValueChange={(v) =>
+                                        update({ authType: v as AuthType })
+                                    }
+                                    className="gap-2"
+                                >
+                                    {/* None */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors data-[state=checked]:border-primary">
+                                        <RadioGroupItem
+                                            value="none"
+                                            id="auth-none"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="auth-none"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                No Authentication
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                Sends requests without an{" "}
+                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                    Authorization
+                                                </code>{" "}
+                                                header.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* Bearer */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="bearer"
+                                            id="auth-bearer"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-bearer"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Bearer Token
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Bearer &lt;token&gt;
+                                                    </code>{" "}
+                                                    header to each request.
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "bearer" && (
+                                                <Input
+                                                    placeholder="Your API key or token"
+                                                    value={cfg.bearerToken ?? ""}
+                                                    onChange={(e) =>
+                                                        update({
+                                                            bearerToken:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Basic */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="basic"
+                                            id="auth-basic"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-basic"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Basic Auth
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Basic &lt;credentials&gt;
+                                                    </code>{" "}
+                                                    header. Provide credentials as{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        username:password
+                                                    </code>
+                                                    .
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "basic" && (
+                                                <Input
+                                                    placeholder="username:password"
+                                                    value={
+                                                        cfg.basicCredentials ?? ""
+                                                    }
+                                                    onChange={(e) =>
+                                                        update({
+                                                            basicCredentials:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Custom */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="custom"
+                                            id="auth-custom"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-custom"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Custom Header
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Specify a custom HTTP header name and value for
+                                                    authentication (e.g.{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        X-API-Key
+                                                    </code>
+                                                    ).
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "custom" && (
+                                                <div className="flex gap-2">
+                                                    <Input
+                                                        placeholder="Header name (e.g. X-API-Key)"
+                                                        value={
+                                                            cfg.customHeaderName ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderName:
+                                                                    e.target.value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                    <Input
+                                                        placeholder="Header value"
+                                                        value={
+                                                            cfg.customHeaderValue ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderValue:
+                                                                    e.target.value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                </div>
+                                            )}
+                                        </div>
+                                    </div>
+                                </RadioGroup>
+                            </div>
+                        </TabsContent>
+
+                        {/* ── Headers ───────────────────────────────────── */}
+                        <TabsContent value="headers" className="space-y-4">
+                            <div>
+                                <p className="text-sm font-medium mb-1">
+                                    Custom HTTP Headers
+                                </p>
+                                <p className="text-xs text-muted-foreground mb-4">
+                                    Add custom HTTP headers to every outgoing request.
+                                    Useful for passing static tokens, setting a custom{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type
+                                    </code>
+                                    , or other API requirements. By default, the{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type
+                                    </code>{" "}
+                                    is{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        application/json
+                                    </code>
+                                    .
+                                </p>
+                                <HeadersEditor
+                                    headers={cfg.headers}
+                                    onChange={(headers) => update({ headers })}
+                                />
+                            </div>
+                        </TabsContent>
+
+                        {/* ── Body Template ─────────────────────────────── */}
+                        <TabsContent value="body" className="space-y-4">
+                            <div>
+                                <p className="text-sm font-medium mb-1">
+                                    Custom Body Template
+                                </p>
+                                <p className="text-xs text-muted-foreground mb-4">
+                                    Control the structure of the JSON payload sent to your
+                                    endpoint. If disabled, a default JSON object is sent for
+                                    each event.
+                                </p>
+                            </div>
+
+                            <div className="flex items-center gap-3 rounded-md border p-3">
+                                <Switch
+                                    id="use-body-template"
+                                    checked={cfg.useBodyTemplate}
+                                    onCheckedChange={(v) =>
+                                        update({ useBodyTemplate: v })
+                                    }
+                                />
+                                <Label
+                                    htmlFor="use-body-template"
+                                    className="cursor-pointer"
+                                >
+                                    Enable custom body template
+                                </Label>
+                            </div>
+
+                            {cfg.useBodyTemplate && (
+                                <div className="space-y-1.5">
+                                    <Label htmlFor="body-template">
+                                        Body Template (JSON)
+                                    </Label>
+                                    <Textarea
+                                        id="body-template"
+                                        placeholder={
+                                            '{\n  "event": "{{event}}",\n  "timestamp": "{{timestamp}}",\n  "data": {{data}}\n}'
+                                        }
+                                        value={cfg.bodyTemplate ?? ""}
+                                        onChange={(e) =>
+                                            update({
+                                                bodyTemplate: e.target.value
+                                            })
+                                        }
+                                        className="font-mono text-xs min-h-45 resize-y"
+                                    />
+                                    <p className="text-xs text-muted-foreground">
+                                        Use template variables to reference event fields in
+                                        your payload.
+                                    </p>
+                                </div>
+                            )}
+                        </TabsContent>
+                    </Tabs>
+                </CredenzaBody>
+
+                <CredenzaFooter>
+                    {editing && (
+                        <Button
+                            type="button"
+                            variant="destructive"
+                            onClick={handleDelete}
+                            loading={deleting}
+                            disabled={saving}
+                            className="mr-auto"
+                        >
+                            <Trash2 className="h-4 w-4 mr-1.5" />
+                            {confirmDelete ? "Confirm Delete" : "Delete"}
+                        </Button>
+                    )}
+                    <CredenzaClose asChild>
+                        <Button
+                            type="button"
+                            variant="outline"
+                            disabled={saving || deleting}
+                        >
+                            Cancel
+                        </Button>
+                    </CredenzaClose>
+                    <Button
+                        type="button"
+                        onClick={handleSave}
+                        loading={saving}
+                        disabled={!isValid || deleting}
+                    >
+                        {editing ? "Save Changes" : "Create Destination"}
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
+
+// ── Main page ──────────────────────────────────────────────────────────────────
+
+export default function StreamingDestinationsPage() {
+    const { orgId } = useParams() as { orgId: string };
+    const api = createApiClient(useEnvContext());
+    const { isPaidUser } = usePaidStatus();
+    const isEnterprise = isPaidUser(tierMatrix[TierFeature.SIEM]);
+
+    const [destinations, setDestinations] = useState<Destination[]>([]);
+    const [loading, setLoading] = useState(true);
+    const [modalOpen, setModalOpen] = useState(false);
+    const [editingDestination, setEditingDestination] =
+        useState<Destination | null>(null);
+    const [togglingIds, setTogglingIds] = useState<Set<number>>(new Set());
+
+    const loadDestinations = useCallback(async () => {
+        if (build == "oss") {
+            setDestinations([]);
+            setLoading(false);
+            return;
+        }
+        try {
+            const res = await api.get<AxiosResponse<ListDestinationsResponse>>(
+                `/org/${orgId}/event-streaming-destinations`
+            );
+            setDestinations(res.data.data.destinations ?? []);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: "Failed to load destinations",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setLoading(false);
+        }
+    }, [orgId]);
+
+    useEffect(() => {
+        loadDestinations();
+    }, [loadDestinations]);
+
+    const handleToggle = async (destinationId: number, enabled: boolean) => {
+        // Optimistic update
+        setDestinations((prev) =>
+            prev.map((d) =>
+                d.destinationId === destinationId ? { ...d, enabled } : d
+            )
+        );
+        setTogglingIds((prev) => new Set(prev).add(destinationId));
+
+        try {
+            await api.post(
+                `/org/${orgId}/event-streaming-destination/${destinationId}`,
+                { enabled }
+            );
+        } catch (e) {
+            // Revert on failure
+            setDestinations((prev) =>
+                prev.map((d) =>
+                    d.destinationId === destinationId
+                        ? { ...d, enabled: !enabled }
+                        : d
+                )
+            );
+            toast({
+                variant: "destructive",
+                title: "Failed to update destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setTogglingIds((prev) => {
+                const next = new Set(prev);
+                next.delete(destinationId);
+                return next;
+            });
+        }
+    };
+
+    const openCreate = () => {
+        setEditingDestination(null);
+        setModalOpen(true);
+    };
+
+    const openEdit = (destination: Destination) => {
+        setEditingDestination(destination);
+        setModalOpen(true);
+    };
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title="Event Streaming"
+                description="Stream events from your organization to external destinations in real time."
+            />
+
+            <PaidFeaturesAlert tiers={tierMatrix[TierFeature.SIEM]} />
+
+            {loading ? (
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                    {Array.from({ length: 3 }).map((_, i) => (
+                        <div
+                            key={i}
+                            className="rounded-lg border bg-card p-5 min-h-36 animate-pulse"
+                        />
+                    ))}
+                </div>
+            ) : (
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                    {destinations.map((dest) => (
+                        <DestinationCard
+                            key={dest.destinationId}
+                            destination={dest}
+                            onToggle={handleToggle}
+                            onEdit={openEdit}
+                            isToggling={togglingIds.has(dest.destinationId)}
+                            disabled={!isEnterprise}
+                        />
+                    ))}
+                    <AddDestinationCard
+                        onClick={openCreate}
+                        disabled={!isEnterprise}
+                    />
+                </div>
+            )}
+
+            <DestinationModal
+                open={modalOpen}
+                onOpenChange={setModalOpen}
+                editing={editingDestination}
+                orgId={orgId}
+                onSaved={loadDestinations}
+                onDeleted={loadDestinations}
+            />
+        </>
+    );
+}
diff --git a/src/app/navigation.tsx b/src/app/navigation.tsx
index 66e6cdad0..ac7a4a10f 100644
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -23,6 +23,7 @@ import {
     Settings,
     SquareMousePointer,
     TicketCheck,
+    Unplug,
     User,
     UserCog,
     Users,
@@ -196,6 +197,11 @@ export const orgNavSections = (
                                   title: "sidebarLogsConnection",
                                   href: "/{orgId}/settings/logs/connection",
                                   icon: <Cable className="size-4 flex-none" />
+                              },
+                              {
+                                  title: "sidebarLogsStreaming",
+                                  href: "/{orgId}/settings/logs/streaming",
+                                  icon: <Unplug className="size-4 flex-none" />
                               }
                           ]
                         : [])

From 45c613dec46108192b3ea2320e985d4497e02ac9 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:09:14 -0700
Subject: [PATCH 089/122] Tweaking the ui

---
 .../[orgId]/settings/logs/streaming/page.tsx  | 85 +++++++++++--------
 1 file changed, 50 insertions(+), 35 deletions(-)

diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 265001e8e..c732274b4 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -7,6 +7,7 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import {
@@ -23,15 +24,10 @@ import { Button } from "@app/components/ui/button";
 import { Input } from "@app/components/ui/input";
 import { Label } from "@app/components/ui/label";
 import { Switch } from "@app/components/ui/switch";
-import {
-    Tabs,
-    TabsContent,
-    TabsList,
-    TabsTrigger
-} from "@app/components/ui/tabs";
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
 import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
 import { Textarea } from "@app/components/ui/textarea";
-import { Globe, Plus, Pencil, Trash2, X } from "lucide-react";
+import { Globe, Plus, Trash2, X } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
 
@@ -217,15 +213,14 @@ function DestinationCard({
             </p>
 
             {/* Footer: edit button */}
-            <div className="flex justify-end pt-1 border-t border-border mt-auto">
+            <div className="mt-auto pt-3">
                 <Button
-                    variant="ghost"
+                    variant="secondary"
                     size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
-                    className="h-7 gap-1.5 text-xs mt-2"
+                    className="w-full"
                 >
-                    <Pencil className="h-3 w-3" />
                     Edit
                 </Button>
             </div>
@@ -286,13 +281,15 @@ function DestinationModal({
 
     const [saving, setSaving] = useState(false);
     const [deleting, setDeleting] = useState(false);
-    const [confirmDelete, setConfirmDelete] = useState(false);
+    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
     const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
 
     useEffect(() => {
         if (open) {
             setCfg(editing ? parseConfig(editing.config) : defaultConfig());
-            setConfirmDelete(false);
+        }
+        if (!open) {
+            setDeleteDialogOpen(false);
         }
     }, [open, editing]);
 
@@ -343,10 +340,6 @@ function DestinationModal({
 
     async function handleDelete() {
         if (!editing) return;
-        if (!confirmDelete) {
-            setConfirmDelete(true);
-            return;
-        }
         setDeleting(true);
         try {
             await api.delete(
@@ -370,6 +363,7 @@ function DestinationModal({
     }
 
     return (
+        <>
         <Credenza open={open} onOpenChange={onOpenChange}>
             <CredenzaContent className="sm:max-w-2xl">
                 <CredenzaHeader>
@@ -384,15 +378,16 @@ function DestinationModal({
                 </CredenzaHeader>
 
                 <CredenzaBody>
-                    <Tabs defaultValue="settings">
-                        <TabsList>
-                            <TabsTrigger value="settings">Settings</TabsTrigger>
-                            <TabsTrigger value="headers">Headers</TabsTrigger>
-                            <TabsTrigger value="body">Body Template</TabsTrigger>
-                        </TabsList>
-
+                    <HorizontalTabs
+                        clientSide
+                        items={[
+                            { title: "Settings", href: "" },
+                            { title: "Headers", href: "" },
+                            { title: "Body Template", href: "" }
+                        ]}
+                    >
                         {/* ── Settings ─────────────────────────────────── */}
-                        <TabsContent value="settings" className="space-y-5">
+                        <div className="space-y-5">
                             <div className="space-y-1.5">
                                 <Label htmlFor="dest-name">Name</Label>
                                 <Input
@@ -592,10 +587,10 @@ function DestinationModal({
                                     </div>
                                 </RadioGroup>
                             </div>
-                        </TabsContent>
+                        </div>
 
                         {/* ── Headers ───────────────────────────────────── */}
-                        <TabsContent value="headers" className="space-y-4">
+                        <div className="space-y-4">
                             <div>
                                 <p className="text-sm font-medium mb-1">
                                     Custom HTTP Headers
@@ -621,10 +616,10 @@ function DestinationModal({
                                     onChange={(headers) => update({ headers })}
                                 />
                             </div>
-                        </TabsContent>
+                        </div>
 
                         {/* ── Body Template ─────────────────────────────── */}
-                        <TabsContent value="body" className="space-y-4">
+                        <div className="space-y-4">
                             <div>
                                 <p className="text-sm font-medium mb-1">
                                     Custom Body Template
@@ -676,8 +671,8 @@ function DestinationModal({
                                     </p>
                                 </div>
                             )}
-                        </TabsContent>
-                    </Tabs>
+                        </div>
+                    </HorizontalTabs>
                 </CredenzaBody>
 
                 <CredenzaFooter>
@@ -685,13 +680,12 @@ function DestinationModal({
                         <Button
                             type="button"
                             variant="destructive"
-                            onClick={handleDelete}
-                            loading={deleting}
-                            disabled={saving}
+                            onClick={() => setDeleteDialogOpen(true)}
+                            disabled={saving || deleting}
                             className="mr-auto"
                         >
                             <Trash2 className="h-4 w-4 mr-1.5" />
-                            {confirmDelete ? "Confirm Delete" : "Delete"}
+                            Delete
                         </Button>
                     )}
                     <CredenzaClose asChild>
@@ -714,6 +708,27 @@ function DestinationModal({
                 </CredenzaFooter>
             </CredenzaContent>
         </Credenza>
+
+        {editing && (
+            <ConfirmDeleteDialog
+                open={deleteDialogOpen}
+                setOpen={setDeleteDialogOpen}
+                string={parseConfig(editing.config).name || "delete"}
+                title="Delete Destination"
+                dialog={
+                    <p className="text-sm text-muted-foreground">
+                        Are you sure you want to delete the destination{" "}
+                        <span className="font-semibold text-foreground">
+                            {parseConfig(editing.config).name || "this destination"}
+                        </span>
+                        ? All configuration will be permanently removed.
+                    </p>
+                }
+                buttonText="Delete Destination"
+                onConfirm={handleDelete}
+            />
+        )}
+        </>
     );
 }
 

From a73879ec7a55c6f164f661e361255e37227e005f Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:35:37 -0700
Subject: [PATCH 090/122] Fix formatting

---
 .../updateEventStreamingDestination.ts        |  24 +-
 .../[orgId]/settings/logs/streaming/page.tsx  | 233 +++++++++++++++---
 2 files changed, 212 insertions(+), 45 deletions(-)

diff --git a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
index 1ad8f0081..3d3321824 100644
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -22,7 +22,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
-import { parse } from "zod/v4/core";
+
 
 const paramsSchema = z
     .object({
@@ -35,10 +35,10 @@ const bodySchema = z.strictObject({
     type: z.string().optional(),
     config: z.string().optional(),
     enabled: z.boolean().optional(),
-    sendConnectionLogs: z.boolean().optional().default(false),
-    sendRequestLogs: z.boolean().optional().default(false),
-    sendActionLogs: z.boolean().optional().default(false),
-    sendAccessLogs: z.boolean().optional().default(false)
+    sendConnectionLogs: z.boolean().optional(),
+    sendRequestLogs: z.boolean().optional(),
+    sendActionLogs: z.boolean().optional(),
+    sendAccessLogs: z.boolean().optional()
 });
 
 export type UpdateEventStreamingDestinationResponse = {
@@ -110,7 +110,19 @@ export async function updateEventStreamingDestination(
             );
         }
 
-        const updateData = parsedBody.data;
+        const { type, config, enabled, sendAccessLogs, sendActionLogs, sendConnectionLogs, sendRequestLogs } = parsedBody.data;
+
+        const updateData: Record<string, unknown> = {
+            updatedAt: Date.now()
+        };
+
+        if (type !== undefined) updateData.type = type;
+        if (config !== undefined) updateData.config = config;
+        if (enabled !== undefined) updateData.enabled = enabled;
+        if (sendAccessLogs !== undefined) updateData.sendAccessLogs = sendAccessLogs;
+        if (sendActionLogs !== undefined) updateData.sendActionLogs = sendActionLogs;
+        if (sendConnectionLogs !== undefined) updateData.sendConnectionLogs = sendConnectionLogs;
+        if (sendRequestLogs !== undefined) updateData.sendRequestLogs = sendRequestLogs;
 
         await db
             .update(eventStreamingDestinations)
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index c732274b4..a89c961b4 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -27,7 +27,8 @@ import { Switch } from "@app/components/ui/switch";
 import { HorizontalTabs } from "@app/components/HorizontalTabs";
 import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
 import { Textarea } from "@app/components/ui/textarea";
-import { Globe, Plus, Trash2, X } from "lucide-react";
+import { Checkbox } from "@app/components/ui/checkbox";
+import { Globe, Plus, X } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
 
@@ -54,6 +55,10 @@ interface Destination {
     type: string;
     config: string;
     enabled: boolean;
+    sendAccessLogs: boolean;
+    sendActionLogs: boolean;
+    sendConnectionLogs: boolean;
+    sendRequestLogs: boolean;
     createdAt: number;
     updatedAt: number;
 }
@@ -215,7 +220,7 @@ function DestinationCard({
             {/* Footer: edit button */}
             <div className="mt-auto pt-3">
                 <Button
-                    variant="secondary"
+                    variant="outline"
                     size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
@@ -283,10 +288,18 @@ function DestinationModal({
     const [deleting, setDeleting] = useState(false);
     const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
     const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
+    const [sendAccessLogs, setSendAccessLogs] = useState(false);
+    const [sendActionLogs, setSendActionLogs] = useState(false);
+    const [sendConnectionLogs, setSendConnectionLogs] = useState(false);
+    const [sendRequestLogs, setSendRequestLogs] = useState(false);
 
     useEffect(() => {
         if (open) {
             setCfg(editing ? parseConfig(editing.config) : defaultConfig());
+            setSendAccessLogs(editing?.sendAccessLogs ?? false);
+            setSendActionLogs(editing?.sendActionLogs ?? false);
+            setSendConnectionLogs(editing?.sendConnectionLogs ?? false);
+            setSendRequestLogs(editing?.sendRequestLogs ?? false);
         }
         if (!open) {
             setDeleteDialogOpen(false);
@@ -296,8 +309,27 @@ function DestinationModal({
     const update = (patch: Partial<HttpConfig>) =>
         setCfg((prev) => ({ ...prev, ...patch }));
 
+    const urlError: string | null = (() => {
+        const raw = cfg.url.trim();
+        if (!raw) return null;
+        try {
+            const parsed = new URL(raw);
+            if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+                return "URL must use http or https";
+            }
+            if (build === "saas" && parsed.protocol !== "https:") {
+                return "HTTPS is required on cloud deployments";
+            }
+            return null;
+        } catch {
+            return "Enter a valid URL (e.g. https://example.com/webhook)";
+        }
+    })();
+
     const isValid =
-        cfg.name.trim() !== "" && cfg.url.trim() !== "";
+        cfg.name.trim() !== "" &&
+        cfg.url.trim() !== "" &&
+        urlError === null;
 
     async function handleSave() {
         if (!isValid) return;
@@ -305,7 +337,11 @@ function DestinationModal({
         try {
             const payload = {
                 type: "http",
-                config: JSON.stringify(cfg)
+                config: JSON.stringify(cfg),
+                sendAccessLogs,
+                sendActionLogs,
+                sendConnectionLogs,
+                sendRequestLogs
             };
             if (editing) {
                 await api.post(
@@ -383,11 +419,12 @@ function DestinationModal({
                         items={[
                             { title: "Settings", href: "" },
                             { title: "Headers", href: "" },
-                            { title: "Body Template", href: "" }
+                            { title: "Body Template", href: "" },
+                            { title: "Logs", href: "" }
                         ]}
                     >
                         {/* ── Settings ─────────────────────────────────── */}
-                        <div className="space-y-5">
+                        <div className="space-y-4 mt-4 p-1">
                             <div className="space-y-1.5">
                                 <Label htmlFor="dest-name">Name</Label>
                                 <Input
@@ -410,10 +447,22 @@ function DestinationModal({
                                         update({ url: e.target.value })
                                     }
                                 />
+                                {urlError && (
+                                    <p className="text-xs text-destructive mt-1">
+                                        {urlError}
+                                    </p>
+                                )}
                             </div>
 
-                            <div className="space-y-2">
-                                <Label>Authentication</Label>
+                            <div>
+                                <div className="mb-4">
+                                    <label className="font-medium block">
+                                        Authentication
+                                    </label>
+                                    <div className="text-sm text-muted-foreground">
+                                        Choose how requests to your endpoint are authenticated.
+                                    </div>
+                                </div>
                                 <RadioGroup
                                     value={cfg.authType}
                                     onValueChange={(v) =>
@@ -590,27 +639,25 @@ function DestinationModal({
                         </div>
 
                         {/* ── Headers ───────────────────────────────────── */}
-                        <div className="space-y-4">
+                        <div className="space-y-4 mt-4 p-1">
                             <div>
-                                <p className="text-sm font-medium mb-1">
-                                    Custom HTTP Headers
-                                </p>
-                                <p className="text-xs text-muted-foreground mb-4">
-                                    Add custom HTTP headers to every outgoing request.
-                                    Useful for passing static tokens, setting a custom{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type
-                                    </code>
-                                    , or other API requirements. By default, the{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type
-                                    </code>{" "}
-                                    is{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        application/json
-                                    </code>
-                                    .
-                                </p>
+                                <div className="mb-4">
+                                    <label className="font-medium block">
+                                        Custom HTTP Headers
+                                    </label>
+                                    <div className="text-sm text-muted-foreground">
+                                        Add custom headers to every outgoing request.
+                                        Useful for static tokens or custom{" "}
+                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                            Content-Type
+                                        </code>
+                                        . By default,{" "}
+                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                            Content-Type: application/json
+                                        </code>{" "}
+                                        is sent.
+                                    </div>
+                                </div>
                                 <HeadersEditor
                                     headers={cfg.headers}
                                     onChange={(headers) => update({ headers })}
@@ -619,19 +666,19 @@ function DestinationModal({
                         </div>
 
                         {/* ── Body Template ─────────────────────────────── */}
-                        <div className="space-y-4">
-                            <div>
-                                <p className="text-sm font-medium mb-1">
+                        <div className="space-y-4 mt-4 p-1">
+                            <div className="mb-4">
+                                <label className="font-medium block">
                                     Custom Body Template
-                                </p>
-                                <p className="text-xs text-muted-foreground mb-4">
-                                    Control the structure of the JSON payload sent to your
-                                    endpoint. If disabled, a default JSON object is sent for
-                                    each event.
-                                </p>
+                                </label>
+                                <div className="text-sm text-muted-foreground">
+                                    Control the JSON payload structure sent to your
+                                    endpoint. If disabled, a default JSON object is sent
+                                    for each event.
+                                </div>
                             </div>
 
-                            <div className="flex items-center gap-3 rounded-md border p-3">
+                            <div className="flex items-center gap-3">
                                 <Switch
                                     id="use-body-template"
                                     checked={cfg.useBodyTemplate}
@@ -672,6 +719,115 @@ function DestinationModal({
                                 </div>
                             )}
                         </div>
+
+                        {/* ── Logs ──────────────────────────────────────── */}
+                        <div className="space-y-4 mt-4 p-1">
+                            <div className="mb-4">
+                                <label className="font-medium block">
+                                    Log Types
+                                </label>
+                                <div className="text-sm text-muted-foreground">
+                                    Choose which log types are forwarded to this
+                                    destination. Only enabled log types will be
+                                    streamed.
+                                </div>
+                            </div>
+
+                            <div className="space-y-3">
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-access"
+                                        checked={sendAccessLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendAccessLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-access"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Access Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Resource access attempts, including
+                                            authenticated and denied requests.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-action"
+                                        checked={sendActionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendActionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-action"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Action Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Administrative actions performed by
+                                            users within the organization.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-connection"
+                                        checked={sendConnectionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendConnectionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-connection"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Connection Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Site and tunnel connection events,
+                                            including connects and disconnects.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-request"
+                                        checked={sendRequestLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendRequestLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-request"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Request Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            HTTP request logs for proxied
+                                            resources, including method, path,
+                                            and response code.
+                                        </p>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
                     </HorizontalTabs>
                 </CredenzaBody>
 
@@ -684,7 +840,6 @@ function DestinationModal({
                             disabled={saving || deleting}
                             className="mr-auto"
                         >
-                            <Trash2 className="h-4 w-4 mr-1.5" />
                             Delete
                         </Button>
                     )}

From 1711e392196c3dea9f5ad2587921bcc2fd84d257 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:42:41 -0700
Subject: [PATCH 091/122] Add logos

---
 public/third-party/dd.png | Bin 0 -> 74745 bytes
 public/third-party/s3.png | Bin 0 -> 13495 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 public/third-party/dd.png
 create mode 100644 public/third-party/s3.png

diff --git a/public/third-party/dd.png b/public/third-party/dd.png
new file mode 100644
index 0000000000000000000000000000000000000000..598771157afa6786bccb3dfdca9982d2316daabd
GIT binary patch
literal 74745
zcmYg22Rzm7_s_l7wJ*ZWyrM-!${rWt7D~3PYZPUajBHm{wkAa(R5sZ&*`<)OMK;OG
z-v8(7{lD+;{e1eo^}WycJm)$4oadZxnD!-gdKwNI008|3{COP!C~@#l0g4hn*{?g#
z3I9iZ8*l6a04+1=52Evj-wps+aN)d?o=4*EA6hzGhTW7u_0-$b%>x#Zf<cDZBIJl=
zbkLETPF2V;R?HXiI?+taR91`ufvKFxCbaRHW@EIUT~>=#TXFO5vclz{x*z(zf@e|$
zmuuD&mq+L4bK$1&zxap#(g_ED`zD$sY%cv|@i;5?;NM~K?QGksSAt^4_L97pE^iFq
z8oj&Zs2^vMsC#F9VUY1)Q7z`PZN&BXuXHl^N;#{}>tk*5(8PmZR;(3FxEkJ1?<IW^
zjP4PxK_O6mLgd(k-zx2kUiW)1zUh0Od3vPSR4Qlu5<rrESqzdg+OgEgyw2L(+Pv>b
zIDtfy9%JpJy7jUsBTGpyc$X*Xp7;x>_VGE&2t_VYa|bCSxuZz*J3|zXw4SJU?y4?p
z)Kk5yx(NS&@JaoSIkk7Yb^{&QsC%aC6I<_nKu%gaZI*hjD-$uswixiDx~#I&<q(1d
z!Qe0Cm%j*0-+gquCVB=Lk)FDU11ufVzCOR%MRd-|XyQv`M4*gWh$KkB{{|hK#W}(t
z!5Mq_FXAouzre5RYN<=*#g+4t|2YN@;D_1KvH438szi<CWb^JQLS7#{CO`ZCh%aFv
z!TtiSMV&o3rc=JuK=0k}Eie9JF4JwNReZCytXmIo|2<@FG)G_~F9Sx>C^6+N;Pd{A
zgopC~BOzvRy)ITBfg&N>ck};|B?cXwdyn)qK26O&Q=hD<__fuqA$>Q`nNyF1{>p<u
zhM3XL2yv;7;0*p!Kk`!QIsLD87t+tMI$UpGI%4~GJFlJtLYI9Q?cn*BHXWJ&4;Put
z{&$^3=l`!06`^XQlKy+v#khYL{zF8fCOmx}hbTO~X1mbT<3ws43DaY*{+|h0#mthH
z=La;wBBDNwGEzmdQ$~>0zGJ_8_pSybiDey05UN!p0kVu}=3~+|!LA<5m2p7wX(Q|W
zje5iwe8WtfD#+n4boUNO+stqkdqIL7l&hl$OFfiHOS|>p(vzqKWA?T~(#%8>E`2wP
zUV9lerkrC10)Hi0QwJ{1JXl)Z>+<^JlLPedI*=3ff($tsVDA{<GdUmx!4)#ikRCFP
z3wS&|SU0T?DO+HbPh#yHGsh$01D17UHW8K}Z|K>mfY%aK;kE}P1Jd1jfNH&nHPLzN
zb!KZ`8-4ke13}$M7c=sKavIo(=sYx3Pl2^jKTxx0cK@O)Dt&-MJdp%CCxecSs>Ni3
ztL*bGHkS8bQ-S2K&wp96hC)o_rn<!2>je%7L?A#yLyhD-#Za3|j<vaP0GJ!nLC}DX
zt>-xnQQ^1jr*ZtjV_7KcfAs<o0}eFwClg7bGo^}NBeAT4xR!^cV-p>q&i!RH&`tSq
z#Q1=?q8H#&#w^lO&{7*wSt&bp7_Lnt3B^sVYxz>(l(%8m#6)MRsHGqd(gX7X@;X$X
z3+g_|XFE7V^}n(Xrkh@lU35AS;G)-GpJy708JXG(0!%ar`h9?!kqL=&2l4<!IS#0^
z_pdMj{6N66`rp@|{dX#GOqFy{QN(|!hI?oMV<sZRC(`s^Q2?{~eE0rtLkX34HJ>D4
z0Q7c}j@8TnKr;WoWCbfT1DPW4rAEh<DWJmEKIO>C2xkp!EQWMwYT`n_J3^94kMn=A
z-LfMC8BD}jR?>N6(@8q?mjb$nay>;7jqmW0Rv&{p{Et8Y!YGLdxH}LmkAbtD76n)=
zt5#16pgy2_Dpbyz%yUmZi~=yg@(<jOtp6wrat;oc^RLMRM9Xp>ejyUU2*QvKjo}|g
zNh|=Ve@LQw82;_~zj99CsLA;CC(GpmgB~OijuIkapzmxK3~`USt#tzM(URc&mCC;Y
z58m;^6A&Lj&+(6@fdrbK2XWCH(j?ngOC%{#@#`~CiHIfDcg}wdCW(~H_y4FIf(3k>
zB(S{)y7>=>)wbJc$`2sW{4dgxiSTvess98L=%yos97qxppZFhjW5u6*wo!q+hjje+
zaDX`4_~XZmREU)wH0Sc!qaDv_0O()J&1}_Zewab>BDh=s;R}e}B)E23{~8BCkXuWn
zy+iT|1Yse{2+1rdsF{H1io&(rBO!ME|E(DS03QvXV95@aNgph$;*uI3$3d)O%UGe%
zG||J8!G#A(DthO?g+OBU6B9obqzMs`W2e<ccc5gT;-`7wDH299e_9Aj*UyELgaC9r
zAeqx>VNlCvQ1tpH13Of5sBDF|vMP2)>BO#)bk6{4Q<d=-OQ@6}R>lPvF9*dj_J#UY
z-E%4=qX&o?EJRUHxFO*VG!wTBTrg`?(Cbf4=Fv6>oFsXG3&v0>?eq==5`Y~gc#6nR
zP?WyhWPoN2Qn6r4>WmwNkSr+#!IB+-1zY^U@(+|}oDk39Q$yL4qEHN=Ymb7IF=`F(
z*84K@R~FM6=~RzhhA^`^NXu?tp@Yi=rbz56qy#K$c>B!jEhIAza4-K#XuBSC6U2rb
z%)elX%|YJk2-G9!6NpSE|BLM+jBx;+UE_a5b3Hj2Xf9KyNizR3?_QnL7yo%63&fP_
zJCyNf;BtqN2mc)oBMafe0D;K*KO`oe?7hqOjI_4T_&@T3T5`yu_{aaz7W}*{h>Jf9
z*IoGEb=mF5l#XcuWUXDcotFOD1DgvEO>jItKR?eU47{M9@hE&=58XPX*l=a0$Z77o
zukq04<QT!j9llL64Uisrki2rUf030}ft<i<dAD)uLMjmS?K3BDL)S_ITS1Q1gieew
z`VW6kL8}I8Nlt_Lf2a!<9|s<P8JGqit2z7+y#R@XwK#ZsL5@lhlF0{PYw^>S>zQzO
z?*BcOD5Z?1s4)^v6o$uwl4}Y@4sKLyKKSE@G!>wa`72&<``SaM?5a!K;=`e{7DTxN
z=Rfs41A0gsTh)INj}ISsb)wFy`x>20-TvNH81HGlf8VrIQSHH9eVPjqe+UY*00Jd?
z@;~h%e9E=zWx5xAdVrieCTu?^ec#-Ho^y|@Df0$&a?c?h9<mwX&hXrT=t&PcAVBP+
zS&WCNo|~t1$bu~85p^;26*KzS=%maFIp>;q4hWs&Kj_%IrRxFebn-6~hQ&@;qHsDS
zcz}Gm5lXXa>R-QMG*`mpVVb=YP7Z_cdQ3>w-IoZpnX1fI{x>1e89)a9m6uX>0J2X9
z@z`45bnJRsCiY7zgzsuEGO}4;KMqD-y3n$|EdEb8-6g{=#<(?Z`ZX`bV95y{Nc1u2
z-k*8f9LUKR=wMu@<l;K4S(Q+=9(rz@bu)yU<XBN>l0Jq;*ptL%cRTSDcDV+n3_^|r
z%W!gRY(8{d30+(;bON;=rjnChK5pg)_T+quxjRTuu@cpO;<Xw;@~<9fprzp<=r;$n
zvR9;vlZ&2}_01NY2wy*0?L=&-&ieJI^McLAy*Y<E(f^ULnTqff^`|cK{b;h(`rgiU
z&24i)faZR>_J0T#|GH!HSMPk^T7z}DWRmcu&s2zMQ=|Gnhnvz+I0Efo>i^b60%Fx5
zo2s);*F?thP*kSK<;lWE<7~=;47y~_JT5~Lri_2Z?m$GJD_3Umiz`&H$1HvDDUpg)
zx_=W*bf?C}bE$NE{KS87aFJx_z1(~=fBotG`pcrKR90MoJ6YdQ-;75pO*4!JeJuS-
zb-~|Y9^g2g#<F9?)m<?9W_vuLX<3vAzysZnP4<Bm>L6o-nyP|QWXOc3*DfXy?$$kM
z;Fdwp_UH((Jp0!Zl_o&Tig~_h-7s0GYNzf#y2nKD);FuUy%EohKvn;br51JXNtt+P
zIW@+%Am2V{i*!&2b>C6AUgN)^#eoygpnbyY?L1FT4U@t*s#km#Oc4&h&Gh5q7&vt;
zQ8Mi?@Vk1D`9Kr!X@0<*T9Fx2Z^@^m>@1cWz@+EnK@@}-yBGrLkoau#K|VAzRvOu~
z>!rYcz~wDOswL>3tPR@wN&?ho9?7spekY%8`DVeVQiaznG)@tVAyp3{@O6LBc;JEv
z-n_^4Hkt0lXwy3<+Mm;K2xF~T*G)hmu)HD3F?xS<AClZbv3&!1`P$WIs!%mP*g4)?
zBd_eiq9z2ZZU%Fm#okA;9EcX&KlI~-a!kNXK@Mrn^)_p{??<?3F=SO#nQpz(Y;ga|
zNA8(4D+WC7fuIXaL{}IllTyM;O^A2XjEn(Z^Nv9iJideLA(U`U+tZp8{L6hu^fq_m
zm&Jh5NJVDr?nEe`7BZIpZ;X+9;B=lVUu*E=dM<x~w6<iYb7Lq7>(9gDq69cHD||*g
zL|KusRHR_(Z@K^o&ugGQSpAxES1{SxBNSMm{@AjI(ys3Se`ccSQDX}1-+1ysDP!M!
zq?h;q>{Ej3Vi;ER*fMJqR|<b$DQ|j}6KvF%>YMpFpNPNrksJ%d1=ZA}`i0L`q=n#d
z7_XiCea=93XYJ?6fYi3Yc4O|Q15>7@!YO$~Y~1fa=hyttK-%BH@>(Wb?;v<;XF<zt
zdea)JO&seJ2IW{gSPOtgc)61WY__}-7Vz9y$JDfv;;4V3yJXtX@?hStec=>)9p^^Q
z3?|unY3@M@x{>(AN=ha+Yr790TV;-n{hI-qk*M5Jdiikax)Ce!P!xI`hthf3c=4IW
zEE|Z;ePKd?l9U5eMh^^JXzgOwHR0E0driS4=tcEH+{=w`Q<)-+aXeqNe;YYl`jWML
z_SBD4za*o(XhVVjAEA$ZE;?H`x|gJnjiJCUOcgfX(2r}@XtyCHSp`{*>1gtnmY0vd
z=<QrVFjM)+bCFV1xS#H_Sdru%gZ<u>jcxI{7hG8(kY3S^q3OrL>#5AlR<fxlCpQdt
zc$62~dB^5sO6y3alw;F{6ubT&PPKD49K63IbzxJuKbKo0Y;aS&$Hpu!9feB{qjK_A
z#P{D!A!D_<?=THmFW*J|`C0&oX9uaUhHcQu0~U9qu8D<9i^G`}Rrf!1=$bcs@|`aT
z$D@#%{XQk4R6!TCNtt2ocakCMG&Y|p7mPi^pxW+-_0pwNsxjloA@NV3K$kJ%Oi^&5
zsA`Yul|-q+n5)MDwVwpzICNG!I)@qq(Bz;=gOry5UH7!ruCZ>1K)1_6*;E{SEvuc6
zzzr5JacWXT2;wu7Mv><(o0QUwe}T5q%<HU+GMezpT)IFrfCdKR;PrGxrbbR)ccBwt
z_EAg{W_Zf;#Wed2^F5#ojT!SE3P%?Rb(f&5tnr5bxT|~tefP1p$->~^0@7w(aI=}O
z$cX<xSE8M7aX~xh4sBk<D=BlY$BN3anIbBvJM(s+cJVplJ~xb6LE3y~riP24MClFI
zmYC(fy7`~#&?^g&BbcY;U;YD04+5%oylPGR{3RCtu--{+Lj&KJ#**IuT}Dc?e@>1%
z54aN72R0q}ZhI-yDfxNr2mzwVL0y4BqhRRfIjK2s^G(9&Lq@>#WvHlWC&FVc`!Us`
zzSu^PO$C2HSc!GJYEf*R;1<wvWWr|V${t?`q!5^Xc0e7SyLynJZKF<*p^=uIuWORp
z*}TL22CA9v0qQ?Pm;O9Qw6MQnfsu8CPv);X3Ef)RC60GdWM6woSn~ruPk#!mdn-gb
zHlA}X?rNzc_+y^8v5Hax$%>371T)z+_?y6J$Mu@-IUOzj$g7Xg<oF;$!niyg&QuDD
zK<qup^Y5R^uR;3|_2k@uM;48ZuNe8JduzE6sO8|H#ES61Xb@95n<=8t>1sP5VH7MF
z`=tTBfI}f8zY84?`RABNEmJl+4$poULEIONrKeURGI@`U$I7rCP;^|X<i;!6%3OM`
z)ADtXg0P^2{_hW?E{O@a&{3-$5!xk^3J!Iq%3XkfzxtH)-nGL2LnSn&3$L_pbzeHY
zfhAjudl0r3^^8opbB~Fr=azva)fU8LT-*Dz%p~zVZML)#*G<s(0RLEZVw!w5pw5jW
zoq#y9gJut&Y0qWFp4R{EaC)zbbB!@FfXzt2Q6E^T(?dF0JL|)cpzv#6rpR4-98G=4
zU6%F_&5z$x0Ze};XvpP&Ynpy`i)<*(_4AFcLU}jxdR*L?vJXWb?;Wjh(u9@x7AAFo
zK=*kUW5CHNQ2e3)0h$~W4}#KiXmF%t7>E|}UcFi0u-0$HD@s>Q0cD}L4FaDh0S{T}
z8;rSP#}7O+qKsv&P<Ir97bx(bOx{F1{`d9AoQ{vwQgc=j2)qUiEukXSZjqv5VPEKu
zjr`EWlhm}d7Gvwn#Y^vdoE2Nn6rJ%HdxHdaS1?|F+Fj{Up8R4-!hSLOT$Nifo+5M4
z+S%AuuT&*{S|^JflGHbIdglaEmlo8`@kSW$>Xj4VWI3a>h_!cpe(YlLT*TAfZ=Q;K
zeG&V5M`(e=n9+uqjK$T85?Xz%twzkdoK%k&w^W!rLaXT|FV)$}u@QY(i9ldNVhH$_
z@7r3){vI86IlR9EZ8cYe=y>h?SwNsq8jU1tQUzy}M>yonZ_z4&pVXJ3R4*VSdmQ;)
z%eclaeasYDuo&hg(}WUYNvFaP{2SDgk%Ft!@}Dq8#bZ4o@lPAk<DwyYjzuTQJU;K$
zYsJKdzkz9F(?rFI@Q&H_BaPi?eKYfh9)GS|-{<$sjLC>qW}FY@Z|0cY4Y9BF(86md
zdk?4`y+3<1StyUoSO+FPn9|u^!Jk$a$(rZuW2F=YPI)B0r9lu+1!s2i*B7Yge6jBc
zEaMAd3;uEi`t#4^n|Wh2uIGXBy90Jqua$ZK?14^Ux?VsfW~w1G)>;^YzzQu`4QQ%4
zD43i&&E+r!;{@NS3QnkR*TRQ6Maw!e|J2^Vs_uJ@pUVP>X~W*#jf@lFx9YSk_2b@1
z2lJ|C(}c0>Ez~u3bwYojyL@HiL1e;H^XUX5geFyH1zp11Hf|HJG4Kfpl&VS+5y8QG
z3ox=^rS$jO-*xfuqEl8V@hGGRk*%Jl*+=OeOFz8g*Eb6hjBSrT-EpSNTfqJrU^aF|
zPOBC6kJVyZx<+5&%UZT>Ou*eTWMU$U(p131r>VUL?8(BXxi9Ff>Vb#5A~wXQX3d!)
z@?AW$)MQt(D(J{M-+yJJ1;<8Y+IEfzJDQjFs}2_2rZ+p(XgTOX0Z0XP*9AF-4Z1@4
zwo!U&PL$;phlq3za?r_I7em&g+~=LJjhI#$bV%=~w1a+S@ul)ZaxC~!78bF(Pc6(t
zx8b0kO}S~1pa$@5Ig9)^Ec$(x*uHLE>6(Z$3Sa<zu*g+3>-W~v&c$u?*n8h4HK*a*
z>d9241>p;ouTJ>guC=tUi&-i5onL#(lfvShJ9J!~-7a9=>7f8X^#0gIK1-RD4=Yq+
z`0*LRy&<&n_SYYMYwhKB1__4=g&n)%d&Kc)WUwOX-ytWTOo2o{Tv<47UIfU0-bkVU
zcH_#SNiRBq!OzeO<R|~pcuEEAzUliYD%$T!!pPJpP1YsNQm8Iw#%}wnA?SRc?|GtV
z!uQdDBm-`UBsub400vfLmyzQ_MdmW+daUK(Kd;cGnos(jB1Q!@_GuU2We#oJtA{2s
z!gry%w01Ixm*v~q7EV9z^i!TRU9s=)SIQ|JW&~ZUZ!hA%=nChDdwiv-O<D*|vP#HO
z8EGzS;2xk-C?%c?UJp-FKJ0Jjyo%pg5)9#2ImK+&D5!#evKVOF*y!PP$p3f@w+p!Q
zM~^o9$h?Pl<;n@1Laz0-55W?KV{A^-5U~I=$66LAtKw!E;halUb}Y<nQI|*eC0v5^
zs1=QR{7hYv)knldLoN@?&ew*ROB2$j%Rz$`Z*10bFRgjHx-xX~x5{~GfAUIDE7awV
z=gY3uce4DTnPZI^y?tT9GVS8Vhhq$%jX2a2Q%i5v3+3~P2jM$ig!4_ykkaM1!v1JE
zgdN$zYn!@m#&0`=J@inIqJdj^snSNlu*<3{%62GtEqrO;gib)ej!`0=qC20V7)E<k
z?G#u+9Ffbknc^L^Be`5b8dpb^-=N9=bR{koxF>hSZ-0#wHM#kosVu42SpAh#5U<0B
z?H@!dZ;SfKfT;N4^Wo5#OUuSoI;~3@WBKWq5?{)i#lBd^2qrp+Rh}eA=f&|jTA+sB
z(+lJ0Evy}e<8&0)Tx3JTa>o`Dz11byhPN^Jo$B2WOH>jB2GmDbuNYTL$chYd;bOl|
zoT&^?S^FyS#7CYIt=RZ;H?MKj$n&8x+Mh*HWuIk%#azUfqP#r%3GX~--&0^i&^LS8
zB&`Q#(Ztxq<DtpTmhUuT$OKLdCMRXCwCI!-?A=UZI3`3s&|F#de*F;6w6UlBW}J`3
zlj8#w;Ylg}MN|pxZ0ce9SshW!WnY0iA2=MkSm~1?d^kU3_oYcwUE51K+$)m^HC&x?
zM6~!5o=uuc9Vp6}KO6S*&B$ZZav?O8^9l=Rh^U^<<IbUT4<D4)$i(FB=7m4+UH6<=
zS2j>S`YlZN679-E-T;qkAKrUL`v`*0OZx!*crv5_K0#=YZ;x(g{B5nx;Msn&xkG*p
z6uY^|`&m+)me&ZPo!y4(Nh$lDy_d3=yo94Cgm!#<j_)L^o~HlK9cq*^eV5atZ3y07
zOlRvNUL^^|(m3XN=ow{)J;7ew=5tK4(pNU=c`H;O#w~BW`c?FGx1r?HImOk(UX$`?
z?MGy0ryoc-<wuZlo^Iyzaccb3uuhW4D^RNoFM&Uep}eAZ`b`T&(syHX6UsLF`@MbX
zREI_63lg$6WRkcVhMXrp9?P{_TpD+N(azR9PyKF9de3x#E3R}lTDgNPXH{+DL@rsB
zrvxj=)}lbgW)76Gtge)+9xG#a&uN1uVr<KnisE6XdslO{1p8oj&Q{sFUb-sp(@Af+
zV<G2;B$rp~DHVG(O$_bHC{tqa)_y}Ig(0MuNHQu-eFg{}7I)xJcP$ROLt4dNJ=2Er
zJ3q11>&uk=7}q^U=U#i0N|U6-)q>Fl1)jH0zB|%As_~Q>9usq(Z*JtjEbch+eAZ-y
zN?w%8#>OhElJ|}x1JDelL1S5ytc#l;3Cj?)EDZ+?bMgt_mEYd(wQPM+LRr06^bt3W
zIk6&dvnF9sndsy!*IuObQRglCro2bc@p!T`XPkNP>^VmQ8lVxBPq=d7V<7_X!2WJU
z3ddMf{)#24bI*d?5|e((WWGpmw_px8{f(!-Ct+j#g=1l?<GlJ)r?K|pOx~^Q3@uW9
zXUVhQu@7@%sb}?whnAFksdzf#Ua&b3xKp0P#M6i4BiiccWyykHsk3Ial?DU{y;bMa
zB_5mkE9bYJMtx#(rXu6F9~=#AJNz);Eok(0O8$+X?;!<2XK@={tnx|0jz?L&v+|F1
zoxZ&$lVF~tX)qhCT~uh6=6GR#ciw21>0a>Nfgs*1J(UUj@sC&))$dX(e%@_q)vDV2
z^=^Vo&R)R;6QZD8aOAh{d^2K$$|V8+sRBl~W->9d`cJga1l40!vRs2k9Q3agq^An+
zSHHM^#C1^JcPc!F3c@-5Wh4bwTMv2xn%`^`@^28h<G9-cr6T>Q#$1>O9#=a%5nr7!
zmqw-8`~YdQwA@%l$*4^pr;5XxsG-Me^#rdMl4wc^CugmJZu{S_w#EcS%u7oMcJt~I
zxmL+<I+Mh%AkOGS85q5vfDS|vg~Nx_pp$PII+v)MRO(sUT3Wim>Vn>(#+c}1E7u43
zMk}R;7Kf|D^PJz%G;TULcivHLbTh4Ta(h!$&TCv2rYL(gQB3WYvUZN3Ph#Cv@$5Bh
zCo&?<K?gCa!qD63NvH6*So~tj?xo-IIipM!lHc<uwE8WIJD&=*ed|5z;i);0lgm?c
zDPr_nS6@3r(Qm9ln7Hzi*QU16DWLNTNj}}_=&<R0{WyDASrXN&b$Qn*UHv#m3Z#7m
zt;Fo-Eo$1vP+^1DT&1GcZ(|zmT@+u>NR)8S**7tK>uz4%NdY!1pWDgwh_R3TbC#{<
zdMPCivE5W)Q)Rl?OD}o+u(RZrrKu>gf8F{1BEO8OmyPjT&AwYgJ9a5sW5;+3t3~P=
zT@;Va?AcC1C&;$ytaXc_rKQnZc0njs5^>@Jw9`cytCrcCx`Scd{lnRX*uJdZVX0G;
zd!x;aS6P%B0|Tf;6j%LRIH!&jai2+a@C@|eRJ>e?Nrb969~zuJBWfS@y_&8kZ1Q`g
z$%apO&+^q~q^Os@KJmPvMhw^~$Fod&lR6Rt76YeX-8VmZeK>zWimt+EvXzR7J=*Wi
znG{w@l~7*ins#fY1~(ty91%?OdMT`Xc=S8^EcDHu-0@&F`6B1;fLAYL+m<kopjO2H
z&<!{@=A3qu;}2_I9v@8IiH<)SR3Cjqg!DcvxxO9rh(45g{TPGiU=JIm`yE~px?Sm|
zUaNl3?49Y+RmZFPOD7F{S3I*X(Y@2^cdKHPbrDv(yhZa)IP)mBsP1_?+lb5f)L;w+
z7%RB|?qpOk-IpAA<Iesr@cNUE(A#5YN2SHomsYQ0gTDAi=gc?di*DZ*%gK6b=zqV9
zm-p#Qqd6BJ;p!U3rtYH&25&{H@(~k9%p;x^sO8mdZ~Bx>kLCGrOQg^ZN<27c7ffNy
zc}<eaNR<MWpSxUEuN@)e&TQ)tM3LCD^j>^YFm~Ab#)6@+6@ed?_M%7EWlB76hQ#-X
z#n0TabbRqE=ELOmMq-m%h^uLH$5`Dx(Zke9e9f0Un4_)SV(qWBM1UY0hcjdiua1vT
zNtBGEmgS>^c#Gaj_x@2aP3B53^WMe9SQ`!4)y2Fu-gO>Ym3z41w`SCub7cPKzSQF2
zDHp}2Ilr3zW)FHc_qrsMA|@>1rFoO?LTV&FTWz3djvuV3LCimCRo$=d(0v|lDrZ-H
zM{bhyjZrbPQ-i;m7qi_~O3cU)&i)vSp;r5dC)O5*MQyYZ{clv-+rqne<AiTHd38y(
z&Gxd_?$o;t%5%4UWLKi%UoXDWIB?W4pZOIlo6X0nV-HCU1Wt23GD*VS`&L+0Lubp$
zy1rEV<-XDNCZv%OW{}hSr$mx)UGAF2)0ZIJs7th><Rbj_NXheGj!eR*`dL+%OvX}{
zH#j~!7^!5x@;s&O`MX>{M$y4vqG$l)>Jt{xVxiab@cE|0*C~gN%lc+F1E1W-<l6^R
zY?jfmerc0Di6#P7(|GCP`fvs41q!KD?)lRQD>V5r2VwI&Pt?co!KaUU>n3`Sta~(+
zUs~r0Ikvr2U==|zlz_QO{=QkYcC@CmsU7ITeDxBq-je&w>r4&#NtQE7!pekI7ietH
zICJ;A%JiiXzJav%A3V6yc@yWvz6YPsR?l|)IsM(vNR~TWE;pwi$6l^uBx=&#reDd?
zx_SeqycTK(zErMhnXT;6!Y6xeP%@(Q>-B~fjRDW=7(@Qtmi#?yWG3cSpffRenE|B;
zruCS6LUsaOC~Mz3a1c-Y2yqSG<XNa=@Q%=rR7zZ5+Weq#*q1gN7T|fPm0A)P$*_vP
zdDL7Y@^x<;!(SvN9*wV&T4zwZOo7t0FiPG%M)#)E|2dPF)NRFQg0add<)I*6urlK2
zkZ|$pCF>~!q2FBkJ?T{E7qsy8j)QK?N%^>}FRc6}f{!&a9n4Y6A@GGw4l6Ajco=Uq
zlf%lUnFN9aAZ|M~D=5)pj8onlFRp#JlDfP5^IQ##OQ=r1kmf@jX7U3z4$0dQ^_vcs
z4}`@EwrlI%OKXel0#upxh_z?q7nDBnlzb4>c}{WXGD?{eZgPmMNWv?FM!;CTKo$Y$
zuBU<qr#l$#W%>Af`Uw16WS@zb>$nx_&&SJ0Sp;^#&mr`jTe0p%ZBvztPSz~>CFApb
zAHPYcbnuo4BDSv8P(6ZG-#B%5=3}0Pu=M3@bjsWd*?DvaB;U9n_27b2^hk{TnC>iI
z)OaZFLY)MxC804Pn>?C*nS!y58AH=ejaGap-P<B?r+}2J*1V_Xl?C+{foQz{ttIx*
zh!>?AF-WtDsPswo<-S**OBl9Li*?uWyd-Lz|E)o~7c_Rg+IAyryW##50$rT1^X=r4
zgln2^Pfc{P*KWLME^z`KXTQ7cJwOX+rHp#R;KFO%ix(faYWXl3N#415#xGxP=bPaM
zQ<d@3y5#=v##ptD4^6Ok=V5~z9q}pgC|<EUGV1U$P`ySHQwU`a@QCSAw6szse89Jc
z*;|2-d@XS1dn1FWLa8%)yHww7K9qZ*j?q0olfJw4``xX^!^ge7c*XBXF757AN?Ctm
zFabQ`<8;ah{HsylSF^P7nB`~q53rr2GRk}sR{CX)p~*nDTrg^(um3GV&Qo-BetP>_
zqyN0b=Ne<Lvtk7gkM0clEUMJweWK^4>by5&BaDH-bp;cLlGu*iTRu+dFnaL``$0jx
z;lVD;TWjYiOGe((?l_p@&vCa%Wk7_78n<V6H+Bm<iDBbuOsGkUs{s{vS^V2YtOuk)
zZ?{(aoJT^mKC{4F@9V2ztH_xGFSg^vm~0{G+*7e;;OeAcVybWkKL=~-A0Kx&-Mm=;
zbw=fFuWUq0=pqNvK+gF~cWAzteS7tV3Ybhj%e0G+<b_o&H<`nQj)J&w5Ahrurq^>W
z*=yRL@JS*(<<I=&VfoQ}Wc{Xs$?xWco~e_L+g$!7MJLIVg)Df=ug|LV;_hI`{5oB^
z+Ec#ZVr#|+^u>J#D6vkjEuTAacJXZeIujIeykCV|Yer3SFM6)sHeykBeHZe7%ZW1}
zwA%ozSWbHfvmo#lb(B#a^gGt13<n45rg!aI+1~~uH8t#9R>ht^BpLUMJAIXY<9Ys^
zChA%j_2Vq52JbpEadxx%nYY!qU(%1uBNgcUKu2my54ri}r3%sGBQ@efp~xEpclR)|
ztk_sd$6QQm>+ybN?&hiEM^BkTY^sl6B`T$Kk`b8>*N0?WFlWDhEU|un(ht^*yGv9$
z7=7_d@8;P%^t?nbI!iR&x?ELq>-A2dY?5%awF#B{gOfo#AhHXV27JU)d>_?_eEv{N
zwi@u`M@YD9^8>Mg5{joZX#8cP^V=s&%4P1P)*9)%ZB9IM*FLThqlt$_rh>?gPmDLZ
zm4k=W=W+n1K+H5tbE`s>rHwD`OOw3XtpU(bcQS44b-{hMOa=1zw4WJ`LyXIPR-Lk%
z$~fb$Yt#0-_2QQ3Z+E!cH~r!9vwwBoHUv!$bhF4u??n<TdZRbx*2e(uZV3(UH&>{D
zY2!$lH``Zyhb{uov`ul@Je6a-kazSW4Wj2wZ=JPbqKncw5Qb^3z_IlNv)r}%#+U|0
zmP^Vvvaf^{t2(I95P8|?gfF{$jQum^x|f`Go{6na?~Ul0uivU(?vp*4WR2&}T#j}W
zL12}v593~baU0QVoK5~V7()hr^d1GysSIOxc<!Qko6cC_4F(bWdR;2h;$CGd(?P+*
zv)W%-Z8v-Q;$A0s?9C5n1%HQ^1Fd-TZ4G_wquakY*dG>8eHXiqMB@h>`8Py+6Ei$T
zT3YWAtl}qF2CQbDBt~D?sAE~^0-8#L`DdO|*z04%A`~xEzEXkx1Cg+&vD20FF4F?F
zLVW&|d-MC3Fbmg+xsEMqlnHk%$lYO%)DchaeuyS!aOkq)4Z1$)9-11yu}Oo=f;a9@
zuP-`VX^ZHx1y;}6)-;|Xi}fxL?he?*rZTtHGa_$-Gh(m1D>JEHfA9=i!Q5+mOO3<Q
z-($S9I;gb@uQVR)HX2wfw5Th!5S}~cUaG!K78_Oo^DAjXs>>Jj<8196?jecAyWXKH
zM?t{+j|Og0cD8RVdS!^My=S*}J!~o&saS4d+DE_mdn|aom`Rz|wR2%b#)t_61kR#q
zZSyX39`6N{vYP!a=^&f<4-IcgO{fD~tI+4q?O*$O(x05yS&Zc!3_)sg3u5=93{+al
z`CgPqMF_p|n+GjFd`dRt+kRpqV&+pj;az?m<(txSUMjpQtZ^ltYPuQ6W)v*J*-??;
z@u6nw75Cn|OKzd&AB2L|AM|px=C8QJG6EA!hrv%q>nx-+bb#*sZ`xPoK~C>E;5^1S
zhxVx*6XEflycO!?%G-l^y65Q7*Kqy$!q-VrM6F^}4(m*7uX0#W@T?)H2bLSk_wbBW
zHtd4P?ogYc`amTId%a+nl4ONF%0&>?T^$Q*!k*BTruu)auVB7JR$JI4MK#+y8Gk{W
z0y(qzvek|nN5GUuNeI4aL&(i8b6B_(t)PU0yR`})@|mXj6;(Q2km6ZT?uz_L240>k
zp^2@VjK6VTA3Hlp1?pi>)m7N(U?{%Pp+?bN+7`7sE47k9-yqFLRUkO7JE_k%74_3P
zGC~@N$}GLS9=WWf!rB5aQqt67DQ<KiBfc^daf;-;`3Y|Q1Xicm680?RXlwnJyU*rI
zXg@SdrpU*`T}#e%3!;S|GqdMj`I1jYU?;T?mF)G55fg@Ce8^Mrp1^5ErGxSNU6(Wt
zdDvmG^@U@&SvI0~?tXP4qji2!TfyZEsMjjqS>HUY>4C#ZgOR;6onz}!?OR2S7hmpA
z_;C@&+s3LcU|#qy{JB>r+O_FWup*T|Uf;>TE5+_7$`@xZQpX$P%5HVXs`x63x@|OS
z$}+L|;T;U~y_jzppSMk9MEA(eej(FVu2b?C&nOemB?-4tRpn8>d^3SfEw+ax%4PEr
z(d&x%;b-w~p;zAbER_2es2ZT?*T$-1dBb0oU79v23(GSWQU-R$+4-2+{#w%A9=MPc
z<qI6rqriA;Cx30MlQnI!u5G|cYW+~oL8D5gUmg6GEk?E>K|jZ=_2ayk&e1A>WKQcm
zB%h_2P3sLc?zG7q@g}2UCZZ9ZxP+=KVEn8|sO#nq@xx3Rb`+>#nES1Fj|b5^&wuTx
z#O2kAu48<RRseB6$NPmuP!Ei`d)sk;9R83ItOaod8HMJ>`UL^qlKH6BRw>#bp5R~M
zXo;XT7+QvaU$BeG?^n5g_mmL@`w(Mu6`Bm_imz!I9hYcH6Lwmu{In}oYji{Pi_zR!
za(NvDvVQwxzRQ_{k5Q`+42<f-1AfOf-K$sPO5@qvte9YD&%AWW%9|V{+d6BnYEdOE
zIeH$>qj!9G!9*(bJ@hz)G-WXA7x~rG`R?7)Z}#E!4L%#SqRJ7^_$w1XeuUwN;=)4D
z&Qryk{%0>a-|bKuYnO;PT3Wz*ua5^Du3+pjqm5~Xt9s0M)%MQ3*FTq30?P?EhCpPe
ztZ?69e(3*lJ9H*HoNUjymMeif4$~7-jqACE+sn&XG<AK~u-sDJt<m}Sv>&K&HFdVN
z&?IoM|A_HD7Fnl?M6}$f8p4`o;s}XrEOw#z5cgbga?iA=cUKYVFgmEkQyxw`u|M#0
zpp^EgQq)u9?WLq!*6mZevc3qr@T9{dg(Es9y_StGOa9bV-(kpcR$JDRZ->jd@?6W4
zwcn9CCWw}Wf}~>|^1{9?Lm`rKNm&(gre23Yd}P_8-}}P-hSfi}VZ;(=D=6KJE&4iG
zm~zUDbPKe-eH6Mk{^bmK1^pDtdhyD=mG&TLK>doHCV#e@y`1&p%~AuzFdEuEm@U9t
zt2j}9Y+F{E|H;9;sz^m40l^{mVJUx6!R<>_*53_)RS&uAtjh*gESquf-3?lSN^RH;
zT9ES<MjDfbN-bEO8}eHp+SUF9838$XWgj`<=-}!0R*rLz&DLws={7#v%AO8(1CM6E
z&CmDcw#5fy$CXv>6h~j@=($fOm8)s?_l2yJ<4X02q8Fk3Rn^fC1Uxlde5>Wo9wI>n
z{Sgv8I>bH#FWFh&zh76qvU5wpB#~O#tKdfQytaAPp-YB?0&i)^o9cb+)GomNbunD&
z6RdJtoTtFgE6yT#lu{d~#j+B*GeQp;`?DD)9zAy|95CcRFTmYQl{e>MOQP`ix@C##
z0zY}!9}vew0geeXsPAw5^ga~iY8T<2u2Oja<y+V+t$>maKs?K7z!WnRd(#<mP=Rgh
zqhFAVkw$;~c2^9AnM9Dd5G#|uyFzRe6nsA}Wc+PPF!p+^XBS9On+h*+5hd(Sbv5GC
zTqW;jqE<~JI6>^2vafdg59klAE45^#^yXYR2~HN(T{Ikg?0v3lfsuL4FX8JAaj;}b
zmO%Sn(z09qrX-ap+rZ9z?++^QEPU<`gVpM);4o}|Ij2X4Qg&xqaMrmQsBahi<m?nf
zlM)OZ-+}<kAkF~ZI_)M87D@-c`L+I)rma8<deCCX70okw&(~`lTSeCe?!_9Um7K_7
zHF#x}P?<oAP+I%xaG!;VtAmEV)4DV;#-?dFg$6CAuu(-QBvq1H**$JF*C!{xGo6M!
z#1<u!nu;XfO8rGvQJ@9xKo<kMbIa^^25bc{?lT3Ql5b75Ds~F5{BxSz`~tip%Rf(n
zT2bkua<xrpPlAR>8TNz>p6*nX;HsXvmd&v7OU8=-<Pcf4grtbPbLxmE%(y9!$z6BV
zBjVQmbXE~RsC}!fTgpz-vV&UQZcOyhA+~0Jrl4%cgquIaHvC|ic5JKP<uycYwQ0%L
zfpoc5y!H_Gt9kE>;Vn+ADrElBaXaJ+FGGWPh7@ltmHKer^+kdmOZXr>ctKK%BX>Iq
zCjZK)KYKHI9O)e#j;Ec<_?Y+-BbAPd5;H|Cq~;@GbKP{)RPUcpTIdz)f#GxY9SEYo
zk+sy8ie<`b4>UN^Ny2pgX2M-&o2OZF2_K(ze-llHzGq=W{FoyZcAy9wkU<^T#yH1(
zZ|}D#VL1>H2WnNErM4<<LsAu2N|=I-c5c86z$0HRr$3m~FFZ=6XQOMCmq>-B%6=B7
z=%K@|41rfDkf7+8feUZ87}stJI%o&RHL!~XwlfrNUi7@OrJiCSGkX1eeTStK60Md#
z2hPJnyBn)_{T4TI#9`oN?V=7Kq#IrH%D+|`$Ox6}v>xMIsa=&{kXMP#X?A9m^-LIX
zL8vizVY`N0#~&I>*y^$ArC<U(J%~^0-2BRhhAq`MV_@&zm+B}TIL5^?{AB;CeY&f_
zkUKq*EdvD11wS<$ZsZHAt+hgJdbS#pMh0H$bzLhn-x$fr^Q>#_RhzM&<UFmzh#s2a
zu{o+nps4TIdvFDoJO`+KiHxJU%mld-`qANEvvff2c-!`N*~smc*V?L!8eEV4@>hO0
zG(P<>P{hLdh}T8#ZWuGMRul%g7qbxeH>qq!UFZ~Rq(($#DuW(omII<KY{+Aqy63=o
z?~t?hRvxMFRIfDiMk6MzSuU2mp~SuiMtj6Ti1wEqSSLvF<Q2WNbj)_Z{5|hr3lhxU
zPe@raF*5Z{8c1FV`+VIagTmv?Yjl~?%^?}<$P4TU{I7}Z{7<`8jJxKRJMI}sF<RIv
zt}*E0+|en&xSPCUnydQyw#6#UgzXB>`t=)-*<7MP$+cH8;#);3mx?|hK{uOVJ-o{1
zYw@I2pSzaG_~+U$@ncq;1>du9;YLahWMA$#&eJEkC^B@E(hbO-u`(maP970GYB=eO
zy91j;&0#86pRNu`tlf3Zh<tx!DX+IBL31)tGrd9~$Y5I|=FBk(apiqTA~klz{XUdt
zqi64zYeQ6NNB7$1JHwS(Q6Rq{Q=~pSAV!u!{T9u#lJdD0fq}(KZ)pU|&T2SSjkaGk
zc^?M^U_CK=O>BM?*;&*ol2`i44MB8l2<{GKV>eMT$>xPE6Fp%ijn6NZS)bV2$Up}8
zWkgz^h1DL#V9qCZmzpT>J-L#}nK(eqX;>?#a(+rMF~3|OY*4ju)B64n1{1E}1cT4G
zOer-L3e?V=UvK#f+1RqO#e5BoV17qBKy-9Fbng(0W5l`ig`;$;r4OzL!GcH!C9T(l
z-}A3_@<8l#z<D!HcZNrW8u5qwF_;hr;2=E6Y3O$NDlxIt=g`7{mG3iUlk76Y9Bd$*
z+46if_vtl`6}6&HdrB=ef+qG=pqWTVy6A5o3lFMCg|qb0KfFP0+o;2b%iLTaC1KLj
zM=ogi#{CED)hEU~oN%rQ7g9lkJ0<WaJc&*=^kaYViyxeo>wqYs=XRKFL($z;RPm51
zQ%KrzlWI~Y`0ZOIE9WbepR^simyz*xo@0xj{Q6l4por-R1#ebGqRxBcWIhA8xvLLO
zU@5>=CMrMw-*ya2Mz{ADU<0V82YzcNT70l+GAcaKIc%Lu_hu=j^;&12<tcavk$Ss+
zNo0r!zLm^sO;O20BuW~*V*?pN#okA$bUv~_$;$rbP08lCqurH~l@lt=7ZEm)o#o|G
z^=(gTlzIBgK9B?#HulF^SfM(*et(X0M&G^Dg=OKoZ{9$EF86qI{Z+7XUgJg+oFbB@
zmc(o?g^;!2c6^83LenLT04~c5r4+7q4u8|pKSm}y_VB0nlkIlT9!lMM-8w7_)JU6^
z!Fyzj7tSqhxs_Gsm6jBspUp&p+tqXlovGxP2ur0p8I;fLgtB2Hq2wVCuA&e3{L*9|
zg@?@ufH3w`qHI%QJBu#Vo;SxR)uGIGRNRh%B|gh4+nLUU$JYZP&2xtpgykQUpw-Nt
zpO&P7!W0UEu1sel)3kM3@QJXEPGE<aUHo-w-S?(^5rXI%<o%R~ZAUkO{?3^XZWMei
zsG{%3*oo&|4-<`UU$;|i<fO)07p(r!qE)Y5ya<xTVPtF{6(i3zvfYPGtued_ZzTGa
zS2<ZxsRRsc3q!lArL=;EY>JSTg3Q+MA-jklUnyw;raDuk-HS#^`Doo~Xnw55yHL7j
zh90nx()N@m{W2Uq&_v<lU&SmnS=x?V$I>Y>u)ndqot(smH{g_%I^A5O%M9=qRdJgo
zZ$5>t7jW2QSGqD<8;Ps(!tO;a@A@mjWIw*m$6P_fM%@w0kxH}r7>pNJ@DFWh-7T&h
z+NWoSjn;`GzGAWACGH+@Qi9mlc$k7pJ{Svo8#mn2B9?S-CH+aIm#DWZ&=OfJlZ;Uy
zlZRcutRqc7lQUa$+?^Xb#-!-TBU74BJ4=4A9w^DYNZf1W=`<AHX}m?RLIt+aDzUpf
zQ~{xl8>jgzyQSe}mzT28JFc2`vCatumJEr0{ZnD5cY5@iYI<|KGxn!orXtqYQ9r;=
zAApr3^E!&tV&tAICRX${SlGF_c6@N}S4!c=Zs%ziT(b4h04A^v8S9ZkX*M9Wb6;Fu
zgePOgXu<#>A9Zxow~e%f1|tCrvykyNos#nO;_#+}*owUNrHJbz@fKH4{DwoW6;ngc
zKDZepbf(|nn{#{U73+d+xNP>k6K9r8r@y*#+>#*%K{wH-!#fxEtjHPwwIhQuBpq&U
z_x4d8ZhmT{B5XdvMj2%PnU>RWtMCRpH9=_T8^*MUR5q^o<FN5HewN9P!9ODKv!rl}
z!7k!kXSYb+Sh_l#eKP2pxYEvtw+mZ!Q!t?ui<E1=dB3NCx#6Cre}6m+O77A%&OkUA
z_iB65`kH=IAe*6Lb3}_{#vbv;4I$u}s)_)jL700!zn1bC5?cJ|6I!3Xoawe+KKy1r
z3Y})yPe5o6zL(uwBgYmwUfX~%%v$&>sc?UHYPsin{<SMbo`Ei0!*C$nOTX*dTi1PN
zTaLAfsWQZP*{qh;(w>MdAG!25_hR-K_b1@$gY9i;{$ym(<5R)BDTibYym#_Wg!7uv
zDTXVE{0{JIEb(;wj5tXLIUWMtxe<21cUfbjL)YydMd2$C-bo`7`HKVO*bd=^DY{EQ
zS#Xa=k>~T;hFg8W<ZMNl<ROTSK7|!V28g~5P>$U$$C{Opaa&EcV0_W{T(dGYW(@$#
zall8>vxMBxuiDt|uXBi*!rZ3&*5wXkeBy@&^!NZ<mTAw@8H0PST@2r&N8VE_RoJ3s
zT#xs7UW&xOLEIO3!DiYl&9&~BtI!ZJCqnAR9~u8(Q+$|6@&<GwC7W^>EbM`UnZ+sj
zLRmzMqVM#y)ber1d~hs#mL~S+^%*9kVRNqEJ+@X3>XMp9tu8p4g~Om0LwD#NxuUyv
z3ZZ%N9j|P5*~b@sNgXLLtN(so+m{@hiR)GE>EdDZ4VPr7Eh;wtdrlg%5NwKa%9D|4
zwofltBG73pjzgTFwJJ~i1Ol}qJScENC`7Kv^N}@)C>&zseGzj(+ba@n6n*E&3$)kH
z^5M5(_m5^gAm4M>=}M>NZBZGhtRe*sYWzbzTy*GrRbhNBB799BI{D=U$ZtFlL3c>I
zh#%JDMck*jrgIzit7nK)cuo@-S~%x8VDsu>De_Htt5x#JOYqJA_X3zL-q9-N;lo#c
z&I_KmJNzYi3xyMyNvoZAY>5$s6Ly`HbV}w;7h@fj(TJ9<Ane@NYVry=C#NllOFq$-
zRdIHO?$5Wih3bUMfZ)nZr!)jFqjX{CZ10VL#$*{r+=`CPxYJyJh(q!2=1S+6<3Lmm
zHriKB#g$$`y;B*;9;8-sx78J>J->Pdp;I(y3vb#S7Ny5CQa_!Rd<kk#1aH606p2ye
zxrf4)94ALKee#wK{3QggP}E^a{GI%a>(0HpH#y7!IUL#7qJoaFsifv>x$tQih+a7T
z!XV_kA+QRSw@zDSO{O6SEp7KzV&A;9mRE!gyqvodwm)bHub>CbO8Wc;0ek;&xs(h_
zJX!JQKs7gS5SFu00dT{MXR7GaDpwH7(N0jk+$IB}Cy7<CiW*AFS|dLb`C1y`rA(Jk
z$EeXPY&y2d(?%%2j;2$f;^==##taAShyqZ6s$iqg7j(m_?lw#`7NyAOMhZSDPAAf!
z?<|+6au4GwDo`_uWnamGju-*enXQc`x{l3-=Tj%&LZT_ZX#lHkB)_x$qIABpVai)$
zi0T<i8l|C739W+NuGw_k8?6cFC_Bh%1y=PDIt`7sm`+$<wRnN}iGZ_wwYT|NLaCl$
zT~$zj&Q^X)F`1MTi&r2+>tpF=VB>sXd%#iWV;!rVES274lq>-M1;=;)SBzg(B;Wlg
znN~;_mM&Xh#eh=j+@kTgXvkNcpaHPbWWm@K{vho8&$hJdEx4r5d{&}x3j0I(hpAd|
zl9<||?`aOTTkc()r%F+xK)KFFjkRjS0)QK364~suAn=4a(?KGRC!%fsD8M!Z=pyUd
z9N_StO$M<1b;;V_pQsLR4vJ5NCp5ntegFj$Ypfjmk+$;P`*^eCARyN>$?}9RCAOn9
z0nX%bxe>I?^aH9&vlsyW83buQCC4Rip2gX~_`}8GGuDe1_nANdS1k|;)9-Yyz%U~A
zEMLp`4@PyxFN@x#Lfl(?z!D9|A2YMySW%)Gfy|6@6?XSxJ(Ximk){en#IpzrMqcF8
z_wpYot#A`fh2@byI<{zf;gv=Ta=aupbxrNPE+EhZVU0aZ4mHBO@PURX9KekiWyNZK
zEq`iX`&2Ig067)Z!{83)S@^ry%$MMT&WX8B799H;mwrgcU0`+Pxx(8$P;!j{GLFLv
z^{TagWfx;&rR6sA=k^R!GMtX4OhE=^P<O$AN}r$skvu(B7!0i>;bL9!mtt`l&lKg+
zR-cmi(U6xUHxz#e?jH4vkzg-h)DD|s!6Vqgy5Q`04{fuhtdVU2Gss3g%CzRg$8W(R
zY{jb|T!Gq%y2lWQ{*G%xp^UoamgL|>5LViYmn!YDrF9JbV{mx-91x3t9$oH%=<k@|
ziX|lyqUV%je+S)+-G42|DL^UZo~qJ*Oz!f1CS63G9tl{do6#+jt&@fppu6u&)2>5o
zngoAS`0sD&$B7Ck-1HAL0w0&7+7kDRF<ID*3VUnL3jto^Q4iC#>Hmz83UjtM(|%^3
z2=6IRk|LVE1(r0qdj7yMOmbe5n^zm!apDCyk`jRy(BRYFI9Jlx&pV5Nvu3u=(bS@m
zUuzUa%~W9iMC_1A&%zCmM6~xITEIR<xce5L9mb>!W{;$Kq?MT`sanI(DpWwJI-RJR
ze2s)lQ<XRaAQ*~~OS@wWS?`7HNAaPk#T6m(f)~lulz{RAd_$&-7sp<+a$8RyviXrg
z*R@{f{jbJt{l4fsVhxe8Wi!({140;jPQ=U$8nn)vEiyZ^!Gd15R!SFWB|fs;Ls!R$
zE7#?(jA=jlIuQ`2&udvfek*0mYlarIG(qa{R^I$rZ(H9Uz~E+9uyGag97_e;y2ou;
zLeuw64>j&LX2zyU)W>3c5@GVuO;cmBg@ip?0W&||Z|~8<A!}dQ5-!hRqP>f7ozY-S
z|I>Wc5&@)P;lZ!xy)@mRH}C!qbP>6ulxeM*B9i_05BcXZjPd5=5(dp>6jyTAfk1`9
zJv=Qr78h3+)f2<L&kchR&_@DL`d;-Wj~D0u4o33JP=jD}{>hp3^t?UY_>=G0vo6BI
z18MX-i)Z0G%x5Bb9rANJ_CD3|b!5QSj^@zuyZUA{uCVRB0gQLP#uFW?2Z}mr-NnA6
zU0ra!Pa2hz8GGb+xa&*-mNP}zeXxAE*$qx<m8T$Mn?JEznjz82jK04wl0GM39L9$)
zqpWb7M7%4Udi)K3i6(7Y#$1%lH75p)PxzF;p$%XRKOA76O%CT@##MoG9^~8+Ut~bd
z3TrPdWW;Y$I#C>*=n0aA1abHWaAH<<@R`TA`eD*1Jl?_Z$L`k7*FLJ2rT|^7BuZ*r
z(P=Anh{0vwptS>XKp})udf5-ofR@nfBbZH3%Ol$>nUWFmvqG+LQ~~tC6=f&FT@(@E
z(fX&8uP>`mV%ZA%Le_5JhCd?^U|I>zl1XSFHHSFg#4FIloTTMCr=JtiT;HwFkm5ef
zxq$y#2s=DU4s<qfaJCk`RYA>8I(>w2jLOj#M|hu1$b`aK^GL%29*^V0VNr4@WWbBm
z8DT_?tUU{7TW<aHOHj>_H%T2fWXU(DjR2ex4jO`=emPmd#gTl=SD$zYChlMlR!EGm
z97^J1Aby0yQbTlXB&=w?YLS7E{q`{nO3+pk-)6Rsy*i;F%L8g9Lf}}8(^H;+<_r#G
zNE$sGs1>c#Ua@cHA)HxDytsA775s6VVFDOZ1O_P4vUsjvG(Z%7^~MVh6BAcgjDtzv
zxv{%1e8G$#0XQLZYrVE0Ovik>U@~C$_SYHH7++US@Nm8RWZG%CyOD}Rb;s22%v4hF
zeFlEeW54jO;ss|@<6&Z<tXFgm>wR+^<qFODJlu+?dL5Irq<KIGP2|*J%d?;Ue)j0T
zDXyNzya4I%oF1X~isr50pMBq#sJdUuj`dn^GppWvw@J6Y`)&Pe7S2MGK7%s*4d!?R
zg1#;$oI%w2nt1}5@@eQU^J^5yVta<rNFevCR@;?$!R5WiX-azBC|VrEhbv4GZAb()
zh?u*;XyC^TupAXgf!XpTnQv>KR>>&4Z7J~ANydLH^L5#oL;uIqcL!4a{r{hPuW@Y|
zQPx!=du3+aC{#q*GOpP`l9BDosuWrxyNt-5DdR>)5mH7PRvAgiNHTuU+xzqV`NJRg
zbzbM3*BQ_Gcs`#3q>5EL^>w)zbeJ1IJ6w5+l1RrJ)o3|cy}*M;cf>rz872kW1%aWB
z{ASsX_91nh-^H^Wp-<+A5M59V#a-<s6L2xqwdB2Jl^c9^zd9vnXyOqMsAhWV%*@5}
zho)nKVXlwPU*}tThsd!ICVtbGm)B;5n{d$89%5xs#!02tz$90pjIGn?MwF%&4Ci>>
z-%g%nfMeF_p`INp<9;qN>m)lH8S>kY-q)sEMll9brqO;!V<Y6JpEH6H7($4;a2V9c
zt4nL3OgU<kH+$2a{swUb(_x=7C@~62Xv*Zc1jswy{Y=riv5zX_4Zp6ppvC^1U<xpQ
z@`|~Ux1%6%nk4jfsc-LsYATu18-xFu?nHxz$bkg(DE}QMo$om6yDYgQ5Aqc-OLUih
ze_mQOrG?0E1XAd+R3E2$J~m3cf&qWy(8$<k{7y1Lsn_T&<E8je4!9OfT{zi!BZcjs
z|KkrP{ajPlNt<q;kzTv-8S0w_@Fuh8RrE4d7m??p0ttfytf)`nI?6fE$W8D#27`KD
zJv8l=1mR$#*5;-m1B^^0U;8={Ur#A+LQ1xa$Jx>@_sHAi7iLD@@-M@mce!KaARor~
zSf@jg0OjnDIxb&NL#l46><Tj(o<rNA)ca9mrqp^a$@TsK8|stGLofN+m2*RO@jg%^
zAoR{Bhl!S=dN;6P{#5Ti;PxrXR<JMubBsNq>p58DQ2;wj{~hVIY)Yq}!Zg1>7fH)}
z?(u>>aBT_`%p=3~gP1#BP8Eay_gJkO_wVr<6I!?g9D>=HNlG1J#|z-N^BVSZ@!&RV
z&0*c@VR<qI3UTB>J|lEWDVmYJ#?Rv$8S|NSAu~*RgBAs-6_+8psV_+<ZWdrgOoLu0
zr43<Xd=-1cPs7l}gH_E~YSNq&H>IiDt?d80et=Dg_d1onaprOFL|ubJSax6lNh(h$
zCNV*C;7&kQhb5)RFY3#eePOqJ7A>?xNCe#m{}db+^_DopcqIF_on*>!Q2Ll1AMYak
zJ2|UnMmxR?rdypNhpBzizYh(V`}NZU!GJhzSASCQIs*UX5p&ZtH*5cMMwp;|C|eN(
z!8>xyc6coFn19xG3AIJ&GbThaydi-K9)KlGHrI9+Z?lOx!I8D&3DpQYWYf>(*!GcL
z65pE|dfdnoWL*_U#olXYv%GX!bb6?wpYOOYMZ$snUUf+SOdBtGy86}e0xV{IHITwh
zrQTIV=dbs`f-mbKoip&dzSrw|WetYuI}pc7PAPaW{z=$~Y!5&>>dVPE9X{wYbaw^T
z#S7>t8ouPR4?}te?^({n1I^v%@#{QpLKx&rz1g_880z`$2C=Cdo;F-nY15^yr>_|E
z;ik$)l>VW-$`=5yR9DLMyF`^%Dmjnmy~>K-DLwn|bXOha#`oSArq7n-p+nQK`Dft5
zpLQl+I6G%Z{o2cgL^9WpyMfX)z`~N?#wI71(-H0;PoS()C(2s^X8?Q{y~RW2&0(}e
z6@F44CotFu3E<wD^!Bdbni2YZu%Zp6mtEEuYuioz#E<Z%Pd<cSW;vUiesZy1eXEY6
z902ab4TF`ie8#$$cFh8)8M;-b|AB_{pJ38?-I2nwD96%QBZ=PJ?9(JyD!F~e^Mn{y
z`5wuIZS&4ps>T?JOp2LBq`g#mf_!|lZi=9?n^y8oYqwfkxQ)$|zr0Ln)gBSK)Z@o7
z74btVl#cAFu@Zzk&F79DVxvmZ#0zk4hCtI6ig^9`UnVR}shlnue!cCGGB_qQxcFtO
zQ@@|9QauOA=9EIIaivsn)ACVNQ+}p@x_M-4eYW(Zj7Q4g#71*+WO&cq8x=X$y#aI2
zo;+wS*o8<(QwC$LlLXp&Csz6#rrTYUT&J>~s?T44B@}XFY48FpNEK{oll8G-<w^AQ
z*e`v3nJ0OG0jatmGPbE*y^cc_rSnEQe$(E}T5UB)!}(egE5&1lv)@!mK$3?IcUFwr
zgu;OEbc!0mciJdrP=6<HvN+Hf0&p;)yMY3QU$&Vm+4XI**$Yj=SRI^I(XO9wosP7=
zk5aa}%(?Ll(`KNLvr(Buhllm=pAcQ2+&xOo0A^tJc<t(ocA<nfQ@jPen`6IwPe_=V
z8P3>CcVVwpieduPg8iz%0a6eoaQp>kQZG&$8JKvqE>FF@k`U|fbg+OuDy`LV&h(=C
ztx`_X5B}*#esDNGl*8$8bv_$D%CZ-Uh<tkYa@PZ&2fF2)r!Q}MF>(ugZw<HS8Y2{G
ziqU!PpY|SOqa3pkc19<EABN0xRkz#AiK(D2Nc+}+l^7u3%fx?I{F_5C4;@WjBcAf(
zF&0Bki5qKgHK0$cooiIG;7tlsZIhL=hzPM+r$MRg<lbj*=?LD5yvr|+3XrI2yX3<E
zG6?cBSMqQ3(KRGgjhn{;XHAi}B-0EYPayvNayKy4#V%qORbJ@=j%A_LdZ?c(90Ugk
zU?oYeA3XOAZob(JNzCnGetiBq(_daB`>XBO+nREEFeOcQLYz0{2AB;9!se#7@V>3m
zk;m89jDhxF3;8|Yg4TvuJ*40eP_EtpzXyF(;}5{AcXhaD%b*+}^h+kYZo7VH;w->3
z;6}Ikk1H8G?s`@6<H8IlDss({W=#QQbm4Ok-9wz>LokVO?EEM{C-(mKOlTU5LX0jo
zz!sIsVDQDKFj(zVCCpva99SHdN=H=90uoJ*=u8WQD_)88{3(eciGY76VfA&rmVFQx
zNz+-qfSOJ0r*7h12@aj$3GJBr(kBnbMLR2uk7pv1z)#n6{X@9K)Li|nV6k-;?CBuQ
zhtW$KbO3f6R49#Q4g-ce6d#yWb^blZKtl-=`tf81a~Fk=X9v2<%4v7?va7uVi#(4A
z^CM#yye1KhjaBD=07q3}X8!7#GFb3M1Sw`eU_n=lv)asZhie<8I%9UnhXGO<^?<x;
zVI)lDF(%z~L3fyYsVUt=qy%GB7Zn$zX=Z{=jn2Rxf~`$3pL=In%`Lh-dRPY}u9omy
z2`p_dYrYJ^M~sR~5YIvyri`6IZNo&G0r@tSa}uyoCtd9`+l;~+KkmvBNYeE~sXIQs
zlfd9Lj3uQ=g>YaJvs8N)&J2d-HtGU5LnI=WJ>ZLbs87VTpowM-(Pq4DE2VQQ=L_8<
zOQS`QFsTbRdh%I$uP6pzG<C+fk)o*ghkr+GCKk=84rsYZ2W!$D0h&f4JYpk`_sa3&
zip$92K+K7I#y4M=&o<Q5dRrVDgppIdg^s)DnP50R$!KCX-!U=;ytcyi$+MoJN6)g?
zoqe?1Q^eE3Q9*LXvfC)$ql%c$Z~vq^lPcPFA9!qwBhx(I3b<7%I2=<5_XM0?Bp+Z;
zrcPlyP|ldiO8bC+5T2SxbJhpOp&^vjr3=P>!@OH`%W){^b3_J_{tdE~mXm&G+#iEn
z$_!b~J~FiYiZ2q7!<5>IpyXPG(%%h}wd0|-oh5J+trEH=s~|DX$Afd(#!_+^SNnu#
z8iPLEs4GJ)dTyp-c-sjWoyCXKi@Y9?E$`#(BWT6qtep-gj~w_;vOzPwy1DSdo*$mJ
zvf$&N?h?T!u8CsW9>3Enr?~ijkjQ3n-d;!K`-?UsB@?WYX9XVOtaRI@8IE?CNf56*
z&($aKe@STAWa+IdZ<2qf&5b5K+gCjMPsHkeqlK@8)s)QR`e*o=@V1|<7IQNg96D{t
za1Mi%mrCL!5(~vk_!nrb;zE^e<a7TCsd9n`1=u=qZEwiRi2P^fyPz>Qp0ZR$c?c;B
zvoyUr>$Pe!5|gei?+dMjlZtv8W4}NCyx7{e7ZJq(0`WXdDTm><;_9j;<U}cr(*-vv
zd8%$OkNS4#WCYPhbVm>)oZXsVHFMU4e;m^P`7#6A$v`{{^4QrC_a!1h+;o?mOfoI`
z&oh6|gMNK4nruP(S|%xA4Eni1%(;E>*yA{rSClow+=}LzT_{<Wp6<Ed(4l)x2!f5>
ztoyEuo0DlS0~-%$m_JJrl;bEDXzo5-5(|`JvePZ7w)t;EOVTz|$u8*hJXLhfYtvv)
zt`(0?%ZNjy#!r%$OZy$CC&@^obZ(bn&WsS}-;#SP3Q7kTT@uDx<cv+%Kd)-gC{{bR
z&KQ02#Z4YTeGLt8GEQIU5%|eHBCW|t0YxTY{&k$8G-B{N09IzkiJf2eX99Kns{Z1~
zSs(f;8IQ8o!s5T-jW&4smdxMwzec2%f)>NS$b2%hZ^h|5Y*{NsuS&`75FV0RTEC!E
ztd{@%@wa1%l0XQ20nxNPVV5$<0}`OMSMog`Pn}g@?l%mirbcca`o5X@n|`Q1L_oVD
zHd55t<Pwj{w9L46saYcBtevXdP+dzBj{T4#<=v{L<*!qwMJS?Ry`gLNNz(DWhzO6N
zOK!|*_~?k2*W+V_O#h^Ry7r=@_F_)g?8kt;yS2KX<XtpiXdAOdeRYGLH7^*qGw96&
z(ME^VaeJ7-^6Z|pwW^b-GHa8&>=d)XymlU!f6=U;$A@1sf(vV0k?i+M<fO!0{(2An
z8tdwe<qkk0d(l|y*6N@`xY2p;&iaf29_G%HmYA#TG<nih)v2RzzBjEb$F6GPHBNnb
z$v9VWq9yjXn%oT&Z>{p3>88GRN=Mv_kHDz}ma*9<hVUR-TwF`!NwJ~DcfGLx#1AT3
z-kYPE24-m^-t5L0p|kS8-<<gL@}SI;dK5wIcsOo)I2z^n1iRWdotK~P-?Iy;A818~
z1NZwZ$aLe>{FEGnL{+zO0omZEY{M}t^JK2>!(Z#U7h8BJ%QBn$b5Bye554!~F+QLw
z3GT(?@xGg%t7Bhm*i5cue~Uf(;QM^ZD4jC9PJ%*dg7fi|?dZV^W9@ohl8>Uz>n(L&
z(!o<U!N%rFt#A4w(I?Y$Z{m#PkvC^+TH3up={GSmJ47gk(KVtV=rCy7aN4w<{mZba
zUil^6{cpqQH|nL61g2J|b31g0@@ZT8<d`A4cDMaqhGz%OCjEvEY&1!AhW!ryQuujS
zsH_|<Hu2|NbqHHN%TCJPs;tRecy%F)ASZ1aw&V&i>MzeH^o~nZ3H{mIHC>^VE{CHD
z;yNu6S}~dKUU}OA%m)G~<Lti4j~W6_bsDnsHi>U%FcL?D_YGd7JmRT6@u-Dx0t83*
znS*}4;}|1g9D-9?NjxdGwEtb(C$;4(baJQ4Pj$Ls4b41!{C1oP#%n*jETA({C=R5f
zXFPPN+Hc;>otv<#hB8FZ*pV(2;T_0h<NZ`r&Ze-6bY<LRDQ;-;`%U+uxU$6{6Q$@H
z8M!o5_mP4cm9H152~F%h3Nan9E^<OmF*kP)a_XJ?j=5^BE3%JHNX7ec-RL9j%kmp0
ze=xYh2jg9NLHVmTTld`~Y0Dl6PuE{%WarHv(M@F?q-%2)ohuz~JQ;iPdT|LgjCt7n
z`@IFo#}W6L^<LoTNrEqkpIJCl7Gk|Tfp$u|DVxq-@2@0pUGy%YaQp_Hcm5prjqY<B
zpL6&;Ee09mF&6J$k$C_!G*QjjtR;-U5i{T`cgod%J}EHtLR<T2e6*09O!@9ksl=aE
z*46WWI7v$MsR28<333;}=NVUgnH&-I#yqu9PHSwXyleK3ROgmT<W4`+-}2pjs7;^S
z;PP<2u_6xgEkZ<2o0qJ`75pKRYWsj-TW;5EOMuO4!*Ru@r+e<m*%uPk`)#Vj`niBE
z>rclwA2(F^PdhBwafMP=)pX_7)wz=9;1}DwFKX=;i^*u2F2JV5%)Y0ZZdO}{9x$>e
z$7{}wWQD_tZ1wl8BpA5928k-(T*#*HW_$5~rCb;c@oshYmfS9q((iH)&)5HLNI2ZE
zk1ph}H^s$qeU74MvcFFZs?pw791CSIjFm`S^ciLO*B+w54SNm><Ch<G%|=><(lQ_J
zZ=e296nPDR-;*m<hJMnJB=0UR5j0qWfDZd~`!&B9$0(M4=0a%hy7cS?Y4<0?8uz5k
z=&U?1e|uCGBTi2Ua=xuDjQ8Dd5w7aZirc@W?jiblO@L-P3MYsRZ=xtj;uvv`^9u2@
z2P*}^$GooiVQemR$2)l)OL_koyG!XWKk8M0%?Q<DKb!KMjaM&3^Y7<h#-N4g&2;#=
zzd3Yz`=M$+E!p*F&j;!X(F^0Nj<3)!pLP7wesESxt#l$Qh@?}PhwrJoU-DspK{tlH
z(?}V4D`1oGhq7o3wX+<AH?HbBY<@8s1Z8Snp=B8_+dd<@LW`_g{~FaOeFJZA(98~l
zRCXHspYM0;Xzy%J&^)en&e6Uz@OvCGHB~w?UAXWz8b{hgL-25gGcUnzB}x+^-8$B(
z?37L4obchp(iTosylS)FXGZVa9_X2@Y(y2uX)Krk&GpF^JHQ_9aO&~a!tkrnD51)g
zZs3SXh2j^?ni_|;UN(i13l>5;Er4Q#G_a%|*I~E%c+_J;!QJhw{DHCdADg?M%#g1=
zelY%WbdKlT->}YLC361{uX1i!HLqYD_5geSkgdwxD;F5FZ+qKJR&xf)Nnhz)EbGCP
zJ!p`w0o35+ycUhT6r*7N3T}DAZ0%N*0KFW^2G(qBS?oRwd4~@rrWi1z2cq8ON#@Ht
zTBi((DZ69`FJ7KY&ppu=f2dJTt)1>+!j;Gj)cf!#Jz+h$MenDvGvgt`^(MCYVtU^v
zU9-AP?nj3um)50Lj*ttk;@%qDmN}Xmjb({Z&aYMuy?!rAyfT}s54ld+zZ$n39s4MC
zW$9&7GubqVCsHqUbS8)gCr84<l!_T;?Ie-j+4dujd_H)hSp;P=jOPmFzBNrL=joV#
z8pD|j7Pl|E?c8Pfy1bJXb+z(i*}r9%rH@qS63pe%fjGcgOjc)4xyYlX44mkm8q)e`
z5X&)cRth6rEGcb9V@Q~Lj>%KJ+gXxepySc*^ZmST?f9ElJxM9kH@}-E#}|s9@My*%
zAGug`_#j(AO0Bo*vjMKIFU^1k`MCJ_K@QL2<u}*D1=angv7-B;k}k{aLVKO&uis=K
zlBH_I>aL4TICgh)ru{89=obl9JGycCX21V<51kwagtBCMETsdoA%cSOlt+2r*87Yr
zb=MWWzC5M$7W3x0hqgM0S@<!&JE?ReV0-!PzS+-5oJM4kuiG!sgzjOhrhcnd?R0DD
zUGn;5_>R6*SOYLnhQ}Xc>-^scej~FG!<i4AarSu()^?!T_IuL0>wEK4)vk`U&&!DV
z%5F7&z>lkeMTp{SX0-T01Kj$BlN{v7*of7JTn7Fjg#OD5aINL-8(PPT@t)Fm(<6Zm
zIqoM`D`lir9O0rp{T0ka!K*&*Yy($=>1q_g(0rq=;p&oSuk!8q*6(bQJ=XVMyq1#(
z`RR=H>I=WwR&(sgUW)Q+(e6}GOM2w_(_iffE6TAGu`}I#A?jaWOP&F1)=QIR`;Zf(
z!8BxhJdx}dJvOae%d0uo{;1xfZ&$yN$4qbYi)AoRy6jg+x^Hu%j9{&e>SdSKyDs{+
z9a~!zDZS@=l-RBOCCC_a#}AT~kqBS3D|TS;Wd)bLWv=q@>m6BJl!8V&EA+BCj5MO4
zZujW0BRVJT>o>dhAo=&)K|C=hKJP#1A{8a%E^m0JBzb~zoZm__SyZ^=vcM;v4-+UL
ztzo~i!hOcXu8Wq_>0{G3t}HlvUdTBI^5S#rq=xc}dNPnGIpGeK;tW0i4o)<zn2%oa
z(eUc=#)rAh?b2a}`|tjkYB97^ttqVUjlX^>Sy>p5G(T34dgvf*)fjYTxhNvHyeCGe
ziAj6ll3GORt#hYn4fp^Cca8H3>fIY`>~R=c?(3pu5WZ@}tj_Z!KCHISeQEd6Ss<`n
z#6Aun3^<@X`h%Q^H%^U~kO@a&eW!Bs*8ZjSm#^PNE0j9i3k(%3jF(!_t7>}4<fcMZ
zg1Zjm55WcOj}WpoMe0s;!h9*F$jOJkZ6XxJVaLj0rEKZ)R-5GCivtfYbh(SzfjJ~e
zQ<7on6c_~9S2CqKf7%Wge?GB1OGl<+czySY{8F)TdK<Im<Li3I;~-ct3>RnJ>c{7E
zRxPXA2)@agg>VO>?_0ZkeA~=5y2Guv;@SrqP+U|$Gfq6(w^Md!c-U6ihi6KutiFd<
z=siu97!|?tZPd?2Z{vjNg$%~-siw3BdG$N>B&%LNyWLxPEjmzWUiwqq<E<>F!oO!z
zGsTn3hd5>(Slti`{oCGUvGJO~&s*I43|!dy<@|zz+^4gnGVcr~YzhpBqHJ^T#ykGL
z$V0^6Qx*RkXPuO;b@Fqt&~4jRi@{8usT9wT!%K(UzeGld2if70GeUnqD{{X;&EY3^
zVN7(Y$<;pmb%hj-aM&5^Q<E#+Nv=&Yp;wBNw-3>$z0YTIBNO)&=BdV+H?}VxY`i99
zY4=4)Bfz+7d27GLllk@pT&yHU&*-n&fO0!yVl5akotONxce~6?MjmK2{Wf($`E>3Z
z8tR(Us+1=t^7`I5e}a^3$q||C)&ITx{8za!4fB*wt&~dwG9Vi^>~&B5$jqMq%2D0E
z9W#^fJ&_s(Th8mn|M_e6@#kvKMsu{#QG9GQ%&6qS9<$gD#m<V63aRIzYYpuSIi9O3
z&`CyA^&4qaXA?xj`#jTG=_+R{!}ZAS9v$~8v2|i4lzp&cH|vYGd%}3b8n3pqIdNOc
zZ1_vvMI>i0K_ttYu-wk#4T>IJxBKq?_SVPv6MJu$DU_yHJ(M)APQvisgS~%}ho5)d
z7NCEI>y`bzugKHlKP8kjY!)d(un3LfYt{A$@H@6bZ+G#S5PCSY$K9;b5OHKj(zvId
zhK=9g5}j|{{nb{fV?)X;bR%uuW|?yCFnk*~TGrhsi>gTRRBoLdTRUbHo-){8GPT@V
znBZeB)KE9Dbv+(3=aIt#Wa$@ZKI>Wy^5eiBL(<YYI#CMNrRjs(c2qHp?`ds8>5&Ap
z@ZNu!@X?*cgkAQ9lBphY2fZq!{#JI)!m1qvA3(1fSSVs|_EiRKPWPn$5%T?4s^CUM
zFy{bp;N;tx)vddmhJH#gM{Z;;II~ab=&0vJ3&1>?q{#UUM60-61j_qQwXM(I&U=Tz
zJ-*S?GH>b-he;Rtn~p<WQGpOC9<NqI!S=DA5Z*pHxdNtO{R`|d+-IuN3fFi)={GU?
zwn~X2L^{lW-Br5s35cHKPBVu{-OVw7x1qy0MX~9V9+$Z%LpH=Wcxn5Ed}r?U(~|8!
z+gv~aDgSz2mZ1~QcQpOdL;O9SmXP{%mDzZO9#QH8yyzEHgSCrXOQg$W(htYDL?4>b
z2grkT3UlNIFmvmd_fh1&E<QEg#2`e}S+(^T$cArzl&%_ekolPQ$sK+1a=wjSv%PK$
zm&e+t(+anc=!sMwvMbo?5#md6rvi!+HSs!K_z$P7YI#F8vY%bJTLOmcO^jhWI}a)4
zygykCTw2>}XU3k?!6H~yaZZ`lgSg?WAw7SfU(t!=>(tghEs)!Y5K{b>K|6X*J!}D-
zY{c`;Zd;kz53@l+u?)99yKCo}#~a3L@<C1bC34DwEnOL?)|7WN1ZpT#Vqx#=88Cup
zPpzdy%s50QNOi_fw0HM8kUT*3RrNC`r<A>-Um*5#jr9)nO`s4?8&djd)(nMC#>53t
z$C*Rqe*1Pc;ccF&C=p9;4oR&OPTMQLn-h*c?W{1Q<&+b1Bcme!+FvIj3%>*rH9pVe
zyu@eBp7y4$A@O>`(SrsJPS*~tr93(g3PgX2(~3Ik^uI3{K|je)whg)iA&zFz8~j?Y
z>l@>xE8y}Zw@w=JUkDRfOD@Xn+9ct}rcUs&s(%e+AyqR4^PvO|GIa%z@kcN>4=(Iz
zNsKG7h<UkcA4`{NJlqcV@00@#$^WNWHAdqYkr~O#O`(_K3|XGRi+jytKD8=akJU{&
z74-{)F4cZMp~dP$vu||vlzxd2?)i$X4!y@uj7IkjQ*!%<zu&Ckb80Gmv=v4E?mqCT
zE%nY5-mA<NDV$S5QDqZ^u%X9kvF^G(yRPx|Ncut{frYCk!aS01e_L#`fFaeV6a_Xx
zqBj+LZT#U1)wpTVu&Ak=RAtE{<5CHqd3}E{YPijI_xk9)>=6b6h&1MaQ<m8b@uhTj
zSv-T2mUYl;=WF>UnhJT|x|`VsJ5@plKAY6DY1r3cj>RlQmNWENd)aZ@<TWr+-Ze8n
z&CJ~3Lo>s6L(UQVDp`mi(p=@ciJX^$vQOzY9TW5s3RB(nCi!W3mS^pW9~cekdZ8QA
zm(7E5l$fmxF96#ZC3NH7&GW-~>o}6;nE?h;?xs0gb3+|H0Zjgg@{~cFx7fsS_Is~_
zwkeubyE)H^S$hjA73sw%9J}T_Oftt9z3C{K!Bf5V0qTiU96KS+O@S2J#t(v#6OMsg
zz#b;Y9j14#)9+I+j8I5KNr0fd0{~FULi4rt&@p<>Y}Xy0Z+iquIQauw6>g|Z3$|IV
zXx8eF<I@ACW1HNbZ?_mpy5^=)Q{8L>ETeqf1PySIBIYUQey+bZ6uEunr)CC@Ohn7j
zHldF|Cq(KKszQ*%4=cJ1AXX@5G5b8DG;^|qXIX&wTq&|AG$wFC+D}C{0kY~zkp7}y
z+}pk;_M2+Zu77FwPvPacF5HppM{~+@a^=u>cgn=1J?3`nm+wf9?srS~O2e7&8_Y`_
z`4((hN?>q8qu%0FtSsV<Oo&NW<SBnW;Kuav)F!6)_S%CGt|vDzr>bXPFC~K}4W<s>
zzR=Dmdy99a>`EQ-n0Q3s&9VboqV*U%*^Gf0a2Ncc)7`mAmR-r2?lq2EJBaik#Vpl@
zRn(vb2>C?4jV3FL$NRZ#?B!1{p7}UxuAIG&%YxNOYpnq)DNmEGPc6yd|JgE>_t$a8
zsuxanmkYJQM>t&a;2kX*+1wjZ4OxzfLd}z3yfp&p3-F$0IzzP+*OzXX_6wl~2C;0f
zdMzA7;5VnG<PVl)UR5R{o6eI6yD|ELYx9*|*fF(Q`Te*o`o$INgS>=&!6nKGN3&@y
z@-{fh@lpPk+pNWOG(SbU+LU`1`5AgE!EVfagr4jR(cZSGN<7VNOPp1$sjMPL>OvWB
zOt*8`k_Lkuv+mo7yHqFtmC9ohn5$te6!j9%@x>c*Qxm%VT*G!R5}0e<?w!`=LoEOs
zF#s8*2r^Bs{gg<X?y2~3|LI$n-;EFu-yQo#BY=>x&}6qxQ*iM8IwOgT_0tGqU?-PB
zae&bmK1cewvNJ>Xr*F7;-u|t-;JBA9LxkVut!%mGZiG{Wo}+eJQG2$^K7T#6P@J`e
z?4JMNj>sCBrM2c_hAe|tTMG@kahN$b+*=bFK>dtShV0_w$-mj@>^}}2Z}zMoxWYEn
zUG8`MOLZoW?0tQ#Dtnq@JNK-j==Nd6apID!Ccf;$Qiruv{zg{#PpRm!-`jOU7i8AR
zbD#?dhG!b|*m(#9j;e8y-cxZdZpTpbv2ClBQNw7{hSE)5Wc)N>!*nEQDgzvGyS@11
zHA)R_hKiV83>0MX+i<%@Y&af0Gpk@>8Jp01;+qfu6*dY@RPY0^CyqDt#Jkf`K5fpG
zHf<dn-*Z1u!2Z*SR48`zdAQfJYn)z!I=mIN%SYQJ(oD1x%r%Mhuj^Tx9OjGWa-``5
z#;O<fteEA5KqLr^-S#^gp$50iOJ+Y?t{LVMAex4Es=Vz1rhJuKSb2k*-aR<&BPG&4
zN+MBL?6}yNjKw9}m*Mt-88pdFy)_m8gp9u*zR{7oPZc5tmGSxeT9}2;ZQKOO40roh
z!dI){q8HJ<d%O0kR;JKzN-n8uux*{6(f{T+<n3rrPaO8`L~fIrKeq$-S2MDcPqg05
zk=y&Vs%v(WH-?{4H|S9xPVeFQ>+gm{P2wnHw%YiE8nW1hUdK<eC#xB{UX*B(1VM8<
z?8)X`{9s(d;tD^LuDTD;6Ac-s=`j(-8^;5_{C%f1^Tstqt6nadpX~QCdwNXp8ygcH
zg+KQ_R#Jq#eR`dS_<pdg2*!IUcew7)q|Cf-0<QvQZyvYBnV&yfSbJho{oR@|is1%_
z#9KSVo%=Y+E)EX8@BX+&++5)%YjDv&9tp=E4y$_l;_|n{iiUT##*23#TyKg(X^VT;
zX-Q_op;%DcZHYUnBR=g9qT@|{TCnZu94^fMAwj4>!%LIDJ2=-tvnyt6{9~Q{*+nr#
zm*uX%82U7nlT>J5cS+-}4eix;v6M$Kg(&bu%3vu-w418$-NT#tuKhmLZvKhAf$d<|
zJb72#SjpD7vEm?}e5lpGVe&G@)X!R}HR4J8!}k)zPlvI0I8`WNk2zk2G3yC#De|fQ
zXt?=8uVz6h{7*h-S7OP+Ux&#R`pwq+)O=vJrzKI$PW!mm^;@kQGH7xS?2m2(x&4!c
zQTgAFDN%P}k-FOL!$+qtY&`v~W^qQtO}=Z*V}jKxc5B=r#3uP$Hc+5P6DzxuA3rY?
z7yP(HI7t;O9(<#Fud~vj$<0gYjUV@UYp-KD-dNoqIz6T-j-1a3;^mIGu~vvwqn9%-
z2$J@`*;Zw9`KkNXiwB#ql-q-)Tx}hk)m?&mFwdIA{Atr`aERBch^%_`-VPrQodghh
z|5~1XVx`ntzJMbaT$jEO?v05MzZP3Onwo=U-<-jqHsMCuR9$?9#PUK0C)paTR|mRF
zu;io1ifJu&dR44I3U*#AJR{s0&9?1><?f4~d9jRah=T-k+xNU=XWS|Gh<j8VkDQ=9
zaqZlm`yy%NO@Nh^g2Dm`ZW6ByJ^R($N++s=n%Pc4$T9#Wd2fM8qsM>6wtZ`AyY&2Z
z-E4X!etk|r`{^2(B7sXFIv(A`@S8589iN+R6E=IdH8R3z$u8hH0w;Mc_@%!xADW^U
z??&EBfIZal7BzV4SjT(T?ex%lwKzv+R3=r`{7fEFZWjPMSm?j$hj{Hh%Dvf78?THt
z4o_s7oAN{Eu2JvF2*kPY`iRr5T?FI+aaMXx!Zb4#Z}iqKZ*$Q<5VABH^8<jJiBjtk
z4Gjo_2rglayUj!#XHi0E@6Hp+G1qTMb!ydYn1|h{)HH+0!=&c12*D>x7?QiV1=(fq
zt`Y`d#jp;H_jVg^7oYj;X1yxhS+UKt70UV&oEEIWv7OB(R~ngG8q9F)Dh&Xj+99d5
z#T|LW=u>UoFx+90RcU%;!~RiU@bqy~R2OC}mD;cg8ge{QZa!LK>>kpe{ieUEx(-Xe
z&^q|R&ps8i4o(9QBoH#xNn_#|_S~p=_^r*3S!-+8M_aq6g{U{~k#yk!%(EQYog+EB
z$&h#aB(T`F)CZlsAyIz>pUba3^|r%gX_vQt&E7{(y0LX@+MGcQJ0h#e2=#nkW=&A~
zvE;F6i+i9(mknZXyewgQp-CMNuw~%n5Gz;bq?XQWJgR`+a#C}bXZh(%PWoafB#?~Y
zZ^5bj$hY!)G<2(Nw4?T~F;^?7MIFdHVS52*A?D6V;r*8?9c3A1a}N}A)5e^dtX3n0
z+`2^7KA<VFvoLRsUzeSnjVG>wg@$5TS_FjxhzCKOpf?V$Ohe2dL{TjN4uF=Er3uni
z#Pnbi7cV(fu<>6N1Vpq15L-;vJ9-BZKJv>`)bWw}DWz6(KuZ?M_9|lV4*#2iA}oyy
z;LD;T1VOgrDWE6Vhd{3&bl5n4wmyT_?*@TS2nKHl=@i^=FV%6HCo#>`hTuAdzvZm+
z*G)gGk~4l-ou!s?f<MhZMkex?96|DbV@x0Qi1zbnh$sQQpLFY}Cc-?eb>9c=o>?lj
zS|_<?N+}_`<C_2UdxL&=OF{T36>#X=`3&8w!h!c%3wSRyC+3f5bloziQx`$PfBv(T
zQ%6$=zgnGz74kibZvVqnK{EMl?w!5dy1hF9t3{o>95W#Brf(y_d$QjPZ19qX-`2TL
zJKEX!XStS2K`l;h0_CzjFMRmFS8FsSuTvXCGfLL~zS|tOi`ou;Ly-U>F_V<aG8#_5
z6M{HmJuxmeBzT$m1og+&AddU+s~zC0b2_M{qsW+63#<GROfLt<V4Q~F0N^_Kl{W&|
z1iuBX&3KtR^;as5fvF1Wm(U{Fedy0IPy@x|Aj3Z|@RMf8{t;W&(P)2Z(lE6Lgi&z4
z1<fCEz&1S-p)lcz9Af|8fgdSX0a&=|9&g8qYM`U<5JCpOB05+ofXimu(vpsQN!e2S
zaWJGM5GRkoW71t6?vC{1I7%K3VPr;}0ouzcERKG^HjDLm)aC9&<Pb%FPJo9Vy2ryw
ze&G6{+8yU{2;G*$bX>-=6Vez}%cvzN9=Q<Isj%n}F~Hrx<O>SLWq?XguOq(UTG9;1
z|9_x@dmCZYP~r5ypRm$p&|I$&jG=%6;^QET7@}YQ)dK}`c$i)}ht{H*hH#Q9;}eFe
z{|$8phU(!UZ%q5o>>wxs+6&6)DY6R;kr@-C7>HqDT!k)4yHCLD17*&)`d~2tHy?0k
zgZj21(c?_mcN@$CFQy{_{JQY>&bu&IZ6Qselr7_rWY=Bv6#(>v`u*QoU^%EJ^N@Hr
zN2F{2{T|@T4X@;ZxLGOHDPt!y%J4iP{5ll-+yH|MjRcYU@CY}40gC!Oq#-bkFG!((
zr-u{n;SuUKC{pndNuMEJC#UV-F_}^Ge?!*iy^^sX(@_C>8X0O8K`)}B{;O-#&oCE_
zQN<5H7!v_n4?n;2EqYF0cEx|{8V6Yl90~O&!f2_j!JK@tY~_75PH^aSP?QLsm;|S#
z0)Pv}aK0!a>42FbaFUC1urwWa_24JNI}+?9?pV8bBFH)qOM_=EqPBB^Ln?S_Na+xi
z<tYTL4%Wq<T0S=KI5)oRN<#(>1JS}q2bt`ou8b#u9*@AOhYpP3aq54|n+#A(8p0De
z*8iJX9)L_P_Bakw--Y?QxZ3kYK@BxIM|d5)*8lf&j5CbWbp=p?hyT~`-!Fy^MOd}V
z;=+MmryR&!|9kRp%Ri`ki(|k`ZVkF3*je&aL}30JAeG+%YI~ov4}35U887if!F&~w
zvitug*A?qH4aFJcAy5Opv-uSQPcK4lK+58zIxpBAr`97x8B}mON@lAh5<FJ}IhGRM
z^Ncc#nNd>PwOK@T&cP_Xg+q~H{SA6U$-&jj)9X4aaXr7o4_as}JX#uJbU!nrNMyAC
z#oq~EhBEvYz5*hK?9!T4_dE4mTzDAo#UE_tWA>9Pn?j||a+h}K-j1V^x=kSt_QrXI
zQizI^X`L5hC+Fy)Ur!hEMmHa2(w@pb0A-XpDowH%&yQt{Ze27B@bGeyytKU%HtP$f
zxb|LFxIn47O`75PkeV$iG~?yQKeZv0#X@39y}ta9bN>|i>xSanRM_O?T!qs4$eW+J
zg-SV}e-|puGq@n5molirVDC=o1Upmj++JY`qTr5o7n!@)!BM56M_upa<bbD(T0fq8
zopk*&mGGtAPu;LcdLX4+C{cu)a1HQ<8eZD0uYq6b?e88Rx;g)ut>S>Bn*E+AoiW1n
zAsu0;PTcqYFC_ThhXRLl?+B9*O~WBzWh#EMQ#(&N!MSMl6ojUyPAHU?Zf>BiRM6A{
zUqh$`36(3od!aLwUHIs9us3n-ZCcYS+9~)-W9A@P+w}u@VunAMVDR5=fthGG^<;g%
z=2^7LgJt7;*Af8MfWUq(@hXhgAOOq0zzv#}#|t22Q_=hSe0j63!|I}{kt3^9KbNJe
z{YatIm9IaZeVt(^Ys@ttMFe#@YTFu4TtZ|tTfe}>>a(s{z%!iST(fWa(gO&s2)Oqm
z;0!4f^dSPtF~TNTtH$3W_*|BOKs#AX2WPV!kQJeACgQO!pz~yXyoQ^&Sp>hR9MemJ
zi$PC>dj>0n7(M_^4FBTs3bgRj?PQzKyN%Ob@;&g|f&#=xW@){zM~<SwK+Kpr!v3^&
z-WPVG;JUfs?}+y7>~BW{QagSJI?mJI{`LCX34lS7Lg}w9Q@{r-yR%S(wYvJ4sg7sa
z7m#wg?hRH(!E#M;p^L@|25|6YJpyFSg6jQS@6=`z`HJLlt0&AkDI0JJ25LD^P=MaM
zzJZ-*DlQJtlc0Yg!*Tu(?W@YBJFJ+FrHwr(j#Wbz_Rx<hyFJ^;A)|bIIsXix>dwj2
zi|oKAPK65o<-sq%=7;Huf`fK%Ha*|5+&vwKR1D&f$c}L1P|Uz6ExVNqRrtBX;T8lM
zvc;sI>gez13z0_m0yY2s&4Lu|R15N{f(yqp7!%Kc%doC%Hh-HVk%PM4ynxHPTq$)h
zzF&|or6ouP04mPKXi^tdWXwu+uI4R7V;kh?p}OeF>(V9h9^=gxG8;dM3jTKA;nWN`
zv*OD-sFTxk&K{oFpB>1u?5-Vy^O?%xqt^VuV>*IL(h%B7l_e;n<F+xJzn?4<?m51g
zB%`hy!qc<hVv-s@>WC*GG{H4&3t|pX9-(Hov&PA|RM!v1`=UhxHVvZ~6Ib>}&<Lvg
zs^bw^tM!kdSj+?6{F04$Ojj&C17S%J;H`)#tFz)=w6^xSO$t|c^z4|xmFUASciD8M
zAs0>i4RS1CTTkS&$smNo&#M3?DxtW9Mu=HF7ah*krp^~(I(9p;8IWTkj1>sZPFPJ|
zmGluC<LP_4Wk_)kvL0D6Yc$DHp<ZSixECOmZojGUX#cLj@rs{W2`_NFV*XN3CUOY{
z!W>IgXtK-!OX_O9`o!GT5U514#Gc$FheU<qH=G1yoylP^nw>uM00^kPRE*GkkqC1)
zKf6IB62V{-SAh3eP*Vg^;#zAgo7vi?6<$06%U)j=tp%2bFuOEPUqm(Zk$J9}w+`FO
zTZsRR9l~Lg86dE`ehu@aUS?_d8c^YyQ<HvYo4nmtc+0=8>K5kpVww6#+G5lZ!2Q||
zC{08<Exa*Q9(2R1(2+6++3Y?AY#Nb~i;=l0xN+O5oOH-4WzaF>(`m`}4!eCp5kGL4
zE@+_G7f!lIJwTQkKr@Wru3s;I4w{M2Lrd}gQTp2)Y<uOLv59XCwj=%<#?yP@kGo`B
zN3I6bUT8qFpdq9J)k{zd`s$6SP!9b(!Z-Ai;A;>WFQ_PnKHLD2;|4W)q-bBG*MYy0
z;_O)Db4K>e<bN+31JV_d{iapAxuX6Ez4{qxW+c3UNycD0+^Bx-DtVwM0<7I~v{NM<
zi71xC?F6dWg#o#O%CoFu-|WnTOvtYH!Qv|?4n_BJY}Xlz=7vsT&_Xh}S6!`ZmOAns
zrG8eCu^fx9qcc=69g`RGS7~t#ecd20<^RxLRO4lWuw6S4M7rK&NUD3m*8*3}`1P#I
zU8Nd$>D}~aK@K7IK{RBj2j~H1z%|<Ce4&V;^A^4H<<m;huVYIgD<`72o-#reYA`j3
z@d9#Sex~G;$`yh^q#8j{6n%iY!vWo3&Txx>lVS>%x>I{miag8)zEYhk(NNxp6h3Hf
zY`;8!h2t@BgMp}=zwKyp{_p=`0rr-~1K#@JA!w@0Lj`{FhBXp-Y2-rTvv<+Zc|hhI
z7?#^{t&YrU@V4ZMmIF3%?vv4C99__5k5?EJK*?5b`~LEt^(#U4E;!$9G=z_fG2B+|
z5b9-r7=zaGK=@QP+m*eb82Gcf$b}700*Uh@z-O%PgD`^xE3#h?rL|pTB^>dxUHQX7
z_GnKvC)oiRKnsa#OgC<hO`)#a$mQUPBWO0rZnByk4)zfn7I{%2^Kew~t~sO;x&vxK
zb+99f3fPWQaLreF!?q3t6BFq$9fl0Vnh6)0vTN{}O%+ZENtr-S0a%sswtE4$H3?(}
zPO^t^#sFq0iaMX2DRmUyH8q;G^CRkAcaTf)>w6JK{MMk|{A`W%8{8R%v9mC8BxqAC
z)h~lI>k<t2*{ELL1dbbhTH_f5w{QefdWtxvV|AHKqnrz1Xfy(H6KJW$+>WRgY|mk^
z5!6{htjo|{>KWGf%B7{d;6qR3fKLG_&f`1;j)^fMv?gj1kxZ+T3FRvU(8!0<f8Cmq
z(Z{Fd=i#-B^~-o){S|sjMS8A&GA#@V&-fs=#D^Xs?W>i%VU-fgL~!y^k5~a!kfY==
zKczvV@?u|P`*2`fN&w6NY2^&HwlFcgstHTY8YUj{^t(?l2Rs$gN52&An{JH*vEWS@
zIyWkIKPnyqyaR@R-pO>mO+8;oj$<*ZF_2JY1k+feAt;KVz?3-g@I`oZ11vi2)=8nh
z=g!{x&W3Ko@tp3tS4{_34~!`cht6L6&PHD0y`rUyO}tOt!STv|n1LO{Ig?%lWbXz2
zi;Ah=40J7qkgLOBtM+>v4qoiaiymVY=NV&FFaypbZZR|j*-;~!vg}YMIz-6>%Spog
zzEWvHK83$HQfTnN`LO@yc?r-tpu*`Sj@U{LEWdgIacp8Ju&%Qp9K<SQ2zK>$8>jL-
zXC~S*FgyCqCj&j8KIqUnE=B(<pvx=!{PeA!@)X=G?NNDp7oa1u`Dt8m+wEJEtQ?(J
zBkxT`9IVtvHKHg5UL}U#JqeLYg`j5Y{cft1dR|>|SPTS?8eVj|{Ia4Vd@}5Gk$d|w
z4C<{>omTf43aNPd>Ujy+(pHWjaxj&Xpya0)$D7VyZvil>0zvZ}U1qJ<<qIS13nEQR
zicr=qJD`t_Bn?rYxezr)wK}w(Pjr8hmS()VUwttsW`uJ=71PlLWP05-8O~w)bzI+X
z76apBkJr_Xh3-J3!We^tX+@ZUZz8b64Oek}+pfeQ4oGNmww-TQRTi7*A8-d#bQ~@g
z(F;`e>(b?6mES8}7XtM`rb_;%LYD}k>IX|E7mQE?a1ZKQU}hXuSDVZuyKWCyB58@G
z;jw;*kEw!WUu817y<o>X%%51i+r?h%rGyX~25PkfdZ_<^2EHBPg6uC+W|15EN*!PA
z+SO!zA!8T$8s~p6mke4kB62oJO(nZsepNMMr(=E!0OLIu%g9dhbhQr_rbVQSZjpu$
z1}ryCUa*~0X!6seAxPuBc8hHrq0nDCV2C=K%%Y%X<FEn|z2_>t6!&5iS8aQ~@j<v;
zf)r@k6_9;E_IK?g|NE{V9KXl)?oG`~6iq+qb{O>uniD9`()PgdysL9M7dEx6N7lPC
z-CGUzs|~E<_IpOeC>{*N;YYtk%VfkrgX66RS$5*@fN{zDvmr$f#sNBqrXxaAsjHz+
zU5)&!R3Xdc9GD8Tg=ZeI58oEZZ^Va6EZNLD84Sj|YYV~jK!6zlUF#hv-G(~6x9ydV
zoSj%dbh_wJl#({1j}6Dh7tH7p8p7P79?ejc8Ub1zqgvCXJM=9}EQL2NPFI9W5DAWj
z6cF6{1ikdgMpXL|>5|jwqDMnJXZyH+e3FH8)3X84tZqEf<{=mNP~sixXciuE++W^p
zxo8=j(Q0#CW^U2s%Q2dYPhlrl%?6zqVeS>DYTkzS5F6;N)ge0>S@m7PVpuNCazOAl
zTmc4*!E*>*njIEj8jcf3sFGchoB5cRzN&4YYOI&b`06PKL{_7A=0@#I%^W)G(mTr{
zK%dK`Q^Nyw+dOMx%_pmam56-x)Is4CdNlv*X)pc*6e`vLas?ud!E<1BqG=MaGc`2A
zd^^H!#I>9!6MRKsQNXQ{8t`u5JP42MT1i@P#&N-rOz|#|V)tLTvG%p(L3}dq04JPt
z5O{7@@!F&X-hmR}$>4N>_{_hAuYI(gS`6BHuNt^1kiN^tObKG7hTg}0B;5-XIPtDw
zRa5|q)L%Vhpvt^l3T9o=VZqs2@RLOgJ$i3bttAH_6L&i;9PFd`H(KSzhm47!gBrh{
zpoXzgXn-q#_2{imaM3JH$!UCW7;x&pYdhf1yigd;00zGR+Hn?6Wl=<#qHaHomHc#I
z?xl7rh_e)tR*9><11nM&h_S!xVioI~STQ}>tQ?OfU#fsbLjfm29G)^_F1wb_lOcEM
zJY?0gW*8$rj=x%|qZ3y&;@0aaY!({w_<@rHU?s5ZqZw0?yG$^BT3#+>BY~IiF7Syj
ztwRNyz3=jOB61yrbj5gf=EP9k=KjX;FR8t?yWP^#@LHlRF=Ev4wc#lima>9kY@&I;
zkfZ2T;p?!GZ*_PtY3GlT#++{ySLiJ4h-q+;3XPG6oFu=yXdYlN27h7K@{}_^@9<i)
zNDpH28u(0t6j<)%55|9N5#H($DulFS3ga6awx5}W7#gdZxRpqjk*Y8TA)h~nFYK@n
zK9RI_X&knAiH?5g{p><>^%zUvsTF--F_5o@DWXHA+;w1+?(NU!%*!@5nR0^@5<hWK
z;TcStq5yh<yw)o}wyJ+*eH*O!0Q5zw{)6~Zki`gRZ=BIbl7NinuY141yu0>AVfMJ(
z;ziBzquZ@-elAQ|8W(*W7k<QdsNKWUHl3}@X1+g)3ObDvNVPaH%xQB7_1!$Z?+ztq
zfR*U<YkSD&2Ip}QV{WLbc*(yvIbt*!#yH&xW!K8s{fo}~HG(|Oh)ulkNuykiq3pFY
zx4;wr;(#9+DnEemfArR--5|v!eLF4)^7Z^vF=|6*)r&02dFdt}c62UhE}2=cp5T)O
zc@v3W<GZUY5)tdKlJZAmp`P{cTS+|end8Kcp|(RmPHsG2%iE~C-4WWO3vKyMZel#X
zMlY#PUqd;3nNw><m~<xDwEUh8{fxq`r?pMzd-p=K1O+5u<=O<nEv%D%zD|)p_q>8U
zMJ;T*%5K)WZ-ft|aF5?Sh$!1<=Iw7!JT0k?NV@RU_{$D<K_cB4{Kt&B)!>h~IP~HV
z-z1te?V+iuICqf-t4AW7M?AbQWN#3|MFNk>JY0CJuhs2bjF0+8BVDO*GP-Liy+MWI
z4`NKhpM4>@<JC{rinpx~>IlIv2hSC*=8~P?QGGo~Ip2>Z5r^r3yM@`Wh+SQ9q3obL
z=c%ANYra+q&+7@xi}W24D_Qh3gqFIVm1s<4Pzly0)xjxj4CsIdgq|gWjCK)7)boIM
zW^*q%x1W1nc>S3I!hlEH5@#Y4pA*=LnA`c;NtVXu5gtp&J?8n=&RpRIj-QsijrrQl
zoJj2(<dz@b3l_%bhHvF-S{|(^sAP$$fKEg@H`oZk<^O-1P}Ay>jppISypSorKMUL2
zValoL+8fVdt}bBX`0A4Srt%03NM#KPu_|NFmoI*r(hIZxvv^)PHPrU64A|-gL6X_U
z`G0MS^Zn1A>DNbne-2rzLgiiYC2ew%Rm&f!;73?GQVhandkb;_IBV!6S!2Vs0HW+s
zBDW$N=9d`SH4xe@%gX!y3H`NA8BE8ITZD-tW81&`Bej3)LES7wQ1m~FQycbE^hknl
zJVlHBG0}M;$0Tr3E^+9+%)tj4LHJ%qCWJb!L1j06Y$6mIcLby459dI|M)#HWA1QJZ
zYCW4?GT<>m=oHT|ZIib!2I{)+f^rcgq0h_-Et+@!T8@pB-<*m;{`dCtxa-5N^gUe1
zb@co2osI)1`qhs|*>dCfMuxnG#=qN{R!>F{$C^uyBC?q^fo4DGm{#}Inp8<#?ap+B
z(^VhW3kqxw=4E*dYSANdRKw*(vf+oK8qf*YYgIJwx;1@v%3oEUtLVObwv_hkBll~+
z=kw0@02G$6PuUx#D2|+sMlQsE%QoHeL~u(WHR-Y!=h=Ej;j7uxCN)A23LBQKVOL?R
zOz<Gx?NV-d5&qo&YvAY1+69LC)HiOmeBC>+C>g3SbUZjyxy?alo|pK|gNH!v<HD_i
zb4AbC4>R#+Jz@OYP%xa(n#q6&He+@92@=7G0}@B=Z$Cb>t)*L`b-+Bh(VuJoTjT6~
zNiTvC@x}>T?kwb1Lx)WqgB5-`o~tk)8m<;rw#0{jmSi<ZcLR%dTnfkD9sM9f*atfE
z-HBYjO)Y=-%Lkk09$!)TRKFnce1K#7LZL;R1|l$KZ}#(9;$Zzm;IKgfA@(>+*&l5`
zpV+<e(qZ4<EX3E?LH*b-&fV;Y=%A60au+tZL4tg(pobIycI>n5KwK}W4WRXUZX|5f
zpHUJ@k4PFBClTXbv}-8jB-EL8`t^w=d?a^t%0EPR;6iPPw;kl3f<Dg{TBs=_If=Pa
za<f$e0~}`8z$%sjV%)9L=6J6rUt!~qX5^wEA-Wu)V(3+Lb*Mq%L+=*j{#TNge<d*;
zswKw)ZV?p(gCFxr<V=T+4bQRcVl*%LeXz0O!tZbMbU8ToJ7wNeBR0xzv*l9+vWIot
zAIQ>Sk}+{BoS~879wBT|CroBF<OsE8^u^L=8x5;(8{F-6ToYC;iRZ3|cRyet>Vf5o
z{f=eAkFeeAm{LBnN50C}srpz;7os|nS9P!^%>TTv{Y=6d$fyaV_amkVYM~qDlB1Ed
zCpwOwja(^+<*DXREU{rGzg031=5RAB{$9w%W_!~E3?>}h+LyiI5`ep!pgb>T<Fe5@
z>fF(NE@7$r%Nw`K)3~!3-s5Lm*35D*3Ehh~l%lbX!Qi;4pHOn=ntfgNbmFZ)54ZOI
zD6F5EF>heRo$U#=Kyo<?!IK*)t&5kH=Ura3F=m;yS}JtY5FXXZeD%YgOM&!jt||gw
z_W>qaGlr1P_F408G@v7V1>H_+wuibm>+n^^&b>j$PKF=_PV$YtQjF;3r04!WnMMo8
z-(C@Qam(fS+SqP6!18DlPOf4<0WFJn<$ZK<+_)*Hb<Wgt9ZTTACN3`5?d8al?WDg_
zj!U!@6cN^5Iugo<?bgyw>}Jc}{q^G9K~$D|QD{AG$$|!hH>tSL=Cnvdm;f`@%d@ZP
zu?+#jy6}dk3BJ!faw8wEi2DeJ%o2UQInJ|tFyy2|iGWCu@O03`G0a`4c?1?=GOyn~
zUejm-mc8TsF}y-l=7U0W7A$2zXU+RhSMO50t>&d02S8c9&f_M`O??I27)5zOaskd5
z&R^U*iSzV95nkqzs4NmFc7}G9c{Sb}?>I<*A4ehhVmbnV<CF)fjL9B;UO{k%scDh$
z3Z^hXUUTn~-OiV^gmb^rFbn;&eLa!LMMHu}PBwy@#V6JA2`_y0JUhzhH=A3G*X{9|
zj9d4g+b^!_cMmo0535Z6*BT8pFtjj4+_=eprOPZ5%t{NvV;i@;Je>x&1vnWa?t|4M
z1nQ=~`gfrM(ti2wrx^U}c8g<@XzQW29C8nd7=bZi>&Y666E@NN^W9}9j56e2;&RGi
zcgfpLLuL=N{dtmM;e%e=G7uGZH-7BGy<G%%ecs!tVr0KkST0&@G_O3(NfxY0P36LK
zl4YTG-`C$-lv<j9tw5Vd;3N|dK^DU$gVLu@=<1Zb@LBvu{r*j7w0<mJnV*VVcbeOO
zlF3}VuoKf*-Qz}<!V}wau{5LJ^E!3vCRhJF{ONx-Z1+sR|D17{SK+FZR6I&7FtM%&
zh_318t)h3DlMTSPFda`}u{GY5>Fn<cIe9tGtSNr2Fns!FJ1ops@hG9Dm4)%{f%rtM
z`8P0FgepHoF18Zj{h5rQWjx^UK7a2U8fzPiNZZF??a{~A{)N!Uv8h^j{cAS(CVznd
zw#4TTGlSu*fgyO|Kud47$zE1HhZW$zewBxo8R-pdhdvAsb^)-W&t*-G^6vTtH5s()
z?SCtup=@RH_?k{)iSb%fYGK2HSUdqNiBEr=TWv`no0?(h*M>a+r<SAH<r6BDJ70c&
zOl^Y0J3LH$Aj)`1eZJX)U08~!)2!*>FxKAnBf+I$3$6QVr@kq1tNhS2_TlTD%G8>s
zdtq47i|%Kzl*$v$kv~eFp>I!_PMLi<6!eTer(oFHIP_EPTj`8V4x7dF|HsmG$5Z`(
z|M#`GYj3WRghGW-Tq`$}y^@uXS(z#0$}E+uC>mB8uD#00Rw$t)du4Cg+wa`Z_xE2O
zz3=<|8fTy9Ij5DY^v_#_g%7h=)_ov(&SCX;<*#<~g5sC5MI#D(m&!xR9uqFS-LmDo
zXaZ_}IM=QXY2WEEyEU&AwBi}CDnb!<`Xcwe*7~WY&=<u0(te}aQxq6gsnMo>!9#B@
z)zzn&JLEl$!8FPz8v5qfIr&mHtX^WsfWZShk<asvA1HdioV><)4_hzJq^_(M;Z|g_
zKZ5!zXSgL-Oh^&z5~^jh&6({nW^ymrZbw+~4-EhhT;%ohpC5BwB$|SiQ=Mi-oZ-UZ
z*_S^qZRY5c+Z&Ka30bI)JuR7wI)-81HT6q)2i;8Id*xYVx2?LrZ<oA(eOm*Kv!qe4
z*nJ->xcm9WTyVFdV#(Ag441vKW`xkGE}<FPbK7bOA%ba`U<*HwhRa@mt9Mu1)%4V;
z-_X@$9_FV#XDG<_Qf#XGs3?E2OLaXqx4+k7ZA1oVWl|b_j=6HM>*5Eh@-=cw*%Yt}
zs4p*9zm%EHuny1skkuDkppI(ROE42?&pDMjp88g`;RC{BWns>DSqWMGteTBgUaFv;
z+RiYSWTu@J4ARJ7%F-lwP5oPn$|Qg2QoHQ<Zb$UoXb5%-HB(6^+{A7sz^+BvOrgOS
zopCoG<#ByZlECQiyr&F=?5-0gre#Wdl0MbQM!tEwF94bTQac(w8%F`E#C1zaY{E-^
zeELAC)Jh;ZXX3!pO~sA_(}~6-9`BYULC#+6vb8RVIGt;H?-lcJ>JYv`m)|!)MMq#7
zJGAkFjQk<Kt$w=tWz^^p?B{1@0^Q&9^@+;fmfwS`{4>#H1lNI`NXCM~PB?-))vmLg
z(l^$Zqfei^9xd-jbCQ13?+}Ktr>TiX2yF`MA3c8gnL7WI{8<SCbl)CS9z^)=atQkF
zcv<`XEd4d(d<rypj4jtmEzWzsAxS@+k6!F@i=`}h^UlpKZmoA{lZuZD5Z2;P-OZX5
zyn9+h%Ko<kOAqoM&=+)>?d|OrP{6ygOz(P`R=rJ>H;Q<iv-a_M2DQb~8r>&9C}pM1
z1PqFwy#%Dh>Cdjn$8NK*S8G8-Ls8Mg)rVEJI1PN@S&i%jPgnSABuhhFTY39LNyH;c
z=PZp-AhP#8bcCgYz18;8aE9!xzVKd;jnGS{YX2N;{~CDw&Mjd3%f?ucQ9mWk{a9HF
zs|w~WjDH^4*{kD_g%0pE>|_a1&7;H=u$c**qY<9JkyY~;6tmZYJ+zi(>%A4ml;&#z
zDr0Rxsb_3;UC4_<ICyaH5qv{0Q)XP8Lb#o(966GV+1mo~MGR&8W$I}`dtfp%g;Gc(
zI%3in7MFNFCmbIC=b}NMGc(Xzg%p$qT<j8T=UV@Qy!TRKA7m5}%gLT}BW}du0<QbT
z-mOtI+dW1hta<~V;kRi!c&?|p{i{&-V{|S|(fQ4B@5YB&dyDANsdo}&gqZ<4EaLy`
zxR)(c!Obmk2J^GFyG(?Hye?Cd(qh@MDYJ;sO=btLmfj#E>lpF}?DcWq<JI1)xdtb`
zii<xu5nXuYxF(aCz|)mVQHRU+7ePLGJ^#KdVt2OoASA@?X92xV{qm?yaK3@sxI@O5
zQqRFiH-fNaKaz2JbgH;lh_>a!1cS$4uTnoV8s#8cZLz1fs0{Mnj_Xr4`@)eTD!W;H
z{%1QFM~mtke~63axl^J!4X!e&SIicNDw^HpxQAY#$LB<<7nzt&XC2_$t!9qmJ%UZT
z98~!k^pKMR6K=@v4Dob|Kuq-;3-W`?u=q&yxcxY)vT|Co`@m6^hER+S(U*U7;d@;K
zs72oGCC{D+;^WWbvhCaU3plvI&caG&do=?_t(w7N%0JS3m1?s;m;<NlBNBB9JzOTO
z)TpB0gVug#pV_KDrXE**_a>{an@ox|lPDUh)at{DmzAvCK{mP>l~r#Sm{jCP_Y3!X
zphW3Y*`fz`l_MDB?sBMxUxK%I%l>m&sxsGgrK!_V6q@`!;v@2oNX`l&QQY+=!*O@&
z>7UsJD)YW+Pl+&u)w%kELH#+)dEw^yx*$TFKPy=lEq&h<TYJsfPIK844m1aIH&cVr
z)f>4ZQNnQDW=u7D5B75Q7u(f*xb0Kly>mM($VR1c9bOrF=<iurLD?W^Fc-I~?b(gF
z=KNQ6t#XI`9=ehtY&vpTH0n>dv(!cVw=W!dZt_QVG+bf6nn?`jx;XHyP;pgz-^SI#
z8abK%&P`^)8=2M)Xt-1MYwB=Q(7?T0VbtN}aSS<duAYbHx1z*YfgjkCdZxqJm^*KG
z=lLP5xuITri@VxmL(H70+;ahZPY;FNyRN8IPRma3G0KiOMXB6^odfLy$r7(KB*H8K
zBVv-qCR*TImh|t>bj-Hz2Q`!E<S_~kr@m=lOU=$seSME05HVN5dz1geB*vSlJZ*iV
zMv;liQt|!^Is&az0zWuSdQv&>+@iN8HVi7mF$NCrR{}HWl>(^Vk{9AWRHZ#2=;WCC
z@T+dMTS^9w$ZbjqM-!Q-PGLXY&)Ul_aiK;vN4y{|_)8ud&(k8)!@;+4m4YMc3trV9
znEyN`vx@m(v7g7FOD)bJDHVd7mmG+8OFThSZoBLCPGdQA+5UX=#z5wXGmm$~?ni4g
zfrm%lAmgAg4$AybJCeZ)*S?}+TBZzB)EYHkg-sL6-?>%l5}0XgzO|=|G+sqyAD}S-
zsjrvV)W#IkCC5dgiG-t3gzQNS$0l>1#bDof-EWQCd#Ma3B9MrG*GMn>v5yUY&!`nm
zCRP!<oo<jWqJ<`75HHcMXuiqWIJI1n!K_(dQ9qZ6AFD-sv%VpQUt{>~b=M<xDz@SS
z&wDb$eW#VLD2bMQ5Mi?qG>2Gc9S`}>Er!)aL~ed3<Lpz5?hcfj$ncoP{JVKRT6jED
z%Z$3^`!#`0x9SgZe;zyQBPR<<<aUZ2qZIl{igtyI^W}+?Wfp7^NYytnv7s+Nbh&@+
z)-SMWHk<hnM9c)P9ee6G@Nzpt^@_?1NM1IAuXx&n0i%=(rgNiH_+F$y8&~q0ehu@g
zdRuojc|kgZ^O1E|D*^BFALw;-L5(f#nWz_b)S4z;>PFsHO|NBUm;Nx3mLUfYTG7GG
zq~JF+Rg10jZ@2Lit<)?L2;cYR;({9i-(|%pri!Uiq&-|RqyEB%&%E&8+AFhm)i{D#
zkzb})hV><EqAF7;g=^2#z1T#3n8hEJH|wVySW4Xq(Ksl)IB|9MU{Z${@n6Yvw;ORl
zzWpq%b|-Eqy!jzDcw&6`1@RnXZedUg%AGD{6LrL}3)NrV205}Se=)fG85<ZOh5OUg
z(S}Gg1{sCIco?hmD(RK}3Lwz$a!6`W2-g-(bR`E05h8cH2%2Wp>`Q5x01!ao2VwLI
zncwj@a8_*v0<9|QG_t$AA^Z_aoG>xwj@Pr??E0#2>p@0`qskgG-hnc-SZ;$&`(D%B
zQ%r;tW*Eb?JQpuZOzSO70fvI^54b8G3Mz_A<Qba<#IcIZlml6or9ujxdxBx_+-xZD
zB^>fthOK;!%Z)S|X=rc(QeD)_hR_0L0_d<ja;;BB65;N*<n4Zc@fbHnu|{VXbTZ*j
z`;kW&Tv3rQuncPUg!xI58W^9;w(6%%{jdWRakR!LR(Q7zi2Rn_-5{gkiid`I_xirl
zXkbJy+tyu!r|zAc8TV0ym$sseP^{E&mphjlxC}pRXH?TT{Tn<ntH_f|$stUjJ)UpR
zPE^MCjPK<Xou|Z6fMJ_->pKPB*q2#>+TRo9aH3gTo$pEoMD^+Mf2zr~E_|2ben@0$
zzG6}uI&LVhWcPbGR{*lPVq`pw9Vm%Gkc+|QI~R~@(6DD$N2i$wBOee}OP7$J*NGor
zTKm77;F#Bj%aD9yM0F_r_K7vUG&0@pYH5f}`<uOvpw1koQ{uBZwtpkN!U|0mPut}>
zxVuv2PHt_~g(ApuVB(vv;hB))-kOpylsVXT+?@Kl{hq;G8lyh++OoMFej}etQicoO
zR(28I?7El<)M|ohcdaNnEs2Q}JfAeXqv`JzYPkmgUYPzAYGqlo@0Gs(Jdan5;j$`Q
zMD14Vs|X#N<JK0(YxW+KDfqs=fUMkEz`diu{40~ZZYYjz8w#L*4O^U(B-c}IItG!q
z|MdlMFq$Z+EyolaZvQ%7of0MBBNTkTepzF^w_JUS9T=o`3}QC5Z55J)xJyFIhG9PH
z=2di~?a}Yt)FL0CV-02T@7xSDDLE5BAjn2tQMF*|etb<AVU5#+R8cS3sRpxA;Xv3n
z(^m*@ozUJu;3v8dC<;nDyp{%vk0hIPq4Zm(E?$MNbkrz<!NV8DboT8?IfmIUwuHnH
zT=(D>)KDH`kiC#TV|m1Ys0`p@vWTA-Agbx@!L7Xfs($L;+24%%hn`B(gSEaruZYYi
z(~0EvSH5^8ZGkR4yrR;)1xz{XU!$~+SZ&+U->wyhziH_Y{k;ymkCJze1`<_q2}CB0
z>&33gqBPsa7m;*?+daJqA$6=klx@UH%18Z#hCIb^8?92OIr>1ai~2sWHTqM-GS6#y
z4h&0+#5szQ>}(Kc-Y4)E<;`}LrQNCne*GDUluY(fi97~Ahs~EJgAke+Ai*?lp4`y`
zpXv{kn1@H_cccPo#IcVL@`C9Lj?=$tuV79*+2?4K(4ny1dP<b7(wb38qhqv~TSC{Q
z^m($W!@*g*-(coBpQq0$>k&YaR%nSTC|pz*J8Nk(y-+imxM7(fW*X%e%cfSg{BYi_
zw?dLapm&Lt3Zq6wD7!K@N=JCj23-_lz0$L?`Wn#pdj9Q~Ee>r%yfq-*uP6DL)HoP;
z6TuOf1mUb%M50rjHvclh%Ej!CYzOu;O0J`6=S712`4!CWI&W?k4@Eq4P=g&GYo#qT
zNxl}jyxK~oM3n~TA6i~g3)5yQ+~4zK^q_V2-DH{BPUwt3aA}$Ac)ughi%Z@ml^Hs4
zpAth*1TMhrj0FCoqVKU*oDyMBSM6qX7qu~KmKl6bL>s3Ka@>UzuRZbL!)cOzL%P$`
z^<JrmQ)}ecW<nRRR6FQJo_3A5<o!k*8on9@+eVdAU|Ex6$VLM;mz1u={?Ay46n?xb
z@ekl8IyZqE7W>G83$250q-vtQ<G1E8MuQIv&_Oh(0^yqQxCwTAt8;P9l;At}FpgBd
z<BUj=FMr=3WG#ap+6z_vVRd&|s?3*_%A{9so6mG+NPjSQnqiUJOaRfJ!9*<dg1AeT
z9WVy?YLu?TamugnkC^9s)t7(n5Q(kMr4V{A`RT!1SRosa-@k2(MUJ0jgyz#`{pW7(
z8}0-m&88cQoVC6sjkAOA(Ggn%&NBDnL<XfbANP9viRAwTr?&FM2w7PL6#^=h<#@qg
z$M-zg>c<){Iq*ZS_q!_dGA1=mN;gMe`LAl^ox1yo0k>=vu}i&>?PcbNV6T8=_-9B-
z$R8`9A(M?Mz=nPxmRaQ2m+uL;(pyCd`}?eZkR905T8;;SkK|N*yY{edv@gE(dKgDC
z7%PKyHP1r?k&_z%%-?Idfti?M*E#K@Z?Uy4MYj7n+YS3f3$Mw>9rc8D-Znb#^C}<o
z`t^nD=S}gAO$}_=p~v<2cxuxsdN~}_H_kqdF7EO5{2DS-{emcew#we&pzZ#q)e}=c
z#IT~fye0%V?AvwdRXe8&?$EzJBRmT9F{8p>i<01%DcPk9+)oNSCTCAm2oZDszK4#*
zwiCXg=l&<)W9SHH{Hh{{6QC9M$wWWbW9aul2|cC@+LlQHsY*GUqjR4Oc``1Vi`N^j
zI(7;E1c8L?X;b1NPR<I0^gCdo;vj!0DLs-BO?l_*5rzw<N$-pIj2Bp#N!Ki1OgER)
zEdiUFfvH7=(l^U#OtQp|Co^YSrOy;6sSvx8g#)BKi==zb<EB|iC)qf8@(m(3r-UIR
zoGFhdZ|*m;yiJh=hCpgG(UJVu`=6!4yXm{2gH$7g2iMC=KBzoO+%VVCh`Rv1i2nyF
z{dKe;{xhTn^iN2a2=Ne9%e~U~HMd?wmJ2_Z3X4&nC5N2Z%_GZbipNVN`!jXZU2O@G
zz28tEd{oaFuLa?aMe)5&2q0l60h5@)!g-Go7uV^A@y^w_79bVYw4#^TbY{`Q+9ER5
zaTAM(<!AL>;rtVtA~PH3u5&7#Oze`N8?xd8A@fIGawnykLK$+CW19Mx*C#3>wuQT;
z=)d{@P!lOBxlAP(O%~TO(8{&$ke)Aq7{~iPr$gZ)Dr{^nc0CK>MZ8_)kQiM{Ej62D
z#;b*AF5Rf_-gTNQqE2u2_R^3O-W7FdQm1*8^aornz_bCqR&?G&Fz%cbc!?ie>)Ixz
z)WQ^jOOi(%<k`1HJU-0!x$Lt@Y9CnA>O9Fg!)&IT->}r-G<{1VC-&F#WlcX;B)Rh2
zwZ}bmeen;IP^?)6t8Exn{OA4rNEF5y6i+r)%O9KTRl7~PdSB<3hg}>${<)krl9Wrq
zSG=5>AIX1VC#3pAyPg^?GJgC$%)kE6`4@+)pCes;)f-t~Zj3I3y=5aXix*c{oZtT4
z`>C5s?HQQ==b+Xi^z5n5*^y*{$dHtkBYOyvA&lIA4v6h-6?O<Z(=R-EOfnlae=Ri1
zbozvSd4r<U-VxhF?D=fwx=j0hqAp_E2Sty7-<jt(;lz|bkxojHN`uziK1EG|`wH|E
zIkJ(Zi==tjY~3;jI|gdYZqWVyr3}zc(rB=ifN5UxV>A9!Ke+t3h7O=?lib%ULJ0AI
zNXTM9ll9RPbOxozFQy=3wyawCy{g%7!8R@!d7?U=Ly>qH)$_Bd(O|&Dr^8qbak#Ro
z{koHn2LB$=jZZRpDJ-Lez^Nn`Lab+;FM-5VEIvH&dEmXXzX>J?fHH2aVrU6!C>p})
zE{vh{C^fQ+tJ)D&?9IDKgZ&E)sWG9K&m%3?SybCY;(`+ORZxOx6Zs%6K<aSSv|q-m
z65yv|US8s;6+q85U)V(VFcyFIF%!0~XGS*G3wA_X5V7LnNO;|z=K_t~j38#X641GG
zROvMzp_RMWTg6rNtvgjKX=`ni5hBtJ%qq61o)*zAp~g|Oyl!=bRWa59ahm2t%h<Tv
zOG=G?b)Zo&*L?ix1OsLdNjrKpZqMB~PqnONB1EbCM>6Qp@<IxU1}K2xesGg~It*4@
z1>$HhJmmKH@G9(B+1oulaj-7}77d2mH^OYKqP@l-Q*Pp*H?t<wC{+g+96@m4nO$<K
zqsV>Bfbd>Z&zbkAGzvgv@X16#2=6PO3j?=$_n$GXEmUoFO4dQr5mmNv<u}RV(9p9n
zxJ~mqvQ>|qk%+lTj%&R5VXq?@fY9TY_v1U4S`w_|&s{)RYhD>^At@aTQJ{4Dn`-DY
zMdm%M+q!Q{j~5hD;z)}g`fRxWPdksijP0pY05Im>=YObg9fQ|tu$Zg$jA>{%-5vj;
zx*D0T4LzmO`|Nnx`->OXhO(%ehm0OqDL{gyEAM04<)JNlMf@))lbklYet74_KdW_>
zQ{K>+HINOJP>1p5ZWbN=>P8uD{syrNejzh^(SMq(R^gK3fPTURve<ZS+XH3*+Ff!o
zMb1J?e-*SBvZk?x!Y+NxIl%cLpGy0iX|aFd-qRSO^G*c;v37BqGWVO%Dk3}o=7Nl-
z23}C$XFOo*IeDJfOiFt{r+6)n1{t}?r<x+H<={57&0M6YecH-}&sQ86)chsWMp-LS
zohmcy^PU$U=3!!UyTm`@m@i*j5gqoxWdX(y+)o@_G%PaJ8%7y>%K!)B!1WnzdZ}?~
z<wqY2u<eBgvzenv8k#dio!JJT?l;;L52qOxJg{Pyy0Uunk|;w_f6_5<*KPyQeKHlr
zFe4rzRPT&X6+5ms^_PlvkfU(CC-h)CNaUHDq}fTeSm48lPW`iSzbDoz<tra00}e0-
zCLI3#!9}X>J|LZ&W@;hA;F;Phbg}E*j{d98rSAF5KJ?gM(84f{;j(?51$=33stGL6
zTdFAT7S$Rb54u;j{;1~RKaT+>95~TRj+~o`dYua5IFb!YCn35)b-hMv`PvkeS65m|
zOJZ4N?V#Qnq5El?D~UGTrz^;x_{<EX>ev^s(e$$~{`7S@9`LS_#v_&9CWyUhDx(Uu
zy$7X5=(VGtV9f;I=}1OHDh>=R$=*T@G<BiF6ryiGJR4_K&qsEn`*G&+?Emd87VsSQ
z)`OqpLfg3fgklYlg2Z=j%y)<fIB(67AR~ILh&XZ~`ZWP@f&nQ1TGhyVbQPDzI$VxI
zIcx3Ik!-*FHMs&XJqT*Ake=V|L{%gSn(=LQblQzVJWqKM@+^F65C0jVo-kDg0tc=z
z3az#5ox;B#bPc4$itX&#BzWTqCVV+>N=0b_l8M|Zbfl<0S^M16?-V+(p<&8%Yf7y?
zw3>-|DtO^i#IfKMh-Op0CYLQu$yT$6u(_7+{*{-+<NK!(_H+mZa>|c<&se|vK8$)%
zFoMsHn5mc)+_B&L6kH>hVyjI*k(=V`o5EXVH~%3qjjqF?kHCT|H}7^Ijv4ke2p@4I
zn7PoA4tC0LPSX%&T<|jSrlVEeEfu@pcRz8^jCxzpt`uhVJw->1ucYY?g)D@4c@hu|
z=it|>n=)OWOsB3+!X0Km(jX(0TnWUIBXse9^JEkPN_oAcvz5PI8Gz`>YOjaC;AKVW
zYz^Doef1>sO<SdlzDK2zKox=Mp<`W01P+u0MpZ`=i>1W<T{OS<sOGY{X9v;EH@#?F
z&ppSG!#ii6m!*u3Luip2iMjOQV7hAGtiw+WS2*Z+i32kzulj95RSS9Y3_6k`SlWug
zw#iiOCFi#f#`2$;9a}ODg*WgMHHPx`)wv&!kmK1I%=Y7pa>xj;Xt2Mo9u>p#6!D&+
zx?8qsFJGR$%rzY>sMA_Mr!rSvq5evkMoHn!YZR?2f~&9X5<1o1@UwYR8Ge_sB!%S}
zSgx}m+C>M{7}v@5o_(AY`QVvTth577@a_Pm=RGJv_ddHU{?;@#+NU1_+KW|C1BHJA
z5%D{>J}F0wP6qN9-W6j|VzTSIR+wv${#Ub-0Wn_v$zk2Sf2lnu@`gggG$eij^J7Rw
zU%i|dS@&Zwr*$-GLN-p+e{{g#PN<=kAWHr_ux`Jo^aY(1V*J~5p@qh*Alh9gNkakj
z%M-$)c(1G>k_I;44V!b^%C?PXAG1fe-xRE__!2gTj^WQ@5~fISacEXWGCdy7#wEBQ
zL#|JGg;2OVUT3vX<N5s;J&f2M&|?>c+D0v@1pH&)J5_&>aR$<oziTMqeXStWNHuaq
z^9U!>!k4up>i3D~HS|f*|Jopf<zbo+iIyHFXP&wh<Z9(4s8cPN#iVp4i|OYHDK*9K
zbH~d7!2RB_>eV~9xB(%96E82SkP+6d%rP<}37Ap!d)cdJ%%dOoQ?|{{6TCPZpHuH8
zVjF`)UMy;UiF0E{ir5z|d@}=kJuhwgT<ofDbI^=N#LoG%pb|!}J0-~_NN=cCq}JbE
z|8thfpT%GCU_DR<ec{`b;mj?go%;ypu4C(g<vQq0Uhlh{XIdR>G>|8PDi09+lg1&P
z%|3g_of6&{-^xYvdbEnn*s_x8-7D8`QDSN9Cm$9nI`N;F%Bq7>fSFrQ84aUM13qJi
zugZvS+B(TPga!MhRba32YA_?Z3jXUl-%RmZICwYErqdbU*Q2pLLLy9m9@k<iMBbF!
zDYZW*JqX$RQLUHp#=(MZ$B~w+#V{FJZtzDyMgtaw__ORzGNWjo1`4B--ReZlEF7Z8
zBGo66<>#IEFGWhuow@ceM-;ix`DoAv!3tj;4m^$s^D>ji_kPmsVs5Z#J>~bcgyHOo
zh5-)59!%H4;6>`GYf|NAc$g6Tkktdf*IP<&_obSx|LRF2YXPF_?$Xt-CmEFJm_L>u
z@()M0KUq9`h5jsJFKW_ufLjT?UH##P-{So^00a~=lT$)So^C;{l5%3v!DWFDoxWUr
zXE#lEd|g+fh?nqLcbV5VvOA!X^>z=I3W51x>Vz*l#qd+X0^o$kp@Y@heV$|Vs5-?&
z5xw-tKPNF(`|VjnPdB9!9iFEvSMM%;x`#uie<VP4i!a}4*1^V`sng<50Q&rE{Hq`$
zabccWHR|+}+(dsPuDGhNAj&O<$f@Jj9;ja46*{-zfcR9d%!`g7c$SE79o$4UCZTdg
zT%F&g*LS@?_;cYiTOO$)hEGU0l6sjxY5*+Md7nElf9I95T@J3gZ$Fd-1OWMH2z?Nt
z`k=sYpG6N@DIlKaaE{YHk37M=9Y(MYSBD)Sr3f(QUp~A)_a2y%69$NmpIlvdkDzcB
zi@Kn1v2uVpKx*+K*$4O`kREU8VDw%6H}s@s)%sH!1pD`r2oX%JD}e-S`ke9XK}rnN
zR0CKKS`8ZR|BM^BY=6XV;RJHwIRd|HF>B2)&FUM!J4S{WLaL>5Hcm0V>b9rz7zS}T
z`5%%Wv9}WvJsY0&G5H5H$yiwk`QHo27rw4X-e^>%{;x8=<$lSIs1;b$q;JBB!W6P*
zYp=@l@YNWDhj8MMu`2K<0J7-i8h})A8I!S>0i2)k-;dWMS_@;#cSO68@sI^v-;)$_
z5#&O@4cI3b$9rB|&xjHTGHp@PC3OFLF5@#KqQ#P*y!m<iZOeG9%wXpCdK4m|2QvV;
zwqyO{1gMV}Bt85hhop(gJ%3VjSp{Hx|8xNn-1UvTYmS8lp9uyUA-`uzpq4!&kL*J5
z84Q9r;WBp|pWQ?t9Ga6kB|wM$C4P|t(PiDOGWb<>3ts=#RYc}DmFNa2bZakH5u}cU
zu?X{<#KT1hg3AMW;-%LO>JuMb_d#`QP+(j^9~0guP4U+z{C8U+#!35y3A6Qgy<Ywq
z&Jnl}gNQl&huOmzs1A?bDy&g_GQ>lPV23o;o1!CZul=H5Y6O|9S{Z>_5k<n9zSyEj
zlPfUJ$IL=Ar7QE!Iou3^GM1TQ92Ftex|{va5yO2+(gV7*=Al79O+CGRHhdTELq%mU
zEONZ*2kY5|#g-*~gZruoQmA}k?OReYSM)W-yKq-7@eG(#5JsALQU5d}k3gp~hrqlq
zuos2vv!qTE2flKWxEoBk&jV#C%Q-#Pji6+an2TH?pLN%WnaX!XK3$w^G5-s+2qrE@
zMzwo15axvFuAz{as9EMaPX?r)0rl>{L5yo7WbLu%kP91ifJT*mdu3lvudKfBg{K$=
z=Kf0=H+m-|Q0|aC1>OTl+2^y%t8Ymh@W;apFPk+GHH#$7+7>X%kP0IaK8R@3s|}s8
zSi|&6ilA_U($7%i(2w)8ef0-3(#1HdI^Rt3kbR()bo41d{Qp`4d2={Iq2R;yFYrz!
ziO0@AGg{XnCQ>V@4j<(?Pm5gvqYuMOhVIdyHv_VeE#)Vw*+T)`Stvcg4MX?Dg2E5O
zQs8Ch3P3Ga{J6qy!@eJkkeB75cSdHQ&EU)8Z9veb_^*ryaDM^2e(T{4Di~j1O#hxq
zffGcp%5SKQ(faW0_VeCe1Mksun$*Xt#ZWk^lNZ@hx?{!s3jb|f@cGz$oS3zY6RB6@
z{5S;1tUDrq015m>F(UY%PT(gLW&bk3GEiW)m!rsV&o?XzA}Po;kL*BMgK*PqTr%VN
zpSY7(0JL7a1`{u;UdFU1Q=f+Yf^Ja%+9jmGU3dzGQ(b#Zje82eeVH_@m`^gWYYV({
z4{%ogbEU%9^+*G!-o4!+_h(yg&@w3{!ku$#TP7S3{`D$!iwTmU#oxebK^KhXrze9E
z<SRg6Q%L!pnV??>bpEj0xN-mUD1?wgMpUc5PE`29cwWiNQth$|s}c$)4*X9^gS}%K
ziUrjN6<4DrgyNhp(kg%htv$W?pL9^swO=L8Z@{ZZ5@Xn0l39*$K@WfxZ?hd*1lL?1
zOKAlgL}W|ycE-$vU6jgq=k!%J#JV5o!>Iwbr1s$I&>oDOL+oYKcitpySe)AI{)vWJ
zb3Rz)*K#1J9vi9VKECH%(2*n2bYK1K&^!O*uol_sQ&aqRSk@=w3Z$5!1xQ)Dbk@!r
zpAvsD#`B!|Fv^b$<oCbI?<LF<`lE5p?RUJ%$xvX@70xoh13ZLrJ894mcel<I-yI);
z?JQHE)mpS}P@eA%fw;`PNJLE3pPgK53BoXpYS9OzqLwrXz`C$2-#Ag;%clN#t`vSh
zV&oi(jr;GA5ajJoGkg~GW6AV-6@r%-q{rH$H(656VHwEUyOG&A8IVAhDl{@^{P@ug
zb2Rc+8CWUxXGcv>He6bo%=^gH7Itz1zqLKgtTpCDA%CxJP&0^5+W#BuV}U|gb(2yZ
z+V(n(j5C~0Wi0CNsw?SqxVR&J2q8#9?L6~wXUBNcBaaa=HPWxg&T~Yuk<P~i&S#_Q
zy{XMB%L#Rt>JL61VTr%_c~Q6!;PpoBb!vw1lkkYQi^-rx3nfP10C^%53-Y)u;0;}P
z>^b}Y&ZZ4kZ@T}F>v(}kyz$#gL=0pRV8AhgF2H=2LyiD5U;IsZY3Sn2QF~qB#Xu93
zet!1B86N?A_5hYt=StwIo(o`%6wENU4cR^6t*#PjVw`KaLXX0w07_neN#9KHq4=aE
zI`{!p<0U@(HmvKm<v&S*(T5^*yz3zNr+jAI2CXQV1^~6ifO?Yp<91XGX?ZHpgmkio
z)RtXk!rGEtHT?6yydW)Zy3`l^-ENHPF2=^%_?asZ#w%ZCe)HfC`c4M3E3hCW9=eHY
zDVblSty%Enq~<)n^S{FWX$#<Q<H!+vz4w<a&AkV5Qd-4jNK3>c`eU5{6jk1ot>{?_
ze!_!>k#{8;>(R)#YfFjk<@hn@^=p^+>98jObOWyK*MKE)j(733RdFQdxcK^os1BWm
zCD%C=uKGU%L3CFFA9Z0+D`<xjDC9G4z3II1=TB{=)&{Je1t2mWRB<U_FL^;IyOksI
z!WVul9Z*S6<Net<t|I|AJd4Lm;2|&>9yT!vB-yrBl1dp7kNV;x$Dq|uCj2qB)ivT1
zqXGXjltVfdh@qsE-59{J#xBOilshfuwE~$zuh3Dy@OCxjc68*2-Pw01F=&_{d;8;n
zKJj?Hw@3Jq|9|H7^aSnCnEk4x*-P@!mFC?}xE6`j;WG_8kR;-2lhYENr6ZX7>!7gG
z6|*e`5)7d03M0YNf3p4kz+%2#s+Sdi4Knz!+lHCTc7fdCF=B>~0L_Vf>|_i-$j$2e
z4#wOo6>pG!g|l%Y<2~p84)(><fGqL109nEv^Tz`HK079#<k0sR(wq&U3$3uWuk<2r
z{N5Hd3HkVGYUl;@P+x%{Us@>4X09Z)ReGs%cll^#dQ;5@Dq+R+L=)D^Y0;;DtNflF
zFEHNH=fsbLozWqan~(8&p2v)29+#%63H_@rovq%ghv5o&_C4O6ixw<#IOjFJIVpP!
z{|!{FbDQ0k2>|E}K>4c2(CIySyW=P`wCe#vM-h_9p{lOIls`$HJ}rHsz)Pm^5S5od
z4&LxaL?rJQR<gU`ul16-E4&oQ6}bNp5rd)J_>h5eCCUvB|7{c!M-x0AP(EeOsNr4T
zzH5>@)J*VV?F9NHt&<tniTaQ2kY9eBebx&a@-$ihiYtV28~!>_(R3!uxIsUPgOHCO
z=+;Ok+u6U7byNL@j2dfTuTWbMaf&?E*I_r6KD3CxKcv(BC$X3FuE-#`HW=OgDV;Z>
zXS;VE<jk=)R7+v8)*8v7R5QaMmE}v9?UVutuabl$=g(8(sXy`uRWo*Bv~<>W@;`qX
zTUOYpNkha!@BAU3pVX34$Nlna44q*Q$b$Y_8{9$FSx)lJRvDFFTH-GHJH>8W9kC`O
z>;*caJeIm4YIbu7a{(9zBe2V$I{cM+a0izpPxh2Xcz_UQ=bDjv?q7_wBC*NV^(fMk
z3iizcMEOf!8sjWlU#fkz96{m5*3N7Nnb^F{9X1P>O*h#LuhNx6TFic@X2DmWmqE`J
z#m%vv?R%NpRoj|E-pH0->i>58GwT4;T>9f95^;g_*g#>q5aHu?#^d1CXo2?#`;FSV
zsh7r#^*yGcYcgNZr@Ggvz-qlj2C}hm3pA6A4P$eCaHEVymMWsn=dir3U>YvV*(D?k
zC8s=BZ7GnLIuZ<LS{JKubqE2&FwNJIQFS=M4NV0!4vegxxfNoDItk@!JRkwjE;vKU
z&e?4njJBMbC6q)+{Gs^YI@5bR6d!)d+K)WtRqjbe^Aw`+Be!fK2LQdj`zqoyJc_ww
z0&o6Z#5)co5lqu1WYSg{Ca1OkP!u^94rkW%Iw_ID>VXncm_&w+7lA8zl&3rKF{=+c
zws4*^-j_?0HIa}H;IV!1L9L$><5W=0V{fClwg>oYLU<B6VO)0|Wp5V`-!N4y9vvpC
z_ax578D(<g$NQ+HE|U>X_6#yCAJ=RbzG0+hYN>@v!xqA`QEq5|r$1s}Vgf^+Aeju3
zakMG^$p2#ju*kvp4xi>LWDS(e-H#FMI}xFv>SJ9Pk0W~nH9mi+p8pLlr6a`CV(HRq
z&ehsgq)#<PrD(ETUCebKr2t1#bt{MumXYw7d<^%mTDcn$>+`=xM(`eZ9zury>z5j?
zLp#qvy~DD4*9JI28|SgS{mwLeS-MLI3Lfgm;k@6fn6Xf6v-p$MMz9LNfjG&>Y*d^D
z7vt>Dw%50#rV`-e-_i%^4T}J{r2PKZ-4Q3am&~m+Dx_aG5MEc&y=e`3a^dClo1;@u
z2H)NSqs%E@xAd+vB+P=U=no^GxV1!%u(ezR+NhvhntSKwlXu(URLZ%gBe%!3!GQ24
zaiQ+7bbUFCnm#ClS=7y`UL>lA7%>{>-5exAj?X{)`!M~A6gK0vj|6h8$qC#oiMAgA
zrt$Ahw*;=SCrf4`oixEa>tIA1TswD!)$_Y1c(6(pOFIT_T&3GOh97!{57XsokZW)8
z|B<vYcb8D7D^a2ETllZj03i7KTpBqBc|j<y(G}i9o_W0jd22@dAN6H|b^VTQB4d|+
zG3C&|D1+e*2>tPQ^lBy5DChWgRG|qYK8KyefkgF_T>e$=HLVKXp5YweOIYQBCyd>w
z<_bZit{$Al-FnZ9oPFO2GRe|B`~!P)d)Bx27hI3?F@udHn|5Mvxq~u?<TQxNZUs3G
zifn^`wS8$#h&J3$|H9M%t(2^h0WA*6KtgtEq)@FWsN~vO5E(7~fP59|!dMyZ%T=*2
zWm95AL0%Io3|6%l>QJ}ACqlSW>ZU497@x>?3H@9?xF5}FsecJtwY@yCcjlH^SW_#P
zU+bnS=K}->&s9P1`8>x>-}z?r8VmSPxGtAbYC=)RNeaZ+e{y#Hygcqsg!wJpzjIIB
zkrl5690di2@_rDPSgnGWb8+%Az}w9lT`nMG*dkJzt&4t5M;<2v|CHNO<0am_{S2YN
z|Mneif(n49fqo%-HlTwi?9M`#nL>}<2wU6RE<(L|E{&EGCy-+Xt(6#<!?A~a<nW=)
zfghUkK$}#OG^KeJ6EPdN6%nY_k|Z-b_fUppgZo1k&l_snFiH;T|H7pdUkE{T+Ru&t
zbF#|ueG05D1!e*oW8ff%(31$KGX1=6YHW_k7-GSAvI?!09L$!=KFqc0uCs!+v6O<>
z_zzyJyAKZ=wWbPi$|AT2byH7G7*C!nR{NXq_w%b){r1}0h_T=es0`aoUukgRDtOwg
zrY4O+5g5YT-@yC<5#if+EXHG_e<Y*o$LG_ijDfm#SUm&FBk2*=tIL5`Ov3@e&z;Y1
z{e80HycFW#&B+?ZPNN2`cJ{2ETrF2cBIUNuUM8xa&)5;YbBqd8o)@6CX(fgndnmYr
zC5sUHZ^}7-pF2oUu?y3n(y~vfVUXdzDuo>D1WOc&dA3Z>eUD@?#Me!=0M$Ve$BYGJ
zb0yO<o?rEQd~sHk1)tEu#}ET&!u{Z`5YiJ?H+A6-6i|4*B%V95ueH{E7cYFRas!-o
z)0dwqFiu5fG>zxCPz=W=+c|S3k(lJVDc9M&UT8@$Z?LYTyqBYMgy=4e9D8a*!0JZ`
z)piW*LK98~)%JUCgnd91>$v4Q`GlNj!OJSeKE%SbklGQE!-p3N?c@+A*{!q8M0J1m
zw&!Sq`n77N3`)+Y#q_K(kV50`d|k|lyoA%xBdUK4c+qE9c9R;~jtU-yPklLW?^e%j
z@A0WH<zL5D3M9jRIq;8ZxQE0mi0fX44yTLVkH;bV)A>Ti4VrW$cvbMRjZ(`NT_=a+
z&qL5s*5=`_5<)~$Zp{YQ(s<i&$&p7$43sg{Qg~@hL}NI)ty@tzH*!8yb3)ye_6+A{
zC_oU4vM%R_n}0aKJ-a)5TWdX81UdHni;leqEJRn18gtnYLDPq~e_ze(j})A&UhV>g
zC-(NX!Rxu5=9i_SY^?YMy*VCxeR$jr<k$!gRVr7m_57i>e6wAIx+|#gLRA$q6s}xa
zgUpd71d$_|a|W_ouhO>M2(ny9h=X$;`gp$h4r4i}a`wK!9VQpV36CX_wumgBhDkD#
zRlHj0=A@j&hgih;#0^>d>m<ad<rYe7{KT(VhdNq(3wKZ(+k<Q>qy6}53eCz_iXU`*
zz`LAy5XdD)s3u7Vfv{$+yN7Rv6%e+QTd&?Hm@@(;1}|of!QAr8@t?wwU*dbnRgP6A
zDZnf}Y#Z@WD9NE}QNUa$Zdk5UvvtThQjigfzVuO%;kx7MnK4)8)a*fFb0^kKd1Pf%
zZ38Uo1Wn7W5UaxQ;Zsk4w@;GtjAY-@z8Ptx>B#^b$_)~XNd^+$k_m6`)wYmZOMOLD
zujhXi;69Ae&bN_=?#fWIMz;2rUajr*MT|EbX6=a2PP~bHjIP8x-_)7jxXEI5#8?4v
zSow=w>uQlgSP_!!w2=HXqq)+BA*vOzUF?5*oTSTN&}pJ@Fh-?TwPJbfI@ma`wK0^d
z+5$e5G2X$*d52{sa$GrY<2*Ar7-{klA|O4R_iR+Bjl2?nc2H}FD6NH(Jrmx}W9Z$5
z0Rx$%Y^l3i{hO&-(~$>;rvF<-tk=I~s8<n_?2{x|`r}Xpd3gS^ZWpG$cJK3rWsVu5
zoGc1g_g{FyV@}*Oq;cRp)rb<D+_<b3J08aq)E4us3*%DgwG5`t5VI@{D$p8jb3zo>
zE^MJ>CE)%UT1I@nZfGiwC`H^Tgxk&1a``#_jR8$M)t*Lx<){KlK~DlQEQ~gG(Xi3W
z7<MF*$e`-C0>{JvnI59S4m;BeS*(xaI$%H$v~YO)eJ%YiOv()h{>%0(l+ZHi6_lv;
zHLwyMfz22gZT4_M7{Lwez;lh`T^J~L_Fdo`Z#*YIjK)L6MbHO?$^oeRskk8UwsF|$
z$ir}V?Q8FHsFXNpSf4g4USF8AVF(3x19J1}yR!3OeW@UUWe?WOwEp1{tT}_~QS&zz
z;U5kp&byt$l4i`pjm|>Cx4VrFK{6p<%{Hn`%U#T?wXVaHk)%>*0WmQBU`Yy0Bt#nE
zS<nu;ES|}MV&Up2s7jm3+X*)XSLXy(9_(B_=W4FuQaA#PU&&zjxm|c~>&+S)ioMQ7
z04YDU^@_b}NjVYX!vmYc=S;N%4H7_}z|J}f`}w|YKqMj#$V&Zc_2$1?s#;rE>Ma}G
zza<n=T{TZY*y3JZnZE7l3B<vfON@PilsP`OFNS=%zdh8{aUR)tyUw9Boy#j`8v5C4
zm#R^;kFyF|cgTVd^@Rk4ImeIsazE%#JTQU3^RiO%Og3qY4y|3W4|p(Iu#SYcFLzht
z;H?3JVfVf$lf$SwL`81v)x(7=z^>%tM-gE<7<0-W;LuaPdCsuHQjPj(C|J!_RH;vk
zZL-x%f=-yYy?jto%L~;;z-tm;FLqzn-a;*F=WMF^OOO=+fgWoH>-vkmXo>nS);#^b
zZ(ki(Hq(%Zo?UzL{VjG$HHs9(PW$d*Cn=$ge1shxnE^u%<m5`^t~m7VLD7WXFJ)FJ
zr~$Ji7&Q9U`PS6??dO`wYZVz(-`fwi@B5jQzGpTFn~nQ>#7_+%WmcbR>C7HHWx*Ff
zQ`D8UV6Kp|kBB=QF+|@ASi;*!_2ipn;!H^d@p5;jOkerw#0_^HiNx2Vgy(t0?ChPg
zn>HvxzulfX+--YudlRbE28-`*gvE2WV1z-&NmtVR@gp1<Lfo$Gk|u060?1eiNnS&t
z@Ta+hnB1#P!!5@|ej@X33pmx1S`j!x471{3+vs+Ne*^V$Q6;YZXC^a@Kh~U+y8VhM
zF(N~TekT1)V@Eam8*`X=t@G7fGDv0C7DL0I+qOyZTKwXJBTiH_dYt;go~aBf)IEKk
znXx*MtVgi+%SyH9E3`MiM_lT1`dasq2f|R5{J6f&dS?7<Efwm<$MQ%DNFU@FY4cCL
zdbVpoln>01_grWV@A!d2**~hALiki}5;NpnBP)>zGmADVu`$)w-Lji4h(D(fL>uFN
z!i0iTS(KP#rE|IvH^rP&9F+0SokKP_SEr_bLXhnNP#2QrM)WV5;zQA7i#<Zu7^JU^
zF?ZA1tEuXtaNtfO)}6-BWDX`zBVuFVysG+@BX|5x`5E*bg&3hdNOhz?*>`z^$$M!<
z&Pwkj2Zm(P{@bwyxkLk=wAPOiAN*@E4m`WzYiKh$Vl-H=8VWFpZO35>`x}LeCBMc5
z@JDj<k&j%CiHdA!{PJ@s{X>!6DyLmlg(KsB3`~&Ww5)_R@;Vt(7?no8{77n)x>h1%
z{}tnL14IH8G_vaoJNT%lQl#XLM5V2EBn}>tEhmxP-;>Bgk;&+Xzo`@<>Ji?K+UTUj
zd}?!GZ-u4A3PnOU_y^^`z%s_B!<|VOx7lDJcEocZiGY@ZVXnRnZHFX(WdL>le=)9@
z_$e~{{@ah~5_6oE>7`@S;2LyRGOwzhxI&M=a7Fu0AB6bXn_<gCJ%;ShFQnXnQ8@sl
z`0CfWu6}x+AFl(1DFFruqFt<T8d#*(S2glmT#g<;iWNOaMQEX-B$MTVb?*2i^pv*-
z2jjqo0a?a@k$r4e=`dB#jHJl*ra`c++jId8H{@C?0~)Upqz1)~Cls)!GX`NQc>^NR
zP(H`dk^Ot|t<R0HBakaCWFm|F?FYM&v->URf%GIG6ln+v4<5wSQJE=8q@QL5(+m66
ztNt@Hc`hQt7D#Uhk)2666#OU+_Vz={%hTO3b`&oF{=rIs+ag=7><i-S%vpP8MV><m
zeedH3AN?tuPiZEntEE;rOtl@wuH}h%o;!IV^$PNp#rfR+xGy<_c<JuUt8OQ|Tmhai
zI<%nUbLF)$ol$D+$*aK~IL{_tq+d=5jlUW(5^73@7KAYVMkk}nAr!06jnNYxTPos#
z;z$M=^5%^0{OPG`x!^TKi(Z=aq<_GTA!_WCtAogjKj4g7PHpkykM<-DK@)Lz;G4L2
zZrzW`Wh!V#qwUODXu{jf11_oUEfp^h?_QT#ZDJe!w?6yhI|MuP_GvMkaaGZ8I*vct
z9wZ|Oz+HSz&rm*LquutwU6c%+;_cWZ>@i`oiFOQgvy@8z>UOh`*F(QoV`RTCo?0;C
zyP`0^6{Eqku$Bd=!N}XE#|wYi+YUanp-F}`$Zhf4n`Zs^-D#BR0<XHt!lkeYIIC1;
zyIp$baB6s4k%i0Vu-)6eKEXoXllhTHg{8~q>IsSVnbyd@W~}_Q-Db5hioO;H7c+9K
zJip}yO5=1Mqht6Z5(x;}e?;#H2u0c5p%xy$ojW^k1gOuI)vfQB>ZnJXowi!5IUd#y
zEs8Q)>&UQC+jCQ;l0Q5FL5BfaY)lj#Ove0#^Y?hyu&VK$*pQee+NAq9>nwxLv%2Ok
z-LB@+RHL2;j9_Sd1?s+#`H{-O(Xkz<`^!tl6o0OI=B209=7O_KX1@B9Hd{Ngy9(^(
zw&t-(GGqo7k4_^>knzMmAg$VJ(4)82diC+a=Of7IF-h#mt-+C5(T29}$mKEPWtO*2
z5-Sb!bEOsZ-Lv1HV<`^)Rw1<*_+io|NC#AiCg>scCi5QAeyJ5U*7b2mU(>5S`6q4~
zBb}{fP99IMHpVXf2hp-VfnQ7Jqp5x8<!x&>)Au&6*GwC!e?uqn>7M64sWP~&ZwxS6
zg4084J3podm$=J#Ukv4UVaGo~uK8tdEINv&@ffsXLGHMKoF2D5>QC!EoN#7#9puxi
zoX+z-^<bxZHvM4(FPB!cEx%r7X5!wq5Oe*b{&ef(eonbkhwGT2b9*k#sWNx@szU&B
z9CC!AJZ4{p>Fxssgy-&ac4S|6iyuQ5JzD<k3=Nz=r$oXc2)yp2D?Gyd4@5A1lb8Ks
z?~guTY&c{m1kH67DT_t?2SOfZyY`meRWuKO(X*QuvEvD1s{QD7%I+n%JOM^ny>h1y
zW1oi?ed<>*k?Qt8ewtQgovER_?weYT<X%Y?U2fY@w7FHPX%r#7630bk659PthOq@w
z&>F)O>ZQxyh=WUQYO~e#V}nZ#(};8r-M(2Ucee3F13@&sSus)AhQ?d`v>5rPcq$B-
z-oM^FI)UXkrpI~*oSB?s!!Pr@iXPb^m7_-pofU7DEw?$|b%j>@Ss3nqqEEJG(V|A`
zTx_~abuISlaYdnZVHC-kWvUhQ4t=IT9&z2WEaNoEX=yZb;WLO3(Gf-~NiNrY>Q_3{
z+w3y+<dR5nkJr9>wdxQQErABOGvjHWGo)EbtJXm@E`+?2abrHVCc@x&m>v8_7xQa@
zBFMVK>fofzwYQSvSNu3=V@e;rEDFZ^!dKDHe@z8`b^h%a|No`S1;0&mh0wao`yg}L
zzf06Vt{qFnW@hpgPUH~c`W#uZ(Uu2-V|F*HKh#*Oz_?Y7yT1>8%#e)Lnk<iIsnLLz
zq;>^hY*=VcI5wSm6U?vlANubASj@f&*LNg%D1=F~QwD18*yw~O4rAAN_iS#{pn>XS
zejFe%ztl|b97x-n>|F0216)S!r?c0dg0eH34xxhH5WdwPDg^{Xm--5!x5-Pgyi47J
zbDLiAnEA4339V`=eLiV?3{V5|j|IOB1G1E6IiE8}2sOUz?;ZS+0Z7$`d-a3>VVZJJ
z;>NXwO4&!2!_X3+<XkYJt3XvO{dqj@R5B-wj2<CFd;73Ssxe#@cVn(6gaYc=?o<tG
zwl8#_^B!TWbg91V>b?NvFk>K|g51(uuvOla@BNwA1aL@Fvy1U@QZUfrlD9^w@up!g
zZ=d$-YiF@l)@QZ?OiC>rEGu|~^+%O|af;`IB_vxeo3nA$f(-flhAiSa4YoOQIb7N|
z47+8uC|FX{UZ(x0GLc6(+I=|E;mc(dNCWhHpKeObovcB<scLbRK50-?GAwvPIB4_n
zckW{f;BZJCFH(&hJt&{KM>qrvUeMp7p8IO<Sujk{B<1=fzOSl8zBdIFn|XKmLHUv<
zS@qJSM491uj(hxinxt5hm9S97N3DxpAy;;p62@}f8PUw}JA0R?G`7T7(Th*=chMmd
zI`6rq%!CIYHLAH3_fECi-c?*3e=jQ$T;gr@&2fVP;X4ToE|6t5H&J~oxMVn$46Tq(
z7eR`I#V?0HiL?^7(Tl2y-mp{(WSb1Xay?etH6j$b1yTVY=2RodCwYweDB=LYGUFl!
zwLBa7t-f!vB~3fS5c~6S_R$!M{%HB$eK>62MkyLO+u$sPZ|uQxy*8riq{sF^<*Mlb
zjoQeq^m9-Q>9RWYu#XRlltWwro1k&NJn-Iqi2o-g!R@u^9zzNR`=Ms(<#LoLWj%9G
z?MWJ19}REbq#?%WgE--tHB#H@l&fGUhR;?gvEPg`!=o8dG=<htLZM~G1?7ohGfI@g
zYFSjmJ|GUn*%hpTvk2nt_isT^<+`P*xHG)eBuX86xa<Is0e>T6=$~^OD$_lIa#L`k
z$mriOGW6fHw`i7Ku(6`+nWuHQA|eFj${F<R%)_~Tn@(KaAH3SlTkG3azbA)qYcARZ
zf^9CTBpng|{IGp!aQy3|w=-nUwrc~`QU!NV5nWORi*)mXUz;WItG@ZQZ5)|yf>=o%
z{%1av9GBH~V<;0!?tL^LiG3Pa|K%Y~%Z>wKYAO(Ep!}9-PVlA(99j*wqfxtLW5V5?
z;xJQQa~SPLfHJP!mN#ObQH}L{wG0&>nUB*9D{mrJotHjpfTg0#L34~Hq&AH49-%;V
zth=>6z*6?0+<mv*rhm$OrS<a@2INN>D(OpkCsS>sDIS6|^_s47T9Oe$vgs3dZV4Rz
z*th6B&6S+GTj0K`yf_jOjq@Xq!Nj>m&{gLx4AT}QKZTq6(!3Cov4&iGGV70`VSY;%
z0bxUX@pOR>?<$(Qx=<I@nBxQX`<-}SLAbCaqwbB->ZPf7t_MF)|2X`rTg~jOB6kFc
z_`yowg#LH-O+V7YDQSGzLa=1d=Dti#+%c*TBFJKbopj`ep+&tj>u_rO$AgVea_DV~
z?v3<}C27;>vh(~TqG^2_wQh-`X)#3AzlsndBtZfF@X2b08zqf@Rg8m23U*)fz6y2u
zsZ=7mBWD`z>v?#@Jo*)p$w42~Ov2IPz&n2&buh?iIzUtat}iCpMop`7<IwJ_XCb^n
zHB0rT<;dIXg~Tzr*fyEJsia?DiP~Im<vfEU9mIsu#n;cmZ{XPR%b4`d%2Qt$U=3jt
zcM5q+zI;o3W;qY`pg8AnbZX@^|IXb|j~A1hmIB^_*_xl5R_$R01cdJw>GN{li|dy{
z;J3-pxKr)ryYl9>zQ|{m&;1#S<Cm$>^xg^ccXRUvrS?7zHO&$ZA31DNFRc$Wf%%i+
z)JazUgmK0hPhdC0=!4^&{J^uYo^j&v8t<#<$cch8ljmX{iS<_|`(W><bnMI?8){Ua
zt>MdTJ4dppU1_km2SrlvFnf41>F(I#Gh*kO+z16D|MV=``?u-jD=w|c(_<yR;o$4;
zXK?%O{Fw*pwU&yc+k0-Ur!NqgasjD#{D6#hL<kuY$iVGB4Ln1RR(qZ>X+oy5IQ(^%
z@B_16T*iF~Mh;O+SbKTO>e<Bw7yDeh2G<U~W243P@EXwEwgB&&I4TvyW_@*r!!94j
z8mT>H7mZ?26W_RF+q5*3dW*2*68`%;SV2gF&i}q?2;VF_^ZB^+&HZx?7CXvO7=KhZ
zpb7Xp^kKbo+Br<U493h|!l@BsPGIn+@s^iXNQY?dq%UPbfN3BE2u=V9?)k(W7EaEC
zXAXKfT(`IiHnVqNrh3D-TTQ_<U)7kXvQnefXNj6c@MWxkcjeLt2hAPzrF78pJ>FH8
zO4bjhOBxE3XcDdRxTbhMHJ;?JQUzNQ%jy}tZt1`>5zL(l7j90KH3j#DBqbsg62_KW
zXK7XHZEQcZrycoogQt2+mVXfcTQ|bt;C}V5ZWSGjXmUyQod=5H>a*Rj@5(*f^L{~j
z<fdZ98(-yfUJ8^{?5p`duH8TJE~(AnAJq3?gP3n~NlAM5qxMucj;-68M@xl~Kg^4A
z=*<5+Wlhuel6xnV$>%LAlSQ^89N_&^Pq&jH4rxLkd^l_+OQAsJqwZbI^Ei*gX#2@t
z>&c|lD_;<$%|8|fg*=%D`Ec?7SJZb0Qr*4}e~!H=`$-%P36;ne2Mx+f_NF2;BYPcL
zg*Z>8$d1f1vR6bhGLtQPl#!La-s_|1`+NWJhjZ?8kL$kneT^3Eng@ty^>ghGR`Af4
z8ckg5JoM$qw{JG17sd?<2h9%Ro)mI9=S-Q~XIR2-RwT>H%KC-}e6I#<OP613LVuec
zmoQ@8hqEQ4P!FfCr5`;XP=*zA+x=Iw>TwiSp5XL$y8{w_=RdnD=r`|mhrz0^;7^E7
zW24Lohf+(xjh;>t?5V4y6l!a-jv-<-@#C#O9OKFejNFR-fg6I4HaWLC%XV{6m@UFz
zncOV-SU*XU@%0=Z4Z3m(s0^t*)(d=YTA7&sh$Tt<-G3eh)@OCa=MtpAuBD@Hi`?MT
z4%tny*~v8;^o!``X0cEB1XMOVwJ!16Ap2)3$mthTp0LY?a@`zO7GnSF?19+od+yV|
zM;<XjeMjl%Jvu2K$FddnnX?tz%=yo7f(4EUY3{BzaxYo}(s2j<7;IkiKSRmg2+VSk
zyV}B?EC}AP{0&134Np?*n;dV+hC`#+J|nJZ<kGkYR8!;g5DEcH*9R4RAr4%r><VOk
zidX*3C&W$Rd^7)aEUC0pGV|<M)#GmN>d&(TLB+l2{hEH@s6cMnZ*+>hdw<-P7@nxa
zUv!DLu#NTyVozb4Lg>O`Q_r_#-+w**lv<>$H-8poO)Cx9wVVYLZCB3X7zN@QE}<Re
zcV<2+h`a{08uRki&tXlhUbRFxuTs>uXjC0!`doY-Sg);|XqeJp)kmZ8;Ptd$MX^b}
z+^iO923%NP{k1nYC~)|E=swH&&_96TQ4Jlved@encJZmICjsC6xM(ykc-kidC%u~!
z%%U5d^qh$qJ2dsB!+EqL5ZeNQ6w;4+boycHgX_KPCKK2-dQv(KG0;owBz$_TE*{Vj
zF_<bZ(p)A_!;<(vxM7f*is+l%Td+H%eA%#ox&jmoZVp`WEW$X&2B#{J6Ed>wo^;A*
zgRwg72@kmygO7eZSRTC=TKJK#ZVo^IVP0!pG~}7!kih-6?z8pIlQ4o+Xr_G;XNe<^
z)Fm(!N>3K;^i85Hg%2_GvSx_)4Ie@|oMPx?te$6)t+>p09%|?d8#Q6h7~(j1>FHHz
zQ<nUN1cty&!&B~Q=jQ(n-|X<54%Os_pK=_ss6~w|x+f!H=p6L|Rev~6y#NbJb6Psj
zvE1-NPCTvY`2dDV(Yi2)m)pPfzUhqSnXkNE(~38)pC$OgookYz`$Ygfg$g(+d=22D
z;weq-*+Z~qW)`POnt~;;4k39vBS}_o#<0B8;g9|o3$Qi^*!JVanKN`Ue$}g_$Y#lq
zzH6H9QyEd_LqdaK9;GKfx736x`Q!=Ssh$TZ-idnk+6rVU1??!Ja{Wcry^c@swQUgs
z7eG0bia~WE!Uli$GsENqcH@5;9>t}9mx`|fggKIMQS5!L`(xI8$;nqB3E8t1uKCbY
zFO-ajA4N)EX@6(}^_hu!#HFHRn@X`8D1_Qk_MW@Hal;J;ZpCs<d<_fyJh&Hr{+}RC
z*iB$Ls7`eKh#)(V$DKM5;ijx_`Y)i7OBYNr08@l<0g*-3niKF6xAJRwuR?BJP>)Xd
z&#Q6$%QrbvKZXW;=i1pv-H%JGU@={pOUc?R1fbi<QsTB>&RwOj$rY;9d{BG7FFqyp
zM7`V&Ob}LYK{urW!qAH&)px&2ZWge8iA411Ti{JiO^&yo%#>YJXJ~9udPChavii}+
z>zwqr7v{{5jW?9r%!L^}nf-cdv1_>iypYR2gO}5hC0z--Q(4KRJ#wNwaEo+W*tM<H
zZSqDX@AhU9k}WpR<VB8q_A=y|2|YS3^MK!5I`8Nt!eYq+KOuy&%f~npRFGQdXkv|5
z+2XovSbj(Qx)9~ufeUIs{o2e<dmJ#jP1I@1)EjLHmgvB$*L8^SXB_C`IRTmTi9eh#
zJI_gU>0-^ESDK}{%VQ%!=@<!J&2zzavOSRfjidoMtnd4~FaUTINEI*pu3n>_v@bIb
z#BQ9Zdv#<x$v5JhWwc2a=J5|3jyNa|k290L^Vagu%s&{4_GF?|y5t8RIsf3!4vVNb
zKOeL4u<N|Y&WFp0K}RaJL}uZUz!}Jg3b`H7?yvEAqrffZV_b=2Bfl^(92kd|n@0-1
z=BIqR6N8bL6bRKBGcPmt&Vgr)druTP56*N!4w{XZmdEPX{7{O7xfXT^P46n&%MW|a
z1gc?~lTs+W38=qA#r%rz*FS6VWlD)gp;}m99`R^hpR}tai24a<9Mu_QtW4AY#hk#H
zC>L@^y!BF}7?Y3hSznoteG)_`AN$W;pE-({x@J?I{}da4vK`tgmI)AE{jw-C{wYk)
zbgtN`rRdv2RPxV)8!P+Q?=g^%SCJvSF?yas;EFJWKplup)8t<Dzy`l*KhwR#r6m`B
zV~!u7+f%fc;fw<Y{|ZT!He2$bJ?(<{HF|R@vW40=eES1*17U^tp)Nkc_iq=^8~vU+
zR0zW3e>WHIX|30YN?PuqG!&fS+4k9zFjWSUMMUzR@Lo=l=>=3e55XY&_Dd4#DJ?Vp
zl^OTXs2?3~zZrV%$Jwh@<;4d{Ys}Diom~XwHv%kQ!<>L!8L!}q%y+62g?#pMD~e?Y
zC7QX7PP@C3Vx<k{%jOdpkc_LM8y)&RvQLq~i<1LFfz^^X-LLc4oC0Mk{R(R_*ZB2S
z98c7^Wg2`R*U&74;Qy&~ih2%a^<)N7(};@UAL7w=ZQYWX1oBl}+VgP^2KoomH*I~^
zzUYx4rq@83g>dwJNSEw%sw!>S^tm`cuwUu?LP7C^wFdI#HUJX&&R1|_J1qX>6mSd}
zjHU&6ES$lZ-Y+wbyXSppi|6<Fbe_gL#Olj=)^t7;CWJ@5cYGms{R@<(iH-LKelbKf
zH<Pn)E|5z*%eg=kzjPlR7UfKDB#5E71F^z4*T`#71<_@id%4V2ksK_Y6Q4IIkC`L*
z*HaJas|F-Ak}it<fn<H?-ebb)iuwJo2mia?;Td|%GUE&+ndxxZ*PRJAaJdFU+&6tS
z{Say8w)c6yEw)J}_8K$|u&SxiV71Nb>G#59i01E%bw)x`XAZdi^M}Nr_viDojbf<o
z2d(Mx3z!;so8+;RA=q5xRJV5J9Y#2~7S;o*)h<!Ql+=2f{kv+aF<)&%5TOTjM{vFx
zcJ;9WaFXT73m2f2CFg}1ZQTcVvX3F~#)0hLIM)9syr)?YsnxYUTg~_B{VYAcfj^14
z2bx2s+{`CRy|@vya~~j`cQQRo*CsC#a_S&^bj4A7hZ1qm>Z6+D>tf7+#*v@B<j@Jp
zocaZdflufKh!6)(DsrtlKp2aAaaXunvbOF?pkyU&e7N3uRXuZ;4zE{`9u*?0Yvm!*
z<971zyh~+oQrSkaD8t?JYu=o<4id>RoT*i3M<);c*GA`&9tDo=sv*q@pJ4D7pVaL7
zao6*_Nd_5*R_F%KH8;OK{i54948mkl`0^%WhPm^qZUHTnUTLChEHwIz`G`p0ewX&O
zjJd}v;KTLj<8>iaT>B^Xy$(9{Fi7cbRSZQWB=jg};l5dvT&Q_Gz8f+kB$KXh_7qGM
zB@iV@l6cX(PZ2AIuw7+~o2hd^_J=Hpqb4MrA8S&-m^h=fygyUlcEmajz+ba5Rrn<1
zrAXf`(Ro0S=TwA;{cGe7NPdxN8?!4{MX}DgC26JMgVLN!D3(YE&u;z!V=My3!NUgK
zU6{Su9qXBLb-duM=fMOf;!E`d1b@QHe+}NKzoZhKQmJP5rE_qQpughRRpiq)a_|m7
zm$e}qEUuknv%}E#F=tO28p(9ThO53%`FVJ_{pGhxfYScVf(&~txIdOkj&$Kjs(C)?
zK*K;gq-E&c#>nd*9mePt7}T|6c%HA~{;)c#3#mOHzf3?<?L})~K8@b>vLS`u4`e&$
zGmVUJBL+FtvTvc7qu{?pWN!}cJFGu{+XqytaTdL|1c5NGpJ30cuqIrTgdjV%SUy4_
z#9*YkSYSP)fQ`wa9FS^tUIls;e6gTYl(a8AO&qN~^yIlS|5@VBM4ozNvKv5Zx=M}I
zbWLd<@hfr;tRlgNw?6WcoF6BR{)8$C1XlLM9W}ByvihNzM&7A$r~<x2e+br_svGS^
zw(_$55-W;C47_OZ-PNWts!1)5pKW!g+3|Oa1D;wwCYEyc9f3IQ0C@Q>juL(ym@OX8
zif0Flc*$ea=F7~!f}#2p=IDNl7Dgjd-DCaD`g17$uiTy^8m)fL$UR}tkPq<}`gK4f
zSRLnfry5#1c4~0=<`Sh6<*#+eqOir?v$jItzs@-}@UJ=_M=V&fiF}(kB`X&PWYUkT
zgC0+Hg;a42W%6uMJ2OO-xFl(@uWPk}p7={~AU0!{i}Lce9Uu&g57(TI;+MOz<-_wf
zdOKdOZwrt>g;ED?%X^y=xD%*B+oBLCmWAVNnLo#K$O^h)@ikjGKLo^MxxcQB3v_NV
z(BI4XUYA-*{B_(txxCmfQ=S?z_0F&7rS$kMas=-{F|F1z)5F1nKQ&dUzLjOO(-og$
zTR<Fk7UjMUY-J=^k)mo=JTd|`0gi%#P-{M=^`-ZV>gwXn70eatf)#MK<XF8fDN2N@
z?XT-yzZSXoICx?xLQJ8;=70$%bxz?+FOQ}_h1~C3{lpZ)Pu}Miz9mM)IgUO4=DZuX
z2&p~yj>tfyN-=L`<L0*a<FMSJbM<^&^bYsnF&V)>jk8oyy@u5OY)Oi4Z3Q`z^QVY-
z^27{ZC~J&PzOo!M1$hbzr&CS?f3&_zCQ&hr(my(b|C~v5);QD|m#~(H`v(PgbokE9
zpJ<HyGbiJrCa})2^jWy(D09-sHCZ&4C=TVlh0692a)MSVBQs}i%w;#>*TTBpTrTLN
zD{gVI<C-q5%tdKUd6GAU(dZ^r<eF(bNr4k*3R~_HIv~bg$ihX3X8DJsfD<g!QT5Ox
z!Kw!{c|{OAgs|yn6P;Cl_ghJ|cRdTYveu*k_5R&5EQJ3!Cs>hSIYOxjRuUt~)-BRn
z%|I>o(D%8%?+({GmqL3*#3jIEMffQ~(u}5M31{I#UH%=V{+bzi5#4u7tFx+S!mjd3
zWK3P4QH{6z<uSw?8gr$A{EI|Ys@0~`NM<I{6+~VikcRcuT_K&QN>%)L2GLoK(Ac9S
zSauZ9rmlL0HKFa#y`fTp!UsWF+HO(A<2Gq+GQ|5kp|SwMpF1OUol_C1<<2CE2`*&C
z-XYcWkNeG$8B4{G@D6y<<BzUn7{nr~Yj3r+?Z`f~{^rh9jt<`9Lbkqo^et!SECgW>
zUXGJ76r2+3DDt^qw3NTTiXa4h91%fZ^ja)jjwW6i7%^@d6%Pd$gnXGLN|yft13}S=
z__5wOy+#QNXxymaxsrAsFf5hmE)f|ghUw%C1GlDs<)DOq?jVVY2TK5l%^^8xIF-8<
zpWi%A#6YJ++Bh~<X~2f}C(6RnC>)e9iTP(BN-t3OG<p2nc{-B^`8BYw6wpD6<#<L#
zsACkuyf{6>M-Wr1;y$Myn%K?<38sK&2*+b2FaUf&EHm_KjU?&>T~ep#%ltw#dun_*
zcS6pBEGkP03E`q{-QS7klw!-_b_b$_z18J;@GFysq$?k7c2eR~)<D;DtM}uVIPik%
z`@SNiSha!g@IKig(7^?Gh_3~vwAzx5Yav?RYN?B}>@oQVN#YT8eG5-c&jb*pW+MKc
zcbjTOac<QQjnHGb;du@-(fqY28zO{|V@SksF7KlPQk$HKNF?>~bK+M5<Ht&3K4#^m
z?EPr#3>E05K87m=Ck7;(-77Qx&V-i+RYaixfwmz);~(!DlbSn<eG;``r*#sDM~D3q
zR=9AP52uL2rpd)p5TSQYfb7A0`BhmO4>=Wqz2j{szxRmEus@4jPF1-AFjoPXi<cmz
zVQ*WiEq1AFxPlYR5p&kT@Nrv??pv_(``4{HYB6GGk+CFmYI<bU%E>-pO|(riLo1Y?
zyNEtLF&15UOT8#I?fQdRs67^>-<$`PDjcKNuYR#ydpM(b8T2ZZ-t|R!-k;$J;(&-I
zjlijy{?y3O%rGa>NwgC|p6gZ8MjG=N-?oDY43hQdh3ie>%uJR26iXE<T=b)$?K%fz
z3}2q%g*M@wG@7~&8(KL{d|onKH7>#0{+9s_hT?XfIz7^!LUl^m@v)D!K&_fGdR&1(
zTFYt?mDSr_mkxehYV|wc8^&dRbDZNlTzhBocfWZK|78&IqaL+_e<EWN>cq_0Jm2`&
zBpbnRB;P*B7`M47fy&Nj50CWnT@b4Vl>d#9S2+inNvE0=L=kC)Qtrip{oXXIVM|X=
z1?I-|_>`%e%W|`gRsDC{G=D&ko@r4s;_S^Gmut+&!+|cDr0){ftj1H~J}`3T4WC+9
znY$zHpR=GQw7)@x5Mr}c8uKZosWN8W!(SWEr6lG8W*Xiv=qRdUq(#~pT=`w>5)E&@
zC8w(E7&+G))~@GWGNDvN6iECH*u$u)eaQQ4bFGG~^{(TI%x)2@X8<sib%DkbgUFIV
zGS%cOWi_)5qRexMQvPRS#K}EzXoCom9&E+_)UD4`c*V|nxmO*j)y%m}K~%GfVt3Ah
zb3Ff&=zO?NsEib*5mVozBg?V_DTH(r<{h=O8d?p{hqN#G{l4W4`knHW<R{KPgpjft
z&Z?_+hxz6?Q2IT}oC9y6^tNOqRwr@%;=FqI#R#Sudd}t)l&dP&$Fd{g6Oc3%qQ3CV
z^ujQQW#gngdUt*meVPwxYN1HeCyBU;hC&^v`OA!H+*G~cC5L#M^l^6=?Ojc)@G^F@
z^WzBqv*7*Ku!%M&H;=jh6UyB+=Uv6qPm&!M`LUQ@ySH~7mV$g<1RAE4R!V64d-qA`
z=P+?yiI^bfo5;*8I)<p{W`BAY5tS8@8aTI7{H)ir(s>dRN7Eo<1^@3|8Jaz#dzePP
zPkGH8gd;9?2TC@Owk=pv*P~@-)Nbl@)SQgs*OLWF!x%@sN+iSJr^mKTo$wN0A@vF(
zl6`%xWy(JJtwGl%uEkx@?tWFUlN`@xbM0%4OMK1e2-q|y+7+Lb`Jsy;$=))C469-r
zpmh`Z@BwFBxH_N){5L90jyn5h?6XjfuA!*w@1Fo&e7pB$uNi|qYnEr)yWT|G=bPlF
z=lyC*GINh49M$EpX8!}Y9H@87P3o!t1{G7AVcuo1lGfY_{4pbI>HftSR0D7yFpUJC
zozLnbE0jjX6=m5W=;>@6)-q>b%UY;tBDF7S>8A`Vy)~!t$oF%-Na_<U?6i7|!qwla
zD72Lq{z6-{ekG)jJ1On?@~FryK)z=(k&C5oIA;-CN~sDkanE(pk}ZOUqu2DikUCjG
z;y<g`!Bi(e?>N8K@w|!qGmYq7De+yFfdJMx%YX2dkF~I_-`bOGb{G{daOK+UEG4a-
zEm=H<DE2JmL49lKp_FBsl4Xf(G9rd&r!qMcxzms+YUfMk#qDd?N?t;`2T>~94D)48
zxc&0KaA#9)i#~tZZ65el43$@>%Gf8XGssoyf=k1en?xhp-^lpud()pzp9FO0<i+4a
zO4$nY$~C(&DPBuy4sfjOOePzu+-AQgh;)r!8b<N960>5c9j>U;n*`VeUTTPD=Hcf&
zC?xCL>0=2sEN<Tp6%o2ziFvH`QY?mS;tVqhHd7nF<bVR3H8wOtuFvdK%nL&cNv@T%
zEeN-s4BMCVAW{UdVC_z@<@k@be``+-kZF=O5~INGE<4`#>#^MRQ06N20`dp@jCjGK
z*UuU=`#w?P7~L{v*zlD<2lkEFra!JmeMs#g`@UC49LO#Li{UzR$O<H(CN$vPkIMk&
zR@u+Xm)(ETBU7PTWMi1$F2NU8jNX}^)w71vID4|eX_9DAB<Ei0P>mzf(#rhPkq_N|
z($elac<0vsz9PkhJPs=YOga(zARua-halKDNNB4FYCaY96(PKhmFvh4H4E|L%y@wW
zX6mKNhCiorZ6jLpNff5V8B0IhP(5Ee_atB|!n`7r$w2jZy(_&fXrDK@+USwf|AV@g
zM~C5ENZ7makm5e2_5I^SHEx0Nb}=QNnrHn*G}S*djGdxm9w9kiR;VmFAW<6(5{d9K
zb}TMJw>$YO1x+B5_raz2mDKfhFeyU52jgGXz}vMbD#*-c?h_S1ifBDhwMuBXO^I6v
zUngSWRwR;JXX<3i1s<y#cCe=LuL)Y*3!8qwqlx$OUAmW(T(p`t1c(Ud0Higk_94!a
z<{eP})IEc|h@AzGlc=??7w%<Dvd{l<_x_P3zB<N>{g!&ruc7eWfTruDds~76@?lQ-
ztq{WTxtnLQuP|Su8$<4BHnC+wiHojlmi-(c&WuMGg38ooE!>5!(c{J=_9s5&Y7FQ+
z9g{mfQS`W5cF{(b9?YH+gN5uIS{`yb@Xu>b7eSlTD>J}89>|+6zxaVSkZZUVOx!d>
zn8@1=K#!I%Y0>_U&gN*1Cg-1b5Jy1Ay>;-jg)0z#XFFi}!=ilC?<l|S`ad+MSRaOu
zX8Paum(l7YqD43-%x`xd34nt1gtRQlMd?Woc)z&^-GA{<+hdAXJ$j4wtQj0=>gbrM
zC#2fk9rk(6=dwBY(~waHd-Fzkg3S|(=1}Z*ON4h9<@57Le+~>kk)?qyz<rG(h{prE
zy40)$;x{1AqbdfvYG;SzzawQw@Hh{d&nC$Cg<&H>hT|i>PVa~S-s%CZrYqe^K~Y(B
zytnOA$W=A*gsiaF+np-&ng|iDuL}0^K&7kl{r=q=PIP<*DpRfQK-te`mh9J&<kf5p
zFf;HyKXB(4IwPi_(MhTPK5*)6Q6a`!{s+;J6&E`{>FDR~M-SXunOm<*T`z{h5?^nS
zHp<1%TGHZd?fw)nV*Ee`ol#iBG&Z&-=pDE4lmE1?>B6CR^9Qt1jPhh0knDs0MI}q7
zLq&U0LB_vt{ZP;x64AMBau-=~%Fq1yST1D7lh?3P_D3K`mgF@a#O!<#?PN?{CZ-hm
z+z$0uc4PVU5Df=Lg$VS-pC;Aw<g^-^lAcCc7R_w^4h9AL#hlOm#UufiB+o=z&uJME
zt*6#Lq&3Pp>xUqxDo)Qjxx2`kv-QV!b9>FkE;r`NL%YS0#U)>(9M<%=)r!b(fETOS
z;LyZDHv|52NXLj9`0pqBX?RR%^>s66@s9uwg-}PT-$A(Spz;B6Da3`xLTvZzO@{rR
zm{GchsKVCo+f?|AMt1TMD#w6_s~4+FT)uDQ@-FKn`}O5L_X`*b=kg54rD>YBJ5;o|
zDj8~AX~WlwYRzEK#QUC**D(IDFUl<!jpl$0k_?8b@Dbr)b9+Cqo?W1=F_s}NZC}1@
z^3~WIzc+aX`u~>p3ujNX8P((VLDgAK`cP-Fup2kD(E@o>s{9Z5o=foiI1=M4g2*>=
z7INqH$LZec;Nxsmp!f;OYS|tRmAR8mK2X!TzPZ-?_FN)DGP@*M=nHR%mN{a$B5fju
z-|F)`Px`i-gOB0Me|#p~5xH-6Pf&sh?Cw`y13G0~0)tiU!bA+ylfifN6U&Qb#a_@R
z>5nBJTz{2#IrLow5L(g=9WQ-d53*o+7du&7qat?ooU9a?4edf|T=er;f>qVybJ*eT
zKW{LbT~1Y-Lq$~upNzQ$c=H;{fOky|`~`mhUCN+;G+k`vf$V4~af&ZvpZ}^7VK|;-
z&C1DCT6fD3#|JNR$knoeK#tfNU|765z+*IBZOL8?ey{cUZMP<Xn29FSbgO>XiwmJ=
zyjO#0ZQI_8mf~2DjY}+5P@m(+OB>M)=ok%Fl1~lX?sl}b;0^)Lo4wBP5YNU9egV9-
z-j&hw^(0uJqq}1$>ww$M=y-aU!HFY#*3{OqU}M-`0U(h^WyYDz-1Ez+N<4SDp7=Z8
z5QD3o-<(;%<xpsmSWJIRdib|D1}|Ymqpxd}HH&u&DswV;pB-WAZE?b_4Fg$VB{$!T
zTR8U=RmnLbYkGQEi^zFmLf^Gd({%W)q0dR^9ZY#JQoYRz_zbSOmsEtU%EzlX)fQq*
zMzbY`!fR-&hHwO=Rhn}VrG%(|$jlAi+wW$@hqu?7r+6+lEbF;}&0N+`E0n7q?A~*!
z)vEOjCP`>OHBYVQJtg=a#G?l{hdvG*vSN^h#~T8g>5L2-hv`kKeO;JiRJ`x(rSl6`
z9Dr468I?$kw+8-U*URFyJHp|%_@ze&YA7HH3)X_!cbE-y*_G)?sfbg^xf{}=qGpJl
zT=NYtsIL1Qz-tw}R#<I96wrm>H^iDJ1*|LG%KDw+tb#fqV{)|fyr@FcosMLACMqVe
zP?|xV<C(Kb5IShV?8@$Hw|FA;llnuvCk2jI{vFSH0gXcmh*w8;1C&gOV5HM^w<>Q8
z#o5y4s>O%gwQWsW9HHk)Fubuw3G>d+y4tS|b!K=nkB*!tJNNFqmJ2S1OzZfWfSS7U
ze~K!E=fQ{lXx>wW)t2!Q$5bCN2R?*SO17f7x@?i>h>*j)C0oXK6&gwH02Xc0d^vw0
zy|fQ^gp&;C)Z8Hf=WOYBKf$wg@H9w)D=YkDJ~*80Pg&4M{(aP%(aDyGzTHYaA@7I_
zgA-cW|FKPsRCgqVu#HZiyPO+@Md~Y<@C4z4Nqp_lm-gxIw5Ny6J<iOvP$bS!iySrQ
znb>Mx^1$T%uC8Cyt2p?b9-L!C*vtQEnboal(M||U7KEM;v7(^bj5@5-$+O}KL}H%5
zsJL2QflI$&hayQ}%%{r6E39Es6+A{Rtg*?H7k}nqFjP$0k`d%l$A7Dtg4^@iX{hCt
zEqD4c0}1fd$gMEJ`&~1aYn~6$Jc{_*SKC~0o{2}>h2z1V=ai(vQRCk`JS5nb^FvIt
zBXO0jrhnXA1u#tapjgD$;gI0KEq1bLhl}^kTz;`rHp3g(SGh(|5>^~47t!N}9(&@k
z0!_c#a~2N3SKnqM%Z>z5P>XUIDU(IChF~_QdB~1u%Te=dIjKjhW2B%SA93^hTXNha
z*wpcXkei~uPZsi2ZDfxiq<N3)iih}cyEMdi{_=u5;IVdeP3AyB(g9lN3)FF5v7Y=q
zY9oJfN{XHo*`it;Ga3vbP3%2?vJ>5G89jz`P83%B%fb_MyYnd}pgX{E<9V+rxGFPo
zL*L=gW!Q91HspirS;P!mf_mZ{5>cZ`%hqhFpOH!^V^*BKFyH9`brjVi<zQ?PDK@oM
z<$i*31H<GM3L?V$rTx9(sgsh;zpe!CMCL5GMG$M1_tBh=lne2=rXHQQ&akK@3Z&<@
zut}CxB;2Kr$V1lF7M0ks>SGafgmctaXsl>4slP249vXguOFxs0&7WEqoD>K3NjeIG
z8%xbvP1quQD-AEmeD^(pIGK}Q9;|(%U=j9&)uKr*|9^Pz0eD|GHVM59(ls#huWJ>G
z>tCJNW!rh+E68yi%g;h!m;4|>8r|n0xRn+Z#Zmzdr0$C}01YH0?{HT)><f)}<$s>^
z<Cu9wA&0Cupzz3+z+QZ}yh^=Q`j;O&6TdhOxI)h-<*iD5yWis_ypBDy!6;r7t?N`<
z7$RzX^kbi9LHg3Ew)P9Dzg*kjb(>!``d=&nT|1dN;WEIY#|0m=ApI41-jg3*_xb~|
zXE+}s&t`mHC&zzS{@gD?w_5QZ4b&>}Ua@tl`th-Oo0b51d1oC13=;%P=RpeoAA)64
zDcoxvHy;%*c+OoDV1=?{;8j7t27LR<t$~=e$O&Qb4%&!3nj^h^dY%nscSVU5_&_7}
zD@rd6NGTlH#8Am*5g<>KB`Jz_a7hAZzQ(vkxvgwS{3-Bf7p^m62pKk*##H;G!zwY|
z?fz6eZ1wd?LEUdbfq4mtl{w!>!|OLDM0}cR^+|B7C}8wwT31MdBMqhJ%s`$ovQ!S2
z3#62XZir=<=9OBpuAXjbw0=FEnCUx_@6=@}@?yqSFnvO(ZMNeY9aVmM)<ho}Ym)r+
zx~J<v!bj{Y7lyNIcN`d5LQ)KLF^VCidFkxI942Jcp(EM0Dtp39;vdrtQw?tsJC~ub
z1Md0Zb1TzzgSsXt({2mb^xA-{Pm4lIUA`jJZJUDlRNc<<kA#1mhMK-ab{bLRGWr%k
z+mpBBy>fr*LwEVCq852gm1=M-_~BEhzjeH~4m?);RhJS9V3}I5Ode!l`~FlPu()z;
z3iC~61wC)!!_8Z#v*-kDWOX~&>0-}8!S*kZn<v6)JhyT}8^x$^4qBTLwG#3XI~n?H
zk?f)`euB4!Pt#?R=?2lpV?Yao>LEsOo49Y9z;^$k&s_t|FcaK{XIElVi(XO^Y)JrV
z-5d!_kZQQ)`N0_?j$$vLdj|x~{a0yH=%vQjc}nc&QsWe#QV}GfebcKB&#O?FKHE_A
zgl!1NtBaG3c5a0`3Cn>t2l+2p6*|w8EgHNcdyX3IT)`Z%+Q4g(G}yP*0Jd8NewaJy
z#&H20Y_4?E{8LxGDsGQ?*poX;o}YL}*Dk4!hhQfAq8!PUGD^aW>W3l>u<we*&C_ip
z67Tnw5oNWnQC4M(?2(B^(+@>5ZWzF=fUrOsM-C-0yV8x`bzfdeU*<=MGXL-UyCW~u
zyv&%fnIjv!I;v7VKNN)g2QL>$!T~XVrP|4jvipe0&bk1+bTj?<62tI)!N)e_GzlhJ
zu`i!v*y}bt_1`k9^S}LZ5nNQK?0$2zcXgX;H}DnbX;_hv0+3^yBU<rJiCoCNt#yHu
z2=~=j+m=Tu<&ZSDsLhCml-hygZ@ovHIaqz2$2gy*mxGIdO6$19-Vm`HMJ!LTe8fqp
zJr6oH;nJQHyC;|1&$yp&X#^=3i@M5H-8*G~eQqZFcPE%yjwZRetUKrrs1u13A?xl5
z75&KvMjT|d=i{|FBJ9oRM)T(1Bx*N@<u*uN|2A#;D*4bM6ws6mbcnda+w$2J(^?sM
zs1fBJ8L!<;{K7dKSuQY0AN&*-@l`w<RS$8X5OHd{Qj}rbGoH65g1|pPFE9jm?%*yH
zk{-1()8E<lZ=uya&5wUQVRXC-|5KqzO(DEXW0E^~2e6Zle{G{@h|GC}pT^+#!2U;B
zq4Xh^MBo^uKZLUt#HnNE2KJ}0lW6k@ZlA#xcxsav8{-)ZLcU>1Fye9FM|5s-wD`o%
zCiUd;i=}XP{-#{H#G(8#^xV5ZJwjQ|LI`(*1+FZM4oO>C5WWswn{U7t5z!MZC#J@J
zTrbnq-t2F!1%{%PG0U6wn%cTZ3xw5WV9x|_1ZS2zbbTg<UGjc%8OKma_p~~wUZ;@)
z#Fz%m2Wy*#SM9^2BgnYt7_@wyR0YKSn7z5*d`ZKY4Qh}s7f4lwsa$Qq&O4})u^-cP
ziK7|N^>{#vy$R<p(!kW7gsHzwRXx-{OYhcZHyxVzqYib)2!i#(kdSPSig^6D-TWA^
z0AI*c5aDt(_J<^gC7u<(7<@7{i7JR-iLQXr<=W_&3S(<Qv)6a;*#3ERSrKl}F;)6S
zg?RD>yV|-6xWS8-<Bq6Pw{}Z7nqx&QW0sBXj7~QOXSeST@&tK%<PjpBxS=NMG<ba8
za>HIMAn6Ws9i9J?y8_xSG-v}kWa)vQW&sen#<&!>QX&Hhe#kIY--R)F%;JxSHBWuw
z|AgXy#+1Ta9z+@sfw56AG%i(!{4<f~Yx`jEaP+~+gn($46V|nIp{29?B?wEq&>v5@
zdomE4IFSTV4Q=PQe+4=37Z<boAg2%JjcxfP$;?7jIH4P<QAxT_)Qkzj*3PvGPHo(;
zVNjqyf?8~3g(tu1ajWRNy3~}>&Y3bzd>}3fFPc??I*WfY+>rlL41$KZ8CY|Te-JG>
zTto2(;^2QP>BG3?8IYrCcAf6_Li)Ou|FQB)+W+JdB3>D`DP}8bXY@tI$8X4h8i&`1
zyHnI_mfCgBE-zCRM9PjA=TMELe3~Sb{C~0Zfv6_KKE(ga=*D#NMi(r{;`>;(Tt1vP
z5StD0s=rf-2+!p8#g^0m^KDUaHGWUXikJ|$VL;qJ#+Le9?exCNAE=?i;Rkk)^2-Hc
z5f46(-rcKj-fKA7j0oL3)_q92;7chv#Pxi@boXKvudH~!h)n%zDx9LWJHC+d88Icd
zqT(}IsZWSkjGQ3-%;iG|`m(=@7WrMUMN{7QXrY~4MmviKZ;Qmz+MKncfr2kZlJruQ
zU-;6Ad6nEB6jGY8j0yj;3mwt@>5|xKIqh8C{ujF$ROQl8NuYfXL^!hfabaC^giqW_
zUk$iIIlq*nIAN)y;OHZSKzPAVW&E2%saK&cbP#-MY!6G%;Fas)!0%0R4b_m+uI_}f
zag!UdW*`b&Tn8N$FOWeG=pH26pqZY%fxXqF-;Fc(uh$X#zzaHI#%hruxBFT~bZPx^
z?d;=`!0$%oF;g|h^n7vxfrw!Gi){K2nFwV?H#mo_Zf89Zl$hi%961I?E@lcn@5n-?
zE1$Tg$N{K)-}ML<RL}<xf_A?5lbN39eyrxc-VAIk5MD>rBz&sXEB=!^ACA!Bo9#-{
z%Q<bA`gN9Dj)SmPHE+@!cC+KsSfOtdM}*52A9h~IMo1K2p&+RnUf0wwicmx3XLkcE
zZ^*jZamn0oi+4dbA)a)JHy|tGx!maTfF4N_QHd8>*g<}ifmhEjpyqfghP3sYG;+K1
znC{tuVe<`d?I+s!zIfW9v)V4Ud{ThSCPQm87_76-pj~ER`i)meVCv~%>R6|s<ev>P
zh4@fP-1KwXH5-aA-lFn9%yBX_5)r`N)RPWzgl-`ds;qL8>)2<-==Qx|2V;_v%NA)m
zyXPY@MfEwQw174PSIWv+m?NnToPzrhJGPDu+>TO0<mm)(!XXUh@esx^J5PM-?H`t)
zv*a`v+#-;E=)!_CvtKVtqnZmFi0?%QpJ!YMQrSWwv@PcA^d1u}fB#~X!%ll1Xc{xT
zgr~aQj?x+POL3$)`<!(e*4~6rDN0<Uzu1N8KNsn)mW&eDXlmFUWD=1G9RVw=#J9?6
z4^bRia5dmt$b?`x3JLXuFGFp#SIPPABzqZW+V6`GOAxi7eij4nhJWD_ju!t&m^B~`
zS=ZzUMFKf8z&8PQb5VZB<y@^d)X|SFM&Ifq2;cwfU?Il8uq{d7W^wJ)Y=&MtlQ<$}
zDw?b0iVCzFq?y4B!6)iSP#KXIw)y^jv9Fk4z+Jd3V|QW|cQ#%ZN`+1xP+o^z$fK{H
zrq>qr!=3)0xbPd>CKe2cT`1NZxP1$pa%GAxY`kj{VG5l-o5ZK3oLnrUY`yS(bl;F0
z?y3Lz=Vp!}X%CBjyu9JXXN^U;S(|?<)`y8R{g7rzg7RGKLFDS)xrAJYM7ELZz}N)e
zqU4t){?0@lQj^O{dp2GMMw1f>M#hG=d1ZCyo(TxC&d~2&AN&gyx=GiHbKPlnS+j<v
ziAbO!Z~aM;X@BJO%_5@Iv>i;vA1pUu=a_>Nu>bHW3lkf@Rk6`6fQURIAKGS4F+Rh{
z+sd!=&^7x?wuzc+1Qe_QPSA5<5uP)8(=K<bG6TRJbRpl*%s+-H$jC2of>;Q5WIV|j
zKaLW<+`W*O6^L}bt5=pqmyo6xUo^T4Fj2Z+L1Gg6ESbZg{`iH$kJrryb#*HZ@hPi}
z+t1^379uwabHP@tQ2;vJ*8Y@ynK>26i$y*xIcLF0VA|<o>8JjoCEnYl(Z(u^6`3Ek
zh3OTw-<ci@=0F*pJ3jkzU47kRufDOuKAdLqi|RQ##YW818DY+&46cl6<y$A`(@F;a
zEwj^d0VkN3He#CCy8E<y$!#Gsi4KnAw2&NZIWRw~OIt@LC5h~xm}18kohwf-->Qpa
z;}Oo7?L+;r2wQo-{mr+RnFUWF+-G_@UEP7&YF1OFCz6Y^DmBIYIOtu~YwrWh{(3+L
zMeyb5fkeaVoMo0EFxP23;OWy=y2!6`ePh$)rW~#tV61eua`|3!e+fV!1GmuAZW~MH
zq#Is?x2=?D!>=Opssi?q1K*e&$UM6A%qZ|(o|<zO{T{fTN9l|P=@lYS-B7FShp_H$
zq^0Mo7(NqnBA-BvYKehDLl6fd9J*ksczx4wH+po90iSm#JL^u@mm6B-xc;2tK@BT4
z($s6PhPV5)l@w?|CkqCNv6s(YupRl$aTbaRK0}=#C48VHAulYu60Flh6}<Sc5P|*S
zh$}t#iyyt6lW)Wjs$THpva;!DnE!n;ypt*(9Z&q%6fyL}3jyU>i>``Ee<eN*7D?<e
zdZU7JwjmB5YN`2MgclMDekrXCpAiVRvAgvW?Ao(*qvWGwD7X3M`cDSLt_~Se<LG`{
ztJiZ+A{jTE-#@kf@g#b-s{P;fRFBXCU(rLAaK{F}Yq-FEKIbxX4GR!TS@AJDrr2X|
zyYt@EsjA{<*>&R*zFt}M0eQuJ7W_U#)<!OqGXG$Yl^il!B6kRaF3ZOqILOl>oC3ww
zN_y|#|D*Ba6FbXyS%~Ro$<MmOh#DP=BY@f$0`y)F+{VD8y}bPk$NlbBho74~^A2?+
zHH@h;2Pr*Xcum<ZEqsfqdbgv{{X1`+sIiv^7cxHv9Tz=KqzsjF?5z#^Se+2Tpzp*4
zeO79X9Apd+&jW!6d$kheinUjFd9)3xW2-R)HrUnKwQJ+9UO(N3*iTF%rhG~zHCZkt
zcYm(_DB5dVCV^hqO1<mX|8hk<B+Hk){gyz5HGvyCYA<@!h{XM|4|fAAaSKRY+wA8n
zm3Z(ox|FFn%v6(ZpLty18c`hlJbM<2?&&^czDP4D<=4-iC!#T;aeYi7fiyxBs}38J
zaEcAa2d)v%pzAYIFkr8?_8!Fq{5BxlEvhi2jxb?xH6->dB82+MTtYF585Vg>69$KF
zcm-Wj2XPe8q6P9kJea&lVAv|mLWZ<6j<5i4H0GyO_TJhV?nD3CjWQPwTm*XmLVm>f
z^rLt}ibL0`YwDs`*N(HuyPq8!jQHl%k9VrpNh38)4w{mx6fce|$C-7YI<x7e*mX@Q
zEe_FRL=F&v>GY>B_5?RMGL&qy<F-@%?8N}<6>Gmea&WojxpW^|68Q9fd$n%cM@|cw
zNOTx%Y+;bpL-@YV+PQi46V%8^)b?)VEUQZG+~R=mj62b@gZ_T7UIat`YDLms!~{N&
zR#am8vXl~tDO2VJbD*5e+v4;WtYs<bLAd?JPiOKaA04mYFuzVY3_cD-p=#yw_GB}r
zX7#htaxSCnQ&Gv?UqYWkgY-gX=(8kM$?V=~9C(mLcUkOzvEKArh<b^jHLM^Mfn(Z_
z0=NG#-V_ni)4JNb4v^OcFGIv%DTDz99Z9l~XmJokcGZ-MIVl&?z8LC)*>ykLr5gk%
zUKW*vqG51(NNFrO*jPdnfB)-px~ALW$03Oo9I&~4b5O^Y_Nxsq*peamGoU*nni&AX
z7y;42?(K9<*6N6AR*nBOJ=c9KuFQUehUMU7pQs-(LI?H@qMpt%U?MW$>HQqKxBWFP
zQ$<TiMj8HNI*8Tg*j#V!d8ieCue`Xr&6IV&-l?kbL`IB!@A}!{Qj^bDWwnmunnXdP
z%Mve4C&Cv(1~QVN%w`zhWbTrsMekgunD<6Lh@4OXSJ9eQl(?>mpna_noR6xoNBuzX
zZj{j%B+{)QS47KQ4c@dKxgxxA=z(Pxg*@t6()Rh{B1@#MV`g28EK5t_*EL*FodscT
z%GitQIa#6k87V6JamekFB{nEQh%fhUoa}~3Ejh5?EGjN{mr#Mih2Sqjq%1P~W>4#5
z93xijFP(o~lh2?=I1ZOP3f|PEiK{%hJ>~~5JHA2yS^NZOl#l(^tmoWT#Sr|d!wDQ;
zck*`+`c&ujZCWhqAYWVx4s`?sD~7I31vb(5ORa<9#+mg+d-EA&U!4Bx5J=J`^n1xk
zp`DYZosv_kuVP5`YP><U^T{4x;-p5t%cIv3LeE}xV<Gpqg^no0kbTM90nN5^z0`}z
z2m-CMkR%7k&8_Tk<G1TNZj5-`@&Bj~8HM;01eyA3wdrvZDSPEie6O!CeIRqZBLN}~
zrDeVMw!43kAiSC!zWcdx#y{Y}%4`NZ0%C!T^Bd@AS^b6UUFcAKNc2XUUv|w$TIBJ+
zu0Ug`w%c-vLjF&OLl7&lS&_qsv;h-lB`*%~cmIiW2(RVfMDXD#keZo;6RR8NyRGO~
zea1Mdl=fl+1MT=)wd+QT(uoi>ZWc*0Oce6I$AYa^Bc&Kxu&6i}1viVVp(xA*C=9u^
zS{AwU)@8=JLkBWprQdDQi`3%)c8=s75?I<$aH3e2EN9D!3#SJM6Zl9ti8K&|^AM?{
zAsp*<nn(Ot_EEevu5W6%$Y*8b%)DcTW!@$iv&!@Xh++e_gFvXD_)f|ZymYfx8aL~`
zih;jqgg75=<CL~vWz!OK%)zpF8?*CYh%PNc{dOh@I76D>Y^Ts=D+iqaR)j)ux8gfM
z5O0WnMfI=a+Vzu&$EAt|k9V;??=x%Lzd=atLs4k$aCnUzW!ip$$EOqB=$yEydu%HP
zgbfXW&XFu0pdDV^bT=2P)b&kH;<s~76@Re{*_1&^hP_SLml+OiRc37HW|!E#(NcAY
zL8ItRBMGX2La6&iEjG;~YB@VEV9&~4sQR}EuukBU6lU5BXUGwR4vnHB<bzc;ExmJ6
zV0>_F|86f4;jZmK>7iClj35@LU?Yu#AuX(*imE-!zlP6zoSgjMB@rNY7wX)aL+gl^
z+{ASqwe%0B9DfZVA_OmlBEX6ZJkW)OS04<b`JI!$<lX;V?0w)Xk5ZkM<9#(!XoA5A
zSA7?*dIAl-^Ig#Nla8$4Nkd7Q+3&&2xuC=g2$F$PCRWXo)KILOtDRw5?V(-b!o~qk
zY)AigOf?1~=mXIK!bXFMEJC~b$cndE4E?8(|3iKRwNVh<weiu_qgk@P1vQsL=K_fd
zhn#332F17<sE&sq9$PQAMptROxh6{E^8dO2e@p}J8a<9sXVIQg*CkmNrz#Tcg!o<N
zR@7o1+n57yLe*+I?BggDD@7WwQ@+prXCe0*v%Zp#_qd;fu-_e#T_f~nlbBF+qj_k@
zrEgMoeo{YkpRL_U?py0$S&o38VQFnnhxIswd>IXLiK(o5$@Ts`$U@lFXc|7Y9uhJ#
zs)o+-*~PB<wPVLx-{Jee?=*rS;)MqjG{jIi590JmgSeiqLp&#<49Rl{?hQn7K*zc_
z1e=Eyh8IAq0?6Zu(F&A=oYhCQkvtzEBMpf@grb~d-r8Jk4n#o1n5O&w5MUeKw>`U2
zoAVW7gTb%^6hp}05COosK{XS2sJ_|X1_k{QaV!dCeR=hztUMbhgZmkPLAY8Ju1_F}
zsnF{62B~pmJJ@Dl+aMtIzu`pVLy;PTSFHSCM>Uh^VBs)l**3u3Tcbs#@RkqZJ^<L!
z8uY7G>am77`P{m#!}X$T4n4{V5C#1W0-WjB?j+9~Kn4lN!r}2K(IyAcN*tcX)|;If
z`>>*^DhfIFzcKVCR5BYSko1Bef)HGZ)O?2b|C}Vr@l{}pADo$BI1k$UBwC$DRvV&F
zcy}xP1|*2!W2p3rR@;BGG=XM4SN$D|5=u1g>e%%=>p)t_Sq2!xp?hzv0mNkK&>_ee
zQB3DhzxTf}nTKN(d)L!dx^|6kZ63*z)jm9{DTKel?K~c9xDXX@&<)KHpf;PVA+Qxk
z2;msM)VkBGI`;scsiErP6NChB39-}}R<GRvvMn*Gu5c$%6T!Lb(gQweW-iwV7*-RG
z290E|($^FK>eWUH{@i*9tV1gHJ1?CSeH2$NzxP%(gw#Sd0*n?sDGUWY>(bfqhOTxG
zSjD@atjcId1#^{H_`$b?6U<m7{0*oVu<eukCFeB*)WdW!Yj^5dchjdl(bg9T7Hvjx
z4Kiq=eU?P`H}?CO?L{fxhOR!4(a~SaKe8Xs1-9h{DTtXv@G(~Yq&3m16OZmMy|H?o
zh^9LCLoR#Y%It@grIVY`MiS=J0*S=dt<C=~Iq`LxM1k&&HV8drCy%do;f@W1Tljln
zN1?6-{uWH#ar9@&<%8BpN5$=m_*@*>c>C|7rHNR2sq5%u+~{ORL#O?Y51KCAQIzag
zU(4?uc{LYwi1DeQxR^f7Z|(kd`QV2boDs;WptO`mX?9>gAS?1XeB?cFc%e_wVt}6j
zo3=324JD4Ek4d$j9U<RHtj~+6-d^mRrGv$u0V^LhHFs&a*L5kEbIENtKieCU=@z|7
zd5-#7C@d`xON`8wOnI6`(8FjwKnVwR;9{3lR@<-d9v5?zX|$f<cfdj7d}u(`;%lSZ
z73%L@m<)yha<~;B2@XR;-TlqR>X{STffVxM8Nl=>l*2+a`MS}tX$1KIIBbflG}^kk
ziA!#j^5Tzm;~%bnPW(Es3sF<>><qaE$mEnPRL$pEIp0R?Ve6GF7`UAXKfz88g)=1Z
zlW`@|i2LQm_Wc88Ly-?a`1mHkB6)(J^y;FpK>V2_-qQVk0QIlR)ow6?4~}fA0l$B#
zARDpdHvDD%s%5Z{GncST!jvE6MCg4PK~a|($U(5ovW2+pYwksg{G0Kz07;=@J4t4k
z?g8MkQQC+Uj046SZ44%pS{(VxWu1!@ot)Vk%a(Ju<0ORF+jUgrv&-&uYr(ilXuwh<
zFfJYJ$N6)SZXsVLn=13Vt+R{u#|GZo>O{r^R~Xb7kC5Q|QTEHU=RI02s~Hp+N^q{|
z|N5<H&(YTT?Z6#FzuQ-V72zlWxTpgwuVdTy&Ei;zF8hie+q3k(@mZsH>uk;uG=AG4
zeZ8H|!>qjiFsoj@S$8%&OF<BK41=fgG|C(Fn`~gJBqAUN3swcf9Qz=fT`d8aXzB14
z-*ZM!<=>EU8>hMc8g3KSb@8V@d(dT*SV$Ps@+r{xC#Z9TbIC_CCO4$!jCVLksl!rC
zAhdBp5QtN;=cn}3p!{ia_$+~#P17Upvk6&@n%X9c82PaGQ>Q;M-2KTzcH-4VhFjb#
z6#30(NRG#jnA}@!eFa5jVN@qND&1yh6&1V=_w2>Y8nI0I(YuRf=j-w&bc3#IK&~jP
zs0J%O6QYtUwhKAY`&K9Pb8|$BT%TiV`AI9NR|wh)6obX;84a4ST%wUGY%h=a)cA@m
z!n^4-$CFjmoJuR7cneVlP@fh-)S<Ev(iCd<LYrCO!-K4AuT=z(9&A`IS)Ok&E{vGj
zaCf-RXn*PA=>5VRzR)G$&G;<1e?|SP+>N(wvu<$88)TIm0dc4vo<IdXff@x-`^p>$
zCKoC=RYvQ9V?9REXsF2dsKF*ezu^W=I1vQidx&tNnvZHycI^P<QupAq@9=7b(+<Qg
z8I?E=H#BDgZ%?w&H^mT`7xG4p$42U*QaB8QHSQ`>5P9vf)J1;vF+qjm00>1~abew~
z2Zz-g;!r~0gjN}dUKqC`+n?Q@s8soBXikLG94EO!&Siig#Ij0P<TSC+@e(q39#y)D
zWHw%<k^NZu69(mhu8O+|F7l2`t?fCy%pEJJfQ5t-BHS&INp`QN-&wt8%@H6if1<?&
zjWl6ex81~@Y8u1?9`zwuODXOta(c_F>r%tveYmp$gJwEQcbz^U*`%WO?s-k0xPKm^
zdyE9_B<X%|%JVYywdJNHXZXln8n#_8%o<2zRG&q^kOLo$K7k`^!bU+OYb*ME!m%WO
ze4-@?z=NN;NOBy{_c{KLnfP{Yj`$NQ+1TrcYqEtvF}*CX(<^jo-<)PSTM8vG0$fr3
zLlD)xw19WsqmdilrZnXdySTYI50fD^o9H?!A{4@<Pn>1i;=SQBaSj;WeVexS3JHpP
zg52=$72t=Tv6E5GwU7UPNDLp^g3P-e-I{ccrTx?<jKs5p#%&r2m3{zN8x<x&UPhls
z@3@R`p(`DlxEr8@@RD&)2RI}Srdi1}j81GP$fCHRd<7vw=ow}L0(*2H#9biEF~_ZY
zpm8_m@Ff=VnGp9twm@(7BN|16;sOW2z72bPh0yP`(C;4g{WJHRom*?`Trg)M8pQ)5
z65XM+0>?{EK6zEpWTp&RW=g~d6~a)C+!&6KAlHE3RIml!kBrLg7`8tB2R_H|q9?eU
z&v%N1`=Gi?s@RT=><yAdTPe>XI8Qr%<XhT??(c%&Yw85jRN6^e8lvj~xXI=S`NxYG
z@_coLVy;AGXNQm7u_u;(8a*I|2?s$G<7Js11bKh1l$zsvaW0a{GyFXl1$<?TnjhLn
zTM0~oapslmA0o~YMRF5GCI_hicH!pWUY69}9Di0vNSXU!JpMW$Vw3J4R6*?EfrDwD
z_~%3e#g$=m!`L-lYuE5v6tzr25kdHLNKW1yd0%qPDdkSM(%ja{YX8ADBYc~LcIcuN
zU#wQm4;$k66`FS{*DY${k5mwQKBswnKt#X6aTrx23=4NezqzHs7w}xC$?Qw~G#PxH
c7n(C?&t>?)-8<<q{EHw;S5>d%$eTX;f9ky8TL1t6

literal 0
HcmV?d00001

diff --git a/public/third-party/s3.png b/public/third-party/s3.png
new file mode 100644
index 0000000000000000000000000000000000000000..f86959a934382c0d05f44089555b5857a82016bd
GIT binary patch
literal 13495
zcmcI~c{tQx81MPcj0S0llxi?Z5<<4dK2#_|(Mn7aipoybuPxa^mXvK;t)aBojV(f1
zijZaOOSbH5-822}bMJGX=l*m5xSpq{Ip1^MbKdiw_x-%fIU$Dn+S}Ooumb?Lozyvg
z761(Vi2<xw_+Qm4;W_}Yz);Wl#NWSvHA6%w!NPhm5@bJ;f{%bokkIik5v>T(Q_*5-
z!NNL`qH<mWG9JW>$ujzJ62_0El>$hV5aF|rBrm7RsRap{K9w_kB&icArV=0|>bO(P
zna?mzQZr1%?74!Z>mF(MJ;Jwl=*LK$PlSX*63%=g_B$or_bB<1&L_&~MT<$e@@a+$
zOM4KF6Q$+6h{q#D&pwvE_L5Ax$$c%2EM&)h_OT@Oxq?-O67?ln+MP&!sUYUacPdg$
z#)~N7y2tFP!sS#M%QW)&WEsm0C7Uc25&IoNb~{AvcM8~W>BWeVeMpvRN>*7)H(#r$
z1qqv`%8A_Gp%p1=`V`KyQ^AKsvg4NX5ipFCAlh&V+~m5LDnqp5vU#l{aFg36OG)VV
zj@9**y;g*Q=^oo0waveqGmDd(o12TP3(W(ybIUX9o9kZ~pN3}`#tCvI?Qc59TFg_9
zUrbQZkCyKm`yTw>A)zeHBggV|v{YhcSZukE^|RBTdn+FlxxcE9SzcdkWK{nByE!#K
z@onhK`_`A;6K$3+j@zc|6}G*eU!MClKWdSx8<>B`_Qlz@k+0*wM||>bcx2tE{#o>-
z>fYGzA(I5Hy57>-Zn{O%**DF!xYEG1+C=Sei3EC(L*}{l&DGJ_!H+FDcXQ3$vaVix
zrvCbC(y2(vm$eC+_asZ(-=B+9?wjnO|M++&PS!Q&V#{ECb@vCxukI9jjN>aR^@(n3
zO+?RlheNtaRIyKHeX{XG&73b!{oh+xb(UOCCNHlqhZZ<J`xNu>duDFq%O4}H(WUM-
zDd$gy$!9b?i7p6y`!)Stb0)1S#yRWK!s=W_=SP!7_3#4sGttWT-?=-zx}IJC)F=O1
zK&~^rEB{k(;nTW^(05)YspL0JFK(ru$!bh$9j<>+;B)Kc`Qu@SiraH+UY@-5-1L6I
z?aOgGr^A)aXe!AS50w0bU)07P50Rh*i>L>Qss)Jozq#d|edkoPgp7xvycg+W;!#DP
z1LjW^4IfD#^@6G^trsmp2@x?)l)<N)wm_3$v)8%g1i)4v=05~HN#X;51Wq2;Fm~^n
zN@g=O?kxRlz~ezeh(=asEo_UmtUOl-VvS<z8$7R^iMbH>I>|$SLN))~L}__HXWcUi
zNg9omLlY&1?hSh;BqqcjYSL}!z~WYWrDgXc(dQ48q*^@wPOy;6r+@Y=_o|I{|MdQP
zB(7eVcewY@%J_QmsGE=Z4&g$zwXx@s{#Rae6;yiukgi?)lCtP`tF)&5Xtr(Cg2!@?
z`tgE`SmE})zb0mGp13N$(|pr3C)K3gO}IUc@GI5sm-?SUYwllvFSZ*Hf0Qp}M_zgD
z`|DCFIosEv@Xva=@4nJMS8i^W_XcsiV_mt~Ve%4peBqDdNjf-)S>qg=d4gX2CFOzJ
z&^v_uU5kml!ZmwG(6@D67eUJN{+`tZGJK*+jMta($3>kezEi|m*<r#;$8)UOnQ7EK
zT^Q`<*ugKY_Zqw9kP{ui?hHr#Mm6j{KMmgZVRiy0as4RDdYv#fV*)9^InfW+^UrRL
zBjjPI%`Gw1TqKrEMGX`g2L<?N-#Fsay}92ZG-dqp*(uZ@R++I&jGv09+#&E)fBbLO
zHYz7ja-!h+2rI{fu*T;DO2JqI60qWmP8`*&XB)#(%n7qAT6MYnvmrO}qCNyVkX~sw
zx#|lCe5|bR!!rOYe(V#H*~|Vn><g$T0>DLR?)e(!h}oe8FeD;P7BAYj%WzGNj(~n}
zMUhfdhPEyv513?iNahmDjxtVr424WNN-%scMO*MjWkDrURwhLo^G0#ZpQTc?NpExq
z^Jlpfsd#4;jzXsYSY{b2=cF9ts6>1Uq)6-DV2{jkGX3w;f1mHM;#bDY(ClSoCkVuD
zIGR&>*TD{HIKp6=#j=!>f*_U1pF%0pj5lCs<s!@udLxnV0lPG$n<+y_Asv<#Z|`MB
zzXrK}(6qIKgG8iH-9-|SKx~1kRI>&AtlzYCfsaB)zs+O3w{Q^{b0sLtf1?@9=4=VN
z4K{B#ZKW{hax<gh|05#rfkgR`2+F|zt{J@(Zp}1#7ajSJC>Ab3R+0kD=5z`Aj=7?u
z6oVDD2iBu3rn@0=%sj@%7`B^6S(?+&R3a*=yC~1K*zmKEVGR6UJIay`C!h5+qi=!D
zkE1M;%%;cxVqpQE41M&jpBj`-fr=E0z~<mxga{cVG;Ia&>x%M!9NaelcW}K+EX|(J
z1F`PCyC^fI2Z{9gGT<?z+7D8eStOYID3PMFK+gKSk-cy`-P2n;nEbn#|F`L777u3A
z$(+Usmyld$X;z;3J%IjB-o1SI*T{{ZMX466Y1)x%PNh<4@7-EK{#g(GwwG8VldeZi
z;tl1h#U(0*d3y@YEZBMKYrmA0zO(3^8^4eyP+%-SDt~kxGnVYOQG@t4kvB^gKWD!U
za$uWQyLH#rx8>DO{`?&M9#0SbZ1b6|q;JY<)2PPoG)}$8=M;`0XD%N)F>dncBeCOc
zyVNpE)aRir!u^C8`Ni{{lPcBMzED`tJ?bkv>fIIp%jdlmswdLtL>cM1@v(k@J6b{f
z<;GHW%_D);&t>r31sy3><GlH|5AIjZe)eM6=;KD)=rTNol|Zc0a(i4`^?vWy69uoo
zE$1u_Gi9XYMzQ)_@$!VuM{%F-_AEHfSQ*L>HkC+&lTQoWU;LHdKV3f{CfL1e45364
z>T*;Q)OW77p1SDaqO0E5wQG!pVoh-O{CMEUN41TVI5*F=J%aEnmZD8aFn^pH>~;6R
zon((b?Ijjz;M|YS-Wv_x8U07)>kdh=$i(E7*vnRz_~-2!);O=9JUN~}SihD1<S!AQ
zZ*!$Tys72@Pw~WCX6u~ZH~UIt-|dlB&tI2c3Am@6i;MYvxqaIH`0>%C#I$7}2g~0J
zdoRp=t3ANu-Xyn_pJBULCIvwAcO)zHm#h2B9{$xEQ(>InM@r&5_#e!6?;H3onD^o4
zOmzJ4g*}5Mt4gOzyj^l~mRU%kOOaMksx{1S7VA87()PT5KqDcV^?<785+PdqoVkSA
zkLVoN;u}i~g?%kkWhfSOkx6OZNudU1BFkFWPwEHWvL4%;qIBG28|{U5T`S4o<-V!9
zH)EpYrx^Ku>NXWxnm3{iI+RKIXERof6yn-Wi`_Q-abV}u@5onG&B%7WD=FqF=?lfc
zQ=qw}4CMiK{CPeaInUC{0>8Uhhvl~|vMueQJjR+XvZ-CpUok9t*0t}>uilw4Xdk=5
zJwk%-89#j<$JAI$kIsV~VMvBqe@EfBcqwCw#+QY4rJuW^02+;LPrVbn{y_bD|7(`r
zIFBIDZItW_9a<V~#;fbRZMx+v4^oy`UI1!88ewF4dnV#ihnb8I-y5_3-e8Suggm*B
z#mG>PcW!r!O3qjBmcJl4Zf#EC23>@)`o{-<nMHi@E|FChw&W|E$84{LkVVRK2~l0U
zmaM|c{-~*~p$wG+&ir|@=3o0ZHtGkisySGR?p$Cu@B67{qUC4k{qmIHIz|%E#?Y=H
z8G)77opOPJ>vfNx{?RY3v`xFBIQTn^s`cl9>f~0M4UZB2yZ*vOX#<su#Oe9bE$gpu
zq)z=VoL$;8wajAZET@cjo=O@YH!1gN)$&z5+A%XSAj~PHXytYO<zg8KePA_$u4V}6
z4?3$fEoJ3bZC?8!SvK{@kEAwL_F)}5x(+h!YUIyyLP*Bw!Ii<zejnRiX~pZ33DF;?
zecyHO%EQp<NJZRq@1p}E?{6;*t|CrpcN{${89M4yODuN4(2ah@ZLivJn#`t`52d{0
zaB%l`7TLMcn;)d8cr*w5_D;bcAwAP4yp2^H(dmC5PrL&4#cLT_>ljgyCq>xlqTVSf
zo0%b-dpd1%nvdLsN>9aj`$eA7<G7B`zUj93LtU-hlGoZPP~foZs$A5^i#&K*0$(P9
z?`?J53imIkf~5TmL0Lzi%Esrk(V+*jQ6e?eoavo-x7z)c`{&!XARgNfd2T2#@F0*6
zT*0JXDvTbzbnT2uj!rqxXXVOnL;;8@(ri-}t_vj5H&rSMF9;uw5<Ro6*##oR9>UmH
z{fBllg>TL@^1SofuG7o!Jf>uVUjUQ}r1PPHa>jg(-kJ5HSV@<F98>EF)C|;Zr}9wT
zTobF?4wr~qg<iws9_+~2ho)oK0BI7H40&B%a_Gvn9BC4x#W6(N?~;Tq!U5hkAz8^%
z*+NE*ysl67y}kZneyd*=hb{CG4+-hcKEKvWOd5ASA~Dt$Huc}r&0GlpMC~WlW+;BR
z=AUp_@-)3EE6I#=SL4+YzzPmwik=W{%Rg%fnbU{m3g2HKvaN)7GVM5!HDOX`;Yzd=
z;{lp#;F6?~_o%IxwjUg4O<*){<XJqg<NGar&NZSc<+I&+RZV>mMPeK&N%+7fWKq2z
zF=1B`NAF>ikl7S)OtB#L#p0G|*`dd1;tAQ=;t#QBa;4dY_37!?W>=41$KOxdr`Uv?
zV}#{D`PX3p+;NR2+_V<wyQxm}?Rjox%SIvuir)}hdTs7t?C{_&LevS+Ay`sB(ip`8
zT5;$VRBwGL${w}GJYX0g4eHk&Z#T1ptC&3w05b`F{;VE-Pu_v*k;%Mm;4Q8@0N`vA
zWCl&3XiTrms?!PJ42Cf9qov0dIza;*12mH9R`+x`fiPRaJ?!i%*R7aWUZ0V}E3)*R
z3QmC@2uX+TN<=*`A3VJpg{9{(E-U0$!!y&Sh;;l+$#v;UY9cdO6TH9Jq>#2SWxS0x
zUfMz;k{S?OjR30B^T*G~pqdCc15((z2vLLR%RKqm7SpQ$j&-~mV003NTfx7pDx<q<
z<=5<kXF;B{C)itmv_}u(C0xf?73Z83@@x13=@^~8_G#q%N<@HY?{cq7)uc+)oW30h
z;bN8e@yb#u*ltBypG2C-#QSg=tt3Fwpyba#MtQDOB00q7JFn-DR9K!@JoXiEk*IOi
zPiKR41F@!L#=~mlO-T0JPr`siq4<60tNYwjiEtANBwds^Ze5Q%D$0T`<K#}Ic<Eme
zA~J?hU5AIunaSsRX~MvaC$Fo<G@<BRB~pOBHfrZ`<irANR^yo)pyUAKO@rcW%mp_5
zf)e#saf4pHe70lo6~N#}`ids4Bqu^4(RsYelW8mWvCHQ>2W^D6VICCijWF>^(<RgX
zE{=bmcC>$dJ@R?998^LdNw06oi%H5<eb2Y+?>c?Vw$tc{jT|pV<-n_O)t1IL*bm)%
z2mAlnP5p?B#zsZ6BLV?e4X@qI@YBVYq{L4v%H6n9?h{T#!;M)xBo3+^zFqSP^b+lz
zlC$%^XKbz=aRf4F_t6L&*WF(Gb<h7&bfhQ6ch0rSSeu4U)z(4y5aj}U0^E`vd3MUa
z8dx=wB+mZ0v3mP<)t_;O&SF=`MJ*WpQ&Q06mA3DZPx?j_4$OX9l2mu2KgXsPdQY2p
zlnbhz8`mrUHxQvDp%GL{b^4i}AKgD#?((`Rti8rgUl=Loj6IyNlUIJ1u^;zA?L&%C
zS#My<s&mPmj%JhHH#z+>Ln2}lH=B^nAK5>L`nRgz=~+xq?<l3QhaWhGaxmfN36K`C
z^LL4K|7>M&=85d5D-y{J7>zgye;JhZUCdT&_ePp|3M3Wc<FHV*^(ZVpsttC*TH5jr
z=>(oceYI4^I>9}Ei7wI9`9}12e&JH`zUCbY^33s2>2>KRHat??mfwZ-o{lqOc`0Ff
zskk?oKW~Ztl&tvUalzs%Rc{qBcHvC((1`29fCD_ldHo{$s7Agyw!dNIT!UDUkw`CD
zy}V(RDE(();9Y_Hr3+-&RqyrMJDq!R!8b;#KfQGX1aJ~_^Y^by5eA%mF4M-ChlQWM
zb~}}QvnEQ9hPjMe44GYCUC`cqK523+-nZ)S<!~3(6ZZ;Wg=mPC?>&yl>6}1%GojD(
zuzaVB-l3`QAF;jND$OZRvKdcq`~EJs_vAA6OS~4s&1grsfFn+&Cag?oR8doLS6sJL
z;3s{(#Ir?bf(dmU%GY}<H$!t?QhQ9(wrLu&`0V6uXhaAQVX50wxK@p?#dmyTSq;(Y
z7pp6GceQ?{Mw}h-IXV0^$U4?c)1}iaW9Pn$ELtayIHCJNH7l^@fAZ2g^tM-bpmFwQ
zV!dlm#+2#HXl(D$WU`F7uW4v#s*0NT@BQNfPlxl^!>^5igFt7yJ-2U#(S&1;{rn)m
z&T!`K%nsS%jiqoqErR<M)7G^i!?Smv)u$eH=#O2O^bDkT&gu$`usw8!`CA|>7}UH_
zka)Pv($Pd^&g#I?VF4xi*K!A)R9W!hP3e~nJ5%C!JQ{6lN_c2o=t}wP>)Lr>OYh#s
z5FrCp9Ipc?f#?~jS@EJVHFKKh;BV8J={rrfi*pMb@Al#^=w%+Bwqw08j^1w!&wQ94
z_RGpe_?Fn7V*|CPdb`%@yi-Zp7}cg72S&jmaGxuWW2nYm|M8`B#aV3IFE2fBZwrz?
z&13Y)mDrU(=WyND*7nznlQAOK;onq==koM;c6K&*gKtZh(t8(&hSz(8>m6gPYI%8I
zk)DYkDfK?>8|m%8tij87A_&~T>tHA-dghnL{G*Z=8IAe;pX*Z3pXu_`e(Mp$pGg;W
zB}8pO1F^G_Z;MO>kRAll{rc5pXqTXm=B42;_m5(G>n3<zvoW2DbQXYP1*a){ufO`T
zJNxft$3Mqo418CH=O1*twd@m`0?fmF<AjQXl7oOFqA!Q+>1FXbW<yhOV{&V}+M&Xn
zl@gGRv3TC02sTr8BGhZM@->}<$L=|E9<h^9je9aGo4VN%l>eaH*v$-__j8<Q(IJDN
zRw0Ip&uN#?{94cAn&Ky^KhAw0TYqj4BA)oC##`#^Rz@P*-8mi+Ryg#m5aVa+pqowp
zv+k=QMi!lJGf6gj&3)Q}=CSWab=usenm8)N3^nS*mkE@o?^wxrtzOYa0XGLnXU*U9
zhn7ViwAE<)TDf+<zHu(s(~Y%MQP!F5-Tj}QfgNNz2JmCF`lVXFGATSA--+ih>0jAw
z^mo7IZ0@6cYwewU@=|1}wQYwu9!;MbUJ}@+z(l-Y(80Gs*o|j+`)56|o%#Oqfc%>y
znw76MJPlsG{(L{Gn}2D#o1wJ9nfY#!^@t-(#>H@xRk;)CAuq7RqUyJ@u9E59aq;TK
zHtOSe&xR3A&td;>ySL@6V?8)%y+|JWyN|4S4$O!PH(8lG@%Gum-Nl#}Z<U>H9(+wM
zuy)bDX<`&T;2N<~Irl1P^?LA9heE87rQ3aXx7%Dv{Drx4cbdhSu;_;>(~fjlJ{t#*
zR5iCH@2;tN|GsHg(yio;6$jno>r;xBmp*p6O?9>Pwzi(_^l)vR&+aO&*`2&i%rj7^
zL`6Bg{8vY=%AMxD_ys1+Z)Hw)Z3ui+)og#wU~n}^@h9`AV3jrFtRHyvqiWzj4|EsS
zPxSUEg6yjmRsK~jZmu0q*(aM?5kByOZH0R#SxoxzLO<Aw^+*(yZhOOSIR=Q#@Fp5>
zaC*%i6&S^njr}$+DFHx90QQ8u&KJAzV|VV=S+7KNWyyG&zQmG%B^%k#{6fZOVIrdv
zk<6rs5bOaeisV7&xCv3Nbg*&GYVmL87l8|-KpW_AL!LMj^(v880ysxanwWHOA=qP3
z5<*fG`SFheHRi2rL|}-ppT4l8JkLQS#vXl#?LO!Cou7mNMLc60@lcOQKeW2;O5|d;
zlBX#@Vk3G2v(x_*_21C??(=@J{OG;2!lZ3-TbOG-BqU5dW49ata<M|lPl`nz<d!rJ
z3|W>gJXXz#2V22+R`B_V_-Q!pA$&H=Ia=4G!+YFCgmxTd6RvemfODKBTny-Y=@r*G
zn8}uhP(nZyF~5q*up>0Mw(F5u2f?;99h7ax`LpcfK<o=*Ga-|5u5-|g3%&PE7=-&i
zrZNZ9&l|F2)(I?!0=Xm+gb-1|oEbew8<=#EV#@=RNHmUiWQ8AYBoNE4!JAI@?AFB?
z@}0mu({OA&RM<Ias>t}VKhNTsoM*Q!>^P12pe(<|b_OkWSv@T;f9u9KnZ<qx6Jm`5
z%PC-oRt(xhJ3{VyQHT|Jw~M;{z$FiR`t}WhFJ~XB>IcG&FR=0jMRuRM|De4C$r9tY
zdLTS(GsC2>6F7K`nVI0w3WCA&_b&86nbGDV>}6#t1)q(<OS?ilx``X||HQC4%^!70
z-d(Khge@M8?J1PWul>9ordK<WU=0g<=XduA7iWZu^Uhh|8G{RFKQ+_~92`dlfavx-
zOnF<(^XKx;Xcj$lBKe6D?OP$cB{NYO<1!32?+qEVfwj->;po|dtCy9iVaIsM=o=UU
z&@_P!hkiszdn1z7t(RigHs?*3%Mgotij@X7T(dh;2aWbCd#4m&{hNvt$CUMomytWK
z2Gu|BP;?6VtOW4r7KCMmF)78yO>0I9r$_w1-(1n3WlzWSaZsmVL7N3*HSpu3vX(gB
zvN(CYT)WEK&v^r1s7M92cnYZF$=jo_rPgK$<^CAsHz3!&*ZC5Qj3Z28s@dGb`^J<V
zzm0|{Q$yEVe9dosIJ$CSV>CTl(Ig3i4MI9i-`c^a7Y|km9fLmPi?6IUk+h2Tz{bu2
zVSWY<W)KvMS+&mb`4{~5m8!r^{ud|IjY%)Wkzl_Cl|X7|x7vm7JB^y+O&6jlkK&(4
zV~Lq`))4}%Do7wJZys&79ND8t4Xw3Hd#Nn%0LZG#LI0?uFwiEc`M*rVwFshdM-Dh!
zog{nW>0+~-bFx}Gim-a{5QnNJJU?=zi%c!e-d8y&mVZeZsB5H>%``r-9>UW&5Ahh{
z5B}RX`{Vr;oC?|3m=+W--mqI}5G?Gwj-l(W7&+$Go>ZnwpIq{qUDCTpNOw%f>`zbz
z-a3z=y~ON176f(^#-1Ejk5#&*CW|N1|1yr9%KxOp#Qt*_ild&1Uif)}=!v-t*J|`(
zeBuB1&Efz0*}-YdpL?}J2WzWsM$o&V{@6Xbm6ym2fj`#zYsYY&_zplj3GP>W?s*=E
zEjoYLIG(@7c}aYY0Mx&o9=;pUs|*9#6BzpZ@>{+sVxGeX8H{1e;P0$4C2EutZ(SEs
zr<Vw3cP^dK3%4RjXV2J6uAd(&Y7l5BK9ZV=H5>F@5jywyd9M<9e1pfHD7OW&F^1+S
zv&>?rJNS0Q#>5Xy-_5fdmG&S+K}Y^?7<g!*|Ebz$9HmVfd0WSwRSLbOd?MMidxXaz
zX@U1JzTlt7$ABvs0rV4t&Uc!hYsZdQr_BA{rXDpBqdXo@Sc=qcl7|)ITw7xA*^3d#
z<YRByEysa4FlK{r6^6meyHXx46jm&b4tAFbs>r3@!%}(ECEYr7@if2hY@(Qm3coI8
z%G%^?CJRsWdN49aNEpv#w;Tm>Q3}ZOy>G&jev=HH@C7M?dHI#Mh`%S>?J5cM)RTj?
zSziQ}>k%803q~KBIGxg?#CXo2E+0Tn*~|!!qrVxi10Z(i5~&C(1F?HVpGr&N=jx7g
zuqa<oepXyf<Z|GV+wTl<A5L=~j4^TFtp+#o6S-2cH*H6Ow+8w5q=_a0_52<bhPPpW
zy+DqQuaKj>o*k<Hp0C`VzsiIuECw<s$)smB{mVUX?v-LEL9;M}&umhGMTSIQzjUoX
zraK;I(^zs1L$L3ng&Q<br<lOPO~u7<J;!=iAQcrAH8(=0%h@jPEpegW3h4=6`fbPG
zyp^d5cJWSrW&J3F!QfcVy?>@Mhhv6lD7;vFTj|Sp#2Ym4rwPby!Ead$#rg;A6$|VB
zNO&2~VKjsOZVf&8c<~7nY|^*evzM35`}vg(!g;Q4?NWL7@S|m>3;pzka_iLtt^_*t
zAQY0$14UlGF<k;HfzaF8|K}>L$RbS%UodW5*7~^~0pJu4#XehvvkWu2Sv{(fBz{9V
z@pUC~c)BS1EuSLT_R0X*aS%8b6!AFxous#Qs+i9oN5oy}``pT}dadt;#fpG&9<KXM
z)`~oQV*$*Cq)tX?r%Y&GC+N)0uJ>5?1GxkQp&tMFhLY-xCf)Iu4GxVXQ=`+4o%+Vd
zv_2PTeT_2DBbDfLr)LZ5s)9e*Uk)(E%Qen+Jn|ab=7NXL@HAbrnNQ-Vw^=YDFE&V4
z)yu}(swZv~y*9fx8ai|*{`<+F%!(C{Jst{9<^byT)$sR81M4q?mu0S#sR&tKQPehR
z$o5`hEWCU|C7EhtNu?PmlgMOpe$BU|8oedSDMV>jy~B!Ro8}dhvtLAm4mk5SWB<d3
z!8(e$8)Y^#H^noP&CpbL)Z`<KAs9$QFa3*i#?dN#x)N;{2*riV_2;&RTBbGq>VOKc
zZ+>})hmvKIvunv-JSvt~-@eaK@%$F#IDa!9oW@Hy+Hfp+<1gw*T1)9HF7T<pn!Ni#
z97Ew<>FO1d)*jd`>#*kpo(c?wL3cXd&u0LQii#?pS0M<Bbr?yUq+oMu0?V{24t_Pj
z95Qcq0-=@~AmN+)KIvw2A{RGzYjfAoo1{q3hrioHP~z+w_{FO>Wl9LYbnFWv`Vc{$
zLTA5HM^SgAxa+vzx)fUbcz=fVULq^lE^>or(tS7nL<R9Off6mj3g$0KJ|K=?Ah5Er
zjjLQ7I)lB-zjY71G2>mqsY`JkNpHJRv^iC7<OuH|CU7N~&qsKlYp=y&?b3qY)@Q03
zkaRr-T6F0W8@`Ia?5)P$8CiR5ed&#egYRq|plo}@bC}Za+qdtr(SV8pzoJv_iwZ5^
zE}i43A|Kzsa*A|^kX)*<7Y?Qyn5S)g8H*(3Whc+iS?UQ*CdmB>;8X)oGjo%_ZhK%p
zG3%R^_HDl<9#uf7e65PlQ<dnKcf4rWeInuK6F+sbh;9;bv$%?q7)umW)l>z|2dHv7
z4_3Qv7EJJgfq}dFbmA+3drXp~iz}Z#x3&#`oLN7N2)OfLFt<0tXA+H?ot-?H5fVBQ
z{qkgrKxAF;Eq~*$TNe;Y9BAe<wU%4^h^?%ulD#~z14v)-@S)qTcy_;VuwuocA_(n>
zdw$E<3}n98lYIzd|8glp7*+zeecQfgbc+Lo4hY&Jdm@Nrl8VYkR`xrU$E+{(l3b`|
zvIrxY;k?H>7-5D?5q<aHXzdpyuyS(VAt$B^ttXQ9-DnS$Pv%2>@l`K=v?T1qAT(_{
zp_$Kas0N8QvUnWF!>hV|=cfZ#F8O5TyxcV7o+Q}#KC0x{j)yS9Xy$8-#!94pa-6ss
zwVXBA<Mvq@L{N{>Pr(V~9EU+eX3@Fn!ypY`s@sd$;Pzs2`Y+6N*bIF^;^XFpza}=R
zuYRFv4Dq8{dHaBHZMMQ5MQ8MS&#enhbjOfMhZ%l|(<}%B9n*UrZGgYnzHvyFr_Jln
zx~%Zq+EQi(dJR{?UM*Ebw;5`OQ+5^^D`N5clk#iX$Y3*S8`RU5Dc$`|1U?13i>{%q
zP3ni99kdF}#x`?ya?OhEf+wTsM)!J|`ggLN5NiKb;2;Am9Mc-Ox6%v1_A|`4065~7
zh>HCYUdpuN{iEdzE($vpv|3?ND}f7&{6Pcs6BqEt{;z5AGRr@;*o<zKJ_`^f)7imR
zCNN!nuFu+Bj~tyXJ~EZqw?VRKO%dLeaX|iXd-<QUor5?c6^p7NS}?@0m7ALav&Wr_
z(o9NZvmDRg{<gb>&2qe=`1V`47Z?M0W6E%8z1n+MT|s(?(i@)reeUZ^Q!7cCT@O#j
zylo!}cS}{(uSB3;9t4)cf4<bc$Mz0bvwkW{5M(HNCIw=f*Rxqctyxoq!rUavVc4Gm
zciRsZ)Wk7KdjeKn==e*d(z7m0WHvl)`O@}TzVb0!E!FMxZbY1t8Vr3VHz5zu@1eWC
zMpSewQ8|62E}yfGgz-Kv5W%5C317;O&P~F=svWw{g9Fela<K9dpzjR)lVXiWU!nT%
zI|q*wA$|s7X9=|`7NWI;74}@reA(GVRsCwnw=@YXd=l6?+=0;8yPqm~Cf$csHktw5
zs+o_tr#=@;;l23k-&Yt&pQbk`ZM>BVzBl&^#{8LZCj+ox)`d%|mGb=AZ0N(!Fk~To
zYemSwna!Pra6czLS#2hmaB;$r<>ok8P_@FT;36uX773#f*rZI#Hh#3MHXLnn-*2gD
zBl;0CCW!fHert)m4^NwUvme;`-(ekYXY%y|auAM{0C_?*jNF!B$6x5>G%>?t(92Md
z!}?yO?y+NcT`1x{g14FC9fV@AV+9cv;+pU?{cwnwp)9@wp=v^}=)+r|g{`OXrvIDK
z15haxQJn`T;~=AM1Ta6W+-4QY<4BQ$a&*6!dS8OGO%{>k=XzkR7ruJxA8QK;9Yrxv
zI`tV?B@JFt2gle9=-kJ6n(v#hO&jVng>Z_C&XmGCHut;Skl%ZA<4|6wQUt8WV7_pR
zsiN;MJoQqd@t^m5h?91L$v`X{liy*h$n``h@`T}Q{y14Y8BiWE6GtiIWn8lZU1USj
zGO&PzMq`s;^h(!_B7T#Ti`B&k4jMUS1s5g>RaGOK$p~!%sMxuLJBU7F=FBmPikfyr
z)TjO-s?f}*60405oWZf(oEABG!~v`w(#1^t4pUch7L6nnU^6Kn^Q$jH6OP@7NE!Hj
zVmv)|*BPW^E)=AS)G}|RI=0*IR@lNh+=7revfHavG}d56g&qzoDk{twU`|Nqir|OV
z#S6j1=I88F6(y=fHs+X|D_Ap##{~{-<^@#+JB^`wQP0FJG9|9#X@4zGfw7<t>7-+L
z@&&&xCE)$&5Onpg?vjHE<gh+J)wd$LMlN7Y(uf)Gk2myhDAM$wv43wx#)>7_+}V2l
z_2Ls%rws@ocqrde|54f)Oj9}7Iv$w+33;S;0_?`4M|SVd(tPI%O~wkBaMdDja^bGJ
zBT!=_Ur(3}WV=boL+IgX?(a{G6Ia!=0D`x}?T_KL3~zRXMI0-f1PqI>b}Is7zrs^z
zt>6V49-PO$fKjgWG!cAyF?l9d_INE)3i9^Ry)fm-&#FpyC!iBx_Eh3V=sl<y9b8~!
zf6v|BpWwl2ACIrhKC%bChM{Vpg*)W7Fo8@E{~|!l@J1Jr1<wF^B#6h8p2J}{_hC>X
zE_1zfphRO1-ULaL7`tskVxgW&5$tm??_B{7MUc-ct}Ehw!jw|%w7;12aTeqSKLbF}
zqFUJVSu?|(ZRaxb1Nj-O|3z#qdD3M>d#>`eQ!a&7mdq6L7UlyyXXfW9kxNV~wT2NH
z*c%WW{CgP8vXIq9FM2X7t4uvKl2Z2WH6Wtun1eYNlGO~Fk+Z<?08rQxyef@|5u1UG
zUt3xek26@4x4=}+Za-;JRaxK&^=Ceyl!PW=n{zMm0D_hs>tH<+({1brD@~hE<YDcH
z94?Mea=gHDa}b`L9n%t|8n3D_MSkE)g%T6%Ug1mw;4!EuQun1}{^ufyEk>>OPUXq`
zTpn5-!bW4?s58O9`s5~h1i1<|=#1-Hi8`5z@fjbU_%?b{33kXMf9ZPzwl<a-pkDYL
z0k2jfS-BXc5Ll!|Xj{s+`L0I^;++pet7+EuU@rRsH&pqF!MW-Hi#Emn3(T}bf=ycR
z)14}o!tr?@2B=bj^%;ZIgX2IM_P{Kw7Qe=V%n_w|rdha!=*qB=M~{M{b7C?hNQO03
z4Gj-_2rrXNeB!lI-$%Iz?Y%(9drjpG9zqLLL=Ed~sG)ssaLoW#ZblH)p@i*dqV#ZF
z9~YwqX{u0erjb<10MPFPS@)eDHY1;q$O=gv!zfAkjEZ_3qMSnFT?hKjS}{XBv%JQJ
zSV0bY?M7;l2>o+30uibR4-<qk9$A?Y(X^48Tu%1Z0Ej9O4TWtudL`gF|KQJ4GlO>4
zjp#FdgmA5%-1;sghd(O7-1RIM3&xmC<yt%7glV+$GIQ(=#wt3XVPb|x_~RU!<(39?
zDue`kk{}_$-+VEaM)HQoau$oBziS-v!>-zcy3^hQJ6>?&F9NDQh2M@tpe~pRdlsy%
z!Psng8bE+6S>mW?_YZ!<K=Vb9w(<EuCafGmq!q1bg50Ej=<;@EK*3Lf1(PLQf`-Lx
zqaU`=p6=DW?G{Z36~fc{Zc^wCJ0{J9If!*Z*i-g^u$w~(Lf-2wxZ@A1?tJ<Ihl38}
z@ipnOYGiEvGM6E;C*X@I^Nh9x=o8VhToz=PhDBaCJPTI}cQ$4lle%mtj#z7e=RdkG
zj?j@6npf;CCOr&Hc%(7HwWdr1Z6I7^(XVE5HwBaLMy6U6TKzphYeK#d&e1duG6Cla
zR0>&rs1#DlP|dTpZ7F3&8@8C)k%a0CfAlC#PgJnQL$zB1%!n|dF~Mk|5z)Z`n+d1@
zOA<7Hmws6G>fi>qYe%C4Hv5na?sGH&B1}<?Fm&5Dwy>t;-H8mZ@ES<-Eiip_JTq1(
z()lYwe`{(ClYD?j`4KC7igP|w)n2nuc*)<OqH;o@$=eU)w#-Pct0D;H?mWkq9x}kt
z9{?3ixA41peLP@bPGB!bkpuKujjSMGK6TrYC&sn^M=_n+906-q)DwW!uv@ib2AXkm
z%`xUk9uUq7cmfV;uPGy0voBbkZ`X14km36m5!`YAkcyzaTh@;vJtP_T@T<%Y3Wgcl
ze4>6|;ruH?Q`m0$dTrtE90As(SP-cufU#1Wx5k`W4hZum(pV5lB8d$~eRLy|=IPo-
zA6@!ycl(UrUl3%?0X|$=U~~7~jRU-9OGbFhRQrO~ZqU{_xP!>RfGx1NVQ=1Cw#`ai
znD&nTTgff6Ng#~@E&#)WjI;)B{@Z%j`hU0l(V{;j)J6*4`f!J9q8gDzXftS-{_>W?
zMH{WDtYkN#mT~T_M=z^+Z9)|{f6dDGJ5t0NWB4uXf{!MJUKqEYoGbO_UG53WE&`>z
zH5?UG(~Bno-qSu-OIS>NPgZ<Ukx{Q@<Trb;7Uzm9DYpy%uBvH4m|1eb6zRqY=W_5*
zFNt_2-Gk^UCrp|fyEwic*p+kX6h`m>?e2BIu!hS$Q|Fe*+n^~mhojqPj_xWdI463&
zFX%#<4n1)2R*oc_>Ten51lhnwn|?o7*|b;ExL~dFN7)H_plxBBq*U6P-AA|1L1P#e
zQ;y*`o(mLSvRJy(%Miy&Tsk7#^5tc?@&pWhcwr3HJgrErUYBC;*@trPJt*aw;f6`M
zo%^$YNz8E5BR9V`gACo{Hn#iShJGs9Z`O0B{ut)sylgv%z8?{gq@~AFnA6Y%ZS^UZ
zL-)7J*A0qY^q#5^FWo*n+%m}jS-^K8Htbh1n`NXCw6!+`R=y(x!$Yz<pSt?oCn~p;
za@prN4>#UaRClT2mSJ*?`eb7<5}QcVhlmq%=TC1AH3{C-r5A3E{AFwTry$~|Hhi2X
zkTw9_iU*10SbcxnPxj%Svkm#KS10NlILoXIC~ot^S28~9EZywZm+(w_0Hrh*fYxpQ
zTW~&L$Lpa_VYN~!D^J)EgUFQJtUIU9%ncrxR^CIAWDd0hV}WR$&U}z}h|c(_8(kON
zrZnf@7>ePDwq^FOb9`#~YShnH)HeeE&cRq1gHr^XkapQ)wIA9@F5)j=IV@(_?uwu4
z<(iO3%u`H0Y;Fw36rR2-<{R(*vS%hj=!vR+Eez1d?xWjB@Z!7n<(|K$VRUn||CXCs
ztiY8eM*ltQ6gE~bkK1nZqr1#Z6H9DeYN}6Il&sGuiWrbmRP{f@s032$%(KqRJW{@y
zdH(7dQxg-D+wjlZ+j}#lDws1jCpWk6QDS1^_x2AKrj>mDzU>89v@@VS?t@P*Rkw5P
zRupP2nH(SwIoS>jT3zlObY`W4=3Pj;%cP_C(;2Uo5ZQxLs|xQY9ZtcADPs|6#Rt6q
zAnzfy+3`r_Gaii#w?g6OSpgVpM$U7k-0F*ek~YZcTU*m=@jbux&~|_{A3{cS@>hog
zY_n_^mODq~bG(lDom?Uxzz{)m7S=;XTgvWd_Fne0A}QoPmC#H7dXVO$$Vf%>h+k9u
z73FRPt#3_b_9G$6+U1rotqB1O%Be#1_QSUY$g{)KTWbyEM5O<Y)k>;3c&#fQehZgH
zeMZA@3pv)DW_G%^78M#-O}u+no0@8D;#Bp+AbFn%Jzn+C;&hYL9p%TDk3BV$=y)?z
zJ+$jft=7#X=8&yG?KI_1DsA;xey5k+@~G5<AIaGrXQIZwr1`vh^?G3FgYvF;RpRy4
zI_(LPXVOk&Oxx!edi`;g#NXAI*L7DqtMJ-VrfOxkeoTBRl>PbX@F~~MGI@oo-48x=
zdoKn{-B$Klt$f>4`{z~Fq{C$#O>lJ=^TnZ*`MsqDyvonK{tkG0f@<!~8;puVC(b6-
zp1iA7j~;ji_!Tt@q@4h3(GaSYkDCSEyZ7M3ovq~_!^)k5?^t0jxeHN)niU2;lRxl*
zPL;w%e+^5etQdC}3Mc%g4-1|s2{nMx2#J-!y!`VA0{kczHkx7eQ3LoAP&m4PnYH-C
z7by%@I2z_E%+U?-A`W&rqBz)<LL{-kuKn=38+O$qt;{ZH)>0ba2Z8eU04t*l88h$)
zIsE7!;s4#BB9Nmu&<<HKD=_YlAfdL<nL|>TL;P!81Y9`#$^WnXgSF@XmQ`o}x9q>h
z|KqY_P5<po;@{5xHU5vC!TT@`@R5+mlxrI_b5;!51;&N`Kn+$Jq1bd`6%n3^Ga$gm
zF+2b`WJ3`!CHWOT=zu*=U@hz)ljZ-(=3nFg#^fLMGijV2-AO$x0REjkp?^F_lj{FJ
E0E8NoSO5S3

literal 0
HcmV?d00001


From ed8c8bedcd3063249e9c90a47ef682fcb5ec51ca Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 30 Mar 2026 21:46:11 -0700
Subject: [PATCH 092/122] Add picker

---
 .../[orgId]/settings/logs/streaming/page.tsx  | 105 ++++++++++++++++++
 1 file changed, 105 insertions(+)

diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index a89c961b4..84b201260 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -31,6 +31,8 @@ import { Checkbox } from "@app/components/ui/checkbox";
 import { Globe, Plus, X } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
+import Image from "next/image";
+import { StrategySelect, StrategyOption } from "@app/components/StrategySelect";
 
 // ── Types ──────────────────────────────────────────────────────────────────────
 
@@ -263,6 +265,97 @@ function AddDestinationCard({
     );
 }
 
+// ── Destination type picker ────────────────────────────────────────────────────
+
+type DestinationType = "http" | "s3" | "datadog";
+
+const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
+    {
+        id: "http",
+        title: "HTTP Webhook",
+        description:
+            "Send events to any HTTP endpoint with flexible authentication and templating.",
+        icon: <Globe className="h-6 w-6" />
+    },
+    {
+        id: "s3",
+        title: "Amazon S3",
+        description: "Stream events to an S3-compatible object storage bucket. Coming soon.",
+        disabled: true,
+        icon: (
+            <Image
+                src="/third-party/s3.png"
+                alt="Amazon S3"
+                width={24}
+                height={24}
+                className="rounded-sm"
+            />
+        )
+    },
+    {
+        id: "datadog",
+        title: "Datadog",
+        description: "Forward events directly to your Datadog account. Coming soon.",
+        disabled: true,
+        icon: (
+            <Image
+                src="/third-party/dd.png"
+                alt="Datadog"
+                width={24}
+                height={24}
+                className="rounded-sm"
+            />
+        )
+    }
+];
+
+interface DestinationTypePickerProps {
+    open: boolean;
+    onOpenChange: (open: boolean) => void;
+    onSelect: (type: DestinationType) => void;
+}
+
+function DestinationTypePicker({
+    open,
+    onOpenChange,
+    onSelect
+}: DestinationTypePickerProps) {
+    const [selected, setSelected] = useState<DestinationType>("http");
+
+    useEffect(() => {
+        if (open) setSelected("http");
+    }, [open]);
+
+    return (
+        <Credenza open={open} onOpenChange={onOpenChange}>
+            <CredenzaContent className="sm:max-w-lg">
+                <CredenzaHeader>
+                    <CredenzaTitle>Add Destination</CredenzaTitle>
+                    <CredenzaDescription>
+                        Choose a destination type to get started.
+                    </CredenzaDescription>
+                </CredenzaHeader>
+                <CredenzaBody>
+                    <StrategySelect
+                        options={destinationTypeOptions}
+                        value={selected}
+                        onChange={setSelected}
+                        cols={1}
+                    />
+                </CredenzaBody>
+                <CredenzaFooter>
+                    <CredenzaClose asChild>
+                        <Button variant="outline">Cancel</Button>
+                    </CredenzaClose>
+                    <Button onClick={() => onSelect(selected)}>
+                        Continue
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
+
 // ── Destination modal ──────────────────────────────────────────────────────────
 
 interface DestinationModalProps {
@@ -898,6 +991,7 @@ export default function StreamingDestinationsPage() {
     const [destinations, setDestinations] = useState<Destination[]>([]);
     const [loading, setLoading] = useState(true);
     const [modalOpen, setModalOpen] = useState(false);
+    const [typePickerOpen, setTypePickerOpen] = useState(false);
     const [editingDestination, setEditingDestination] =
         useState<Destination | null>(null);
     const [togglingIds, setTogglingIds] = useState<Set<number>>(new Set());
@@ -972,6 +1066,11 @@ export default function StreamingDestinationsPage() {
     };
 
     const openCreate = () => {
+        setTypePickerOpen(true);
+    };
+
+    const handleTypePicked = (_type: DestinationType) => {
+        setTypePickerOpen(false);
         setEditingDestination(null);
         setModalOpen(true);
     };
@@ -1018,6 +1117,12 @@ export default function StreamingDestinationsPage() {
                 </div>
             )}
 
+            <DestinationTypePicker
+                open={typePickerOpen}
+                onOpenChange={setTypePickerOpen}
+                onSelect={handleTypePicked}
+            />
+
             <DestinationModal
                 open={modalOpen}
                 onOpenChange={setModalOpen}

From b50886179ab388433951b34f07269551ab888da4 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:43:52 -0700
Subject: [PATCH 093/122] Implement fixes to ui

---
 .../streaming/HttpDestinationCredenza.tsx     | 731 ++++++++++++++
 .../[orgId]/settings/logs/streaming/page.tsx  | 935 +++---------------
 2 files changed, 873 insertions(+), 793 deletions(-)
 create mode 100644 src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx

diff --git a/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx b/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx
new file mode 100644
index 000000000..653b766b0
--- /dev/null
+++ b/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx
@@ -0,0 +1,731 @@
+"use client";
+
+import { useState, useEffect } from "react";
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import { Label } from "@app/components/ui/label";
+import { Switch } from "@app/components/ui/switch";
+import { HorizontalTabs } from "@app/components/HorizontalTabs";
+import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
+import { Textarea } from "@app/components/ui/textarea";
+import { Checkbox } from "@app/components/ui/checkbox";
+import { Plus, X } from "lucide-react";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { build } from "@server/build";
+
+// ── Types ──────────────────────────────────────────────────────────────────────
+
+export type AuthType = "none" | "bearer" | "basic" | "custom";
+
+export interface HttpConfig {
+    name: string;
+    url: string;
+    authType: AuthType;
+    bearerToken?: string;
+    basicCredentials?: string;
+    customHeaderName?: string;
+    customHeaderValue?: string;
+    headers: Array<{ key: string; value: string }>;
+    useBodyTemplate: boolean;
+    bodyTemplate?: string;
+}
+
+export interface Destination {
+    destinationId: number;
+    orgId: string;
+    type: string;
+    config: string;
+    enabled: boolean;
+    sendAccessLogs: boolean;
+    sendActionLogs: boolean;
+    sendConnectionLogs: boolean;
+    sendRequestLogs: boolean;
+    createdAt: number;
+    updatedAt: number;
+}
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+export const defaultHttpConfig = (): HttpConfig => ({
+    name: "",
+    url: "",
+    authType: "none",
+    bearerToken: "",
+    basicCredentials: "",
+    customHeaderName: "",
+    customHeaderValue: "",
+    headers: [],
+    useBodyTemplate: false,
+    bodyTemplate: ""
+});
+
+export function parseHttpConfig(raw: string): HttpConfig {
+    try {
+        return { ...defaultHttpConfig(), ...JSON.parse(raw) };
+    } catch {
+        return defaultHttpConfig();
+    }
+}
+
+// ── Headers editor ─────────────────────────────────────────────────────────────
+
+interface HeadersEditorProps {
+    headers: Array<{ key: string; value: string }>;
+    onChange: (headers: Array<{ key: string; value: string }>) => void;
+}
+
+function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
+    const addRow = () => onChange([...headers, { key: "", value: "" }]);
+
+    const removeRow = (i: number) =>
+        onChange(headers.filter((_, idx) => idx !== i));
+
+    const updateRow = (i: number, field: "key" | "value", val: string) => {
+        const next = [...headers];
+        next[i] = { ...next[i], [field]: val };
+        onChange(next);
+    };
+
+    return (
+        <div className="space-y-3">
+            {headers.length === 0 && (
+                <p className="text-xs text-muted-foreground">
+                    No custom headers configured. Click "Add Header" to add
+                    one.
+                </p>
+            )}
+            {headers.map((h, i) => (
+                <div key={i} className="flex gap-2 items-center">
+                    <Input
+                        value={h.key}
+                        onChange={(e) => updateRow(i, "key", e.target.value)}
+                        placeholder="Header name"
+                        className="flex-1"
+                    />
+                    <Input
+                        value={h.value}
+                        onChange={(e) =>
+                            updateRow(i, "value", e.target.value)
+                        }
+                        placeholder="Value"
+                        className="flex-1"
+                    />
+                    <Button
+                        type="button"
+                        variant="ghost"
+                        size="icon"
+                        onClick={() => removeRow(i)}
+                        className="shrink-0 h-9 w-9"
+                    >
+                        <X className="h-4 w-4" />
+                    </Button>
+                </div>
+            ))}
+            <Button
+                type="button"
+                variant="outline"
+                size="sm"
+                onClick={addRow}
+                className="gap-1.5"
+            >
+                <Plus className="h-3.5 w-3.5" />
+                Add Header
+            </Button>
+        </div>
+    );
+}
+
+// ── Component ──────────────────────────────────────────────────────────────────
+
+export interface HttpDestinationCredenzaProps {
+    open: boolean;
+    onOpenChange: (open: boolean) => void;
+    editing: Destination | null;
+    orgId: string;
+    onSaved: () => void;
+}
+
+export function HttpDestinationCredenza({
+    open,
+    onOpenChange,
+    editing,
+    orgId,
+    onSaved
+}: HttpDestinationCredenzaProps) {
+    const api = createApiClient(useEnvContext());
+
+    const [saving, setSaving] = useState(false);
+    const [cfg, setCfg] = useState<HttpConfig>(defaultHttpConfig());
+    const [sendAccessLogs, setSendAccessLogs] = useState(false);
+    const [sendActionLogs, setSendActionLogs] = useState(false);
+    const [sendConnectionLogs, setSendConnectionLogs] = useState(false);
+    const [sendRequestLogs, setSendRequestLogs] = useState(false);
+
+    useEffect(() => {
+        if (open) {
+            setCfg(
+                editing ? parseHttpConfig(editing.config) : defaultHttpConfig()
+            );
+            setSendAccessLogs(editing?.sendAccessLogs ?? false);
+            setSendActionLogs(editing?.sendActionLogs ?? false);
+            setSendConnectionLogs(editing?.sendConnectionLogs ?? false);
+            setSendRequestLogs(editing?.sendRequestLogs ?? false);
+        }
+    }, [open, editing]);
+
+    const update = (patch: Partial<HttpConfig>) =>
+        setCfg((prev) => ({ ...prev, ...patch }));
+
+    const urlError: string | null = (() => {
+        const raw = cfg.url.trim();
+        if (!raw) return null;
+        try {
+            const parsed = new URL(raw);
+            if (
+                parsed.protocol !== "http:" &&
+                parsed.protocol !== "https:"
+            ) {
+                return "URL must use http or https";
+            }
+            if (build === "saas" && parsed.protocol !== "https:") {
+                return "HTTPS is required on cloud deployments";
+            }
+            return null;
+        } catch {
+            return "Enter a valid URL (e.g. https://example.com/webhook)";
+        }
+    })();
+
+    const isValid =
+        cfg.name.trim() !== "" &&
+        cfg.url.trim() !== "" &&
+        urlError === null;
+
+    async function handleSave() {
+        if (!isValid) return;
+        setSaving(true);
+        try {
+            const payload = {
+                type: "http",
+                config: JSON.stringify(cfg),
+                sendAccessLogs,
+                sendActionLogs,
+                sendConnectionLogs,
+                sendRequestLogs
+            };
+            if (editing) {
+                await api.post(
+                    `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
+                    payload
+                );
+                toast({ title: "Destination updated successfully" });
+            } else {
+                await api.put(
+                    `/org/${orgId}/event-streaming-destination`,
+                    payload
+                );
+                toast({ title: "Destination created successfully" });
+            }
+            onSaved();
+            onOpenChange(false);
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: editing
+                    ? "Failed to update destination"
+                    : "Failed to create destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setSaving(false);
+        }
+    }
+
+    return (
+        <Credenza open={open} onOpenChange={onOpenChange}>
+            <CredenzaContent className="sm:max-w-2xl">
+                <CredenzaHeader>
+                    <CredenzaTitle>
+                        {editing
+                            ? "Edit Destination"
+                            : "Add HTTP Destination"}
+                    </CredenzaTitle>
+                    <CredenzaDescription>
+                        {editing
+                            ? "Update the configuration for this HTTP event streaming destination."
+                            : "Configure a new HTTP endpoint to receive your organization's events."}
+                    </CredenzaDescription>
+                </CredenzaHeader>
+
+                <CredenzaBody>
+                    <HorizontalTabs
+                        clientSide
+                        items={[
+                            { title: "Settings", href: "" },
+                            { title: "Headers", href: "" },
+                            { title: "Body Template", href: "" },
+                            { title: "Logs", href: "" }
+                        ]}
+                    >
+                        {/* ── Settings tab ────────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            {/* Name */}
+                            <div className="space-y-2">
+                                <Label htmlFor="dest-name">Name</Label>
+                                <Input
+                                    id="dest-name"
+                                    placeholder="My HTTP destination"
+                                    value={cfg.name}
+                                    onChange={(e) =>
+                                        update({ name: e.target.value })
+                                    }
+                                />
+                            </div>
+
+                            {/* URL */}
+                            <div className="space-y-2">
+                                <Label htmlFor="dest-url">
+                                    Destination URL
+                                </Label>
+                                <Input
+                                    id="dest-url"
+                                    placeholder="https://example.com/webhook"
+                                    value={cfg.url}
+                                    onChange={(e) =>
+                                        update({ url: e.target.value })
+                                    }
+                                />
+                                {urlError && (
+                                    <p className="text-xs text-destructive">
+                                        {urlError}
+                                    </p>
+                                )}
+                            </div>
+
+                            {/* Authentication */}
+                            <div className="space-y-3">
+                                <div>
+                                    <label className="font-medium block">
+                                        Authentication
+                                    </label>
+                                    <p className="text-sm text-muted-foreground mt-0.5">
+                                        Choose how requests to your endpoint
+                                        are authenticated.
+                                    </p>
+                                </div>
+
+                                <RadioGroup
+                                    value={cfg.authType}
+                                    onValueChange={(v) =>
+                                        update({ authType: v as AuthType })
+                                    }
+                                    className="gap-2"
+                                >
+                                    {/* None */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="none"
+                                            id="auth-none"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="auth-none"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                No Authentication
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                Sends requests without an{" "}
+                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                    Authorization
+                                                </code>{" "}
+                                                header.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* Bearer */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="bearer"
+                                            id="auth-bearer"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-bearer"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Bearer Token
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Bearer
+                                                        &lt;token&gt;
+                                                    </code>{" "}
+                                                    header to each request.
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "bearer" && (
+                                                <Input
+                                                    placeholder="Your API key or token"
+                                                    value={
+                                                        cfg.bearerToken ?? ""
+                                                    }
+                                                    onChange={(e) =>
+                                                        update({
+                                                            bearerToken:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Basic */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="basic"
+                                            id="auth-basic"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-basic"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Basic Auth
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Adds an{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        Authorization: Basic
+                                                        &lt;credentials&gt;
+                                                    </code>{" "}
+                                                    header. Provide credentials
+                                                    as{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        username:password
+                                                    </code>
+                                                    .
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "basic" && (
+                                                <Input
+                                                    placeholder="username:password"
+                                                    value={
+                                                        cfg.basicCredentials ??
+                                                        ""
+                                                    }
+                                                    onChange={(e) =>
+                                                        update({
+                                                            basicCredentials:
+                                                                e.target.value
+                                                        })
+                                                    }
+                                                />
+                                            )}
+                                        </div>
+                                    </div>
+
+                                    {/* Custom */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3">
+                                        <RadioGroupItem
+                                            value="custom"
+                                            id="auth-custom"
+                                            className="mt-0.5"
+                                        />
+                                        <div className="flex-1 space-y-3">
+                                            <div>
+                                                <Label
+                                                    htmlFor="auth-custom"
+                                                    className="cursor-pointer font-medium"
+                                                >
+                                                    Custom Header
+                                                </Label>
+                                                <p className="text-xs text-muted-foreground mt-0.5">
+                                                    Specify a custom HTTP
+                                                    header name and value for
+                                                    authentication (e.g.{" "}
+                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                        X-API-Key
+                                                    </code>
+                                                    ).
+                                                </p>
+                                            </div>
+                                            {cfg.authType === "custom" && (
+                                                <div className="flex gap-2">
+                                                    <Input
+                                                        placeholder="Header name (e.g. X-API-Key)"
+                                                        value={
+                                                            cfg.customHeaderName ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderName:
+                                                                    e.target
+                                                                        .value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                    <Input
+                                                        placeholder="Header value"
+                                                        value={
+                                                            cfg.customHeaderValue ??
+                                                            ""
+                                                        }
+                                                        onChange={(e) =>
+                                                            update({
+                                                                customHeaderValue:
+                                                                    e.target
+                                                                        .value
+                                                            })
+                                                        }
+                                                        className="flex-1"
+                                                    />
+                                                </div>
+                                            )}
+                                        </div>
+                                    </div>
+                                </RadioGroup>
+                            </div>
+                        </div>
+
+                        {/* ── Headers tab ──────────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            <div>
+                                <label className="font-medium block">
+                                    Custom HTTP Headers
+                                </label>
+                                <p className="text-sm text-muted-foreground mt-0.5">
+                                    Add custom headers to every outgoing
+                                    request. Useful for static tokens or
+                                    custom{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type
+                                    </code>
+                                    . By default,{" "}
+                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                        Content-Type: application/json
+                                    </code>{" "}
+                                    is sent.
+                                </p>
+                            </div>
+                            <HeadersEditor
+                                headers={cfg.headers}
+                                onChange={(headers) => update({ headers })}
+                            />
+                        </div>
+
+                        {/* ── Body Template tab ─────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            <div>
+                                <label className="font-medium block">
+                                    Custom Body Template
+                                </label>
+                                <p className="text-sm text-muted-foreground mt-0.5">
+                                    Control the JSON payload structure sent to
+                                    your endpoint. If disabled, a default JSON
+                                    object is sent for each event.
+                                </p>
+                            </div>
+
+                            <div className="flex items-center gap-3">
+                                <Switch
+                                    id="use-body-template"
+                                    checked={cfg.useBodyTemplate}
+                                    onCheckedChange={(v) =>
+                                        update({ useBodyTemplate: v })
+                                    }
+                                />
+                                <Label
+                                    htmlFor="use-body-template"
+                                    className="cursor-pointer"
+                                >
+                                    Enable custom body template
+                                </Label>
+                            </div>
+
+                            {cfg.useBodyTemplate && (
+                                <div className="space-y-2">
+                                    <Label htmlFor="body-template">
+                                        Body Template (JSON)
+                                    </Label>
+                                    <Textarea
+                                        id="body-template"
+                                        placeholder={
+                                            '{\n  "event": "{{event}}",\n  "timestamp": "{{timestamp}}",\n  "data": {{data}}\n}'
+                                        }
+                                        value={cfg.bodyTemplate ?? ""}
+                                        onChange={(e) =>
+                                            update({
+                                                bodyTemplate: e.target.value
+                                            })
+                                        }
+                                        className="font-mono text-xs min-h-45 resize-y"
+                                    />
+                                    <p className="text-xs text-muted-foreground">
+                                        Use template variables to reference
+                                        event fields in your payload.
+                                    </p>
+                                </div>
+                            )}
+                        </div>
+
+                        {/* ── Logs tab ──────────────────────────────────── */}
+                        <div className="space-y-6 mt-4 p-1">
+                            <div>
+                                <label className="font-medium block">
+                                    Log Types
+                                </label>
+                                <p className="text-sm text-muted-foreground mt-0.5">
+                                    Choose which log types are forwarded to
+                                    this destination. Only enabled log types
+                                    will be streamed.
+                                </p>
+                            </div>
+
+                            <div className="space-y-3">
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-access"
+                                        checked={sendAccessLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendAccessLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-access"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Access Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Resource access attempts, including
+                                            authenticated and denied requests.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-action"
+                                        checked={sendActionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendActionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-action"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Action Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Administrative actions performed by
+                                            users within the organization.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-connection"
+                                        checked={sendConnectionLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendConnectionLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-connection"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Connection Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            Site and tunnel connection events,
+                                            including connects and
+                                            disconnects.
+                                        </p>
+                                    </div>
+                                </div>
+
+                                <div className="flex items-start gap-3 rounded-md border p-3">
+                                    <Checkbox
+                                        id="log-request"
+                                        checked={sendRequestLogs}
+                                        onCheckedChange={(v) =>
+                                            setSendRequestLogs(v === true)
+                                        }
+                                        className="mt-0.5"
+                                    />
+                                    <div>
+                                        <label
+                                            htmlFor="log-request"
+                                            className="text-sm font-medium cursor-pointer"
+                                        >
+                                            Request Logs
+                                        </label>
+                                        <p className="text-xs text-muted-foreground mt-0.5">
+                                            HTTP request logs for proxied
+                                            resources, including method, path,
+                                            and response code.
+                                        </p>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </HorizontalTabs>
+                </CredenzaBody>
+
+                <CredenzaFooter>
+                    <CredenzaClose asChild>
+                        <Button
+                            type="button"
+                            variant="outline"
+                            disabled={saving}
+                        >
+                            Cancel
+                        </Button>
+                    </CredenzaClose>
+                    <Button
+                        type="button"
+                        onClick={handleSave}
+                        loading={saving}
+                        disabled={!isValid || saving}
+                    >
+                        {editing ? "Save Changes" : "Create Destination"}
+                    </Button>
+                </CredenzaFooter>
+            </CredenzaContent>
+        </Credenza>
+    );
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 84b201260..035ad98f8 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -21,49 +21,25 @@ import {
     CredenzaTitle
 } from "@app/components/Credenza";
 import { Button } from "@app/components/ui/button";
-import { Input } from "@app/components/ui/input";
-import { Label } from "@app/components/ui/label";
 import { Switch } from "@app/components/ui/switch";
-import { HorizontalTabs } from "@app/components/HorizontalTabs";
-import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
-import { Textarea } from "@app/components/ui/textarea";
-import { Checkbox } from "@app/components/ui/checkbox";
-import { Globe, Plus, X } from "lucide-react";
+import { Globe, MoreHorizontal, Plus } from "lucide-react";
 import { AxiosResponse } from "axios";
 import { build } from "@server/build";
 import Image from "next/image";
 import { StrategySelect, StrategyOption } from "@app/components/StrategySelect";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger
+} from "@app/components/ui/dropdown-menu";
+import {
+    Destination,
+    HttpDestinationCredenza,
+    parseHttpConfig
+} from "./HttpDestinationCredenza";
 
-// ── Types ──────────────────────────────────────────────────────────────────────
-
-type AuthType = "none" | "bearer" | "basic" | "custom";
-
-interface HttpConfig {
-    name: string;
-    url: string;
-    authType: AuthType;
-    bearerToken?: string;
-    basicCredentials?: string;
-    customHeaderName?: string;
-    customHeaderValue?: string;
-    headers: Array<{ key: string; value: string }>;
-    useBodyTemplate: boolean;
-    bodyTemplate?: string;
-}
-
-interface Destination {
-    destinationId: number;
-    orgId: string;
-    type: string;
-    config: string;
-    enabled: boolean;
-    sendAccessLogs: boolean;
-    sendActionLogs: boolean;
-    sendConnectionLogs: boolean;
-    sendRequestLogs: boolean;
-    createdAt: number;
-    updatedAt: number;
-}
+// ── Re-export Destination so the rest of the file can use it ──────────────────
 
 interface ListDestinationsResponse {
     destinations: Destination[];
@@ -74,104 +50,13 @@ interface ListDestinationsResponse {
     };
 }
 
-// ── Helpers ────────────────────────────────────────────────────────────────────
-
-const defaultConfig = (): HttpConfig => ({
-    name: "",
-    url: "",
-    authType: "none",
-    bearerToken: "",
-    basicCredentials: "",
-    customHeaderName: "",
-    customHeaderValue: "",
-    headers: [],
-    useBodyTemplate: false,
-    bodyTemplate: ""
-});
-
-function parseConfig(raw: string): HttpConfig {
-    try {
-        return { ...defaultConfig(), ...JSON.parse(raw) };
-    } catch {
-        return defaultConfig();
-    }
-}
-
-// ── Headers editor ─────────────────────────────────────────────────────────────
-
-interface HeadersEditorProps {
-    headers: Array<{ key: string; value: string }>;
-    onChange: (headers: Array<{ key: string; value: string }>) => void;
-}
-
-function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
-    const addRow = () => onChange([...headers, { key: "", value: "" }]);
-
-    const removeRow = (i: number) =>
-        onChange(headers.filter((_, idx) => idx !== i));
-
-    const updateRow = (
-        i: number,
-        field: "key" | "value",
-        val: string
-    ) => {
-        const next = [...headers];
-        next[i] = { ...next[i], [field]: val };
-        onChange(next);
-    };
-
-    return (
-        <div className="space-y-3">
-            {headers.length === 0 && (
-                <p className="text-xs text-muted-foreground">
-                    No custom headers configured. Click "Add Header" to add one.
-                </p>
-            )}
-            {headers.map((h, i) => (
-                <div key={i} className="flex gap-2 items-center">
-                    <Input
-                        value={h.key}
-                        onChange={(e) => updateRow(i, "key", e.target.value)}
-                        placeholder="Header name"
-                        className="flex-1"
-                    />
-                    <Input
-                        value={h.value}
-                        onChange={(e) => updateRow(i, "value", e.target.value)}
-                        placeholder="Value"
-                        className="flex-1"
-                    />
-                    <Button
-                        type="button"
-                        variant="ghost"
-                        size="icon"
-                        onClick={() => removeRow(i)}
-                        className="shrink-0 h-9 w-9"
-                    >
-                        <X className="h-4 w-4" />
-                    </Button>
-                </div>
-            ))}
-            <Button
-                type="button"
-                variant="outline"
-                size="sm"
-                onClick={addRow}
-                className="gap-1.5"
-            >
-                <Plus className="h-3.5 w-3.5" />
-                Add Header
-            </Button>
-        </div>
-    );
-}
-
 // ── Destination card ───────────────────────────────────────────────────────────
 
 interface DestinationCardProps {
     destination: Destination;
     onToggle: (id: number, enabled: boolean) => void;
     onEdit: (destination: Destination) => void;
+    onDelete: (destination: Destination) => void;
     isToggling: boolean;
     disabled?: boolean;
 }
@@ -180,18 +65,22 @@ function DestinationCard({
     destination,
     onToggle,
     onEdit,
+    onDelete,
     isToggling,
     disabled = false
 }: DestinationCardProps) {
-    const cfg = parseConfig(destination.config);
+    const cfg = parseHttpConfig(destination.config);
 
     return (
         <div className="relative flex flex-col rounded-lg border bg-card text-card-foreground p-5 gap-3">
             {/* Top row: icon + name/type + toggle */}
             <div className="flex items-start justify-between gap-3">
                 <div className="flex items-center gap-3 min-w-0">
-                    <div className="shrink-0 flex items-center justify-center w-9 h-9 rounded-md bg-muted">
-                        <Globe className="h-5 w-5 text-muted-foreground" />
+                    {/* Squirkle icon: gray outer → white inner → black globe */}
+                    <div className="shrink-0 flex items-center justify-center w-10 h-10 rounded-2xl bg-muted">
+                        <div className="flex items-center justify-center w-6 h-6 rounded-xl bg-white shadow-sm">
+                            <Globe className="h-3.5 w-3.5 text-black" />
+                        </div>
                     </div>
                     <div className="min-w-0">
                         <p className="font-semibold text-sm leading-tight truncate">
@@ -219,17 +108,37 @@ function DestinationCard({
                 )}
             </p>
 
-            {/* Footer: edit button */}
-            <div className="mt-auto pt-3">
+            {/* Footer: edit button + three-dots menu */}
+            <div className="mt-auto pt-5 flex gap-2">
                 <Button
                     variant="outline"
                     size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
-                    className="w-full"
+                    className="flex-1"
                 >
                     Edit
                 </Button>
+                <DropdownMenu>
+                    <DropdownMenuTrigger asChild>
+                        <Button
+                            variant="outline"
+                            size="icon"
+                            className="h-9 w-9 shrink-0"
+                            disabled={disabled}
+                        >
+                            <MoreHorizontal className="h-4 w-4" />
+                        </Button>
+                    </DropdownMenuTrigger>
+                    <DropdownMenuContent align="end">
+                        <DropdownMenuItem
+                            className="text-destructive focus:text-destructive"
+                            onClick={() => onDelete(destination)}
+                        >
+                            Delete
+                        </DropdownMenuItem>
+                    </DropdownMenuContent>
+                </DropdownMenu>
             </div>
         </div>
     );
@@ -237,23 +146,12 @@ function DestinationCard({
 
 // ── Add destination card ───────────────────────────────────────────────────────
 
-function AddDestinationCard({
-    onClick,
-    disabled = false
-}: {
-    onClick: () => void;
-    disabled?: boolean;
-}) {
+function AddDestinationCard({ onClick }: { onClick: () => void }) {
     return (
         <button
             type="button"
-            onClick={disabled ? undefined : onClick}
-            disabled={disabled}
-            className={`flex flex-col items-center justify-center rounded-lg border-2 border-dashed border-border bg-transparent transition-colors p-5 min-h-35 w-full ${
-                disabled
-                    ? "opacity-50 cursor-not-allowed text-muted-foreground"
-                    : "text-muted-foreground hover:border-primary hover:text-primary hover:bg-primary/5 cursor-pointer"
-            }`}
+            onClick={onClick}
+            className="flex flex-col items-center justify-center rounded-lg border-2 border-dashed border-border bg-transparent transition-colors p-5 min-h-35 w-full text-muted-foreground hover:border-primary hover:text-primary hover:bg-primary/5 cursor-pointer"
         >
             <div className="flex flex-col items-center gap-2">
                 <div className="flex items-center justify-center w-9 h-9 rounded-md border-2 border-dashed border-current">
@@ -280,7 +178,8 @@ const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
     {
         id: "s3",
         title: "Amazon S3",
-        description: "Stream events to an S3-compatible object storage bucket. Coming soon.",
+        description:
+            "Stream events to an S3-compatible object storage bucket. Coming soon.",
         disabled: true,
         icon: (
             <Image
@@ -295,7 +194,8 @@ const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
     {
         id: "datadog",
         title: "Datadog",
-        description: "Forward events directly to your Datadog account. Coming soon.",
+        description:
+            "Forward events directly to your Datadog account. Coming soon.",
         disabled: true,
         icon: (
             <Image
@@ -313,12 +213,14 @@ interface DestinationTypePickerProps {
     open: boolean;
     onOpenChange: (open: boolean) => void;
     onSelect: (type: DestinationType) => void;
+    isPaywalled?: boolean;
 }
 
 function DestinationTypePicker({
     open,
     onOpenChange,
-    onSelect
+    onSelect,
+    isPaywalled = false
 }: DestinationTypePickerProps) {
     const [selected, setSelected] = useState<DestinationType>("http");
 
@@ -336,18 +238,29 @@ function DestinationTypePicker({
                     </CredenzaDescription>
                 </CredenzaHeader>
                 <CredenzaBody>
-                    <StrategySelect
-                        options={destinationTypeOptions}
-                        value={selected}
-                        onChange={setSelected}
-                        cols={1}
-                    />
+                    {isPaywalled && (
+                        <div className="mb-4 rounded-md border border-amber-200 bg-amber-50 dark:border-amber-800 dark:bg-amber-950/30 px-4 py-3 text-sm text-amber-800 dark:text-amber-300">
+                            Upgrade to an enterprise plan to configure event
+                            streaming destinations.
+                        </div>
+                    )}
+                    <div className={isPaywalled ? "pointer-events-none opacity-50" : ""}>
+                        <StrategySelect
+                            options={destinationTypeOptions}
+                            value={selected}
+                            onChange={setSelected}
+                            cols={1}
+                        />
+                    </div>
                 </CredenzaBody>
                 <CredenzaFooter>
                     <CredenzaClose asChild>
                         <Button variant="outline">Cancel</Button>
                     </CredenzaClose>
-                    <Button onClick={() => onSelect(selected)}>
+                    <Button
+                        onClick={() => onSelect(selected)}
+                        disabled={isPaywalled}
+                    >
                         Continue
                     </Button>
                 </CredenzaFooter>
@@ -356,630 +269,6 @@ function DestinationTypePicker({
     );
 }
 
-// ── Destination modal ──────────────────────────────────────────────────────────
-
-interface DestinationModalProps {
-    open: boolean;
-    onOpenChange: (open: boolean) => void;
-    editing: Destination | null;
-    orgId: string;
-    onSaved: () => void;
-    onDeleted: () => void;
-}
-
-function DestinationModal({
-    open,
-    onOpenChange,
-    editing,
-    orgId,
-    onSaved,
-    onDeleted
-}: DestinationModalProps) {
-    const api = createApiClient(useEnvContext());
-
-    const [saving, setSaving] = useState(false);
-    const [deleting, setDeleting] = useState(false);
-    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
-    const [cfg, setCfg] = useState<HttpConfig>(defaultConfig());
-    const [sendAccessLogs, setSendAccessLogs] = useState(false);
-    const [sendActionLogs, setSendActionLogs] = useState(false);
-    const [sendConnectionLogs, setSendConnectionLogs] = useState(false);
-    const [sendRequestLogs, setSendRequestLogs] = useState(false);
-
-    useEffect(() => {
-        if (open) {
-            setCfg(editing ? parseConfig(editing.config) : defaultConfig());
-            setSendAccessLogs(editing?.sendAccessLogs ?? false);
-            setSendActionLogs(editing?.sendActionLogs ?? false);
-            setSendConnectionLogs(editing?.sendConnectionLogs ?? false);
-            setSendRequestLogs(editing?.sendRequestLogs ?? false);
-        }
-        if (!open) {
-            setDeleteDialogOpen(false);
-        }
-    }, [open, editing]);
-
-    const update = (patch: Partial<HttpConfig>) =>
-        setCfg((prev) => ({ ...prev, ...patch }));
-
-    const urlError: string | null = (() => {
-        const raw = cfg.url.trim();
-        if (!raw) return null;
-        try {
-            const parsed = new URL(raw);
-            if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-                return "URL must use http or https";
-            }
-            if (build === "saas" && parsed.protocol !== "https:") {
-                return "HTTPS is required on cloud deployments";
-            }
-            return null;
-        } catch {
-            return "Enter a valid URL (e.g. https://example.com/webhook)";
-        }
-    })();
-
-    const isValid =
-        cfg.name.trim() !== "" &&
-        cfg.url.trim() !== "" &&
-        urlError === null;
-
-    async function handleSave() {
-        if (!isValid) return;
-        setSaving(true);
-        try {
-            const payload = {
-                type: "http",
-                config: JSON.stringify(cfg),
-                sendAccessLogs,
-                sendActionLogs,
-                sendConnectionLogs,
-                sendRequestLogs
-            };
-            if (editing) {
-                await api.post(
-                    `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
-                    payload
-                );
-                toast({ title: "Destination updated successfully" });
-            } else {
-                await api.put(
-                    `/org/${orgId}/event-streaming-destination`,
-                    payload
-                );
-                toast({ title: "Destination created successfully" });
-            }
-            onSaved();
-            onOpenChange(false);
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: editing
-                    ? "Failed to update destination"
-                    : "Failed to create destination",
-                description: formatAxiosError(
-                    e,
-                    "An unexpected error occurred."
-                )
-            });
-        } finally {
-            setSaving(false);
-        }
-    }
-
-    async function handleDelete() {
-        if (!editing) return;
-        setDeleting(true);
-        try {
-            await api.delete(
-                `/org/${orgId}/event-streaming-destination/${editing.destinationId}`
-            );
-            toast({ title: "Destination deleted successfully" });
-            onDeleted();
-            onOpenChange(false);
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: "Failed to delete destination",
-                description: formatAxiosError(
-                    e,
-                    "An unexpected error occurred."
-                )
-            });
-        } finally {
-            setDeleting(false);
-        }
-    }
-
-    return (
-        <>
-        <Credenza open={open} onOpenChange={onOpenChange}>
-            <CredenzaContent className="sm:max-w-2xl">
-                <CredenzaHeader>
-                    <CredenzaTitle>
-                        {editing ? "Edit Destination" : "Add Destination"}
-                    </CredenzaTitle>
-                    <CredenzaDescription>
-                        {editing
-                            ? "Update the configuration for this HTTP event streaming destination."
-                            : "Configure a new HTTP endpoint to receive your organization's events."}
-                    </CredenzaDescription>
-                </CredenzaHeader>
-
-                <CredenzaBody>
-                    <HorizontalTabs
-                        clientSide
-                        items={[
-                            { title: "Settings", href: "" },
-                            { title: "Headers", href: "" },
-                            { title: "Body Template", href: "" },
-                            { title: "Logs", href: "" }
-                        ]}
-                    >
-                        {/* ── Settings ─────────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div className="space-y-1.5">
-                                <Label htmlFor="dest-name">Name</Label>
-                                <Input
-                                    id="dest-name"
-                                    placeholder="My HTTP destination"
-                                    value={cfg.name}
-                                    onChange={(e) =>
-                                        update({ name: e.target.value })
-                                    }
-                                />
-                            </div>
-
-                            <div className="space-y-1.5">
-                                <Label htmlFor="dest-url">Destination URL</Label>
-                                <Input
-                                    id="dest-url"
-                                    placeholder="https://example.com/webhook"
-                                    value={cfg.url}
-                                    onChange={(e) =>
-                                        update({ url: e.target.value })
-                                    }
-                                />
-                                {urlError && (
-                                    <p className="text-xs text-destructive mt-1">
-                                        {urlError}
-                                    </p>
-                                )}
-                            </div>
-
-                            <div>
-                                <div className="mb-4">
-                                    <label className="font-medium block">
-                                        Authentication
-                                    </label>
-                                    <div className="text-sm text-muted-foreground">
-                                        Choose how requests to your endpoint are authenticated.
-                                    </div>
-                                </div>
-                                <RadioGroup
-                                    value={cfg.authType}
-                                    onValueChange={(v) =>
-                                        update({ authType: v as AuthType })
-                                    }
-                                    className="gap-2"
-                                >
-                                    {/* None */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors data-[state=checked]:border-primary">
-                                        <RadioGroupItem
-                                            value="none"
-                                            id="auth-none"
-                                            className="mt-0.5"
-                                        />
-                                        <div>
-                                            <Label
-                                                htmlFor="auth-none"
-                                                className="cursor-pointer font-medium"
-                                            >
-                                                No Authentication
-                                            </Label>
-                                            <p className="text-xs text-muted-foreground mt-0.5">
-                                                Sends requests without an{" "}
-                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                    Authorization
-                                                </code>{" "}
-                                                header.
-                                            </p>
-                                        </div>
-                                    </div>
-
-                                    {/* Bearer */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3">
-                                        <RadioGroupItem
-                                            value="bearer"
-                                            id="auth-bearer"
-                                            className="mt-0.5"
-                                        />
-                                        <div className="flex-1 space-y-3">
-                                            <div>
-                                                <Label
-                                                    htmlFor="auth-bearer"
-                                                    className="cursor-pointer font-medium"
-                                                >
-                                                    Bearer Token
-                                                </Label>
-                                                <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Bearer &lt;token&gt;
-                                                    </code>{" "}
-                                                    header to each request.
-                                                </p>
-                                            </div>
-                                            {cfg.authType === "bearer" && (
-                                                <Input
-                                                    placeholder="Your API key or token"
-                                                    value={cfg.bearerToken ?? ""}
-                                                    onChange={(e) =>
-                                                        update({
-                                                            bearerToken:
-                                                                e.target.value
-                                                        })
-                                                    }
-                                                />
-                                            )}
-                                        </div>
-                                    </div>
-
-                                    {/* Basic */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3">
-                                        <RadioGroupItem
-                                            value="basic"
-                                            id="auth-basic"
-                                            className="mt-0.5"
-                                        />
-                                        <div className="flex-1 space-y-3">
-                                            <div>
-                                                <Label
-                                                    htmlFor="auth-basic"
-                                                    className="cursor-pointer font-medium"
-                                                >
-                                                    Basic Auth
-                                                </Label>
-                                                <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Basic &lt;credentials&gt;
-                                                    </code>{" "}
-                                                    header. Provide credentials as{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        username:password
-                                                    </code>
-                                                    .
-                                                </p>
-                                            </div>
-                                            {cfg.authType === "basic" && (
-                                                <Input
-                                                    placeholder="username:password"
-                                                    value={
-                                                        cfg.basicCredentials ?? ""
-                                                    }
-                                                    onChange={(e) =>
-                                                        update({
-                                                            basicCredentials:
-                                                                e.target.value
-                                                        })
-                                                    }
-                                                />
-                                            )}
-                                        </div>
-                                    </div>
-
-                                    {/* Custom */}
-                                    <div className="flex items-start gap-3 rounded-md border p-3">
-                                        <RadioGroupItem
-                                            value="custom"
-                                            id="auth-custom"
-                                            className="mt-0.5"
-                                        />
-                                        <div className="flex-1 space-y-3">
-                                            <div>
-                                                <Label
-                                                    htmlFor="auth-custom"
-                                                    className="cursor-pointer font-medium"
-                                                >
-                                                    Custom Header
-                                                </Label>
-                                                <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Specify a custom HTTP header name and value for
-                                                    authentication (e.g.{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        X-API-Key
-                                                    </code>
-                                                    ).
-                                                </p>
-                                            </div>
-                                            {cfg.authType === "custom" && (
-                                                <div className="flex gap-2">
-                                                    <Input
-                                                        placeholder="Header name (e.g. X-API-Key)"
-                                                        value={
-                                                            cfg.customHeaderName ??
-                                                            ""
-                                                        }
-                                                        onChange={(e) =>
-                                                            update({
-                                                                customHeaderName:
-                                                                    e.target.value
-                                                            })
-                                                        }
-                                                        className="flex-1"
-                                                    />
-                                                    <Input
-                                                        placeholder="Header value"
-                                                        value={
-                                                            cfg.customHeaderValue ??
-                                                            ""
-                                                        }
-                                                        onChange={(e) =>
-                                                            update({
-                                                                customHeaderValue:
-                                                                    e.target.value
-                                                            })
-                                                        }
-                                                        className="flex-1"
-                                                    />
-                                                </div>
-                                            )}
-                                        </div>
-                                    </div>
-                                </RadioGroup>
-                            </div>
-                        </div>
-
-                        {/* ── Headers ───────────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div>
-                                <div className="mb-4">
-                                    <label className="font-medium block">
-                                        Custom HTTP Headers
-                                    </label>
-                                    <div className="text-sm text-muted-foreground">
-                                        Add custom headers to every outgoing request.
-                                        Useful for static tokens or custom{" "}
-                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                            Content-Type
-                                        </code>
-                                        . By default,{" "}
-                                        <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                            Content-Type: application/json
-                                        </code>{" "}
-                                        is sent.
-                                    </div>
-                                </div>
-                                <HeadersEditor
-                                    headers={cfg.headers}
-                                    onChange={(headers) => update({ headers })}
-                                />
-                            </div>
-                        </div>
-
-                        {/* ── Body Template ─────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div className="mb-4">
-                                <label className="font-medium block">
-                                    Custom Body Template
-                                </label>
-                                <div className="text-sm text-muted-foreground">
-                                    Control the JSON payload structure sent to your
-                                    endpoint. If disabled, a default JSON object is sent
-                                    for each event.
-                                </div>
-                            </div>
-
-                            <div className="flex items-center gap-3">
-                                <Switch
-                                    id="use-body-template"
-                                    checked={cfg.useBodyTemplate}
-                                    onCheckedChange={(v) =>
-                                        update({ useBodyTemplate: v })
-                                    }
-                                />
-                                <Label
-                                    htmlFor="use-body-template"
-                                    className="cursor-pointer"
-                                >
-                                    Enable custom body template
-                                </Label>
-                            </div>
-
-                            {cfg.useBodyTemplate && (
-                                <div className="space-y-1.5">
-                                    <Label htmlFor="body-template">
-                                        Body Template (JSON)
-                                    </Label>
-                                    <Textarea
-                                        id="body-template"
-                                        placeholder={
-                                            '{\n  "event": "{{event}}",\n  "timestamp": "{{timestamp}}",\n  "data": {{data}}\n}'
-                                        }
-                                        value={cfg.bodyTemplate ?? ""}
-                                        onChange={(e) =>
-                                            update({
-                                                bodyTemplate: e.target.value
-                                            })
-                                        }
-                                        className="font-mono text-xs min-h-45 resize-y"
-                                    />
-                                    <p className="text-xs text-muted-foreground">
-                                        Use template variables to reference event fields in
-                                        your payload.
-                                    </p>
-                                </div>
-                            )}
-                        </div>
-
-                        {/* ── Logs ──────────────────────────────────────── */}
-                        <div className="space-y-4 mt-4 p-1">
-                            <div className="mb-4">
-                                <label className="font-medium block">
-                                    Log Types
-                                </label>
-                                <div className="text-sm text-muted-foreground">
-                                    Choose which log types are forwarded to this
-                                    destination. Only enabled log types will be
-                                    streamed.
-                                </div>
-                            </div>
-
-                            <div className="space-y-3">
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-access"
-                                        checked={sendAccessLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendAccessLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-access"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Access Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            Resource access attempts, including
-                                            authenticated and denied requests.
-                                        </p>
-                                    </div>
-                                </div>
-
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-action"
-                                        checked={sendActionLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendActionLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-action"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Action Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            Administrative actions performed by
-                                            users within the organization.
-                                        </p>
-                                    </div>
-                                </div>
-
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-connection"
-                                        checked={sendConnectionLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendConnectionLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-connection"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Connection Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            Site and tunnel connection events,
-                                            including connects and disconnects.
-                                        </p>
-                                    </div>
-                                </div>
-
-                                <div className="flex items-start gap-3 rounded-md border p-3">
-                                    <Checkbox
-                                        id="log-request"
-                                        checked={sendRequestLogs}
-                                        onCheckedChange={(v) =>
-                                            setSendRequestLogs(v === true)
-                                        }
-                                        className="mt-0.5"
-                                    />
-                                    <div>
-                                        <label
-                                            htmlFor="log-request"
-                                            className="text-sm font-medium cursor-pointer"
-                                        >
-                                            Request Logs
-                                        </label>
-                                        <p className="text-xs text-muted-foreground mt-0.5">
-                                            HTTP request logs for proxied
-                                            resources, including method, path,
-                                            and response code.
-                                        </p>
-                                    </div>
-                                </div>
-                            </div>
-                        </div>
-                    </HorizontalTabs>
-                </CredenzaBody>
-
-                <CredenzaFooter>
-                    {editing && (
-                        <Button
-                            type="button"
-                            variant="destructive"
-                            onClick={() => setDeleteDialogOpen(true)}
-                            disabled={saving || deleting}
-                            className="mr-auto"
-                        >
-                            Delete
-                        </Button>
-                    )}
-                    <CredenzaClose asChild>
-                        <Button
-                            type="button"
-                            variant="outline"
-                            disabled={saving || deleting}
-                        >
-                            Cancel
-                        </Button>
-                    </CredenzaClose>
-                    <Button
-                        type="button"
-                        onClick={handleSave}
-                        loading={saving}
-                        disabled={!isValid || deleting}
-                    >
-                        {editing ? "Save Changes" : "Create Destination"}
-                    </Button>
-                </CredenzaFooter>
-            </CredenzaContent>
-        </Credenza>
-
-        {editing && (
-            <ConfirmDeleteDialog
-                open={deleteDialogOpen}
-                setOpen={setDeleteDialogOpen}
-                string={parseConfig(editing.config).name || "delete"}
-                title="Delete Destination"
-                dialog={
-                    <p className="text-sm text-muted-foreground">
-                        Are you sure you want to delete the destination{" "}
-                        <span className="font-semibold text-foreground">
-                            {parseConfig(editing.config).name || "this destination"}
-                        </span>
-                        ? All configuration will be permanently removed.
-                    </p>
-                }
-                buttonText="Delete Destination"
-                onConfirm={handleDelete}
-            />
-        )}
-        </>
-    );
-}
-
 // ── Main page ──────────────────────────────────────────────────────────────────
 
 export default function StreamingDestinationsPage() {
@@ -996,6 +285,11 @@ export default function StreamingDestinationsPage() {
         useState<Destination | null>(null);
     const [togglingIds, setTogglingIds] = useState<Set<number>>(new Set());
 
+    // Delete state
+    const [deleteTarget, setDeleteTarget] = useState<Destination | null>(null);
+    const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+    const [deleting, setDeleting] = useState(false);
+
     const loadDestinations = useCallback(async () => {
         if (build == "oss") {
             setDestinations([]);
@@ -1065,6 +359,36 @@ export default function StreamingDestinationsPage() {
         }
     };
 
+    const handleDeleteCard = (destination: Destination) => {
+        setDeleteTarget(destination);
+        setDeleteDialogOpen(true);
+    };
+
+    const handleDeleteConfirm = async () => {
+        if (!deleteTarget) return;
+        setDeleting(true);
+        try {
+            await api.delete(
+                `/org/${orgId}/event-streaming-destination/${deleteTarget.destinationId}`
+            );
+            toast({ title: "Destination deleted successfully" });
+            setDeleteDialogOpen(false);
+            setDeleteTarget(null);
+            loadDestinations();
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: "Failed to delete destination",
+                description: formatAxiosError(
+                    e,
+                    "An unexpected error occurred."
+                )
+            });
+        } finally {
+            setDeleting(false);
+        }
+    };
+
     const openCreate = () => {
         setTypePickerOpen(true);
     };
@@ -1090,8 +414,8 @@ export default function StreamingDestinationsPage() {
             <PaidFeaturesAlert tiers={tierMatrix[TierFeature.SIEM]} />
 
             {loading ? (
-                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-                    {Array.from({ length: 3 }).map((_, i) => (
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-4">
+                    {Array.from({ length: 4 }).map((_, i) => (
                         <div
                             key={i}
                             className="rounded-lg border bg-card p-5 min-h-36 animate-pulse"
@@ -1099,21 +423,20 @@ export default function StreamingDestinationsPage() {
                     ))}
                 </div>
             ) : (
-                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-4">
                     {destinations.map((dest) => (
                         <DestinationCard
                             key={dest.destinationId}
                             destination={dest}
                             onToggle={handleToggle}
                             onEdit={openEdit}
+                            onDelete={handleDeleteCard}
                             isToggling={togglingIds.has(dest.destinationId)}
                             disabled={!isEnterprise}
                         />
                     ))}
-                    <AddDestinationCard
-                        onClick={openCreate}
-                        disabled={!isEnterprise}
-                    />
+                    {/* Add card is always clickable — paywall is enforced inside the picker */}
+                    <AddDestinationCard onClick={openCreate} />
                 </div>
             )}
 
@@ -1121,16 +444,42 @@ export default function StreamingDestinationsPage() {
                 open={typePickerOpen}
                 onOpenChange={setTypePickerOpen}
                 onSelect={handleTypePicked}
+                isPaywalled={!isEnterprise}
             />
 
-            <DestinationModal
+            <HttpDestinationCredenza
                 open={modalOpen}
                 onOpenChange={setModalOpen}
                 editing={editingDestination}
                 orgId={orgId}
                 onSaved={loadDestinations}
-                onDeleted={loadDestinations}
             />
+
+            {deleteTarget && (
+                <ConfirmDeleteDialog
+                    open={deleteDialogOpen}
+                    setOpen={(v) => {
+                        setDeleteDialogOpen(v);
+                        if (!v) setDeleteTarget(null);
+                    }}
+                    string={
+                        parseHttpConfig(deleteTarget.config).name || "delete"
+                    }
+                    title="Delete Destination"
+                    dialog={
+                        <p className="text-sm text-muted-foreground">
+                            Are you sure you want to delete{" "}
+                            <span className="font-semibold text-foreground">
+                                {parseHttpConfig(deleteTarget.config).name ||
+                                    "this destination"}
+                            </span>
+                            ? All configuration will be permanently removed.
+                        </p>
+                    }
+                    buttonText="Delete Destination"
+                    onConfirm={handleDeleteConfirm}
+                />
+            )}
         </>
     );
-}
+}
\ No newline at end of file

From 6ea719c50f81153c332af52642be29da058f9995 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:44:18 -0700
Subject: [PATCH 094/122] Pin

---
 package.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index 66c61c0e6..7d7b3df69 100644
--- a/package.json
+++ b/package.json
@@ -112,13 +112,13 @@
         "reodotdev": "1.1.0",
         "resend": "6.9.2",
         "semver": "7.7.4",
-        "sshpk": "^1.18.0",
+        "sshpk": "1.18.0",
         "stripe": "20.4.1",
         "swagger-ui-express": "5.0.1",
         "tailwind-merge": "3.5.0",
         "topojson-client": "3.1.0",
         "tw-animate-css": "1.4.0",
-        "use-debounce": "^10.1.0",
+        "use-debounce": "10.1.0",
         "uuid": "13.0.0",
         "vaul": "1.1.2",
         "visionscarto-world-atlas": "1.0.0",
@@ -153,7 +153,7 @@
         "@types/react": "19.2.14",
         "@types/react-dom": "19.2.3",
         "@types/semver": "7.7.1",
-        "@types/sshpk": "^1.17.4",
+        "@types/sshpk": "1.17.4",
         "@types/swagger-ui-express": "4.1.8",
         "@types/topojson-client": "3.1.5",
         "@types/ws": "8.18.1",

From 954b492aa9f239d28c7e3e22bc461d0bc55525c4 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:52:08 -0700
Subject: [PATCH 095/122] Fix imports

---
 src/app/[orgId]/settings/access/invitations/page.tsx          | 3 +--
 src/app/[orgId]/settings/access/users/page.tsx                | 3 +--
 src/app/[orgId]/settings/api-keys/page.tsx                    | 2 +-
 src/app/[orgId]/settings/domains/page.tsx                     | 2 +-
 src/app/[orgId]/settings/logs/streaming/page.tsx              | 4 ++--
 src/app/[orgId]/settings/provisioning/keys/page.tsx           | 2 +-
 src/app/[orgId]/settings/share-links/page.tsx                 | 2 +-
 src/app/[orgId]/settings/sites/[niceId]/layout.tsx            | 4 ++--
 src/app/admin/api-keys/page.tsx                               | 2 +-
 src/app/admin/idp/[idpId]/policies/page.tsx                   | 2 +-
 src/app/admin/idp/page.tsx                                    | 2 +-
 src/app/admin/license/page.tsx                                | 4 ++--
 src/app/admin/users/page.tsx                                  | 2 +-
 .../logs/streaming => components}/HttpDestinationCredenza.tsx | 0
 14 files changed, 16 insertions(+), 18 deletions(-)
 rename src/{app/[orgId]/settings/logs/streaming => components}/HttpDestinationCredenza.tsx (100%)

diff --git a/src/app/[orgId]/settings/access/invitations/page.tsx b/src/app/[orgId]/settings/access/invitations/page.tsx
index 00cb0ffc8..ae37c3752 100644
--- a/src/app/[orgId]/settings/access/invitations/page.tsx
+++ b/src/app/[orgId]/settings/access/invitations/page.tsx
@@ -3,13 +3,12 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import InvitationsTable, {
     InvitationRow
-} from "../../../../../components/InvitationsTable";
+} from "@app/components/InvitationsTable";
 import { GetOrgResponse } from "@server/routers/org";
 import { cache } from "react";
 import OrgProvider from "@app/providers/OrgProvider";
 import UserProvider from "@app/providers/UserProvider";
 import { verifySession } from "@app/lib/auth/verifySession";
-import AccessPageHeaderAndNav from "../../../../../components/AccessPageHeaderAndNav";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { getTranslations } from "next-intl/server";
 
diff --git a/src/app/[orgId]/settings/access/users/page.tsx b/src/app/[orgId]/settings/access/users/page.tsx
index 812ac2b64..84685cc04 100644
--- a/src/app/[orgId]/settings/access/users/page.tsx
+++ b/src/app/[orgId]/settings/access/users/page.tsx
@@ -3,13 +3,12 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { getUserDisplayName } from "@app/lib/getUserDisplayName";
 import { ListUsersResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
-import UsersTable, { UserRow } from "../../../../../components/UsersTable";
+import UsersTable, { UserRow } from "@app/components/UsersTable";
 import { GetOrgResponse } from "@server/routers/org";
 import { cache } from "react";
 import OrgProvider from "@app/providers/OrgProvider";
 import UserProvider from "@app/providers/UserProvider";
 import { verifySession } from "@app/lib/auth/verifySession";
-import AccessPageHeaderAndNav from "../../../../../components/AccessPageHeaderAndNav";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { getTranslations } from "next-intl/server";
 
diff --git a/src/app/[orgId]/settings/api-keys/page.tsx b/src/app/[orgId]/settings/api-keys/page.tsx
index 2973bb542..0ed9553af 100644
--- a/src/app/[orgId]/settings/api-keys/page.tsx
+++ b/src/app/[orgId]/settings/api-keys/page.tsx
@@ -4,7 +4,7 @@ import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import OrgApiKeysTable, {
     OrgApiKeyRow
-} from "../../../../components/OrgApiKeysTable";
+} from "@app/components/OrgApiKeysTable";
 import { ListOrgApiKeysResponse } from "@server/routers/apiKeys";
 import { getTranslations } from "next-intl/server";
 
diff --git a/src/app/[orgId]/settings/domains/page.tsx b/src/app/[orgId]/settings/domains/page.tsx
index 04db84b38..d1325d32b 100644
--- a/src/app/[orgId]/settings/domains/page.tsx
+++ b/src/app/[orgId]/settings/domains/page.tsx
@@ -2,7 +2,7 @@ import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import DomainsTable, { DomainRow } from "../../../../components/DomainsTable";
+import DomainsTable, { DomainRow } from "@app/components/DomainsTable";
 import { getTranslations } from "next-intl/server";
 import { cache } from "react";
 import { GetOrgResponse } from "@server/routers/org";
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 035ad98f8..449f17edb 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -37,7 +37,7 @@ import {
     Destination,
     HttpDestinationCredenza,
     parseHttpConfig
-} from "./HttpDestinationCredenza";
+} from "@app/components/HttpDestinationCredenza";
 
 // ── Re-export Destination so the rest of the file can use it ──────────────────
 
@@ -482,4 +482,4 @@ export default function StreamingDestinationsPage() {
             )}
         </>
     );
-}
\ No newline at end of file
+}
diff --git a/src/app/[orgId]/settings/provisioning/keys/page.tsx b/src/app/[orgId]/settings/provisioning/keys/page.tsx
index 9637b03b3..32a06706d 100644
--- a/src/app/[orgId]/settings/provisioning/keys/page.tsx
+++ b/src/app/[orgId]/settings/provisioning/keys/page.tsx
@@ -4,7 +4,7 @@ import { AxiosResponse } from "axios";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import SiteProvisioningKeysTable, {
     SiteProvisioningKeyRow
-} from "../../../../../components/SiteProvisioningKeysTable";
+} from "@app/components/SiteProvisioningKeysTable";
 import { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 import { getTranslations } from "next-intl/server";
 import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
diff --git a/src/app/[orgId]/settings/share-links/page.tsx b/src/app/[orgId]/settings/share-links/page.tsx
index 3b52393cf..b41a3d1ce 100644
--- a/src/app/[orgId]/settings/share-links/page.tsx
+++ b/src/app/[orgId]/settings/share-links/page.tsx
@@ -9,7 +9,7 @@ import OrgProvider from "@app/providers/OrgProvider";
 import { ListAccessTokensResponse } from "@server/routers/accessToken";
 import ShareLinksTable, {
     ShareLinkRow
-} from "../../../../components/ShareLinksTable";
+} from "@app/components/ShareLinksTable";
 import { getTranslations } from "next-intl/server";
 
 type ShareLinksPageProps = {
diff --git a/src/app/[orgId]/settings/sites/[niceId]/layout.tsx b/src/app/[orgId]/settings/sites/[niceId]/layout.tsx
index 2554403ea..aa02bb667 100644
--- a/src/app/[orgId]/settings/sites/[niceId]/layout.tsx
+++ b/src/app/[orgId]/settings/sites/[niceId]/layout.tsx
@@ -6,9 +6,9 @@ import { redirect } from "next/navigation";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { HorizontalTabs } from "@app/components/HorizontalTabs";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import SiteInfoCard from "../../../../../components/SiteInfoCard";
+import SiteInfoCard from "@app/components/SiteInfoCard";
 import { getTranslations } from "next-intl/server";
-import { build } from "@server/build";
+
 
 interface SettingsLayoutProps {
     children: React.ReactNode;
diff --git a/src/app/admin/api-keys/page.tsx b/src/app/admin/api-keys/page.tsx
index 60195c4aa..ce468dd39 100644
--- a/src/app/admin/api-keys/page.tsx
+++ b/src/app/admin/api-keys/page.tsx
@@ -3,7 +3,7 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { ListRootApiKeysResponse } from "@server/routers/apiKeys";
-import ApiKeysTable, { ApiKeyRow } from "../../../components/ApiKeysTable";
+import ApiKeysTable, { ApiKeyRow } from "@app/components/ApiKeysTable";
 import { getTranslations } from "next-intl/server";
 
 type ApiKeyPageProps = {};
diff --git a/src/app/admin/idp/[idpId]/policies/page.tsx b/src/app/admin/idp/[idpId]/policies/page.tsx
index 57ee3cf7b..60e8a094a 100644
--- a/src/app/admin/idp/[idpId]/policies/page.tsx
+++ b/src/app/admin/idp/[idpId]/policies/page.tsx
@@ -31,7 +31,7 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { InfoIcon, ExternalLink, CheckIcon } from "lucide-react";
-import PolicyTable, { PolicyRow } from "../../../../../components/PolicyTable";
+import PolicyTable, { PolicyRow } from "@app/components/PolicyTable";
 import { AxiosResponse } from "axios";
 import { ListOrgsResponse } from "@server/routers/org";
 import { ListRolesResponse } from "@server/routers/role";
diff --git a/src/app/admin/idp/page.tsx b/src/app/admin/idp/page.tsx
index a341c0469..01aac2a1e 100644
--- a/src/app/admin/idp/page.tsx
+++ b/src/app/admin/idp/page.tsx
@@ -2,7 +2,7 @@ import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import IdpTable, { IdpRow } from "../../../components/AdminIdpTable";
+import IdpTable, { IdpRow } from "@app/components/AdminIdpTable";
 import { getTranslations } from "next-intl/server";
 
 export default async function IdpPage() {
diff --git a/src/app/admin/license/page.tsx b/src/app/admin/license/page.tsx
index 3c444debb..b2322ec3b 100644
--- a/src/app/admin/license/page.tsx
+++ b/src/app/admin/license/page.tsx
@@ -6,7 +6,7 @@ import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { formatAxiosError } from "@app/lib/api";
-import { LicenseKeysDataTable } from "../../../components/LicenseKeysDataTable";
+import { LicenseKeysDataTable } from "@app/components/LicenseKeysDataTable";
 import { AxiosResponse } from "axios";
 import { Button } from "@app/components/ui/button";
 import {
@@ -45,7 +45,7 @@ import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { Check, Heart, InfoIcon } from "lucide-react";
 import CopyTextBox from "@app/components/CopyTextBox";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
-import { SitePriceCalculator } from "../../../components/SitePriceCalculator";
+import { SitePriceCalculator } from "@app/components/SitePriceCalculator";
 import { Checkbox } from "@app/components/ui/checkbox";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { useSupporterStatusContext } from "@app/hooks/useSupporterStatusContext";
diff --git a/src/app/admin/users/page.tsx b/src/app/admin/users/page.tsx
index 7368cb253..2a000b34b 100644
--- a/src/app/admin/users/page.tsx
+++ b/src/app/admin/users/page.tsx
@@ -3,7 +3,7 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { AdminListUsersResponse } from "@server/routers/user/adminListUsers";
-import UsersTable, { GlobalUserRow } from "../../../components/AdminUsersTable";
+import UsersTable, { GlobalUserRow } from "@app/components/AdminUsersTable";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { InfoIcon } from "lucide-react";
 import { getTranslations } from "next-intl/server";
diff --git a/src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx b/src/components/HttpDestinationCredenza.tsx
similarity index 100%
rename from src/app/[orgId]/settings/logs/streaming/HttpDestinationCredenza.tsx
rename to src/components/HttpDestinationCredenza.tsx

From 0254fb16952556c3e959ad5f6335c0eda5e11de0 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 11:56:19 -0700
Subject: [PATCH 096/122] Small ui tweaks

---
 src/app/[orgId]/settings/logs/streaming/page.tsx | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 449f17edb..843f1ddb7 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -112,7 +112,6 @@ function DestinationCard({
             <div className="mt-auto pt-5 flex gap-2">
                 <Button
                     variant="outline"
-                    size="sm"
                     onClick={() => onEdit(destination)}
                     disabled={disabled}
                     className="flex-1"
@@ -238,12 +237,6 @@ function DestinationTypePicker({
                     </CredenzaDescription>
                 </CredenzaHeader>
                 <CredenzaBody>
-                    {isPaywalled && (
-                        <div className="mb-4 rounded-md border border-amber-200 bg-amber-50 dark:border-amber-800 dark:bg-amber-950/30 px-4 py-3 text-sm text-amber-800 dark:text-amber-300">
-                            Upgrade to an enterprise plan to configure event
-                            streaming destinations.
-                        </div>
-                    )}
                     <div className={isPaywalled ? "pointer-events-none opacity-50" : ""}>
                         <StrategySelect
                             options={destinationTypeOptions}

From 0db1397f2fca2d17a14a7773500d101ec903e1c6 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 12:02:02 -0700
Subject: [PATCH 097/122] Add log connection audit dedicated file

---
 server/private/lib/logConnectionAudit.ts      | 234 ++++++++++++++++++
 .../newt/handleConnectionLogMessage.ts        | 232 +++--------------
 2 files changed, 266 insertions(+), 200 deletions(-)
 create mode 100644 server/private/lib/logConnectionAudit.ts

diff --git a/server/private/lib/logConnectionAudit.ts b/server/private/lib/logConnectionAudit.ts
new file mode 100644
index 000000000..c7e786280
--- /dev/null
+++ b/server/private/lib/logConnectionAudit.ts
@@ -0,0 +1,234 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { logsDb, connectionAuditLog } from "@server/db";
+import logger from "@server/logger";
+import { and, eq, lt } from "drizzle-orm";
+import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+
+// ---------------------------------------------------------------------------
+// Retry configuration for deadlock handling
+// ---------------------------------------------------------------------------
+
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// ---------------------------------------------------------------------------
+// Buffer / flush configuration
+// ---------------------------------------------------------------------------
+
+/** How often to flush accumulated connection log data to the database. */
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+/** Maximum number of records to buffer before forcing a flush. */
+const MAX_BUFFERED_RECORDS = 500;
+
+/** Maximum number of records to insert in a single database batch. */
+const INSERT_BATCH_SIZE = 100;
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface ConnectionLogRecord {
+    sessionId: string;
+    siteResourceId: number;
+    orgId: string;
+    siteId: number;
+    clientId: number | null;
+    userId: string | null;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: number; // epoch seconds
+    endedAt: number | null;
+    bytesTx: number | null;
+    bytesRx: number | null;
+}
+
+// ---------------------------------------------------------------------------
+// In-memory buffer
+// ---------------------------------------------------------------------------
+
+let buffer: ConnectionLogRecord[] = [];
+
+// ---------------------------------------------------------------------------
+// Deadlock helpers
+// ---------------------------------------------------------------------------
+
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Flush
+// ---------------------------------------------------------------------------
+
+/**
+ * Flush all buffered connection log records to the database.
+ *
+ * Swaps out the buffer before writing so that any records added during the
+ * flush are captured in the new buffer rather than being lost. Entries that
+ * fail to write are re-queued back into the buffer so they will be retried
+ * on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushConnectionLogToDb(): Promise<void> {
+    if (buffer.length === 0) {
+        return;
+    }
+
+    // Atomically swap out the buffer so new data keeps flowing in
+    const snapshot = buffer;
+    buffer = [];
+
+    logger.debug(
+        `Flushing ${snapshot.length} connection log record(s) to the database`
+    );
+
+    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
+        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
+
+        try {
+            await withDeadlockRetry(async () => {
+                await logsDb.insert(connectionAuditLog).values(batch);
+            }, `flush connection log batch (${batch.length} records)`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush connection log batch of ${batch.length} records:`,
+                error
+            );
+
+            // Re-queue the failed batch so it is retried on the next flush
+            buffer = [...batch, ...buffer];
+
+            // Cap buffer to prevent unbounded growth if the DB is unreachable
+            const hardLimit = MAX_BUFFERED_RECORDS * 5;
+            if (buffer.length > hardLimit) {
+                const dropped = buffer.length - hardLimit;
+                buffer = buffer.slice(0, hardLimit);
+                logger.warn(
+                    `Connection log buffer overflow, dropped ${dropped} oldest records`
+                );
+            }
+
+            // Stop processing further batches from this snapshot — they will
+            // be picked up via the re-queued records on the next flush.
+            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
+            if (remaining.length > 0) {
+                buffer = [...remaining, ...buffer];
+            }
+            break;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Periodic flush timer
+// ---------------------------------------------------------------------------
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushConnectionLogToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic connection log flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left. The graceful-shutdown path will call flushConnectionLogToDb() explicitly
+// before process.exit(), so no data is lost.
+flushTimer.unref();
+
+// ---------------------------------------------------------------------------
+// Cleanup
+// ---------------------------------------------------------------------------
+
+export async function cleanUpOldLogs(
+    orgId: string,
+    retentionDays: number
+): Promise<void> {
+    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
+
+    try {
+        await logsDb
+            .delete(connectionAuditLog)
+            .where(
+                and(
+                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
+                    eq(connectionAuditLog.orgId, orgId)
+                )
+            );
+    } catch (error) {
+        logger.error("Error cleaning up old connection audit logs:", error);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Public logging entry-point
+// ---------------------------------------------------------------------------
+
+/**
+ * Buffer a single connection log record for eventual persistence.
+ *
+ * Records are written to the database in batches either when the buffer
+ * reaches MAX_BUFFERED_RECORDS or when the periodic flush timer fires.
+ */
+export function logConnectionAudit(record: ConnectionLogRecord): void {
+    buffer.push(record);
+
+    if (buffer.length >= MAX_BUFFERED_RECORDS) {
+        // Fire and forget — errors are handled inside flushConnectionLogToDb
+        flushConnectionLogToDb().catch((error) => {
+            logger.error(
+                "Unexpected error during size-triggered connection log flush:",
+                error
+            );
+        });
+    }
+}
\ No newline at end of file
diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 2ac7153b5..00fb5dada 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -1,27 +1,20 @@
-import { db, logsDb } from "@server/db";
+import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { connectionAuditLog, sites, Newt, clients, orgs } from "@server/db";
-import { and, eq, lt, inArray } from "drizzle-orm";
+import { sites, Newt, clients, orgs } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 import { inflate } from "zlib";
 import { promisify } from "util";
-import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import {
+    logConnectionAudit,
+    flushConnectionLogToDb,
+    cleanUpOldLogs
+} from "#private/lib/logConnectionAudit";
+
+export { flushConnectionLogToDb, cleanUpOldLogs };
 
 const zlibInflate = promisify(inflate);
 
-// Retry configuration for deadlock handling
-const MAX_RETRIES = 3;
-const BASE_DELAY_MS = 50;
-
-// How often to flush accumulated connection log data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
-
-// Maximum number of records to buffer before forcing a flush
-const MAX_BUFFERED_RECORDS = 500;
-
-// Maximum number of records to insert in a single batch
-const INSERT_BATCH_SIZE = 100;
-
 interface ConnectionSessionData {
     sessionId: string;
     resourceId: number;
@@ -34,64 +27,6 @@ interface ConnectionSessionData {
     bytesRx?: number;
 }
 
-interface ConnectionLogRecord {
-    sessionId: string;
-    siteResourceId: number;
-    orgId: string;
-    siteId: number;
-    clientId: number | null;
-    userId: string | null;
-    sourceAddr: string;
-    destAddr: string;
-    protocol: string;
-    startedAt: number; // epoch seconds
-    endedAt: number | null;
-    bytesTx: number | null;
-    bytesRx: number | null;
-}
-
-// In-memory buffer of records waiting to be flushed
-let buffer: ConnectionLogRecord[] = [];
-
-/**
- * Check if an error is a deadlock error
- */
-function isDeadlockError(error: any): boolean {
-    return (
-        error?.code === "40P01" ||
-        error?.cause?.code === "40P01" ||
-        (error?.message && error.message.includes("deadlock"))
-    );
-}
-
-/**
- * Execute a function with retry logic for deadlock handling
- */
-async function withDeadlockRetry<T>(
-    operation: () => Promise<T>,
-    context: string
-): Promise<T> {
-    let attempt = 0;
-    while (true) {
-        try {
-            return await operation();
-        } catch (error: any) {
-            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
-                attempt++;
-                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
-                const jitter = Math.random() * baseDelay;
-                const delay = baseDelay + jitter;
-                logger.warn(
-                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
-                );
-                await new Promise((resolve) => setTimeout(resolve, delay));
-                continue;
-            }
-            throw error;
-        }
-    }
-}
-
 /**
  * Decompress a base64-encoded zlib-compressed string into parsed JSON.
  */
@@ -125,105 +60,6 @@ function toEpochSeconds(isoString: string | undefined | null): number | null {
     return Math.floor(ms / 1000);
 }
 
-/**
- * Flush all buffered connection log records to the database.
- *
- * Swaps out the buffer before writing so that any records added during the
- * flush are captured in the new buffer rather than being lost. Entries that
- * fail to write are re-queued back into the buffer so they will be retried
- * on the next flush.
- *
- * This function is exported so that the application's graceful-shutdown
- * cleanup handler can call it before the process exits.
- */
-export async function flushConnectionLogToDb(): Promise<void> {
-    if (buffer.length === 0) {
-        return;
-    }
-
-    // Atomically swap out the buffer so new data keeps flowing in
-    const snapshot = buffer;
-    buffer = [];
-
-    logger.debug(
-        `Flushing ${snapshot.length} connection log record(s) to the database`
-    );
-
-    // Insert in batches to avoid overly large SQL statements
-    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
-        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
-
-        try {
-            await withDeadlockRetry(async () => {
-                await logsDb.insert(connectionAuditLog).values(batch);
-            }, `flush connection log batch (${batch.length} records)`);
-        } catch (error) {
-            logger.error(
-                `Failed to flush connection log batch of ${batch.length} records:`,
-                error
-            );
-
-            // Re-queue the failed batch so it is retried on the next flush
-            buffer = [...batch, ...buffer];
-
-            // Cap buffer to prevent unbounded growth if DB is unreachable
-            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
-                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
-                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
-                logger.warn(
-                    `Connection log buffer overflow, dropped ${dropped} oldest records`
-                );
-            }
-
-            // Stop trying further batches from this snapshot — they'll be
-            // picked up by the next flush via the re-queued records above
-            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
-            if (remaining.length > 0) {
-                buffer = [...remaining, ...buffer];
-            }
-            break;
-        }
-    }
-}
-
-const flushTimer = setInterval(async () => {
-    try {
-        await flushConnectionLogToDb();
-    } catch (error) {
-        logger.error(
-            "Unexpected error during periodic connection log flush:",
-            error
-        );
-    }
-}, FLUSH_INTERVAL_MS);
-
-// Calling unref() means this timer will not keep the Node.js event loop alive
-// on its own — the process can still exit normally when there is no other work
-// left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
-// before process.exit(), so no data is lost.
-flushTimer.unref();
-
-export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
-    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
-
-    try {
-        await logsDb
-            .delete(connectionAuditLog)
-            .where(
-                and(
-                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
-                    eq(connectionAuditLog.orgId, orgId)
-                )
-            );
-
-        // logger.debug(
-        //     `Cleaned up connection audit logs older than ${retentionDays} days`
-        // );
-    } catch (error) {
-        logger.error("Error cleaning up old connection audit logs:", error);
-    }
-}
-
 export const handleConnectionLogMessage: MessageHandler = async (context) => {
     const { message, client } = context;
     const newt = client as Newt;
@@ -277,13 +113,16 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         return;
     }
 
-    logger.debug(`Sessions: ${JSON.stringify(sessions)}`)
+    logger.debug(`Sessions: ${JSON.stringify(sessions)}`);
 
     // Build a map from sourceAddr → { clientId, userId } by querying clients
     // whose subnet field matches exactly. Client subnets are stored with the
     // org's CIDR suffix (e.g. "100.90.128.5/16"), so we reconstruct that from
     // each unique sourceAddr + the org's CIDR suffix and do a targeted IN query.
-    const ipToClient = new Map<string, { clientId: number; userId: string | null }>();
+    const ipToClient = new Map<
+        string,
+        { clientId: number; userId: string | null }
+    >();
 
     if (cidrSuffix) {
         // Collect unique source addresses so we only query for what we need
@@ -296,13 +135,11 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
         if (uniqueSourceAddrs.size > 0) {
             // Construct the exact subnet strings as stored in the DB
-            const subnetQueries = Array.from(uniqueSourceAddrs).map(
-                (addr) => {
-                    // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
-                    const ip = addr.includes(":") ? addr.split(":")[0] : addr;
-                    return `${ip}${cidrSuffix}`;
-                }
-            );
+            const subnetQueries = Array.from(uniqueSourceAddrs).map((addr) => {
+                // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
+                const ip = addr.includes(":") ? addr.split(":")[0] : addr;
+                return `${ip}${cidrSuffix}`;
+            });
 
             logger.debug(`Subnet queries: ${JSON.stringify(subnetQueries)}`);
 
@@ -322,13 +159,18 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
 
             for (const c of matchedClients) {
                 const ip = c.subnet.split("/")[0];
-                logger.debug(`Client ${c.clientId} subnet ${c.subnet} matches ${ip}`);
-                ipToClient.set(ip, { clientId: c.clientId, userId: c.userId });
+                logger.debug(
+                    `Client ${c.clientId} subnet ${c.subnet} matches ${ip}`
+                );
+                ipToClient.set(ip, {
+                    clientId: c.clientId,
+                    userId: c.userId
+                });
             }
         }
     }
 
-    // Convert to DB records and add to the buffer
+    // Convert to DB records and hand off to the audit logger
     for (const session of sessions) {
         // Validate required fields
         if (
@@ -356,11 +198,12 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
         // client's IP on the WireGuard network, which corresponds to the IP
         // portion of the client's subnet CIDR (e.g. "100.90.128.5/24").
         // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
-        const sourceIp = session.sourceAddr.includes(":") ? session.sourceAddr.split(":")[0] : session.sourceAddr;
+        const sourceIp = session.sourceAddr.includes(":")
+            ? session.sourceAddr.split(":")[0]
+            : session.sourceAddr;
         const clientInfo = ipToClient.get(sourceIp) ?? null;
 
-
-        buffer.push({
+        logConnectionAudit({
             sessionId: session.sessionId,
             siteResourceId: session.resourceId,
             orgId,
@@ -380,15 +223,4 @@ export const handleConnectionLogMessage: MessageHandler = async (context) => {
     logger.debug(
         `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
     );
-
-    // If the buffer has grown large enough, trigger an immediate flush
-    if (buffer.length >= MAX_BUFFERED_RECORDS) {
-        // Fire and forget — errors are handled inside flushConnectionLogToDb
-        flushConnectionLogToDb().catch((error) => {
-            logger.error(
-                "Unexpected error during size-triggered connection log flush:",
-                error
-            );
-        });
-    }
 };

From 3dc258da16c0dd05e2f0f53d5495769400b4f17b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 12:22:37 -0700
Subject: [PATCH 098/122] Log streaming manager pass 1

---
 server/db/pg/schema/privateSchema.ts          |  28 +-
 server/db/sqlite/schema/privateSchema.ts      |  27 +-
 server/private/cleanup.ts                     |   2 +
 .../lib/logStreaming/LogStreamingManager.ts   | 626 ++++++++++++++++++
 server/private/lib/logStreaming/index.ts      |  31 +
 .../providers/HttpLogDestination.ts           | 260 ++++++++
 .../providers/LogDestinationProvider.ts       |  44 ++
 server/private/lib/logStreaming/types.ts      | 115 ++++
 8 files changed, 1131 insertions(+), 2 deletions(-)
 create mode 100644 server/private/lib/logStreaming/LogStreamingManager.ts
 create mode 100644 server/private/lib/logStreaming/index.ts
 create mode 100644 server/private/lib/logStreaming/providers/HttpLogDestination.ts
 create mode 100644 server/private/lib/logStreaming/providers/LogDestinationProvider.ts
 create mode 100644 server/private/lib/logStreaming/types.ts

diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index 1b031636f..ed6301437 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -8,7 +8,8 @@ import {
     real,
     text,
     index,
-    primaryKey
+    primaryKey,
+    uniqueIndex
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import {
@@ -470,3 +471,28 @@ export type SiteProvisioningKeyOrg = InferSelectModel<
 export type EventStreamingDestination = InferSelectModel<
     typeof eventStreamingDestinations
 >;
+
+export const eventStreamingCursors = pgTable(
+    "eventStreamingCursors",
+    {
+        cursorId: serial("cursorId").primaryKey(),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
+        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;
diff --git a/server/db/sqlite/schema/privateSchema.ts b/server/db/sqlite/schema/privateSchema.ts
index 9bb994266..c1aa084a2 100644
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -5,7 +5,8 @@ import {
     primaryKey,
     real,
     sqliteTable,
-    text
+    text,
+    uniqueIndex
 } from "drizzle-orm/sqlite-core";
 import {
     clients,
@@ -433,6 +434,27 @@ export const eventStreamingDestinations = sqliteTable(
     }
 );
 
+export const eventStreamingCursors = sqliteTable(
+    "eventStreamingCursors",
+    {
+        cursorId: integer("cursorId").primaryKey({ autoIncrement: true }),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: text("logType").notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: integer("lastSentId").notNull().default(0),
+        lastSentAt: integer("lastSentAt") // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -461,3 +483,6 @@ export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
 export type EventStreamingDestination = InferSelectModel<
     typeof eventStreamingDestinations
 >;
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;
diff --git a/server/private/cleanup.ts b/server/private/cleanup.ts
index f8032eb3b..af4238721 100644
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -12,6 +12,7 @@
  */
 
 import { rateLimitService } from "#private/lib/rateLimit";
+import { logStreamingManager } from "#private/lib/logStreaming";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#private/routers/newt";
@@ -25,6 +26,7 @@ async function cleanup() {
     await flushSiteBandwidthToDb();
     await rateLimitService.cleanup();
     await wsCleanup();
+    await logStreamingManager.shutdown();
 
     process.exit(0);
 }
diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
new file mode 100644
index 000000000..131cc8de0
--- /dev/null
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -0,0 +1,626 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    db,
+    logsDb,
+    eventStreamingDestinations,
+    eventStreamingCursors,
+    requestAuditLog,
+    actionAuditLog,
+    accessAuditLog,
+    connectionAuditLog
+} from "@server/db";
+import logger from "@server/logger";
+import { and, eq, gt, desc, max, sql } from "drizzle-orm";
+import {
+    LogType,
+    LOG_TYPES,
+    LogEvent,
+    DestinationFailureState,
+    HttpConfig
+} from "./types";
+import { LogDestinationProvider } from "./providers/LogDestinationProvider";
+import { HttpLogDestination } from "./providers/HttpLogDestination";
+import type { EventStreamingDestination } from "@server/db";
+
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+
+/**
+ * How often (ms) the manager polls all destinations for new log records.
+ * Destinations that were behind (full batch returned) will be re-polled
+ * immediately without waiting for this interval.
+ */
+const POLL_INTERVAL_MS = 30_000;
+
+/**
+ * Maximum number of log records fetched from the DB in a single query.
+ * This also controls the maximum size of one HTTP POST body.
+ */
+const BATCH_SIZE = 250;
+
+/**
+ * Minimum delay (ms) between consecutive HTTP requests to the same destination
+ * during a catch-up run.  Prevents bursting thousands of requests back-to-back
+ * when a destination has fallen behind.
+ */
+const INTER_BATCH_DELAY_MS = 100;
+
+/**
+ * Maximum number of consecutive back-to-back batches to process for a single
+ * destination per poll cycle.  After this limit the destination will wait for
+ * the next scheduled poll before continuing, giving other destinations a turn.
+ */
+const MAX_CATCHUP_BATCHES = 20;
+
+/**
+ * Back-off schedule (ms) indexed by consecutive failure count.
+ * After the last entry the max value is re-used.
+ */
+const BACKOFF_SCHEDULE_MS = [
+    60_000,       // 1 min   (failure 1)
+    2 * 60_000,   // 2 min   (failure 2)
+    5 * 60_000,   // 5 min   (failure 3)
+    10 * 60_000,  // 10 min  (failure 4)
+    30 * 60_000   // 30 min  (failure 5+)
+];
+
+// ---------------------------------------------------------------------------
+// LogStreamingManager
+// ---------------------------------------------------------------------------
+
+/**
+ * Orchestrates periodic polling of the four audit-log tables and forwards new
+ * records to every enabled event-streaming destination.
+ *
+ * ### Design
+ * - **Interval-based**: a timer fires every `POLL_INTERVAL_MS`.  On each tick
+ *   every enabled destination is processed in sequence.
+ * - **Cursor-based**: the last successfully forwarded row `id` is persisted in
+ *   the `eventStreamingCursors` table so state survives restarts.
+ * - **Catch-up**: if a full batch is returned the destination is immediately
+ *   re-queried (up to `MAX_CATCHUP_BATCHES` times) before yielding.
+ * - **Smoothing**: `INTER_BATCH_DELAY_MS` is inserted between consecutive
+ *   catch-up batches to avoid hammering the remote endpoint.
+ * - **Back-off**: consecutive send failures trigger exponential back-off
+ *   (tracked in-memory per destination).  Successful sends reset the counter.
+ */
+export class LogStreamingManager {
+    private pollTimer: ReturnType<typeof setTimeout> | null = null;
+    private isRunning = false;
+    private isPolling = false;
+
+    /** In-memory back-off state keyed by destinationId. */
+    private readonly failures = new Map<number, DestinationFailureState>();
+
+    // -------------------------------------------------------------------------
+    // Lifecycle
+    // -------------------------------------------------------------------------
+
+    start(): void {
+        if (this.isRunning) return;
+        this.isRunning = true;
+        logger.info("LogStreamingManager: started");
+        this.schedulePoll(POLL_INTERVAL_MS);
+    }
+
+    async shutdown(): Promise<void> {
+        this.isRunning = false;
+        if (this.pollTimer !== null) {
+            clearTimeout(this.pollTimer);
+            this.pollTimer = null;
+        }
+        // Wait for any in-progress poll to finish before returning so that
+        // callers (graceful-shutdown handlers) can safely exit afterward.
+        const deadline = Date.now() + 15_000;
+        while (this.isPolling && Date.now() < deadline) {
+            await sleep(100);
+        }
+        logger.info("LogStreamingManager: stopped");
+    }
+
+    // -------------------------------------------------------------------------
+    // Scheduling
+    // -------------------------------------------------------------------------
+
+    private schedulePoll(delayMs: number): void {
+        this.pollTimer = setTimeout(() => {
+            this.pollTimer = null;
+            this.runPoll()
+                .catch((err) =>
+                    logger.error("LogStreamingManager: unexpected poll error", err)
+                )
+                .finally(() => {
+                    if (this.isRunning) {
+                        this.schedulePoll(POLL_INTERVAL_MS);
+                    }
+                });
+        }, delayMs);
+
+        // Do not keep the event loop alive just for the poll timer – the
+        // graceful-shutdown path calls shutdown() explicitly.
+        this.pollTimer.unref?.();
+    }
+
+    // -------------------------------------------------------------------------
+    // Poll cycle
+    // -------------------------------------------------------------------------
+
+    private async runPoll(): Promise<void> {
+        if (this.isPolling) return; // previous poll still running – skip
+        this.isPolling = true;
+
+        try {
+            const destinations = await this.loadEnabledDestinations();
+            if (destinations.length === 0) return;
+
+            for (const dest of destinations) {
+                if (!this.isRunning) break;
+                await this.processDestination(dest).catch((err) => {
+                    // Individual destination errors must never abort the whole cycle
+                    logger.error(
+                        `LogStreamingManager: unhandled error for destination ${dest.destinationId}`,
+                        err
+                    );
+                });
+            }
+        } finally {
+            this.isPolling = false;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Per-destination processing
+    // -------------------------------------------------------------------------
+
+    private async processDestination(
+        dest: EventStreamingDestination
+    ): Promise<void> {
+        // Check back-off
+        const failState = this.failures.get(dest.destinationId);
+        if (failState && Date.now() < failState.nextRetryAt) {
+            logger.debug(
+                `LogStreamingManager: destination ${dest.destinationId} in back-off, skipping`
+            );
+            return;
+        }
+
+        // Parse config – skip destination if config is unparseable
+        let config: HttpConfig;
+        try {
+            config = JSON.parse(dest.config) as HttpConfig;
+        } catch (err) {
+            logger.error(
+                `LogStreamingManager: destination ${dest.destinationId} has invalid JSON config`,
+                err
+            );
+            return;
+        }
+
+        const provider = this.createProvider(dest.type, config);
+        if (!provider) {
+            logger.warn(
+                `LogStreamingManager: unsupported destination type "${dest.type}" ` +
+                    `for destination ${dest.destinationId} – skipping`
+            );
+            return;
+        }
+
+        const enabledTypes: LogType[] = [];
+        if (dest.sendRequestLogs) enabledTypes.push("request");
+        if (dest.sendActionLogs) enabledTypes.push("action");
+        if (dest.sendAccessLogs) enabledTypes.push("access");
+        if (dest.sendConnectionLogs) enabledTypes.push("connection");
+
+        if (enabledTypes.length === 0) return;
+
+        let anyFailure = false;
+
+        for (const logType of enabledTypes) {
+            if (!this.isRunning) break;
+            try {
+                await this.processLogType(dest, provider, logType);
+            } catch (err) {
+                anyFailure = true;
+                logger.error(
+                    `LogStreamingManager: failed to process "${logType}" logs ` +
+                        `for destination ${dest.destinationId}`,
+                    err
+                );
+            }
+        }
+
+        if (anyFailure) {
+            this.recordFailure(dest.destinationId);
+        } else {
+            // Any success resets the failure/back-off state
+            if (this.failures.has(dest.destinationId)) {
+                this.failures.delete(dest.destinationId);
+                logger.info(
+                    `LogStreamingManager: destination ${dest.destinationId} recovered`
+                );
+            }
+        }
+    }
+
+    /**
+     * Forward all pending log records of a specific type for a destination.
+     *
+     * Fetches up to `BATCH_SIZE` records at a time.  If the batch is full
+     * (indicating more records may exist) it loops immediately, inserting a
+     * short delay between consecutive requests to the remote endpoint.
+     * The loop is capped at `MAX_CATCHUP_BATCHES` to keep the poll cycle
+     * bounded.
+     */
+    private async processLogType(
+        dest: EventStreamingDestination,
+        provider: LogDestinationProvider,
+        logType: LogType
+    ): Promise<void> {
+        // Ensure a cursor row exists (creates one pointing at the current max
+        // id so we do not replay historical logs on first run)
+        const cursor = await this.getOrCreateCursor(
+            dest.destinationId,
+            logType,
+            dest.orgId
+        );
+
+        let lastSentId = cursor.lastSentId;
+        let batchCount = 0;
+
+        while (batchCount < MAX_CATCHUP_BATCHES) {
+            const rows = await this.fetchLogs(
+                logType,
+                dest.orgId,
+                lastSentId,
+                BATCH_SIZE
+            );
+
+            if (rows.length === 0) break;
+
+            const events = rows.map((row) =>
+                this.rowToLogEvent(logType, row)
+            );
+
+            // Throws on failure – caught by the caller which applies back-off
+            await provider.send(events);
+
+            lastSentId = rows[rows.length - 1].id;
+            await this.updateCursor(dest.destinationId, logType, lastSentId);
+
+            batchCount++;
+
+            if (rows.length < BATCH_SIZE) {
+                // Partial batch means we have caught up
+                break;
+            }
+
+            // Full batch – there are likely more records; pause briefly before
+            // fetching the next batch to smooth out the HTTP request rate
+            if (batchCount < MAX_CATCHUP_BATCHES) {
+                await sleep(INTER_BATCH_DELAY_MS);
+            }
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Cursor management
+    // -------------------------------------------------------------------------
+
+    private async getOrCreateCursor(
+        destinationId: number,
+        logType: LogType,
+        orgId: string
+    ): Promise<{ lastSentId: number }> {
+        // Try to read an existing cursor
+        const existing = await db
+            .select({
+                lastSentId: eventStreamingCursors.lastSentId
+            })
+            .from(eventStreamingCursors)
+            .where(
+                and(
+                    eq(eventStreamingCursors.destinationId, destinationId),
+                    eq(eventStreamingCursors.logType, logType)
+                )
+            )
+            .limit(1);
+
+        if (existing.length > 0) {
+            return { lastSentId: existing[0].lastSentId };
+        }
+
+        // No cursor yet – initialise at the current maximum id of the log
+        // table for this org so we only forward *new* events going forward.
+        const initialId = await this.getCurrentMaxId(logType, orgId);
+
+        await db.insert(eventStreamingCursors).values({
+            destinationId,
+            logType,
+            lastSentId: initialId,
+            lastSentAt: null
+        });
+
+        logger.debug(
+            `LogStreamingManager: initialised cursor for destination ${destinationId} ` +
+                `logType="${logType}" at id=${initialId}`
+        );
+
+        return { lastSentId: initialId };
+    }
+
+    private async updateCursor(
+        destinationId: number,
+        logType: LogType,
+        lastSentId: number
+    ): Promise<void> {
+        await db
+            .update(eventStreamingCursors)
+            .set({
+                lastSentId,
+                lastSentAt: Date.now()
+            })
+            .where(
+                and(
+                    eq(eventStreamingCursors.destinationId, destinationId),
+                    eq(eventStreamingCursors.logType, logType)
+                )
+            );
+    }
+
+    /**
+     * Returns the current maximum `id` in the given log table for the org.
+     * Returns 0 when the table is empty.
+     */
+    private async getCurrentMaxId(
+        logType: LogType,
+        orgId: string
+    ): Promise<number> {
+        try {
+            switch (logType) {
+                case "request": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(requestAuditLog.id) })
+                        .from(requestAuditLog)
+                        .where(eq(requestAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "action": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(actionAuditLog.id) })
+                        .from(actionAuditLog)
+                        .where(eq(actionAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "access": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(accessAuditLog.id) })
+                        .from(accessAuditLog)
+                        .where(eq(accessAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "connection": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(connectionAuditLog.id) })
+                        .from(connectionAuditLog)
+                        .where(eq(connectionAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+            }
+        } catch (err) {
+            logger.warn(
+                `LogStreamingManager: could not determine current max id for ` +
+                    `logType="${logType}", defaulting to 0`,
+                err
+            );
+            return 0;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Log fetching
+    // -------------------------------------------------------------------------
+
+    /**
+     * Fetch up to `limit` log rows with `id > afterId`, ordered by id ASC,
+     * filtered to the given organisation.
+     */
+    private async fetchLogs(
+        logType: LogType,
+        orgId: string,
+        afterId: number,
+        limit: number
+    ): Promise<Array<Record<string, unknown> & { id: number }>> {
+        switch (logType) {
+            case "request":
+                return (await logsDb
+                    .select()
+                    .from(requestAuditLog)
+                    .where(
+                        and(
+                            eq(requestAuditLog.orgId, orgId),
+                            gt(requestAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(requestAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "action":
+                return (await logsDb
+                    .select()
+                    .from(actionAuditLog)
+                    .where(
+                        and(
+                            eq(actionAuditLog.orgId, orgId),
+                            gt(actionAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(actionAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "access":
+                return (await logsDb
+                    .select()
+                    .from(accessAuditLog)
+                    .where(
+                        and(
+                            eq(accessAuditLog.orgId, orgId),
+                            gt(accessAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(accessAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "connection":
+                return (await logsDb
+                    .select()
+                    .from(connectionAuditLog)
+                    .where(
+                        and(
+                            eq(connectionAuditLog.orgId, orgId),
+                            gt(connectionAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(connectionAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Row → LogEvent conversion
+    // -------------------------------------------------------------------------
+
+    private rowToLogEvent(
+        logType: LogType,
+        row: Record<string, unknown> & { id: number }
+    ): LogEvent {
+        // Determine the epoch-seconds timestamp for this row type
+        let timestamp: number;
+        switch (logType) {
+            case "request":
+            case "action":
+            case "access":
+                timestamp =
+                    typeof row.timestamp === "number" ? row.timestamp : 0;
+                break;
+            case "connection":
+                timestamp =
+                    typeof row.startedAt === "number" ? row.startedAt : 0;
+                break;
+        }
+
+        const orgId =
+            typeof row.orgId === "string" ? row.orgId : "";
+
+        return {
+            id: row.id,
+            logType,
+            orgId,
+            timestamp,
+            data: row as Record<string, unknown>
+        };
+    }
+
+    // -------------------------------------------------------------------------
+    // Provider factory
+    // -------------------------------------------------------------------------
+
+    /**
+     * Instantiate the correct LogDestinationProvider for the given destination
+     * type string.  Returns `null` for unknown types.
+     *
+     * To add a new provider:
+     *  1. Implement `LogDestinationProvider` in a new file under `providers/`
+     *  2. Add a `case` here
+     */
+    private createProvider(
+        type: string,
+        config: unknown
+    ): LogDestinationProvider | null {
+        switch (type) {
+            case "http":
+                return new HttpLogDestination(config as HttpConfig);
+            // Future providers:
+            // case "datadog": return new DatadogLogDestination(config as DatadogConfig);
+            default:
+                return null;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Back-off tracking
+    // -------------------------------------------------------------------------
+
+    private recordFailure(destinationId: number): void {
+        const current = this.failures.get(destinationId) ?? {
+            consecutiveFailures: 0,
+            nextRetryAt: 0
+        };
+
+        current.consecutiveFailures += 1;
+
+        const scheduleIdx = Math.min(
+            current.consecutiveFailures - 1,
+            BACKOFF_SCHEDULE_MS.length - 1
+        );
+        const backoffMs = BACKOFF_SCHEDULE_MS[scheduleIdx];
+        current.nextRetryAt = Date.now() + backoffMs;
+
+        this.failures.set(destinationId, current);
+
+        logger.warn(
+            `LogStreamingManager: destination ${destinationId} failed ` +
+                `(consecutive #${current.consecutiveFailures}), ` +
+                `backing off for ${backoffMs / 1000}s`
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // DB helpers
+    // -------------------------------------------------------------------------
+
+    private async loadEnabledDestinations(): Promise<
+        EventStreamingDestination[]
+    > {
+        try {
+            return await db
+                .select()
+                .from(eventStreamingDestinations)
+                .where(eq(eventStreamingDestinations.enabled, true));
+        } catch (err) {
+            logger.error(
+                "LogStreamingManager: failed to load destinations",
+                err
+            );
+            return [];
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function sleep(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/index.ts b/server/private/lib/logStreaming/index.ts
new file mode 100644
index 000000000..a4b8c569a
--- /dev/null
+++ b/server/private/lib/logStreaming/index.ts
@@ -0,0 +1,31 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { LogStreamingManager } from "./LogStreamingManager";
+
+/**
+ * Module-level singleton.  Importing this module is sufficient to start the
+ * streaming manager – no explicit init call required by the caller.
+ *
+ * The manager registers a non-blocking timer (unref'd) so it will not keep
+ * the Node.js event loop alive on its own.  Call `logStreamingManager.shutdown()`
+ * during graceful shutdown to drain any in-progress poll and release resources.
+ */
+export const logStreamingManager = new LogStreamingManager();
+
+logStreamingManager.start();
+
+export { LogStreamingManager } from "./LogStreamingManager";
+export type { LogDestinationProvider } from "./providers/LogDestinationProvider";
+export { HttpLogDestination } from "./providers/HttpLogDestination";
+export * from "./types";
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/providers/HttpLogDestination.ts b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
new file mode 100644
index 000000000..eac3c42e2
--- /dev/null
+++ b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
@@ -0,0 +1,260 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import { LogEvent, HttpConfig } from "../types";
+import { LogDestinationProvider } from "./LogDestinationProvider";
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+/** Maximum time (ms) to wait for a single HTTP response. */
+const REQUEST_TIMEOUT_MS = 30_000;
+
+// ---------------------------------------------------------------------------
+// HttpLogDestination
+// ---------------------------------------------------------------------------
+
+/**
+ * Forwards a batch of log events to an arbitrary HTTP endpoint via a single
+ * POST request per batch.
+ *
+ * **Payload format**
+ *
+ * Without a body template the payload is a JSON array, one object per event:
+ * ```json
+ * [
+ *   { "event": "request", "timestamp": "2024-01-01T00:00:00.000Z", "data": { … } },
+ *   …
+ * ]
+ * ```
+ *
+ * With a body template each event is rendered through the template and the
+ * resulting objects are wrapped in the same outer array.  Template placeholders:
+ *   - `{{event}}`     → the LogType string ("request", "action", etc.)
+ *   - `{{timestamp}}` → ISO-8601 UTC datetime string
+ *   - `{{data}}`      → raw inline JSON object  (**no surrounding quotes**)
+ *
+ * Example template:
+ * ```
+ * { "event": "{{event}}", "ts": "{{timestamp}}", "payload": {{data}} }
+ * ```
+ */
+export class HttpLogDestination implements LogDestinationProvider {
+    readonly type = "http";
+
+    private readonly config: HttpConfig;
+
+    constructor(config: HttpConfig) {
+        this.config = config;
+    }
+
+    // -----------------------------------------------------------------------
+    // LogDestinationProvider implementation
+    // -----------------------------------------------------------------------
+
+    async send(events: LogEvent[]): Promise<void> {
+        if (events.length === 0) return;
+
+        const headers = this.buildHeaders();
+        const payload = this.buildPayload(events);
+        const body = JSON.stringify(payload);
+
+        const controller = new AbortController();
+        const timeoutHandle = setTimeout(
+            () => controller.abort(),
+            REQUEST_TIMEOUT_MS
+        );
+
+        let response: Response;
+        try {
+            response = await fetch(this.config.url, {
+                method: "POST",
+                headers,
+                body,
+                signal: controller.signal
+            });
+        } catch (err: unknown) {
+            const isAbort =
+                err instanceof Error && err.name === "AbortError";
+            if (isAbort) {
+                throw new Error(
+                    `HttpLogDestination: request to "${this.config.url}" timed out after ${REQUEST_TIMEOUT_MS} ms`
+                );
+            }
+            const msg = err instanceof Error ? err.message : String(err);
+            throw new Error(
+                `HttpLogDestination: request to "${this.config.url}" failed – ${msg}`
+            );
+        } finally {
+            clearTimeout(timeoutHandle);
+        }
+
+        if (!response.ok) {
+            // Try to include a snippet of the response body in the error so
+            // operators can diagnose auth or schema rejections.
+            let responseSnippet = "";
+            try {
+                const text = await response.text();
+                responseSnippet = text.slice(0, 300);
+            } catch {
+                // ignore – best effort
+            }
+
+            throw new Error(
+                `HttpLogDestination: server at "${this.config.url}" returned ` +
+                    `HTTP ${response.status} ${response.statusText}` +
+                    (responseSnippet ? ` – ${responseSnippet}` : "")
+            );
+        }
+    }
+
+    // -----------------------------------------------------------------------
+    // Header construction
+    // -----------------------------------------------------------------------
+
+    private buildHeaders(): Record<string, string> {
+        const headers: Record<string, string> = {
+            "Content-Type": "application/json"
+        };
+
+        // Authentication
+        switch (this.config.authType) {
+            case "bearer": {
+                const token = this.config.bearerToken?.trim();
+                if (token) {
+                    headers["Authorization"] = `Bearer ${token}`;
+                }
+                break;
+            }
+            case "basic": {
+                const creds = this.config.basicCredentials?.trim();
+                if (creds) {
+                    const encoded = Buffer.from(creds).toString("base64");
+                    headers["Authorization"] = `Basic ${encoded}`;
+                }
+                break;
+            }
+            case "custom": {
+                const name = this.config.customHeaderName?.trim();
+                const value = this.config.customHeaderValue ?? "";
+                if (name) {
+                    headers[name] = value;
+                }
+                break;
+            }
+            case "none":
+            default:
+                // No Authorization header
+                break;
+        }
+
+        // Additional static headers (user-defined; may override Content-Type
+        // if the operator explicitly sets it, which is intentional).
+        for (const { key, value } of this.config.headers ?? []) {
+            const trimmedKey = key?.trim();
+            if (trimmedKey) {
+                headers[trimmedKey] = value ?? "";
+            }
+        }
+
+        return headers;
+    }
+
+    // -----------------------------------------------------------------------
+    // Payload construction
+    // -----------------------------------------------------------------------
+
+    /**
+     * Build the JSON-serialisable value that will be sent as the request body.
+     *
+     * - No template  → `Array<{ event, timestamp, data }>`
+     * - With template → `Array<parsed-template-result>`
+     */
+    private buildPayload(events: LogEvent[]): unknown {
+        if (this.config.useBodyTemplate && this.config.bodyTemplate?.trim()) {
+            return events.map((event) =>
+                this.renderTemplate(this.config.bodyTemplate!, event)
+            );
+        }
+
+        return events.map((event) => ({
+            event: event.logType,
+            timestamp: epochSecondsToIso(event.timestamp),
+            data: event.data
+        }));
+    }
+
+    /**
+     * Render a single event through the body template.
+     *
+     * The three placeholder tokens are replaced in a specific order to avoid
+     * accidental double-replacement:
+     *
+     *  1. `{{data}}`      → raw JSON (may contain `{{` characters in values)
+     *  2. `{{event}}`     → safe string
+     *  3. `{{timestamp}}` → safe ISO string
+     *
+     * If the rendered string is not valid JSON we fall back to returning it as
+     * a plain string so the batch still makes it out and the operator can
+     * inspect the template.
+     */
+    private renderTemplate(template: string, event: LogEvent): unknown {
+        const isoTimestamp = epochSecondsToIso(event.timestamp);
+        const dataJson = JSON.stringify(event.data);
+
+        // Replace {{data}} first because its JSON value might legitimately
+        // contain the substrings "{{event}}" or "{{timestamp}}" inside string
+        // fields – those should NOT be re-expanded.
+        const rendered = template
+            .replace(/\{\{data\}\}/g, dataJson)
+            .replace(/\{\{event\}\}/g, escapeJsonString(event.logType))
+            .replace(
+                /\{\{timestamp\}\}/g,
+                escapeJsonString(isoTimestamp)
+            );
+
+        try {
+            return JSON.parse(rendered);
+        } catch {
+            logger.warn(
+                `HttpLogDestination: body template produced invalid JSON for ` +
+                    `event type "${event.logType}" destined for "${this.config.url}". ` +
+                    `Sending rendered template as a raw string. ` +
+                    `Check your template syntax – specifically that {{data}} is ` +
+                    `NOT wrapped in quotes.`
+            );
+            return rendered;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function epochSecondsToIso(epochSeconds: number): string {
+    return new Date(epochSeconds * 1000).toISOString();
+}
+
+/**
+ * Escape a string value so it can be safely substituted into the interior of
+ * a JSON string literal (i.e. between existing `"` quotes in the template).
+ * This prevents a crafted logType or timestamp from breaking out of its
+ * string context in the rendered template.
+ */
+function escapeJsonString(value: string): string {
+    // JSON.stringify produces `"<escaped>"` – strip the outer quotes.
+    return JSON.stringify(value).slice(1, -1);
+}
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/providers/LogDestinationProvider.ts b/server/private/lib/logStreaming/providers/LogDestinationProvider.ts
new file mode 100644
index 000000000..d09be320b
--- /dev/null
+++ b/server/private/lib/logStreaming/providers/LogDestinationProvider.ts
@@ -0,0 +1,44 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { LogEvent } from "../types";
+
+/**
+ * Common interface that every log-forwarding backend must implement.
+ *
+ * Adding a new destination type (e.g. Datadog, Splunk, Kafka) is as simple as
+ * creating a class that satisfies this interface and registering it inside
+ * LogStreamingManager.createProvider().
+ */
+export interface LogDestinationProvider {
+    /**
+     * The string identifier that matches the `type` column in the
+     * `eventStreamingDestinations` table (e.g. "http", "datadog").
+     */
+    readonly type: string;
+
+    /**
+     * Forward a batch of log events to the destination.
+     *
+     * Implementations should:
+     *  - Treat the call as atomic: either all events are accepted or an error
+     *    is thrown so the caller can retry / back off.
+     *  - Respect the timeout contract expected by the manager (default 30 s).
+     *  - NOT swallow errors – the manager relies on thrown exceptions to track
+     *    failure state and apply exponential back-off.
+     *
+     * @param events  A non-empty array of normalised log events to forward.
+     * @throws        Any network, authentication, or serialisation error.
+     */
+    send(events: LogEvent[]): Promise<void>;
+}
\ No newline at end of file
diff --git a/server/private/lib/logStreaming/types.ts b/server/private/lib/logStreaming/types.ts
new file mode 100644
index 000000000..2bd25418d
--- /dev/null
+++ b/server/private/lib/logStreaming/types.ts
@@ -0,0 +1,115 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+// ---------------------------------------------------------------------------
+// Log type identifiers
+// ---------------------------------------------------------------------------
+
+export type LogType = "request" | "action" | "access" | "connection";
+
+export const LOG_TYPES: LogType[] = [
+    "request",
+    "action",
+    "access",
+    "connection"
+];
+
+// ---------------------------------------------------------------------------
+// A normalised event ready to be forwarded to a destination
+// ---------------------------------------------------------------------------
+
+export interface LogEvent {
+    /** The auto-increment primary key from the source table */
+    id: number;
+    /** Which log table this event came from */
+    logType: LogType;
+    /** The organisation that owns this event */
+    orgId: string;
+    /** Unix epoch seconds – taken from the record's own timestamp field */
+    timestamp: number;
+    /** Full row data from the source table, serialised as a plain object */
+    data: Record<string, unknown>;
+}
+
+// ---------------------------------------------------------------------------
+// A batch of events destined for a single streaming target
+// ---------------------------------------------------------------------------
+
+export interface LogBatch {
+    destinationId: number;
+    logType: LogType;
+    events: LogEvent[];
+}
+
+// ---------------------------------------------------------------------------
+// HTTP destination configuration (mirrors HttpConfig in the UI component)
+// ---------------------------------------------------------------------------
+
+export type AuthType = "none" | "bearer" | "basic" | "custom";
+
+export interface HttpConfig {
+    /** Human-readable label for the destination */
+    name: string;
+    /** Target URL that will receive POST requests */
+    url: string;
+    /** Authentication strategy to use */
+    authType: AuthType;
+    /** Used when authType === "bearer" */
+    bearerToken?: string;
+    /** Used when authType === "basic" – must be "username:password" */
+    basicCredentials?: string;
+    /** Used when authType === "custom" – header name */
+    customHeaderName?: string;
+    /** Used when authType === "custom" – header value */
+    customHeaderValue?: string;
+    /** Additional static headers appended to every request */
+    headers: Array<{ key: string; value: string }>;
+    /** Whether to render a custom body template instead of the default shape */
+    useBodyTemplate: boolean;
+    /**
+     * Handlebars-style template for the JSON body of each event.
+     *
+     * Supported placeholders:
+     *   {{event}}     – the LogType string ("request", "action", etc.)
+     *   {{timestamp}} – ISO-8601 UTC string derived from the event's timestamp
+     *   {{data}}      – raw JSON object (no surrounding quotes) of the full row
+     *
+     * Example:
+     *   { "event": "{{event}}", "ts": "{{timestamp}}", "payload": {{data}} }
+     */
+    bodyTemplate?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Per-destination per-log-type cursor (reflects the DB table)
+// ---------------------------------------------------------------------------
+
+export interface StreamingCursor {
+    destinationId: number;
+    logType: LogType;
+    /** The `id` of the last row that was successfully forwarded */
+    lastSentId: number;
+    /** Epoch milliseconds of the last successful send (or null if never sent) */
+    lastSentAt: number | null;
+}
+
+// ---------------------------------------------------------------------------
+// In-memory failure / back-off state tracked per destination
+// ---------------------------------------------------------------------------
+
+export interface DestinationFailureState {
+    /** How many consecutive send failures have occurred */
+    consecutiveFailures: number;
+    /** Date.now() value after which the destination may be retried */
+    nextRetryAt: number;
+}
\ No newline at end of file

From d155d7e31b84c06c8b6391095fe5da0bcd1dc742 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 12:26:31 -0700
Subject: [PATCH 099/122] Update formatting

---
 server/db/pg/schema/privateSchema.ts | 43 ++++++++++++++--------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/server/db/pg/schema/privateSchema.ts b/server/db/pg/schema/privateSchema.ts
index ed6301437..4122fb5b5 100644
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -437,6 +437,27 @@ export const eventStreamingDestinations = pgTable(
     }
 );
 
+export const eventStreamingCursors = pgTable(
+    "eventStreamingCursors",
+    {
+        cursorId: serial("cursorId").primaryKey(),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
+        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -471,28 +492,6 @@ export type SiteProvisioningKeyOrg = InferSelectModel<
 export type EventStreamingDestination = InferSelectModel<
     typeof eventStreamingDestinations
 >;
-
-export const eventStreamingCursors = pgTable(
-    "eventStreamingCursors",
-    {
-        cursorId: serial("cursorId").primaryKey(),
-        destinationId: integer("destinationId")
-            .notNull()
-            .references(() => eventStreamingDestinations.destinationId, {
-                onDelete: "cascade"
-            }),
-        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
-        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
-        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
-    },
-    (table) => [
-        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
-            table.destinationId,
-            table.logType
-        )
-    ]
-);
-
 export type EventStreamingCursor = InferSelectModel<
     typeof eventStreamingCursors
 >;

From 2a1c290dffdaa213d37fd5a027658e3ad54202d1 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 31 Mar 2026 12:32:03 -0700
Subject: [PATCH 100/122] dont show identifier on create private resource

---
 src/components/InternalResourceForm.tsx | 28 +++++++++++++------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/components/InternalResourceForm.tsx b/src/components/InternalResourceForm.tsx
index 2de907079..50847a489 100644
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -566,19 +566,21 @@ export function InternalResourceForm({
                             </FormItem>
                         )}
                     />
-                    <FormField
-                        control={form.control}
-                        name="niceId"
-                        render={({ field }) => (
-                            <FormItem>
-                                <FormLabel>{t("identifier")}</FormLabel>
-                                <FormControl>
-                                    <Input {...field} />
-                                </FormControl>
-                                <FormMessage />
-                            </FormItem>
-                        )}
-                    />
+                    {variant === "edit" && (
+                        <FormField
+                            control={form.control}
+                            name="niceId"
+                            render={({ field }) => (
+                                <FormItem>
+                                    <FormLabel>{t("identifier")}</FormLabel>
+                                    <FormControl>
+                                        <Input {...field} />
+                                    </FormControl>
+                                    <FormMessage />
+                                </FormItem>
+                            )}
+                        />
+                    )}
                     <FormField
                         control={form.control}
                         name="siteId"

From a1e9396999657856c22a972e6fcd18ffc7ec9aa7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 13:47:32 -0700
Subject: [PATCH 101/122] Handle backlog better

---
 .../lib/logStreaming/LogStreamingManager.ts   | 171 ++++++++++++++++--
 server/private/lib/logStreaming/types.ts      |   2 +
 .../createEventStreamingDestination.ts        |  14 ++
 3 files changed, 175 insertions(+), 12 deletions(-)

diff --git a/server/private/lib/logStreaming/LogStreamingManager.ts b/server/private/lib/logStreaming/LogStreamingManager.ts
index 131cc8de0..04e35ad00 100644
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -77,6 +77,17 @@ const BACKOFF_SCHEDULE_MS = [
     30 * 60_000   // 30 min  (failure 5+)
 ];
 
+/**
+ * If a destination has been continuously unreachable for this long, its
+ * cursors are advanced to the current max row id and the backlog is silently
+ * discarded.  This prevents unbounded queue growth when a webhook endpoint is
+ * down for an extended period.  A prominent warning is logged so operators are
+ * aware logs were dropped.
+ *
+ * Default: 24 hours.
+ */
+const MAX_BACKLOG_DURATION_MS = 24 * 60 * 60_000;
+
 // ---------------------------------------------------------------------------
 // LogStreamingManager
 // ---------------------------------------------------------------------------
@@ -96,6 +107,10 @@ const BACKOFF_SCHEDULE_MS = [
  *   catch-up batches to avoid hammering the remote endpoint.
  * - **Back-off**: consecutive send failures trigger exponential back-off
  *   (tracked in-memory per destination).  Successful sends reset the counter.
+ * - **Backlog abandonment**: if a destination remains unreachable for longer
+ *   than `MAX_BACKLOG_DURATION_MS`, all cursors for that destination are
+ *   advanced to the current max id so the backlog is discarded and streaming
+ *   resumes from the present moment on recovery.
  */
 export class LogStreamingManager {
     private pollTimer: ReturnType<typeof setTimeout> | null = null;
@@ -116,6 +131,53 @@ export class LogStreamingManager {
         this.schedulePoll(POLL_INTERVAL_MS);
     }
 
+    // -------------------------------------------------------------------------
+    // Cursor initialisation (call this when a destination is first created)
+    // -------------------------------------------------------------------------
+
+    /**
+     * Eagerly seed cursors for every log type at the **current** max row id of
+     * each table, scoped to the destination's org.
+     *
+     * Call this immediately after inserting a new row into
+     * `eventStreamingDestinations` so the destination only receives events
+     * that were written *after* it was created.  If a cursor row already exists
+     * (e.g. the method is called twice) it is left untouched.
+     *
+     * The manager also has a lazy fallback inside `getOrCreateCursor` for
+     * destinations that existed before this method was introduced.
+     */
+    async initializeCursorsForDestination(
+        destinationId: number,
+        orgId: string
+    ): Promise<void> {
+        for (const logType of LOG_TYPES) {
+            const currentMaxId = await this.getCurrentMaxId(logType, orgId);
+            try {
+                await db
+                    .insert(eventStreamingCursors)
+                    .values({
+                        destinationId,
+                        logType,
+                        lastSentId: currentMaxId,
+                        lastSentAt: null
+                    })
+                    .onConflictDoNothing();
+            } catch (err) {
+                logger.warn(
+                    `LogStreamingManager: could not initialise cursor for ` +
+                        `destination ${destinationId} logType="${logType}"`,
+                    err
+                );
+            }
+        }
+
+        logger.debug(
+            `LogStreamingManager: cursors initialised for destination ${destinationId} ` +
+                `(org=${orgId})`
+        );
+    }
+
     async shutdown(): Promise<void> {
         this.isRunning = false;
         if (this.pollTimer !== null) {
@@ -188,8 +250,21 @@ export class LogStreamingManager {
     private async processDestination(
         dest: EventStreamingDestination
     ): Promise<void> {
-        // Check back-off
         const failState = this.failures.get(dest.destinationId);
+
+        // Check whether this destination has been unreachable long enough that
+        // we should give up on the accumulated backlog.
+        if (failState) {
+            const failingForMs = Date.now() - failState.firstFailedAt;
+            if (failingForMs >= MAX_BACKLOG_DURATION_MS) {
+                await this.abandonBacklog(dest, failState);
+                this.failures.delete(dest.destinationId);
+                // Cursors now point to the current head – retry on next poll.
+                return;
+            }
+        }
+
+        // Check regular exponential back-off window
         if (failState && Date.now() < failState.nextRetryAt) {
             logger.debug(
                 `LogStreamingManager: destination ${dest.destinationId} in back-off, skipping`
@@ -255,6 +330,69 @@ export class LogStreamingManager {
         }
     }
 
+    /**
+     * Advance every cursor for the destination to the current max row id,
+     * effectively discarding the accumulated backlog.  Called when the
+     * destination has been unreachable for longer than MAX_BACKLOG_DURATION_MS.
+     */
+    private async abandonBacklog(
+        dest: EventStreamingDestination,
+        failState: DestinationFailureState
+    ): Promise<void> {
+        const failingForHours = (
+            (Date.now() - failState.firstFailedAt) /
+            3_600_000
+        ).toFixed(1);
+
+        let totalDropped = 0;
+
+        for (const logType of LOG_TYPES) {
+            try {
+                const currentMaxId = await this.getCurrentMaxId(
+                    logType,
+                    dest.orgId
+                );
+
+                // Find out how many rows are being skipped for this type
+                const cursor = await db
+                    .select({ lastSentId: eventStreamingCursors.lastSentId })
+                    .from(eventStreamingCursors)
+                    .where(
+                        and(
+                            eq(eventStreamingCursors.destinationId, dest.destinationId),
+                            eq(eventStreamingCursors.logType, logType)
+                        )
+                    )
+                    .limit(1);
+
+                const prevId = cursor[0]?.lastSentId ?? currentMaxId;
+                totalDropped += Math.max(0, currentMaxId - prevId);
+
+                await this.updateCursor(
+                    dest.destinationId,
+                    logType,
+                    currentMaxId
+                );
+            } catch (err) {
+                logger.error(
+                    `LogStreamingManager: failed to advance cursor for ` +
+                        `destination ${dest.destinationId} logType="${logType}" ` +
+                        `during backlog abandonment`,
+                    err
+                );
+            }
+        }
+
+        logger.warn(
+            `LogStreamingManager: destination ${dest.destinationId} has been ` +
+                `unreachable for ${failingForHours}h ` +
+                `(${failState.consecutiveFailures} consecutive failures). ` +
+                `Discarding backlog of ~${totalDropped} log event(s) and ` +
+                `resuming from the current position. ` +
+                `Verify the destination URL and credentials.`
+        );
+    }
+
     /**
      * Forward all pending log records of a specific type for a destination.
      *
@@ -342,20 +480,27 @@ export class LogStreamingManager {
             return { lastSentId: existing[0].lastSentId };
         }
 
-        // No cursor yet – initialise at the current maximum id of the log
-        // table for this org so we only forward *new* events going forward.
+        // No cursor yet – this destination pre-dates the eager initialisation
+        // path (initializeCursorsForDestination).  Seed at the current max id
+        // so we do not replay historical logs.
         const initialId = await this.getCurrentMaxId(logType, orgId);
 
-        await db.insert(eventStreamingCursors).values({
-            destinationId,
-            logType,
-            lastSentId: initialId,
-            lastSentAt: null
-        });
+        // Use onConflictDoNothing in case of a rare race between two poll
+        // cycles both hitting this branch simultaneously.
+        await db
+            .insert(eventStreamingCursors)
+            .values({
+                destinationId,
+                logType,
+                lastSentId: initialId,
+                lastSentAt: null
+            })
+            .onConflictDoNothing();
 
         logger.debug(
-            `LogStreamingManager: initialised cursor for destination ${destinationId} ` +
-                `logType="${logType}" at id=${initialId}`
+            `LogStreamingManager: lazily initialised cursor for destination ${destinationId} ` +
+                `logType="${logType}" at id=${initialId} ` +
+                `(prefer initializeCursorsForDestination at creation time)`
         );
 
         return { lastSentId: initialId };
@@ -574,7 +719,9 @@ export class LogStreamingManager {
     private recordFailure(destinationId: number): void {
         const current = this.failures.get(destinationId) ?? {
             consecutiveFailures: 0,
-            nextRetryAt: 0
+            nextRetryAt: 0,
+            // Stamp the very first failure so we can measure total outage duration
+            firstFailedAt: Date.now()
         };
 
         current.consecutiveFailures += 1;
diff --git a/server/private/lib/logStreaming/types.ts b/server/private/lib/logStreaming/types.ts
index 2bd25418d..585adb2a2 100644
--- a/server/private/lib/logStreaming/types.ts
+++ b/server/private/lib/logStreaming/types.ts
@@ -112,4 +112,6 @@ export interface DestinationFailureState {
     consecutiveFailures: number;
     /** Date.now() value after which the destination may be retried */
     nextRetryAt: number;
+    /** Date.now() value of the very first failure in the current streak */
+    firstFailedAt: number;
 }
\ No newline at end of file
diff --git a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
index 1c9de788a..623f2d9e0 100644
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -15,6 +15,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
+import { logStreamingManager } from "#private/lib/logStreaming";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -106,6 +107,19 @@ export async function createEventStreamingDestination(
             })
             .returning();
 
+        // Seed cursors at the current max row id for every log type so this
+        // destination only receives events written *after* it was created.
+        // Fire-and-forget: a failure here is non-fatal; the manager has a lazy
+        // fallback that will seed at the next poll if these rows are missing.
+        logStreamingManager
+            .initializeCursorsForDestination(destination.destinationId, orgId)
+            .catch((err) =>
+                logger.error(
+                    "createEventStreamingDestination: failed to initialise streaming cursors",
+                    err
+                )
+            );
+
         return response<CreateEventStreamingDestinationResponse>(res, {
             data: {
                 destinationId: destination.destinationId

From fe30bb280e5d80ca66f915b45a5a0c25b501df3a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:04:58 -0700
Subject: [PATCH 102/122] Add option for how to batch

---
 .../providers/HttpLogDestination.ts           | 118 +++++++++++++-----
 server/private/lib/logStreaming/types.ts      |  17 +++
 src/components/HttpDestinationCredenza.tsx    | 111 +++++++++++++++-
 3 files changed, 215 insertions(+), 31 deletions(-)

diff --git a/server/private/lib/logStreaming/providers/HttpLogDestination.ts b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
index eac3c42e2..5e149f814 100644
--- a/server/private/lib/logStreaming/providers/HttpLogDestination.ts
+++ b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
@@ -12,7 +12,7 @@
  */
 
 import logger from "@server/logger";
-import { LogEvent, HttpConfig } from "../types";
+import { LogEvent, HttpConfig, PayloadFormat } from "../types";
 import { LogDestinationProvider } from "./LogDestinationProvider";
 
 // ---------------------------------------------------------------------------
@@ -22,6 +22,9 @@ import { LogDestinationProvider } from "./LogDestinationProvider";
 /** Maximum time (ms) to wait for a single HTTP response. */
 const REQUEST_TIMEOUT_MS = 30_000;
 
+/** Default payload format when none is specified in the config. */
+const DEFAULT_FORMAT: PayloadFormat = "json_array";
+
 // ---------------------------------------------------------------------------
 // HttpLogDestination
 // ---------------------------------------------------------------------------
@@ -32,16 +35,31 @@ const REQUEST_TIMEOUT_MS = 30_000;
  *
  * **Payload format**
  *
- * Without a body template the payload is a JSON array, one object per event:
- * ```json
- * [
- *   { "event": "request", "timestamp": "2024-01-01T00:00:00.000Z", "data": { … } },
- *   …
- * ]
- * ```
+ * **Payload formats** (controlled by `config.format`):
  *
- * With a body template each event is rendered through the template and the
- * resulting objects are wrapped in the same outer array.  Template placeholders:
+ * - `json_array` (default) — one POST per batch, body is a JSON array:
+ *   ```json
+ *   [
+ *     { "event": "request", "timestamp": "2024-01-01T00:00:00.000Z", "data": { … } },
+ *     …
+ *   ]
+ *   ```
+ *   `Content-Type: application/json`
+ *
+ * - `ndjson` — one POST per batch, body is newline-delimited JSON (one object
+ *   per line, no outer array).  Required by Splunk HEC, Elastic/OpenSearch,
+ *   and Grafana Loki:
+ *   ```
+ *   {"event":"request","timestamp":"…","data":{…}}
+ *   {"event":"action","timestamp":"…","data":{…}}
+ *   ```
+ *   `Content-Type: application/x-ndjson`
+ *
+ * - `json_single` — one POST **per event**, body is a plain JSON object.
+ *   Use only for endpoints that cannot handle batches at all.
+ *
+ * With a body template each event is rendered through the template before
+ * serialisation.  Template placeholders:
  *   - `{{event}}`     → the LogType string ("request", "action", etc.)
  *   - `{{timestamp}}` → ISO-8601 UTC datetime string
  *   - `{{data}}`      → raw inline JSON object  (**no surrounding quotes**)
@@ -67,9 +85,41 @@ export class HttpLogDestination implements LogDestinationProvider {
     async send(events: LogEvent[]): Promise<void> {
         if (events.length === 0) return;
 
-        const headers = this.buildHeaders();
-        const payload = this.buildPayload(events);
-        const body = JSON.stringify(payload);
+        const format = this.config.format ?? DEFAULT_FORMAT;
+
+        if (format === "json_single") {
+            // One HTTP POST per event – send sequentially so a failure on one
+            // event throws and lets the manager retry the whole batch from the
+            // same cursor position.
+            for (const event of events) {
+                await this.postRequest(
+                    this.buildSingleBody(event),
+                    "application/json"
+                );
+            }
+            return;
+        }
+
+        if (format === "ndjson") {
+            const body = this.buildNdjsonBody(events);
+            await this.postRequest(body, "application/x-ndjson");
+            return;
+        }
+
+        // json_array (default)
+        const body = JSON.stringify(this.buildArrayPayload(events));
+        await this.postRequest(body, "application/json");
+    }
+
+    // -----------------------------------------------------------------------
+    // Internal HTTP sender
+    // -----------------------------------------------------------------------
+
+    private async postRequest(
+        body: string,
+        contentType: string
+    ): Promise<void> {
+        const headers = this.buildHeaders(contentType);
 
         const controller = new AbortController();
         const timeoutHandle = setTimeout(
@@ -124,9 +174,9 @@ export class HttpLogDestination implements LogDestinationProvider {
     // Header construction
     // -----------------------------------------------------------------------
 
-    private buildHeaders(): Record<string, string> {
+    private buildHeaders(contentType: string): Record<string, string> {
         const headers: Record<string, string> = {
-            "Content-Type": "application/json"
+            "Content-Type": contentType
         };
 
         // Authentication
@@ -176,24 +226,36 @@ export class HttpLogDestination implements LogDestinationProvider {
     // Payload construction
     // -----------------------------------------------------------------------
 
-    /**
-     * Build the JSON-serialisable value that will be sent as the request body.
-     *
-     * - No template  → `Array<{ event, timestamp, data }>`
-     * - With template → `Array<parsed-template-result>`
-     */
-    private buildPayload(events: LogEvent[]): unknown {
+    /** Single default event object (no surrounding array). */
+    private buildEventObject(event: LogEvent): unknown {
         if (this.config.useBodyTemplate && this.config.bodyTemplate?.trim()) {
-            return events.map((event) =>
-                this.renderTemplate(this.config.bodyTemplate!, event)
-            );
+            return this.renderTemplate(this.config.bodyTemplate!, event);
         }
-
-        return events.map((event) => ({
+        return {
             event: event.logType,
             timestamp: epochSecondsToIso(event.timestamp),
             data: event.data
-        }));
+        };
+    }
+
+    /** JSON array payload – used for `json_array` format. */
+    private buildArrayPayload(events: LogEvent[]): unknown[] {
+        return events.map((e) => this.buildEventObject(e));
+    }
+
+    /**
+     * NDJSON payload – one JSON object per line, no outer array.
+     * Each line must be a complete, valid JSON object.
+     */
+    private buildNdjsonBody(events: LogEvent[]): string {
+        return events
+            .map((e) => JSON.stringify(this.buildEventObject(e)))
+            .join("\n");
+    }
+
+    /** Single-event body – used for `json_single` format. */
+    private buildSingleBody(event: LogEvent): string {
+        return JSON.stringify(this.buildEventObject(event));
     }
 
     /**
diff --git a/server/private/lib/logStreaming/types.ts b/server/private/lib/logStreaming/types.ts
index 585adb2a2..03fe88cad 100644
--- a/server/private/lib/logStreaming/types.ts
+++ b/server/private/lib/logStreaming/types.ts
@@ -57,6 +57,18 @@ export interface LogBatch {
 
 export type AuthType = "none" | "bearer" | "basic" | "custom";
 
+/**
+ * Controls how the batch of events is serialised into the HTTP request body.
+ *
+ * - `json_array`   – `[{…}, {…}]`  — default; one POST per batch wrapped in a
+ *                    JSON array.  Works with most generic webhooks and Datadog.
+ * - `ndjson`       – `{…}\n{…}`    — newline-delimited JSON, one object per
+ *                    line.  Required by Splunk HEC, Elastic/OpenSearch, Loki.
+ * - `json_single`  – one HTTP POST per event, body is a plain JSON object.
+ *                    Use only for endpoints that cannot handle batches at all.
+ */
+export type PayloadFormat = "json_array" | "ndjson" | "json_single";
+
 export interface HttpConfig {
     /** Human-readable label for the destination */
     name: string;
@@ -75,6 +87,11 @@ export interface HttpConfig {
     /** Additional static headers appended to every request */
     headers: Array<{ key: string; value: string }>;
     /** Whether to render a custom body template instead of the default shape */
+    /**
+     * How events are serialised into the request body.
+     * Defaults to `"json_array"` when absent.
+     */
+    format?: PayloadFormat;
     useBodyTemplate: boolean;
     /**
      * Handlebars-style template for the JSON body of each event.
diff --git a/src/components/HttpDestinationCredenza.tsx b/src/components/HttpDestinationCredenza.tsx
index 653b766b0..205c17c84 100644
--- a/src/components/HttpDestinationCredenza.tsx
+++ b/src/components/HttpDestinationCredenza.tsx
@@ -29,6 +29,8 @@ import { build } from "@server/build";
 
 export type AuthType = "none" | "bearer" | "basic" | "custom";
 
+export type PayloadFormat = "json_array" | "ndjson" | "json_single";
+
 export interface HttpConfig {
     name: string;
     url: string;
@@ -38,6 +40,7 @@ export interface HttpConfig {
     customHeaderName?: string;
     customHeaderValue?: string;
     headers: Array<{ key: string; value: string }>;
+    format: PayloadFormat;
     useBodyTemplate: boolean;
     bodyTemplate?: string;
 }
@@ -67,6 +70,7 @@ export const defaultHttpConfig = (): HttpConfig => ({
     customHeaderName: "",
     customHeaderValue: "",
     headers: [],
+    format: "json_array",
     useBodyTemplate: false,
     bodyTemplate: ""
 });
@@ -278,7 +282,7 @@ export function HttpDestinationCredenza({
                         items={[
                             { title: "Settings", href: "" },
                             { title: "Headers", href: "" },
-                            { title: "Body Template", href: "" },
+                            { title: "Body", href: "" },
                             { title: "Logs", href: "" }
                         ]}
                     >
@@ -539,7 +543,7 @@ export function HttpDestinationCredenza({
                             />
                         </div>
 
-                        {/* ── Body Template tab ─────────────────────────── */}
+                        {/* ── Body tab ─────────────────────────── */}
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
@@ -592,6 +596,107 @@ export function HttpDestinationCredenza({
                                     </p>
                                 </div>
                             )}
+
+                            {/* Payload Format */}
+                            <div className="space-y-3">
+                                <div>
+                                    <label className="font-medium block">
+                                        Payload Format
+                                    </label>
+                                    <p className="text-sm text-muted-foreground mt-0.5">
+                                        How events are serialised into each
+                                        request body.
+                                    </p>
+                                </div>
+
+                                <RadioGroup
+                                    value={cfg.format ?? "json_array"}
+                                    onValueChange={(v) =>
+                                        update({
+                                            format: v as PayloadFormat
+                                        })
+                                    }
+                                    className="gap-2"
+                                >
+                                    {/* JSON Array */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="json_array"
+                                            id="fmt-json-array"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="fmt-json-array"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                JSON Array
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                One request per batch, body is
+                                                a JSON array{" "}
+                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
+                                                    [{"{...}"}, {"{...}"}]
+                                                </code>
+                                                . Compatible with most generic
+                                                webhooks and Datadog.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* NDJSON */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="ndjson"
+                                            id="fmt-ndjson"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="fmt-ndjson"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                NDJSON
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                One request per batch, body is
+                                                newline-delimited JSON — one
+                                                object per line, no outer
+                                                array. Required by{" "}
+                                                <strong>Splunk HEC</strong>,{" "}
+                                                <strong>
+                                                    Elastic / OpenSearch
+                                                </strong>
+                                                , and{" "}
+                                                <strong>Grafana Loki</strong>.
+                                            </p>
+                                        </div>
+                                    </div>
+
+                                    {/* Single event per request */}
+                                    <div className="flex items-start gap-3 rounded-md border p-3 transition-colors">
+                                        <RadioGroupItem
+                                            value="json_single"
+                                            id="fmt-json-single"
+                                            className="mt-0.5"
+                                        />
+                                        <div>
+                                            <Label
+                                                htmlFor="fmt-json-single"
+                                                className="cursor-pointer font-medium"
+                                            >
+                                                One Event Per Request
+                                            </Label>
+                                            <p className="text-xs text-muted-foreground mt-0.5">
+                                                Sends a separate HTTP POST for
+                                                each individual event. Use only
+                                                for endpoints that cannot
+                                                handle batches.
+                                            </p>
+                                        </div>
+                                    </div>
+                                </RadioGroup>
+                            </div>
                         </div>
 
                         {/* ── Logs tab ──────────────────────────────────── */}
@@ -728,4 +833,4 @@ export function HttpDestinationCredenza({
             </CredenzaContent>
         </Credenza>
     );
-}
\ No newline at end of file
+}

From 9162ac6d910e164c9f4585862acbab470a9781e8 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:07:28 -0700
Subject: [PATCH 103/122] Add missing headers

---
 .../routers/newt/handleConnectionLogMessage.ts      | 13 +++++++++++++
 server/private/routers/newt/index.ts                | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/server/private/routers/newt/handleConnectionLogMessage.ts b/server/private/routers/newt/handleConnectionLogMessage.ts
index 00fb5dada..e980f85c9 100644
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { sites, Newt, clients, orgs } from "@server/db";
diff --git a/server/private/routers/newt/index.ts b/server/private/routers/newt/index.ts
index cc182cf7d..256d19cb7 100644
--- a/server/private/routers/newt/index.ts
+++ b/server/private/routers/newt/index.ts
@@ -1 +1,14 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 export * from "./handleConnectionLogMessage";

From 29b272f5d57f45700477beec8e2911573081db60 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:08:50 -0700
Subject: [PATCH 104/122] Restrict saas

---
 server/private/lib/logStreaming/index.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/server/private/lib/logStreaming/index.ts b/server/private/lib/logStreaming/index.ts
index a4b8c569a..619809771 100644
--- a/server/private/lib/logStreaming/index.ts
+++ b/server/private/lib/logStreaming/index.ts
@@ -11,6 +11,7 @@
  * This file is not licensed under the AGPLv3.
  */
 
+import { build } from "@server/build";
 import { LogStreamingManager } from "./LogStreamingManager";
 
 /**
@@ -23,9 +24,11 @@ import { LogStreamingManager } from "./LogStreamingManager";
  */
 export const logStreamingManager = new LogStreamingManager();
 
-logStreamingManager.start();
+if (build != "saas") { // this is handled separately in the saas build, so we don't want to start it here
+    logStreamingManager.start();
+}
 
 export { LogStreamingManager } from "./LogStreamingManager";
 export type { LogDestinationProvider } from "./providers/LogDestinationProvider";
 export { HttpLogDestination } from "./providers/HttpLogDestination";
-export * from "./types";
\ No newline at end of file
+export * from "./types";

From edfeec900dd23d2a6a27bef41815ea8e69829e8f Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:25:47 -0700
Subject: [PATCH 105/122] Define db type

---
 server/db/pg/driver.ts                    | 6 +++---
 server/db/sqlite/driver.ts                | 3 ++-
 server/routers/gerbil/receiveBandwidth.ts | 8 ++------
 3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/server/db/pg/driver.ts b/server/db/pg/driver.ts
index 9366e32e1..86a0c0352 100644
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -60,8 +60,7 @@ function createDb() {
             })
         );
     } else {
-        const maxReplicaConnections =
-            poolConfig?.max_replica_connections || 20;
+        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
             const replicaPool = createPool(
                 conn.connection_string,
@@ -91,4 +90,5 @@ export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
\ No newline at end of file
+>[0];
+export const DB_TYPE: "pg" | "sqlite" = "pg";
diff --git a/server/db/sqlite/driver.ts b/server/db/sqlite/driver.ts
index 9cbc8d7be..832ff16f9 100644
--- a/server/db/sqlite/driver.ts
+++ b/server/db/sqlite/driver.ts
@@ -23,7 +23,8 @@ export default db;
 export const primaryDb = db;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+    >[0];
+export const DB_TYPE: "pg" | "sqlite" = "sqlite";
 
 function checkFileExists(filePath: string): boolean {
     try {
diff --git a/server/routers/gerbil/receiveBandwidth.ts b/server/routers/gerbil/receiveBandwidth.ts
index 787b7b702..b4cce8c4e 100644
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { sql } from "drizzle-orm";
-import { db } from "@server/db";
+import { db, DB_TYPE } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
@@ -96,12 +96,8 @@ async function dbQueryRows<T extends Record<string, unknown>>(
     return (await anyDb.all(query)) as T[];
 }
 
-/**
- * Returns true when the active database driver is SQLite (better-sqlite3).
- * Used to select the appropriate bulk-update strategy.
- */
 function isSQLite(): boolean {
-    return typeof (db as any).execute !== "function";
+    return DB_TYPE == "sqlite";
 }
 
 /**

From 2cee723f0ec0f896fcb1a189901d02bf3e494cb7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:41:02 -0700
Subject: [PATCH 106/122] Handle online and offline for wireguard sites

---
 server/routers/newt/handleNewtPingMessage.ts | 62 +++++++++++++++++++-
 1 file changed, 59 insertions(+), 3 deletions(-)

diff --git a/server/routers/newt/handleNewtPingMessage.ts b/server/routers/newt/handleNewtPingMessage.ts
index da25852a0..c2c4e7762 100644
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -1,8 +1,11 @@
 import { db, newts, sites } from "@server/db";
-import { hasActiveConnections, getClientConfigVersion } from "#dynamic/routers/ws";
+import {
+    hasActiveConnections,
+    getClientConfigVersion
+} from "#dynamic/routers/ws";
 import { MessageHandler } from "@server/routers/ws";
 import { Newt } from "@server/db";
-import { eq, lt, isNull, and, or } from "drizzle-orm";
+import { eq, lt, isNull, and, or, ne, not } from "drizzle-orm";
 import logger from "@server/logger";
 import { sendNewtSyncMessage } from "./sync";
 import { recordPing } from "./pingAccumulator";
@@ -11,6 +14,7 @@ import { recordPing } from "./pingAccumulator";
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
 const OFFLINE_CHECK_INTERVAL = 30 * 1000; // Check every 30 seconds
 const OFFLINE_THRESHOLD_MS = 2 * 60 * 1000; // 2 minutes
+const OFFLINE_THRESHOLD_BANDWIDTH_MS = 8 * 60 * 1000; // 8 minutes
 
 /**
  * Starts the background interval that checks for newt sites that haven't
@@ -56,7 +60,9 @@ export const startNewtOfflineChecker = (): void => {
                 // Backward-compatibility check: if the newt still has an
                 // active WebSocket connection (older clients that don't send
                 // pings), keep the site online.
-                const isConnected = await hasActiveConnections(staleSite.newtId);
+                const isConnected = await hasActiveConnections(
+                    staleSite.newtId
+                );
                 if (isConnected) {
                     logger.debug(
                         `Newt ${staleSite.newtId} has not pinged recently but is still connected via WebSocket — keeping site ${staleSite.siteId} online`
@@ -73,6 +79,56 @@ export const startNewtOfflineChecker = (): void => {
                     .set({ online: false })
                     .where(eq(sites.siteId, staleSite.siteId));
             }
+
+            // this part only effects self hosted. Its not efficient but we dont expect people to have very many wireguard sites
+            // select all of the wireguard sites to evaluate if they need to be offline due to the last bandwidth update
+            const allWireguardSites = await db
+                .select({
+                    siteId: sites.siteId,
+                    online: sites.online,
+                    lastBandwidthUpdate: sites.lastBandwidthUpdate
+                })
+                .from(sites)
+                .where(
+                    and(
+                        eq(sites.type, "wireguard"),
+                        not(isNull(sites.lastBandwidthUpdate))
+                    )
+                );
+
+            const wireguardOfflineThreshold = Math.floor(
+                (Date.now() - OFFLINE_THRESHOLD_BANDWIDTH_MS) / 1000
+            );
+
+            // loop over each one. If its offline and there is a new update then mark it online. If its online and there is no update then mark it offline
+            for (const site of allWireguardSites) {
+                const lastBandwidthUpdate = new Date(site.lastBandwidthUpdate!).getTime() / 1000;
+                if (
+                    lastBandwidthUpdate < wireguardOfflineThreshold &&
+                    site.online
+                ) {
+                    logger.info(
+                        `Marking wireguard site ${site.siteId} offline: no bandwidth update in over ${OFFLINE_THRESHOLD_BANDWIDTH_MS / 60000} minutes`
+                    );
+
+                    await db
+                        .update(sites)
+                        .set({ online: false })
+                        .where(eq(sites.siteId, site.siteId));
+                } else if (
+                    lastBandwidthUpdate >= wireguardOfflineThreshold &&
+                    !site.online
+                ) {
+                    logger.info(
+                        `Marking wireguard site ${site.siteId} online: recent bandwidth update`
+                    );
+
+                    await db
+                        .update(sites)
+                        .set({ online: true })
+                        .where(eq(sites.siteId, site.siteId));
+                }
+            }
         } catch (error) {
             logger.error("Error in newt offline checker interval", { error });
         }

From c1bd36231d79881e5ad6462e8872b97704ff52c7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 14:46:23 -0700
Subject: [PATCH 107/122] Default to approved

---
 server/db/pg/schema/schema.ts        | 2 +-
 server/db/sqlite/schema/schema.ts    | 2 +-
 server/setup/scriptsPg/1.17.0.ts     | 2 +-
 server/setup/scriptsSqlite/1.17.0.ts | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index b0c0d49a9..bde3e9aec 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -101,7 +101,7 @@ export const sites = pgTable("sites", {
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
     dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
-    status: varchar("status").$type<"pending" | "approved">()
+    status: varchar("status").$type<"pending" | "approved">().default("approved")
 });
 
 export const resources = pgTable("resources", {
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 65ff144a4..1fb04ef14 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -111,7 +111,7 @@ export const sites = sqliteTable("sites", {
     dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
         .default(true),
-    status: text("status").$type<"pending" | "approved">()
+    status: text("status").$type<"pending" | "approved">().default("approved")
 });
 
 export const resources = sqliteTable("resources", {
diff --git a/server/setup/scriptsPg/1.17.0.ts b/server/setup/scriptsPg/1.17.0.ts
index 09d09261c..ea66948ab 100644
--- a/server/setup/scriptsPg/1.17.0.ts
+++ b/server/setup/scriptsPg/1.17.0.ts
@@ -178,7 +178,7 @@ export default async function migration() {
         );
         await db.execute(sql`ALTER TABLE "userInvites" DROP COLUMN "roleId";`);
         await db.execute(sql`ALTER TABLE "siteProvisioningKeys" ADD COLUMN "approveNewSites" boolean DEFAULT true NOT NULL;`);
-        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar;`);
+        await db.execute(sql`ALTER TABLE "sites" ADD COLUMN "status" varchar DEFAULT 'approved';`);
 
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
diff --git a/server/setup/scriptsSqlite/1.17.0.ts b/server/setup/scriptsSqlite/1.17.0.ts
index b6515510f..28877f16e 100644
--- a/server/setup/scriptsSqlite/1.17.0.ts
+++ b/server/setup/scriptsSqlite/1.17.0.ts
@@ -192,7 +192,7 @@ export default async function migration() {
             ).run();
             db.prepare(`ALTER TABLE 'user' ADD 'locale' text;`).run();
             db.prepare(`ALTER TABLE 'siteProvisioningKeys' ADD COLUMN 'approveNewSites' integer DEFAULT 1 NOT NULL;`).run();
-            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text;`).run();
+            db.prepare(`ALTER TABLE 'sites' ADD COLUMN 'status' text DEFAULT 'approved';`).run();
         })();
 
         db.pragma("foreign_keys = ON");

From 3b8dd45a73cb2835ad2b5440ffcc3a166bf13aeb Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Tue, 31 Mar 2026 15:09:14 -0700
Subject: [PATCH 108/122] Translate siem

---
 messages/en-US.json                           |  86 +++++++-
 .../[orgId]/settings/logs/streaming/page.tsx  | 137 ++++++------
 src/components/HttpDestinationCredenza.tsx    | 201 ++++++------------
 3 files changed, 224 insertions(+), 200 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index e8c7cb47d..412d50179 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2804,5 +2804,89 @@
     "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
     "approvalsEmptyStateButtonText": "Manage Roles",
     "domainErrorTitle": "We are having trouble verifying your domain",
-    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab."
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab.",
+    "streamingTitle": "Event Streaming",
+    "streamingDescription": "Stream events from your organization to external destinations in real time.",
+    "streamingUnnamedDestination": "Unnamed destination",
+    "streamingNoUrlConfigured": "No URL configured",
+    "streamingAddDestination": "Add Destination",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Send events to any HTTP endpoint with flexible authentication and templating.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Stream events to an S3-compatible object storage bucket. Coming soon.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Forward events directly to your Datadog account. Coming soon.",
+    "streamingTypePickerDescription": "Choose a destination type to get started.",
+    "streamingFailedToLoad": "Failed to load destinations",
+    "streamingUnexpectedError": "An unexpected error occurred.",
+    "streamingFailedToUpdate": "Failed to update destination",
+    "streamingDeletedSuccess": "Destination deleted successfully",
+    "streamingFailedToDelete": "Failed to delete destination",
+    "streamingDeleteTitle": "Delete Destination",
+    "streamingDeleteButtonText": "Delete Destination",
+    "streamingDeleteDialogAreYouSure": "Are you sure you want to delete",
+    "streamingDeleteDialogThisDestination": "this destination",
+    "streamingDeleteDialogPermanentlyRemoved": "? All configuration will be permanently removed.",
+    "httpDestEditTitle": "Edit Destination",
+    "httpDestAddTitle": "Add HTTP Destination",
+    "httpDestEditDescription": "Update the configuration for this HTTP event streaming destination.",
+    "httpDestAddDescription": "Configure a new HTTP endpoint to receive your organization's events.",
+    "httpDestTabSettings": "Settings",
+    "httpDestTabHeaders": "Headers",
+    "httpDestTabBody": "Body",
+    "httpDestTabLogs": "Logs",
+    "httpDestNamePlaceholder": "My HTTP destination",
+    "httpDestUrlLabel": "Destination URL",
+    "httpDestUrlErrorHttpRequired": "URL must use http or https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS is required on cloud deployments",
+    "httpDestUrlErrorInvalid": "Enter a valid URL (e.g. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentication",
+    "httpDestAuthDescription": "Choose how requests to your endpoint are authenticated.",
+    "httpDestAuthNoneTitle": "No Authentication",
+    "httpDestAuthNoneDescription": "Sends requests without an Authorization header.",
+    "httpDestAuthBearerTitle": "Bearer Token",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer <token> header to each request.",
+    "httpDestAuthBearerPlaceholder": "Your API key or token",
+    "httpDestAuthBasicTitle": "Basic Auth",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic <credentials> header. Provide credentials as username:password.",
+    "httpDestAuthBasicPlaceholder": "username:password",
+    "httpDestAuthCustomTitle": "Custom Header",
+    "httpDestAuthCustomDescription": "Specify a custom HTTP header name and value for authentication (e.g. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Header name (e.g. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header value",
+    "httpDestCustomHeadersTitle": "Custom HTTP Headers",
+    "httpDestCustomHeadersDescription": "Add custom headers to every outgoing request. Useful for static tokens or a custom Content-Type. By default, Content-Type: application/json is sent.",
+    "httpDestNoHeadersConfigured": "No custom headers configured. Click \"Add Header\" to add one.",
+    "httpDestHeaderNamePlaceholder": "Header name",
+    "httpDestHeaderValuePlaceholder": "Value",
+    "httpDestAddHeader": "Add Header",
+    "httpDestBodyTemplateTitle": "Custom Body Template",
+    "httpDestBodyTemplateDescription": "Control the JSON payload structure sent to your endpoint. If disabled, a default JSON object is sent for each event.",
+    "httpDestEnableBodyTemplate": "Enable custom body template",
+    "httpDestBodyTemplateLabel": "Body Template (JSON)",
+    "httpDestBodyTemplateHint": "Use template variables to reference event fields in your payload.",
+    "httpDestPayloadFormatTitle": "Payload Format",
+    "httpDestPayloadFormatDescription": "How events are serialised into each request body.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "One request per batch, body is a JSON array. Compatible with most generic webhooks and Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "One request per batch, body is newline-delimited JSON — one object per line, no outer array. Required by Splunk HEC, Elastic / OpenSearch, and Grafana Loki.",
+    "httpDestFormatSingleTitle": "One Event Per Request",
+    "httpDestFormatSingleDescription": "Sends a separate HTTP POST for each individual event. Use only for endpoints that cannot handle batches.",
+    "httpDestLogTypesTitle": "Log Types",
+    "httpDestLogTypesDescription": "Choose which log types are forwarded to this destination. Only enabled log types will be streamed.",
+    "httpDestAccessLogsTitle": "Access Logs",
+    "httpDestAccessLogsDescription": "Resource access attempts, including authenticated and denied requests.",
+    "httpDestActionLogsTitle": "Action Logs",
+    "httpDestActionLogsDescription": "Administrative actions performed by users within the organization.",
+    "httpDestConnectionLogsTitle": "Connection Logs",
+    "httpDestConnectionLogsDescription": "Site and tunnel connection events, including connects and disconnects.",
+    "httpDestRequestLogsTitle": "Request Logs",
+    "httpDestRequestLogsDescription": "HTTP request logs for proxied resources, including method, path, and response code.",
+    "httpDestSaveChanges": "Save Changes",
+    "httpDestCreateDestination": "Create Destination",
+    "httpDestUpdatedSuccess": "Destination updated successfully",
+    "httpDestCreatedSuccess": "Destination created successfully",
+    "httpDestUpdateFailed": "Failed to update destination",
+    "httpDestCreateFailed": "Failed to create destination"
 }
diff --git a/src/app/[orgId]/settings/logs/streaming/page.tsx b/src/app/[orgId]/settings/logs/streaming/page.tsx
index 843f1ddb7..44ec39fcd 100644
--- a/src/app/[orgId]/settings/logs/streaming/page.tsx
+++ b/src/app/[orgId]/settings/logs/streaming/page.tsx
@@ -38,6 +38,7 @@ import {
     HttpDestinationCredenza,
     parseHttpConfig
 } from "@app/components/HttpDestinationCredenza";
+import { useTranslations } from "next-intl";
 
 // ── Re-export Destination so the rest of the file can use it ──────────────────
 
@@ -69,6 +70,7 @@ function DestinationCard({
     isToggling,
     disabled = false
 }: DestinationCardProps) {
+    const t = useTranslations();
     const cfg = parseHttpConfig(destination.config);
 
     return (
@@ -84,7 +86,7 @@ function DestinationCard({
                     </div>
                     <div className="min-w-0">
                         <p className="font-semibold text-sm leading-tight truncate">
-                            {cfg.name || "Unnamed destination"}
+                            {cfg.name || t("streamingUnnamedDestination")}
                         </p>
                         <p className="text-xs text-muted-foreground truncate mt-0.5">
                             HTTP
@@ -104,7 +106,7 @@ function DestinationCard({
             {/* URL preview */}
             <p className="text-xs text-muted-foreground truncate">
                 {cfg.url || (
-                    <span className="italic">No URL configured</span>
+                    <span className="italic">{t("streamingNoUrlConfigured")}</span>
                 )}
             </p>
 
@@ -116,7 +118,7 @@ function DestinationCard({
                     disabled={disabled}
                     className="flex-1"
                 >
-                    Edit
+                    {t("edit")}
                 </Button>
                 <DropdownMenu>
                     <DropdownMenuTrigger asChild>
@@ -134,7 +136,7 @@ function DestinationCard({
                             className="text-destructive focus:text-destructive"
                             onClick={() => onDelete(destination)}
                         >
-                            Delete
+                            {t("delete")}
                         </DropdownMenuItem>
                     </DropdownMenuContent>
                 </DropdownMenu>
@@ -146,6 +148,8 @@ function DestinationCard({
 // ── Add destination card ───────────────────────────────────────────────────────
 
 function AddDestinationCard({ onClick }: { onClick: () => void }) {
+    const t = useTranslations();
+
     return (
         <button
             type="button"
@@ -156,7 +160,7 @@ function AddDestinationCard({ onClick }: { onClick: () => void }) {
                 <div className="flex items-center justify-center w-9 h-9 rounded-md border-2 border-dashed border-current">
                     <Plus className="h-4 w-4" />
                 </div>
-                <span className="text-sm font-medium">Add Destination</span>
+                <span className="text-sm font-medium">{t("streamingAddDestination")}</span>
             </div>
         </button>
     );
@@ -166,48 +170,6 @@ function AddDestinationCard({ onClick }: { onClick: () => void }) {
 
 type DestinationType = "http" | "s3" | "datadog";
 
-const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
-    {
-        id: "http",
-        title: "HTTP Webhook",
-        description:
-            "Send events to any HTTP endpoint with flexible authentication and templating.",
-        icon: <Globe className="h-6 w-6" />
-    },
-    {
-        id: "s3",
-        title: "Amazon S3",
-        description:
-            "Stream events to an S3-compatible object storage bucket. Coming soon.",
-        disabled: true,
-        icon: (
-            <Image
-                src="/third-party/s3.png"
-                alt="Amazon S3"
-                width={24}
-                height={24}
-                className="rounded-sm"
-            />
-        )
-    },
-    {
-        id: "datadog",
-        title: "Datadog",
-        description:
-            "Forward events directly to your Datadog account. Coming soon.",
-        disabled: true,
-        icon: (
-            <Image
-                src="/third-party/dd.png"
-                alt="Datadog"
-                width={24}
-                height={24}
-                className="rounded-sm"
-            />
-        )
-    }
-];
-
 interface DestinationTypePickerProps {
     open: boolean;
     onOpenChange: (open: boolean) => void;
@@ -221,8 +183,48 @@ function DestinationTypePicker({
     onSelect,
     isPaywalled = false
 }: DestinationTypePickerProps) {
+    const t = useTranslations();
     const [selected, setSelected] = useState<DestinationType>("http");
 
+    const destinationTypeOptions: ReadonlyArray<StrategyOption<DestinationType>> = [
+        {
+            id: "http",
+            title: t("streamingHttpWebhookTitle"),
+            description: t("streamingHttpWebhookDescription"),
+            icon: <Globe className="h-6 w-6" />
+        },
+        {
+            id: "s3",
+            title: t("streamingS3Title"),
+            description: t("streamingS3Description"),
+            disabled: true,
+            icon: (
+                <Image
+                    src="/third-party/s3.png"
+                    alt={t("streamingS3Title")}
+                    width={24}
+                    height={24}
+                    className="rounded-sm"
+                />
+            )
+        },
+        {
+            id: "datadog",
+            title: t("streamingDatadogTitle"),
+            description: t("streamingDatadogDescription"),
+            disabled: true,
+            icon: (
+                <Image
+                    src="/third-party/dd.png"
+                    alt={t("streamingDatadogTitle")}
+                    width={24}
+                    height={24}
+                    className="rounded-sm"
+                />
+            )
+        }
+    ];
+
     useEffect(() => {
         if (open) setSelected("http");
     }, [open]);
@@ -231,9 +233,9 @@ function DestinationTypePicker({
         <Credenza open={open} onOpenChange={onOpenChange}>
             <CredenzaContent className="sm:max-w-lg">
                 <CredenzaHeader>
-                    <CredenzaTitle>Add Destination</CredenzaTitle>
+                    <CredenzaTitle>{t("streamingAddDestination")}</CredenzaTitle>
                     <CredenzaDescription>
-                        Choose a destination type to get started.
+                        {t("streamingTypePickerDescription")}
                     </CredenzaDescription>
                 </CredenzaHeader>
                 <CredenzaBody>
@@ -248,13 +250,13 @@ function DestinationTypePicker({
                 </CredenzaBody>
                 <CredenzaFooter>
                     <CredenzaClose asChild>
-                        <Button variant="outline">Cancel</Button>
+                        <Button variant="outline">{t("cancel")}</Button>
                     </CredenzaClose>
                     <Button
                         onClick={() => onSelect(selected)}
                         disabled={isPaywalled}
                     >
-                        Continue
+                        {t("continue")}
                     </Button>
                 </CredenzaFooter>
             </CredenzaContent>
@@ -269,6 +271,7 @@ export default function StreamingDestinationsPage() {
     const api = createApiClient(useEnvContext());
     const { isPaidUser } = usePaidStatus();
     const isEnterprise = isPaidUser(tierMatrix[TierFeature.SIEM]);
+    const t = useTranslations();
 
     const [destinations, setDestinations] = useState<Destination[]>([]);
     const [loading, setLoading] = useState(true);
@@ -297,10 +300,10 @@ export default function StreamingDestinationsPage() {
         } catch (e) {
             toast({
                 variant: "destructive",
-                title: "Failed to load destinations",
+                title: t("streamingFailedToLoad"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -337,10 +340,10 @@ export default function StreamingDestinationsPage() {
             );
             toast({
                 variant: "destructive",
-                title: "Failed to update destination",
+                title: t("streamingFailedToUpdate"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -364,17 +367,17 @@ export default function StreamingDestinationsPage() {
             await api.delete(
                 `/org/${orgId}/event-streaming-destination/${deleteTarget.destinationId}`
             );
-            toast({ title: "Destination deleted successfully" });
+            toast({ title: t("streamingDeletedSuccess") });
             setDeleteDialogOpen(false);
             setDeleteTarget(null);
             loadDestinations();
         } catch (e) {
             toast({
                 variant: "destructive",
-                title: "Failed to delete destination",
+                title: t("streamingFailedToDelete"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -400,8 +403,8 @@ export default function StreamingDestinationsPage() {
     return (
         <>
             <SettingsSectionTitle
-                title="Event Streaming"
-                description="Stream events from your organization to external destinations in real time."
+                title={t("streamingTitle")}
+                description={t("streamingDescription")}
             />
 
             <PaidFeaturesAlert tiers={tierMatrix[TierFeature.SIEM]} />
@@ -456,23 +459,23 @@ export default function StreamingDestinationsPage() {
                         if (!v) setDeleteTarget(null);
                     }}
                     string={
-                        parseHttpConfig(deleteTarget.config).name || "delete"
+                        parseHttpConfig(deleteTarget.config).name || t("streamingDeleteDialogThisDestination")
                     }
-                    title="Delete Destination"
+                    title={t("streamingDeleteTitle")}
                     dialog={
                         <p className="text-sm text-muted-foreground">
-                            Are you sure you want to delete{" "}
+                            {t("streamingDeleteDialogAreYouSure")}{" "}
                             <span className="font-semibold text-foreground">
                                 {parseHttpConfig(deleteTarget.config).name ||
-                                    "this destination"}
+                                    t("streamingDeleteDialogThisDestination")}
                             </span>
-                            ? All configuration will be permanently removed.
+                            {t("streamingDeleteDialogPermanentlyRemoved")}
                         </p>
                     }
-                    buttonText="Delete Destination"
+                    buttonText={t("streamingDeleteButtonText")}
                     onConfirm={handleDeleteConfirm}
                 />
             )}
         </>
     );
-}
+}
\ No newline at end of file
diff --git a/src/components/HttpDestinationCredenza.tsx b/src/components/HttpDestinationCredenza.tsx
index 205c17c84..e39567332 100644
--- a/src/components/HttpDestinationCredenza.tsx
+++ b/src/components/HttpDestinationCredenza.tsx
@@ -24,6 +24,7 @@ import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { build } from "@server/build";
+import { useTranslations } from "next-intl";
 
 // ── Types ──────────────────────────────────────────────────────────────────────
 
@@ -91,6 +92,8 @@ interface HeadersEditorProps {
 }
 
 function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
+    const t = useTranslations();
+
     const addRow = () => onChange([...headers, { key: "", value: "" }]);
 
     const removeRow = (i: number) =>
@@ -106,8 +109,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
         <div className="space-y-3">
             {headers.length === 0 && (
                 <p className="text-xs text-muted-foreground">
-                    No custom headers configured. Click "Add Header" to add
-                    one.
+                    {t("httpDestNoHeadersConfigured")}
                 </p>
             )}
             {headers.map((h, i) => (
@@ -115,7 +117,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
                     <Input
                         value={h.key}
                         onChange={(e) => updateRow(i, "key", e.target.value)}
-                        placeholder="Header name"
+                        placeholder={t("httpDestHeaderNamePlaceholder")}
                         className="flex-1"
                     />
                     <Input
@@ -123,7 +125,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
                         onChange={(e) =>
                             updateRow(i, "value", e.target.value)
                         }
-                        placeholder="Value"
+                        placeholder={t("httpDestHeaderValuePlaceholder")}
                         className="flex-1"
                     />
                     <Button
@@ -145,7 +147,7 @@ function HeadersEditor({ headers, onChange }: HeadersEditorProps) {
                 className="gap-1.5"
             >
                 <Plus className="h-3.5 w-3.5" />
-                Add Header
+                {t("httpDestAddHeader")}
             </Button>
         </div>
     );
@@ -169,6 +171,7 @@ export function HttpDestinationCredenza({
     onSaved
 }: HttpDestinationCredenzaProps) {
     const api = createApiClient(useEnvContext());
+    const t = useTranslations();
 
     const [saving, setSaving] = useState(false);
     const [cfg, setCfg] = useState<HttpConfig>(defaultHttpConfig());
@@ -201,14 +204,14 @@ export function HttpDestinationCredenza({
                 parsed.protocol !== "http:" &&
                 parsed.protocol !== "https:"
             ) {
-                return "URL must use http or https";
+                return t("httpDestUrlErrorHttpRequired");
             }
             if (build === "saas" && parsed.protocol !== "https:") {
-                return "HTTPS is required on cloud deployments";
+                return t("httpDestUrlErrorHttpsRequired");
             }
             return null;
         } catch {
-            return "Enter a valid URL (e.g. https://example.com/webhook)";
+            return t("httpDestUrlErrorInvalid");
         }
     })();
 
@@ -234,13 +237,13 @@ export function HttpDestinationCredenza({
                     `/org/${orgId}/event-streaming-destination/${editing.destinationId}`,
                     payload
                 );
-                toast({ title: "Destination updated successfully" });
+                toast({ title: t("httpDestUpdatedSuccess") });
             } else {
                 await api.put(
                     `/org/${orgId}/event-streaming-destination`,
                     payload
                 );
-                toast({ title: "Destination created successfully" });
+                toast({ title: t("httpDestCreatedSuccess") });
             }
             onSaved();
             onOpenChange(false);
@@ -248,11 +251,11 @@ export function HttpDestinationCredenza({
             toast({
                 variant: "destructive",
                 title: editing
-                    ? "Failed to update destination"
-                    : "Failed to create destination",
+                    ? t("httpDestUpdateFailed")
+                    : t("httpDestCreateFailed"),
                 description: formatAxiosError(
                     e,
-                    "An unexpected error occurred."
+                    t("streamingUnexpectedError")
                 )
             });
         } finally {
@@ -266,13 +269,13 @@ export function HttpDestinationCredenza({
                 <CredenzaHeader>
                     <CredenzaTitle>
                         {editing
-                            ? "Edit Destination"
-                            : "Add HTTP Destination"}
+                            ? t("httpDestEditTitle")
+                            : t("httpDestAddTitle")}
                     </CredenzaTitle>
                     <CredenzaDescription>
                         {editing
-                            ? "Update the configuration for this HTTP event streaming destination."
-                            : "Configure a new HTTP endpoint to receive your organization's events."}
+                            ? t("httpDestEditDescription")
+                            : t("httpDestAddDescription")}
                     </CredenzaDescription>
                 </CredenzaHeader>
 
@@ -280,20 +283,20 @@ export function HttpDestinationCredenza({
                     <HorizontalTabs
                         clientSide
                         items={[
-                            { title: "Settings", href: "" },
-                            { title: "Headers", href: "" },
-                            { title: "Body", href: "" },
-                            { title: "Logs", href: "" }
+                            { title: t("httpDestTabSettings"), href: "" },
+                            { title: t("httpDestTabHeaders"), href: "" },
+                            { title: t("httpDestTabBody"), href: "" },
+                            { title: t("httpDestTabLogs"), href: "" }
                         ]}
                     >
                         {/* ── Settings tab ────────────────────────────── */}
                         <div className="space-y-6 mt-4 p-1">
                             {/* Name */}
                             <div className="space-y-2">
-                                <Label htmlFor="dest-name">Name</Label>
+                                <Label htmlFor="dest-name">{t("name")}</Label>
                                 <Input
                                     id="dest-name"
-                                    placeholder="My HTTP destination"
+                                    placeholder={t("httpDestNamePlaceholder")}
                                     value={cfg.name}
                                     onChange={(e) =>
                                         update({ name: e.target.value })
@@ -304,7 +307,7 @@ export function HttpDestinationCredenza({
                             {/* URL */}
                             <div className="space-y-2">
                                 <Label htmlFor="dest-url">
-                                    Destination URL
+                                    {t("httpDestUrlLabel")}
                                 </Label>
                                 <Input
                                     id="dest-url"
@@ -325,11 +328,10 @@ export function HttpDestinationCredenza({
                             <div className="space-y-3">
                                 <div>
                                     <label className="font-medium block">
-                                        Authentication
+                                        {t("httpDestAuthTitle")}
                                     </label>
                                     <p className="text-sm text-muted-foreground mt-0.5">
-                                        Choose how requests to your endpoint
-                                        are authenticated.
+                                        {t("httpDestAuthDescription")}
                                     </p>
                                 </div>
 
@@ -352,14 +354,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="auth-none"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                No Authentication
+                                                {t("httpDestAuthNoneTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                Sends requests without an{" "}
-                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                    Authorization
-                                                </code>{" "}
-                                                header.
+                                                {t("httpDestAuthNoneDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -377,20 +375,15 @@ export function HttpDestinationCredenza({
                                                     htmlFor="auth-bearer"
                                                     className="cursor-pointer font-medium"
                                                 >
-                                                    Bearer Token
+                                                    {t("httpDestAuthBearerTitle")}
                                                 </Label>
                                                 <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Bearer
-                                                        &lt;token&gt;
-                                                    </code>{" "}
-                                                    header to each request.
+                                                    {t("httpDestAuthBearerDescription")}
                                                 </p>
                                             </div>
                                             {cfg.authType === "bearer" && (
                                                 <Input
-                                                    placeholder="Your API key or token"
+                                                    placeholder={t("httpDestAuthBearerPlaceholder")}
                                                     value={
                                                         cfg.bearerToken ?? ""
                                                     }
@@ -418,25 +411,15 @@ export function HttpDestinationCredenza({
                                                     htmlFor="auth-basic"
                                                     className="cursor-pointer font-medium"
                                                 >
-                                                    Basic Auth
+                                                    {t("httpDestAuthBasicTitle")}
                                                 </Label>
                                                 <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Adds an{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        Authorization: Basic
-                                                        &lt;credentials&gt;
-                                                    </code>{" "}
-                                                    header. Provide credentials
-                                                    as{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        username:password
-                                                    </code>
-                                                    .
+                                                    {t("httpDestAuthBasicDescription")}
                                                 </p>
                                             </div>
                                             {cfg.authType === "basic" && (
                                                 <Input
-                                                    placeholder="username:password"
+                                                    placeholder={t("httpDestAuthBasicPlaceholder")}
                                                     value={
                                                         cfg.basicCredentials ??
                                                         ""
@@ -465,22 +448,16 @@ export function HttpDestinationCredenza({
                                                     htmlFor="auth-custom"
                                                     className="cursor-pointer font-medium"
                                                 >
-                                                    Custom Header
+                                                    {t("httpDestAuthCustomTitle")}
                                                 </Label>
                                                 <p className="text-xs text-muted-foreground mt-0.5">
-                                                    Specify a custom HTTP
-                                                    header name and value for
-                                                    authentication (e.g.{" "}
-                                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                        X-API-Key
-                                                    </code>
-                                                    ).
+                                                    {t("httpDestAuthCustomDescription")}
                                                 </p>
                                             </div>
                                             {cfg.authType === "custom" && (
                                                 <div className="flex gap-2">
                                                     <Input
-                                                        placeholder="Header name (e.g. X-API-Key)"
+                                                        placeholder={t("httpDestAuthCustomHeaderNamePlaceholder")}
                                                         value={
                                                             cfg.customHeaderName ??
                                                             ""
@@ -495,7 +472,7 @@ export function HttpDestinationCredenza({
                                                         className="flex-1"
                                                     />
                                                     <Input
-                                                        placeholder="Header value"
+                                                        placeholder={t("httpDestAuthCustomHeaderValuePlaceholder")}
                                                         value={
                                                             cfg.customHeaderValue ??
                                                             ""
@@ -521,20 +498,10 @@ export function HttpDestinationCredenza({
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
-                                    Custom HTTP Headers
+                                    {t("httpDestCustomHeadersTitle")}
                                 </label>
                                 <p className="text-sm text-muted-foreground mt-0.5">
-                                    Add custom headers to every outgoing
-                                    request. Useful for static tokens or
-                                    custom{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type
-                                    </code>
-                                    . By default,{" "}
-                                    <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                        Content-Type: application/json
-                                    </code>{" "}
-                                    is sent.
+                                    {t("httpDestCustomHeadersDescription")}
                                 </p>
                             </div>
                             <HeadersEditor
@@ -547,12 +514,10 @@ export function HttpDestinationCredenza({
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
-                                    Custom Body Template
+                                    {t("httpDestBodyTemplateTitle")}
                                 </label>
                                 <p className="text-sm text-muted-foreground mt-0.5">
-                                    Control the JSON payload structure sent to
-                                    your endpoint. If disabled, a default JSON
-                                    object is sent for each event.
+                                    {t("httpDestBodyTemplateDescription")}
                                 </p>
                             </div>
 
@@ -568,14 +533,14 @@ export function HttpDestinationCredenza({
                                     htmlFor="use-body-template"
                                     className="cursor-pointer"
                                 >
-                                    Enable custom body template
+                                    {t("httpDestEnableBodyTemplate")}
                                 </Label>
                             </div>
 
                             {cfg.useBodyTemplate && (
                                 <div className="space-y-2">
                                     <Label htmlFor="body-template">
-                                        Body Template (JSON)
+                                        {t("httpDestBodyTemplateLabel")}
                                     </Label>
                                     <Textarea
                                         id="body-template"
@@ -591,8 +556,7 @@ export function HttpDestinationCredenza({
                                         className="font-mono text-xs min-h-45 resize-y"
                                     />
                                     <p className="text-xs text-muted-foreground">
-                                        Use template variables to reference
-                                        event fields in your payload.
+                                        {t("httpDestBodyTemplateHint")}
                                     </p>
                                 </div>
                             )}
@@ -601,11 +565,10 @@ export function HttpDestinationCredenza({
                             <div className="space-y-3">
                                 <div>
                                     <label className="font-medium block">
-                                        Payload Format
+                                        {t("httpDestPayloadFormatTitle")}
                                     </label>
                                     <p className="text-sm text-muted-foreground mt-0.5">
-                                        How events are serialised into each
-                                        request body.
+                                        {t("httpDestPayloadFormatDescription")}
                                     </p>
                                 </div>
 
@@ -630,16 +593,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="fmt-json-array"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                JSON Array
+                                                {t("httpDestFormatJsonArrayTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                One request per batch, body is
-                                                a JSON array{" "}
-                                                <code className="bg-muted px-1 py-0.5 rounded text-xs">
-                                                    [{"{...}"}, {"{...}"}]
-                                                </code>
-                                                . Compatible with most generic
-                                                webhooks and Datadog.
+                                                {t("httpDestFormatJsonArrayDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -656,19 +613,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="fmt-ndjson"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                NDJSON
+                                                {t("httpDestFormatNdjsonTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                One request per batch, body is
-                                                newline-delimited JSON — one
-                                                object per line, no outer
-                                                array. Required by{" "}
-                                                <strong>Splunk HEC</strong>,{" "}
-                                                <strong>
-                                                    Elastic / OpenSearch
-                                                </strong>
-                                                , and{" "}
-                                                <strong>Grafana Loki</strong>.
+                                                {t("httpDestFormatNdjsonDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -685,13 +633,10 @@ export function HttpDestinationCredenza({
                                                 htmlFor="fmt-json-single"
                                                 className="cursor-pointer font-medium"
                                             >
-                                                One Event Per Request
+                                                {t("httpDestFormatSingleTitle")}
                                             </Label>
                                             <p className="text-xs text-muted-foreground mt-0.5">
-                                                Sends a separate HTTP POST for
-                                                each individual event. Use only
-                                                for endpoints that cannot
-                                                handle batches.
+                                                {t("httpDestFormatSingleDescription")}
                                             </p>
                                         </div>
                                     </div>
@@ -703,12 +648,10 @@ export function HttpDestinationCredenza({
                         <div className="space-y-6 mt-4 p-1">
                             <div>
                                 <label className="font-medium block">
-                                    Log Types
+                                    {t("httpDestLogTypesTitle")}
                                 </label>
                                 <p className="text-sm text-muted-foreground mt-0.5">
-                                    Choose which log types are forwarded to
-                                    this destination. Only enabled log types
-                                    will be streamed.
+                                    {t("httpDestLogTypesDescription")}
                                 </p>
                             </div>
 
@@ -727,11 +670,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-access"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Access Logs
+                                            {t("httpDestAccessLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            Resource access attempts, including
-                                            authenticated and denied requests.
+                                            {t("httpDestAccessLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -750,11 +692,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-action"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Action Logs
+                                            {t("httpDestActionLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            Administrative actions performed by
-                                            users within the organization.
+                                            {t("httpDestActionLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -773,12 +714,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-connection"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Connection Logs
+                                            {t("httpDestConnectionLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            Site and tunnel connection events,
-                                            including connects and
-                                            disconnects.
+                                            {t("httpDestConnectionLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -797,12 +736,10 @@ export function HttpDestinationCredenza({
                                             htmlFor="log-request"
                                             className="text-sm font-medium cursor-pointer"
                                         >
-                                            Request Logs
+                                            {t("httpDestRequestLogsTitle")}
                                         </label>
                                         <p className="text-xs text-muted-foreground mt-0.5">
-                                            HTTP request logs for proxied
-                                            resources, including method, path,
-                                            and response code.
+                                            {t("httpDestRequestLogsDescription")}
                                         </p>
                                     </div>
                                 </div>
@@ -818,7 +755,7 @@ export function HttpDestinationCredenza({
                             variant="outline"
                             disabled={saving}
                         >
-                            Cancel
+                            {t("cancel")}
                         </Button>
                     </CredenzaClose>
                     <Button
@@ -827,10 +764,10 @@ export function HttpDestinationCredenza({
                         loading={saving}
                         disabled={!isValid || saving}
                     >
-                        {editing ? "Save Changes" : "Create Destination"}
+                        {editing ? t("httpDestSaveChanges") : t("httpDestCreateDestination")}
                     </Button>
                 </CredenzaFooter>
             </CredenzaContent>
         </Credenza>
     );
-}
+}
\ No newline at end of file

From 44664faf3ce10d6f0707bf64c71974858b0246f1 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:45 -0700
Subject: [PATCH 109/122] New translations en-us.json (French)

---
 messages/fr-FR.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 2b3368a07..792775fdd 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -148,6 +148,11 @@
     "createLink": "Créer un lien",
     "resourcesNotFound": "Aucune ressource trouvée",
     "resourceSearch": "Rechercher des ressources",
+    "machineSearch": "Rechercher des machines",
+    "machinesSearch": "Rechercher des clients de la machine...",
+    "machineNotFound": "Aucune machine trouvée",
+    "userDeviceSearch": "Rechercher des périphériques utilisateur",
+    "userDevicesSearch": "Rechercher des appareils utilisateurs...",
     "openMenu": "Ouvrir le menu",
     "resource": "Ressource",
     "title": "Titre de la page",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Supprimer la clé d'API",
     "apiKeysManage": "Gérer les clés d'API",
     "apiKeysDescription": "Les clés d'API sont utilisées pour s'authentifier avec l'API d'intégration",
+    "provisioningKeysTitle": "Clé de provisioning",
+    "provisioningKeysManage": "Gérer les clés de provisioning",
+    "provisioningKeysDescription": "Les clés de provisioning sont utilisées pour authentifier la fourniture automatique de sites pour votre organisation.",
+    "provisioningManage": "Mise en place",
+    "provisioningDescription": "Gérer les clés de provisioning et examiner les sites en attente d'approbation.",
+    "pendingSites": "Sites en attente",
+    "siteApproveSuccess": "Site approuvé avec succès",
+    "siteApproveError": "Erreur lors de l'approbation du site",
+    "provisioningKeys": "Clés de provisionnement",
+    "searchProvisioningKeys": "Recherche des clés de provision...",
+    "provisioningKeysAdd": "Générer une clé de provisioning",
+    "provisioningKeysErrorDelete": "Erreur lors de la suppression de la clé de provisioning",
+    "provisioningKeysErrorDeleteMessage": "Erreur lors de la suppression de la clé de provisioning",
+    "provisioningKeysQuestionRemove": "Êtes-vous sûr de vouloir supprimer cette clé de provisioning de l'organisation ?",
+    "provisioningKeysMessageRemove": "Une fois supprimée, la clé ne peut plus être utilisée pour le provisionnement du site.",
+    "provisioningKeysDeleteConfirm": "Confirmer la suppression de la clé de provisioning",
+    "provisioningKeysDelete": "Supprimer la clé de provisioning",
+    "provisioningKeysCreate": "Générer une clé de provisioning",
+    "provisioningKeysCreateDescription": "Générer une nouvelle clé de provisioning pour l'organisation",
+    "provisioningKeysSeeAll": "Voir toutes les clés de provisioning",
+    "provisioningKeysSave": "Enregistrer la clé de provisioning",
+    "provisioningKeysSaveDescription": "Vous ne pourrez voir cela qu'une seule fois. Copiez-le dans un endroit sécurisé.",
+    "provisioningKeysErrorCreate": "Erreur lors de la création de la clé de provisioning",
+    "provisioningKeysList": "Nouvelle clé de provisioning",
+    "provisioningKeysMaxBatchSize": "Taille maximale du lot",
+    "provisioningKeysUnlimitedBatchSize": "Taille de lot illimitée (sans limite)",
+    "provisioningKeysMaxBatchUnlimited": "Illimité",
+    "provisioningKeysMaxBatchSizeInvalid": "Entrez une taille de lot maximale valide (1–1 000 000).",
+    "provisioningKeysValidUntil": "Valable jusqu'au",
+    "provisioningKeysValidUntilHint": "Laisser vide pour ne pas expirer.",
+    "provisioningKeysValidUntilInvalid": "Entrez une date et une heure valides.",
+    "provisioningKeysNumUsed": "Nombre de fois utilisées",
+    "provisioningKeysLastUsed": "Dernière utilisation",
+    "provisioningKeysNoExpiry": "Pas d'expiration",
+    "provisioningKeysNeverUsed": "Jamais",
+    "provisioningKeysEdit": "Modifier la clé de provisioning",
+    "provisioningKeysEditDescription": "Mettre à jour la taille maximale du lot et la durée d'expiration de cette clé.",
+    "provisioningKeysApproveNewSites": "Approuver les nouveaux sites",
+    "provisioningKeysApproveNewSitesDescription": "Approuver automatiquement les sites qui s'inscrivent avec cette clé.",
+    "provisioningKeysUpdateError": "Erreur lors de la mise à jour de la clé de provisioning",
+    "provisioningKeysUpdated": "Clé de provisioning mise à jour",
+    "provisioningKeysUpdatedDescription": "Vos modifications ont été enregistrées.",
+    "provisioningKeysBannerTitle": "Clés de provisioning du site",
+    "provisioningKeysBannerDescription": "Générez une clé de provisioning et utilisez-la avec le connecteur Newt pour créer automatiquement des sites au premier démarrage — pas besoin de configurer des identifiants distincts pour chaque site.",
+    "provisioningKeysBannerButtonText": "En savoir plus",
+    "pendingSitesBannerTitle": "Sites en attente",
+    "pendingSitesBannerDescription": "Les sites qui se connectent à l'aide d'une clé de provisioning apparaissent ici pour être revus. Approuver chaque site avant qu'il ne devienne actif et qu'il accède à vos ressources.",
+    "pendingSitesBannerButtonText": "En savoir plus",
     "apiKeysSettings": "Paramètres de {apiKeyName}",
     "userTitle": "Gérer tous les utilisateurs",
     "userDescription": "Voir et gérer tous les utilisateurs du système",
@@ -509,9 +562,12 @@
     "userSaved": "Utilisateur enregistré",
     "userSavedDescription": "L'utilisateur a été mis à jour.",
     "autoProvisioned": "Auto-provisionné",
+    "autoProvisionSettings": "Paramètres de la fourniture automatique",
     "autoProvisionedDescription": "Permettre à cet utilisateur d'être géré automatiquement par le fournisseur d'identité",
     "accessControlsDescription": "Gérer ce que cet utilisateur peut accéder et faire dans l'organisation",
     "accessControlsSubmit": "Enregistrer les contrôles d'accès",
+    "singleRolePerUserPlanNotice": "Votre plan ne prend en charge qu'un seul rôle par utilisateur.",
+    "singleRolePerUserEditionNotice": "Cette édition ne prend en charge qu'un rôle par utilisateur.",
     "roles": "Rôles",
     "accessUsersRoles": "Gérer les utilisateurs et les rôles",
     "accessUsersRolesDescription": "Invitez des utilisateurs et ajoutez-les aux rôles pour gérer l'accès à l'organisation",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Entrez le jeton de configuration depuis la console du serveur.",
     "setupTokenRequired": "Le jeton de configuration est requis.",
     "actionUpdateSite": "Mettre à jour un site",
+    "actionResetSiteBandwidth": "Réinitialiser la bande passante de l'organisation",
     "actionListSiteRoles": "Lister les rôles autorisés du site",
     "actionCreateResource": "Créer une ressource",
     "actionDeleteResource": "Supprimer une ressource",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Supprimer un utilisateur",
     "actionListUsers": "Lister les utilisateurs",
     "actionAddUserRole": "Ajouter un rôle utilisateur",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Définir les rôles de l'utilisateur",
     "actionGenerateAccessToken": "Générer un jeton d'accès",
     "actionDeleteAccessToken": "Supprimer un jeton d'accès",
     "actionListAccessTokens": "Lister les jetons d'accès",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Rôles",
     "sidebarShareableLinks": "Liens",
     "sidebarApiKeys": "Clés API",
+    "sidebarProvisioning": "Mise en place",
     "sidebarSettings": "Réglages",
     "sidebarAllUsers": "Tous les utilisateurs",
     "sidebarIdentityProviders": "Fournisseurs d'identité",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nœud de sortie",
     "country": "Pays",
     "rulesMatchCountry": "Actuellement basé sur l'IP source",
+    "region": "Région",
+    "selectRegion": "Sélectionner une région",
+    "searchRegions": "Rechercher des régions...",
+    "noRegionFound": "Aucune région trouvée.",
+    "rulesMatchRegion": "Sélectionnez un groupement régional de pays",
+    "rulesErrorInvalidRegion": "Région invalide",
+    "rulesErrorInvalidRegionDescription": "Veuillez sélectionner une région valide.",
+    "regionAfrica": "L'Afrique",
+    "regionNorthernAfrica": "Afrique du Nord",
+    "regionEasternAfrica": "Afrique de l'Est",
+    "regionMiddleAfrica": "Afrique Moyenne",
+    "regionSouthernAfrica": "Afrique australe",
+    "regionWesternAfrica": "Afrique de l'Ouest",
+    "regionAmericas": "Amériques",
+    "regionCaribbean": "Caraïbes",
+    "regionCentralAmerica": "Amérique centrale",
+    "regionSouthAmerica": "Amérique du Sud",
+    "regionNorthernAmerica": "Amérique du Nord",
+    "regionAsia": "L'Asie",
+    "regionCentralAsia": "Asie centrale",
+    "regionEasternAsia": "Asie de l'Est",
+    "regionSouthEasternAsia": "Asie du Sud-Est",
+    "regionSouthernAsia": "Asie du Sud",
+    "regionWesternAsia": "Asie de l'Ouest",
+    "regionEurope": "L’Europe",
+    "regionEasternEurope": "Europe de l'Est",
+    "regionNorthernEurope": "Europe du Nord",
+    "regionSouthernEurope": "Europe du Sud",
+    "regionWesternEurope": "Europe occidentale",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australie et Nouvelle-Zélande",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Gestion autonome",
         "description": "Serveur Pangolin auto-hébergé avec des cloches et des sifflets supplémentaires",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valeur non valide",
     "idpTypeLabel": "Type de fournisseur d'identité",
     "roleMappingExpressionPlaceholder": "ex: contenu(groupes) && 'admin' || 'membre'",
+    "roleMappingModeFixedRoles": "Rôles fixes",
+    "roleMappingModeMappingBuilder": "Constructeur de cartographie",
+    "roleMappingModeRawExpression": "Expression brute",
+    "roleMappingFixedRolesPlaceholderSelect": "Sélectionnez un ou plusieurs rôles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Tapez les noms des rôles (correspondance exacte par organisation)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assigner le même jeu de rôles à chaque utilisateur auto-provisionné.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Pour les politiques par défaut, les noms de rôles de type qui existent dans chaque organisation où les utilisateurs sont fournis. Les noms doivent correspondre exactement.",
+    "roleMappingClaimPath": "Chemin de revendication",
+    "roleMappingClaimPathPlaceholder": "Groupes",
+    "roleMappingClaimPathDescription": "Chemin dans le bloc de jeton qui contient les valeurs source (par exemple, les groupes).",
+    "roleMappingMatchValue": "Valeur de la correspondance",
+    "roleMappingAssignRoles": "Assigner des rôles",
+    "roleMappingAddMappingRule": "Ajouter une règle de mappage",
+    "roleMappingRawExpressionResultDescription": "L'expression doit être évaluée à une chaîne ou un tableau de chaînes.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "L'expression doit être évaluée à une chaîne (un seul nom de rôle).",
+    "roleMappingMatchValuePlaceholder": "Valeur de la correspondance (par exemple: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Tapez les noms des rôles (exact par org)",
+    "roleMappingBuilderFreeformRowHint": "Les noms de rôle doivent correspondre à un rôle dans chaque organisation cible.",
+    "roleMappingRemoveRule": "Supprimer",
     "idpGoogleConfiguration": "Configuration Google",
     "idpGoogleConfigurationDescription": "Configurer les identifiants Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Durée de conservation des journaux d'accès",
     "logRetentionActionLabel": "Retention du journal des actions",
     "logRetentionActionDescription": "Durée de conservation du journal des actions",
+    "logRetentionConnectionLabel": "Rétention du journal de connexion",
+    "logRetentionConnectionDescription": "Durée de conservation des logs de connexion",
     "logRetentionDisabled": "Désactivé",
     "logRetention3Days": "3 jours",
     "logRetention7Days": "7 jours",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fin de l'année suivante",
     "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
     "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
+    "connectionLogs": "Journaux de connexion",
+    "connectionLogsDescription": "Voir les journaux de connexion pour les tunnels de cette organisation",
+    "sidebarLogsConnection": "Journaux de connexion",
+    "sidebarLogsStreaming": "Streaming en cours",
+    "sourceAddress": "Adresse source",
+    "destinationAddress": "Adresse de destination",
+    "duration": "Durée",
     "licenseRequiredToUse": "Une <enterpriseLicenseLink>licence Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> est requise pour utiliser cette fonctionnalité. <bookADemoLink>Réservez une démonstration ou une évaluation de POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Réservez une démo ou un essai POC</bookADemoLink>.",
     "certResolver": "Résolveur de certificat",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
     "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
     "approvalsEmptyStateButtonText": "Gérer les rôles",
-    "domainErrorTitle": "Nous avons des difficultés à vérifier votre domaine"
+    "domainErrorTitle": "Nous avons des difficultés à vérifier votre domaine",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configurer les politiques de mappage des rôles et de l'organisation dans l'onglet <policiesTabLink>Paramètres de la fourniture automatique</policiesTabLink>.",
+    "streamingTitle": "Streaming d'événements",
+    "streamingDescription": "Diffusez en temps réel des événements de votre organisation vers des destinations externes.",
+    "streamingUnnamedDestination": "Destination sans nom",
+    "streamingNoUrlConfigured": "Aucune URL configurée",
+    "streamingAddDestination": "Ajouter une destination",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Envoyez des événements à n'importe quel point de terminaison HTTP avec une authentification flexible et un template.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Flux d'événements vers un compartiment de stockage d'objet compatible S3. Bientôt.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Transférer des événements directement sur votre compte Datadog. Prochainement.",
+    "streamingTypePickerDescription": "Choisissez un type de destination pour commencer.",
+    "streamingFailedToLoad": "Impossible de charger les destinations",
+    "streamingUnexpectedError": "Une erreur inattendue s'est produite.",
+    "streamingFailedToUpdate": "Impossible de mettre à jour la destination",
+    "streamingDeletedSuccess": "Destination supprimée avec succès",
+    "streamingFailedToDelete": "Impossible de supprimer la destination",
+    "streamingDeleteTitle": "Supprimer la destination",
+    "streamingDeleteButtonText": "Supprimer la destination",
+    "streamingDeleteDialogAreYouSure": "Êtes-vous sûr de vouloir supprimer",
+    "streamingDeleteDialogThisDestination": "cette destination",
+    "streamingDeleteDialogPermanentlyRemoved": "? Toutes les configurations seront définitivement supprimées.",
+    "httpDestEditTitle": "Modifier la destination",
+    "httpDestAddTitle": "Ajouter une destination HTTP",
+    "httpDestEditDescription": "Mettre à jour la configuration pour cette destination de streaming d'événements HTTP.",
+    "httpDestAddDescription": "Configurez un nouveau point de terminaison HTTP pour recevoir les événements de votre organisation.",
+    "httpDestTabSettings": "Réglages",
+    "httpDestTabHeaders": "En-têtes",
+    "httpDestTabBody": "Corps",
+    "httpDestTabLogs": "Journaux",
+    "httpDestNamePlaceholder": "Ma destination HTTP",
+    "httpDestUrlLabel": "URL de destination",
+    "httpDestUrlErrorHttpRequired": "L'URL doit utiliser http ou https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS est requis pour les déploiements du cloud",
+    "httpDestUrlErrorInvalid": "Entrez une URL valide (par exemple https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentification",
+    "httpDestAuthDescription": "Choisissez comment les requêtes à votre terminaison sont authentifiées.",
+    "httpDestAuthNoneTitle": "Aucune authentification",
+    "httpDestAuthNoneDescription": "Envoie des requêtes sans en-tête d'autorisation.",
+    "httpDestAuthBearerTitle": "Jeton de Porteur",
+    "httpDestAuthBearerDescription": "Ajoute un en-tête Authorization: Bearer <token> à chaque requête.",
+    "httpDestAuthBearerPlaceholder": "Votre clé API ou votre jeton",
+    "httpDestAuthBasicTitle": "Authentification basique",
+    "httpDestAuthBasicDescription": "Ajoute une autorisation : en-tête de base <credentials> . Fournissez des informations d'identification comme nom d'utilisateur:mot de passe.",
+    "httpDestAuthBasicPlaceholder": "nom d'utilisateur:mot de passe",
+    "httpDestAuthCustomTitle": "En-tête personnalisé",
+    "httpDestAuthCustomDescription": "Spécifiez un nom d'en-tête HTTP personnalisé et une valeur pour l'authentification (par exemple X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nom de l'en-tête (par exemple X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valeur de l'en-tête",
+    "httpDestCustomHeadersTitle": "En-têtes HTTP personnalisés",
+    "httpDestCustomHeadersDescription": "Ajouter des en-têtes personnalisés à chaque requête sortante. Utile pour les jetons statiques ou un type de contenu personnalisé. Par défaut, Content-Type: application/json est envoyé.",
+    "httpDestNoHeadersConfigured": "Aucun en-tête personnalisé configuré. Cliquez sur \"Ajouter un en-tête\" pour en ajouter un.",
+    "httpDestHeaderNamePlaceholder": "Nom de l'en-tête",
+    "httpDestHeaderValuePlaceholder": "Valeur",
+    "httpDestAddHeader": "Ajouter un en-tête",
+    "httpDestBodyTemplateTitle": "Modèle de corps personnalisé",
+    "httpDestBodyTemplateDescription": "Contrôle la structure de charge utile JSON envoyée à votre terminal. Si désactivé, un objet JSON par défaut est envoyé pour chaque événement.",
+    "httpDestEnableBodyTemplate": "Activer le modèle de corps personnalisé",
+    "httpDestBodyTemplateLabel": "Modèle de corps (JSON)",
+    "httpDestBodyTemplateHint": "Utilisez les variables de modèle pour référencer les champs d'événement dans votre charge utile.",
+    "httpDestPayloadFormatTitle": "Format de la charge utile",
+    "httpDestPayloadFormatDescription": "Comment les événements sont sérialisés dans chaque corps de requête.",
+    "httpDestFormatJsonArrayTitle": "Tableau JSON",
+    "httpDestFormatJsonArrayDescription": "Une requête par lot, le corps est un tableau JSON. Compatible avec la plupart des webhooks génériques et des datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Une requête par lot, body est un JSON délimité par une nouvelle ligne — un objet par ligne, pas de tableau extérieur. Requis par Splunk HEC, Elastic / OpenSearch, et Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un événement par demande",
+    "httpDestFormatSingleDescription": "Envoie un POST HTTP séparé pour chaque événement individuel. Utilisé uniquement pour les terminaux qui ne peuvent pas gérer des lots.",
+    "httpDestLogTypesTitle": "Types de logs",
+    "httpDestLogTypesDescription": "Choisissez quels types de journaux sont envoyés à cette destination. Seuls les types de journaux activés seront diffusés.",
+    "httpDestAccessLogsTitle": "Journaux d'accès",
+    "httpDestAccessLogsDescription": "Tentatives d'accès aux ressources, y compris les demandes authentifiées et refusées.",
+    "httpDestActionLogsTitle": "Journaux des actions",
+    "httpDestActionLogsDescription": "Actions administratives effectuées par les utilisateurs au sein de l'organisation.",
+    "httpDestConnectionLogsTitle": "Journaux de connexion",
+    "httpDestConnectionLogsDescription": "Événements de connexion du site et du tunnel, y compris les connexions et les déconnexions.",
+    "httpDestRequestLogsTitle": "Journal des requêtes",
+    "httpDestRequestLogsDescription": "Journaux des requêtes HTTP pour les ressources proxiées, y compris la méthode, le chemin et le code de réponse.",
+    "httpDestSaveChanges": "Enregistrer les modifications",
+    "httpDestCreateDestination": "Créer une destination",
+    "httpDestUpdatedSuccess": "Destination mise à jour avec succès",
+    "httpDestCreatedSuccess": "Destination créée avec succès",
+    "httpDestUpdateFailed": "Impossible de mettre à jour la destination",
+    "httpDestCreateFailed": "Impossible de créer la destination"
 }

From 4bf148a4bf9beb0a32799cc2361d08d5e4b4cea4 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:46 -0700
Subject: [PATCH 110/122] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 10b83f38d..e841490b2 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -148,6 +148,11 @@
     "createLink": "Създаване на връзка",
     "resourcesNotFound": "Не са намерени ресурси",
     "resourceSearch": "Търсене на ресурси",
+    "machineSearch": "Търсене на машини",
+    "machinesSearch": "Търсене на клиенти на машини...",
+    "machineNotFound": "Не са намерени машини",
+    "userDeviceSearch": "Търсене на устройства на потребителя",
+    "userDevicesSearch": "Търсене на устройства на потребителя...",
     "openMenu": "Отваряне на менюто",
     "resource": "Ресурс",
     "title": "Заглавие",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Изтрийте API ключа",
     "apiKeysManage": "Управление на API ключове",
     "apiKeysDescription": "API ключове се използват за удостоверяване с интеграционния API",
+    "provisioningKeysTitle": "Ключ за осигуряване",
+    "provisioningKeysManage": "Управление на ключове за осигуряване",
+    "provisioningKeysDescription": "Ключовете за осигуряване се използват за удостоверяване на автоматичното осигуряване на сайта за вашата организация.",
+    "provisioningManage": "Осигуряване",
+    "provisioningDescription": "Управление на ключовете за осигуряване и преглед на чаканещите сайтове за одобрение.",
+    "pendingSites": "Чаканещи сайтове",
+    "siteApproveSuccess": "Сайтът е одобрен успешно",
+    "siteApproveError": "Грешка при одобряването на сайта",
+    "provisioningKeys": "Ключове за осигуряване",
+    "searchProvisioningKeys": "Търсене на ключове за осигуряване...",
+    "provisioningKeysAdd": "Генериране на ключ за осигуряване",
+    "provisioningKeysErrorDelete": "Грешка при изтриване на ключ за осигуряване",
+    "provisioningKeysErrorDeleteMessage": "Грешка при изтриване на ключ за осигуряване",
+    "provisioningKeysQuestionRemove": "Сигурни ли сте, че искате да премахнете този ключ за осигуряване от организацията?",
+    "provisioningKeysMessageRemove": "След като бъде премахнат, ключът няма да бъде използван за осигуряване на сайтове.",
+    "provisioningKeysDeleteConfirm": "Потвърдете изтриването на ключ за осигуряване",
+    "provisioningKeysDelete": "Изтриване на ключ за осигуряване",
+    "provisioningKeysCreate": "Генериране на ключ за осигуряване",
+    "provisioningKeysCreateDescription": "Генерирайте нов ключ за осигуряване за организацията",
+    "provisioningKeysSeeAll": "Вижте всички ключове за осигуряване",
+    "provisioningKeysSave": "Запазете ключа за осигуряване",
+    "provisioningKeysSaveDescription": "Ще можете да видите това само веднъж. Копирайте го на сигурно място.",
+    "provisioningKeysErrorCreate": "Грешка при създаване на ключ за осигуряване",
+    "provisioningKeysList": "Нов ключ за осигуряване",
+    "provisioningKeysMaxBatchSize": "Максимален размер на пакет",
+    "provisioningKeysUnlimitedBatchSize": "Неограничен размер на партида (без лимит)",
+    "provisioningKeysMaxBatchUnlimited": "Неограничено",
+    "provisioningKeysMaxBatchSizeInvalid": "Въведете валиден максимален размер на партида (1–1,000,000).",
+    "provisioningKeysValidUntil": "Валиден до",
+    "provisioningKeysValidUntilHint": "Оставете празно за неограничено валидност.",
+    "provisioningKeysValidUntilInvalid": "Въведете валидна дата и час.",
+    "provisioningKeysNumUsed": "Брой използвания",
+    "provisioningKeysLastUsed": "Последно използван",
+    "provisioningKeysNoExpiry": "Без изтичане",
+    "provisioningKeysNeverUsed": "Никога",
+    "provisioningKeysEdit": "Редактиране на ключ за осигуряване",
+    "provisioningKeysEditDescription": "Актуализирайте максималния размер на партида и времето на изтичане за този ключ.",
+    "provisioningKeysApproveNewSites": "Одобрете нови сайтове",
+    "provisioningKeysApproveNewSitesDescription": "Автоматично одобряване на сайтове, които се регистрират с този ключ.",
+    "provisioningKeysUpdateError": "Грешка при актуализирането на ключа за осигуряване",
+    "provisioningKeysUpdated": "Ключът за осигуряване е актуализиран",
+    "provisioningKeysUpdatedDescription": "Вашите промени бяха запазени.",
+    "provisioningKeysBannerTitle": "Ключове за осигуряване на сайта",
+    "provisioningKeysBannerDescription": "Генерирайте ключ за осигуряване и го използвайте с Newt конектора за автоматично създаване на сайтове при първото стартиране — няма нужда от създаване на отделни идентификационни данни за всеки сайт.",
+    "provisioningKeysBannerButtonText": "Научете повече",
+    "pendingSitesBannerTitle": "Чакащи сайтове",
+    "pendingSitesBannerDescription": "Сайтовете, които се свързват чрез ключ за осигуряване, се появяват тук за преглед. Одобрете всеки сайт, преди да стане активен и да получи достъп до вашите ресурси.",
+    "pendingSitesBannerButtonText": "Научете повече",
     "apiKeysSettings": "Настройки на {apiKeyName}",
     "userTitle": "Управление на всички потребители",
     "userDescription": "Преглед и управление на всички потребители в системата",
@@ -509,9 +562,12 @@
     "userSaved": "Потребителят е запазен",
     "userSavedDescription": "Потребителят беше актуализиран.",
     "autoProvisioned": "Автоматично предоставено",
+    "autoProvisionSettings": "Настройки за автоматично осигуряване",
     "autoProvisionedDescription": "Позволете този потребител да бъде автоматично управляван от доставчик на идентификационни данни",
     "accessControlsDescription": "Управлявайте какво може да достъпва и прави този потребител в организацията",
     "accessControlsSubmit": "Запазване на контролите за достъп",
+    "singleRolePerUserPlanNotice": "Вашият план поддържа само една роля на потребител.",
+    "singleRolePerUserEditionNotice": "Това издание поддържа само една роля на потребител.",
     "roles": "Роли",
     "accessUsersRoles": "Управление на потребители и роли",
     "accessUsersRolesDescription": "Поканете потребители и ги добавете към роли, за да управлявате достъпа до организацията",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Въведете конфигурационния токен от сървърната конзола.",
     "setupTokenRequired": "Необходим е конфигурационен токен",
     "actionUpdateSite": "Актуализиране на сайт",
+    "actionResetSiteBandwidth": "Нулиране на честотната лента на организацията",
     "actionListSiteRoles": "Изброяване на позволените роли за сайта",
     "actionCreateResource": "Създаване на ресурс",
     "actionDeleteResource": "Изтриване на ресурс",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Изтрийте потребител",
     "actionListUsers": "Изброяване на потребители",
     "actionAddUserRole": "Добавяне на роля на потребител",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Задайте роли на потребители",
     "actionGenerateAccessToken": "Генериране на токен за достъп",
     "actionDeleteAccessToken": "Изтриване на токен за достъп",
     "actionListAccessTokens": "Изброяване на токени за достъп",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Роли",
     "sidebarShareableLinks": "Връзки",
     "sidebarApiKeys": "API ключове",
+    "sidebarProvisioning": "Осигуряване",
     "sidebarSettings": "Настройки",
     "sidebarAllUsers": "Всички потребители",
     "sidebarIdentityProviders": "Идентификационни доставчици",
@@ -1890,6 +1948,40 @@
     "exitNode": "Изходен възел",
     "country": "Държава",
     "rulesMatchCountry": "Понастоящем на базата на изходния IP",
+    "region": "Регион",
+    "selectRegion": "Изберете регион",
+    "searchRegions": "Търсене на региони...",
+    "noRegionFound": "Регионът не е намерен.",
+    "rulesMatchRegion": "Изберете регионална групировка на държави",
+    "rulesErrorInvalidRegion": "Невалиден регион",
+    "rulesErrorInvalidRegionDescription": "Моля, изберете валиден регион.",
+    "regionAfrica": "Африка",
+    "regionNorthernAfrica": "Северна Африка",
+    "regionEasternAfrica": "Източна Африка",
+    "regionMiddleAfrica": "Централна Африка",
+    "regionSouthernAfrica": "Южна Африка",
+    "regionWesternAfrica": "Западна Африка",
+    "regionAmericas": "Америките",
+    "regionCaribbean": "Карибите",
+    "regionCentralAmerica": "Централна Америка",
+    "regionSouthAmerica": "Южна Америка",
+    "regionNorthernAmerica": "Северна Америка",
+    "regionAsia": "Азия",
+    "regionCentralAsia": "Централна Азия",
+    "regionEasternAsia": "Източна Азия",
+    "regionSouthEasternAsia": "Югоизточна Азия",
+    "regionSouthernAsia": "Южна Азия",
+    "regionWesternAsia": "Западна Азия",
+    "regionEurope": "Европа",
+    "regionEasternEurope": "Източна Европа",
+    "regionNorthernEurope": "Северна Европа",
+    "regionSouthernEurope": "Южна Европа",
+    "regionWesternEurope": "Западна Европа",
+    "regionOceania": "Океания",
+    "regionAustraliaAndNewZealand": "Австралия и Нова Зеландия",
+    "regionMelanesia": "Меланезия",
+    "regionMicronesia": "Микронезия",
+    "regionPolynesia": "Полинезия",
     "managedSelfHosted": {
         "title": "Управлявано Самостоятелно-хоствано",
         "description": "По-надежден и по-нисък поддръжка на Самостоятелно-хостван Панголиин сървър с допълнителни екстри",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Невалидна стойност",
     "idpTypeLabel": "Тип на доставчика на идентичност",
     "roleMappingExpressionPlaceholder": "напр.: contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Фиксирани роли",
+    "roleMappingModeMappingBuilder": "Строител на карти",
+    "roleMappingModeRawExpression": "Необработено израз",
+    "roleMappingFixedRolesPlaceholderSelect": "Изберете една или повече роли",
+    "roleMappingFixedRolesPlaceholderFreeform": "Въведете имена на роли (точно съвпадение на организацията)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Присвойте същият набор от роли на всеки автоматично осигурен потребител.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "За стандартните политики въведете имена на роли, които съществуват във всяка организация, където е осигурен потребител. Имената трябва да съвпадат точно.",
+    "roleMappingClaimPath": "Път на иск",
+    "roleMappingClaimPathPlaceholder": "групи",
+    "roleMappingClaimPathDescription": "Път в съдържанието на маркера, който съдържа изходни стойности (например групи).",
+    "roleMappingMatchValue": "Съвпадение на стойност",
+    "roleMappingAssignRoles": "Присвояване на роли",
+    "roleMappingAddMappingRule": "Добавяне на правило за картироване",
+    "roleMappingRawExpressionResultDescription": "Изразът трябва да бъде оценен на низ или масив от низове.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Изразът трябва да бъде оценен на низ (едно име на роля).",
+    "roleMappingMatchValuePlaceholder": "Съвпадение на стойност (например: администратор)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Въведете имена на роли (точно по организация)",
+    "roleMappingBuilderFreeformRowHint": "Имената на ролите трябва да съвпадат с роля във всяка целева организация.",
+    "roleMappingRemoveRule": "Премахни",
     "idpGoogleConfiguration": "Конфигурация на Google",
     "idpGoogleConfigurationDescription": "Конфигурирайте Google OAuth2 идентификационни данни",
     "idpGoogleClientIdDescription": "Google OAuth2 идентификационен клиент",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Колко дълго да се задържат логовете за достъп",
     "logRetentionActionLabel": "Задържане на логове за действия",
     "logRetentionActionDescription": "Колко дълго да се задържат логовете за действия",
+    "logRetentionConnectionLabel": "Запазване на дневниците на връзките",
+    "logRetentionConnectionDescription": "Колко дълго да се съхраняват дневниците на връзките",
     "logRetentionDisabled": "Деактивирано",
     "logRetention3Days": "3 дни",
     "logRetention7Days": "7 дни",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Край на следващата година",
     "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
     "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
+    "connectionLogs": "Логове на връзката",
+    "connectionLogsDescription": "Вижте логовете на връзките за тунелите в тази организация",
+    "sidebarLogsConnection": "Логове на връзката",
+    "sidebarLogsStreaming": "Потоци",
+    "sourceAddress": "Източен адрес",
+    "destinationAddress": "Адрес на дестинация",
+    "duration": "Продължителност",
     "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> за използване на тази функция. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> е необходим за използване на тази функция. Тази функция също е налична в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
     "certResolver": "Решавач на сертификати",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
     "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
     "approvalsEmptyStateButtonText": "Управлявайте роли",
-    "domainErrorTitle": "Имаме проблем с проверката на вашия домейн"
+    "domainErrorTitle": "Имаме проблем с проверката на вашия домейн",
+    "idpAdminAutoProvisionPoliciesTabHint": "Конфигурирайте картографирането на ролите и организационните политики на раздела <policiesTabLink>Настройки за автоматично осигуряване</policiesTabLink>.",
+    "streamingTitle": "Събитийни потоци",
+    "streamingDescription": "Предавайте събития от вашата организация до външни дестинации в реално време.",
+    "streamingUnnamedDestination": "Неименувана дестинация",
+    "streamingNoUrlConfigured": "Не е конфигуриран URL",
+    "streamingAddDestination": "Добавяне на дестинация",
+    "streamingHttpWebhookTitle": "HTTP Уеб хук",
+    "streamingHttpWebhookDescription": "Изпратете събития до всяка HTTP крайна точка с гъвкаво удостоверяване и шаблониране.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Предавайте събития на хранилище, съвместимо с S3. Очаквайте скоро.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Пресочвайте събития директно към вашият акаунт в Datadog. Очаквайте скоро.",
+    "streamingTypePickerDescription": "Изберете вид на дестинацията, за да започнете.",
+    "streamingFailedToLoad": "Неуспешно зареждане на дестинации",
+    "streamingUnexpectedError": "Възникна неочаквана грешка.",
+    "streamingFailedToUpdate": "Неуспешно актуализиране на дестинация",
+    "streamingDeletedSuccess": "Дестинацията беше изтрита успешно",
+    "streamingFailedToDelete": "Неуспешно изтриване на дестинацията",
+    "streamingDeleteTitle": "Изтриване на дестинация",
+    "streamingDeleteButtonText": "Изтриване на дестинация",
+    "streamingDeleteDialogAreYouSure": "Сигурни ли сте, че искате да изтриете",
+    "streamingDeleteDialogThisDestination": "тази дестинация",
+    "streamingDeleteDialogPermanentlyRemoved": "? Всички конфигурации ще бъдат премахнати завинаги.",
+    "httpDestEditTitle": "Редактиране на дестинация",
+    "httpDestAddTitle": "Добавяне на HTTP дестинация",
+    "httpDestEditDescription": "Актуализирайте конфигурацията за този HTTP събитий.",
+    "httpDestAddDescription": "Конфигурирайте нов HTTP крайна точка, за да получавате събития на вашата организация.",
+    "httpDestTabSettings": "Настройки",
+    "httpDestTabHeaders": "Заглавки",
+    "httpDestTabBody": "Тяло",
+    "httpDestTabLogs": "Логове",
+    "httpDestNamePlaceholder": "Моята HTTP дестинация",
+    "httpDestUrlLabel": "Дестинация URL",
+    "httpDestUrlErrorHttpRequired": "URL адресът трябва да използва http или https",
+    "httpDestUrlErrorHttpsRequired": "SSL е необходимо за облачни инсталации",
+    "httpDestUrlErrorInvalid": "Въведете валиден URL (напр. https://example.com/webhook)",
+    "httpDestAuthTitle": "Удостоверяване",
+    "httpDestAuthDescription": "Изберете как заявленията ви се удостоверяват.",
+    "httpDestAuthNoneTitle": "Без удостоверяване",
+    "httpDestAuthNoneDescription": "Изпращане на заявки без заглавие за удостоверяване.",
+    "httpDestAuthBearerTitle": "Bearer Токен",
+    "httpDestAuthBearerDescription": "Добавя заглавие за удостоверяване Bearer <token> към всяка заявка.",
+    "httpDestAuthBearerPlaceholder": "Вашият API ключ или токен",
+    "httpDestAuthBasicTitle": "Основно удостоверяване",
+    "httpDestAuthBasicDescription": "Добавя заглавие за удостоверяване Basic <credentials> към всяка заявка. Осигурете идентификационни данни като потребителско име:парола.",
+    "httpDestAuthBasicPlaceholder": "потребителско име:парола",
+    "httpDestAuthCustomTitle": "Персонализирано заглавие",
+    "httpDestAuthCustomDescription": "Посочете персонализирано име и стойност на заглавието за удостоверяване (например X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Имя на заглавието (напр. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Стойност на заглавието",
+    "httpDestCustomHeadersTitle": "Персонализирани заглавия за HTTP",
+    "httpDestCustomHeadersDescription": "Добавяне на персонализирани заглавия към всяка изходяща заявка. Полезно за статични токени или персонални Content-Type. По подразбиране се изпраща Content-Type: application/json.",
+    "httpDestNoHeadersConfigured": "Персонализирани заглавия не са конфигурирани. Кликнете \"Добавяне на заглавие\" да добавите такова.",
+    "httpDestHeaderNamePlaceholder": "Име на заглавието",
+    "httpDestHeaderValuePlaceholder": "Стойност на заглавието",
+    "httpDestAddHeader": "Добавяне на заглавие",
+    "httpDestBodyTemplateTitle": "Шаблон на персонализирано тяло",
+    "httpDestBodyTemplateDescription": "Управлявайте структурата на JSON съобщението, изпратено до вашата крайна точка. Ако е деактивирано, по подразбиране се изпраща JSON обект за всяко събитие.",
+    "httpDestEnableBodyTemplate": "Активиране на персонализиран шаблон на тяло",
+    "httpDestBodyTemplateLabel": "Шаблон за тяло (JSON)",
+    "httpDestBodyTemplateHint": "Използвайте шаблонни променливи за позоваване на полетата на събитията в съобщението си.",
+    "httpDestPayloadFormatTitle": "Формат на полезния товар",
+    "httpDestPayloadFormatDescription": "Как се сериализират събитията във всеки заявка.",
+    "httpDestFormatJsonArrayTitle": "JSON масив",
+    "httpDestFormatJsonArrayDescription": "Една заявка на партида, тялото е JSON масив. Съвместим с повечето общи уеб куки и Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Една заявка на партида, тялото е ново линии отделени JSON — един обект на ред, няма външен масив. Изисквано от Splunk HEC, Elastic / OpenSearch и Grafana.",
+    "httpDestFormatSingleTitle": "Едно събитие на заявка",
+    "httpDestFormatSingleDescription": "Изпращат се отделни HTTP POST за всяко индивидуално събитие. Използвайте само за крайни точки, които не могат да обработват партиди.",
+    "httpDestLogTypesTitle": "Видове логове",
+    "httpDestLogTypesDescription": "Изберете кои видове журнални записи ще се предават към тази дестинация. Предаването ще се прави само за активирани видове журнални записи.",
+    "httpDestAccessLogsTitle": "Логове за достъп",
+    "httpDestAccessLogsDescription": "Опити за достъп до ресурс, включително удостоверени и отказани заявки.",
+    "httpDestActionLogsTitle": "Логове на действия",
+    "httpDestActionLogsDescription": "Административни действия, извършени от потребители в организацията.",
+    "httpDestConnectionLogsTitle": "Логове на връзката",
+    "httpDestConnectionLogsDescription": "Събития на свързване и прекъсване на сайта и тунела, включително свръзки и прекъсвания.",
+    "httpDestRequestLogsTitle": "Заявки за логове",
+    "httpDestRequestLogsDescription": "Регистри за HTTP заявките към проксирани ресурси, включително метод, път и код на отговор.",
+    "httpDestSaveChanges": "Запази промените",
+    "httpDestCreateDestination": "Създаване на дестинация",
+    "httpDestUpdatedSuccess": "Дестинацията беше актуализирана успешно",
+    "httpDestCreatedSuccess": "Дестинацията беше създадена успешно",
+    "httpDestUpdateFailed": "Неуспешно актуализиране на дестинацията",
+    "httpDestCreateFailed": "Неуспешно създаване на дестинацията"
 }

From c8e83fedeb464e744d9197496e2e44d83f8fb5b8 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:48 -0700
Subject: [PATCH 111/122] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index ea12fe535..fe5de4199 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -148,6 +148,11 @@
     "createLink": "Vytvořit odkaz",
     "resourcesNotFound": "Nebyly nalezeny žádné zdroje",
     "resourceSearch": "Vyhledat zdroje",
+    "machineSearch": "Vyhledávací stroje",
+    "machinesSearch": "Hledat klienty stroje...",
+    "machineNotFound": "Nebyly nalezeny žádné stroje",
+    "userDeviceSearch": "Hledat uživatelská zařízení",
+    "userDevicesSearch": "Hledat uživatelská zařízení...",
     "openMenu": "Otevřít nabídku",
     "resource": "Zdroj",
     "title": "Název",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Odstranit klíč API",
     "apiKeysManage": "Správa API klíčů",
     "apiKeysDescription": "API klíče se používají k ověření s integračním API",
+    "provisioningKeysTitle": "Zajišťovací klíč",
+    "provisioningKeysManage": "Spravovat zajišťovací klíče",
+    "provisioningKeysDescription": "Zajišťovací klíče slouží k ověření automatického poskytování služeb vaší organizaci.",
+    "provisioningManage": "Zajištění",
+    "provisioningDescription": "Spravovat klíče pro nastavení a zkontrolovat čekající stránky čekající na schválení.",
+    "pendingSites": "Nevyřízené weby",
+    "siteApproveSuccess": "Web byl úspěšně schválen",
+    "siteApproveError": "Chyba při schvalování webu",
+    "provisioningKeys": "Poskytovací klíče",
+    "searchProvisioningKeys": "Hledat klíče k zajišťování...",
+    "provisioningKeysAdd": "Generovat zajišťovací klíč",
+    "provisioningKeysErrorDelete": "Chyba při odstraňování klíče pro úpravu",
+    "provisioningKeysErrorDeleteMessage": "Chyba při odstraňování klíče pro úpravu",
+    "provisioningKeysQuestionRemove": "Jste si jisti, že chcete odstranit tento konfigurační klíč z organizace?",
+    "provisioningKeysMessageRemove": "Jakmile je klíč odstraněn, nelze již použít pro poskytování služeb.",
+    "provisioningKeysDeleteConfirm": "Potvrdit odstranění zajišťovacího klíče",
+    "provisioningKeysDelete": "Odstranit zajišťovací klíč",
+    "provisioningKeysCreate": "Generovat zajišťovací klíč",
+    "provisioningKeysCreateDescription": "Vygenerovat nový klíč pro organizaci",
+    "provisioningKeysSeeAll": "Zobrazit všechny doplňovací klíče",
+    "provisioningKeysSave": "Uložit konfigurační klíč",
+    "provisioningKeysSaveDescription": "Toto můžete vidět pouze jednou. Zkopírujte ho na bezpečné místo.",
+    "provisioningKeysErrorCreate": "Chyba při vytváření doplňovacího klíče",
+    "provisioningKeysList": "Nový klíč pro poskytování informací",
+    "provisioningKeysMaxBatchSize": "Maximální velikost dávky",
+    "provisioningKeysUnlimitedBatchSize": "Neomezená velikost šarže (bez omezení)",
+    "provisioningKeysMaxBatchUnlimited": "Bez omezení",
+    "provisioningKeysMaxBatchSizeInvalid": "Zadejte platnou maximální velikost šarže (1–1,000,000).",
+    "provisioningKeysValidUntil": "Platné do",
+    "provisioningKeysValidUntilHint": "Ponechte prázdné, pokud vyprší platnost.",
+    "provisioningKeysValidUntilInvalid": "Zadejte platné datum a čas.",
+    "provisioningKeysNumUsed": "Časy použití",
+    "provisioningKeysLastUsed": "Naposledy použito",
+    "provisioningKeysNoExpiry": "Bez vypršení platnosti",
+    "provisioningKeysNeverUsed": "Nikdy",
+    "provisioningKeysEdit": "Upravit zajišťovací klíč",
+    "provisioningKeysEditDescription": "Aktualizujte maximální velikost dávky a dobu vypršení platnosti tohoto klíče.",
+    "provisioningKeysApproveNewSites": "Schválit nové stránky",
+    "provisioningKeysApproveNewSitesDescription": "Automaticky schvalovat weby, které se registrují pomocí tohoto klíče.",
+    "provisioningKeysUpdateError": "Chyba při aktualizaci klíče",
+    "provisioningKeysUpdated": "Zajišťovací klíč byl aktualizován",
+    "provisioningKeysUpdatedDescription": "Vaše změny byly uloženy.",
+    "provisioningKeysBannerTitle": "Klíče pro poskytování webu",
+    "provisioningKeysBannerDescription": "Vygenerujte konfigurační klíč a používejte jej pomocí nového konektoru k automatickému vytváření stránek při prvním startu – není třeba nastavovat samostatné přihlašovací údaje pro každý web.",
+    "provisioningKeysBannerButtonText": "Zjistit více",
+    "pendingSitesBannerTitle": "Nevyřízené weby",
+    "pendingSitesBannerDescription": "Zde se zobrazují stránky, které se připojují pomocí doplňovacího klíče. Schválte každý web předtím, než bude aktivní, a získejte přístup k vašim zdrojům.",
+    "pendingSitesBannerButtonText": "Zjistit více",
     "apiKeysSettings": "Nastavení {apiKeyName}",
     "userTitle": "Spravovat všechny uživatele",
     "userDescription": "Zobrazit a spravovat všechny uživatele v systému",
@@ -509,9 +562,12 @@
     "userSaved": "Uživatel uložen",
     "userSavedDescription": "Uživatel byl aktualizován.",
     "autoProvisioned": "Automaticky poskytnuto",
+    "autoProvisionSettings": "Automatická nastavení",
     "autoProvisionedDescription": "Povolit tomuto uživateli automaticky spravovat poskytovatel identity",
     "accessControlsDescription": "Spravovat co může tento uživatel přistupovat a dělat v organizaci",
     "accessControlsSubmit": "Uložit kontroly přístupu",
+    "singleRolePerUserPlanNotice": "Váš plán podporuje pouze jednu roli na uživatele.",
+    "singleRolePerUserEditionNotice": "Tato verze podporuje pouze jednu roli na uživatele.",
     "roles": "Role",
     "accessUsersRoles": "Spravovat uživatele a role",
     "accessUsersRolesDescription": "Pozvěte uživatele a přidejte je do rolí pro správu přístupu k organizaci",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Zadejte nastavovací token z konzole serveru.",
     "setupTokenRequired": "Je vyžadován token nastavení",
     "actionUpdateSite": "Aktualizovat stránku",
+    "actionResetSiteBandwidth": "Resetovat šířku pásma organizace",
     "actionListSiteRoles": "Seznam povolených rolí webu",
     "actionCreateResource": "Vytvořit zdroj",
     "actionDeleteResource": "Odstranit dokument",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Odstranit uživatele",
     "actionListUsers": "Seznam uživatelů",
     "actionAddUserRole": "Přidat uživatelskou roli",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Nastavit uživatelské role",
     "actionGenerateAccessToken": "Generovat přístupový token",
     "actionDeleteAccessToken": "Odstranit přístupový token",
     "actionListAccessTokens": "Seznam přístupových tokenů",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Role",
     "sidebarShareableLinks": "Odkazy",
     "sidebarApiKeys": "API klíče",
+    "sidebarProvisioning": "Zajištění",
     "sidebarSettings": "Nastavení",
     "sidebarAllUsers": "Všichni uživatelé",
     "sidebarIdentityProviders": "Poskytovatelé identity",
@@ -1890,6 +1948,40 @@
     "exitNode": "Ukončit uzel",
     "country": "L 343, 22.12.2009, s. 1).",
     "rulesMatchCountry": "Aktuálně založené na zdrojové IP adrese",
+    "region": "Oblasti",
+    "selectRegion": "Vyberte region",
+    "searchRegions": "Hledat regiony...",
+    "noRegionFound": "Nebyl nalezen žádný region.",
+    "rulesMatchRegion": "Vyberte regionální seskupení zemí",
+    "rulesErrorInvalidRegion": "Neplatný region",
+    "rulesErrorInvalidRegionDescription": "Vyberte prosím platný region.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Severní Afrika",
+    "regionEasternAfrica": "Východní Afrika",
+    "regionMiddleAfrica": "Střední Afrika",
+    "regionSouthernAfrica": "Jižní Afrika",
+    "regionWesternAfrica": "Západní Afrika",
+    "regionAmericas": "Ameriky",
+    "regionCaribbean": "Karibské",
+    "regionCentralAmerica": "Střední Amerika",
+    "regionSouthAmerica": "Jižní Amerika",
+    "regionNorthernAmerica": "Severní Amerika",
+    "regionAsia": "Asie",
+    "regionCentralAsia": "Střední Asie",
+    "regionEasternAsia": "Východní Asie",
+    "regionSouthEasternAsia": "jihovýchodní Asie",
+    "regionSouthernAsia": "Jižní Asie",
+    "regionWesternAsia": "Západní Asie",
+    "regionEurope": "L 347, 20.12.2013, s. 965).",
+    "regionEasternEurope": "Východní Evropa",
+    "regionNorthernEurope": "Severní Evropa",
+    "regionSouthernEurope": "Jižní Evropa",
+    "regionWesternEurope": "Západní Evropa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Austrálie a Nový Zéland",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Spravované vlastní hostování",
         "description": "Spolehlivější a nízko udržovaný Pangolinův server s dalšími zvony a bičkami",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Neplatná hodnota",
     "idpTypeLabel": "Typ poskytovatele identity",
     "roleMappingExpressionPlaceholder": "např. obsahuje(skupiny, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Pevné role",
+    "roleMappingModeMappingBuilder": "Tvorba mapování",
+    "roleMappingModeRawExpression": "Surový výraz",
+    "roleMappingFixedRolesPlaceholderSelect": "Vyberte jednu nebo více rolí",
+    "roleMappingFixedRolesPlaceholderFreeform": "Napište názvy rolí (shoda podle organizace)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Přiřadit stejnou roli nastavenou každému uživateli automatického poskytování.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Pro výchozí zásady zadejte názvy rolí, které existují v každé organizaci, kde jsou uživatelé poskytováni. Jména musí přesně odpovídat.",
+    "roleMappingClaimPath": "Cesta k žádosti",
+    "roleMappingClaimPathPlaceholder": "skupiny",
+    "roleMappingClaimPathDescription": "Cesta k užitečnému zatížení tokenu, která obsahuje zdrojové hodnoty (například skupiny).",
+    "roleMappingMatchValue": "Hodnota zápasu",
+    "roleMappingAssignRoles": "Přiřadit role",
+    "roleMappingAddMappingRule": "Přidat pravidlo pro mapování",
+    "roleMappingRawExpressionResultDescription": "Výraz se musí vyhodnotit do pole řetězce nebo řetězce.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Výraz musí být vyhodnocen na řetězec (jediný název role).",
+    "roleMappingMatchValuePlaceholder": "Hodnota zápasu (například: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Napište názvy rolí (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Názvy rolí musí odpovídat roli v každé cílové organizaci.",
+    "roleMappingRemoveRule": "Odstranit",
     "idpGoogleConfiguration": "Konfigurace Google",
     "idpGoogleConfigurationDescription": "Konfigurace přihlašovacích údajů Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Jak dlouho uchovávat přístupové záznamy",
     "logRetentionActionLabel": "Uchovávání protokolu akcí",
     "logRetentionActionDescription": "Jak dlouho uchovávat záznamy akcí",
+    "logRetentionConnectionLabel": "Uchovávání protokolu připojení",
+    "logRetentionConnectionDescription": "Jak dlouho uchovávat protokoly připojení",
     "logRetentionDisabled": "Zakázáno",
     "logRetention3Days": "3 dny",
     "logRetention7Days": "7 dní",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Konec následujícího roku",
     "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
     "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
+    "connectionLogs": "Protokoly připojení",
+    "connectionLogsDescription": "Zobrazit protokoly připojení pro tunely v této organizaci",
+    "sidebarLogsConnection": "Protokoly připojení",
+    "sidebarLogsStreaming": "Streamování",
+    "sourceAddress": "Zdrojová adresa",
+    "destinationAddress": "Cílová adresa",
+    "duration": "Doba trvání",
     "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> nebo <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Rezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
     "certResolver": "Oddělovač certifikátů",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
     "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
     "approvalsEmptyStateButtonText": "Spravovat role",
-    "domainErrorTitle": "Máme problém s ověřením tvé domény"
+    "domainErrorTitle": "Máme problém s ověřením tvé domény",
+    "idpAdminAutoProvisionPoliciesTabHint": "Nastavte pravidla mapování rolí a organizace na kartě <policiesTabLink>Automatická úprava nastavení</policiesTabLink>.",
+    "streamingTitle": "Streamování událostí",
+    "streamingDescription": "Streamujte události z vaší organizace do externích destinací v reálném čase.",
+    "streamingUnnamedDestination": "Nepojmenovaný cíl",
+    "streamingNoUrlConfigured": "Není nakonfigurována žádná URL",
+    "streamingAddDestination": "Přidat cíl",
+    "streamingHttpWebhookTitle": "HTTP webový háček",
+    "streamingHttpWebhookDescription": "Odeslat události na libovolný HTTP koncový bod s pružnou autentizací a šablonou.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Streamujte události do úložiště, které je kompatibilní se S3. Brzy přijde.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Přeposlat události přímo do vašeho účtu Datadog účtu. Brzy přijde.",
+    "streamingTypePickerDescription": "Vyberte cílový typ pro začátek.",
+    "streamingFailedToLoad": "Nepodařilo se načíst destinace",
+    "streamingUnexpectedError": "Došlo k neočekávané chybě.",
+    "streamingFailedToUpdate": "Nepodařilo se aktualizovat cíl",
+    "streamingDeletedSuccess": "Cíl byl úspěšně odstraněn",
+    "streamingFailedToDelete": "Nepodařilo se odstranit cíl",
+    "streamingDeleteTitle": "Odstranit cíl",
+    "streamingDeleteButtonText": "Odstranit cíl",
+    "streamingDeleteDialogAreYouSure": "Jste si jisti, že chcete odstranit",
+    "streamingDeleteDialogThisDestination": "tato destinace",
+    "streamingDeleteDialogPermanentlyRemoved": "? Všechny konfigurace budou trvale odstraněny.",
+    "httpDestEditTitle": "Upravit cíl",
+    "httpDestAddTitle": "Přidat cíl HTTP",
+    "httpDestEditDescription": "Aktualizovat konfiguraci pro tuto destinaci HTTP události",
+    "httpDestAddDescription": "Konfigurace nového koncového bodu HTTP pro příjem událostí vaší organizace.",
+    "httpDestTabSettings": "Nastavení",
+    "httpDestTabHeaders": "Záhlaví",
+    "httpDestTabBody": "Tělo",
+    "httpDestTabLogs": "Logy",
+    "httpDestNamePlaceholder": "Moje HTTP cíl",
+    "httpDestUrlLabel": "Cílová adresa URL",
+    "httpDestUrlErrorHttpRequired": "URL musí používat http nebo https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS je vyžadován při nasazení do cloudu",
+    "httpDestUrlErrorInvalid": "Zadejte platnou URL (např. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autentifikace",
+    "httpDestAuthDescription": "Zvolte, jak jsou požadavky na tvůj koncový bod ověřeny.",
+    "httpDestAuthNoneTitle": "Žádné ověření",
+    "httpDestAuthNoneDescription": "Odešle žádosti bez záhlaví autorizace.",
+    "httpDestAuthBearerTitle": "Token na doručitele",
+    "httpDestAuthBearerDescription": "Přidá autorizaci: Hlavička Bearer <token> ke každému požadavku.",
+    "httpDestAuthBearerPlaceholder": "Váš API klíč nebo token",
+    "httpDestAuthBasicTitle": "Základní ověření",
+    "httpDestAuthBasicDescription": "Přidá autorizaci: Základní <credentials> hlavička. Poskytněte přihlašovací údaje jako uživatelské jméno:password.",
+    "httpDestAuthBasicPlaceholder": "uživatelské jméno:heslo",
+    "httpDestAuthCustomTitle": "Vlastní záhlaví",
+    "httpDestAuthCustomDescription": "Zadejte název a hodnotu vlastního HTTP hlavičky pro ověření (např. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Název záhlaví (např. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Hodnota záhlaví",
+    "httpDestCustomHeadersTitle": "Vlastní HTTP hlavičky",
+    "httpDestCustomHeadersDescription": "Přidat vlastní hlavičky ke každému odchozímu požadavku. Užitečné pro statické tokeny nebo vlastní Typ obsahu. Ve výchozím nastavení je typ obsahu: application/json.",
+    "httpDestNoHeadersConfigured": "Nejsou nakonfigurovány žádné vlastní záhlaví. Pro přidání klikněte na \"Přidat záhlaví\".",
+    "httpDestHeaderNamePlaceholder": "Název záhlaví",
+    "httpDestHeaderValuePlaceholder": "Hodnota",
+    "httpDestAddHeader": "Přidat záhlaví",
+    "httpDestBodyTemplateTitle": "Vlastní šablona těla",
+    "httpDestBodyTemplateDescription": "Ovládá strukturu užitečného zatížení JSON odeslanou na váš koncový bod. Pokud je vypnuto, je pro každou událost zaslán výchozí objekt JSON.",
+    "httpDestEnableBodyTemplate": "Povolit vlastní šablonu těla",
+    "httpDestBodyTemplateLabel": "Šablona těla (JSON)",
+    "httpDestBodyTemplateHint": "Použijte šablonové proměnné pro referenční pole události ve vašem užitečném zatížení.",
+    "httpDestPayloadFormatTitle": "Formát datového zatížení",
+    "httpDestPayloadFormatDescription": "Jak jsou události serializovány v každém žádajícím subjektu.",
+    "httpDestFormatJsonArrayTitle": "JSON pole",
+    "httpDestFormatJsonArrayDescription": "Jeden požadavek na každou šarži, tělo je pole JSON. Kompatibilní s většinou generických webových háčků a Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Jeden požadavek na každou šarži, tělo je nově ohraničené JSON – jeden objekt na jednu čáru, bez vnějšího pole. Vyžaduje Splunk HEC, Elastic / OpenSearch, a Grafana Loki.",
+    "httpDestFormatSingleTitle": "Jedna událost na požadavek",
+    "httpDestFormatSingleDescription": "Odešle samostatnou HTTP POST pro každou jednotlivou událost. Používejte pouze pro koncové body, které nemohou zpracovávat dávky.",
+    "httpDestLogTypesTitle": "Typy protokolů",
+    "httpDestLogTypesDescription": "Vyberte, které typy logů jsou přesměrovány do této destinace. Budou streamovány pouze povolené typy logů.",
+    "httpDestAccessLogsTitle": "Protokoly přístupu",
+    "httpDestAccessLogsDescription": "Pokusy o přístup k dokumentům, včetně ověřených a zamítnutých požadavků.",
+    "httpDestActionLogsTitle": "Záznamy akcí",
+    "httpDestActionLogsDescription": "Správní opatření prováděná uživateli v rámci organizace.",
+    "httpDestConnectionLogsTitle": "Protokoly připojení",
+    "httpDestConnectionLogsDescription": "Události týkající se připojení lokality a tunelu, včetně připojení a odpojení.",
+    "httpDestRequestLogsTitle": "Záznamy požadavků",
+    "httpDestRequestLogsDescription": "HTTP záznamy požadavků pro proxy zdroje, včetně metod, cesty a kódu odpovědi.",
+    "httpDestSaveChanges": "Uložit změny",
+    "httpDestCreateDestination": "Vytvořit cíl",
+    "httpDestUpdatedSuccess": "Cíl byl úspěšně aktualizován",
+    "httpDestCreatedSuccess": "Cíl byl úspěšně vytvořen",
+    "httpDestUpdateFailed": "Nepodařilo se aktualizovat cíl",
+    "httpDestCreateFailed": "Nepodařilo se vytvořit cíl"
 }

From a7fefc84a832f196ba374cabe9cff884b0693993 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:49 -0700
Subject: [PATCH 112/122] New translations en-us.json (German)

---
 messages/de-DE.json | 175 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 173 insertions(+), 2 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index bfced13d0..0b72ececd 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -148,6 +148,11 @@
     "createLink": "Link erstellen",
     "resourcesNotFound": "Keine Ressourcen gefunden",
     "resourceSearch": "Suche Ressourcen",
+    "machineSearch": "Maschinen suchen",
+    "machinesSearch": "Suche Maschinen-Klienten...",
+    "machineNotFound": "Keine Maschinen gefunden",
+    "userDeviceSearch": "Benutzergeräte durchsuchen",
+    "userDevicesSearch": "Benutzergeräte durchsuchen...",
     "openMenu": "Menü öffnen",
     "resource": "Ressource",
     "title": "Titel",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API-Schlüssel löschen",
     "apiKeysManage": "API-Schlüssel verwalten",
     "apiKeysDescription": "API-Schlüssel werden zur Authentifizierung mit der Integrations-API verwendet",
+    "provisioningKeysTitle": "Bereitstellungsschlüssel",
+    "provisioningKeysManage": "Bereitstellungsschlüssel verwalten",
+    "provisioningKeysDescription": "Bereitstellungsschlüssel werden verwendet, um die automatisierte Bereitstellung von Seiten für Ihr Unternehmen zu authentifizieren.",
+    "provisioningManage": "Bereitstellung",
+    "provisioningDescription": "Bereitstellungsschlüssel verwalten und ausstehende Seiten prüfen, die noch auf Genehmigung warten.",
+    "pendingSites": "Ausstehende Seiten",
+    "siteApproveSuccess": "Site erfolgreich freigegeben",
+    "siteApproveError": "Fehler beim Bestätigen der Seite",
+    "provisioningKeys": "Bereitstellungsschlüssel",
+    "searchProvisioningKeys": "Bereitstellungsschlüssel suchen...",
+    "provisioningKeysAdd": "Bereitstellungsschlüssel generieren",
+    "provisioningKeysErrorDelete": "Fehler beim Löschen des Bereitstellungsschlüssels",
+    "provisioningKeysErrorDeleteMessage": "Fehler beim Löschen des Bereitstellungsschlüssels",
+    "provisioningKeysQuestionRemove": "Sind Sie sicher, dass Sie diesen Bereitstellungsschlüssel aus der Organisation entfernen möchten?",
+    "provisioningKeysMessageRemove": "Einmal entfernt, kann der Schlüssel nicht mehr für die Bereitstellung der Site verwendet werden.",
+    "provisioningKeysDeleteConfirm": "Bereitstellungsschlüssel löschen bestätigen",
+    "provisioningKeysDelete": "Bereitstellungsschlüssel löschen",
+    "provisioningKeysCreate": "Bereitstellungsschlüssel generieren",
+    "provisioningKeysCreateDescription": "Einen neuen Bereitstellungsschlüssel für die Organisation generieren",
+    "provisioningKeysSeeAll": "Alle Bereitstellungsschlüssel anzeigen",
+    "provisioningKeysSave": "Bereitstellungsschlüssel speichern",
+    "provisioningKeysSaveDescription": "Sie können dies nur einmal sehen. Kopieren Sie es an einen sicheren Ort.",
+    "provisioningKeysErrorCreate": "Fehler beim Erstellen des Bereitstellungsschlüssels",
+    "provisioningKeysList": "Neuer Bereitstellungsschlüssel",
+    "provisioningKeysMaxBatchSize": "Max. Batch-Größe",
+    "provisioningKeysUnlimitedBatchSize": "Unbegrenzte Batch-Größe (kein Limit)",
+    "provisioningKeysMaxBatchUnlimited": "Unbegrenzt",
+    "provisioningKeysMaxBatchSizeInvalid": "Geben Sie eine gültige maximale Batchgröße ein (1–1.000.000).",
+    "provisioningKeysValidUntil": "Gültig bis",
+    "provisioningKeysValidUntilHint": "Leer lassen für keine Verjährung.",
+    "provisioningKeysValidUntilInvalid": "Geben Sie ein gültiges Datum und Zeit ein.",
+    "provisioningKeysNumUsed": "Verwendete Zeiten",
+    "provisioningKeysLastUsed": "Zuletzt verwendet",
+    "provisioningKeysNoExpiry": "Kein Ablauf",
+    "provisioningKeysNeverUsed": "Nie",
+    "provisioningKeysEdit": "Bereitstellungsschlüssel bearbeiten",
+    "provisioningKeysEditDescription": "Aktualisieren Sie die maximale Batch-Größe und Ablaufzeit für diesen Schlüssel.",
+    "provisioningKeysApproveNewSites": "Neue Seiten genehmigen",
+    "provisioningKeysApproveNewSitesDescription": "Sites, die sich mit diesem Schlüssel registrieren, automatisch freigeben.",
+    "provisioningKeysUpdateError": "Fehler beim Aktualisieren des Bereitstellungsschlüssels",
+    "provisioningKeysUpdated": "Bereitstellungsschlüssel aktualisiert",
+    "provisioningKeysUpdatedDescription": "Ihre Änderungen wurden gespeichert.",
+    "provisioningKeysBannerTitle": "Website-Bereitstellungsschlüssel",
+    "provisioningKeysBannerDescription": "Generieren Sie einen Bereitstellungsschlüssel und verwenden Sie ihn mit dem Newt-Konnektor, um beim ersten Start automatisch Sites zu erstellen – keine Notwendigkeit, separate Anmeldeinformationen für jede Seite einzurichten.",
+    "provisioningKeysBannerButtonText": "Mehr erfahren",
+    "pendingSitesBannerTitle": "Ausstehende Seiten",
+    "pendingSitesBannerDescription": "Sites, die sich mit einem Bereitstellungsschlüssel verbinden, erscheinen hier zur Überprüfung. Bestätigen Sie jede Site, bevor sie aktiv wird und erhalten Zugriff auf Ihre Ressourcen.",
+    "pendingSitesBannerButtonText": "Mehr erfahren",
     "apiKeysSettings": "{apiKeyName} Einstellungen",
     "userTitle": "Alle Benutzer verwalten",
     "userDescription": "Alle Benutzer im System anzeigen und verwalten",
@@ -509,9 +562,12 @@
     "userSaved": "Benutzer gespeichert",
     "userSavedDescription": "Der Benutzer wurde aktualisiert.",
     "autoProvisioned": "Automatisch bereitgestellt",
+    "autoProvisionSettings": "Auto-Bereitstellungseinstellungen",
     "autoProvisionedDescription": "Erlaube diesem Benutzer die automatische Verwaltung durch Identitätsanbieter",
     "accessControlsDescription": "Verwalten Sie, worauf dieser Benutzer in der Organisation zugreifen und was er tun kann",
     "accessControlsSubmit": "Zugriffskontrollen speichern",
+    "singleRolePerUserPlanNotice": "Ihr Plan unterstützt nur eine Rolle pro Benutzer.",
+    "singleRolePerUserEditionNotice": "Diese Ausgabe unterstützt nur eine Rolle pro Benutzer.",
     "roles": "Rollen",
     "accessUsersRoles": "Benutzer & Rollen verwalten",
     "accessUsersRolesDescription": "Lade Benutzer ein und füge sie zu Rollen hinzu, um den Zugriff auf die Organisation zu verwalten",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Geben Sie das Setup-Token von der Serverkonsole ein.",
     "setupTokenRequired": "Setup-Token ist erforderlich",
     "actionUpdateSite": "Standorte aktualisieren",
+    "actionResetSiteBandwidth": "Organisations-Bandbreite zurücksetzen",
     "actionListSiteRoles": "Erlaubte Standort-Rollen auflisten",
     "actionCreateResource": "Ressource erstellen",
     "actionDeleteResource": "Ressource löschen",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Benutzer entfernen",
     "actionListUsers": "Benutzer auflisten",
     "actionAddUserRole": "Benutzerrolle hinzufügen",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Benutzerrollen festlegen",
     "actionGenerateAccessToken": "Zugriffstoken generieren",
     "actionDeleteAccessToken": "Zugriffstoken löschen",
     "actionListAccessTokens": "Zugriffstoken auflisten",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Rollen",
     "sidebarShareableLinks": "Links",
     "sidebarApiKeys": "API-Schlüssel",
+    "sidebarProvisioning": "Bereitstellung",
     "sidebarSettings": "Einstellungen",
     "sidebarAllUsers": "Alle Benutzer",
     "sidebarIdentityProviders": "Identitätsanbieter",
@@ -1972,6 +2030,25 @@
     "invalidValue": "Ungültiger Wert",
     "idpTypeLabel": "Identitätsanbietertyp",
     "roleMappingExpressionPlaceholder": "z. B. enthalten(Gruppen, 'admin') && 'Admin' || 'Mitglied'",
+    "roleMappingModeFixedRoles": "Feste Rollen",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Roher Ausdruck",
+    "roleMappingFixedRolesPlaceholderSelect": "Wählen Sie eine oder mehrere Rollen",
+    "roleMappingFixedRolesPlaceholderFreeform": "Rollennamen eingeben (exakte Übereinstimmung pro Organisation)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Weisen Sie jedem auto-provisionierten Benutzer die gleiche Rolle zu.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Für Standardrichtlinien geben Sie Rollennamen ein, die in jeder Organisation existieren, in der Benutzer angegeben sind. Namen müssen exakt übereinstimmen.",
+    "roleMappingClaimPath": "Pfad einfordern",
+    "roleMappingClaimPathPlaceholder": "gruppen",
+    "roleMappingClaimPathDescription": "Pfad in der Token Payload mit Quellwerten (zum Beispiel Gruppen).",
+    "roleMappingMatchValue": "Match-Wert",
+    "roleMappingAssignRoles": "Rollen zuweisen",
+    "roleMappingAddMappingRule": "Zuordnungsregel hinzufügen",
+    "roleMappingRawExpressionResultDescription": "Ausdruck muss zu einem String oder String Array ausgewertet werden.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Ausdruck muss zu einem String (einem einzigen Rollennamen) ausgewertet werden.",
+    "roleMappingMatchValuePlaceholder": "Match-Wert (z. B.: Admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Rollennamen eingeben (exakt pro Ort)",
+    "roleMappingBuilderFreeformRowHint": "Rollennamen müssen mit einer Rolle in jeder Zielorganisation übereinstimmen.",
+    "roleMappingRemoveRule": "Entfernen",
     "idpGoogleConfiguration": "Google-Konfiguration",
     "idpGoogleConfigurationDescription": "Google OAuth2 Zugangsdaten konfigurieren",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2368,6 +2445,8 @@
     "logRetentionAccessDescription": "Wie lange Zugriffsprotokolle beibehalten werden sollen",
     "logRetentionActionLabel": "Aktionsprotokoll-Speicherung",
     "logRetentionActionDescription": "Dauer des Action-Logs",
+    "logRetentionConnectionLabel": "Verbindungsprotokoll-Speicherung",
+    "logRetentionConnectionDescription": "Wie lange Verbindungsprotokolle gespeichert werden sollen",
     "logRetentionDisabled": "Deaktiviert",
     "logRetention3Days": "3 Tage",
     "logRetention7Days": "7 Tage",
@@ -2378,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Ende des folgenden Jahres",
     "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
     "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
+    "connectionLogs": "Verbindungsprotokolle",
+    "connectionLogsDescription": "Verbindungsprotokolle für Tunnel in dieser Organisation anzeigen",
+    "sidebarLogsConnection": "Verbindungsprotokolle",
+    "sidebarLogsStreaming": "Streaming",
+    "sourceAddress": "Quelladresse",
+    "destinationAddress": "Zieladresse",
+    "duration": "Dauer",
     "licenseRequiredToUse": "Eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz oder <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> wird benötigt, um diese Funktion nutzen zu können. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "Die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> wird benötigt, um diese Funktion nutzen zu können. Diese Funktion ist auch in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>verfügbar. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
     "certResolver": "Zertifikatsauflöser",
@@ -2717,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
     "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
     "approvalsEmptyStateButtonText": "Rollen verwalten",
-    "domainErrorTitle": "Wir haben Probleme mit der Überprüfung deiner Domain"
+    "domainErrorTitle": "Wir haben Probleme mit der Überprüfung deiner Domain",
+    "idpAdminAutoProvisionPoliciesTabHint": "Konfigurieren Sie Rollenzuordnungs- und Organisationsrichtlinien auf der Registerkarte <policiesTabLink>Auto-Bereitstellungseinstellungen</policiesTabLink>.",
+    "streamingTitle": "Event Streaming",
+    "streamingDescription": "Streamen Sie Events aus Ihrem Unternehmen in Echtzeit zu externen Zielen.",
+    "streamingUnnamedDestination": "Unbenanntes Ziel",
+    "streamingNoUrlConfigured": "Keine URL konfiguriert",
+    "streamingAddDestination": "Ziel hinzufügen",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Sende Ereignisse an jeden HTTP-Endpunkt mit flexibler Authentifizierung und Vorlage.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Streame Ereignisse in eine S3-kompatible Objekt-Speicher-Eimer. Kommt bald.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Events direkt an Ihr Datadog Konto weiterleiten. Kommen Sie bald.",
+    "streamingTypePickerDescription": "Wählen Sie einen Zieltyp aus, um loszulegen.",
+    "streamingFailedToLoad": "Fehler beim Laden der Ziele",
+    "streamingUnexpectedError": "Ein unerwarteter Fehler ist aufgetreten.",
+    "streamingFailedToUpdate": "Fehler beim Aktualisieren des Ziels",
+    "streamingDeletedSuccess": "Ziel erfolgreich gelöscht",
+    "streamingFailedToDelete": "Fehler beim Löschen des Ziels",
+    "streamingDeleteTitle": "Ziel löschen",
+    "streamingDeleteButtonText": "Ziel löschen",
+    "streamingDeleteDialogAreYouSure": "Sind Sie sicher, dass Sie löschen möchten",
+    "streamingDeleteDialogThisDestination": "dieses Ziel",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle Konfiguration wird dauerhaft entfernt.",
+    "httpDestEditTitle": "Ziel bearbeiten",
+    "httpDestAddTitle": "HTTP-Ziel hinzufügen",
+    "httpDestEditDescription": "Aktualisiere die Konfiguration für dieses HTTP-Streaming-Ziel.",
+    "httpDestAddDescription": "Konfigurieren Sie einen neuen HTTP-Endpunkt, um die Ereignisse Ihrer Organisation zu empfangen.",
+    "httpDestTabSettings": "Einstellungen",
+    "httpDestTabHeaders": "Kopfzeilen",
+    "httpDestTabBody": "Körper",
+    "httpDestTabLogs": "Logs",
+    "httpDestNamePlaceholder": "Mein HTTP-Ziel",
+    "httpDestUrlLabel": "Ziel-URL",
+    "httpDestUrlErrorHttpRequired": "URL muss http oder https verwenden",
+    "httpDestUrlErrorHttpsRequired": "HTTPS wird für Cloud-Deployment benötigt",
+    "httpDestUrlErrorInvalid": "Geben Sie eine gültige URL ein (z.B. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentifizierung",
+    "httpDestAuthDescription": "Legen Sie fest, wie Anfragen an Ihren Endpunkt authentifiziert werden.",
+    "httpDestAuthNoneTitle": "Keine Authentifizierung",
+    "httpDestAuthNoneDescription": "Sendet Anfragen ohne Autorisierungs-Header.",
+    "httpDestAuthBearerTitle": "Bären-Token",
+    "httpDestAuthBearerDescription": "Fügt eine Berechtigung hinzu: Bearer <token> Header zu jeder Anfrage.",
+    "httpDestAuthBearerPlaceholder": "Ihr API-Schlüssel oder Token",
+    "httpDestAuthBasicTitle": "Einfacher Auth",
+    "httpDestAuthBasicDescription": "Fügt eine Autorisierung hinzu: Basic <credentials> Kopfzeile hinzu. Geben Sie Anmeldedaten als Benutzername:password an.",
+    "httpDestAuthBasicPlaceholder": "benutzername:password",
+    "httpDestAuthCustomTitle": "Eigene Kopfzeile",
+    "httpDestAuthCustomDescription": "Geben Sie einen eigenen HTTP-Header-Namen und einen Wert für die Authentifizierung an (z.B. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Headername (z.B. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header-Wert",
+    "httpDestCustomHeadersTitle": "Eigene HTTP-Header",
+    "httpDestCustomHeadersDescription": "Fügen Sie jeder ausgehenden Anfrage benutzerdefinierte Kopfzeilen hinzu. Nützlich für statische Tokens oder einen benutzerdefinierten Content-Typ. Standardmäßig wird Content-Type: application/json gesendet.",
+    "httpDestNoHeadersConfigured": "Keine benutzerdefinierten Header konfiguriert. Klicken Sie auf \"Header hinzufügen\", um einen hinzuzufügen.",
+    "httpDestHeaderNamePlaceholder": "Header-Name",
+    "httpDestHeaderValuePlaceholder": "Wert",
+    "httpDestAddHeader": "Header hinzufügen",
+    "httpDestBodyTemplateTitle": "Eigene Body-Vorlage",
+    "httpDestBodyTemplateDescription": "Steuere die JSON-Payload-Struktur, die an deinen Endpunkt gesendet wurde. Wenn deaktiviert, wird für jede Veranstaltung ein Standard-JSON-Objekt gesendet.",
+    "httpDestEnableBodyTemplate": "Eigene Körpervorlage aktivieren",
+    "httpDestBodyTemplateLabel": "Body-Vorlage (JSON)",
+    "httpDestBodyTemplateHint": "Verwenden Sie Template-Variablen, um Ereignisfelder in Ihrer Payload zu referenzieren.",
+    "httpDestPayloadFormatTitle": "Payload-Format",
+    "httpDestPayloadFormatDescription": "Wie Ereignisse in jedes Anfragegremium serialisiert werden.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "Eine Anfrage pro Stapel ist ein JSON-Array. Kompatibel mit den meisten generischen Webhooks und Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Eine Anfrage pro Batch, der Körper ist newline-getrenntes JSON — ein Objekt pro Zeile, kein äußeres Array. Benötigt von Splunk HEC, Elastic / OpenSearch, und Grafana Loki.",
+    "httpDestFormatSingleTitle": "Ein Ereignis pro Anfrage",
+    "httpDestFormatSingleDescription": "Sendet eine separate HTTP-POST für jedes einzelne Ereignis. Nur für Endpunkte, die Batches nicht handhaben können.",
+    "httpDestLogTypesTitle": "Log-Typen",
+    "httpDestLogTypesDescription": "Wählen Sie, welche Log-Typen an dieses Ziel weitergeleitet werden. Nur aktivierte Log-Typen werden gestreamt.",
+    "httpDestAccessLogsTitle": "Zugriffsprotokolle",
+    "httpDestAccessLogsDescription": "Ressourcenzugriffe, einschließlich authentifizierter und abgelehnter Anfragen.",
+    "httpDestActionLogsTitle": "Aktionsprotokolle",
+    "httpDestActionLogsDescription": "Administrative Maßnahmen, die von Benutzern innerhalb der Organisation durchgeführt werden.",
+    "httpDestConnectionLogsTitle": "Verbindungsprotokolle",
+    "httpDestConnectionLogsDescription": "Site- und Tunnelverbindungen, einschließlich Verbindungen und Trennungen.",
+    "httpDestRequestLogsTitle": "Logs anfordern",
+    "httpDestRequestLogsDescription": "HTTP-Request-Protokolle für proxiierte Ressourcen, einschließlich Methode, Pfad und Antwort-Code.",
+    "httpDestSaveChanges": "Änderungen speichern",
+    "httpDestCreateDestination": "Ziel erstellen",
+    "httpDestUpdatedSuccess": "Ziel erfolgreich aktualisiert",
+    "httpDestCreatedSuccess": "Ziel erfolgreich erstellt",
+    "httpDestUpdateFailed": "Fehler beim Aktualisieren des Ziels",
+    "httpDestCreateFailed": "Fehler beim Erstellen des Ziels"
 }

From 8559942c5cfe68abe6db6d9bd2d19cd9f52bb6e5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:51 -0700
Subject: [PATCH 113/122] New translations en-us.json (Italian)

---
 messages/it-IT.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 6891cd290..990e2be66 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -148,6 +148,11 @@
     "createLink": "Crea Collegamento",
     "resourcesNotFound": "Nessuna risorsa trovata",
     "resourceSearch": "Cerca risorse",
+    "machineSearch": "Ricerca macchine",
+    "machinesSearch": "Cerca client macchina...",
+    "machineNotFound": "Nessuna macchina trovata",
+    "userDeviceSearch": "Cerca dispositivi utente",
+    "userDevicesSearch": "Cerca dispositivi utente...",
     "openMenu": "Apri menu",
     "resource": "Risorsa",
     "title": "Titolo",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Elimina Chiave API",
     "apiKeysManage": "Gestisci Chiavi API",
     "apiKeysDescription": "Le chiavi API sono utilizzate per autenticarsi con l'API di integrazione",
+    "provisioningKeysTitle": "Chiave Di Provvedimento",
+    "provisioningKeysManage": "Gestisci Chiavi Di Provvedimento",
+    "provisioningKeysDescription": "Le chiavi di provisioning vengono utilizzate per autenticare il provisioning automatico del sito per la tua organizzazione.",
+    "provisioningManage": "Accantonamento",
+    "provisioningDescription": "Gestire le chiavi di provisioning e rivedere i siti in attesa di approvazione.",
+    "pendingSites": "Siti In Attesa",
+    "siteApproveSuccess": "Sito approvato con successo",
+    "siteApproveError": "Errore nell'approvazione del sito",
+    "provisioningKeys": "Chiavi Di Provvedimento",
+    "searchProvisioningKeys": "Cerca i tasti di provisioning ...",
+    "provisioningKeysAdd": "Genera Chiave Di Provvedimento",
+    "provisioningKeysErrorDelete": "Errore nell'eliminare la chiave di provisioning",
+    "provisioningKeysErrorDeleteMessage": "Errore nell'eliminare la chiave di provisioning",
+    "provisioningKeysQuestionRemove": "Sei sicuro di voler rimuovere questa chiave di provisioning dall'organizzazione?",
+    "provisioningKeysMessageRemove": "Una volta rimossa, la chiave non può più essere utilizzata per il provisioning.",
+    "provisioningKeysDeleteConfirm": "Conferma Elimina Chiave Provvisoria",
+    "provisioningKeysDelete": "Elimina chiave di provisioning",
+    "provisioningKeysCreate": "Genera Chiave Di Provvedimento",
+    "provisioningKeysCreateDescription": "Genera una nuova chiave di provisioning per l'organizzazione",
+    "provisioningKeysSeeAll": "Vedi tutte le chiavi di provisioning",
+    "provisioningKeysSave": "Salva la chiave di provisioning",
+    "provisioningKeysSaveDescription": "Sarai in grado di vedere solo una volta. Copiarlo in un posto sicuro.",
+    "provisioningKeysErrorCreate": "Errore nella creazione della chiave di provisioning",
+    "provisioningKeysList": "Nuova chiave di provisioning",
+    "provisioningKeysMaxBatchSize": "Dimensione massima lotto",
+    "provisioningKeysUnlimitedBatchSize": "Dimensione illimitata del lotto (nessun limite)",
+    "provisioningKeysMaxBatchUnlimited": "Illimitato",
+    "provisioningKeysMaxBatchSizeInvalid": "Inserisci un lotto massimo valido (1–1.000.000).",
+    "provisioningKeysValidUntil": "Valido fino al",
+    "provisioningKeysValidUntilHint": "Lasciare vuoto per nessuna scadenza.",
+    "provisioningKeysValidUntilInvalid": "Inserisci una data e ora valide.",
+    "provisioningKeysNumUsed": "Volte usate",
+    "provisioningKeysLastUsed": "Ultimo utilizzo",
+    "provisioningKeysNoExpiry": "Nessuna scadenza",
+    "provisioningKeysNeverUsed": "Mai",
+    "provisioningKeysEdit": "Modifica Chiave Di Provvedimento",
+    "provisioningKeysEditDescription": "Aggiorna la dimensione massima del lotto e il tempo di scadenza per questa chiave.",
+    "provisioningKeysApproveNewSites": "Approva nuovi siti",
+    "provisioningKeysApproveNewSitesDescription": "Approvare automaticamente i siti che si registrano con questa chiave.",
+    "provisioningKeysUpdateError": "Errore nell'aggiornamento della chiave di provisioning",
+    "provisioningKeysUpdated": "Chiave di accantonamento aggiornata",
+    "provisioningKeysUpdatedDescription": "Le tue modifiche sono state salvate.",
+    "provisioningKeysBannerTitle": "Chiavi Di Provvedimento Sito",
+    "provisioningKeysBannerDescription": "Generare una chiave di provisioning e usarla con il connettore Newt per creare automaticamente siti al primo avvio — non è necessario impostare credenziali separate per ogni sito.",
+    "provisioningKeysBannerButtonText": "Scopri di più",
+    "pendingSitesBannerTitle": "Siti In Attesa",
+    "pendingSitesBannerDescription": "I siti che si connettono utilizzando una chiave di provisioning appaiono qui per la revisione. Approva ogni sito prima che diventi attivo e ottenga l'accesso alle tue risorse.",
+    "pendingSitesBannerButtonText": "Scopri di più",
     "apiKeysSettings": "Impostazioni {apiKeyName}",
     "userTitle": "Gestisci Tutti Gli Utenti",
     "userDescription": "Visualizza e gestisci tutti gli utenti del sistema",
@@ -509,9 +562,12 @@
     "userSaved": "Utente salvato",
     "userSavedDescription": "L'utente è stato aggiornato.",
     "autoProvisioned": "Auto Provisioned",
+    "autoProvisionSettings": "Impostazioni Automatiche Di Fornitura",
     "autoProvisionedDescription": "Permetti a questo utente di essere gestito automaticamente dal provider di identità",
     "accessControlsDescription": "Gestisci cosa questo utente può accedere e fare nell'organizzazione",
     "accessControlsSubmit": "Salva Controlli di Accesso",
+    "singleRolePerUserPlanNotice": "Il tuo piano supporta solo un ruolo per utente.",
+    "singleRolePerUserEditionNotice": "Questa edizione supporta solo un ruolo per utente.",
     "roles": "Ruoli",
     "accessUsersRoles": "Gestisci Utenti e Ruoli",
     "accessUsersRolesDescription": "Invita gli utenti e aggiungili ai ruoli per gestire l'accesso all'organizzazione",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Inserisci il token di configurazione dalla console del server.",
     "setupTokenRequired": "Il token di configurazione è richiesto",
     "actionUpdateSite": "Aggiorna Sito",
+    "actionResetSiteBandwidth": "Reimposta Larghezza Banda Dell'Organizzazione",
     "actionListSiteRoles": "Elenca Ruoli Sito Consentiti",
     "actionCreateResource": "Crea Risorsa",
     "actionDeleteResource": "Elimina Risorsa",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Rimuovi Utente",
     "actionListUsers": "Elenca Utenti",
     "actionAddUserRole": "Aggiungi Ruolo Utente",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Imposta Ruoli Utente",
     "actionGenerateAccessToken": "Genera Token di Accesso",
     "actionDeleteAccessToken": "Elimina Token di Accesso",
     "actionListAccessTokens": "Elenca Token di Accesso",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Ruoli",
     "sidebarShareableLinks": "Collegamenti",
     "sidebarApiKeys": "Chiavi API",
+    "sidebarProvisioning": "Accantonamento",
     "sidebarSettings": "Impostazioni",
     "sidebarAllUsers": "Tutti Gli Utenti",
     "sidebarIdentityProviders": "Fornitori Di Identità",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nodo di Uscita",
     "country": "Paese",
     "rulesMatchCountry": "Attualmente basato sull'IP di origine",
+    "region": "Regione",
+    "selectRegion": "Seleziona regione",
+    "searchRegions": "Cerca regioni...",
+    "noRegionFound": "Nessuna regione trovata.",
+    "rulesMatchRegion": "Seleziona un raggruppamento regionale di paesi",
+    "rulesErrorInvalidRegion": "Regione non valida",
+    "rulesErrorInvalidRegionDescription": "Seleziona una regione valida.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "Africa Settentrionale",
+    "regionEasternAfrica": "Africa Orientale",
+    "regionMiddleAfrica": "Africa Centrale",
+    "regionSouthernAfrica": "Africa Meridionale",
+    "regionWesternAfrica": "Africa Occidentale",
+    "regionAmericas": "Americhe",
+    "regionCaribbean": "Caraibi",
+    "regionCentralAmerica": "America Centrale",
+    "regionSouthAmerica": "America Del Sud",
+    "regionNorthernAmerica": "America Del Nord",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Asia Centrale",
+    "regionEasternAsia": "Asia Orientale",
+    "regionSouthEasternAsia": "Asia Sudorientale",
+    "regionSouthernAsia": "Asia Meridionale",
+    "regionWesternAsia": "Asia Occidentale",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Orientale",
+    "regionNorthernEurope": "Europa Settentrionale",
+    "regionSouthernEurope": "Europa Meridionale",
+    "regionWesternEurope": "Europa Occidentale",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia e Nuova Zelanda",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Gestito Auto-Ospitato",
         "description": "Server Pangolin self-hosted più affidabile e a bassa manutenzione con campanelli e fischietti extra",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valore non valido",
     "idpTypeLabel": "Tipo Provider Identità",
     "roleMappingExpressionPlaceholder": "es. contiene(gruppi, 'admin') && 'Admin' <unk> <unk> 'Membro'",
+    "roleMappingModeFixedRoles": "Ruoli Fissi",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Espressione Raw",
+    "roleMappingFixedRolesPlaceholderSelect": "Seleziona uno o più ruoli",
+    "roleMappingFixedRolesPlaceholderFreeform": "Digita nomi dei ruoli (corrispondenza esatta per organizzazione)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assegna lo stesso ruolo impostato a ogni utente auto-provisioned.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Per i criteri predefiniti, digita i nomi dei ruoli che esistono in ogni organizzazione in cui gli utenti sono forniti. I nomi devono corrispondere esattamente.",
+    "roleMappingClaimPath": "Richiedi Percorso",
+    "roleMappingClaimPathPlaceholder": "gruppi",
+    "roleMappingClaimPathDescription": "Percorso nel payload del token che contiene valori sorgente (ad esempio, gruppi).",
+    "roleMappingMatchValue": "Valore Della Partita",
+    "roleMappingAssignRoles": "Assegna Ruoli",
+    "roleMappingAddMappingRule": "Aggiungi Regola Mappatura",
+    "roleMappingRawExpressionResultDescription": "Espressione deve essere valutata in una stringa o array di stringhe.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Espressione deve valutare in una stringa (un singolo nome ruolo).",
+    "roleMappingMatchValuePlaceholder": "Valore della corrispondenza (per esempio: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Digita i nomi dei ruoli (esatto per org)",
+    "roleMappingBuilderFreeformRowHint": "I nomi dei ruoli devono corrispondere a un ruolo in ogni organizzazione di destinazione.",
+    "roleMappingRemoveRule": "Rimuovi",
     "idpGoogleConfiguration": "Configurazione Google",
     "idpGoogleConfigurationDescription": "Configura le credenziali di Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Per quanto tempo conservare i log di accesso",
     "logRetentionActionLabel": "Ritenzione Registro Azioni",
     "logRetentionActionDescription": "Per quanto tempo conservare i log delle azioni",
+    "logRetentionConnectionLabel": "Ritenzione Registro Di Connessione",
+    "logRetentionConnectionDescription": "Per quanto tempo conservare i log di connessione",
     "logRetentionDisabled": "Disabilitato",
     "logRetention3Days": "3 giorni",
     "logRetention7Days": "7 giorni",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fine dell'anno successivo",
     "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
     "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
+    "connectionLogs": "Log Di Connessione",
+    "connectionLogsDescription": "Visualizza i log di connessione per i tunnel in questa organizzazione",
+    "sidebarLogsConnection": "Log Di Connessione",
+    "sidebarLogsStreaming": "Streaming",
+    "sourceAddress": "Indirizzo Di Origine",
+    "destinationAddress": "Indirizzo Di Destinazione",
+    "duration": "Durata",
     "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzione è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
     "certResolver": "Risolutore Di Certificato",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
     "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
     "approvalsEmptyStateButtonText": "Gestisci Ruoli",
-    "domainErrorTitle": "Stiamo avendo problemi a verificare il tuo dominio"
+    "domainErrorTitle": "Stiamo avendo problemi a verificare il tuo dominio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configura la mappatura dei ruoli e le politiche di organizzazione nella scheda <policiesTabLink>Auto Provision Settings</policiesTabLink>.",
+    "streamingTitle": "Streaming Eventi",
+    "streamingDescription": "Trasmetti eventi dalla tua organizzazione a destinazioni esterne in tempo reale.",
+    "streamingUnnamedDestination": "Destinazione senza nome",
+    "streamingNoUrlConfigured": "Nessun URL configurato",
+    "streamingAddDestination": "Aggiungi Destinazione",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Invia eventi a qualsiasi endpoint HTTP con autenticazione e template flessibili.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Trasmetti eventi su un contenitore di archiviazione per oggetti compatibile con S3. Presto in arrivo.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Inoltra gli eventi direttamente al tuo account Datadog. In arrivo.",
+    "streamingTypePickerDescription": "Scegli un tipo di destinazione per iniziare.",
+    "streamingFailedToLoad": "Impossibile caricare le destinazioni",
+    "streamingUnexpectedError": "Si è verificato un errore imprevisto.",
+    "streamingFailedToUpdate": "Impossibile aggiornare la destinazione",
+    "streamingDeletedSuccess": "Destinazione eliminata con successo",
+    "streamingFailedToDelete": "Impossibile eliminare la destinazione",
+    "streamingDeleteTitle": "Elimina Destinazione",
+    "streamingDeleteButtonText": "Elimina Destinazione",
+    "streamingDeleteDialogAreYouSure": "Sei sicuro di voler eliminare",
+    "streamingDeleteDialogThisDestination": "questa destinazione",
+    "streamingDeleteDialogPermanentlyRemoved": "? Tutta la configurazione verrà definitivamente rimossa.",
+    "httpDestEditTitle": "Modifica Destinazione",
+    "httpDestAddTitle": "Aggiungi Destinazione HTTP",
+    "httpDestEditDescription": "Aggiorna la configurazione per questa destinazione di streaming di eventi HTTP.",
+    "httpDestAddDescription": "Configura un nuovo endpoint HTTP per ricevere gli eventi della tua organizzazione.",
+    "httpDestTabSettings": "Impostazioni",
+    "httpDestTabHeaders": "Intestazioni",
+    "httpDestTabBody": "Corpo",
+    "httpDestTabLogs": "Registri",
+    "httpDestNamePlaceholder": "La mia destinazione HTTP",
+    "httpDestUrlLabel": "Url Di Destinazione",
+    "httpDestUrlErrorHttpRequired": "L'URL deve usare http o https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS è richiesto sulle distribuzioni cloud",
+    "httpDestUrlErrorInvalid": "Inserisci un URL valido (es. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticazione",
+    "httpDestAuthDescription": "Scegli come vengono autenticate le richieste al tuo endpoint.",
+    "httpDestAuthNoneTitle": "Nessuna Autenticazione",
+    "httpDestAuthNoneDescription": "Invia richieste senza intestazione autorizzazione.",
+    "httpDestAuthBearerTitle": "Token Del Portatore",
+    "httpDestAuthBearerDescription": "Aggiunge un'intestazione Autorizzazione: Bearer <token> ad ogni richiesta.",
+    "httpDestAuthBearerPlaceholder": "La tua chiave API o token",
+    "httpDestAuthBasicTitle": "Autenticazione Base",
+    "httpDestAuthBasicDescription": "Aggiunge un'autorizzazione: intestazione di base <credentials> . Fornisce le credenziali come username:password.",
+    "httpDestAuthBasicPlaceholder": "username:password",
+    "httpDestAuthCustomTitle": "Intestazione Personalizzata",
+    "httpDestAuthCustomDescription": "Specifica un nome e un valore di intestazione HTTP personalizzati per l'autenticazione (ad esempio X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nome intestazione (es. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valore intestazione",
+    "httpDestCustomHeadersTitle": "Intestazioni Http Personalizzate",
+    "httpDestCustomHeadersDescription": "Aggiungi intestazioni personalizzate ad ogni richiesta in uscita. Utile per token statici o un tipo di contenuto personalizzato. Come impostazione predefinita, viene inviato il tipo di contenuto/json.",
+    "httpDestNoHeadersConfigured": "Nessuna intestazione personalizzata configurata. Fare clic su \"Aggiungi intestazione\" per aggiungerne una.",
+    "httpDestHeaderNamePlaceholder": "Nome intestazione",
+    "httpDestHeaderValuePlaceholder": "Valore",
+    "httpDestAddHeader": "Aggiungi Intestazione",
+    "httpDestBodyTemplateTitle": "Modello Corpo Personalizzato",
+    "httpDestBodyTemplateDescription": "Controlla la struttura JSON payload inviata al tuo endpoint. Se disabilitata, viene inviato un oggetto JSON predefinito per ogni evento.",
+    "httpDestEnableBodyTemplate": "Abilita modello corpo personalizzato",
+    "httpDestBodyTemplateLabel": "Modello Corpo (JSON)",
+    "httpDestBodyTemplateHint": "Usa le variabili del modello per fare riferimento ai campi dell'evento nel tuo payload.",
+    "httpDestPayloadFormatTitle": "Formato Payload",
+    "httpDestPayloadFormatDescription": "Come gli eventi sono serializzati in ogni organismo di richiesta.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "Una richiesta per lotto, corpo è un array JSON. Compatibile con la maggior parte dei webhooks generici e Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Una richiesta per lotto, corpo è newline-delimited JSON — un oggetto per linea, nessun array esterno. Richiesto da Splunk HEC, Elastic / OpenSearch, e Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un Evento Per Richiesta",
+    "httpDestFormatSingleDescription": "Invia un HTTP POST separato per ogni singolo evento. Usa solo per gli endpoint che non possono gestire i batch.",
+    "httpDestLogTypesTitle": "Tipi Di Log",
+    "httpDestLogTypesDescription": "Scegli quali tipi di log vengono inoltrati a questa destinazione. Verranno trasmessi solo i tipi di log abilitati.",
+    "httpDestAccessLogsTitle": "Log Accesso",
+    "httpDestAccessLogsDescription": "Tentativi di accesso alle risorse, comprese le richieste autenticate e negate.",
+    "httpDestActionLogsTitle": "Log Azioni",
+    "httpDestActionLogsDescription": "Azioni amministrative eseguite dagli utenti all'interno dell'organizzazione.",
+    "httpDestConnectionLogsTitle": "Log Di Connessione",
+    "httpDestConnectionLogsDescription": "Eventi di connessione al sito e al tunnel, inclusi collegamenti e disconnessioni.",
+    "httpDestRequestLogsTitle": "Log Richiesta",
+    "httpDestRequestLogsDescription": "Registri di richiesta HTTP per le risorse proxy, inclusi metodo, percorso e codice di risposta.",
+    "httpDestSaveChanges": "Salva Modifiche",
+    "httpDestCreateDestination": "Crea Destinazione",
+    "httpDestUpdatedSuccess": "Destinazione aggiornata con successo",
+    "httpDestCreatedSuccess": "Destinazione creata con successo",
+    "httpDestUpdateFailed": "Impossibile aggiornare la destinazione",
+    "httpDestCreateFailed": "Impossibile creare la destinazione"
 }

From 82ba2bd809ea847ea083329237e81c4e0b5da7f0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:52 -0700
Subject: [PATCH 114/122] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 02915abd7..e0ae07d66 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -148,6 +148,11 @@
     "createLink": "링크 생성",
     "resourcesNotFound": "리소스가 발견되지 않았습니다.",
     "resourceSearch": "리소스 검색",
+    "machineSearch": "기계 검색",
+    "machinesSearch": "기계 클라이언트 검색...",
+    "machineNotFound": "기계를 찾을 수 없습니다",
+    "userDeviceSearch": "사용자 장치 검색",
+    "userDevicesSearch": "사용자 장치 검색...",
     "openMenu": "메뉴 열기",
     "resource": "리소스",
     "title": "제목",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API 키 삭제",
     "apiKeysManage": "API 키 관리",
     "apiKeysDescription": "API 키는 통합 API와 인증하는 데 사용됩니다.",
+    "provisioningKeysTitle": "프로비저닝 키",
+    "provisioningKeysManage": "프로비저닝 키 관리",
+    "provisioningKeysDescription": "프로비저닝 키는 조직의 자동 사이트 프로비저닝 인증에 사용됩니다.",
+    "provisioningManage": "프로비저닝",
+    "provisioningDescription": "프로비저닝 키를 관리하고 승인을 기다리는 사이트를 검토합니다.",
+    "pendingSites": "대기중인 사이트",
+    "siteApproveSuccess": "사이트가 성공적으로 승인되었습니다",
+    "siteApproveError": "사이트 승인 오류",
+    "provisioningKeys": "프로비저닝 키",
+    "searchProvisioningKeys": "프로비저닝 키 검색...",
+    "provisioningKeysAdd": "프로비저닝 키 생성",
+    "provisioningKeysErrorDelete": "프로비저닝 키 삭제 오류",
+    "provisioningKeysErrorDeleteMessage": "프로비저닝 키 삭제 오류",
+    "provisioningKeysQuestionRemove": "이 프로비저닝 키를 조직에서 제거하시겠습니까?",
+    "provisioningKeysMessageRemove": "제거 후에는 이 키를 사이트 프로비저닝에 사용할 수 없습니다.",
+    "provisioningKeysDeleteConfirm": "프로비저닝 키 삭제 확인",
+    "provisioningKeysDelete": "프로비저닝 키 삭제",
+    "provisioningKeysCreate": "프로비저닝 키 생성",
+    "provisioningKeysCreateDescription": "조직을 위한 새로운 프로비저닝 키 생성",
+    "provisioningKeysSeeAll": "모든 프로비저닝 키 보기",
+    "provisioningKeysSave": "프로비저닝 키 저장",
+    "provisioningKeysSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
+    "provisioningKeysErrorCreate": "프로비저닝 키 생성 오류",
+    "provisioningKeysList": "새 프로비저닝 키",
+    "provisioningKeysMaxBatchSize": "최대 배치 크기",
+    "provisioningKeysUnlimitedBatchSize": "무제한 배치 크기 (제한 없음)",
+    "provisioningKeysMaxBatchUnlimited": "무제한",
+    "provisioningKeysMaxBatchSizeInvalid": "유효한 최대 배치 크기를 입력하세요 (1–1,000,000).",
+    "provisioningKeysValidUntil": "유효 기간",
+    "provisioningKeysValidUntilHint": "만료 날짜를 설정하지 않을 경우 빈칸으로 남겨 두세요.",
+    "provisioningKeysValidUntilInvalid": "유효한 날짜와 시간을 입력하세요.",
+    "provisioningKeysNumUsed": "사용 횟수",
+    "provisioningKeysLastUsed": "마지막 사용",
+    "provisioningKeysNoExpiry": "만료 없음",
+    "provisioningKeysNeverUsed": "절대",
+    "provisioningKeysEdit": "프로비저닝 키 수정",
+    "provisioningKeysEditDescription": "이 키의 최대 배치 크기 및 만료 시간을 업데이트하세요.",
+    "provisioningKeysApproveNewSites": "새로운 사이트 승인",
+    "provisioningKeysApproveNewSitesDescription": "이 키를 등록하는 사이트를 자동으로 승인합니다.",
+    "provisioningKeysUpdateError": "프로비저닝 키 업데이트 오류",
+    "provisioningKeysUpdated": "프로비저닝 키가 업데이트되었습니다",
+    "provisioningKeysUpdatedDescription": "변경 사항이 저장되었습니다.",
+    "provisioningKeysBannerTitle": "사이트 프로비저닝 키",
+    "provisioningKeysBannerDescription": "프로비저닝 키를 생성하여 Newt 커넥터와 함께 사용해 첫 실행 시 자동으로 사이트를 생성하세요 — 각 사이트마다 별도의 인증을 설정할 필요가 없습니다.",
+    "provisioningKeysBannerButtonText": "자세히 알아보기",
+    "pendingSitesBannerTitle": "대기중인 사이트",
+    "pendingSitesBannerDescription": "프로비저닝 키를 사용하여 연결하는 사이트는 검토 대기 중입니다. 사이트가 활성화되어 리소스에 액세스하기 전에 각 사이트를 승인하세요.",
+    "pendingSitesBannerButtonText": "자세히 알아보기",
     "apiKeysSettings": "{apiKeyName} 설정",
     "userTitle": "모든 사용자 관리",
     "userDescription": "시스템의 모든 사용자를 보고 관리합니다",
@@ -509,9 +562,12 @@
     "userSaved": "사용자 저장됨",
     "userSavedDescription": "사용자가 업데이트되었습니다.",
     "autoProvisioned": "자동 프로비저닝됨",
+    "autoProvisionSettings": "자동 프로비저닝 설정",
     "autoProvisionedDescription": "이 사용자가 ID 공급자에 의해 자동으로 관리될 수 있도록 허용합니다",
     "accessControlsDescription": "이 사용자가 조직에서 접근하고 수행할 수 있는 작업을 관리하세요",
     "accessControlsSubmit": "접근 제어 저장",
+    "singleRolePerUserPlanNotice": "계획에는 사용자당 한 가지 역할만 지원됩니다.",
+    "singleRolePerUserEditionNotice": "이 판에는 사용자당 한 가지 역할만 지원됩니다.",
     "roles": "역할",
     "accessUsersRoles": "사용자 및 역할 관리",
     "accessUsersRolesDescription": "사용자를 초대하고 역할에 추가하여 조직에 대한 접근을 관리하세요",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "서버 콘솔에서 설정 토큰 입력.",
     "setupTokenRequired": "설정 토큰이 필요합니다",
     "actionUpdateSite": "사이트 업데이트",
+    "actionResetSiteBandwidth": "조직 대역폭 재설정",
     "actionListSiteRoles": "허용된 사이트 역할 목록",
     "actionCreateResource": "리소스 생성",
     "actionDeleteResource": "리소스 삭제",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "사용자 제거",
     "actionListUsers": "사용자 목록",
     "actionAddUserRole": "사용자 역할 추가",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "사용자 역할 설정",
     "actionGenerateAccessToken": "액세스 토큰 생성",
     "actionDeleteAccessToken": "액세스 토큰 삭제",
     "actionListAccessTokens": "액세스 토큰 목록",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "역할",
     "sidebarShareableLinks": "링크",
     "sidebarApiKeys": "API 키",
+    "sidebarProvisioning": "프로비저닝",
     "sidebarSettings": "설정",
     "sidebarAllUsers": "모든 사용자",
     "sidebarIdentityProviders": "신원 공급자",
@@ -1890,6 +1948,40 @@
     "exitNode": "종단 노드",
     "country": "국가",
     "rulesMatchCountry": "현재 소스 IP를 기반으로 합니다",
+    "region": "지역",
+    "selectRegion": "지역 선택",
+    "searchRegions": "지역 검색...",
+    "noRegionFound": "지역을 찾을 수 없습니다.",
+    "rulesMatchRegion": "국가의 지역 구성을 선택합니다",
+    "rulesErrorInvalidRegion": "잘못된 지역",
+    "rulesErrorInvalidRegionDescription": "유효한 지역을 선택하세요.",
+    "regionAfrica": "아프리카",
+    "regionNorthernAfrica": "북부 아프리카",
+    "regionEasternAfrica": "동부 아프리카",
+    "regionMiddleAfrica": "중부 아프리카",
+    "regionSouthernAfrica": "남부 아프리카",
+    "regionWesternAfrica": "서부 아프리카",
+    "regionAmericas": "아메리카",
+    "regionCaribbean": "카리브",
+    "regionCentralAmerica": "중앙 아메리카",
+    "regionSouthAmerica": "남아메리카",
+    "regionNorthernAmerica": "북미",
+    "regionAsia": "아시아",
+    "regionCentralAsia": "중앙 아시아",
+    "regionEasternAsia": "동아시아",
+    "regionSouthEasternAsia": "동남아시아",
+    "regionSouthernAsia": "남아시아",
+    "regionWesternAsia": "서아시아",
+    "regionEurope": "유럽",
+    "regionEasternEurope": "동부 유럽",
+    "regionNorthernEurope": "북부 유럽",
+    "regionSouthernEurope": "남부 유럽",
+    "regionWesternEurope": "서부 유럽",
+    "regionOceania": "오세아니아",
+    "regionAustraliaAndNewZealand": "호주와 뉴질랜드",
+    "regionMelanesia": "멜라네시아",
+    "regionMicronesia": "미크로네시아",
+    "regionPolynesia": "폴리네시아",
     "managedSelfHosted": {
         "title": "관리 자체 호스팅",
         "description": "더 신뢰할 수 있고 낮은 유지보수의 자체 호스팅 팡골린 서버, 추가 기능 포함",
@@ -1938,6 +2030,25 @@
     "invalidValue": "잘못된 값",
     "idpTypeLabel": "신원 공급자 유형",
     "roleMappingExpressionPlaceholder": "예: contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "고정 역할",
+    "roleMappingModeMappingBuilder": "매핑 빌더",
+    "roleMappingModeRawExpression": "원시 표현식",
+    "roleMappingFixedRolesPlaceholderSelect": "하나 이상의 역할을 선택하세요",
+    "roleMappingFixedRolesPlaceholderFreeform": "역할 이름 입력 (조직마다 정확히 일치)",
+    "roleMappingFixedRolesDescriptionSameForAll": "모든 자동 프로비전 사용자에게 동일한 역할 세트를 할당합니다.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "기본 정책의 경우 사용자가 프로비저닝된 조직의 역할 이름을 입력하세요. 이름은 정확히 일치해야 합니다.",
+    "roleMappingClaimPath": "클레임 경로",
+    "roleMappingClaimPathPlaceholder": "그룹",
+    "roleMappingClaimPathDescription": "토큰 페이로드에서 소스 값을 포함하는 경로 (예: 그룹).",
+    "roleMappingMatchValue": "매치 값",
+    "roleMappingAssignRoles": "역할 할당",
+    "roleMappingAddMappingRule": "매핑 규칙 추가",
+    "roleMappingRawExpressionResultDescription": "표현식은 문자열 또는 문자열 배열로 평가되어야 합니다.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "표현식은 문자열 (단일 역할 이름)로 평가되어야 합니다.",
+    "roleMappingMatchValuePlaceholder": "매치 값 (예: 관리자)",
+    "roleMappingAssignRolesPlaceholderFreeform": "역할 이름 입력 (조직마다 정확히)",
+    "roleMappingBuilderFreeformRowHint": "역할 이름은 각 대상 조직의 역할과 일치해야 합니다.",
+    "roleMappingRemoveRule": "제거",
     "idpGoogleConfiguration": "Google 구성",
     "idpGoogleConfigurationDescription": "Google OAuth2 자격 증명을 구성합니다.",
     "idpGoogleClientIdDescription": "Google OAuth2 클라이언트 ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "접근 로그를 얼마나 오래 보관할지",
     "logRetentionActionLabel": "작업 로그 보관",
     "logRetentionActionDescription": "작업 로그를 얼마나 오래 보관할지",
+    "logRetentionConnectionLabel": "연결 로그 보유 기간",
+    "logRetentionConnectionDescription": "연결 로그를 얼마나 오래 보유할지",
     "logRetentionDisabled": "비활성화됨",
     "logRetention3Days": "3 일",
     "logRetention7Days": "7 일",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "다음 연도 말",
     "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
     "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
+    "connectionLogs": "연결 로그",
+    "connectionLogsDescription": "이 조직의 터널 연결 로그 보기",
+    "sidebarLogsConnection": "연결 로그",
+    "sidebarLogsStreaming": "스트리밍",
+    "sourceAddress": "소스 주소",
+    "destinationAddress": "대상 주소",
+    "duration": "지속 시간",
     "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이(가) 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
     "certResolver": "인증서 해결사",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
     "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
     "approvalsEmptyStateButtonText": "역할 관리",
-    "domainErrorTitle": "도메인 확인에 문제가 발생했습니다."
+    "domainErrorTitle": "도메인 확인에 문제가 발생했습니다.",
+    "idpAdminAutoProvisionPoliciesTabHint": "<policiesTabLink>자동 프로비저닝 설정</policiesTabLink> 탭에서 역할 매핑 및 조직 정책을 구성합니다.",
+    "streamingTitle": "이벤트 스트리밍",
+    "streamingDescription": "조직의 이벤트를 외부 목적지로 실시간 전송합니다.",
+    "streamingUnnamedDestination": "이름이 없는 대상지",
+    "streamingNoUrlConfigured": "설정된 URL이 없습니다",
+    "streamingAddDestination": "대상지 추가",
+    "streamingHttpWebhookTitle": "HTTP 웹훅",
+    "streamingHttpWebhookDescription": "유연한 인증 및 템플릿 작성 기능을 갖춘 HTTP 엔드포인트에 이벤트를 전송합니다.",
+    "streamingS3Title": "아마존 S3",
+    "streamingS3Description": "S3 호환 객체 스토리지 버킷에 이벤트를 스트리밍합니다. 곧 제공됩니다.",
+    "streamingDatadogTitle": "데이터독",
+    "streamingDatadogDescription": "이벤트를 직접 Datadog 계정으로 전달합니다. 곧 제공됩니다.",
+    "streamingTypePickerDescription": "목표 유형을 선택하여 시작합니다.",
+    "streamingFailedToLoad": "대상 로드에 실패했습니다",
+    "streamingUnexpectedError": "예기치 않은 오류가 발생했습니다.",
+    "streamingFailedToUpdate": "대상지를 업데이트하는 데 실패했습니다",
+    "streamingDeletedSuccess": "대상지가 성공적으로 삭제되었습니다",
+    "streamingFailedToDelete": "대상지 삭제 실패",
+    "streamingDeleteTitle": "대상지 삭제",
+    "streamingDeleteButtonText": "대상지 삭제",
+    "streamingDeleteDialogAreYouSure": "삭제하시겠습니까",
+    "streamingDeleteDialogThisDestination": "이 대상지",
+    "streamingDeleteDialogPermanentlyRemoved": "? 모든 구성은 영구적으로 제거됩니다.",
+    "httpDestEditTitle": "대상지 수정",
+    "httpDestAddTitle": "HTTP 대상지 추가",
+    "httpDestEditDescription": "이 HTTP 이벤트 스트리밍 대상지의 구성을 업데이트하세요.",
+    "httpDestAddDescription": "조직의 이벤트 수신을 위한 새로운 HTTP 엔드포인트를 구성하세요.",
+    "httpDestTabSettings": "설정",
+    "httpDestTabHeaders": "헤더",
+    "httpDestTabBody": "본문",
+    "httpDestTabLogs": "로그",
+    "httpDestNamePlaceholder": "내 HTTP 대상",
+    "httpDestUrlLabel": "대상 URL",
+    "httpDestUrlErrorHttpRequired": "URL은 http 또는 https를 사용해야 합니다",
+    "httpDestUrlErrorHttpsRequired": "클라우드 배포에는 HTTPS가 필요합니다",
+    "httpDestUrlErrorInvalid": "유효한 URL을 입력하세요 (예: https://example.com/webhook)",
+    "httpDestAuthTitle": "인증",
+    "httpDestAuthDescription": "엔드포인트에 대한 요청 인증 방법을 선택하세요.",
+    "httpDestAuthNoneTitle": "인증 없음",
+    "httpDestAuthNoneDescription": "Authorization 헤더 없이 요청을 보냅니다.",
+    "httpDestAuthBearerTitle": "Bearer 토큰",
+    "httpDestAuthBearerDescription": "모든 요청에 Authorization: Bearer <token> 헤더를 추가합니다.",
+    "httpDestAuthBearerPlaceholder": "API 키 또는 토큰",
+    "httpDestAuthBasicTitle": "기본 인증",
+    "httpDestAuthBasicDescription": "Authorization: Basic <credentials> 헤더를 추가합니다. 자격 증명은 username:password 형식으로 제공하세요.",
+    "httpDestAuthBasicPlaceholder": "사용자 이름:비밀번호",
+    "httpDestAuthCustomTitle": "사용자 정의 헤더",
+    "httpDestAuthCustomDescription": "인증을 위한 사용자 정의 HTTP 헤더 이름 및 값을 지정하세요 (예: X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "헤더 이름 (예: X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "헤더 값",
+    "httpDestCustomHeadersTitle": "사용자 정의 HTTP 헤더",
+    "httpDestCustomHeadersDescription": "모든 발신 요청에 사용자 정의 헤더를 추가합니다. 정적 토큰 또는 사용자 정의 Content-Type에 유용합니다. 기본적으로 Content-Type: application/json이 전송됩니다.",
+    "httpDestNoHeadersConfigured": "구성된 사용자 정의 헤더가 없습니다. \"헤더 추가\"를 클릭하여 추가하세요.",
+    "httpDestHeaderNamePlaceholder": "헤더 이름",
+    "httpDestHeaderValuePlaceholder": "값",
+    "httpDestAddHeader": "헤더 추가",
+    "httpDestBodyTemplateTitle": "사용자 정의 본문 템플릿",
+    "httpDestBodyTemplateDescription": "엔드포인트에 전송되는 JSON 페이로드 구조를 제어합니다. 비활성화된 경우 각 이벤트에 대해 기본 JSON 객체가 전송됩니다.",
+    "httpDestEnableBodyTemplate": "사용자 정의 본문 템플릿 활성화",
+    "httpDestBodyTemplateLabel": "본문 템플릿 (JSON)",
+    "httpDestBodyTemplateHint": "템플릿 변수를 사용하여 페이로드에서 이벤트 필드를 참조하세요.",
+    "httpDestPayloadFormatTitle": "페이로드 형식",
+    "httpDestPayloadFormatDescription": "각 요청 본문에 이벤트가 시리얼라이즈되는 방식입니다.",
+    "httpDestFormatJsonArrayTitle": "JSON 배열",
+    "httpDestFormatJsonArrayDescription": "각 배치마다 요청 하나씩, 본문은 JSON 배열입니다. 대부분의 일반 웹훅 및 Datadog과 호환됩니다.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "각 배치마다 요청 하나씩, 본문은 줄 구분 JSON — 한 라인에 하나의 객체가 있으며 외부 배열이 없습니다. Splunk HEC, Elastic / OpenSearch, Grafana Loki에 필요합니다.",
+    "httpDestFormatSingleTitle": "각 요청 당 하나의 이벤트",
+    "httpDestFormatSingleDescription": "각 개별 이벤트에 대해 별도의 HTTP POST를 전송합니다. 배치를 처리할 수 없는 엔드포인트에만 사용하세요.",
+    "httpDestLogTypesTitle": "로그 유형",
+    "httpDestLogTypesDescription": "이 대상지에 전달될 로그 유형을 선택하세요. 활성화된 로그 유형만 스트리밍 됩니다.",
+    "httpDestAccessLogsTitle": "접근 로그",
+    "httpDestAccessLogsDescription": "인증 및 거부된 요청을 포함한 리소스 접근 시도.",
+    "httpDestActionLogsTitle": "작업 로그",
+    "httpDestActionLogsDescription": "조직 내에서 사용자가 수행한 관리 작업.",
+    "httpDestConnectionLogsTitle": "연결 로그",
+    "httpDestConnectionLogsDescription": "사이트 및 터널 연결 이벤트, 연결 및 연결 끊기를 포함합니다.",
+    "httpDestRequestLogsTitle": "요청 로그",
+    "httpDestRequestLogsDescription": "프록시된 리소스에 대한 HTTP 요청 로그, 메서드, 경로 및 응답 코드를 포함합니다.",
+    "httpDestSaveChanges": "변경 사항 저장",
+    "httpDestCreateDestination": "대상지 생성",
+    "httpDestUpdatedSuccess": "대상지가 성공적으로 업데이트되었습니다",
+    "httpDestCreatedSuccess": "대상지가 성공적으로 생성되었습니다",
+    "httpDestUpdateFailed": "대상지를 업데이트하는 데 실패했습니다",
+    "httpDestCreateFailed": "대상지를 생성하는 데 실패했습니다"
 }

From 75193bb0a212382877daa8d7bbabd97081504d5a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:54 -0700
Subject: [PATCH 115/122] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index f0eaff3fd..e38aec788 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -148,6 +148,11 @@
     "createLink": "Koppeling aanmaken",
     "resourcesNotFound": "Geen bronnen gevonden",
     "resourceSearch": "Zoek bronnen",
+    "machineSearch": "Zoek machines",
+    "machinesSearch": "Zoek machine-clients...",
+    "machineNotFound": "Geen machines gevonden",
+    "userDeviceSearch": "Gebruikersapparaten zoeken",
+    "userDevicesSearch": "Gebruikersapparaten zoeken...",
     "openMenu": "Menu openen",
     "resource": "Bron",
     "title": "Aanspreektitel",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API-sleutel verwijderen",
     "apiKeysManage": "API-sleutels beheren",
     "apiKeysDescription": "API-sleutels worden gebruikt om te verifiëren met de integratie-API",
+    "provisioningKeysTitle": "Vertrekkende sleutel",
+    "provisioningKeysManage": "Beheren van Provisioning Sleutels",
+    "provisioningKeysDescription": "Provisionerende sleutels worden gebruikt om geautomatiseerde sitebepaling voor uw organisatie te verifiëren.",
+    "provisioningManage": "Provisie",
+    "provisioningDescription": "Voorzieningssleutels beheren en sites beoordelen in afwachting van goedkeuring.",
+    "pendingSites": "Openstaande sites",
+    "siteApproveSuccess": "Site succesvol goedgekeurd",
+    "siteApproveError": "Fout bij goedkeuren website",
+    "provisioningKeys": "Verhelderende sleutels",
+    "searchProvisioningKeys": "Zoek provisioningsleutels ...",
+    "provisioningKeysAdd": "Genereer Provisioning Sleutel",
+    "provisioningKeysErrorDelete": "Fout bij verwijderen provisioning sleutel",
+    "provisioningKeysErrorDeleteMessage": "Fout bij verwijderen provisioning sleutel",
+    "provisioningKeysQuestionRemove": "Weet u zeker dat u deze proefsleutel van de organisatie wilt verwijderen?",
+    "provisioningKeysMessageRemove": "Eenmaal verwijderd, kan de sleutel niet meer worden gebruikt voor site-instructie.",
+    "provisioningKeysDeleteConfirm": "Bevestig Verwijderen Provisione-sleutel",
+    "provisioningKeysDelete": "Provisione-sleutel verwijderen",
+    "provisioningKeysCreate": "Genereer Provisioning Sleutel",
+    "provisioningKeysCreateDescription": "Een nieuwe provisioningsleutel voor de organisatie genereren",
+    "provisioningKeysSeeAll": "Bekijk alle provisioning sleutels",
+    "provisioningKeysSave": "Sla de provisioning sleutel op",
+    "provisioningKeysSaveDescription": "Je kunt dit slechts één keer zien. Kopieer het naar een veilige plaats.",
+    "provisioningKeysErrorCreate": "Fout bij aanmaken provisioning sleutel",
+    "provisioningKeysList": "Nieuwe provisioning sleutel",
+    "provisioningKeysMaxBatchSize": "Maximale batchgrootte",
+    "provisioningKeysUnlimitedBatchSize": "Onbeperkte batchgrootte (geen limiet)",
+    "provisioningKeysMaxBatchUnlimited": "Onbeperkt",
+    "provisioningKeysMaxBatchSizeInvalid": "Voer een geldige maximale batchgrootte in (1–1.000,000).",
+    "provisioningKeysValidUntil": "Geldig tot",
+    "provisioningKeysValidUntilHint": "Laat leeg voor geen vervaldatum.",
+    "provisioningKeysValidUntilInvalid": "Voer een geldige datum en tijd in.",
+    "provisioningKeysNumUsed": "Aantal keer gebruikt",
+    "provisioningKeysLastUsed": "Laatst gebruikt",
+    "provisioningKeysNoExpiry": "Geen vervaldatum",
+    "provisioningKeysNeverUsed": "Nooit",
+    "provisioningKeysEdit": "Wijzig Provisioning Sleutel",
+    "provisioningKeysEditDescription": "Werk de maximale batchgrootte en verlooptijd voor deze sleutel bij.",
+    "provisioningKeysApproveNewSites": "Goedkeuren van nieuwe sites",
+    "provisioningKeysApproveNewSitesDescription": "Automatisch sites goedkeuren die zich registreren met deze sleutel.",
+    "provisioningKeysUpdateError": "Fout tijdens bijwerken provisioning sleutel",
+    "provisioningKeysUpdated": "Provisie sleutel bijgewerkt",
+    "provisioningKeysUpdatedDescription": "Uw wijzigingen zijn opgeslagen.",
+    "provisioningKeysBannerTitle": "Bewerkingssleutels voor websites",
+    "provisioningKeysBannerDescription": "Genereer een provisioning-sleutel en gebruik deze met de Newt-connector om automatisch sites aan te maken bij het opstarten van de eerste opstart- het is niet nodig om afzonderlijke inloggegevens in te stellen voor elke site.",
+    "provisioningKeysBannerButtonText": "Meer informatie",
+    "pendingSitesBannerTitle": "Openstaande sites",
+    "pendingSitesBannerDescription": "Sites die met elkaar verbinden met behulp van een provisioning-sleutel verschijnen hier voor beoordeling. Accepteer elke site voordat deze actief wordt en krijgt toegang tot uw bronnen.",
+    "pendingSitesBannerButtonText": "Meer informatie",
     "apiKeysSettings": "{apiKeyName} instellingen",
     "userTitle": "Alle gebruikers beheren",
     "userDescription": "Bekijk en beheer alle gebruikers in het systeem",
@@ -509,9 +562,12 @@
     "userSaved": "Gebruiker opgeslagen",
     "userSavedDescription": "De gebruiker is bijgewerkt.",
     "autoProvisioned": "Automatisch bevestigen",
+    "autoProvisionSettings": "Auto Provisie Instellingen",
     "autoProvisionedDescription": "Toestaan dat deze gebruiker automatisch wordt beheerd door een identiteitsprovider",
     "accessControlsDescription": "Beheer wat deze gebruiker toegang heeft tot en doet in de organisatie",
     "accessControlsSubmit": "Bewaar Toegangsbesturing",
+    "singleRolePerUserPlanNotice": "Uw plan ondersteunt slechts één rol per gebruiker.",
+    "singleRolePerUserEditionNotice": "Deze editie ondersteunt slechts één rol per gebruiker.",
     "roles": "Rollen",
     "accessUsersRoles": "Beheer Gebruikers & Rollen",
     "accessUsersRolesDescription": "Nodig gebruikers uit en voeg ze toe aan de rollen om toegang tot de organisatie te beheren",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Voer het setup-token in vanaf de serverconsole.",
     "setupTokenRequired": "Setup-token is vereist",
     "actionUpdateSite": "Site bijwerken",
+    "actionResetSiteBandwidth": "Reset organisatieschandbreedte",
     "actionListSiteRoles": "Toon toegestane sitenollen",
     "actionCreateResource": "Bron maken",
     "actionDeleteResource": "Document verwijderen",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Gebruiker verwijderen",
     "actionListUsers": "Gebruikers weergeven",
     "actionAddUserRole": "Gebruikersrol toevoegen",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Stel gebruikersrollen in",
     "actionGenerateAccessToken": "Genereer Toegangstoken",
     "actionDeleteAccessToken": "Verwijder toegangstoken",
     "actionListAccessTokens": "Lijst toegangstokens",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Rollen",
     "sidebarShareableLinks": "Koppelingen",
     "sidebarApiKeys": "API sleutels",
+    "sidebarProvisioning": "Provisie",
     "sidebarSettings": "Instellingen",
     "sidebarAllUsers": "Alle gebruikers",
     "sidebarIdentityProviders": "Identiteit aanbieders",
@@ -1890,6 +1948,40 @@
     "exitNode": "Exit Node",
     "country": "Land",
     "rulesMatchCountry": "Momenteel gebaseerd op bron IP",
+    "region": "Regio",
+    "selectRegion": "Selecteer regio",
+    "searchRegions": "Zoek regio's...",
+    "noRegionFound": "Geen regio gevonden.",
+    "rulesMatchRegion": "Selecteer een regionale groepering van landen",
+    "rulesErrorInvalidRegion": "Ongeldige regio",
+    "rulesErrorInvalidRegionDescription": "Selecteer een geldige regio.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Noord-Afrika",
+    "regionEasternAfrica": "Oost Afrika",
+    "regionMiddleAfrica": "Midden Afrika",
+    "regionSouthernAfrica": "Zuidelijk Afrika",
+    "regionWesternAfrica": "Westelijk Afrika",
+    "regionAmericas": "Amerika's",
+    "regionCaribbean": "Caraïben",
+    "regionCentralAmerica": "Midden-Amerika",
+    "regionSouthAmerica": "Zuid Amerika",
+    "regionNorthernAmerica": "Noord-Amerika",
+    "regionAsia": "Azië",
+    "regionCentralAsia": "Centraal-Azië",
+    "regionEasternAsia": "Oost-Azië",
+    "regionSouthEasternAsia": "Zuid-Oost-Azië",
+    "regionSouthernAsia": "Zuid-Azië",
+    "regionWesternAsia": "Westelijk Azië",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Oost-Europa",
+    "regionNorthernEurope": "Noord-Europa",
+    "regionSouthernEurope": "Zuid-Europa",
+    "regionWesternEurope": "West-Europa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australië en Nieuw-Zeeland",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Beheerde Self-Hosted",
         "description": "betrouwbaardere en slecht onderhouden Pangolin server met extra klokken en klokkenluiders",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Ongeldige waarde",
     "idpTypeLabel": "Identiteit provider type",
     "roleMappingExpressionPlaceholder": "bijvoorbeeld bevat (groepen, 'admin') && 'Admin' ½ 'Member'",
+    "roleMappingModeFixedRoles": "Vaste rollen",
+    "roleMappingModeMappingBuilder": "Toewijzing Bouwer",
+    "roleMappingModeRawExpression": "Ruwe expressie",
+    "roleMappingFixedRolesPlaceholderSelect": "Selecteer één of meer rollen",
+    "roleMappingFixedRolesPlaceholderFreeform": "Typ rolnamen (exacte overeenkomst per organisatie)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Wijs dezelfde rolset toe aan elke auto-provisioned gebruiker.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Voor standaardbeleid, typ rolnamen die bestaan in elke organisatie waar gebruikers worden opgegeven. Namen moeten exact overeenkomen.",
+    "roleMappingClaimPath": "Claim pad",
+    "roleMappingClaimPathPlaceholder": "Groepen",
+    "roleMappingClaimPathDescription": "Pad in de token payload die bronwaarden bevat (bijvoorbeeld groepen).",
+    "roleMappingMatchValue": "Kies een waarde",
+    "roleMappingAssignRoles": "Rollen toewijzen",
+    "roleMappingAddMappingRule": "Toewijzingsregel toevoegen",
+    "roleMappingRawExpressionResultDescription": "Expressie moet een tekenreeks of tekenreeks evalueren.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expressie moet evalueren naar een tekenreeks (een naam met één rol).",
+    "roleMappingMatchValuePlaceholder": "Overeenkomende waarde (bijvoorbeeld: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Typ rolnamen (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Rol namen moeten overeenkomen met een rol in elke doelorganisatie.",
+    "roleMappingRemoveRule": "Verwijderen",
     "idpGoogleConfiguration": "Google Configuratie",
     "idpGoogleConfigurationDescription": "Configureer de Google OAuth2-referenties",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Hoe lang de toegangslogboeken behouden blijven",
     "logRetentionActionLabel": "Actie log bewaring",
     "logRetentionActionDescription": "Hoe lang de action logs behouden moeten blijven",
+    "logRetentionConnectionLabel": "Connectie log bewaring",
+    "logRetentionConnectionDescription": "Hoe lang de verbindingslogs onderhouden",
     "logRetentionDisabled": "Uitgeschakeld",
     "logRetention3Days": "3 dagen",
     "logRetention7Days": "7 dagen",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Einde van volgend jaar",
     "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
     "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
+    "connectionLogs": "Connectie Logs",
+    "connectionLogsDescription": "Toon verbindingslogs voor tunnels in deze organisatie",
+    "sidebarLogsConnection": "Connectie Logs",
+    "sidebarLogsStreaming": "Streamen",
+    "sourceAddress": "Bron adres",
+    "destinationAddress": "Adres bestemming",
+    "duration": "Duur",
     "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie of <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is vereist om deze functie te gebruiken. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
     "certResolver": "Certificaat Resolver",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
     "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
     "approvalsEmptyStateButtonText": "Rollen beheren",
-    "domainErrorTitle": "We ondervinden problemen bij het controleren van uw domein"
+    "domainErrorTitle": "We ondervinden problemen bij het controleren van uw domein",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configureer rolverrekening en organisatie beleid in het <policiesTabLink>Auto Provision Settings</policiesTabLink> tab.",
+    "streamingTitle": "Event streaming",
+    "streamingDescription": "Stream events van uw organisatie naar externe bestemmingen in realtime.",
+    "streamingUnnamedDestination": "Naamloze bestemming",
+    "streamingNoUrlConfigured": "Geen URL ingesteld",
+    "streamingAddDestination": "Bestemming toevoegen",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Stuur gebeurtenissen naar elk HTTP eindpunt met flexibele authenticatie en template.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Stream events naar een S3-compatibele object-opslagemmer. Binnenkort beschikbaar.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Stuur gebeurtenissen rechtstreeks door naar je Datadog account. Binnenkort beschikbaar.",
+    "streamingTypePickerDescription": "Kies een bestemmingstype om te beginnen.",
+    "streamingFailedToLoad": "Laden van bestemmingen mislukt",
+    "streamingUnexpectedError": "Er is een onverwachte fout opgetreden.",
+    "streamingFailedToUpdate": "Bijwerken bestemming mislukt",
+    "streamingDeletedSuccess": "Bestemming succesvol verwijderd",
+    "streamingFailedToDelete": "Verwijderen van bestemming mislukt",
+    "streamingDeleteTitle": "Verwijder bestemming",
+    "streamingDeleteButtonText": "Verwijder bestemming",
+    "streamingDeleteDialogAreYouSure": "Weet u zeker dat u wilt verwijderen",
+    "streamingDeleteDialogThisDestination": "deze bestemming",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle configuratie zal permanent worden verwijderd.",
+    "httpDestEditTitle": "Bewerk bestemming",
+    "httpDestAddTitle": "Voeg HTTP bestemming toe",
+    "httpDestEditDescription": "Werk de configuratie voor deze HTTP-event streaming bestemming bij.",
+    "httpDestAddDescription": "Configureer een nieuw HTTP-eindpunt om de gebeurtenissen van uw organisatie te ontvangen.",
+    "httpDestTabSettings": "Instellingen",
+    "httpDestTabHeaders": "Kopteksten",
+    "httpDestTabBody": "Lichaam",
+    "httpDestTabLogs": "Logboeken",
+    "httpDestNamePlaceholder": "Mijn HTTP-bestemming",
+    "httpDestUrlLabel": "Bestemming URL",
+    "httpDestUrlErrorHttpRequired": "URL moet http of https gebruiken",
+    "httpDestUrlErrorHttpsRequired": "HTTPS is vereist op cloud implementaties",
+    "httpDestUrlErrorInvalid": "Voer een geldige URL in (bijv. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authenticatie",
+    "httpDestAuthDescription": "Kies hoe verzoeken voor uw eindpunt zijn geverifieerd.",
+    "httpDestAuthNoneTitle": "Geen authenticatie",
+    "httpDestAuthNoneDescription": "Stuurt verzoeken zonder toestemmingskop.",
+    "httpDestAuthBearerTitle": "Betere Token",
+    "httpDestAuthBearerDescription": "Voegt een machtiging toe: Drager <token> header aan elke aanvraag.",
+    "httpDestAuthBearerPlaceholder": "Uw API-sleutel of -token",
+    "httpDestAuthBasicTitle": "Basis authenticatie",
+    "httpDestAuthBasicDescription": "Voegt een Authorizatie toe: Basis <credentials> kop. Geef inloggegevens op als gebruikersnaam:wachtwoord.",
+    "httpDestAuthBasicPlaceholder": "Gebruikersnaam:wachtwoord",
+    "httpDestAuthCustomTitle": "Aangepaste koptekst",
+    "httpDestAuthCustomDescription": "Specificeer een aangepaste HTTP header naam en waarde voor authenticatie (bijv. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Header naam (bijv. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header waarde",
+    "httpDestCustomHeadersTitle": "Aangepaste HTTP Headers",
+    "httpDestCustomHeadersDescription": "Voeg aangepaste headers toe aan elk uitgaande verzoek. Handig voor statische tokens of een aangepast Content-Type. Standaard Content-Type: application/json wordt verzonden.",
+    "httpDestNoHeadersConfigured": "Geen aangepaste headers geconfigureerd. Klik op \"Header\" om er een toe te voegen.",
+    "httpDestHeaderNamePlaceholder": "Naam koptekst",
+    "httpDestHeaderValuePlaceholder": "Waarde",
+    "httpDestAddHeader": "Koptekst toevoegen",
+    "httpDestBodyTemplateTitle": "Aangepaste Body Sjabloon",
+    "httpDestBodyTemplateDescription": "Bestuur de JSON payload structuur verzonden naar uw eindpunt. Indien uitgeschakeld, wordt een standaard JSON object verzonden voor elke event.",
+    "httpDestEnableBodyTemplate": "Aangepaste lichaam sjabloon inschakelen",
+    "httpDestBodyTemplateLabel": "Body sjabloon (JSON)",
+    "httpDestBodyTemplateHint": "Gebruik sjabloonvariabelen om te verwijzen naar gebeurtenisvelden in uw payload.",
+    "httpDestPayloadFormatTitle": "Payload formaat",
+    "httpDestPayloadFormatDescription": "Hoe evenementen worden geserialiseerd in elk verzoeklichaam.",
+    "httpDestFormatJsonArrayTitle": "JSON matrix",
+    "httpDestFormatJsonArrayDescription": "Eén verzoek per batch, lichaam is een JSON-array. Compatibel met de meeste algemene webhooks en Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Eén aanvraag per batch, lichaam is nieuwe JSON gescheiden - één object per regel, geen buitenste array. Vereist door Splunk HEC, Elastic / OpenSearch, en Grafana Loki.",
+    "httpDestFormatSingleTitle": "Eén afspraak per verzoek",
+    "httpDestFormatSingleDescription": "Stuurt een aparte HTTP POST voor elk individueel event. Gebruik alleen voor eindpunten die geen batches kunnen verwerken.",
+    "httpDestLogTypesTitle": "Log soorten",
+    "httpDestLogTypesDescription": "Kies welke log types doorgestuurd worden naar deze bestemming. Alleen ingeschakelde log types worden gestreden.",
+    "httpDestAccessLogsTitle": "Toegang tot logboek",
+    "httpDestAccessLogsDescription": "Hulpbrontoegangspogingen, inclusief geauthenticeerde en weigerde aanvragen.",
+    "httpDestActionLogsTitle": "Actie logs",
+    "httpDestActionLogsDescription": "Administratieve acties uitgevoerd door gebruikers binnen de organisatie.",
+    "httpDestConnectionLogsTitle": "Connectie Logs",
+    "httpDestConnectionLogsDescription": "Verbinding met de Site en tunnel maken verbroken, inclusief verbindingen en verbindingen.",
+    "httpDestRequestLogsTitle": "Logboeken aanvragen",
+    "httpDestRequestLogsDescription": "HTTP request logs voor proxied hulpmiddelen, waaronder methode, pad en response code.",
+    "httpDestSaveChanges": "Wijzigingen opslaan",
+    "httpDestCreateDestination": "Maak bestemming aan",
+    "httpDestUpdatedSuccess": "Bestemming succesvol bijgewerkt",
+    "httpDestCreatedSuccess": "Bestemming succesvol aangemaakt",
+    "httpDestUpdateFailed": "Bijwerken bestemming mislukt",
+    "httpDestCreateFailed": "Aanmaken bestemming mislukt"
 }

From 64d3c6b2d9efb4e0936f3e8741f3ff6f27cbb087 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:56 -0700
Subject: [PATCH 116/122] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 998fcc880..3a9607e7c 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -148,6 +148,11 @@
     "createLink": "Utwórz link",
     "resourcesNotFound": "Nie znaleziono zasobów",
     "resourceSearch": "Szukaj zasobów",
+    "machineSearch": "Wyszukiwarki",
+    "machinesSearch": "Szukaj klientów maszyn...",
+    "machineNotFound": "Nie znaleziono maszyn",
+    "userDeviceSearch": "Szukaj urządzeń użytkownika",
+    "userDevicesSearch": "Szukaj urządzeń użytkownika...",
     "openMenu": "Otwórz menu",
     "resource": "Zasoby",
     "title": "Tytuł",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Usuń klucz API",
     "apiKeysManage": "Zarządzaj kluczami API",
     "apiKeysDescription": "Klucze API służą do uwierzytelniania z API integracji",
+    "provisioningKeysTitle": "Klucz Zaopatrzenia",
+    "provisioningKeysManage": "Zarządzaj kluczami zaopatrzenia",
+    "provisioningKeysDescription": "Klucze zaopatrzenia są używane do uwierzytelniania zautomatyzowanego zaopatrzenia twojej organizacji.",
+    "provisioningManage": "Dostarczanie",
+    "provisioningDescription": "Zarządzaj kluczami rezerwacji i sprawdzaj oczekujące strony oczekujące na zatwierdzenie.",
+    "pendingSites": "Witryny oczekujące",
+    "siteApproveSuccess": "Witryna została pomyślnie zatwierdzona",
+    "siteApproveError": "Błąd zatwierdzania witryny",
+    "provisioningKeys": "Klucze Zaopatrzenia",
+    "searchProvisioningKeys": "Szukaj kluczy zaopatrzenia...",
+    "provisioningKeysAdd": "Wygeneruj klucz zaopatrzenia",
+    "provisioningKeysErrorDelete": "Błąd podczas usuwania klucza zaopatrzenia",
+    "provisioningKeysErrorDeleteMessage": "Błąd podczas usuwania klucza zaopatrzenia",
+    "provisioningKeysQuestionRemove": "Czy na pewno chcesz usunąć ten klucz rezerwacji z organizacji?",
+    "provisioningKeysMessageRemove": "Po usunięciu, klucz nie może być już używany do tworzenia witryny.",
+    "provisioningKeysDeleteConfirm": "Potwierdź usunięcie klucza zaopatrzenia",
+    "provisioningKeysDelete": "Usuń klucz zaopatrzenia",
+    "provisioningKeysCreate": "Wygeneruj klucz zaopatrzenia",
+    "provisioningKeysCreateDescription": "Wygeneruj nowy klucz tworzenia rezerw dla organizacji",
+    "provisioningKeysSeeAll": "Zobacz wszystkie klucze rezerwacji",
+    "provisioningKeysSave": "Zapisz klucz zaopatrzenia",
+    "provisioningKeysSaveDescription": "Możesz to zobaczyć tylko raz. Skopiuj je do bezpiecznego miejsca.",
+    "provisioningKeysErrorCreate": "Błąd podczas tworzenia klucza zaopatrzenia",
+    "provisioningKeysList": "Nowy klucz rezerwacji",
+    "provisioningKeysMaxBatchSize": "Maksymalny rozmiar partii",
+    "provisioningKeysUnlimitedBatchSize": "Nieograniczony rozmiar partii (bez limitu)",
+    "provisioningKeysMaxBatchUnlimited": "Nieograniczona",
+    "provisioningKeysMaxBatchSizeInvalid": "Wprowadź poprawny maksymalny rozmiar partii (1–1 000,000).",
+    "provisioningKeysValidUntil": "Ważny do",
+    "provisioningKeysValidUntilHint": "Pozostaw puste, aby nie wygasnąć.",
+    "provisioningKeysValidUntilInvalid": "Wprowadź prawidłową datę i godzinę.",
+    "provisioningKeysNumUsed": "Używane czasy",
+    "provisioningKeysLastUsed": "Ostatnio używane",
+    "provisioningKeysNoExpiry": "Brak wygaśnięcia",
+    "provisioningKeysNeverUsed": "Nigdy",
+    "provisioningKeysEdit": "Edytuj klucz zaopatrzenia",
+    "provisioningKeysEditDescription": "Zaktualizuj maksymalny rozmiar partii i czas wygaśnięcia dla tego klucza.",
+    "provisioningKeysApproveNewSites": "Zatwierdź nowe witryny",
+    "provisioningKeysApproveNewSitesDescription": "Automatycznie zatwierdzaj witryny, które rejestrują się za pomocą tego klucza.",
+    "provisioningKeysUpdateError": "Błąd podczas aktualizacji klucza zaopatrzenia",
+    "provisioningKeysUpdated": "Klucz zaopatrzenia zaktualizowany",
+    "provisioningKeysUpdatedDescription": "Twoje zmiany zostały zapisane.",
+    "provisioningKeysBannerTitle": "Klucze Zaopatrzenia witryny",
+    "provisioningKeysBannerDescription": "Wygeneruj klucz tworzenia rezerw i użyj go z konektorem Newt do automatycznego tworzenia witryn przy pierwszym uruchomieniu — nie ma potrzeby ustawiania oddzielnych poświadczeń dla każdej witryny.",
+    "provisioningKeysBannerButtonText": "Dowiedz się więcej",
+    "pendingSitesBannerTitle": "Witryny oczekujące",
+    "pendingSitesBannerDescription": "Witryny, które łączą się przy użyciu klucza zaopatrzenia, pojawiają się tutaj, aby przejrzeć. Zatwierdź każdą witrynę, zanim stanie się aktywna i uzyska dostęp do twoich zasobów.",
+    "pendingSitesBannerButtonText": "Dowiedz się więcej",
     "apiKeysSettings": "Ustawienia {apiKeyName}",
     "userTitle": "Zarządzaj wszystkimi użytkownikami",
     "userDescription": "Zobacz i zarządzaj wszystkimi użytkownikami w systemie",
@@ -509,9 +562,12 @@
     "userSaved": "Użytkownik zapisany",
     "userSavedDescription": "Użytkownik został zaktualizowany.",
     "autoProvisioned": "Przesłane automatycznie",
+    "autoProvisionSettings": "Ustawienia automatycznego dostarczania",
     "autoProvisionedDescription": "Pozwól temu użytkownikowi na automatyczne zarządzanie przez dostawcę tożsamości",
     "accessControlsDescription": "Zarządzaj tym, do czego użytkownik ma dostęp i co może robić w organizacji",
     "accessControlsSubmit": "Zapisz kontrole dostępu",
+    "singleRolePerUserPlanNotice": "Twój plan obsługuje tylko jedną rolę na użytkownika.",
+    "singleRolePerUserEditionNotice": "Ta edycja obsługuje tylko jedną rolę na użytkownika.",
     "roles": "Role",
     "accessUsersRoles": "Zarządzaj użytkownikami i rolami",
     "accessUsersRolesDescription": "Zaproś użytkowników i dodaj je do ról do zarządzania dostępem do organizacji",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Wprowadź token konfiguracji z konsoli serwera.",
     "setupTokenRequired": "Wymagany jest token konfiguracji",
     "actionUpdateSite": "Aktualizuj witrynę",
+    "actionResetSiteBandwidth": "Zresetuj przepustowość organizacji",
     "actionListSiteRoles": "Lista dozwolonych ról witryny",
     "actionCreateResource": "Utwórz zasób",
     "actionDeleteResource": "Usuń zasób",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Usuń użytkownika",
     "actionListUsers": "Lista użytkowników",
     "actionAddUserRole": "Dodaj rolę użytkownika",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Ustaw role użytkownika",
     "actionGenerateAccessToken": "Wygeneruj token dostępu",
     "actionDeleteAccessToken": "Usuń token dostępu",
     "actionListAccessTokens": "Lista tokenów dostępu",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Role",
     "sidebarShareableLinks": "Linki",
     "sidebarApiKeys": "Klucze API",
+    "sidebarProvisioning": "Dostarczanie",
     "sidebarSettings": "Ustawienia",
     "sidebarAllUsers": "Wszyscy użytkownicy",
     "sidebarIdentityProviders": "Dostawcy tożsamości",
@@ -1890,6 +1948,40 @@
     "exitNode": "Węzeł Wyjściowy",
     "country": "Kraj",
     "rulesMatchCountry": "Obecnie bazuje na adresie IP źródła",
+    "region": "Region",
+    "selectRegion": "Wybierz region",
+    "searchRegions": "Szukaj regionów...",
+    "noRegionFound": "Nie znaleziono regionu.",
+    "rulesMatchRegion": "Wybierz regionalną grupę krajów",
+    "rulesErrorInvalidRegion": "Nieprawidłowy region",
+    "rulesErrorInvalidRegionDescription": "Proszę wybrać prawidłowy region.",
+    "regionAfrica": "Afryka",
+    "regionNorthernAfrica": "Afryka Północna",
+    "regionEasternAfrica": "Afryka Wschodnia",
+    "regionMiddleAfrica": "Afryka Środkowa",
+    "regionSouthernAfrica": "Afryka Południowa",
+    "regionWesternAfrica": "Afryka Zachodnia",
+    "regionAmericas": "Ameryka",
+    "regionCaribbean": "Karaiby",
+    "regionCentralAmerica": "Ameryka Środkowa",
+    "regionSouthAmerica": "Ameryka Południowej",
+    "regionNorthernAmerica": "Ameryka Północna",
+    "regionAsia": "Akwakultura",
+    "regionCentralAsia": "Azja Środkowa",
+    "regionEasternAsia": "Azja Wschodnia",
+    "regionSouthEasternAsia": "Azja Południowo-Wschodnia",
+    "regionSouthernAsia": "Azja Południowa",
+    "regionWesternAsia": "Azja Zachodnia",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Wschodnia",
+    "regionNorthernEurope": "Europa Północna",
+    "regionSouthernEurope": "Europa Południowa",
+    "regionWesternEurope": "Europa Zachodnia",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia i Nowa Zelandia",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Zarządzane Samodzielnie-Hostingowane",
         "description": "Większa niezawodność i niska konserwacja serwera Pangolin z dodatkowymi dzwonkami i sygnałami",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Nieprawidłowa wartość",
     "idpTypeLabel": "Typ dostawcy tożsamości",
     "roleMappingExpressionPlaceholder": "np. zawiera(grupy, 'admin') && 'Admin' || 'Członek'",
+    "roleMappingModeFixedRoles": "Stałe role",
+    "roleMappingModeMappingBuilder": "Konstruktor mapowania",
+    "roleMappingModeRawExpression": "Surowe wyrażenie",
+    "roleMappingFixedRolesPlaceholderSelect": "Wybierz jedną lub więcej ról",
+    "roleMappingFixedRolesPlaceholderFreeform": "Wpisz nazwy ról (dopasowanie na organizację)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Przypisz tę samą rolę do każdego automatycznie udostępnionego użytkownika.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "W przypadku domyślnych zasad nazwy ról typu które istnieją w każdej organizacji, gdzie użytkownicy są zapisywani. Nazwy muszą się dokładnie zgadzać.",
+    "roleMappingClaimPath": "Ścieżka przejęcia",
+    "roleMappingClaimPathPlaceholder": "grupy",
+    "roleMappingClaimPathDescription": "Ścieżka w payloadzie tokenów, która zawiera wartości źródłowe (np. grupy).",
+    "roleMappingMatchValue": "Wartość dopasowania",
+    "roleMappingAssignRoles": "Przypisz role",
+    "roleMappingAddMappingRule": "Dodaj regułę mapowania",
+    "roleMappingRawExpressionResultDescription": "Wyrażenie musi ocenić do tablicy ciągów lub ciągów.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Wyrażenie musi oceniać ciąg znaków (pojedyncza nazwa).",
+    "roleMappingMatchValuePlaceholder": "Wartość dopasowania (na przykład: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Wpisz nazwy ról (aktywizacja na org)",
+    "roleMappingBuilderFreeformRowHint": "Nazwy ról muszą pasować do roli w każdej organizacji docelowej.",
+    "roleMappingRemoveRule": "Usuń",
     "idpGoogleConfiguration": "Konfiguracja Google",
     "idpGoogleConfigurationDescription": "Skonfiguruj dane logowania Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Jak długo zachować dzienniki dostępu",
     "logRetentionActionLabel": "Zachowanie dziennika akcji",
     "logRetentionActionDescription": "Jak długo zachować dzienniki akcji",
+    "logRetentionConnectionLabel": "Zachowanie dziennika połączeń",
+    "logRetentionConnectionDescription": "Jak długo zachować dzienniki połączeń",
     "logRetentionDisabled": "Wyłączone",
     "logRetention3Days": "3 dni",
     "logRetention7Days": "7 dni",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Koniec następnego roku",
     "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
     "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
+    "connectionLogs": "Dzienniki połączeń",
+    "connectionLogsDescription": "Wyświetl dzienniki połączeń dla tuneli w tej organizacji",
+    "sidebarLogsConnection": "Dzienniki połączeń",
+    "sidebarLogsStreaming": "Strumieniowanie",
+    "sourceAddress": "Adres źródłowy",
+    "destinationAddress": "Adres docelowy",
+    "duration": "Czas trwania",
     "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lub <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezerwuj wersję demonstracyjną lub wersję próbną POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Zarezerwuj demo lub okres próbny POC</bookADemoLink>.",
     "certResolver": "Rozwiązywanie certyfikatów",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
     "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
     "approvalsEmptyStateButtonText": "Zarządzaj rolami",
-    "domainErrorTitle": "Mamy problem z weryfikacją Twojej domeny"
+    "domainErrorTitle": "Mamy problem z weryfikacją Twojej domeny",
+    "idpAdminAutoProvisionPoliciesTabHint": "Skonfiguruj mapowanie ról i zasady organizacji na karcie <policiesTabLink>Auto Provivision Settings</policiesTabLink>.",
+    "streamingTitle": "Strumieniowanie wydarzeń",
+    "streamingDescription": "Wydarzenia strumieniowe z Twojej organizacji do zewnętrznych miejsc przeznaczenia w czasie rzeczywistym.",
+    "streamingUnnamedDestination": "Miejsce przeznaczenia bez nazwy",
+    "streamingNoUrlConfigured": "Brak skonfigurowanego adresu URL",
+    "streamingAddDestination": "Dodaj cel",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Wyślij zdarzenia do dowolnego punktu końcowego HTTP z elastycznym uwierzytelnianiem i szablonem.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Zdarzenia strumieniowe do magazynu obiektów kompatybilnych z S3. Już wkrótce.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Przekaż wydarzenia bezpośrednio do Twojego konta Datadog. Już wkrótce.",
+    "streamingTypePickerDescription": "Wybierz typ docelowy, aby rozpocząć.",
+    "streamingFailedToLoad": "Nie udało się załadować miejsc docelowych",
+    "streamingUnexpectedError": "Wystąpił nieoczekiwany błąd.",
+    "streamingFailedToUpdate": "Nie udało się zaktualizować miejsca docelowego",
+    "streamingDeletedSuccess": "Cel usunięty pomyślnie",
+    "streamingFailedToDelete": "Nie udało się usunąć miejsca docelowego",
+    "streamingDeleteTitle": "Usuń cel",
+    "streamingDeleteButtonText": "Usuń cel",
+    "streamingDeleteDialogAreYouSure": "Czy na pewno chcesz usunąć",
+    "streamingDeleteDialogThisDestination": "ten cel",
+    "streamingDeleteDialogPermanentlyRemoved": "? Wszystkie konfiguracje zostaną trwale usunięte.",
+    "httpDestEditTitle": "Edytuj cel",
+    "httpDestAddTitle": "Dodaj cel HTTP",
+    "httpDestEditDescription": "Aktualizuj konfigurację dla tego celu przesyłania strumieniowego zdarzeń HTTP.",
+    "httpDestAddDescription": "Skonfiguruj nowy punkt końcowy HTTP, aby otrzymywać wydarzenia organizacji.",
+    "httpDestTabSettings": "Ustawienia",
+    "httpDestTabHeaders": "Nagłówki",
+    "httpDestTabBody": "Ciało",
+    "httpDestTabLogs": "Logi",
+    "httpDestNamePlaceholder": "Mój cel HTTP",
+    "httpDestUrlLabel": "Adres docelowy",
+    "httpDestUrlErrorHttpRequired": "Adres URL musi używać http lub https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS jest wymagany dla wdrożenia w chmurze",
+    "httpDestUrlErrorInvalid": "Wprowadź poprawny adres URL (np. https://example.com/webhook)",
+    "httpDestAuthTitle": "Uwierzytelnianie",
+    "httpDestAuthDescription": "Wybierz sposób uwierzytelniania żądań do Twojego punktu końcowego.",
+    "httpDestAuthNoneTitle": "Brak uwierzytelniania",
+    "httpDestAuthNoneDescription": "Wysyła żądania bez nagłówka autoryzacji.",
+    "httpDestAuthBearerTitle": "Token Bearer",
+    "httpDestAuthBearerDescription": "Dodaje autoryzację: nagłówek Bearer <token> do każdego żądania.",
+    "httpDestAuthBearerPlaceholder": "Twój klucz API lub token",
+    "httpDestAuthBasicTitle": "Podstawowa Autoryzacja",
+    "httpDestAuthBasicDescription": "Dodaje Autoryzacja: Nagłówek Basic <credentials> . Podaj poświadczenia jako nazwę użytkownika: hasło.",
+    "httpDestAuthBasicPlaceholder": "Nazwa użytkownika:hasło",
+    "httpDestAuthCustomTitle": "Niestandardowy nagłówek",
+    "httpDestAuthCustomDescription": "Określ niestandardową nazwę nagłówka HTTP i wartość dla uwierzytelniania (np. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nazwa nagłówka (np. klucz X-API)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Wartość nagłówka",
+    "httpDestCustomHeadersTitle": "Niestandardowe nagłówki HTTP",
+    "httpDestCustomHeadersDescription": "Dodaj własne nagłówki do każdego wychodzącego żądania. Przydatne dla tokenów statycznych lub niestandardowego typu zawartości. Domyślnie Content-Type: aplikacja/json jest wysyłane.",
+    "httpDestNoHeadersConfigured": "Nie skonfigurowano nagłówków niestandardowych. Kliknij \"Dodaj nagłówek\", aby go dodać.",
+    "httpDestHeaderNamePlaceholder": "Nazwa nagłówka",
+    "httpDestHeaderValuePlaceholder": "Wartość",
+    "httpDestAddHeader": "Dodaj nagłówek",
+    "httpDestBodyTemplateTitle": "Własny szablon ciała",
+    "httpDestBodyTemplateDescription": "Kontroluj strukturę JSON wysyłaną do Twojego punktu końcowego. Jeśli wyłączone, dla każdego zdarzenia wysyłany jest domyślny obiekt JSON.",
+    "httpDestEnableBodyTemplate": "Włącz niestandardowy szablon ciała",
+    "httpDestBodyTemplateLabel": "Szablon ciała (JSON)",
+    "httpDestBodyTemplateHint": "Użyj zmiennych szablonu do odniesienia pól zdarzeń w twoim payloadzie.",
+    "httpDestPayloadFormatTitle": "Format obciążenia",
+    "httpDestPayloadFormatDescription": "Jak zdarzenia są serializowane w każdym organie żądania.",
+    "httpDestFormatJsonArrayTitle": "Tablica JSON",
+    "httpDestFormatJsonArrayDescription": "Jedna prośba na partię, treść jest tablicą JSON. Kompatybilna z najbardziej ogólnymi webhookami i Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Jedno żądanie na partię, ciałem jest plik JSON rozdzielony na newline-delimited — jeden obiekt na wiersz, bez tablicy zewnętrznej. Wymagane przez Splunk HEC, Elastic / OpenSesearch i Grafana Loki.",
+    "httpDestFormatSingleTitle": "Jedno wydarzenie na żądanie",
+    "httpDestFormatSingleDescription": "Wysyła oddzielny POST HTTP dla każdego zdarzenia. Użyj tylko dla punktów końcowych, które nie mogą obsługiwać partii.",
+    "httpDestLogTypesTitle": "Typy logów",
+    "httpDestLogTypesDescription": "Wybierz, które typy logów są przekazywane do tego miejsca docelowego. Tylko włączone typy logów będą strumieniowane.",
+    "httpDestAccessLogsTitle": "Logi dostępu",
+    "httpDestAccessLogsDescription": "Próby dostępu do zasobów, w tym uwierzytelnione i odrzucone żądania.",
+    "httpDestActionLogsTitle": "Dzienniki działań",
+    "httpDestActionLogsDescription": "Działania administracyjne wykonywane przez użytkowników w organizacji.",
+    "httpDestConnectionLogsTitle": "Dzienniki połączeń",
+    "httpDestConnectionLogsDescription": "Zdarzenia związane z miejscem i tunelem, w tym połączenia i rozłączenia.",
+    "httpDestRequestLogsTitle": "Dzienniki żądań",
+    "httpDestRequestLogsDescription": "Logi żądań HTTP dla zasobów proxy, w tym metody, ścieżki i kodu odpowiedzi.",
+    "httpDestSaveChanges": "Zapisz zmiany",
+    "httpDestCreateDestination": "Utwórz cel",
+    "httpDestUpdatedSuccess": "Cel został pomyślnie zaktualizowany",
+    "httpDestCreatedSuccess": "Cel został utworzony pomyślnie",
+    "httpDestUpdateFailed": "Nie udało się zaktualizować miejsca docelowego",
+    "httpDestCreateFailed": "Nie udało się utworzyć miejsca docelowego"
 }

From 467808f1744086c28f5e900747a031333ada8bdf Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:57 -0700
Subject: [PATCH 117/122] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index b121f4b16..2573ed6da 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -148,6 +148,11 @@
     "createLink": "Criar Link",
     "resourcesNotFound": "Nenhum recurso encontrado",
     "resourceSearch": "Recursos de pesquisa",
+    "machineSearch": "Procurar máquinas",
+    "machinesSearch": "Pesquisar clientes de máquina...",
+    "machineNotFound": "Nenhuma máquina encontrada",
+    "userDeviceSearch": "Procurar dispositivos do usuário",
+    "userDevicesSearch": "Pesquisar dispositivos do usuário...",
     "openMenu": "Abrir menu",
     "resource": "Recurso",
     "title": "Título",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Excluir Chave API",
     "apiKeysManage": "Gerir Chaves API",
     "apiKeysDescription": "As chaves API são usadas para autenticar com a API de integração",
+    "provisioningKeysTitle": "Chave de provisionamento",
+    "provisioningKeysManage": "Gerenciar chaves de provisionamento",
+    "provisioningKeysDescription": "Chaves de provisionamento são usadas para autenticar o provisionamento automatizado do site para sua organização.",
+    "provisioningManage": "Provisionamento",
+    "provisioningDescription": "Gerenciar chaves de provisionamento e revisar sites pendentes aguardando aprovação.",
+    "pendingSites": "Sites pendentes",
+    "siteApproveSuccess": "Site aprovado com sucesso",
+    "siteApproveError": "Erro ao aprovar site",
+    "provisioningKeys": "Posicionando chaves",
+    "searchProvisioningKeys": "Pesquisar chaves de provisionamento...",
+    "provisioningKeysAdd": "Gerar chave de provisionamento",
+    "provisioningKeysErrorDelete": "Erro ao excluir chave de provisionamento",
+    "provisioningKeysErrorDeleteMessage": "Erro ao excluir chave de provisionamento",
+    "provisioningKeysQuestionRemove": "Tem certeza de que deseja remover esta chave de provisionamento da organização?",
+    "provisioningKeysMessageRemove": "Uma vez removida, a chave não pode mais ser usada para o provisionamento do site.",
+    "provisioningKeysDeleteConfirm": "Confirmar chave de exclusão",
+    "provisioningKeysDelete": "Apagar chave de provisionamento",
+    "provisioningKeysCreate": "Gerar chave de provisionamento",
+    "provisioningKeysCreateDescription": "Gerar uma nova chave de provisionamento para a organização",
+    "provisioningKeysSeeAll": "Ver todas as chaves provisionadas",
+    "provisioningKeysSave": "Salvar a chave de provisionamento",
+    "provisioningKeysSaveDescription": "Você só será capaz de ver esta vez. Copiá-lo para um lugar seguro.",
+    "provisioningKeysErrorCreate": "Erro ao criar chave de provisionamento",
+    "provisioningKeysList": "Nova chave de aprovisionamento",
+    "provisioningKeysMaxBatchSize": "Tamanho máximo do lote",
+    "provisioningKeysUnlimitedBatchSize": "Tamanho ilimitado em lote (sem limite)",
+    "provisioningKeysMaxBatchUnlimited": "Ilimitado",
+    "provisioningKeysMaxBatchSizeInvalid": "Informe um tamanho máximo válido em lote (1–1,000,000).",
+    "provisioningKeysValidUntil": "Valido ate",
+    "provisioningKeysValidUntilHint": "Deixe em branco para nenhuma expiração.",
+    "provisioningKeysValidUntilInvalid": "Informe uma data e hora válidas.",
+    "provisioningKeysNumUsed": "Use percentual",
+    "provisioningKeysLastUsed": "Última utilização",
+    "provisioningKeysNoExpiry": "Sem vencimento",
+    "provisioningKeysNeverUsed": "nunca",
+    "provisioningKeysEdit": "Editar chave de provisionamento",
+    "provisioningKeysEditDescription": "Atualizar o tamanho máximo do lote e tempo de expiração para esta chave.",
+    "provisioningKeysApproveNewSites": "Aprovar novos sites",
+    "provisioningKeysApproveNewSitesDescription": "Aprovar automaticamente sites que se registram com esta chave.",
+    "provisioningKeysUpdateError": "Erro ao atualizar chave de provisionamento",
+    "provisioningKeysUpdated": "Chave de provisionamento atualizada",
+    "provisioningKeysUpdatedDescription": "Suas alterações foram salvas.",
+    "provisioningKeysBannerTitle": "Chaves de provisionamento do site",
+    "provisioningKeysBannerDescription": "Gerar uma chave de provisionamento e usá-la com o conector de Newt para criar automaticamente sites na primeira inicialização — não é necessário configurar credenciais separadas para cada site.",
+    "provisioningKeysBannerButtonText": "Saiba mais",
+    "pendingSitesBannerTitle": "Sites pendentes",
+    "pendingSitesBannerDescription": "Sites que conectam usando uma chave de provisionamento aparecem aqui para revisão. Aprovar cada site antes de se tornar ativo e ganhar acesso a seus recursos.",
+    "pendingSitesBannerButtonText": "Saiba mais",
     "apiKeysSettings": "Configurações de {apiKeyName}",
     "userTitle": "Gerir Todos os Utilizadores",
     "userDescription": "Visualizar e gerir todos os utilizadores no sistema",
@@ -509,9 +562,12 @@
     "userSaved": "Usuário salvo",
     "userSavedDescription": "O utilizador foi atualizado.",
     "autoProvisioned": "Auto provisionado",
+    "autoProvisionSettings": "Configurações de provisão automática",
     "autoProvisionedDescription": "Permitir que este utilizador seja gerido automaticamente pelo provedor de identidade",
     "accessControlsDescription": "Gerir o que este utilizador pode aceder e fazer na organização",
     "accessControlsSubmit": "Guardar Controlos de Acesso",
+    "singleRolePerUserPlanNotice": "Seu plano suporta apenas uma função por usuário.",
+    "singleRolePerUserEditionNotice": "Esta edição suporta apenas uma função por usuário.",
     "roles": "Funções",
     "accessUsersRoles": "Gerir Utilizadores e Funções",
     "accessUsersRolesDescription": "Convidar usuários e adicioná-los a funções para gerenciar o acesso à organização",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Digite o token de configuração do console do servidor.",
     "setupTokenRequired": "Token de configuração é necessário",
     "actionUpdateSite": "Atualizar Site",
+    "actionResetSiteBandwidth": "Redefinir banda da organização",
     "actionListSiteRoles": "Listar Funções Permitidas do Site",
     "actionCreateResource": "Criar Recurso",
     "actionDeleteResource": "Eliminar Recurso",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Remover Utilizador",
     "actionListUsers": "Listar Utilizadores",
     "actionAddUserRole": "Adicionar Função ao Utilizador",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Definir funções do usuário",
     "actionGenerateAccessToken": "Gerar Token de Acesso",
     "actionDeleteAccessToken": "Eliminar Token de Acesso",
     "actionListAccessTokens": "Listar Tokens de Acesso",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Papéis",
     "sidebarShareableLinks": "Links",
     "sidebarApiKeys": "Chaves API",
+    "sidebarProvisioning": "Provisionamento",
     "sidebarSettings": "Configurações",
     "sidebarAllUsers": "Todos os utilizadores",
     "sidebarIdentityProviders": "Provedores de identidade",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nodo de Saída",
     "country": "País",
     "rulesMatchCountry": "Atualmente baseado no IP de origem",
+    "region": "Região",
+    "selectRegion": "Selecionar região",
+    "searchRegions": "Procurar regiões...",
+    "noRegionFound": "Nenhuma região encontrada.",
+    "rulesMatchRegion": "Selecione um grupo regional de países",
+    "rulesErrorInvalidRegion": "Região inválida",
+    "rulesErrorInvalidRegionDescription": "Por favor, selecione uma região válida.",
+    "regionAfrica": "África",
+    "regionNorthernAfrica": "África do Norte",
+    "regionEasternAfrica": "África Oriental",
+    "regionMiddleAfrica": "África Média",
+    "regionSouthernAfrica": "África Austral",
+    "regionWesternAfrica": "África Ocidental",
+    "regionAmericas": "Américas",
+    "regionCaribbean": "Caribe",
+    "regionCentralAmerica": "América Central",
+    "regionSouthAmerica": "América do Sul",
+    "regionNorthernAmerica": "América do Norte",
+    "regionAsia": "Ásia",
+    "regionCentralAsia": "Ásia Central",
+    "regionEasternAsia": "Ásia Oriental",
+    "regionSouthEasternAsia": "Sudeste da Ásia",
+    "regionSouthernAsia": "Sudeste da Ásia",
+    "regionWesternAsia": "Ásia Ocidental",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Oriental",
+    "regionNorthernEurope": "Europa do Norte",
+    "regionSouthernEurope": "Europa do Sul",
+    "regionWesternEurope": "Europa Ocidental",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Austrália e Nova Zelândia",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Gerenciado Auto-Hospedado",
         "description": "Servidor Pangolin auto-hospedado mais confiável e com baixa manutenção com sinos extras e assobiamentos",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valor Inválido",
     "idpTypeLabel": "Tipo de provedor de identidade",
     "roleMappingExpressionPlaceholder": "ex.: Contem (grupos, 'administrador') && 'Administrador' 「'Membro'",
+    "roleMappingModeFixedRoles": "Papéis fixos",
+    "roleMappingModeMappingBuilder": "Mapeando Construtor",
+    "roleMappingModeRawExpression": "Expressão Bruta",
+    "roleMappingFixedRolesPlaceholderSelect": "Selecione um ou mais papéis",
+    "roleMappingFixedRolesPlaceholderFreeform": "Digite o nome das funções (correspondência exata por organização)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Atribuir o mesmo conjunto de funções a cada usuário auto-provisionado.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Para políticas padrão, nomes de funções de tipo que existem em cada organização onde os usuários são fornecidos. Nomes devem coincidir exatamente.",
+    "roleMappingClaimPath": "Caminho da Reivindicação",
+    "roleMappingClaimPathPlaceholder": "grupos",
+    "roleMappingClaimPathDescription": "Caminho no payload token que contém valores de origem (por exemplo, grupos).",
+    "roleMappingMatchValue": "Valor Correspondente",
+    "roleMappingAssignRoles": "Atribuir Papéis",
+    "roleMappingAddMappingRule": "Adicionar regra de mapeamento",
+    "roleMappingRawExpressionResultDescription": "Expressão deve retornar à matriz string ou string.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expressão deve ser avaliada para uma string (um nome de função única).",
+    "roleMappingMatchValuePlaceholder": "Valor do jogo (por exemplo: administrador)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Digite nomes de funções ((exact por org)",
+    "roleMappingBuilderFreeformRowHint": "Nomes de papéis devem corresponder a um papel em cada organizaçãoalvo.",
+    "roleMappingRemoveRule": "Remover",
     "idpGoogleConfiguration": "Configuração do Google",
     "idpGoogleConfigurationDescription": "Configurar as credenciais do Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Por quanto tempo manter os registros de acesso",
     "logRetentionActionLabel": "Ação de Retenção no Log",
     "logRetentionActionDescription": "Por quanto tempo manter os registros de ação",
+    "logRetentionConnectionLabel": "Retenção de registro de conexão",
+    "logRetentionConnectionDescription": "Por quanto tempo manter os registros de conexão",
     "logRetentionDisabled": "Desabilitado",
     "logRetention3Days": "3 dias",
     "logRetention7Days": "7 dias",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fim do ano seguinte",
     "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
     "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
+    "connectionLogs": "Logs da conexão",
+    "connectionLogsDescription": "Ver logs de conexão para túneis nesta organização",
+    "sidebarLogsConnection": "Logs da conexão",
+    "sidebarLogsStreaming": "Transmitindo",
+    "sourceAddress": "Endereço de origem",
+    "destinationAddress": "Endereço de destino",
+    "duration": "Duração",
     "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> é necessária para usar este recurso. <bookADemoLink>Reserve um teste de demonstração ou POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserve uma demonstração ou avaliação POC</bookADemoLink>.",
     "certResolver": "Resolvedor de Certificado",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
     "approvalsEmptyStateButtonText": "Gerir Funções",
-    "domainErrorTitle": "Estamos tendo problemas ao verificar seu domínio"
+    "domainErrorTitle": "Estamos tendo problemas ao verificar seu domínio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configurar funções de mapeamento e políticas de organização na aba <policiesTabLink>Auto Provision Settings</policiesTabLink>.",
+    "streamingTitle": "Streaming do Evento",
+    "streamingDescription": "Transmita eventos de sua organização para destinos externos em tempo real.",
+    "streamingUnnamedDestination": "Destino sem nome",
+    "streamingNoUrlConfigured": "Nenhuma URL configurada",
+    "streamingAddDestination": "Adicionar destino",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Envie os eventos para qualquer endpoint HTTP com autenticação flexível e modelo.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Transmitir eventos para um balde de armazenamento de objetos compatível com S3. Em breve.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Encaminha eventos diretamente para a sua conta no Datadog. Em breve.",
+    "streamingTypePickerDescription": "Escolha um tipo de destino para começar.",
+    "streamingFailedToLoad": "Falha ao carregar destinos",
+    "streamingUnexpectedError": "Ocorreu um erro inesperado.",
+    "streamingFailedToUpdate": "Falha ao atualizar destino",
+    "streamingDeletedSuccess": "Destino apagado com sucesso",
+    "streamingFailedToDelete": "Falha ao excluir destino",
+    "streamingDeleteTitle": "Excluir destino",
+    "streamingDeleteButtonText": "Excluir destino",
+    "streamingDeleteDialogAreYouSure": "Tem certeza de que deseja excluir",
+    "streamingDeleteDialogThisDestination": "este destino",
+    "streamingDeleteDialogPermanentlyRemoved": "? Todas as configurações serão permanentemente removidas.",
+    "httpDestEditTitle": "Editar destino",
+    "httpDestAddTitle": "Adicionar Destino HTTP",
+    "httpDestEditDescription": "Atualizar a configuração para este destino de transmissão de eventos HTTP.",
+    "httpDestAddDescription": "Configure um novo ponto de extremidade HTTP para receber eventos da sua organização.",
+    "httpDestTabSettings": "Confirgurações",
+    "httpDestTabHeaders": "Cabeçalhos",
+    "httpDestTabBody": "Conteúdo",
+    "httpDestTabLogs": "Registros",
+    "httpDestNamePlaceholder": "Meu destino HTTP",
+    "httpDestUrlLabel": "URL de destino",
+    "httpDestUrlErrorHttpRequired": "A URL deve usar http ou https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS é necessário em implantações em nuvem",
+    "httpDestUrlErrorInvalid": "Informe uma URL válida (por exemplo, https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticação",
+    "httpDestAuthDescription": "Escolha como os pedidos para seu endpoint são autenticados.",
+    "httpDestAuthNoneTitle": "Sem Autenticação",
+    "httpDestAuthNoneDescription": "Envia pedidos sem um cabeçalho de autorização.",
+    "httpDestAuthBearerTitle": "Token do portador",
+    "httpDestAuthBearerDescription": "Adiciona uma autorização: Bearer <token> header a cada requisição.",
+    "httpDestAuthBearerPlaceholder": "Sua chave de API ou token",
+    "httpDestAuthBasicTitle": "Autenticação básica",
+    "httpDestAuthBasicDescription": "Adiciona uma Autorização: cabeçalho <credentials> básico. Forneça credenciais como nome de usuário:senha.",
+    "httpDestAuthBasicPlaceholder": "Usuário:password",
+    "httpDestAuthCustomTitle": "Cabeçalho personalizado",
+    "httpDestAuthCustomDescription": "Especifique um nome e valor de cabeçalho HTTP personalizado para autenticação (por exemplo, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nome do cabeçalho (ex: X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valor do cabeçalho",
+    "httpDestCustomHeadersTitle": "Cabeçalhos HTTP personalizados",
+    "httpDestCustomHeadersDescription": "Adicionar cabeçalhos personalizados a todas as solicitações de saída. Útil para tokens estáticos ou um tipo de conteúdo personalizado. Por padrão, Content-Type: application/json é enviado.",
+    "httpDestNoHeadersConfigured": "Nenhum cabeçalho personalizado configurado. Clique em \"Adicionar Cabeçalho\" para adicionar um.",
+    "httpDestHeaderNamePlaceholder": "Nome do Cabeçalho",
+    "httpDestHeaderValuePlaceholder": "Valor",
+    "httpDestAddHeader": "Adicionar Cabeçalho",
+    "httpDestBodyTemplateTitle": "Modelo de corpo personalizado",
+    "httpDestBodyTemplateDescription": "Controla a estrutura de carga JSON enviada ao seu endpoint. Se desativado, um objeto JSON padrão é enviado para cada evento.",
+    "httpDestEnableBodyTemplate": "Ativar modelo personalizado de corpo",
+    "httpDestBodyTemplateLabel": "Modelo de corpo (JSON)",
+    "httpDestBodyTemplateHint": "Use variáveis de template para referenciar campos de evento em seu payload.",
+    "httpDestPayloadFormatTitle": "Formato de carga",
+    "httpDestPayloadFormatDescription": "Como os eventos são serializados em cada corpo do pedido.",
+    "httpDestFormatJsonArrayTitle": "Matriz JSON",
+    "httpDestFormatJsonArrayDescription": "Um pedido por lote, o corpo é um array JSON. Compatível com a maioria dos webhooks genéricos e Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Um pedido por lote, o corpo é um JSON delimitado por nova-linha — um objeto por linha, sem array exterior. Requerido pelo Splunk HEC, Elástico / OpenSearch, e Grafana Loki.",
+    "httpDestFormatSingleTitle": "Um Evento por Requisição",
+    "httpDestFormatSingleDescription": "Envia um POST HTTP separado para cada evento. Utilize apenas para endpoints que não podem manipular lotes.",
+    "httpDestLogTypesTitle": "Tipos de log",
+    "httpDestLogTypesDescription": "Escolha quais tipos de log são encaminhados para este destino. Somente serão racionalizados os tipos de logs habilitados.",
+    "httpDestAccessLogsTitle": "Logs de Acesso",
+    "httpDestAccessLogsDescription": "Tentativas de acesso a recursos, incluindo solicitações autenticadas e negadas.",
+    "httpDestActionLogsTitle": "Logs de Ações",
+    "httpDestActionLogsDescription": "Ações administrativas realizadas por usuários dentro da organização.",
+    "httpDestConnectionLogsTitle": "Logs da conexão",
+    "httpDestConnectionLogsDescription": "Eventos de conexão de site e túnel, incluindo conexões e desconexões.",
+    "httpDestRequestLogsTitle": "Registro de pedidos",
+    "httpDestRequestLogsDescription": "Logs de solicitação HTTP para recursos proxy incluindo o método, o caminho e o código de resposta.",
+    "httpDestSaveChanges": "Salvar as alterações",
+    "httpDestCreateDestination": "Criar destino",
+    "httpDestUpdatedSuccess": "Destino atualizado com sucesso",
+    "httpDestCreatedSuccess": "Destino criado com sucesso",
+    "httpDestUpdateFailed": "Falha ao atualizar destino",
+    "httpDestCreateFailed": "Falha ao criar destino"
 }

From d07996d435e777a54925c2bf14b85afaa9e2255d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:19:59 -0700
Subject: [PATCH 118/122] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 175 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 173 insertions(+), 2 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 98a787f45..b44ec36ed 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -148,6 +148,11 @@
     "createLink": "Создать ссылку",
     "resourcesNotFound": "Ресурсы не найдены",
     "resourceSearch": "Поиск ресурсов",
+    "machineSearch": "Поиск машин",
+    "machinesSearch": "Поиск клиентов машины...",
+    "machineNotFound": "Машины не найдены",
+    "userDeviceSearch": "Поиск устройств пользователя",
+    "userDevicesSearch": "Поиск устройств пользователя...",
     "openMenu": "Открыть меню",
     "resource": "Ресурс",
     "title": "Заголовок",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Удаление ключа API",
     "apiKeysManage": "Управление ключами API",
     "apiKeysDescription": "Ключи API используются для аутентификации в интеграционном API",
+    "provisioningKeysTitle": "Ключ подготовки",
+    "provisioningKeysManage": "Управление ключами подготовки",
+    "provisioningKeysDescription": "Ключи подготовки используются для аутентификации автоматического обеспечения сайта для вашей организации.",
+    "provisioningManage": "Подготовка",
+    "provisioningDescription": "Управляйте предоставленными ключами и проверять непроверенные сайты, ожидающие утверждения.",
+    "pendingSites": "Ожидающие сайты",
+    "siteApproveSuccess": "Сайт успешно утвержден",
+    "siteApproveError": "Ошибка при утверждении сайта",
+    "provisioningKeys": "Ключи подготовки",
+    "searchProvisioningKeys": "Поиск подготовительных ключей...",
+    "provisioningKeysAdd": "Сгенерировать ключ подготовки",
+    "provisioningKeysErrorDelete": "Ошибка при удалении подготовительного ключа",
+    "provisioningKeysErrorDeleteMessage": "Ошибка при удалении подготовительного ключа",
+    "provisioningKeysQuestionRemove": "Вы уверены, что хотите удалить этот ключ подготовки из организации?",
+    "provisioningKeysMessageRemove": "После удаления ключ больше не может быть использован для размещения сайта.",
+    "provisioningKeysDeleteConfirm": "Подтвердите удаление ключа подготовки",
+    "provisioningKeysDelete": "Удалить ключ подготовки",
+    "provisioningKeysCreate": "Сгенерировать ключ подготовки",
+    "provisioningKeysCreateDescription": "Создать новый подготовительный ключ для организации",
+    "provisioningKeysSeeAll": "Посмотреть все подготовительные ключи",
+    "provisioningKeysSave": "Сохранить ключ подготовки",
+    "provisioningKeysSaveDescription": "Вы сможете увидеть это только один раз. Скопируйте его в безопасное место.",
+    "provisioningKeysErrorCreate": "Ошибка при создании ключа подготовки",
+    "provisioningKeysList": "Новый подготовительный ключ",
+    "provisioningKeysMaxBatchSize": "Макс. размер партии",
+    "provisioningKeysUnlimitedBatchSize": "Неограниченный размер партии (без ограничений)",
+    "provisioningKeysMaxBatchUnlimited": "Неограниченный",
+    "provisioningKeysMaxBatchSizeInvalid": "Введите максимальный размер пакета (1–1,000,000).",
+    "provisioningKeysValidUntil": "Действителен до",
+    "provisioningKeysValidUntilHint": "Оставьте пустым для отсутствия срока действия.",
+    "provisioningKeysValidUntilInvalid": "Введите правильную дату и время.",
+    "provisioningKeysNumUsed": "Использовано раз",
+    "provisioningKeysLastUsed": "Последнее использованное",
+    "provisioningKeysNoExpiry": "Без истечения срока",
+    "provisioningKeysNeverUsed": "Никогда",
+    "provisioningKeysEdit": "Редактировать ключ подготовки",
+    "provisioningKeysEditDescription": "Обновить максимальный размер и срок действия этого ключа.",
+    "provisioningKeysApproveNewSites": "Одобрить новые сайты",
+    "provisioningKeysApproveNewSitesDescription": "Автоматически одобрять сайты, регистрирующиеся с этим ключом.",
+    "provisioningKeysUpdateError": "Ошибка при обновлении ключа подготовки",
+    "provisioningKeysUpdated": "Ключ подготовки обновлен",
+    "provisioningKeysUpdatedDescription": "Ваши изменения были сохранены.",
+    "provisioningKeysBannerTitle": "Ключи подготовки сайта",
+    "provisioningKeysBannerDescription": "Генерировать подготовительный ключ и использовать его вместе с Новым коннектором для автоматического создания сайтов при первом запуске — нет необходимости настраивать отдельные учетные данные для каждого сайта.",
+    "provisioningKeysBannerButtonText": "Узнать больше",
+    "pendingSitesBannerTitle": "Ожидающие сайты",
+    "pendingSitesBannerDescription": "Сайты, связанные с использованием ключа подготовки, появляются здесь для проверки. Одобрите каждый сайт, прежде чем он станет активным и получит доступ к вашим ресурсам.",
+    "pendingSitesBannerButtonText": "Узнать больше",
     "apiKeysSettings": "Настройки {apiKeyName}",
     "userTitle": "Управление всеми пользователями",
     "userDescription": "Просмотр и управление всеми пользователями в системе",
@@ -509,9 +562,12 @@
     "userSaved": "Пользователь сохранён",
     "userSavedDescription": "Пользователь был обновлён.",
     "autoProvisioned": "Автоподбор",
+    "autoProvisionSettings": "Настройки автоматического обеспечения",
     "autoProvisionedDescription": "Разрешить автоматическое управление этим пользователем",
     "accessControlsDescription": "Управляйте тем, к чему этот пользователь может получить доступ и что делать в организации",
     "accessControlsSubmit": "Сохранить контроль доступа",
+    "singleRolePerUserPlanNotice": "Ваш план поддерживает только одну роль каждого пользователя.",
+    "singleRolePerUserEditionNotice": "Эта редакция поддерживает только одну роль для каждого пользователя.",
     "roles": "Роли",
     "accessUsersRoles": "Управление пользователями и ролями",
     "accessUsersRolesDescription": "Пригласить пользователей и добавить их в роли для управления доступом к организации",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Введите токен настройки из консоли сервера.",
     "setupTokenRequired": "Токен настройки обязателен",
     "actionUpdateSite": "Обновить сайт",
+    "actionResetSiteBandwidth": "Сброс пропускной способности организации",
     "actionListSiteRoles": "Список разрешенных ролей сайта",
     "actionCreateResource": "Создать ресурс",
     "actionDeleteResource": "Удалить ресурс",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Удалить пользователя",
     "actionListUsers": "Список пользователей",
     "actionAddUserRole": "Добавить роль пользователя",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Установка ролей пользователей",
     "actionGenerateAccessToken": "Сгенерировать токен доступа",
     "actionDeleteAccessToken": "Удалить токен доступа",
     "actionListAccessTokens": "Список токенов доступа",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Роли",
     "sidebarShareableLinks": "Ссылки",
     "sidebarApiKeys": "API ключи",
+    "sidebarProvisioning": "Подготовка",
     "sidebarSettings": "Настройки",
     "sidebarAllUsers": "Все пользователи",
     "sidebarIdentityProviders": "Поставщики удостоверений",
@@ -1972,6 +2030,25 @@
     "invalidValue": "Неверное значение",
     "idpTypeLabel": "Тип поставщика удостоверений",
     "roleMappingExpressionPlaceholder": "например, contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Фиксированные роли",
+    "roleMappingModeMappingBuilder": "Сопоставляющий конструктор",
+    "roleMappingModeRawExpression": "Сырое выражение",
+    "roleMappingFixedRolesPlaceholderSelect": "Выберите одну или несколько ролей",
+    "roleMappingFixedRolesPlaceholderFreeform": "Тип имен ролей (точное совпадение по организации)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Назначить одну и ту же роль, которая установлена каждому автообеспеченному пользователю.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Для политик по умолчанию, введите имена ролей, которые существуют в каждой организации, где пользователи предоставлены. Имена должны соответствовать точно.",
+    "roleMappingClaimPath": "Путь к заявлению",
+    "roleMappingClaimPathPlaceholder": "группы",
+    "roleMappingClaimPathDescription": "Путь в полезной нагрузке токенов, который содержит исходные значения (например, группы).",
+    "roleMappingMatchValue": "Значение матча",
+    "roleMappingAssignRoles": "Назначить роли",
+    "roleMappingAddMappingRule": "Добавить правило сопоставления",
+    "roleMappingRawExpressionResultDescription": "Выражение должно быть оценено к строке или строковому массиву.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Выражение должно быть оценено строке (название одной роли).",
+    "roleMappingMatchValuePlaceholder": "Значение совпадения (например: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Введите имена ролей (точное по организациям)",
+    "roleMappingBuilderFreeformRowHint": "Имена ролей должны соответствовать роли в каждой целевой организации.",
+    "roleMappingRemoveRule": "Удалить",
     "idpGoogleConfiguration": "Конфигурация Google",
     "idpGoogleConfigurationDescription": "Настройка учетных данных Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2368,6 +2445,8 @@
     "logRetentionAccessDescription": "Как долго сохранять журналы доступа",
     "logRetentionActionLabel": "Сохранение журнала действий",
     "logRetentionActionDescription": "Как долго хранить журналы действий",
+    "logRetentionConnectionLabel": "Сохранение журнала подключений",
+    "logRetentionConnectionDescription": "Как долго хранить журналы подключений",
     "logRetentionDisabled": "Отключено",
     "logRetention3Days": "3 дня",
     "logRetention7Days": "7 дней",
@@ -2378,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Конец следующего года",
     "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
     "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
+    "connectionLogs": "Журнал подключений",
+    "connectionLogsDescription": "Просмотр журналов подключения туннелей в этой организации",
+    "sidebarLogsConnection": "Журнал подключений",
+    "sidebarLogsStreaming": "Вещание",
+    "sourceAddress": "Адрес источника",
+    "destinationAddress": "Адрес назначения",
+    "duration": "Продолжительность",
     "licenseRequiredToUse": "Требуется лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> для использования этой функции. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
     "certResolver": "Резольвер сертификата",
@@ -2717,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
     "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
     "approvalsEmptyStateButtonText": "Управление ролями",
-    "domainErrorTitle": "У нас возникли проблемы с проверкой вашего домена"
+    "domainErrorTitle": "У нас возникли проблемы с проверкой вашего домена",
+    "idpAdminAutoProvisionPoliciesTabHint": "Настройте сопоставление ролей и организационные политики на вкладке <policiesTabLink>Настройки авто-предоставления</policiesTabLink>.",
+    "streamingTitle": "Поток событий",
+    "streamingDescription": "Трансляция событий от вашей организации к внешним направлениям в режиме реального времени.",
+    "streamingUnnamedDestination": "Место назначения без имени",
+    "streamingNoUrlConfigured": "URL-адрес не настроен",
+    "streamingAddDestination": "Добавить место назначения",
+    "streamingHttpWebhookTitle": "HTTP вебхук",
+    "streamingHttpWebhookDescription": "Отправлять события на любую конечную точку HTTP с гибкой аутентификацией и шаблоном.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Потоковая передача событий к пакету хранения объектов, совместимому с S3.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Перенаправлять события непосредственно на ваш аккаунт в Datadog. Скоро будет доступно.",
+    "streamingTypePickerDescription": "Выберите тип назначения, чтобы начать.",
+    "streamingFailedToLoad": "Не удалось загрузить места назначения",
+    "streamingUnexpectedError": "Произошла непредвиденная ошибка.",
+    "streamingFailedToUpdate": "Не удалось обновить место назначения",
+    "streamingDeletedSuccess": "Адрес назначения успешно удален",
+    "streamingFailedToDelete": "Не удалось удалить место назначения",
+    "streamingDeleteTitle": "Удалить адрес назначения",
+    "streamingDeleteButtonText": "Удалить адрес назначения",
+    "streamingDeleteDialogAreYouSure": "Вы уверены, что хотите удалить",
+    "streamingDeleteDialogThisDestination": "это место назначения",
+    "streamingDeleteDialogPermanentlyRemoved": "? Все настройки будут удалены навсегда.",
+    "httpDestEditTitle": "Изменить адрес назначения",
+    "httpDestAddTitle": "Добавить HTTP адрес",
+    "httpDestEditDescription": "Обновление конфигурации для этого HTTP события потокового назначения.",
+    "httpDestAddDescription": "Настройте новую HTTP-конечную точку для получения событий вашей организации.",
+    "httpDestTabSettings": "Настройки",
+    "httpDestTabHeaders": "Заголовки",
+    "httpDestTabBody": "Тело",
+    "httpDestTabLogs": "Логи",
+    "httpDestNamePlaceholder": "Мой HTTP адрес назначения",
+    "httpDestUrlLabel": "URL назначения",
+    "httpDestUrlErrorHttpRequired": "URL должен использовать http или https",
+    "httpDestUrlErrorHttpsRequired": "Требуется HTTPS при развертывании облака",
+    "httpDestUrlErrorInvalid": "Введите действительный URL (например, https://example.com/webhook)",
+    "httpDestAuthTitle": "Аутентификация",
+    "httpDestAuthDescription": "Выберите, как запросы к вашей конечной точке аутентифицированы.",
+    "httpDestAuthNoneTitle": "Нет аутентификации",
+    "httpDestAuthNoneDescription": "Отправляет запросы без заголовка авторизации.",
+    "httpDestAuthBearerTitle": "Жетон носителя",
+    "httpDestAuthBearerDescription": "Добавляет заголовок Authorization: Bearer <token> к каждому запросу.",
+    "httpDestAuthBearerPlaceholder": "Ваш ключ API или токен",
+    "httpDestAuthBasicTitle": "Базовая авторизация",
+    "httpDestAuthBasicDescription": "Добавляет Authorization: Basic <credentials> header. Предоставьте учетные данные в качестве имени пользователя:password.",
+    "httpDestAuthBasicPlaceholder": "имя пользователя:пароль",
+    "httpDestAuthCustomTitle": "Пользовательский заголовок",
+    "httpDestAuthCustomDescription": "Укажите пользовательское имя заголовка HTTP и значение для аутентификации (например, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Имя заголовка (например, X-API-ключ)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Значение заголовка",
+    "httpDestCustomHeadersTitle": "Пользовательские HTTP-заголовки",
+    "httpDestCustomHeadersDescription": "Добавляет пользовательские заголовки к каждому исходящему запросу. Полезно для статических маркеров или пользовательского типа содержимого. По умолчанию отправляется Content-Type: application/json.",
+    "httpDestNoHeadersConfigured": "Пользовательские заголовки не настроены. Нажмите \"Добавить заголовок\", чтобы добавить их.",
+    "httpDestHeaderNamePlaceholder": "Название заголовка",
+    "httpDestHeaderValuePlaceholder": "Значение",
+    "httpDestAddHeader": "Добавить заголовок",
+    "httpDestBodyTemplateTitle": "Пользовательский шаблон тела",
+    "httpDestBodyTemplateDescription": "Контролируйте структуру JSON приложения, отправленную на вашу конечную точку. Если отключено, для каждого события отправляется JSON объект по умолчанию.",
+    "httpDestEnableBodyTemplate": "Включить настраиваемый шаблон тела",
+    "httpDestBodyTemplateLabel": "Шаблон тела (JSON)",
+    "httpDestBodyTemplateHint": "Использовать шаблонные переменные для ссылки поля событий в вашей полезной нагрузке.",
+    "httpDestPayloadFormatTitle": "Формат нагрузки",
+    "httpDestPayloadFormatDescription": "Как события сериализуются в каждый орган запроса.",
+    "httpDestFormatJsonArrayTitle": "JSON массив",
+    "httpDestFormatJsonArrayDescription": "По одному запросу на каждую партию, тело является JSON-массивом. Совместим с большинством общих вебхуков и Датадог.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "По одному запросу на каждую партию, тело - это JSON, разделённый новой строкой, по одному объекту на строку, без внешнего массива. Требуется в Splunk HEC, Elastic / OpenSearch, и Grafana Loki.",
+    "httpDestFormatSingleTitle": "Одно событие на запрос",
+    "httpDestFormatSingleDescription": "Отправляет отдельный HTTP POST для каждого отдельного события. Используйте только для конечных точек, которые не могут обрабатывать пакеты.",
+    "httpDestLogTypesTitle": "Типы журналов",
+    "httpDestLogTypesDescription": "Выберите, какие типы журналов пересылаются в этот пункт назначения. Только включенные типы журналов будут транслированы.",
+    "httpDestAccessLogsTitle": "Журналы доступа",
+    "httpDestAccessLogsDescription": "Попытки доступа к ресурсам, включая аутентифицированные и отклоненные запросы.",
+    "httpDestActionLogsTitle": "Журнал действий",
+    "httpDestActionLogsDescription": "Административные меры, осуществляемые пользователями в рамках организации.",
+    "httpDestConnectionLogsTitle": "Журнал подключений",
+    "httpDestConnectionLogsDescription": "События связи с сайтами и туннелями, включая соединения и отключения.",
+    "httpDestRequestLogsTitle": "Запросить журналы",
+    "httpDestRequestLogsDescription": "Журналы запросов HTTP для проксируемых ресурсов, включая метод, путь и код ответа.",
+    "httpDestSaveChanges": "Сохранить изменения",
+    "httpDestCreateDestination": "Создать адрес назначения",
+    "httpDestUpdatedSuccess": "Адрес назначения успешно обновлен",
+    "httpDestCreatedSuccess": "Адрес назначения успешно создан",
+    "httpDestUpdateFailed": "Не удалось обновить место назначения",
+    "httpDestCreateFailed": "Не удалось создать место назначения"
 }

From 546769ca6666fd57a939f691cb01644d562356bc Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:00 -0700
Subject: [PATCH 119/122] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 2fc52b885..39a2919f8 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -148,6 +148,11 @@
     "createLink": "Crear enlace",
     "resourcesNotFound": "No se encontraron recursos",
     "resourceSearch": "Buscar recursos",
+    "machineSearch": "Buscar máquinas",
+    "machinesSearch": "Buscar clientes...",
+    "machineNotFound": "No hay máquinas",
+    "userDeviceSearch": "Buscar dispositivos de usuario",
+    "userDevicesSearch": "Buscar dispositivos de usuario...",
     "openMenu": "Abrir menú",
     "resource": "Recurso",
     "title": "Título",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Borrar Clave API",
     "apiKeysManage": "Administrar claves API",
     "apiKeysDescription": "Las claves API se utilizan para autenticar con la API de integración",
+    "provisioningKeysTitle": "Clave de aprovisionamiento",
+    "provisioningKeysManage": "Administrar Claves de Aprovisionamiento",
+    "provisioningKeysDescription": "Las claves de aprovisionamiento se utilizan para autenticar la provisión automatizada del sitio para su organización.",
+    "provisioningManage": "Aprovisionamiento",
+    "provisioningDescription": "Administrar las claves de aprovisionamiento y revisar los sitios pendientes de aprobación.",
+    "pendingSites": "Sitios pendientes",
+    "siteApproveSuccess": "Sitio aprobado con éxito",
+    "siteApproveError": "Error al aprobar el sitio",
+    "provisioningKeys": "Claves de aprovisionamiento",
+    "searchProvisioningKeys": "Buscar claves de suministro...",
+    "provisioningKeysAdd": "Generar clave de aprovisionamiento",
+    "provisioningKeysErrorDelete": "Error al eliminar la clave de aprovisionamiento",
+    "provisioningKeysErrorDeleteMessage": "Error al eliminar la clave de aprovisionamiento",
+    "provisioningKeysQuestionRemove": "¿Está seguro que desea eliminar esta clave de aprovisionamiento de la organización?",
+    "provisioningKeysMessageRemove": "Una vez eliminada, la clave ya no se puede utilizar para la disposición del sitio.",
+    "provisioningKeysDeleteConfirm": "Confirmar Eliminar Clave de Aprovisionamiento",
+    "provisioningKeysDelete": "Eliminar clave de aprovisionamiento",
+    "provisioningKeysCreate": "Generar clave de aprovisionamiento",
+    "provisioningKeysCreateDescription": "Generar una nueva clave de aprovisionamiento para la organización",
+    "provisioningKeysSeeAll": "Ver todas las claves de aprovisionamiento",
+    "provisioningKeysSave": "Guardar la clave de aprovisionamiento",
+    "provisioningKeysSaveDescription": "Sólo podrás verlo una vez. Copítalo a un lugar seguro.",
+    "provisioningKeysErrorCreate": "Error al crear la clave de provisioning",
+    "provisioningKeysList": "Nueva clave de aprovisionamiento",
+    "provisioningKeysMaxBatchSize": "Tamaño máximo de lote",
+    "provisioningKeysUnlimitedBatchSize": "Tamaño ilimitado del lote (sin límite)",
+    "provisioningKeysMaxBatchUnlimited": "Ilimitado",
+    "provisioningKeysMaxBatchSizeInvalid": "Introduzca un tamaño máximo de lote válido (1–1,000,000).",
+    "provisioningKeysValidUntil": "Válido hasta",
+    "provisioningKeysValidUntilHint": "Dejar vacío para no expirar.",
+    "provisioningKeysValidUntilInvalid": "Introduzca una fecha y hora válidas.",
+    "provisioningKeysNumUsed": "Tiempos usados",
+    "provisioningKeysLastUsed": "Último uso",
+    "provisioningKeysNoExpiry": "No expiración",
+    "provisioningKeysNeverUsed": "Nunca",
+    "provisioningKeysEdit": "Editar clave de aprovisionamiento",
+    "provisioningKeysEditDescription": "Actualizar el tamaño máximo de lote y el tiempo de caducidad para esta clave.",
+    "provisioningKeysApproveNewSites": "Aprobar nuevos sitios",
+    "provisioningKeysApproveNewSitesDescription": "Aprobar automáticamente los sitios que se registran con esta clave.",
+    "provisioningKeysUpdateError": "Error al actualizar la clave de aprovisionamiento",
+    "provisioningKeysUpdated": "Clave de aprovisionamiento actualizada",
+    "provisioningKeysUpdatedDescription": "Sus cambios han sido guardados.",
+    "provisioningKeysBannerTitle": "Claves de aprovisionamiento del sitio",
+    "provisioningKeysBannerDescription": "Generar una clave de aprovisionamiento y usarla con el conector Newt para crear automáticamente sitios en el primer inicio — no es necesario configurar credenciales separadas para cada sitio.",
+    "provisioningKeysBannerButtonText": "Saber más",
+    "pendingSitesBannerTitle": "Sitios pendientes",
+    "pendingSitesBannerDescription": "Los sitios que se conectan usando una clave de aprovisionamiento aparecen aquí para su revisión. Aprobar cada sitio antes de que se active y obtenga acceso a sus recursos.",
+    "pendingSitesBannerButtonText": "Saber más",
     "apiKeysSettings": "Ajustes {apiKeyName}",
     "userTitle": "Administrar todos los usuarios",
     "userDescription": "Ver y administrar todos los usuarios en el sistema",
@@ -509,9 +562,12 @@
     "userSaved": "Usuario guardado",
     "userSavedDescription": "El usuario ha sido actualizado.",
     "autoProvisioned": "Auto asegurado",
+    "autoProvisionSettings": "Configuración de Auto Provision",
     "autoProvisionedDescription": "Permitir a este usuario ser administrado automáticamente por el proveedor de identidad",
     "accessControlsDescription": "Administrar lo que este usuario puede acceder y hacer en la organización",
     "accessControlsSubmit": "Guardar controles de acceso",
+    "singleRolePerUserPlanNotice": "Tu plan sólo soporta un rol por usuario.",
+    "singleRolePerUserEditionNotice": "Esta edición sólo soporta un rol por usuario.",
     "roles": "Roles",
     "accessUsersRoles": "Administrar usuarios y roles",
     "accessUsersRolesDescription": "Invitar usuarios y añadirlos a roles para administrar el acceso a la organización",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Ingrese el token de configuración desde la consola del servidor.",
     "setupTokenRequired": "Se requiere el token de configuración",
     "actionUpdateSite": "Actualizar sitio",
+    "actionResetSiteBandwidth": "Restablecer ancho de banda de la organización",
     "actionListSiteRoles": "Lista de roles permitidos del sitio",
     "actionCreateResource": "Crear Recurso",
     "actionDeleteResource": "Eliminar Recurso",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Eliminar usuario",
     "actionListUsers": "Listar usuarios",
     "actionAddUserRole": "Añadir rol de usuario",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Establecer roles de usuario",
     "actionGenerateAccessToken": "Generar token de acceso",
     "actionDeleteAccessToken": "Eliminar token de acceso",
     "actionListAccessTokens": "Lista de Tokens de Acceso",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Roles",
     "sidebarShareableLinks": "Enlaces",
     "sidebarApiKeys": "Claves API",
+    "sidebarProvisioning": "Aprovisionamiento",
     "sidebarSettings": "Ajustes",
     "sidebarAllUsers": "Todos los usuarios",
     "sidebarIdentityProviders": "Proveedores de identidad",
@@ -1890,6 +1948,40 @@
     "exitNode": "Nodo de Salida",
     "country": "País",
     "rulesMatchCountry": "Actualmente basado en IP de origen",
+    "region": "Región",
+    "selectRegion": "Seleccionar región",
+    "searchRegions": "Buscar regiones...",
+    "noRegionFound": "Región no encontrada.",
+    "rulesMatchRegion": "Seleccione una agrupación regional de países",
+    "rulesErrorInvalidRegion": "Región no válida",
+    "rulesErrorInvalidRegionDescription": "Por favor, seleccione una región válida.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "África septentrional",
+    "regionEasternAfrica": "África oriental",
+    "regionMiddleAfrica": "África central",
+    "regionSouthernAfrica": "África del Sur",
+    "regionWesternAfrica": "África Occidental",
+    "regionAmericas": "Américas",
+    "regionCaribbean": "Caribe",
+    "regionCentralAmerica": "América Central",
+    "regionSouthAmerica": "América del Sur",
+    "regionNorthernAmerica": "América del Norte",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Asia Central",
+    "regionEasternAsia": "Asia oriental",
+    "regionSouthEasternAsia": "Asia sudoriental",
+    "regionSouthernAsia": "Asia meridional",
+    "regionWesternAsia": "Asia Occidental",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa del Este",
+    "regionNorthernEurope": "Europa septentrional",
+    "regionSouthernEurope": "Europa meridional",
+    "regionWesternEurope": "Europa Occidental",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia y Nueva Zelanda",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Autogestionado",
         "description": "Servidor Pangolin autoalojado más fiable y de bajo mantenimiento con campanas y silbidos extra",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Valor inválido",
     "idpTypeLabel": "Tipo de proveedor de identidad",
     "roleMappingExpressionPlaceholder": "e.g., contiene(grupos, 'administrador') && 'administrador' || 'miembro'",
+    "roleMappingModeFixedRoles": "Roles fijos",
+    "roleMappingModeMappingBuilder": "Constructor de mapeo",
+    "roleMappingModeRawExpression": "Expresión sin procesar",
+    "roleMappingFixedRolesPlaceholderSelect": "Seleccione uno o más roles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Nombre de rol de tipo (coincidencia exacta por organización)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Asignar el mismo rol establecido a cada usuario auto-provisionado.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Para las políticas predeterminadas, escriba nombres de roles que existen en cada organización donde los usuarios son proporcionados. Los nombres deben coincidir exactamente.",
+    "roleMappingClaimPath": "Reclamar ruta",
+    "roleMappingClaimPathPlaceholder": "grupos",
+    "roleMappingClaimPathDescription": "Ruta en el payload del token que contiene valores de origen (por ejemplo, grupos).",
+    "roleMappingMatchValue": "Valor de partida",
+    "roleMappingAssignRoles": "Asignar roles",
+    "roleMappingAddMappingRule": "Añadir regla de mapeo",
+    "roleMappingRawExpressionResultDescription": "La expresión debe evaluar a un array de cadenas o cadenas.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "La expresión debe evaluar una cadena (un solo nombre de rol).",
+    "roleMappingMatchValuePlaceholder": "Valor coincidente (por ejemplo: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Escriba nombres de rol (exacto por org)",
+    "roleMappingBuilderFreeformRowHint": "Los nombres de rol deben coincidir con un rol en cada organización objetivo.",
+    "roleMappingRemoveRule": "Eliminar",
     "idpGoogleConfiguration": "Configuración de Google",
     "idpGoogleConfigurationDescription": "Configurar las credenciales de Google OAuth2",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Cuánto tiempo retener los registros de acceso",
     "logRetentionActionLabel": "Retención de registro de acción",
     "logRetentionActionDescription": "Cuánto tiempo retener los registros de acción",
+    "logRetentionConnectionLabel": "Retención de Registro de Conexión",
+    "logRetentionConnectionDescription": "Cuánto tiempo conservar los registros de conexión",
     "logRetentionDisabled": "Deshabilitado",
     "logRetention3Days": "3 días",
     "logRetention7Days": "7 días",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Fin del año siguiente",
     "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
     "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
+    "connectionLogs": "Registros de conexión",
+    "connectionLogsDescription": "Ver registros de conexión para túneles en esta organización",
+    "sidebarLogsConnection": "Registros de conexión",
+    "sidebarLogsStreaming": "Transmisión",
+    "sourceAddress": "Dirección de origen",
+    "destinationAddress": "Dirección de destino",
+    "duration": "Duración",
     "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> para usar esta función. <bookADemoLink>Reserve una demostración o prueba POC</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserva una demostración o prueba POC</bookADemoLink>.",
     "certResolver": "Resolver certificado",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
     "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
     "approvalsEmptyStateButtonText": "Administrar roles",
-    "domainErrorTitle": "Estamos teniendo problemas para verificar su dominio"
+    "domainErrorTitle": "Estamos teniendo problemas para verificar su dominio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure el mapeo de roles y las políticas de organización en la pestaña <policiesTabLink>Configuración de provisión automática</policiesTabLink>.",
+    "streamingTitle": "Transmisión de Eventos",
+    "streamingDescription": "Transmita eventos desde su organización a destinos externos en tiempo real.",
+    "streamingUnnamedDestination": "Destino sin nombre",
+    "streamingNoUrlConfigured": "No hay URL configurada",
+    "streamingAddDestination": "Añadir destino",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Enviar eventos a cualquier extremo HTTP con autenticación flexible y plantilla.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Transmite eventos a un bucket de almacenamiento de objetos compatible con S3. Próximamente.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Reenviar eventos directamente a tu cuenta de Datadog. Próximamente.",
+    "streamingTypePickerDescription": "Elija un tipo de destino para empezar.",
+    "streamingFailedToLoad": "Error al cargar destinos",
+    "streamingUnexpectedError": "Se ha producido un error inesperado.",
+    "streamingFailedToUpdate": "Error al actualizar destino",
+    "streamingDeletedSuccess": "Destino eliminado correctamente",
+    "streamingFailedToDelete": "Error al eliminar destino",
+    "streamingDeleteTitle": "Eliminar destino",
+    "streamingDeleteButtonText": "Eliminar destino",
+    "streamingDeleteDialogAreYouSure": "¿Está seguro que desea eliminar",
+    "streamingDeleteDialogThisDestination": "este destino",
+    "streamingDeleteDialogPermanentlyRemoved": "? Toda la configuración se eliminará permanentemente.",
+    "httpDestEditTitle": "Editar destino",
+    "httpDestAddTitle": "Añadir destino HTTP",
+    "httpDestEditDescription": "Actualizar la configuración para este destino de transmisión de eventos HTTP.",
+    "httpDestAddDescription": "Configure un nuevo extremo HTTP para recibir los eventos de su organización.",
+    "httpDestTabSettings": "Ajustes",
+    "httpDestTabHeaders": "Encabezados",
+    "httpDestTabBody": "Cuerpo",
+    "httpDestTabLogs": "Registros",
+    "httpDestNamePlaceholder": "Mi destino HTTP",
+    "httpDestUrlLabel": "URL de destino",
+    "httpDestUrlErrorHttpRequired": "URL debe usar http o https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS es necesario en implementaciones en la nube",
+    "httpDestUrlErrorInvalid": "Introduzca una URL válida (ej. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticación",
+    "httpDestAuthDescription": "Elija cómo están autenticadas las solicitudes en su punto final.",
+    "httpDestAuthNoneTitle": "Sin autenticación",
+    "httpDestAuthNoneDescription": "Envía solicitudes sin un encabezado de autorización.",
+    "httpDestAuthBearerTitle": "Tóken de portador",
+    "httpDestAuthBearerDescription": "Añade una autorización: portador <token> encabezado a cada solicitud.",
+    "httpDestAuthBearerPlaceholder": "Tu clave o token API",
+    "httpDestAuthBasicTitle": "Auth Básica",
+    "httpDestAuthBasicDescription": "Añade una Autorización: encabezado básico <credentials> . Proporcione credenciales como nombre de usuario: contraseña.",
+    "httpDestAuthBasicPlaceholder": "usuario:contraseña",
+    "httpDestAuthCustomTitle": "Cabecera personalizada",
+    "httpDestAuthCustomDescription": "Especifique un nombre de cabecera HTTP personalizado y un valor para la autenticación (por ejemplo, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nombre de cabecera (ej. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valor de cabecera",
+    "httpDestCustomHeadersTitle": "Cabeceras HTTP personalizadas",
+    "httpDestCustomHeadersDescription": "Añadir cabeceras personalizadas a cada petición saliente. Útil para tokens estáticos o un tipo de contenido personalizado. De forma predeterminada, Content Type: application/json es enviado.",
+    "httpDestNoHeadersConfigured": "No hay cabeceras personalizadas. Haga clic en \"Añadir cabecera\" para añadir una.",
+    "httpDestHeaderNamePlaceholder": "Nombre de cabecera",
+    "httpDestHeaderValuePlaceholder": "Valor",
+    "httpDestAddHeader": "Añadir cabecera",
+    "httpDestBodyTemplateTitle": "Plantilla de cuerpo personalizada",
+    "httpDestBodyTemplateDescription": "Controla la estructura de carga de JSON enviada a tu punto final. Si está desactivado, se envía un objeto JSON por defecto para cada evento.",
+    "httpDestEnableBodyTemplate": "Activar plantilla de cuerpo personalizado",
+    "httpDestBodyTemplateLabel": "Plantilla de cuerpo (JSON)",
+    "httpDestBodyTemplateHint": "Utilice variables de plantilla para referenciar los campos del evento en su carga útil.",
+    "httpDestPayloadFormatTitle": "Formato de carga",
+    "httpDestPayloadFormatDescription": "Cómo se serializan los eventos en cada cuerpo de solicitud.",
+    "httpDestFormatJsonArrayTitle": "Matriz JSON",
+    "httpDestFormatJsonArrayDescription": "Una petición por lote, cuerpo es una matriz JSON. Compatible con la mayoría de los webhooks y Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Una petición por lote, el cuerpo es JSON delimitado por línea — un objeto por línea, sin arrays externos. Requerido por Splunk HEC, Elastic / OpenSearch, y Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un evento por solicitud",
+    "httpDestFormatSingleDescription": "Envía un HTTP POST separado para cada evento individual. Úsalo sólo para los extremos que no pueden manejar lotes.",
+    "httpDestLogTypesTitle": "Tipos de Log",
+    "httpDestLogTypesDescription": "Elija qué tipos de registro son reenviados a este destino. Sólo los tipos de registro habilitados serán transmitidos.",
+    "httpDestAccessLogsTitle": "Registros de acceso",
+    "httpDestAccessLogsDescription": "Intentos de acceso a recursos, incluyendo solicitudes autenticadas y denegadas.",
+    "httpDestActionLogsTitle": "Registros de acción",
+    "httpDestActionLogsDescription": "Acciones administrativas realizadas por los usuarios dentro de la organización.",
+    "httpDestConnectionLogsTitle": "Registros de conexión",
+    "httpDestConnectionLogsDescription": "Eventos de conexión de sitios y túneles, incluyendo conexiones y desconexiones.",
+    "httpDestRequestLogsTitle": "Registros de Solicitud",
+    "httpDestRequestLogsDescription": "Registros de peticiones HTTP para recursos proxyficados, incluyendo método, ruta y código de respuesta.",
+    "httpDestSaveChanges": "Guardar Cambios",
+    "httpDestCreateDestination": "Crear destino",
+    "httpDestUpdatedSuccess": "Destino actualizado correctamente",
+    "httpDestCreatedSuccess": "Destino creado correctamente",
+    "httpDestUpdateFailed": "Error al actualizar destino",
+    "httpDestCreateFailed": "Error al crear el destino"
 }

From f6cdadbc2ddc4220d18dbe491148ae64d829cc97 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:02 -0700
Subject: [PATCH 120/122] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 2bfed7fb3..e89778322 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -148,6 +148,11 @@
     "createLink": "Bağlantı Oluştur",
     "resourcesNotFound": "Hiçbir kaynak bulunamadı",
     "resourceSearch": "Kaynak ara",
+    "machineSearch": "Makinaları ara",
+    "machinesSearch": "Makina müşteri...",
+    "machineNotFound": "Hiçbir makine bulunamadı",
+    "userDeviceSearch": "Kullanıcı cihazlarını ara",
+    "userDevicesSearch": "Kullanıcı cihazlarını ara...",
     "openMenu": "Menüyü Aç",
     "resource": "Kaynak",
     "title": "Başlık",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "API Anahtarını Sil",
     "apiKeysManage": "API Anahtarlarını Yönet",
     "apiKeysDescription": "API anahtarları entegrasyon API'sini doğrulamak için kullanılır",
+    "provisioningKeysTitle": "Tedarik Anahtarı",
+    "provisioningKeysManage": "Tedarik Anahtarlarını Yönet",
+    "provisioningKeysDescription": "Tedarik anahtarları, organizasyonunuz için otomatik site sağlama işlemini doğrulamak için kullanılır.",
+    "provisioningManage": "Tedarik",
+    "provisioningDescription": "Tedarik anahtarlarını yönetin ve onay bekleyen siteleri gözden geçirin.",
+    "pendingSites": "Bekleyen Siteler",
+    "siteApproveSuccess": "Site başarıyla onaylandı",
+    "siteApproveError": "Site onaylanırken hata oluştu",
+    "provisioningKeys": "Tedarik Anahtarları",
+    "searchProvisioningKeys": "Tedarik anahtarlarını ara...",
+    "provisioningKeysAdd": "Tedarik Anahtarı Üret",
+    "provisioningKeysErrorDelete": "Tedarik anahtarı silinirken hata oluştu",
+    "provisioningKeysErrorDeleteMessage": "Tedarik anahtarı silinirken hata oluştu",
+    "provisioningKeysQuestionRemove": "Bu tedarik anahtarını organizasyondan kaldırmak istediğinizden emin misiniz?",
+    "provisioningKeysMessageRemove": "Kaldırıldıktan sonra, anahtar site tedariki için artık kullanılamaz.",
+    "provisioningKeysDeleteConfirm": "Tedarik Anahtarını Silmeyi Onayla",
+    "provisioningKeysDelete": "Tedarik Anahtarını Sil",
+    "provisioningKeysCreate": "Tedarik Anahtarı Üret",
+    "provisioningKeysCreateDescription": "Organizasyon için yeni bir tedarik anahtarı oluşturun",
+    "provisioningKeysSeeAll": "Tüm tedarik anahtarlarını gör",
+    "provisioningKeysSave": "Tedarik anahtarını kaydet",
+    "provisioningKeysSaveDescription": "Bunu yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyalayın.",
+    "provisioningKeysErrorCreate": "Tedarik anahtarı oluşturulurken hata oluştu",
+    "provisioningKeysList": "Yeni tedarik anahtarı",
+    "provisioningKeysMaxBatchSize": "Maksimum toplu iş boyutu",
+    "provisioningKeysUnlimitedBatchSize": "Sınırsız toplu iş boyutu (sınırlama yok)",
+    "provisioningKeysMaxBatchUnlimited": "Sınırsız",
+    "provisioningKeysMaxBatchSizeInvalid": "Geçerli bir maksimum toplu iş boyutu girin (1–1,000,000).",
+    "provisioningKeysValidUntil": "Geçerlilik tarihi",
+    "provisioningKeysValidUntilHint": "Son kullanım tarihi için boş bırakın.",
+    "provisioningKeysValidUntilInvalid": "Geçerli bir tarih ve saat girin.",
+    "provisioningKeysNumUsed": "Kullanım Sayısı",
+    "provisioningKeysLastUsed": "Son kullanım",
+    "provisioningKeysNoExpiry": "Son kullanma tarihi yok",
+    "provisioningKeysNeverUsed": "Asla",
+    "provisioningKeysEdit": "Tedarik Anahtarını Düzenle",
+    "provisioningKeysEditDescription": "Bu anahtar için maksimum toplu iş boyutunu ve son kullanma zamanını güncelleyin.",
+    "provisioningKeysApproveNewSites": "Yeni siteleri onayla",
+    "provisioningKeysApproveNewSitesDescription": "Bu anahtar ile kayıt olan siteleri otomatik olarak onayla.",
+    "provisioningKeysUpdateError": "Tedarik anahtarı güncellenirken hata oluştu",
+    "provisioningKeysUpdated": "Tedarik anahtarı güncellendi",
+    "provisioningKeysUpdatedDescription": "Değişiklikleriniz kaydedildi.",
+    "provisioningKeysBannerTitle": "Site Tedarik Anahtarları",
+    "provisioningKeysBannerDescription": "Tedarik anahtarı oluşturun ve ilk başlangıçta siteleri otomatik olarak oluşturmak için Newt konektörüyle kullanın — her site için ayrı kimlik bilgileri ayarlamaya gerek yoktur.",
+    "provisioningKeysBannerButtonText": "Daha fazla bilgi",
+    "pendingSitesBannerTitle": "Bekleyen Siteler",
+    "pendingSitesBannerDescription": "Tedarik anahtarı kullanarak bağlanan siteler burada incelenmek için görünür. Aktif hale gelmeden ve kaynaklarınıza erişim kazanmadan önce her siteyi onaylayın.",
+    "pendingSitesBannerButtonText": "Daha fazla bilgi",
     "apiKeysSettings": "{apiKeyName} Ayarları",
     "userTitle": "Tüm Kullanıcıları Yönet",
     "userDescription": "Sistemdeki tüm kullanıcıları görün ve yönetin",
@@ -509,9 +562,12 @@
     "userSaved": "Kullanıcı kaydedildi",
     "userSavedDescription": "Kullanıcı güncellenmiştir.",
     "autoProvisioned": "Otomatik Sağlandı",
+    "autoProvisionSettings": "Otomatik Tedarik Ayarları",
     "autoProvisionedDescription": "Bu kullanıcının kimlik sağlayıcısı tarafından otomatik olarak yönetilmesine izin ver",
     "accessControlsDescription": "Bu kullanıcının organizasyonda neleri erişebileceğini ve yapabileceğini yönetin",
     "accessControlsSubmit": "Erişim Kontrollerini Kaydet",
+    "singleRolePerUserPlanNotice": "Planınız yalnızca kullanıcı başına bir rol desteler.",
+    "singleRolePerUserEditionNotice": "Bu sürüm yalnızca kullanıcı başına bir rol destekler.",
     "roles": "Roller",
     "accessUsersRoles": "Kullanıcılar ve Roller Yönetin",
     "accessUsersRolesDescription": "Kullanıcılara davet gönderin ve organizasyona erişimi yönetmek için rollere ekleyin",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Sunucu konsolundan kurulum simgesini girin.",
     "setupTokenRequired": "Kurulum simgesi gerekli",
     "actionUpdateSite": "Siteyi Güncelle",
+    "actionResetSiteBandwidth": "Organizasyon Bant Genişliğini Sıfırla",
     "actionListSiteRoles": "İzin Verilen Site Rolleri Listele",
     "actionCreateResource": "Kaynak Oluştur",
     "actionDeleteResource": "Kaynağı Sil",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Kullanıcıyı Kaldır",
     "actionListUsers": "Kullanıcıları Listele",
     "actionAddUserRole": "Kullanıcı Rolü Ekle",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Kullanıcı Rolleri Belirle",
     "actionGenerateAccessToken": "Erişim Jetonu Oluştur",
     "actionDeleteAccessToken": "Erişim Jetonunu Sil",
     "actionListAccessTokens": "Erişim Jetonlarını Listele",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Roller",
     "sidebarShareableLinks": "Bağlantılar",
     "sidebarApiKeys": "API Anahtarları",
+    "sidebarProvisioning": "Tedarik",
     "sidebarSettings": "Ayarlar",
     "sidebarAllUsers": "Tüm Kullanıcılar",
     "sidebarIdentityProviders": "Kimlik Sağlayıcılar",
@@ -1890,6 +1948,40 @@
     "exitNode": "Çıkış Düğümü",
     "country": "Ülke",
     "rulesMatchCountry": "Şu anda kaynak IP'ye dayanarak",
+    "region": "Bölge",
+    "selectRegion": "Bölgeyi seçin",
+    "searchRegions": "Bölgeleri ara...",
+    "noRegionFound": "Bölge bulunamadı.",
+    "rulesMatchRegion": "Başka ülkelerin bölgesel gruplandırmasını seçin",
+    "rulesErrorInvalidRegion": "Geçersiz bölge",
+    "rulesErrorInvalidRegionDescription": "Lütfen geçerli bir bölge seçin.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Kuzey Afrika",
+    "regionEasternAfrica": "Doğu Afrika",
+    "regionMiddleAfrica": "Orta Afrika",
+    "regionSouthernAfrica": "Güney Afrika",
+    "regionWesternAfrica": "Batı Afrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karayipler",
+    "regionCentralAmerica": "Orta Amerika",
+    "regionSouthAmerica": "Güney Amerika",
+    "regionNorthernAmerica": "Kuzey Amerika",
+    "regionAsia": "Asya",
+    "regionCentralAsia": "Orta Asya",
+    "regionEasternAsia": "Doğu Asya",
+    "regionSouthEasternAsia": "Güneydoğu Asya",
+    "regionSouthernAsia": "Güney Asya",
+    "regionWesternAsia": "Batı Asya",
+    "regionEurope": "Avrupa",
+    "regionEasternEurope": "Doğu Avrupa",
+    "regionNorthernEurope": "Kuzey Avrupa",
+    "regionSouthernEurope": "Güney Avrupa",
+    "regionWesternEurope": "Batı Avrupa",
+    "regionOceania": "Okyanusya",
+    "regionAustraliaAndNewZealand": "Avustralya ve Yeni Zelanda",
+    "regionMelanesia": "Melanezya",
+    "regionMicronesia": "Mikronezya",
+    "regionPolynesia": "Polinezya",
     "managedSelfHosted": {
         "title": "Yönetilen Self-Hosted",
         "description": "Daha güvenilir ve düşük bakım gerektiren, ekstra özelliklere sahip kendi kendine barındırabileceğiniz Pangolin sunucusu",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Geçersiz değer",
     "idpTypeLabel": "Kimlik Sağlayıcı Türü",
     "roleMappingExpressionPlaceholder": "örn., contains(gruplar, 'yönetici') && 'Yönetici' || 'Üye'",
+    "roleMappingModeFixedRoles": "Sabit Roller",
+    "roleMappingModeMappingBuilder": "Harita Oluşturucu",
+    "roleMappingModeRawExpression": "Ham İfade",
+    "roleMappingFixedRolesPlaceholderSelect": "Bir veya daha fazla rol seçin",
+    "roleMappingFixedRolesPlaceholderFreeform": "Rol isimlerini yazın (organizasyon başına tam eşleşme)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Her otomatik tedarik edilmiş kullanıcıya aynı rol setini atayın.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Varsayılan politikalar için, kullanıcıların sağlandığı her organizasyonda mevcut olan rol isimlerini yazın. İsimler tam olarak eşleşmelidir.",
+    "roleMappingClaimPath": "Hak Talep Yolu",
+    "roleMappingClaimPathPlaceholder": "gruplar",
+    "roleMappingClaimPathDescription": "Kaynak değerleri içeren belirteç yükündeki yol (örneğin, gruplar).",
+    "roleMappingMatchValue": "Eşleme Değeri",
+    "roleMappingAssignRoles": "Rolleri Ata",
+    "roleMappingAddMappingRule": "Eşleme Kuralı Ekle",
+    "roleMappingRawExpressionResultDescription": "İfade bir string veya string dizisine değerlendirilmelidir.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "İfade bir string (tek rol ismi) olarak değerlendirilmelidir.",
+    "roleMappingMatchValuePlaceholder": "Eşleme değeri (örneğin: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Rol isimlerini yazın (organizasyon başına tam eşleşme)",
+    "roleMappingBuilderFreeformRowHint": "Rol isimleri her hedef organizasyondaki bir rol ile eşleşmelidir.",
+    "roleMappingRemoveRule": "Kaldır",
     "idpGoogleConfiguration": "Google Yapılandırması",
     "idpGoogleConfigurationDescription": "Google OAuth2 kimlik bilgilerinizi yapılandırın",
     "idpGoogleClientIdDescription": "Google OAuth2 İstemci Kimliğiniz",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Erişim günlüklerini ne kadar süre tutacağını belirle",
     "logRetentionActionLabel": "Eylem Günlüğü Saklama",
     "logRetentionActionDescription": "Eylem günlüklerini ne kadar süre tutacağını belirle",
+    "logRetentionConnectionLabel": "Bağlantı kayıtlarını ne kadar süre saklayacağınız",
+    "logRetentionConnectionDescription": "Bağlantı kayıtlarını ne kadar süre saklayacağınız",
     "logRetentionDisabled": "Devre Dışı",
     "logRetention3Days": "3 gün",
     "logRetention7Days": "7 gün",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
     "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
     "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
+    "connectionLogs": "Bağlantı Kayıtları",
+    "connectionLogsDescription": "Bu organizasyondaki tüneller için bağlantı geçmişine bakın",
+    "sidebarLogsConnection": "Bağlantı Kayıtları",
+    "sidebarLogsStreaming": "Akış",
+    "sourceAddress": "Kaynak Adresi",
+    "destinationAddress": "Hedef Adresi",
+    "duration": "Süre",
     "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı veya <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> gereklidir. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>’da da mevcuttur. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
     "certResolver": "Sertifika Çözücü",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
     "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
     "approvalsEmptyStateButtonText": "Rolleri Yönet",
-    "domainErrorTitle": "Alan adınızı doğrulamada sorun yaşıyoruz"
+    "domainErrorTitle": "Alan adınızı doğrulamada sorun yaşıyoruz",
+    "idpAdminAutoProvisionPoliciesTabHint": "Rol eşleme ve organizasyon politikalarını <policiesTabLink>Otomatik Tedarik Ayarları</policiesTabLink> sekmesinde yapılandırın.",
+    "streamingTitle": "Olay Akışı",
+    "streamingDescription": "Olayları organizasyonunuzdan dış hedeflere gerçek zamanlı olarak iletin.",
+    "streamingUnnamedDestination": "Adsız hedef",
+    "streamingNoUrlConfigured": "URL yapılandırılmadı",
+    "streamingAddDestination": "Hedef Ekle",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Esnek kimlik doğrulama ve şablon oluşturmayla her HTTP uç noktasına olaylar gönderin.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Olayları S3 uyumlu bir nesne depolama kovasına iletin. Yakında gelicek.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Olayları doğrudan Datadog hesabınıza iletin. Yakında gelicek.",
+    "streamingTypePickerDescription": "Başlamak için bir hedef türü seçin.",
+    "streamingFailedToLoad": "Hedefler yüklenemedi",
+    "streamingUnexpectedError": "Beklenmeyen bir hata oluştu.",
+    "streamingFailedToUpdate": "Hedef güncellenemedi",
+    "streamingDeletedSuccess": "Hedef başarıyla silindi",
+    "streamingFailedToDelete": "Hedef silinemedi",
+    "streamingDeleteTitle": "Hedefi Sil",
+    "streamingDeleteButtonText": "Hedefi Sil",
+    "streamingDeleteDialogAreYouSure": "Silmek istediğinizden emin misiniz",
+    "streamingDeleteDialogThisDestination": "bu hedefi",
+    "streamingDeleteDialogPermanentlyRemoved": "? Tüm yapılandırma kalıcı olarak kaldırılacak.",
+    "httpDestEditTitle": "Hedefi Düzenle",
+    "httpDestAddTitle": "HTTP Hedefi Ekle",
+    "httpDestEditDescription": "Bu HTTP olay akışı hedefine yapılandırmayı güncelleyin.",
+    "httpDestAddDescription": "Organizasyonunuzun olaylarını almak için yeni bir HTTP uç noktası yapılandırın.",
+    "httpDestTabSettings": "Ayarlar",
+    "httpDestTabHeaders": "Başlıklar",
+    "httpDestTabBody": "Gövde",
+    "httpDestTabLogs": "Kayıtlar",
+    "httpDestNamePlaceholder": "Benim HTTP hedefim",
+    "httpDestUrlLabel": "Hedef URL",
+    "httpDestUrlErrorHttpRequired": "URL http veya https kullanmalıdır",
+    "httpDestUrlErrorHttpsRequired": "Bulut dağıtımlarında HTTPS gereklidir",
+    "httpDestUrlErrorInvalid": "Geçerli bir URL girin (örn. https://example.com/webhook)",
+    "httpDestAuthTitle": "Kimlik Doğrulama",
+    "httpDestAuthDescription": "Uç noktanıza yapılan isteklerin nasıl kimlik doğrulandığını seçin.",
+    "httpDestAuthNoneTitle": "Kimlik Doğrulama Yok",
+    "httpDestAuthNoneDescription": "Yetkilendirme başlığı olmadan istekler gönderir.",
+    "httpDestAuthBearerTitle": "Taşıyıcı Jetonu",
+    "httpDestAuthBearerDescription": "Her isteğe bir Yetkilendirme: Taşıyıcı <token> başlığı ekler.",
+    "httpDestAuthBearerPlaceholder": "API anahtarınız veya jetonunuz",
+    "httpDestAuthBasicTitle": "Temel Kimlik Doğrulama",
+    "httpDestAuthBasicDescription": "Authorization: Temel <belirtecikler> başlığı ekler. Yetkilendirmeleri kullanıcı adı:şifre olarak sağlayın.",
+    "httpDestAuthBasicPlaceholder": "kullanıcı adı:şifre",
+    "httpDestAuthCustomTitle": "Özel Başlık",
+    "httpDestAuthCustomDescription": "Kimlik doğrulama için özel bir HTTP başlık adı ve değer belirtin (örn. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Başlık adı (örn. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Başlık değeri",
+    "httpDestCustomHeadersTitle": "Özel HTTP Başlıkları",
+    "httpDestCustomHeadersDescription": "Her giden isteğe özel başlıklar ekleyin. Statik jetonlar veya özel bir İçerik Türü için kullanışlıdır. Varsayılan olarak İçerik Türü: application/json gönderilir.",
+    "httpDestNoHeadersConfigured": "Özel başlık yapılandırılmamış. Bir tane eklemek için \"Başlık Ekle\"ye tıklayın.",
+    "httpDestHeaderNamePlaceholder": "Başlık adı",
+    "httpDestHeaderValuePlaceholder": "Değer",
+    "httpDestAddHeader": "Başlık Ekle",
+    "httpDestBodyTemplateTitle": "Özel Gövde Şablonu",
+    "httpDestBodyTemplateDescription": "Uç noktanıza gönderilen JSON yük yapısını kontrol edin. Devre dışı bırakılırsa, her olay için varsayılan bir JSON nesnesi gönderilir.",
+    "httpDestEnableBodyTemplate": "Özel gövde şablonunu etkinleştir",
+    "httpDestBodyTemplateLabel": "Gövde Şablonu (JSON)",
+    "httpDestBodyTemplateHint": "Yükünüzdeki olay alanlarına atıfta bulunmak için şablon değişkenlerini kullanın.",
+    "httpDestPayloadFormatTitle": "Yük Formatı",
+    "httpDestPayloadFormatDescription": "Her bir istek gövdesine olayların nasıl serileştirildiği.",
+    "httpDestFormatJsonArrayTitle": "JSON Dizisi",
+    "httpDestFormatJsonArrayDescription": "Her bir toplu işte bir istek, gövde bir JSON dizisidir. Çoğu genel webhook ve Datadog ile uyumludur.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Her bir toplu işte bir istek, gövde satırlarla ayrılmış JSON'dur - her satıra bir nesne, dış dizi yoktur. Splunk HEC, Elastic / OpenSearch ve Grafana Loki tarafından gereklidir.",
+    "httpDestFormatSingleTitle": "Her İstek Başına Bir Olay",
+    "httpDestFormatSingleDescription": "Her olay için ayrı bir HTTP POST gönderir. Toplu işlere yetkemeyen uç noktalar için kullanın.",
+    "httpDestLogTypesTitle": "Kayıt Türleri",
+    "httpDestLogTypesDescription": "Bu hedefe hangi kayıt türlerinin iletileceğini seçin. Yalnızca etkin kayıt türleri yayınlanacaktır.",
+    "httpDestAccessLogsTitle": "Erişim Kayıtları",
+    "httpDestAccessLogsDescription": "Kimlik doğrulanmış ve reddedilen talepler dahil kaynak erişim denemeleri.",
+    "httpDestActionLogsTitle": "Eylem Kayıtları",
+    "httpDestActionLogsDescription": "Kullanıcılar tarafından organizasyon içerisinde yapılan yönetici eylemleri.",
+    "httpDestConnectionLogsTitle": "Bağlantı Kayıtları",
+    "httpDestConnectionLogsDescription": "Site ve tünel bağlantı olayları, bağlantılar ve bağlantı kesilmeleri dahil.",
+    "httpDestRequestLogsTitle": "İstek Kayıtları",
+    "httpDestRequestLogsDescription": "Yönlendirilmiş kaynaklar için HTTP istek kayıtları, yöntem, yol ve yanıt kodu dahil.",
+    "httpDestSaveChanges": "Değişiklikleri Kaydet",
+    "httpDestCreateDestination": "Hedef Oluştur",
+    "httpDestUpdatedSuccess": "Hedef başarıyla güncellendi",
+    "httpDestCreatedSuccess": "Hedef başarıyla oluşturuldu",
+    "httpDestUpdateFailed": "Hedef güncellenemedi",
+    "httpDestCreateFailed": "Hedef oluşturulamadı"
 }

From ff64a790140f4bb25e2d24567af358139d0d5da8 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:04 -0700
Subject: [PATCH 121/122] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index f297d1ea9..07ffe4d5b 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -148,6 +148,11 @@
     "createLink": "创建链接",
     "resourcesNotFound": "找不到资源",
     "resourceSearch": "搜索资源",
+    "machineSearch": "搜索机",
+    "machinesSearch": "搜索机器客户端...",
+    "machineNotFound": "未找到任何机",
+    "userDeviceSearch": "搜索用户设备",
+    "userDevicesSearch": "搜索用户设备...",
     "openMenu": "打开菜单",
     "resource": "资源",
     "title": "标题",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "删除 API 密钥",
     "apiKeysManage": "管理 API 密钥",
     "apiKeysDescription": "API 密钥用于认证集成 API",
+    "provisioningKeysTitle": "置备密钥",
+    "provisioningKeysManage": "管理置备键",
+    "provisioningKeysDescription": "置备密钥用于验证您组织的自动站点配置。",
+    "provisioningManage": "置备中",
+    "provisioningDescription": "管理预配键和审查等待批准的站点。",
+    "pendingSites": "待定站点",
+    "siteApproveSuccess": "站点批准成功",
+    "siteApproveError": "批准站点出错",
+    "provisioningKeys": "置备键",
+    "searchProvisioningKeys": "搜索配备密钥...",
+    "provisioningKeysAdd": "生成置备键",
+    "provisioningKeysErrorDelete": "删除预配键时出错",
+    "provisioningKeysErrorDeleteMessage": "删除预配键时出错",
+    "provisioningKeysQuestionRemove": "您确定要从组织中删除此预配键吗？",
+    "provisioningKeysMessageRemove": "一旦移除，密钥不能再用于站点预配。",
+    "provisioningKeysDeleteConfirm": "确认删除置备键",
+    "provisioningKeysDelete": "删除置备键",
+    "provisioningKeysCreate": "生成置备键",
+    "provisioningKeysCreateDescription": "为组织生成一个新的预置密钥",
+    "provisioningKeysSeeAll": "查看所有预配键",
+    "provisioningKeysSave": "保存预配键",
+    "provisioningKeysSaveDescription": "您只能看到一次。复制它到一个安全的地方。",
+    "provisioningKeysErrorCreate": "创建预配键时出错",
+    "provisioningKeysList": "新建预配键",
+    "provisioningKeysMaxBatchSize": "最大批量大小",
+    "provisioningKeysUnlimitedBatchSize": "无限批量大小(无限制)",
+    "provisioningKeysMaxBatchUnlimited": "无限制",
+    "provisioningKeysMaxBatchSizeInvalid": "输入一个有效的最大批处理大小(1-1,000,000)。",
+    "provisioningKeysValidUntil": "有效期至",
+    "provisioningKeysValidUntilHint": "留空为无过期。",
+    "provisioningKeysValidUntilInvalid": "输入一个有效的日期和时间。",
+    "provisioningKeysNumUsed": "使用的时间",
+    "provisioningKeysLastUsed": "上次使用",
+    "provisioningKeysNoExpiry": "没有过期",
+    "provisioningKeysNeverUsed": "永不过期",
+    "provisioningKeysEdit": "编辑置备键",
+    "provisioningKeysEditDescription": "更新此密钥的最大批量大小和过期时间。",
+    "provisioningKeysApproveNewSites": "批准新站点",
+    "provisioningKeysApproveNewSitesDescription": "自动批准使用此密钥注册的站点。",
+    "provisioningKeysUpdateError": "更新预配键时出错",
+    "provisioningKeysUpdated": "置备密钥已更新",
+    "provisioningKeysUpdatedDescription": "您的更改已保存。",
+    "provisioningKeysBannerTitle": "站点置备密钥",
+    "provisioningKeysBannerDescription": "生成一个预配键并使用它来在首次启动时自动创建站点——无需为每个站点设置单独的凭证。",
+    "provisioningKeysBannerButtonText": "了解更多",
+    "pendingSitesBannerTitle": "待定站点",
+    "pendingSitesBannerDescription": "使用预配键连接的站点会出现在这里供审核。在站点开始运行之前批准并获取对您资源的访问权限。",
+    "pendingSitesBannerButtonText": "了解更多",
     "apiKeysSettings": "{apiKeyName} 设置",
     "userTitle": "管理所有用户",
     "userDescription": "查看和管理系统中的所有用户",
@@ -509,9 +562,12 @@
     "userSaved": "用户已保存",
     "userSavedDescription": "用户已更新。",
     "autoProvisioned": "自动设置",
+    "autoProvisionSettings": "自动提供设置",
     "autoProvisionedDescription": "允许此用户由身份提供商自动管理",
     "accessControlsDescription": "管理此用户在组织中可以访问和做什么",
     "accessControlsSubmit": "保存访问控制",
+    "singleRolePerUserPlanNotice": "您的计划仅支持每个用户一个角色。",
+    "singleRolePerUserEditionNotice": "此版本仅支持每个用户一个角色。",
     "roles": "角色",
     "accessUsersRoles": "管理用户和角色",
     "accessUsersRolesDescription": "邀请用户加入角色来管理访问组织",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "从服务器控制台输入设置令牌。",
     "setupTokenRequired": "需要设置令牌",
     "actionUpdateSite": "更新站点",
+    "actionResetSiteBandwidth": "重置组织带宽",
     "actionListSiteRoles": "允许站点角色列表",
     "actionCreateResource": "创建资源",
     "actionDeleteResource": "删除资源",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "删除用户",
     "actionListUsers": "列出用户",
     "actionAddUserRole": "添加用户角色",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "设置用户角色",
     "actionGenerateAccessToken": "生成访问令牌",
     "actionDeleteAccessToken": "删除访问令牌",
     "actionListAccessTokens": "访问令牌",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "角色",
     "sidebarShareableLinks": "链接",
     "sidebarApiKeys": "API密钥",
+    "sidebarProvisioning": "置备中",
     "sidebarSettings": "设置",
     "sidebarAllUsers": "所有用户",
     "sidebarIdentityProviders": "身份提供商",
@@ -1890,6 +1948,40 @@
     "exitNode": "出口节点",
     "country": "国家",
     "rulesMatchCountry": "当前基于源 IP",
+    "region": "地区",
+    "selectRegion": "选择区域",
+    "searchRegions": "搜索区域...",
+    "noRegionFound": "未找到区域。",
+    "rulesMatchRegion": "选择一个区域国家组",
+    "rulesErrorInvalidRegion": "无效区域",
+    "rulesErrorInvalidRegionDescription": "请选择一个有效的区域。",
+    "regionAfrica": "非洲",
+    "regionNorthernAfrica": "B. 北非地区",
+    "regionEasternAfrica": "东部非洲",
+    "regionMiddleAfrica": "中东",
+    "regionSouthernAfrica": "D. 南 非",
+    "regionWesternAfrica": "D. 西部非洲",
+    "regionAmericas": "Americas",
+    "regionCaribbean": "加勒比",
+    "regionCentralAmerica": "中美洲：",
+    "regionSouthAmerica": "南 非",
+    "regionNorthernAmerica": "北美洲：",
+    "regionAsia": "亚洲",
+    "regionCentralAsia": "B. 亚 洲",
+    "regionEasternAsia": "东亚",
+    "regionSouthEasternAsia": "D. 东南亚区域",
+    "regionSouthernAsia": "D. 亚 洲",
+    "regionWesternAsia": "西亚",
+    "regionEurope": "欧洲",
+    "regionEasternEurope": "D. 欧 洲",
+    "regionNorthernEurope": "北欧洲",
+    "regionSouthernEurope": "南欧洲",
+    "regionWesternEurope": "西欧洲",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "澳大利亚和新西兰",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "托管自托管",
         "description": "更可靠和低维护自我托管的 Pangolin 服务器，带有额外的铃声和告密器",
@@ -1938,6 +2030,25 @@
     "invalidValue": "无效的值",
     "idpTypeLabel": "身份提供者类型",
     "roleMappingExpressionPlaceholder": "例如: contains(group, 'admin' &'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "固定角色",
+    "roleMappingModeMappingBuilder": "映射构建器",
+    "roleMappingModeRawExpression": "原始表达式",
+    "roleMappingFixedRolesPlaceholderSelect": "选择一个或多个角色",
+    "roleMappingFixedRolesPlaceholderFreeform": "输入角色名称 (每个组织确切匹配)",
+    "roleMappingFixedRolesDescriptionSameForAll": "将相同的角色分配给每个自动配备的用户。",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "对于缺省策略，每个提供用户的组织中存在的角色名称类型。名称必须完全匹配。",
+    "roleMappingClaimPath": "认领路径",
+    "roleMappingClaimPathPlaceholder": "组",
+    "roleMappingClaimPathDescription": "包含源值的 token 有效负载路径 (例如组)。",
+    "roleMappingMatchValue": "匹配值",
+    "roleMappingAssignRoles": "分配角色",
+    "roleMappingAddMappingRule": "添加映射规则",
+    "roleMappingRawExpressionResultDescription": "表达式必须值为字符串或字符串。",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "表达式必须计算到字符串(单个角色名称)。",
+    "roleMappingMatchValuePlaceholder": "匹配值(例如: 管理员)",
+    "roleMappingAssignRolesPlaceholderFreeform": "输入角色名称 (每个组织确切)",
+    "roleMappingBuilderFreeformRowHint": "角色名称必须匹配每个目标组织的角色。",
+    "roleMappingRemoveRule": "删除",
     "idpGoogleConfiguration": "Google 配置",
     "idpGoogleConfigurationDescription": "配置 Google OAuth2 凭据",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "保留访问日志的时间",
     "logRetentionActionLabel": "动作日志保留",
     "logRetentionActionDescription": "保留操作日志的时间",
+    "logRetentionConnectionLabel": "连接日志保留",
+    "logRetentionConnectionDescription": "保留连接日志的时间",
     "logRetentionDisabled": "已禁用",
     "logRetention3Days": "3 天",
     "logRetention7Days": "7 天",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "下一年结束",
     "actionLogsDescription": "查看此机构执行的操作历史",
     "accessLogsDescription": "查看此机构资源的访问认证请求",
+    "connectionLogs": "连接日志",
+    "connectionLogsDescription": "查看此机构隧道的连接日志",
+    "sidebarLogsConnection": "连接日志",
+    "sidebarLogsStreaming": "流流",
+    "sourceAddress": "源地址",
+    "destinationAddress": "目的地址",
+    "duration": "期限",
     "licenseRequiredToUse": "使用此功能需要<enterpriseLicenseLink>企业版</enterpriseLicenseLink>许可证或<pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>。<bookADemoLink>预约演示或POC试用</bookADemoLink>。",
     "ossEnterpriseEditionRequired": "需要 <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 才能使用此功能。 此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>上获取。 <bookADemoLink>预订演示或POC 试用</bookADemoLink>。",
     "certResolver": "证书解决器",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
     "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
     "approvalsEmptyStateButtonText": "管理角色",
-    "domainErrorTitle": "我们在验证您的域名时遇到了问题"
+    "domainErrorTitle": "我们在验证您的域名时遇到了问题",
+    "idpAdminAutoProvisionPoliciesTabHint": "在 <policiesTabLink>自动供应设置</policiesTabLink> 选项卡上配置角色映射和组织策略。",
+    "streamingTitle": "事件流",
+    "streamingDescription": "实时将事件从您的组织流到外部目的地。",
+    "streamingUnnamedDestination": "未命名目标",
+    "streamingNoUrlConfigured": "未配置URL",
+    "streamingAddDestination": "添加目标",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "将事件发送到任意HTTP端点并灵活验证和模板。",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "将事件串流到 S3 兼容的对象存储桶。即将推出。",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "直接转发事件到您的Datadog 帐户。即将推出。",
+    "streamingTypePickerDescription": "选择要开始的目标类型。",
+    "streamingFailedToLoad": "加载目的地失败",
+    "streamingUnexpectedError": "发生意外错误.",
+    "streamingFailedToUpdate": "更新目标失败",
+    "streamingDeletedSuccess": "目标删除成功",
+    "streamingFailedToDelete": "删除目标失败",
+    "streamingDeleteTitle": "删除目标",
+    "streamingDeleteButtonText": "删除目标",
+    "streamingDeleteDialogAreYouSure": "您确定要删除吗？",
+    "streamingDeleteDialogThisDestination": "这个目标",
+    "streamingDeleteDialogPermanentlyRemoved": "? 所有配置将被永久删除。",
+    "httpDestEditTitle": "编辑目标",
+    "httpDestAddTitle": "添加 HTTP 目标",
+    "httpDestEditDescription": "更新此 HTTP 事件流媒体目的地的配置。",
+    "httpDestAddDescription": "配置新的 HTTP 端点来接收您的组织事件。",
+    "httpDestTabSettings": "设置",
+    "httpDestTabHeaders": "信头",
+    "httpDestTabBody": "正文内容",
+    "httpDestTabLogs": "日志",
+    "httpDestNamePlaceholder": "我的 HTTP 目标",
+    "httpDestUrlLabel": "目标网址",
+    "httpDestUrlErrorHttpRequired": "URL 必须使用 http 或 https",
+    "httpDestUrlErrorHttpsRequired": "云端部署需要HTTPS",
+    "httpDestUrlErrorInvalid": "输入一个有效的 URL (例如，https://example.com/webhook)",
+    "httpDestAuthTitle": "认证",
+    "httpDestAuthDescription": "选择如何验证您的端点的请求。",
+    "httpDestAuthNoneTitle": "无身份验证",
+    "httpDestAuthNoneDescription": "在没有授权头的情况下发送请求。",
+    "httpDestAuthBearerTitle": "持有者令牌",
+    "httpDestAuthBearerDescription": "添加授权：每个请求的标题为 <token>。",
+    "httpDestAuthBearerPlaceholder": "您的 API 密钥或令牌",
+    "httpDestAuthBasicTitle": "基本认证",
+    "httpDestAuthBasicDescription": "添加授权：基本 <credentials> 头。提供用户名：密码的凭据。",
+    "httpDestAuthBasicPlaceholder": "用户名:密码",
+    "httpDestAuthCustomTitle": "自定义标题",
+    "httpDestAuthCustomDescription": "指定自定义 HTTP 头名称和身份验证值 (例如，X-API 键)。",
+    "httpDestAuthCustomHeaderNamePlaceholder": "标题名称(例如X-API-键)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "页眉值",
+    "httpDestCustomHeadersTitle": "自定义 HTTP 头",
+    "httpDestCustomHeadersDescription": "向每个输出请求添加自定义标题。用于静态令牌或自定义内容类型。默认情况下，内容类型：应用程序/json已发送。",
+    "httpDestNoHeadersConfigured": "未配置自定义头。单击\"添加头\"以添加一个。",
+    "httpDestHeaderNamePlaceholder": "标题名称",
+    "httpDestHeaderValuePlaceholder": "值",
+    "httpDestAddHeader": "添加标题",
+    "httpDestBodyTemplateTitle": "自定义实体模板",
+    "httpDestBodyTemplateDescription": "控制发送到您的端点的 JSON 有效载荷结构。如果禁用，将为每个事件发送一个 JSON 默认对象。",
+    "httpDestEnableBodyTemplate": "启用自定义实体模板",
+    "httpDestBodyTemplateLabel": "身体模板 (JSON)",
+    "httpDestBodyTemplateHint": "将模板变量用于您有效载荷中的参考事件字段。",
+    "httpDestPayloadFormatTitle": "有效载荷格式",
+    "httpDestPayloadFormatDescription": "事件如何序列化为每个请求实体。",
+    "httpDestFormatJsonArrayTitle": "JSON 数组",
+    "httpDestFormatJsonArrayDescription": "每批一个请求，实体是一个 JSON 数组。与大多数通用的 Web 钩子和数据兼容。",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "每批有一个请求，物体是换行符限制的 JSON ——每行一个对象，不是外部数组。 Sluk HEC、Elastic / OpenSearch和Grafana Loki所需。",
+    "httpDestFormatSingleTitle": "每个请求一个事件",
+    "httpDestFormatSingleDescription": "为每个事件单独发送一个 HTTP POST。仅用于无法处理批量的端点。",
+    "httpDestLogTypesTitle": "日志类型",
+    "httpDestLogTypesDescription": "选择转发到此目的地的日志类型。只有启用的日志类型才会被连续使用。",
+    "httpDestAccessLogsTitle": "访问日志",
+    "httpDestAccessLogsDescription": "资源访问尝试，包括已验证和拒绝的请求。",
+    "httpDestActionLogsTitle": "操作日志",
+    "httpDestActionLogsDescription": "组织内部用户采取的行政行动。",
+    "httpDestConnectionLogsTitle": "连接日志",
+    "httpDestConnectionLogsDescription": "站点和隧道连接事件，包括连接和断开连接。",
+    "httpDestRequestLogsTitle": "请求日志",
+    "httpDestRequestLogsDescription": "HTTP 请求代理资源日志，包括方法、路径和响应代码。",
+    "httpDestSaveChanges": "保存更改",
+    "httpDestCreateDestination": "创建目标",
+    "httpDestUpdatedSuccess": "目标已成功更新",
+    "httpDestCreatedSuccess": "目标创建成功",
+    "httpDestUpdateFailed": "更新目标失败",
+    "httpDestCreateFailed": "创建目标失败"
 }

From 1d2f1405aacf799cdbfd54cb6f13bbfd109a2683 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Tue, 31 Mar 2026 15:20:05 -0700
Subject: [PATCH 122/122] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 209 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 207 insertions(+), 2 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 50ec9a717..751f15081 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -148,6 +148,11 @@
     "createLink": "Opprett lenke",
     "resourcesNotFound": "Ingen ressurser funnet",
     "resourceSearch": "Søk i ressurser",
+    "machineSearch": "Søk etter maskiner",
+    "machinesSearch": "Søk etter maskinklienter...",
+    "machineNotFound": "Ingen maskiner funnet",
+    "userDeviceSearch": "Søk etter brukerenheter",
+    "userDevicesSearch": "Søk etter brukerenheter...",
     "openMenu": "Åpne meny",
     "resource": "Ressurs",
     "title": "Tittel",
@@ -323,6 +328,54 @@
     "apiKeysDelete": "Slett API-nøkkel",
     "apiKeysManage": "Administrer API-nøkler",
     "apiKeysDescription": "API-nøkler brukes for å autentisere med integrasjons-API",
+    "provisioningKeysTitle": "Foreløpig nøkkel",
+    "provisioningKeysManage": "Behandle bestemmende nøkler",
+    "provisioningKeysDescription": "Bestemmelsesnøkler brukes til å godkjenne automatisert nettstedsløsning for din organisasjon.",
+    "provisioningManage": "Levering",
+    "provisioningDescription": "Administrer foreløpig nøkler og gjennomgå ventende nettsteder som venter på godkjenning.",
+    "pendingSites": "Ventende nettsteder",
+    "siteApproveSuccess": "Vellykket godkjenning av nettsted",
+    "siteApproveError": "Feil ved godkjenning av side",
+    "provisioningKeys": "Foreløpig nøkler",
+    "searchProvisioningKeys": "Søk varer i lagrings nøkler...",
+    "provisioningKeysAdd": "Generer fremvisende nøkkel",
+    "provisioningKeysErrorDelete": "Feil under sletting av foreløpig nøkkel",
+    "provisioningKeysErrorDeleteMessage": "Feil under sletting av foreløpig nøkkel",
+    "provisioningKeysQuestionRemove": "Er du sikker på at du vil fjerne denne midlertidig nøkkelen fra organisasjonen?",
+    "provisioningKeysMessageRemove": "Når nøkkelen er fjernet, kan den ikke lenger brukes til anleggsavsetning.",
+    "provisioningKeysDeleteConfirm": "Bekreft sletting av bestemmelsesnøkkel",
+    "provisioningKeysDelete": "Slett bestemmelsesnøkkel",
+    "provisioningKeysCreate": "Generer fremvisende nøkkel",
+    "provisioningKeysCreateDescription": "Generer en ny foreløpig nøkkel til organisasjonen",
+    "provisioningKeysSeeAll": "Se alle foreløpig nøkler",
+    "provisioningKeysSave": "Lagre den midlertidig nøkkelen",
+    "provisioningKeysSaveDescription": "Du kan bare se denne én gang. Kopier det til et sikkert sted.",
+    "provisioningKeysErrorCreate": "Feil under oppretting av foreløpig nøkkel",
+    "provisioningKeysList": "Ny provisorisk nøkkel",
+    "provisioningKeysMaxBatchSize": "Maks størrelse på bunt",
+    "provisioningKeysUnlimitedBatchSize": "Ubegrenset mengde bunt (ingen begrensning)",
+    "provisioningKeysMaxBatchUnlimited": "Ubegrenset",
+    "provisioningKeysMaxBatchSizeInvalid": "Angi en gyldig sjakkstørrelse (1–1 000.000).",
+    "provisioningKeysValidUntil": "Gyldig til",
+    "provisioningKeysValidUntilHint": "La stå tomt for ingen utløp.",
+    "provisioningKeysValidUntilInvalid": "Angi en gyldig dato og klokkeslett.",
+    "provisioningKeysNumUsed": "Antall ganger brukt",
+    "provisioningKeysLastUsed": "Sist brukt",
+    "provisioningKeysNoExpiry": "Ingen utløpsdato",
+    "provisioningKeysNeverUsed": "Aldri",
+    "provisioningKeysEdit": "Rediger bestemmelsesnøkkel",
+    "provisioningKeysEditDescription": "Oppdater maksimal størrelse for bunt og utløpstid for denne nøkkelen.",
+    "provisioningKeysApproveNewSites": "Godkjenn nye nettsteder",
+    "provisioningKeysApproveNewSitesDescription": "Godkjenn automatisk nettsteder som registrerer deg med denne nøkkelen.",
+    "provisioningKeysUpdateError": "Feil under oppdatering av foreløpig nøkkel",
+    "provisioningKeysUpdated": "Foreslå nøkkel oppdatert",
+    "provisioningKeysUpdatedDescription": "Dine endringer er lagret.",
+    "provisioningKeysBannerTitle": "Sidens bestemmende nøkler",
+    "provisioningKeysBannerDescription": "Generer en foreløpig nøkkel og bruk den med Nyhetskontakten for å automatisk opprette sider ved første oppstart — trenger ikke å sette opp separat innloggingsinformasjon for hver side.",
+    "provisioningKeysBannerButtonText": "Lær mer",
+    "pendingSitesBannerTitle": "Ventende nettsteder",
+    "pendingSitesBannerDescription": "Nettsteder som kobler deg til ved hjelp av en bestemmelsestekst, vises her for gjennomgang. Godkjenn hvert nettsted før det blir aktivt og får tilgang til ressursene dine.",
+    "pendingSitesBannerButtonText": "Lær mer",
     "apiKeysSettings": "{apiKeyName} Innstillinger",
     "userTitle": "Administrer alle brukere",
     "userDescription": "Vis og administrer alle brukere i systemet",
@@ -509,9 +562,12 @@
     "userSaved": "Bruker lagret",
     "userSavedDescription": "Brukeren har blitt oppdatert.",
     "autoProvisioned": "Auto avlyst",
+    "autoProvisionSettings": "Auto leveringsinnstillinger",
     "autoProvisionedDescription": "Tillat denne brukeren å bli automatisk administrert av en identitetsleverandør",
     "accessControlsDescription": "Administrer hva denne brukeren kan få tilgang til og gjøre i organisasjonen",
     "accessControlsSubmit": "Lagre tilgangskontroller",
+    "singleRolePerUserPlanNotice": "Din plan støtter bare én rolle per bruker.",
+    "singleRolePerUserEditionNotice": "Denne utgaven støtter bare én rolle per bruker.",
     "roles": "Roller",
     "accessUsersRoles": "Administrer brukere og roller",
     "accessUsersRolesDescription": "Inviter brukere og legg dem til roller for å administrere tilgang til organisasjonen",
@@ -1119,6 +1175,7 @@
     "setupTokenDescription": "Skriv inn oppsetttoken fra serverkonsollen.",
     "setupTokenRequired": "Oppsetttoken er nødvendig",
     "actionUpdateSite": "Oppdater område",
+    "actionResetSiteBandwidth": "Tilbakestill organisasjons-båndbredde",
     "actionListSiteRoles": "List opp tillatte områderoller",
     "actionCreateResource": "Opprett ressurs",
     "actionDeleteResource": "Slett ressurs",
@@ -1148,7 +1205,7 @@
     "actionRemoveUser": "Fjern bruker",
     "actionListUsers": "List opp brukere",
     "actionAddUserRole": "Legg til brukerrolle",
-    "actionSetUserOrgRoles": "Set User Roles",
+    "actionSetUserOrgRoles": "Angi brukerroller",
     "actionGenerateAccessToken": "Generer tilgangstoken",
     "actionDeleteAccessToken": "Slett tilgangstoken",
     "actionListAccessTokens": "List opp tilgangstokener",
@@ -1265,6 +1322,7 @@
     "sidebarRoles": "Roller",
     "sidebarShareableLinks": "Lenker",
     "sidebarApiKeys": "API-nøkler",
+    "sidebarProvisioning": "Levering",
     "sidebarSettings": "Innstillinger",
     "sidebarAllUsers": "Alle brukere",
     "sidebarIdentityProviders": "Identitetsleverandører",
@@ -1890,6 +1948,40 @@
     "exitNode": "Utgangsnode",
     "country": "Land",
     "rulesMatchCountry": "For tiden basert på kilde IP",
+    "region": "Fylke",
+    "selectRegion": "Velg region",
+    "searchRegions": "Søk etter områder...",
+    "noRegionFound": "Ingen region funnet.",
+    "rulesMatchRegion": "Velg en regional gruppering av land",
+    "rulesErrorInvalidRegion": "Ugyldig område",
+    "rulesErrorInvalidRegionDescription": "Vennligst velg et gyldig område.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "[country name] Nord-Afrika",
+    "regionEasternAfrica": "Øst-Afrika",
+    "regionMiddleAfrica": "Middle Africa",
+    "regionSouthernAfrica": "Sør-Afrika",
+    "regionWesternAfrica": "[country name] Vest-Afrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karibia",
+    "regionCentralAmerica": "Sentral-Amerika",
+    "regionSouthAmerica": "Sør-Amerika",
+    "regionNorthernAmerica": "Nord-Amerika",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Sentral-Asia",
+    "regionEasternAsia": "Øst-Asia",
+    "regionSouthEasternAsia": "Sørøst-Asia",
+    "regionSouthernAsia": "Sørlige Asia",
+    "regionWesternAsia": "Vest-Asia",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Øst-Europa",
+    "regionNorthernEurope": "Nord-Europa",
+    "regionSouthernEurope": "Sørlige Europa",
+    "regionWesternEurope": "Vest-Europa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia og New Zealand",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
     "managedSelfHosted": {
         "title": "Administrert selv-hostet",
         "description": "Sikre og lavvedlikeholdsservere, selvbetjente Pangolin med ekstra klokker, og understell",
@@ -1938,6 +2030,25 @@
     "invalidValue": "Ugyldig verdi",
     "idpTypeLabel": "Identitet leverandør type",
     "roleMappingExpressionPlaceholder": "F.eks. inneholder(grupper, 'admin') && 'Admin' ⋅'Medlem'",
+    "roleMappingModeFixedRoles": "Fast roller",
+    "roleMappingModeMappingBuilder": "Kartlegger bygger",
+    "roleMappingModeRawExpression": "Rå uttrykk",
+    "roleMappingFixedRolesPlaceholderSelect": "Velg en eller flere roller",
+    "roleMappingFixedRolesPlaceholderFreeform": "Skriv inn rollenavn (eksakt treff per organisasjon)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Tilordne den samme rollen som er satt til hver automatisk midlertidig bruker.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "For standard policyer, type rollenavn som eksisterer i hver organisasjon der brukerne tilbys. Navn må stemmer nøyaktig.",
+    "roleMappingClaimPath": "Krev sti",
+    "roleMappingClaimPathPlaceholder": "grupper",
+    "roleMappingClaimPathDescription": "Sti i i token nyttelast som inneholder kildeverdier (for eksempel grupper).",
+    "roleMappingMatchValue": "Treff verdi",
+    "roleMappingAssignRoles": "Tilordne roller",
+    "roleMappingAddMappingRule": "Legg til tilordningsregel",
+    "roleMappingRawExpressionResultDescription": "Uttrykk skal vurderes til en streng eller en tekststreng.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Uttrykk må evaluere til en streng (en rollenavn).",
+    "roleMappingMatchValuePlaceholder": "Match verdi (for eksempel: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Angi rollenavn (eksakt per org)",
+    "roleMappingBuilderFreeformRowHint": "Rollenavn må samsvare med en rolle i hver målorganisasjon.",
+    "roleMappingRemoveRule": "Fjern",
     "idpGoogleConfiguration": "Google Konfigurasjon",
     "idpGoogleConfigurationDescription": "Konfigurer Google OAuth2 legitimasjonen",
     "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2334,6 +2445,8 @@
     "logRetentionAccessDescription": "Hvor lenge du vil beholde adgangslogger",
     "logRetentionActionLabel": "Handlings logg nytt",
     "logRetentionActionDescription": "Hvor lenge handlingen skal lagres",
+    "logRetentionConnectionLabel": "Logg nyhet",
+    "logRetentionConnectionDescription": "Hvor lenge du vil beholde tilkoblingslogger",
     "logRetentionDisabled": "Deaktivert",
     "logRetention3Days": "3 dager",
     "logRetention7Days": "7 dager",
@@ -2344,6 +2457,13 @@
     "logRetentionEndOfFollowingYear": "Slutt på neste år",
     "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
     "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
+    "connectionLogs": "Loggfiler for tilkobling",
+    "connectionLogsDescription": "Vis tilkoblingslogger for tunneler i denne organisasjonen",
+    "sidebarLogsConnection": "Loggfiler for tilkobling",
+    "sidebarLogsStreaming": "Strømming",
+    "sourceAddress": "Kilde adresse",
+    "destinationAddress": "Måladresse (Automatic Translation)",
+    "duration": "Varighet",
     "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens eller <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> er påkrevd for å bruke denne funksjonen. <bookADemoLink>Bestill en demo eller POC prøveversjon</bookADemoLink>.",
     "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Bestill en demo eller POC studie</bookADemoLink>.",
     "certResolver": "Sertifikat løser",
@@ -2683,5 +2803,90 @@
     "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
     "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
     "approvalsEmptyStateButtonText": "Administrer Roller",
-    "domainErrorTitle": "Vi har problemer med å verifisere domenet ditt"
+    "domainErrorTitle": "Vi har problemer med å verifisere domenet ditt",
+    "idpAdminAutoProvisionPoliciesTabHint": "Konfigurer rollegartlegging og organisasjonspolicyer på <policiesTabLink>Auto leveringsinnstillinger</policiesTabLink> fanen.",
+    "streamingTitle": "Hendelse Strømming",
+    "streamingDescription": "Stream hendelser fra din organisasjon til eksterne destinasjoner i sanntid.",
+    "streamingUnnamedDestination": "Plassering uten navn",
+    "streamingNoUrlConfigured": "Ingen URL konfigurert",
+    "streamingAddDestination": "Legg til mål",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Send hendelser til alle HTTP-endepunkter med fleksibel autentisering og maling.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Strøm hendelser til en S3-kompatibel objektlagringskjøt. Kommer snart.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Videresend arrangementer direkte til din Datadog-konto. Kommer snart.",
+    "streamingTypePickerDescription": "Velg en måltype for å komme i gang.",
+    "streamingFailedToLoad": "Kan ikke laste inn destinasjoner",
+    "streamingUnexpectedError": "En uventet feil oppstod.",
+    "streamingFailedToUpdate": "Kunne ikke oppdatere destinasjon",
+    "streamingDeletedSuccess": "Målet ble slettet",
+    "streamingFailedToDelete": "Kunne ikke slette destinasjon",
+    "streamingDeleteTitle": "Slett mål",
+    "streamingDeleteButtonText": "Slett mål",
+    "streamingDeleteDialogAreYouSure": "Er du sikker på at du vil slette",
+    "streamingDeleteDialogThisDestination": "denne destinasjonen",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle konfigurasjoner vil bli slettet permanent.",
+    "httpDestEditTitle": "Rediger mål",
+    "httpDestAddTitle": "Legg til HTTP-destinasjon",
+    "httpDestEditDescription": "Oppdater konfigurasjonen for denne HTTP-hendelsesstrømmedestinasjonen.",
+    "httpDestAddDescription": "Konfigurer et nytt HTTP endepunkt for å motta organisasjonens hendelser.",
+    "httpDestTabSettings": "Innstillinger",
+    "httpDestTabHeaders": "Overskrifter",
+    "httpDestTabBody": "Innhold",
+    "httpDestTabLogs": "Logger",
+    "httpDestNamePlaceholder": "Min HTTP destinasjon",
+    "httpDestUrlLabel": "Destinasjons URL",
+    "httpDestUrlErrorHttpRequired": "URL-adressen må bruke httpp eller https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS er nødvendig for distribusjon av sky",
+    "httpDestUrlErrorInvalid": "Skriv inn en gyldig nettadresse (f.eks. https://eksempel.com/webhook)",
+    "httpDestAuthTitle": "Autentisering",
+    "httpDestAuthDescription": "Velg hvordan ønsker til sluttpunktet ditt er autentisert.",
+    "httpDestAuthNoneTitle": "Ingen godkjenning",
+    "httpDestAuthNoneDescription": "Sender forespørsler uten autorisasjonsoverskrift.",
+    "httpDestAuthBearerTitle": "Bærer Symbol",
+    "httpDestAuthBearerDescription": "Legger til en autorisasjon: Bearer <token> header til hver forespørsel.",
+    "httpDestAuthBearerPlaceholder": "Din API-nøkkel eller token",
+    "httpDestAuthBasicTitle": "Standard Auth",
+    "httpDestAuthBasicDescription": "Legger til en godkjenning: Grunnleggende <credentials> overskrift. Angi legitimasjon som brukernavn:passord.",
+    "httpDestAuthBasicPlaceholder": "brukernavn:passord",
+    "httpDestAuthCustomTitle": "Egendefinert topptekst",
+    "httpDestAuthCustomDescription": "Angi et egendefinert HTTP headers navn og verdi for autentisering (f.eks X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Topptekst navn (f.eks X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header verdi",
+    "httpDestCustomHeadersTitle": "Egendefinerte HTTP-overskrifter",
+    "httpDestCustomHeadersDescription": "Legg til egendefinerte overskrifter til hver utgående forespørsel. Nyttig for statisk tokens eller en egendefinert innholdstype. Som standard blir innholdstype: applikasjon/json sendt.",
+    "httpDestNoHeadersConfigured": "Ingen egendefinerte overskrifter konfigurert. Klikk \"Legg til topptekst\" for å legge til en.",
+    "httpDestHeaderNamePlaceholder": "Navn på topptekst",
+    "httpDestHeaderValuePlaceholder": "Verdi",
+    "httpDestAddHeader": "Legg til topptekst",
+    "httpDestBodyTemplateTitle": "Egendefinert hovedmal",
+    "httpDestBodyTemplateDescription": "Kontroller JSON nyttelaststrukturen sendt til ditt endepunkt. Hvis deaktivert, sendes et standard JSON-objekt for hver hendelse.",
+    "httpDestEnableBodyTemplate": "Aktiver egendefinert meldingsmal",
+    "httpDestBodyTemplateLabel": "Kroppsmal (JSON)",
+    "httpDestBodyTemplateHint": "Bruk designmal variabler for å referere til eventfelt i din betaling.",
+    "httpDestPayloadFormatTitle": "Mål format",
+    "httpDestPayloadFormatDescription": "Hvordan blir hendelser serialisert inn i hver forespørselsorgan.",
+    "httpDestFormatJsonArrayTitle": "JSON liste",
+    "httpDestFormatJsonArrayDescription": "Én forespørsel per batch, innholdet er en JSON-liste. Kompatibel med de mest generiske webhooks og Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Én forespørsel per sats, innholdet er nytt avgrenset JSON — et objekt per linje, ingen ytterarray. Kreves av Splunk HEC, Elastisk/OpenSearch, og Grafana Loki.",
+    "httpDestFormatSingleTitle": "En hendelse per forespørsel",
+    "httpDestFormatSingleDescription": "Sender en separat HTTP POST for hver enkelt hendelse. Bruk bare for endepunkter som ikke kan håndtere batcher.",
+    "httpDestLogTypesTitle": "Logg typer",
+    "httpDestLogTypesDescription": "Velg hvilke loggtyper som blir videresendt til dette målet. Bare aktiverte loggtyper vil bli strømmet.",
+    "httpDestAccessLogsTitle": "Tilgangslogger (Automatic Translation)",
+    "httpDestAccessLogsDescription": "Adgangsforsøk for ressurser, inkludert godkjente og nektet forespørsler.",
+    "httpDestActionLogsTitle": "Handlingslogger",
+    "httpDestActionLogsDescription": "Administrative tiltak som utføres av brukere innenfor organisasjonen.",
+    "httpDestConnectionLogsTitle": "Loggfiler for tilkobling",
+    "httpDestConnectionLogsDescription": "Utstyrs- og tunneltilkoblingshendelser, inkludert forbindelser og frakobling.",
+    "httpDestRequestLogsTitle": "Forespørselslogger (Automatic Translation)",
+    "httpDestRequestLogsDescription": "HTTP-forespørsel logger for bekreftede ressurser, inkludert metode, bane og responskode.",
+    "httpDestSaveChanges": "Lagre endringer",
+    "httpDestCreateDestination": "Opprett mål",
+    "httpDestUpdatedSuccess": "Målet er oppdatert",
+    "httpDestCreatedSuccess": "Målet er opprettet",
+    "httpDestUpdateFailed": "Kunne ikke oppdatere destinasjon",
+    "httpDestCreateFailed": "Kan ikke opprette mål"
 }