Merge branch 'dev'

Update and add server version
2026-02-18 10:56:38 +00:00 · 2025-12-08 15:16:12 -05:00 · 2025-12-08 15:16:05 -05:00 · 2025-12-08 15:15:42 -05:00 · 2025-12-08 14:12:46 -05:00 · 2025-12-08 11:10:36 -08:00
596 changed files with 54488 additions and 12673 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -17,6 +17,7 @@ on:
    push:
        tags:
            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+.rc.[0-9]+"

 concurrency:
  group: ${{ github.ref }}
@@ -30,15 +31,15 @@ jobs:
        timeout-minutes: 120
        env:
          # Target images
-          DOCKERHUB_IMAGE: docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.event.repository.name }}
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}

        steps:
            - name: Checkout code
-              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

            - name: Set up QEMU
-              uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+              uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -55,7 +56,7 @@ jobs:
              shell: bash

            - name: Install Go
-              uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
              with:
                  go-version: 1.24

@@ -98,7 +99,7 @@ jobs:
                  make go-build-release 

            - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
              with:
                  name: install-bin
                  path: install/bin/
@@ -110,13 +111,6 @@ jobs:
                  echo "Built & pushed to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash

-            - name: Login in to GHCR
-              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-              with:
-                  registry: ghcr.io
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
-
            - name: Install skopeo + jq
              # skopeo: copy/inspect images between registries
              # jq: JSON parsing tool used to extract digest values
@@ -126,6 +120,11 @@ jobs:
                  skopeo --version
              shell: bash

+            - name: Login to GHCR
+              run: |
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
            - name: Copy tag from Docker Hub to GHCR
              # Mirror the already-built image (all architectures) to GHCR so we can sign it
              run: |
@@ -136,6 +135,13 @@ jobs:
                    docker://$DOCKERHUB_IMAGE:$TAG \
                    docker://$GHCR_IMAGE:$TAG
              shell: bash
+  
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}

            - name: Install cosign
              # cosign is used to sign and verify container images (key and keyless)
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -21,7 +21,7 @@ jobs:
        runs-on: ubuntu-latest
        steps:
            - name: Checkout code
-              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

            - name: Set up Node.js
              uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
--- a/.gitignore
+++ b/.gitignore
@@ -49,4 +49,5 @@ postgres/
 dynamic/
 *.mmdb
 scratch/
-tsconfig.json
+tsconfig.json
+hydrateSaas.ts
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-22
+24
--- a/16
+++ b/16
@@ -1,10 +1,12 @@
-FROM node:22-alpine AS builder
+FROM node:24-alpine AS builder

 WORKDIR /app

 ARG BUILD=oss
 ARG DATABASE=sqlite

+RUN apk add --no-cache curl tzdata python3 make g++
+
 # COPY package.json package-lock.json ./
 COPY package*.json ./
 RUN npm ci
@@ -12,8 +14,9 @@ RUN npm ci
 COPY . .

 RUN echo "export * from \"./$DATABASE\";" > server/db/index.ts
+RUN echo "export const driver: \"pg\" | \"sqlite\" = \"$DATABASE\";" >> server/db/index.ts

-RUN echo "export const build = \"$BUILD\" as any;" > server/build.ts
+RUN echo "export const build = \"$BUILD\" as \"saas\" | \"enterprise\" | \"oss\";" > server/build.ts

 # Copy the appropriate TypeScript configuration based on build type
 RUN if [ "$BUILD" = "oss" ]; then cp tsconfig.oss.json tsconfig.json; \
@@ -30,9 +33,9 @@ RUN mkdir -p dist
 RUN npm run next:build
 RUN node esbuild.mjs -e server/index.ts -o dist/server.mjs -b $BUILD
 RUN if [ "$DATABASE" = "pg" ]; then \
-        node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs; \
+    node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs; \
    else \
-        node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs; \
+    node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs; \
    fi

 # test to make sure the build output is there and error if not
@@ -40,12 +43,13 @@ RUN test -f dist/server.mjs

 RUN npm run build:cli

-FROM node:22-alpine AS runner
+FROM node:24-alpine AS runner

 WORKDIR /app

 # Curl used for the health checks
-RUN apk add --no-cache curl tzdata
+# Python and build tools needed for better-sqlite3 native compilation
+RUN apk add --no-cache curl tzdata python3 make g++

 # COPY package.json package-lock.json ./
 COPY package*.json ./
--- a/30
+++ b/30
@@ -44,6 +44,36 @@ build-release:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .

+build-rc:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-$(tag) \
+		--push .
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64,linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		--push .
+
 build-arm:
 	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .

--- a/README.md
+++ b/README.md
@@ -45,7 +45,10 @@ Pangolin is a self-hosted tunneled reverse proxy server with identity and contex

 ## Installation

-Check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to install and set up Pangolin.
+- Check out the [quick install guide](https://docs.pangolin.net/self-host/quick-install) for how to install and set up Pangolin.
+- Install from the [DigitalOcean marketplace](https://marketplace.digitalocean.com/apps/pangolin-ce-1?refcode=edf0480eeb81) for a one-click pre-configured installer.
+
+<img src="public/screenshots/hero.png" />

 ## Deployment Options

@@ -86,3 +89,7 @@ Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License
 ## Contributions

 Please see [CONTRIBUTING](./CONTRIBUTING.md) in the repository for guidelines and best practices.
+
+---
+
+WireGuard® is a registered trademark of Jason A. Donenfeld.
--- a/blueprint.yaml
+++ b/blueprint.yaml
@@ -31,6 +31,7 @@ proxy-resources:
      #   - owen@pangolin.net
      # whitelist-users:
      #   - owen@pangolin.net
+      # auto-login-idp: 1
    headers:
      - name: X-Example-Header
        value: example-value
--- a/bruno/Auth/login.bru
+++ b/bruno/Auth/login.bru
@@ -5,14 +5,14 @@ meta {
 }

 post {
-  url: http://localhost:4000/api/v1/auth/login
+  url: http://localhost:3000/api/v1/auth/login
  body: json
  auth: none
 }

 body:json {
  {
-    "email": "owen@pangolin.net",
+    "email": "admin@fosrl.io",
    "password": "Password123!"
  }
 }
--- a/bruno/Olm/createOlm.bru
+++ b/bruno/Olm/createOlm.bru
@@ -0,0 +1,15 @@
+meta {
+  name: createOlm
+  type: http
+  seq: 1
+}
+
+put {
+  url: http://localhost:3000/api/v1/olm
+  body: none
+  auth: inherit
+}
+
+settings {
+  encodeUrl: true
+}
--- a/bruno/Olm/folder.bru
+++ b/bruno/Olm/folder.bru
@@ -0,0 +1,8 @@
+meta {
+  name: Olm
+  seq: 15
+}
+
+auth {
+  mode: inherit
+}
--- a/bruno/bruno.json
+++ b/bruno/bruno.json
@@ -1,6 +1,6 @@
 {
  "version": "1",
-  "name": "Pangolin Saas",
+  "name": "Pangolin",
  "type": "collection",
  "ignore": [
    "node_modules",
--- a/cli/commands/setAdminCredentials.ts
+++ b/cli/commands/setAdminCredentials.ts
@@ -90,7 +90,8 @@ export const setAdminCredentials: CommandModule<{}, SetAdminCredentialsArgs> = {
                            passwordHash,
                            dateCreated: moment().toISOString(),
                            serverAdmin: true,
-                            emailVerified: true
+                            emailVerified: true,
+                            lastPasswordChange: new Date().getTime()
                        });

                        console.log("Server admin created");
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -25,4 +25,3 @@ flags:
  disable_user_create_org: true
  allow_raw_resources: true
  enable_integration_api: true
-  enable_clients: true
--- a/docker-compose.drizzle.yml
+++ b/docker-compose.drizzle.yml
@@ -0,0 +1,15 @@
+services:
+  drizzle-gateway:
+    image: ghcr.io/drizzle-team/gateway:latest
+    ports:
+      - "4984:4983"
+    depends_on:
+      - db
+    environment:
+      - STORE_PATH=/app
+      - DATABASE_URL=postgresql://postgres:password@db:5432/postgres
+    volumes:
+      - drizzle-gateway-data:/app
+
+volumes:
+  drizzle-gateway-data:
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -35,7 +35,7 @@ services:
      - 80:80 # Port for traefik because of the network_mode

  traefik:
-    image: traefik:v3.5
+    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    network_mode: service:gerbil # Ports appear on the gerbil service
@@ -52,4 +52,4 @@ networks:
  default:
    driver: bridge
    name: pangolin
-    enable_ipv6: true
+    enable_ipv6: true
--- a/docker-compose.pgr.yml
+++ b/docker-compose.pgr.yml
@@ -11,7 +11,7 @@ services:
      - ./config/postgres:/var/lib/postgresql/data
    ports:
      - "5432:5432" # Map host port 5432 to container port 5432
-    restart: no 
+    restart: no

  redis:
    image: redis:latest # Use the latest Redis image
--- a/install/Makefile
+++ b/install/Makefile
@@ -18,7 +18,11 @@ put-back:
 	mv main.go.bak main.go

 dev-update-versions:
-	PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name') && \
+	if [ -z "$(tag)" ]; then \
+		PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name'); \
+	else \
+		PANGOLIN_VERSION=$(tag); \
+	fi && \
 	GERBIL_VERSION=$$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') && \
 	BADGER_VERSION=$$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') && \
 	echo "Latest versions - Pangolin: $$PANGOLIN_VERSION, Gerbil: $$GERBIL_VERSION, Badger: $$BADGER_VERSION" && \
--- a/install/config/config.yml
+++ b/install/config/config.yml
@@ -14,7 +14,6 @@ app:
 domains:
    domain1:
        base_domain: "{{.BaseDomain}}"
-        cert_resolver: "letsencrypt"

 server:
    secret: "{{.Secret}}"
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -35,7 +35,7 @@ services:
      - 80:80
 {{end}}
  traefik:
-    image: docker.io/traefik:v3.5
+    image: docker.io/traefik:v3.6
    container_name: traefik
    restart: unless-stopped
 {{if .InstallGerbil}}
@@ -59,4 +59,4 @@ networks:
  default:
    driver: bridge
    name: pangolin
-{{if .EnableIPv6}}    enable_ipv6: true{{end}}
+{{if .EnableIPv6}}    enable_ipv6: true{{end}}
--- a/install/config/traefik/dynamic_config.yml
+++ b/install/config/traefik/dynamic_config.yml
@@ -51,3 +51,12 @@ http:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2
--- a/install/containers.go
+++ b/install/containers.go
@@ -73,7 +73,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=ubuntu"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			apt-get install -y apt-transport-https ca-certificates curl &&
 			curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&
@@ -82,7 +82,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=debian"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl software-properties-common &&
+			apt-get install -y apt-transport-https ca-certificates curl &&
 			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&
--- a/install/go.mod
+++ b/install/go.mod
@@ -3,8 +3,8 @@ module installer
 go 1.24.0

 require (
-	golang.org/x/term v0.36.0
+	golang.org/x/term v0.37.0
 	gopkg.in/yaml.v3 v3.0.1
 )

-require golang.org/x/sys v0.37.0 // indirect
+require golang.org/x/sys v0.38.0 // indirect
--- a/install/go.sum
+++ b/install/go.sum
@@ -1,7 +1,7 @@
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
-golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/install/main.go
+++ b/install/main.go
@@ -54,8 +54,8 @@ type Config struct {
 type SupportedContainer string

 const (
-	Docker SupportedContainer = "docker"
-	Podman SupportedContainer = "podman"
+	Docker    SupportedContainer = "docker"
+	Podman    SupportedContainer = "podman"
 	Undefined SupportedContainer = "undefined"
 )

@@ -160,7 +160,7 @@ func main() {
 	} else {
 		alreadyInstalled = true
 		fmt.Println("Looks like you already installed Pangolin!")
-		
+
 		// Check if MaxMind database exists and offer to update it
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
@@ -209,8 +209,8 @@ func main() {

 					parsedURL, err := url.Parse(appConfig.DashboardURL)
 					if err != nil {
-                        fmt.Printf("Error parsing URL: %v\n", err)
-                        return
+						fmt.Printf("Error parsing URL: %v\n", err)
+						return
 					}

 					config.DashboardDomain = parsedURL.Hostname()
@@ -238,12 +238,11 @@ func main() {
 				}

 				fmt.Println("CrowdSec installed successfully!")
-				return
 			}
 		}
 	}

-	if !alreadyInstalled {
+	if !alreadyInstalled || config.DoCrowdsecInstall {
 		// Setup Token Section
 		fmt.Println("\n=== Setup Token ===")

@@ -360,7 +359,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 		config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
 		config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
 		config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
-		config.EmailNoReply = readString(reader, "Enter no-reply email address", "")
+		config.EmailNoReply = readString(reader, "Enter no-reply email address (often the same as SMTP username)", "")
 	}

 	// Validate required fields
@@ -372,13 +371,17 @@ func collectUserInput(reader *bufio.Reader) Config {
 		fmt.Println("Error: Let's Encrypt email is required")
 		os.Exit(1)
 	}
+	if config.EnableEmail && config.EmailNoReply == "" {
+		fmt.Println("Error: No-reply email address is required when email is enabled")
+		os.Exit(1)
+	}

 	// Advanced configuration

 	fmt.Println("\n=== Advanced Configuration ===")

 	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool(reader, "Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", false)
+	config.EnableGeoblocking = readBool(reader, "Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)

 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -644,28 +647,28 @@ func checkPortsAvailable(port int) error {

 func downloadMaxMindDatabase() error {
 	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
-	
+
 	// Download the GeoLite2 Country database
-	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz", 
+	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
 		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
 	}
-	
+
 	// Extract the database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
 		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
 	}
-	
+
 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
 		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
 	}
-	
+
 	// Clean up the downloaded files
 	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
 		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
 	}
-	
+
 	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
 	return nil
 }
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
--- a/messages/en-US.json
+++ b/messages/en-US.json
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1,12 +1,12 @@
 {
-    "setupCreate": "조직, 사이트 및 리소스를 생성하십시오.",
+    "setupCreate": "조직, 사이트 및 리소스를 생성합니다.",
    "setupNewOrg": "새 조직",
    "setupCreateOrg": "조직 생성",
    "setupCreateResources": "리소스 생성",
    "setupOrgName": "조직 이름",
-    "orgDisplayName": "이것은 귀하의 조직의 표시 이름입니다.",
+    "orgDisplayName": "이것은 조직의 표시 이름입니다.",
    "orgId": "조직 ID",
-    "setupIdentifierMessage": "이것은 귀하의 조직에 대한 고유 식별자입니다. 표시 이름과는 별개입니다.",
+    "setupIdentifierMessage": "이것은 조직의 고유 식별자입니다.",
    "setupErrorIdentifier": "조직 ID가 이미 사용 중입니다. 다른 것을 선택해 주세요.",
    "componentsErrorNoMemberCreate": "현재 어떤 조직의 구성원도 아닙니다. 시작하려면 조직을 생성하세요.",
    "componentsErrorNoMember": "현재 어떤 조직의 구성원도 아닙니다.",
@@ -50,10 +50,10 @@
    "siteMessageRemove": "삭제되면 사이트에 더 이상 액세스할 수 없습니다. 사이트와 연결된 모든 대상도 삭제됩니다.",
    "siteQuestionRemove": "조직에서 사이트를 제거하시겠습니까?",
    "siteManageSites": "사이트 관리",
-    "siteDescription": "안전한 터널을 통해 네트워크에 연결할 수 있도록 허용",
+    "siteDescription": "프라이빗 네트워크로의 연결을 활성화하려면 사이트를 생성하고 관리하세요.",
    "siteCreate": "사이트 생성",
    "siteCreateDescription2": "아래 단계를 따라 새 사이트를 생성하고 연결하십시오",
-    "siteCreateDescription": "리소스를 연결하기 위해 새 사이트를 생성하십시오.",
+    "siteCreateDescription": "리소스를 연결하기 위해 새 사이트를 생성하세요.",
    "close": "닫기",
    "siteErrorCreate": "사이트 생성 오류",
    "siteErrorCreateKeyPair": "키 쌍 또는 사이트 기본값을 찾을 수 없습니다",
@@ -74,7 +74,7 @@
    "siteInstallNewt": "Newt 설치",
    "siteInstallNewtDescription": "시스템에서 Newt 실행하기",
    "WgConfiguration": "WireGuard 구성",
-    "WgConfigurationDescription": "네트워크에 연결하기 위한 다음 구성을 사용하십시오.",
+    "WgConfigurationDescription": "네트워크에 연결하기 위한 다음 구성을 사용하세요.",
    "operatingSystem": "운영 체제",
    "commands": "명령",
    "recommended": "추천",
@@ -87,25 +87,25 @@
    "siteUpdated": "사이트가 업데이트되었습니다",
    "siteUpdatedDescription": "사이트가 업데이트되었습니다.",
    "siteGeneralDescription": "이 사이트에 대한 일반 설정을 구성하세요.",
-    "siteSettingDescription": "사이트에서 설정을 구성하세요",
+    "siteSettingDescription": "사이트에서 설정을 구성하세요.",
    "siteSetting": "{siteName} 설정",
-    "siteNewtTunnel": "뉴트 터널 (추천)",
-    "siteNewtTunnelDescription": "네트워크에 대한 진입점을 생성하는 가장 쉬운 방법입니다. 추가 설정이 필요 없습니다.",
+    "siteNewtTunnel": "뉴트 사이트 (추천)",
+    "siteNewtTunnelDescription": "네트워크의 진입점을 생성하는 가장 쉬운 방법입니다. 추가 설정이 필요 없습니다.",
    "siteWg": "기본 WireGuard",
    "siteWgDescription": "모든 WireGuard 클라이언트를 사용하여 터널을 설정하세요. 수동 NAT 설정이 필요합니다.",
    "siteWgDescriptionSaas": "모든 WireGuard 클라이언트를 사용하여 터널을 설정하세요. 수동 NAT 설정이 필요합니다. 자체 호스팅 노드에서만 작동합니다.",
    "siteLocalDescription": "로컬 리소스만 사용 가능합니다. 터널링이 없습니다.",
    "siteLocalDescriptionSaas": "로컬 리소스 전용. 터널링 금지. 원격 노드에서만 사용 가능합니다.",
    "siteSeeAll": "모든 사이트 보기",
-    "siteTunnelDescription": "사이트에 연결하는 방법을 결정하세요",
-    "siteNewtCredentials": "Newt 자격 증명",
-    "siteNewtCredentialsDescription": "이것이 Newt가 서버와 인증하는 방법입니다",
+    "siteTunnelDescription": "사이트에 연결하는 방법을 결정하세요.",
+    "siteNewtCredentials": "자격 증명",
+    "siteNewtCredentialsDescription": "이것이 사이트가 서버와 인증하는 방법입니다.",
    "siteCredentialsSave": "자격 증명 저장",
    "siteCredentialsSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
    "siteInfo": "사이트 정보",
    "status": "상태",
    "shareTitle": "공유 링크 관리",
-    "shareDescription": "공유 가능한 링크를 생성하여 리소스에 대한 임시 또는 영구 액세스를 부여합니다.",
+    "shareDescription": "공유 가능한 링크를 생성하여 프록시 리소스에 임시 또는 영구적으로 액세스하세요.",
    "shareSearch": "공유 링크 검색...",
    "shareCreate": "공유 링크 생성",
    "shareErrorDelete": "링크 삭제에 실패했습니다.",
@@ -144,8 +144,10 @@
    "expires": "만료",
    "never": "절대",
    "shareErrorSelectResource": "리소스를 선택하세요",
-    "resourceTitle": "리소스 관리",
-    "resourceDescription": "개인 애플리케이션에 대한 보안 프록시 생성",
+    "proxyResourceTitle": "공개 리소스 관리",
+    "proxyResourceDescription": "웹 브라우저를 통해 공용으로 접근할 수 있는 리소스를 생성하고 관리하세요.",
+    "clientResourceTitle": "개인 리소스 관리",
+    "clientResourceDescription": "연결된 클라이언트를 통해서만 접근할 수 있는 리소스를 생성하고 관리하세요.",
    "resourcesSearch": "리소스 검색...",
    "resourceAdd": "리소스 추가",
    "resourceErrorDelte": "리소스 삭제 중 오류 발생",
@@ -155,9 +157,9 @@
    "resourceMessageRemove": "제거되면 리소스에 더 이상 접근할 수 없습니다. 리소스와 연결된 모든 대상도 제거됩니다.",
    "resourceQuestionRemove": "조직에서 리소스를 제거하시겠습니까?",
    "resourceHTTP": "HTTPS 리소스",
-    "resourceHTTPDescription": "서브도메인 또는 기본 도메인을 사용하여 HTTPS를 통해 앱에 대한 요청을 프록시합니다.",
+    "resourceHTTPDescription": "서브도메인이나 기본 도메인을 사용하여 HTTPS를 통해 앱에 대한 요청을 프록시합니다.",
    "resourceRaw": "원시 TCP/UDP 리소스",
-    "resourceRawDescription": "TCP/UDP를 통해 포트 번호를 사용하여 앱에 요청을 프록시합니다.",
+    "resourceRawDescription": "TCP/UDP를 사용하여 포트 번호를 통해 앱에 요청을 프록시합니다. 이 기능은 사이트가 노드에 연결될 때만 작동합니다.",
    "resourceCreate": "리소스 생성",
    "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
    "resourceSeeAll": "모든 리소스 보기",
@@ -171,9 +173,9 @@
    "noCountryFound": "국가를 찾을 수 없습니다.",
    "siteSelectionDescription": "이 사이트는 대상에 대한 연결을 제공합니다.",
    "resourceType": "리소스 유형",
-    "resourceTypeDescription": "리소스에 접근하는 방법을 결정하세요",
+    "resourceTypeDescription": "리소스에 액세스하는 방법을 결정하세요.",
    "resourceHTTPSSettings": "HTTPS 설정",
-    "resourceHTTPSSettingsDescription": "리소스에 대한 HTTPS 접근 방식을 구성하십시오.",
+    "resourceHTTPSSettingsDescription": "리소스가 HTTPS로 접근할 수 있는 방식을 구성합니다.",
    "domainType": "도메인 유형",
    "subdomain": "서브도메인",
    "baseDomain": "기본 도메인",
@@ -186,7 +188,7 @@
    "resourcePortNumberDescription": "요청을 프록시하기 위한 외부 포트 번호입니다.",
    "cancel": "취소",
    "resourceConfig": "구성 스니펫",
-    "resourceConfigDescription": "TCP/UDP 리소스를 설정하기 위해 이 구성 스니펫을 복사하여 붙여넣으십시오.",
+    "resourceConfigDescription": "TCP/UDP 리소스를 설정하기 위해 이 구성 스니펫을 복사하여 붙여넣습니다.",
    "resourceAddEntrypoints": "Traefik: 엔트리포인트 추가",
    "resourceExposePorts": "Gerbil: Docker Compose에서 포트 노출",
    "resourceLearnRaw": "TCP/UDP 리소스 구성 방법 알아보기",
@@ -204,10 +206,10 @@
    "rules": "규칙",
    "resourceSettingDescription": "리소스의 설정을 구성하세요.",
    "resourceSetting": "{resourceName} 설정",
-    "alwaysAllow": "항상 허용",
-    "alwaysDeny": "항상 거부",
+    "alwaysAllow": "인증 우회",
+    "alwaysDeny": "접근 차단",
    "passToAuth": "인증으로 전달",
-    "orgSettingsDescription": "조직의 일반 설정을 구성하세요",
+    "orgSettingsDescription": "조직의 일반 설정을 구성하세요.",
    "orgGeneralSettings": "조직 설정",
    "orgGeneralSettingsDescription": "조직 세부정보 및 구성을 관리하세요.",
    "saveGeneralSettings": "일반 설정 저장",
@@ -232,7 +234,7 @@
    "orgMissing": "조직 ID가 누락되었습니다",
    "orgMissingMessage": "조직 ID 없이 초대장을 재생성할 수 없습니다.",
    "accessUsersManage": "사용자 관리",
-    "accessUsersDescription": "사용자를 초대하고 역할에 추가하여 조직에 대한 접근을 관리하세요",
+    "accessUsersDescription": "이 조직에 액세스할 사용자 초대 및 관리",
    "accessUsersSearch": "사용자 검색...",
    "accessUserCreate": "사용자 생성",
    "accessUserRemove": "사용자 제거",
@@ -241,13 +243,13 @@
    "role": "역할",
    "nameRequired": "이름은 필수입니다",
    "accessRolesManage": "역할 관리",
-    "accessRolesDescription": "조직에 대한 액세스를 관리할 역할 구성",
+    "accessRolesDescription": "조직의 사용자에 대한 역할을 생성하고 관리합니다.",
    "accessRolesSearch": "역할 검색...",
    "accessRolesAdd": "역할 추가",
    "accessRoleDelete": "역할 삭제",
    "description": "설명",
    "inviteTitle": "열린 초대",
-    "inviteDescription": "다른 사용자에 대한 초대를 관리하세요",
+    "inviteDescription": "다른 사용자가 조직에 참여하도록 초대장을 관리합니다.",
    "inviteSearch": "초대 검색...",
    "minutes": "분",
    "hours": "시간",
@@ -264,10 +266,10 @@
    "apiKeysCreateDescription": "조직을 위한 새로운 API 키 생성",
    "apiKeysGeneralSettings": "권한",
    "apiKeysGeneralSettingsDescription": "이 API 키가 수행할 수 있는 작업 결정",
-    "apiKeysList": "귀하의 API 키",
+    "apiKeysList": "새로운 API 키",
    "apiKeysSave": "API 키 저장",
    "apiKeysSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
-    "apiKeysInfo": "귀하의 API 키는 다음과 같습니다:",
+    "apiKeysInfo": "API 키는 다음과 같습니다:",
    "apiKeysConfirmCopy": "API 키를 복사했습니다",
    "generate": "생성",
    "done": "완료",
@@ -424,7 +426,7 @@
    "userCreated": "사용자가 생성되었습니다.",
    "userCreatedDescription": "사용자가 성공적으로 생성되었습니다.",
    "userTypeInternal": "내부 사용자",
-    "userTypeInternalDescription": "사용자를 초대하여 귀하의 조직에 직접 참여하게 하세요.",
+    "userTypeInternalDescription": "사용자를 초대하여 조직에 직접 참여하게 하세요.",
    "userTypeExternal": "외부 사용자",
    "userTypeExternalDescription": "외부 신원 공급자를 사용하여 사용자를 생성하세요.",
    "accessUserCreateDescription": "새 사용자를 만들기 위한 아래 단계를 따르세요.",
@@ -436,6 +438,16 @@
    "inviteEmailSent": "사용자에게 초대 이메일 보내기",
    "inviteValid": "유효 기간",
    "selectDuration": "지속 시간 선택",
+    "selectResource": "리소스 선택",
+    "filterByResource": "리소스별 필터",
+    "resetFilters": "필터 재설정",
+    "totalBlocked": "Pangolin으로 차단된 요청",
+    "totalRequests": "총 요청 수",
+    "requestsByCountry": "국가별 요청 수",
+    "requestsByDay": "일자별 요청 수",
+    "blocked": "차단됨",
+    "allowed": "허용됨",
+    "topCountries": "상위 국가",
    "accessRoleSelect": "역할 선택",
    "inviteEmailSentDescription": "아래의 접근 링크와 함께 사용자에게 이메일이 전송되었습니다. 사용자는 초대를 수락하기 위해 링크에 접근해야 합니다.",
    "inviteSentDescription": "사용자가 초대되었습니다. 초대를 수락하려면 아래 링크에 접속해야 합니다.",
@@ -464,7 +476,7 @@
    "proxyErrorInvalidHeader": "잘못된 사용자 정의 호스트 헤더 값입니다. 도메인 이름 형식을 사용하거나 사용자 정의 호스트 헤더를 해제하려면 비워 두십시오.",
    "proxyErrorTls": "유효하지 않은 TLS 서버 이름입니다. 도메인 이름 형식을 사용하거나 비워 두어 TLS 서버 이름을 제거하십시오.",
    "proxyEnableSSL": "SSL 활성화",
-    "proxyEnableSSLDescription": "대상에 대한 안전한 HTTPS 연결을 위해 SSL/TLS 암호화를 활성화하세요.",
+    "proxyEnableSSLDescription": "타겟과의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화를 활성화하세요.",
    "target": "대상",
    "configureTarget": "대상 구성",
    "targetErrorFetch": "대상 가져오는 데 실패했습니다.",
@@ -480,14 +492,14 @@
    "targetsErrorUpdate": "대상 업데이트 실패",
    "targetsErrorUpdateDescription": "대상 업데이트 중 오류가 발생했습니다.",
    "targetTlsUpdate": "TLS 설정이 업데이트되었습니다.",
-    "targetTlsUpdateDescription": "TLS 설정이 성공적으로 업데이트되었습니다.",
+    "targetTlsUpdateDescription": "TLS 설정이 성공적으로 업데이트되었습니다",
    "targetErrorTlsUpdate": "TLS 설정 업데이트에 실패했습니다.",
    "targetErrorTlsUpdateDescription": "TLS 설정을 업데이트하는 동안 오류가 발생했습니다",
    "proxyUpdated": "프록시 설정이 업데이트되었습니다.",
    "proxyUpdatedDescription": "프록시 설정이 성공적으로 업데이트되었습니다",
    "proxyErrorUpdate": "프록시 설정 업데이트에 실패했습니다.",
    "proxyErrorUpdateDescription": "프록시 설정을 업데이트하는 동안 오류가 발생했습니다",
-    "targetAddr": "IP / 호스트 이름",
+    "targetAddr": "호스트",
    "targetPort": "포트",
    "targetProtocol": "프로토콜",
    "targetTlsSettings": "보안 연결 구성",
@@ -502,7 +514,7 @@
    "targetStickySessionsDescription": "세션 전체 동안 동일한 백엔드 대상을 유지합니다.",
    "methodSelect": "선택 방법",
    "targetSubmit": "대상 추가",
-    "targetNoOne": "이 리소스에는 대상이 없습니다. 백엔드로 요청을 보내려면 대상을 추가하세요.",
+    "targetNoOne": "이 리소스에는 대상이 없습니다. 백엔드로 요청을 보낼 대상을 구성하려면 대상을 추가하세요.",
    "targetNoOneDescription": "위에 하나 이상의 대상을 추가하면 로드 밸런싱이 활성화됩니다.",
    "targetsSubmit": "대상 저장",
    "addTarget": "대상 추가",
@@ -516,6 +528,8 @@
    "targetCreatedDescription": "대상이 성공적으로 생성되었습니다.",
    "targetErrorCreate": "대상 생성 실패",
    "targetErrorCreateDescription": "대상 생성 중 오류가 발생했습니다.",
+    "tlsServerName": "TLS 서버 이름",
+    "tlsServerNameDescription": "SNI를 위한 TLS 서버 이름",
    "save": "저장",
    "proxyAdditional": "추가 프록시 설정",
    "proxyAdditionalDescription": "리소스가 프록시 설정을 처리하는 방법 구성",
@@ -607,9 +621,9 @@
    "unknownCommand": "알 수 없는 명령",
    "newtErrorFetchReleases": "릴리스 정보를 가져오는 데 실패했습니다: {err}",
    "newtErrorFetchLatest": "최신 릴리스를 가져오는 중 오류 발생: {err}",
-    "newtEndpoint": "Newt 엔드포인트",
-    "newtId": "뉴트 ID",
-    "newtSecretKey": "Newt 비밀 키",
+    "newtEndpoint": "엔드포인트",
+    "newtId": "ID",
+    "newtSecretKey": "비밀",
    "architecture": "아키텍처",
    "sites": "사이트",
    "siteWgAnyClients": "WireGuard 클라이언트를 사용하여 연결하십시오. 피어 IP를 사용하여 내부 리소스에 접근해야 합니다.",
@@ -671,7 +685,7 @@
    "resourcePincodeSetupTitle": "핀코드 설정",
    "resourcePincodeSetupTitleDescription": "이 리소스를 보호하기 위해 핀 코드를 설정하십시오.",
    "resourceRoleDescription": "관리자는 항상 이 리소스에 접근할 수 있습니다.",
-    "resourceUsersRoles": "사용자 및 역할",
+    "resourceUsersRoles": "접근 제어",
    "resourceUsersRolesDescription": "이 리소스를 방문할 수 있는 사용자 및 역할을 구성하십시오",
    "resourceUsersRolesSubmit": "사용자 및 역할 저장",
    "resourceWhitelistSave": "성공적으로 저장되었습니다.",
@@ -702,6 +716,7 @@
    "resourceTransferSubmit": "리소스 전송",
    "siteDestination": "대상 사이트",
    "searchSites": "사이트 검색",
+    "countries": "국가",
    "accessRoleCreate": "역할 생성",
    "accessRoleCreateDescription": "사용자를 그룹화하고 권한을 관리하기 위해 새 역할을 생성하세요.",
    "accessRoleCreateSubmit": "역할 생성",
@@ -909,11 +924,30 @@
    "passwordResetSent": "이 이메일 주소로 비밀번호 재설정 코드를 전송하겠습니다.",
    "passwordResetCode": "코드 재설정",
    "passwordResetCodeDescription": "재설정 코드를 확인하려면 이메일을 확인하세요.",
+    "generatePasswordResetCode": "비밀번호 초기화 코드 생성",
+    "passwordResetCodeGenerated": "비밀번호 초기화 코드 생성됨",
+    "passwordResetCodeGeneratedDescription": "이 코드를 사용자와 공유하세요. 사용자는 이를 사용하여 비밀번호를 재설정할 수 있습니다.",
+    "passwordResetUrl": "리디렉션 URL",
    "passwordNew": "새 비밀번호",
    "passwordNewConfirm": "새 비밀번호 확인",
+    "changePassword": "비밀번호 변경",
+    "changePasswordDescription": "계정 비밀번호를 업데이트하십시오",
+    "oldPassword": "현재 비밀번호",
+    "newPassword": "새 비밀번호",
+    "confirmNewPassword": "새 비밀번호 확인",
+    "changePasswordError": "비밀번호 변경 실패",
+    "changePasswordErrorDescription": "비밀번호를 변경하는 중 오류가 발생했습니다",
+    "changePasswordSuccess": "비밀번호 변경 완료",
+    "changePasswordSuccessDescription": "비밀번호가 성공적으로 업데이트되었습니다",
+    "passwordExpiryRequired": "비밀번호 만료 필요",
+    "passwordExpiryDescription": "이 조직은 {maxDays}일마다 비밀번호 변경을 요구합니다.",
+    "changePasswordNow": "지금 비밀번호 변경",
    "pincodeAuth": "인증 코드",
    "pincodeSubmit2": "코드 제출",
    "passwordResetSubmit": "재설정 요청",
+    "passwordResetAlreadyHaveCode": "비밀번호 초기화 코드를 입력하세요",
+    "passwordResetSmtpRequired": "관리자에게 문의하십시오",
+    "passwordResetSmtpRequiredDescription": "비밀번호를 재설정하려면 비밀번호 초기화 코드가 필요합니다. 지원을 받으려면 관리자에게 문의하십시오.",
    "passwordBack": "비밀번호로 돌아가기",
    "loginBack": "로그인으로 돌아가기",
    "signup": "가입하기",
@@ -1079,12 +1113,15 @@
    "actionListSiteResources": "사이트 리소스 목록",
    "actionUpdateSiteResource": "사이트 리소스 업데이트",
    "actionListInvitations": "초대 목록",
+    "actionExportLogs": "로그 내보내기",
+    "actionViewLogs": "로그 보기",
    "noneSelected": "선택된 항목 없음",
    "orgNotFound2": "조직이 없습니다.",
    "searchProgress": "검색...",
    "create": "생성",
    "orgs": "조직",
    "loginError": "로그인 중 오류가 발생했습니다",
+    "loginRequiredForDevice": "장치를 인증하려면 로그인이 필요합니다.",
    "passwordForgot": "비밀번호를 잊으셨나요?",
    "otpAuth": "이중 인증",
    "otpAuthDescription": "인증 앱에서 코드를 입력하거나 단일 사용 백업 코드 중 하나를 입력하세요.",
@@ -1139,18 +1176,47 @@
    "sidebarHome": "홈",
    "sidebarSites": "사이트",
    "sidebarResources": "리소스",
+    "sidebarProxyResources": "공유",
+    "sidebarClientResources": "비공개",
    "sidebarAccessControl": "액세스 제어",
+    "sidebarLogsAndAnalytics": "로그 및 분석",
    "sidebarUsers": "사용자",
+    "sidebarAdmin": "관리자",
    "sidebarInvitations": "초대",
    "sidebarRoles": "역할",
-    "sidebarShareableLinks": "공유 가능한 링크",
+    "sidebarShareableLinks": "링크",
    "sidebarApiKeys": "API 키",
    "sidebarSettings": "설정",
    "sidebarAllUsers": "모든 사용자",
    "sidebarIdentityProviders": "신원 공급자",
    "sidebarLicense": "라이선스",
    "sidebarClients": "클라이언트",
+    "sidebarUserDevices": "사용자",
+    "sidebarMachineClients": "기계",
    "sidebarDomains": "도메인",
+    "sidebarGeneral": "일반",
+    "sidebarLogAndAnalytics": "로그 & 통계",
+    "sidebarBluePrints": "청사진",
+    "sidebarOrganization": "조직",
+    "sidebarLogsAnalytics": "분석",
+    "blueprints": "청사진",
+    "blueprintsDescription": "선언적 구성을 적용하고 이전 실행을 봅니다",
+    "blueprintAdd": "청사진 추가",
+    "blueprintGoBack": "모든 청사진 보기",
+    "blueprintCreate": "청사진 생성",
+    "blueprintCreateDescription2": "새 청사진을 생성하고 적용하려면 아래 단계를 따르십시오",
+    "blueprintDetails": "청사진 세부사항",
+    "blueprintDetailsDescription": "적용된 청사진의 결과와 발생한 오류를 확인합니다",
+    "blueprintInfo": "청사진 정보",
+    "message": "메시지",
+    "blueprintContentsDescription": "인프라를 설명하는 YAML 내용을 정의하십시오",
+    "blueprintErrorCreateDescription": "청사진을 적용하는 중 오류가 발생했습니다",
+    "blueprintErrorCreate": "청사진 생성 오류",
+    "searchBlueprintProgress": "청사진 검색...",
+    "appliedAt": "적용 시점",
+    "source": "출처",
+    "contents": "콘텐츠",
+    "parsedContents": "구문 분석된 콘텐츠 (읽기 전용)",
    "enableDockerSocket": "Docker 청사진 활성화",
    "enableDockerSocketDescription": "블루프린트 레이블을 위한 Docker 소켓 레이블 수집을 활성화합니다. 소켓 경로는 Newt에 제공되어야 합니다.",
    "enableDockerSocketLink": "자세히 알아보기",
@@ -1199,14 +1265,14 @@
    "loading": "로딩 중",
    "restart": "재시작",
    "domains": "도메인",
-    "domainsDescription": "조직의 도메인을 관리합니다",
+    "domainsDescription": "조직에서 사용 가능한 도메인 생성 및 관리",
    "domainsSearch": "도메인 검색...",
    "domainAdd": "도메인 추가",
    "domainAddDescription": "조직에 새로운 도메인을 등록하세요",
    "domainCreate": "도메인 생성",
    "domainCreatedDescription": "도메인이 성공적으로 생성되었습니다",
    "domainDeletedDescription": "도메인이 성공적으로 삭제되었습니다",
-    "domainQuestionRemove": "계정에서 도메인을 제거하시겠습니까?",
+    "domainQuestionRemove": "도메인을 제거하시겠습니까?",
    "domainMessageRemove": "제거되면 도메인이 더 이상 계정과 연관되지 않습니다.",
    "domainConfirmDelete": "도메인 삭제 확인",
    "domainDelete": "도메인 삭제",
@@ -1248,6 +1314,15 @@
    "settingsErrorUpdateDescription": "설정을 업데이트하는 동안 오류가 발생했습니다",
    "sidebarCollapse": "줄이기",
    "sidebarExpand": "확장하기",
+    "productUpdateMoreInfo": "{noOfUpdates}개의 더 많은 업데이트",
+    "productUpdateInfo": "{noOfUpdates}개 업데이트",
+    "productUpdateWhatsNew": "새로운 기능",
+    "productUpdateTitle": "제품 업데이트",
+    "productUpdateEmpty": "업데이트 없음",
+    "dismissAll": "모두 해제",
+    "pangolinUpdateAvailable": "업데이트 가능",
+    "pangolinUpdateAvailableInfo": "버전 {version}을(를) 설치할 준비가 되었습니다",
+    "pangolinUpdateAvailableReleaseNotes": "릴리스 노트 보기",
    "newtUpdateAvailable": "업데이트 가능",
    "newtUpdateAvailableInfo": "뉴트의 새 버전이 출시되었습니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
    "domainPickerEnterDomain": "도메인",
@@ -1340,6 +1415,19 @@
    "securityKeyUnknownError": "보안 키를 사용하는 데 문제가 발생했습니다. 다시 시도하세요.",
    "twoFactorRequired": "보안 키를 등록하려면 이중 인증이 필요합니다.",
    "twoFactor": "이중 인증",
+    "twoFactorAuthentication": "이중 인증",
+    "twoFactorDescription": "이 조직은 이중 인증을 요구합니다.",
+    "enableTwoFactor": "이중 인증 활성화",
+    "organizationSecurityPolicy": "조직 보안 정책",
+    "organizationSecurityPolicyDescription": "이 조직에는 접근하기 전에 준수해야 하는 보안 요구 사항이 있습니다",
+    "securityRequirements": "보안 요구 사항",
+    "allRequirementsMet": "모든 요구 사항이 충족되었습니다",
+    "completeRequirementsToContinue": "이 조직에 계속 접근하려면 아래 요구 사항을 완료하십시오",
+    "youCanNowAccessOrganization": "이제 이 조직에 접근할 수 있습니다",
+    "reauthenticationRequired": "세션 길이",
+    "reauthenticationDescription": "이 조직은 {maxDays}일마다 로그인하는 것을 요구합니다.",
+    "reauthenticationDescriptionHours": "이 조직은 {maxHours}시간마다 로그인하는 것을 요구합니다.",
+    "reauthenticateNow": "다시 로그인",
    "adminEnabled2FaOnYourAccount": "관리자가 {email}에 대한 이중 인증을 활성화했습니다. 계속하려면 설정을 완료하세요.",
    "securityKeyAdd": "보안 키 추가",
    "securityKeyRegisterTitle": "새 보안 키 등록",
@@ -1377,28 +1465,31 @@
        "and": "및",
        "privacyPolicy": "개인 정보 보호 정책"
    },
+    "signUpMarketing": {
+        "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."
+    },
    "siteRequired": "사이트가 필요합니다.",
    "olmTunnel": "Olm 터널",
    "olmTunnelDescription": "클라이언트 연결에 Olm 사용",
    "errorCreatingClient": "클라이언트 생성 오류",
    "clientDefaultsNotFound": "클라이언트 기본값을 찾을 수 없습니다.",
    "createClient": "클라이언트 생성",
-    "createClientDescription": "사이트에 연결하기 위한 새 클라이언트를 생성하십시오.",
+    "createClientDescription": "개인 리소스에 액세스할 새 클라이언트를 생성하십시오",
    "seeAllClients": "모든 클라이언트 보기",
    "clientInformation": "클라이언트 정보",
    "clientNamePlaceholder": "클라이언트 이름",
    "address": "주소",
    "subnetPlaceholder": "서브넷",
-    "addressDescription": "이 클라이언트가 연결에 사용할 주소",
+    "addressDescription": "클라이언트의 내부 주소. 조직의 서브넷 내에 있어야 합니다.",
    "selectSites": "사이트 선택",
    "sitesDescription": "클라이언트는 선택한 사이트에 연결됩니다.",
    "clientInstallOlm": "Olm 설치",
    "clientInstallOlmDescription": "시스템에서 Olm을 실행하기",
    "clientOlmCredentials": "Olm 자격 증명",
-    "clientOlmCredentialsDescription": "Olm이 서버와 인증하는 방법입니다.",
+    "clientOlmCredentialsDescription": "이것이 Newt가 서버와 인증하는 방법입니다",
    "olmEndpoint": "Olm 엔드포인트",
-    "olmId": "Olm ID",
-    "olmSecretKey": "Olm 비밀 키",
+    "olmId": "ID",
+    "olmSecretKey": "비밀",
    "clientCredentialsSave": "자격 증명 저장",
    "clientCredentialsSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
    "generalSettingsDescription": "이 클라이언트에 대한 일반 설정을 구성하세요.",
@@ -1410,9 +1501,7 @@
    "sitesFetchError": "사이트 가져오는 중 오류가 발생했습니다.",
    "olmErrorFetchReleases": "Olm 릴리즈 가져오는 중 오류가 발생했습니다.",
    "olmErrorFetchLatest": "최신 Olm 릴리즈 가져오는 중 오류가 발생했습니다.",
-    "remoteSubnets": "원격 서브넷",
    "enterCidrRange": "CIDR 범위 입력",
-    "remoteSubnetsDescription": "이 사이트에서 원격으로 액세스할 수 있는 CIDR 범위를 추가하세요. 10.0.0.0/24와 같은 형식을 사용하세요. 이는 VPN 클라이언트 연결에만 적용됩니다.",
    "resourceEnableProxy": "공개 프록시 사용",
    "resourceEnableProxyDescription": "이 리소스에 대한 공개 프록시를 활성화하십시오. 이를 통해 네트워크 외부로부터 클라우드를 통해 열린 포트에서 리소스에 액세스할 수 있습니다. Traefik 구성이 필요합니다.",
    "externalProxyEnabled": "외부 프록시 활성화됨",
@@ -1430,14 +1519,15 @@
    "enableHealthChecksDescription": "이 대상을 모니터링하여 건강 상태를 확인하세요. 필요에 따라 대상과 다른 엔드포인트를 모니터링할 수 있습니다.",
    "healthScheme": "방법",
    "healthSelectScheme": "방법 선택",
+    "healthCheckPortInvalid": "올바르지 않은 서브넷 마스크입니다. 1에서 65535 사이여야 합니다",
    "healthCheckPath": "경로",
    "healthHostname": "IP / 호스트",
    "healthPort": "포트",
    "healthCheckPathDescription": "상태 확인을 위한 경로입니다.",
-    "healthyIntervalSeconds": "정상 간격",
-    "unhealthyIntervalSeconds": "비정상 간격",
+    "healthyIntervalSeconds": "정상 간격(초)",
+    "unhealthyIntervalSeconds": "비정상 간격(초)",
    "IntervalSeconds": "정상 간격",
-    "timeoutSeconds": "시간 초과",
+    "timeoutSeconds": "타임아웃(초)",
    "timeIsInSeconds": "시간은 초 단위입니다",
    "retryAttempts": "재시도 횟수",
    "expectedResponseCodes": "예상 응답 코드",
@@ -1473,16 +1563,22 @@
    "resourceEditDomain": "도메인 수정",
    "siteName": "사이트 이름",
    "proxyPort": "포트",
-    "resourcesTableProxyResources": "프록시 리소스",
-    "resourcesTableClientResources": "클라이언트 리소스",
+    "resourcesTableProxyResources": "공유",
+    "resourcesTableClientResources": "비공개",
    "resourcesTableNoProxyResourcesFound": "프록시 리소스를 찾을 수 없습니다.",
    "resourcesTableNoInternalResourcesFound": "내부 리소스를 찾을 수 없습니다.",
    "resourcesTableDestination": "대상지",
-    "resourcesTableTheseResourcesForUseWith": "이 리소스는 다음과 함께 사용하기 위한 것입니다.",
+    "resourcesTableAlias": "별칭",
    "resourcesTableClients": "클라이언트",
    "resourcesTableAndOnlyAccessibleInternally": "클라이언트와 연결되었을 때만 내부적으로 접근 가능합니다.",
-    "editInternalResourceDialogEditClientResource": "클라이언트 리소스 수정",
-    "editInternalResourceDialogUpdateResourceProperties": "{resourceName}의 리소스 속성과 대상 구성을 업데이트하세요.",
+    "resourcesTableNoTargets": "대상 없음",
+    "resourcesTableHealthy": "정상",
+    "resourcesTableDegraded": "저하됨",
+    "resourcesTableOffline": "오프라인",
+    "resourcesTableUnknown": "알 수 없음",
+    "resourcesTableNotMonitored": "모니터링되지 않음",
+    "editInternalResourceDialogEditClientResource": "비공개 리소스 수정",
+    "editInternalResourceDialogUpdateResourceProperties": "{resourceName}의 리소스 속성과 대상 구성을 업데이트하세요",
    "editInternalResourceDialogResourceProperties": "리소스 속성",
    "editInternalResourceDialogName": "이름",
    "editInternalResourceDialogProtocol": "프로토콜",
@@ -1501,11 +1597,22 @@
    "editInternalResourceDialogInvalidIPAddressFormat": "잘못된 IP 주소 형식",
    "editInternalResourceDialogDestinationPortMin": "대상 포트는 최소 1이어야 합니다.",
    "editInternalResourceDialogDestinationPortMax": "대상 포트는 65536 미만이어야 합니다.",
+    "editInternalResourceDialogPortModeRequired": "포트 모드에는 프로토콜, 프록시 포트 및 대상 포트가 필요합니다",
+    "editInternalResourceDialogMode": "모드",
+    "editInternalResourceDialogModePort": "포트",
+    "editInternalResourceDialogModeHost": "호스트",
+    "editInternalResourceDialogModeCidr": "CIDR",
+    "editInternalResourceDialogDestination": "대상지",
+    "editInternalResourceDialogDestinationHostDescription": "사이트 네트워크의 자원 IP 주소입니다.",
+    "editInternalResourceDialogDestinationIPDescription": "사이트 네트워크의 자원 IP 또는 호스트 네임 주소입니다.",
+    "editInternalResourceDialogDestinationCidrDescription": "사이트 네트워크의 자원 IP 주소입니다.",
+    "editInternalResourceDialogAlias": "별칭",
+    "editInternalResourceDialogAliasDescription": "이 리소스에 대한 선택적 내부 DNS 별칭입니다.",
    "createInternalResourceDialogNoSitesAvailable": "사용 가능한 사이트가 없습니다.",
    "createInternalResourceDialogNoSitesAvailableDescription": "내부 리소스를 생성하려면 서브넷이 구성된 최소 하나의 Newt 사이트가 필요합니다.",
    "createInternalResourceDialogClose": "닫기",
-    "createInternalResourceDialogCreateClientResource": "클라이언트 리소스 생성",
-    "createInternalResourceDialogCreateClientResourceDescription": "선택한 사이트에 연결된 클라이언트에 접근할 새 리소스를 생성합니다.",
+    "createInternalResourceDialogCreateClientResource": "사이트 리소스 생성",
+    "createInternalResourceDialogCreateClientResourceDescription": "선택한 사이트에 연결된 클라이언트에 접근할 새 리소스를 생성합니다",
    "createInternalResourceDialogResourceProperties": "리소스 속성",
    "createInternalResourceDialogName": "이름",
    "createInternalResourceDialogSite": "사이트",
@@ -1534,11 +1641,22 @@
    "createInternalResourceDialogInvalidIPAddressFormat": "잘못된 IP 주소 형식",
    "createInternalResourceDialogDestinationPortMin": "대상 포트는 최소 1이어야 합니다.",
    "createInternalResourceDialogDestinationPortMax": "대상 포트는 65536 미만이어야 합니다.",
+    "createInternalResourceDialogPortModeRequired": "포트 모드에는 프로토콜, 프록시 포트 및 대상 포트가 필요합니다",
+    "createInternalResourceDialogMode": "모드",
+    "createInternalResourceDialogModePort": "포트",
+    "createInternalResourceDialogModeHost": "호스트",
+    "createInternalResourceDialogModeCidr": "CIDR",
+    "createInternalResourceDialogDestination": "대상지",
+    "createInternalResourceDialogDestinationHostDescription": "사이트 네트워크의 자원 IP 주소입니다.",
+    "createInternalResourceDialogDestinationCidrDescription": "사이트 네트워크의 자원 IP 주소입니다.",
+    "createInternalResourceDialogAlias": "별칭",
+    "createInternalResourceDialogAliasDescription": "이 리소스에 대한 선택적 내부 DNS 별칭입니다.",
    "siteConfiguration": "설정",
    "siteAcceptClientConnections": "클라이언트 연결 허용",
-    "siteAcceptClientConnectionsDescription": "이 Newt 인스턴스를 게이트웨이로 사용하여 다른 장치가 연결될 수 있도록 허용합니다.",
-    "siteAddress": "사이트 주소",
-    "siteAddressDescription": "클라이언트가 연결하기 위한 호스트의 IP 주소를 지정합니다. 이는 클라이언트가 주소를 지정하기 위한 Pangolin 네트워크의 사이트 내부 주소입니다. 조직 서브넷 내에 있어야 합니다.",
+    "siteAcceptClientConnectionsDescription": "사용자 장치와 클라이언트가 이 사이트의 리소스에 접근할 수 있도록 허용하세요. 나중에 변경할 수 있습니다.",
+    "siteAddress": "사이트 주소(고급)",
+    "siteAddressDescription": "사이트의 내부 주소. 조직의 서브넷 내에 있어야 합니다.",
+    "siteNameDescription": "나중에 변경할 수 있는 사이트의 표시 이름입니다.",
    "autoLoginExternalIdp": "외부 IDP로 자동 로그인",
    "autoLoginExternalIdpDescription": "인증을 위해 외부 IDP로 사용자를 즉시 리디렉션합니다.",
    "selectIdp": "IDP 선택",
@@ -1552,7 +1670,7 @@
    "autoLoginErrorNoRedirectUrl": "ID 공급자로부터 리디렉션 URL을 받지 못했습니다.",
    "autoLoginErrorGeneratingUrl": "인증 URL 생성 실패.",
    "remoteExitNodeManageRemoteExitNodes": "원격 노드",
-    "remoteExitNodeDescription": "네트워크 연결성을 확장하고 클라우드 의존도를 줄이기 위해 하나 이상의 원격 노드를 자체 호스트하십시오.",
+    "remoteExitNodeDescription": "하나 이상의 원격 노드를 자체 호스팅하여 네트워크 연결을 확장하고 클라우드에 대한 의존도를 줄입니다.",
    "remoteExitNodes": "노드",
    "searchRemoteExitNodes": "노드 검색...",
    "remoteExitNodeAdd": "노드 추가",
@@ -1671,7 +1789,7 @@
    "idpAzureConfiguration": "Azure Entra ID 구성",
    "idpAzureConfigurationDescription": "Azure Entra ID OAuth2 자격 증명을 구성합니다.",
    "idpTenantId": "테넌트 ID",
-    "idpTenantIdPlaceholder": "your-tenant-id",
+    "idpTenantIdPlaceholder": "테넌트 ID",
    "idpAzureTenantIdDescription": "Azure 액티브 디렉터리 개요에서 찾은 Azure 테넌트 ID",
    "idpAzureClientIdDescription": "Azure 앱 등록 클라이언트 ID",
    "idpAzureClientSecretDescription": "Azure 앱 등록 클라이언트 비밀",
@@ -1726,7 +1844,49 @@
    "resourceExposePortsEditFile": "파일 편집: docker-compose.yml",
    "emailVerificationRequired": "이메일 인증이 필요합니다. 이 단계를 완료하려면 {dashboardUrl}/auth/login 통해 다시 로그인하십시오. 그런 다음 여기로 돌아오세요.",
    "twoFactorSetupRequired": "이중 인증 설정이 필요합니다. 이 단계를 완료하려면 {dashboardUrl}/auth/login 통해 다시 로그인하십시오. 그런 다음 여기로 돌아오세요.",
+    "additionalSecurityRequired": "추가 보안 필요",
+    "organizationRequiresAdditionalSteps": "이 조직은 자원에 접근하기 전에 추가 보안 단계를 요구합니다.",
+    "completeTheseSteps": "이 단계를 완료하십시오",
+    "enableTwoFactorAuthentication": "이중 인증 활성화",
+    "completeSecuritySteps": "보안 단계 완료",
+    "securitySettings": "보안 설정",
+    "securitySettingsDescription": "조직의 보안 정책을 구성하세요",
+    "requireTwoFactorForAllUsers": "모든 사용자에 대해 이중 인증 요구",
+    "requireTwoFactorDescription": "활성화되면, 이 조직의 모든 내부 사용자는 조직에 접근하기 위해 이중 인증을 활성화해야 합니다.",
+    "requireTwoFactorDisabledDescription": "이 기능을 사용하려면 유효한 라이선스(Enterprise) 또는 활성 구독(SaaS)가 필요합니다.",
+    "requireTwoFactorCannotEnableDescription": "모든 사용자에게 강제하기 전에 계정에 대해 이중 인증을 활성화해야 합니다",
+    "maxSessionLength": "최대 세션 길이",
+    "maxSessionLengthDescription": "사용자 세션의 최대 지속 시간을 설정합니다. 이 시간이 지나면 사용자는 다시 인증해야 합니다.",
+    "maxSessionLengthDisabledDescription": "이 기능을 사용하려면 유효한 라이선스(Enterprise) 또는 활성 구독(SaaS)가 필요합니다.",
+    "selectSessionLength": "세션 길이 선택",
+    "unenforced": "강제되지 않음",
+    "1Hour": "1 시간",
+    "3Hours": "3 시간",
+    "6Hours": "6 시간",
+    "12Hours": "12 시간",
+    "1DaySession": "1 일",
+    "3Days": "3 일",
+    "7Days": "7 일",
+    "14Days": "14 일",
+    "30DaysSession": "30 일",
+    "90DaysSession": "90 일",
+    "180DaysSession": "180 일",
+    "passwordExpiryDays": "비밀번호 만료",
+    "editPasswordExpiryDescription": "사용자가 비밀번호를 변경해야 하는 날 수를 설정합니다.",
+    "selectPasswordExpiry": "비밀번호 만료 선택",
+    "30Days": "30 일",
+    "1Day": "1 일",
+    "60Days": "60 일",
+    "90Days": "90 일",
+    "180Days": "180 일",
+    "1Year": "1 년",
+    "subscriptionBadge": "구독 필요",
+    "securityPolicyChangeWarning": "보안 정책 변경 경고",
+    "securityPolicyChangeDescription": "보안 정책 설정을 변경하려고 합니다. 저장 후, 정책 업데이트를 준수하기 위해 다시 인증해야 할 수도 있습니다. 규정을 준수하지 않는 모든 사용자도 다시 인증해야 합니다.",
+    "securityPolicyChangeConfirmMessage": "확인합니다",
+    "securityPolicyChangeWarningText": "이 작업은 조직의 모든 사용자에게 영향을 미칩니다",
    "authPageErrorUpdateMessage": "인증 페이지 설정을 업데이트하는 동안 오류가 발생했습니다",
+    "authPageErrorUpdate": "인증 페이지를 업데이트할 수 없습니다",
    "authPageUpdated": "인증 페이지가 성공적으로 업데이트되었습니다",
    "healthCheckNotAvailable": "로컬",
    "rewritePath": "경로 재작성",
@@ -1753,8 +1913,12 @@
    "enterpriseEdition": "엔터프라이즈 에디션",
    "unlicensed": "라이선스 없음",
    "beta": "베타",
-    "manageClients": "클라이언트 관리",
-    "manageClientsDescription": "클라이언트는 당신의 사이트에 연결할 수 있는 디바이스입니다.",
+    "manageUserDevices": "사용자 초대를 제어",
+    "manageUserDevicesDescription": "리소스에 개인적으로 연결하기 위해 사용자가 사용하는 장치를 보고 관리하세요",
+    "manageMachineClients": "기계 클라이언트 관리",
+    "manageMachineClientsDescription": "서버와 시스템이 리소스에 개인적으로 연결하는 데 사용하는 클라이언트를 생성하고 관리하십시오",
+    "clientsTableUserClients": "사용자",
+    "clientsTableMachineClients": "기계",
    "licenseTableValidUntil": "유효 기한",
    "saasLicenseKeysSettingsTitle": "엔터프라이즈 라이선스",
    "saasLicenseKeysSettingsDescription": "자체 호스팅된 Pangolin 인스턴스를 위한 엔터프라이즈 라이선스 키를 생성하고 관리합니다.",
@@ -1889,7 +2053,222 @@
    "pathRewriteStripLabel": "제거",
    "sidebarEnableEnterpriseLicense": "엔터프라이즈 라이선스 활성화",
    "cannotbeUndone": "이 작업은 되돌릴 수 없습니다.",
-    "toConfirm": "확인하려면",
+    "toConfirm": "확인을 위해.",
    "deleteClientQuestion": "고객을 사이트와 조직에서 제거하시겠습니까?",
-    "clientMessageRemove": "제거되면 클라이언트는 사이트에 더 이상 연결할 수 없습니다."
+    "clientMessageRemove": "제거되면 클라이언트는 사이트에 더 이상 연결할 수 없습니다.",
+    "sidebarLogs": "로그",
+    "request": "요청",
+    "requests": "요청",
+    "logs": "로그",
+    "logsSettingsDescription": "이 조직에서 수집된 로그를 모니터링합니다",
+    "searchLogs": "로그 검색...",
+    "action": "작업",
+    "actor": "행위자",
+    "timestamp": "타임스탬프",
+    "accessLogs": "접근 로그",
+    "exportCsv": "CSV 내보내기",
+    "actorId": "행위자 ID",
+    "allowedByRule": "룰에 의해 허용됨",
+    "allowedNoAuth": "인증 없음 허용됨",
+    "validAccessToken": "유효한 접근 토큰",
+    "validHeaderAuth": "유효한 헤더 인증",
+    "validPincode": "유효한 핀코드",
+    "validPassword": "유효한 비밀번호",
+    "validEmail": "유효한 이메일",
+    "validSSO": "유효한 SSO",
+    "resourceBlocked": "리소스 차단됨",
+    "droppedByRule": "룰에 의해 드롭됨",
+    "noSessions": "세션 없음",
+    "temporaryRequestToken": "임시 요청 토큰",
+    "noMoreAuthMethods": "유효한 인증 없음",
+    "ip": "IP",
+    "reason": "이유",
+    "requestLogs": "요청 로그",
+    "requestAnalytics": "요청 분석",
+    "host": "호스트",
+    "location": "위치",
+    "actionLogs": "작업 로그",
+    "sidebarLogsRequest": "요청 로그",
+    "sidebarLogsAccess": "접근 로그",
+    "sidebarLogsAction": "작업 로그",
+    "logRetention": "로그 보관",
+    "logRetentionDescription": "다양한 유형의 로그를 이 조직에 대해 얼마나 오래 보관할지 관리하거나 비활성화합니다",
+    "requestLogsDescription": "이 조직의 자원에 대한 상세한 요청 로그를 봅니다",
+    "requestAnalyticsDescription": "이 조직의 리소스에 대한 자세한 요청 분석 보기",
+    "logRetentionRequestLabel": "요청 로그 보관",
+    "logRetentionRequestDescription": "요청 로그를 얼마나 오래 보관할지",
+    "logRetentionAccessLabel": "접근 로그 보관",
+    "logRetentionAccessDescription": "접근 로그를 얼마나 오래 보관할지",
+    "logRetentionActionLabel": "작업 로그 보관",
+    "logRetentionActionDescription": "작업 로그를 얼마나 오래 보관할지",
+    "logRetentionDisabled": "비활성화됨",
+    "logRetention3Days": "3 일",
+    "logRetention7Days": "7 일",
+    "logRetention14Days": "14 일",
+    "logRetention30Days": "30 일",
+    "logRetention90Days": "90 일",
+    "logRetentionForever": "영구",
+    "logRetentionEndOfFollowingYear": "다음 연도 말",
+    "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
+    "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
+    "licenseRequiredToUse": "이 기능을 사용하려면 Enterprise 라이선스가 필요합니다.",
+    "certResolver": "인증서 해결사",
+    "certResolverDescription": "이 리소스에 사용할 인증서 해결사를 선택하세요.",
+    "selectCertResolver": "인증서 해결사 선택",
+    "enterCustomResolver": "사용자 정의 해결사 입력",
+    "preferWildcardCert": "와일드카드 인증서 선호",
+    "unverified": "검증되지 않음",
+    "domainSetting": "도메인 설정",
+    "domainSettingDescription": "도메인 설정 구성",
+    "preferWildcardCertDescription": "와일드카드 인증서를 생성하려고 시도합니다 (올바르게 구성된 인증서 해결사가 필요합니다).",
+    "recordName": "레코드 이름",
+    "auto": "자동",
+    "TTL": "TTL",
+    "howToAddRecords": "레코드 추가 방법",
+    "dnsRecord": "DNS 레코드",
+    "required": "필수",
+    "domainSettingsUpdated": "도메인 설정이 성공적으로 업데이트되었습니다",
+    "orgOrDomainIdMissing": "조직 ID 또는 도메인 ID가 누락되었습니다",
+    "loadingDNSRecords": "DNS 레코드를 로드하는 중...",
+    "olmUpdateAvailableInfo": "올름의 새 버전이 이용 가능합니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
+    "client": "클라이언트",
+    "proxyProtocol": "프록시 프로토콜 설정",
+    "proxyProtocolDescription": "TCP 서비스에 대한 클라이언트 IP 주소를 유지하도록 프록시 프로토콜을 구성하세요.",
+    "enableProxyProtocol": "프록시 프로토콜 활성화",
+    "proxyProtocolInfo": "TCP 백엔드에 대한 클라이언트 IP 주소를 유지합니다.",
+    "proxyProtocolVersion": "프록시 프로토콜 버전",
+    "version1": " 버전 1 (추천)",
+    "version2": "버전 2",
+    "versionDescription": "버전 1은 텍스트 기반으로 널리 지원됩니다. 버전 2는 이진 기반으로 더 효율적이지만 호환성이 낮습니다.",
+    "warning": "경고",
+    "proxyProtocolWarning": "백엔드 애플리케이션이 프록시 프로토콜 연결을 허용하도록 구성되어야 합니다. 백엔드가 프록시 프로토콜을 지원하지 않으면, 이를 활성화하면 모든 연결이 끊어집니다. 트래픽에서 온 프록시 프로토콜 헤더를 백엔드가 신뢰하도록 구성하십시오.",
+    "restarting": "재시작 중...",
+    "manual": "수동",
+    "messageSupport": "지원 메시지",
+    "supportNotAvailableTitle": "지원 불가",
+    "supportNotAvailableDescription": "현재 지원을 받을 수 없습니다. support@pangolin.net으로 이메일을 보낼 수 있습니다.",
+    "supportRequestSentTitle": "지원 요청 전송 완료",
+    "supportRequestSentDescription": "메시지가 성공적으로 전송되었습니다.",
+    "supportRequestFailedTitle": "요청 전송 실패",
+    "supportRequestFailedDescription": "지원 요청을 보내는 중 오류가 발생했습니다.",
+    "supportSubjectRequired": "제목은 필수입니다",
+    "supportSubjectMaxLength": "제목은 255자 이내여야 합니다",
+    "supportMessageRequired": "메시지는 필수입니다",
+    "supportReplyTo": "회신",
+    "supportSubject": "제목",
+    "supportSubjectPlaceholder": "제목 입력",
+    "supportMessage": "메시지",
+    "supportMessagePlaceholder": "메시지를 입력하십시오",
+    "supportSending": "발송 중...",
+    "supportSend": "보내기",
+    "supportMessageSent": "메시지 전송 완료!",
+    "supportWillContact": "곧 연락드리겠습니다!",
+    "selectLogRetention": "로그 보존 선택",
+    "terms": "약관",
+    "privacy": "개인정보 보호",
+    "security": "보안",
+    "docs": "문서",
+    "deviceActivation": "장치 활성화",
+    "deviceCodeInvalidFormat": "코드는 9자리여야 합니다 (예: A1AJ-N5JD)",
+    "deviceCodeInvalidOrExpired": "무효하거나 만료된 코드",
+    "deviceCodeVerifyFailed": "이메일 확인에 실패했습니다:",
+    "signedInAs": "로그인한 사용자",
+    "deviceCodeEnterPrompt": "기기에 표시된 코드를 입력하세요",
+    "continue": "계속 진행하기",
+    "deviceUnknownLocation": "알 수 없는 위치",
+    "deviceAuthorizationRequested": "이 인증 요청은 {location}에서 {date}에 요청되었습니다. 이 장치에 액세스 권한을 부여할 신뢰할 수 있는 경우 확인하세요.",
+    "deviceLabel": "장치: {deviceName}",
+    "deviceWantsAccess": "계정에 액세스하려고 합니다",
+    "deviceExistingAccess": "기존 액세스:",
+    "deviceFullAccess": "계정에 대한 전체 액세스",
+    "deviceOrganizationsAccess": "계정이 접근할 수 있는 모든 조직에 대한 접근",
+    "deviceAuthorize": "{applicationName} 권한 부여",
+    "deviceConnected": "장치가 연결되었습니다!",
+    "deviceAuthorizedMessage": "장치가 계정에 액세스할 수 있도록 승인되었습니다.",
+    "pangolinCloud": "판골린 클라우드",
+    "viewDevices": "장치 보기",
+    "viewDevicesDescription": "연결된 장치를 관리하십시오",
+    "noDevices": "장치를 찾을 수 없습니다",
+    "dateCreated": "생성 날짜",
+    "unnamedDevice": "이름 없는 장치",
+    "deviceQuestionRemove": "이 장치를 삭제하시겠습니까?",
+    "deviceMessageRemove": "이 작업은 취소할 수 없습니다.",
+    "deviceDeleteConfirm": "장치 삭제",
+    "deleteDevice": "장치 삭제",
+    "errorLoadingDevices": "장치 로딩 오류",
+    "failedToLoadDevices": "장치를 로드하지 못했습니다",
+    "deviceDeleted": "장치 삭제 완료",
+    "deviceDeletedDescription": "장치가 성공적으로 삭제되었습니다.",
+    "errorDeletingDevice": "장치 삭제 오류",
+    "failedToDeleteDevice": "장치를 삭제하지 못했습니다",
+    "showColumns": "열 표시",
+    "hideColumns": "열 숨기기",
+    "columnVisibility": "열 가시성",
+    "toggleColumn": "{columnName} 열 토글",
+    "allColumns": "모든 열",
+    "defaultColumns": "기본 열",
+    "customizeView": "보기 사용자 지정",
+    "viewOptions": "보기 옵션",
+    "selectAll": "모두 선택",
+    "selectNone": "선택하지 않음",
+    "selectedResources": "선택된 리소스",
+    "enableSelected": "선택된 항목 활성화",
+    "disableSelected": "선택된 항목 비활성화",
+    "checkSelectedStatus": "선택된 항목 상태 확인",
+    "clients": "클라이언트",
+    "accessClientSelect": "기계 클라이언트 선택",
+    "resourceClientDescription": "관리자는 항상 이 리소스에 접근할 수 있습니다",
+    "regenerate": "재생성",
+    "credentials": "자격 증명",
+    "savecredentials": "자격 증명 저장",
+    "regenerateCredentialsButton": "자격 증명 다시 생성",
+    "regenerateCredentials": "자격 증명 다시 생성",
+    "generatedcredentials": "생성된 자격 증명",
+    "copyandsavethesecredentials": "이 자격 증명을 복사하여 저장합니다",
+    "copyandsavethesecredentialsdescription": "이 페이지를 떠난 후에는 자격 증명이 다시 표시되지 않습니다. 지금 안전하게 저장하십시오.",
+    "credentialsSaved": "자격 증명 저장됨",
+    "credentialsSavedDescription": "자격 증명이 성공적으로 재생성 및 저장되었습니다.",
+    "credentialsSaveError": "자격 증명 저장 오류",
+    "credentialsSaveErrorDescription": "자격 증명을 재생성하고 저장하는 동안 오류가 발생했습니다.",
+    "regenerateCredentialsWarning": "자격 증명을 다시 생성하면 이전 것들이 무효화되면서 연결이 끊어집니다. 이러한 자격 증명을 사용하는 모든 구성을 업데이트하세요.",
+    "confirm": "확인",
+    "regenerateCredentialsConfirmation": "자격 증명을 재생성하시겠습니까?",
+    "endpoint": "엔드포인트",
+    "Id": "아이디",
+    "SecretKey": "비밀 키",
+    "niceId": "예쁜 ID",
+    "niceIdUpdated": "예쁜 ID 업데이트됨",
+    "niceIdUpdatedSuccessfully": "예쁜 ID가 성공적으로 업데이트되었습니다",
+    "niceIdUpdateError": "예쁜 ID 업데이트 오류",
+    "niceIdUpdateErrorDescription": "예쁜 ID를 업데이트하는 동안 오류가 발생했습니다.",
+    "niceIdCannotBeEmpty": "예쁜 ID는 비워둘 수 없습니다",
+    "enterIdentifier": "식별자 입력",
+    "identifier": "식별자",
+    "deviceLoginUseDifferentAccount": "본인이 아닙니까? 다른 계정을 사용하세요.",
+    "deviceLoginDeviceRequestingAccessToAccount": "장치가 이 계정에 접근하려고 합니다.",
+    "noData": "데이터 없음",
+    "machineClients": "기계 클라이언트",
+    "install": "설치",
+    "run": "실행",
+    "clientNameDescription": "나중에 변경할 수 있는 클라이언트의 표시 이름입니다.",
+    "clientAddress": "클라이언트 주소(고급)",
+    "setupFailedToFetchSubnet": "기본값 로드 실패",
+    "setupSubnetAdvanced": "서브넷(고급)",
+    "setupSubnetDescription": "이 조직의 네트워크 구성에 대한 서브넷입니다.",
+    "siteRegenerateAndDisconnect": "재생성 및 연결 해제",
+    "siteRegenerateAndDisconnectConfirmation": "자격 증명을 재생성하고 이 사이트와의 연결을 해제하시겠습니까?",
+    "siteRegenerateAndDisconnectWarning": "이 과정은 자격 증명을 다시 생성하고 사이트와의 연결을 즉시 해제합니다. 사이트는 새 자격 증명으로 다시 시작되어야 합니다.",
+    "siteRegenerateCredentialsConfirmation": "이 사이트에 대한 자격 증명을 다시 생성하시겠습니까?",
+    "siteRegenerateCredentialsWarning": "이 과정은 자격 증명을 다시 생성합니다. 수동으로 다시 시작하고 새 자격 증명을 사용하기 전까지 사이트는 연결된 상태로 유지됩니다.",
+    "clientRegenerateAndDisconnect": "재생성 및 연결 해제",
+    "clientRegenerateAndDisconnectConfirmation": "자격 증명을 재생성하고 이 클라이언트와의 연결을 해제하시겠습니까?",
+    "clientRegenerateAndDisconnectWarning": "이 과정은 자격 증명을 다시 생성하고 클라이언트와의 연결을 즉시 해제합니다. 클라이언트는 새 자격 증명으로 다시 시작되어야 합니다.",
+    "clientRegenerateCredentialsConfirmation": "이 클라이언트에 대한 자격 증명을 다시 생성하시겠습니까?",
+    "clientRegenerateCredentialsWarning": "이 과정은 자격 증명을 다시 생성합니다. 수동으로 다시 시작하고 새 자격 증명을 사용하기 전까지 클라이언트는 연결된 상태로 유지됩니다.",
+    "remoteExitNodeRegenerateAndDisconnect": "재생성 및 연결 해제",
+    "remoteExitNodeRegenerateAndDisconnectConfirmation": "자격 증명을 재생성하고 이 원격 종료 노드와의 연결을 해제하시겠습니까?",
+    "remoteExitNodeRegenerateAndDisconnectWarning": "이 과정은 자격 증명을 다시 생성하고 원격 종료 노드와의 연결을 즉시 해제합니다. 원격 종료 노드는 새 자격 증명으로 다시 시작되어야 합니다.",
+    "remoteExitNodeRegenerateCredentialsConfirmation": "이 원격 종료 노드에 대한 자격 증명을 다시 생성하시겠습니까?",
+    "remoteExitNodeRegenerateCredentialsWarning": "이 과정은 자격 증명을 다시 생성합니다. 수동으로 다시 시작하고 새 자격 증명을 사용하기 전까지 원격 종료 노드는 연결된 상태로 유지됩니다.",
+    "agent": "에이전트"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1,12 +1,12 @@
 {
-    "setupCreate": "Organizasyonunuzu, sitenizi ve kaynaklarınızı oluşturun",
+    "setupCreate": "Organizasyonu, siteyi ve kaynakları oluşturun",
    "setupNewOrg": "Yeni Organizasyon",
    "setupCreateOrg": "Organizasyon Oluştur",
    "setupCreateResources": "Kaynaklar Oluştur",
    "setupOrgName": "Organizasyon Adı",
-    "orgDisplayName": "Bu, organizasyonunuzun görünen adıdır.",
+    "orgDisplayName": "Bu organizasyonun görünen adıdır.",
    "orgId": "Organizasyon ID",
-    "setupIdentifierMessage": "Bu, organizasyonunuzun benzersiz kimliğidir. Görünen adtan ayrı olarak.",
+    "setupIdentifierMessage": "Bu organizasyonun benzersiz tanımlayıcısıdır.",
    "setupErrorIdentifier": "Organizasyon ID'si zaten alınmış. Lütfen başka bir tane seçin.",
    "componentsErrorNoMemberCreate": "Şu anda herhangi bir organizasyona üye değilsiniz. Başlamak için bir organizasyon oluşturun.",
    "componentsErrorNoMember": "Şu anda herhangi bir organizasyona üye değilsiniz.",
@@ -50,7 +50,7 @@
    "siteMessageRemove": "Kaldırıldıktan sonra site artık erişilebilir olmayacaktır. Siteyle ilişkilendirilmiş tüm hedefler de kaldırılacaktır.",
    "siteQuestionRemove": "Siteyi organizasyondan kaldırmak istediğinizden emin misiniz?",
    "siteManageSites": "Siteleri Yönet",
-    "siteDescription": "Ağınıza güvenli tüneller üzerinden bağlantı izni verin",
+    "siteDescription": "Özel ağlara erişimi etkinleştirmek için siteler oluşturun ve yönetin",
    "siteCreate": "Site Oluştur",
    "siteCreateDescription2": "Yeni bir site oluşturup bağlanmak için aşağıdaki adımları izleyin",
    "siteCreateDescription": "Kaynaklarınızı bağlamaya başlamak için yeni bir site oluşturun",
@@ -89,7 +89,7 @@
    "siteGeneralDescription": "Bu site için genel ayarları yapılandırın",
    "siteSettingDescription": "Sitenizdeki ayarları yapılandırın",
    "siteSetting": "{siteName} Ayarları",
-    "siteNewtTunnel": "Newt Tüneli (Önerilen)",
+    "siteNewtTunnel": "Newt Site (Önerilen)",
    "siteNewtTunnelDescription": "Ağınıza giriş noktası oluşturmanın en kolay yolu. Ekstra kurulum gerekmez.",
    "siteWg": "Temel WireGuard",
    "siteWgDescription": "Bir tünel oluşturmak için herhangi bir WireGuard istemcisi kullanın. Manuel NAT kurulumu gereklidir.",
@@ -98,8 +98,8 @@
    "siteLocalDescriptionSaas": "Yerel kaynaklar yalnızca. Tünel oluşturma yok. Yalnızca uzak düğümlerde mevcuttur.",
    "siteSeeAll": "Tüm Siteleri Gör",
    "siteTunnelDescription": "Sitenize nasıl bağlanmak istediğinizi belirleyin",
-    "siteNewtCredentials": "Newt Kimlik Bilgileri",
-    "siteNewtCredentialsDescription": "Bu, Newt'in sunucu ile kimlik doğrulaması yapacağı yöntemdir",
+    "siteNewtCredentials": "Kimlik Bilgileri",
+    "siteNewtCredentialsDescription": "Bu, sitenin sunucu ile kimlik doğrulaması yapacağı yöntemdir",
    "siteCredentialsSave": "Kimlik Bilgilerinizi Kaydedin",
    "siteCredentialsSaveDescription": "Yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyaladığınızdan emin olun.",
    "siteInfo": "Site Bilgilendirmesi",
@@ -144,8 +144,10 @@
    "expires": "Süresi Doluyor",
    "never": "Asla",
    "shareErrorSelectResource": "Lütfen bir kaynak seçin",
-    "resourceTitle": "Kaynakları Yönet",
-    "resourceDescription": "Özel uygulamalarınıza güvenli vekil sunucular oluşturun",
+    "proxyResourceTitle": "Herkese Açık Kaynakları Yönet",
+    "proxyResourceDescription": "Bir web tarayıcısı aracılığıyla kamuya açık kaynaklar oluşturun ve yönetin",
+    "clientResourceTitle": "Özel Kaynakları Yönet",
+    "clientResourceDescription": "Sadece bağlı bir istemci aracılığıyla erişilebilen kaynakları oluşturun ve yönetin",
    "resourcesSearch": "Kaynakları ara...",
    "resourceAdd": "Kaynak Ekle",
    "resourceErrorDelte": "Kaynak silinirken hata",
@@ -179,7 +181,7 @@
    "baseDomain": "Temel Alan Adı",
    "subdomnainDescription": "Kaynağınızın erişilebileceği alt alan adı.",
    "resourceRawSettings": "TCP/UDP Ayarları",
-    "resourceRawSettingsDescription": "Kaynağınıza TCP/UDP üzerinden erişimin nasıl sağlanacağını yapılandırın",
+    "resourceRawSettingsDescription": "Kaynaklara TCP/UDP üzerinden nasıl erişileceğini yapılandırın",
    "protocol": "Protokol",
    "protocolSelect": "Bir protokol seçin",
    "resourcePortNumber": "Port Numarası",
@@ -204,8 +206,8 @@
    "rules": "Kurallar",
    "resourceSettingDescription": "Kaynağınızdaki ayarları yapılandırın",
    "resourceSetting": "{resourceName} Ayarları",
-    "alwaysAllow": "Her Zaman İzin Ver",
-    "alwaysDeny": "Her Zaman Reddet",
+    "alwaysAllow": "Kimlik Doğrulamayı Atla",
+    "alwaysDeny": "Erişimi Engelle",
    "passToAuth": "Kimlik Doğrulamasına Geç",
    "orgSettingsDescription": "Organizasyonunuzun genel ayarlarını yapılandırın",
    "orgGeneralSettings": "Organizasyon Ayarları",
@@ -232,7 +234,7 @@
    "orgMissing": "Organizasyon Kimliği Eksik",
    "orgMissingMessage": "Organizasyon kimliği olmadan daveti yeniden oluşturmanız mümkün değildir.",
    "accessUsersManage": "Kullanıcıları Yönet",
-    "accessUsersDescription": "Kullanıcıları davet edin ve erişimi yönetmek için rollere ekleyin",
+    "accessUsersDescription": "Bu organizasyona erişimi olan kullanıcıları davet edin ve yönetin",
    "accessUsersSearch": "Kullanıcıları ara...",
    "accessUserCreate": "Kullanıcı Oluştur",
    "accessUserRemove": "Kullanıcıyı Kaldır",
@@ -241,13 +243,13 @@
    "role": "Rol",
    "nameRequired": "Ad gereklidir",
    "accessRolesManage": "Rolleri Yönet",
-    "accessRolesDescription": "Organizasyonunuza erişimi yönetmek için rolleri yapılandırın",
+    "accessRolesDescription": "Organizasyondaki kullanıcılar için rolleri oluşturun ve yönetin",
    "accessRolesSearch": "Rolleri ara...",
    "accessRolesAdd": "Rol Ekle",
    "accessRoleDelete": "Rolü Sil",
    "description": "Açıklama",
    "inviteTitle": "Açık Davetiyeler",
-    "inviteDescription": "Davetiyelerinizi diğer kullanıcılarla yönetin",
+    "inviteDescription": "Organizasyona katılmak için diğer kullanıcılar için davetleri yönetin",
    "inviteSearch": "Davetiyeleri ara...",
    "minutes": "Dakika",
    "hours": "Saat",
@@ -424,7 +426,7 @@
    "userCreated": "Kullanıcı oluşturuldu",
    "userCreatedDescription": "Kullanıcı başarıyla oluşturulmuştur.",
    "userTypeInternal": "Dahili Kullanıcı",
-    "userTypeInternalDescription": "Kullanıcınızı doğrudan organizasyonunuza davet edin.",
+    "userTypeInternalDescription": "Kullanıcıyı doğrudan organizasyona davet edin.",
    "userTypeExternal": "Harici Kullanıcı",
    "userTypeExternalDescription": "Harici bir kimlik sağlayıcısıyla kullanıcı oluşturun.",
    "accessUserCreateDescription": "Yeni bir kullanıcı oluşturmak için aşağıdaki adımları izleyin",
@@ -436,6 +438,16 @@
    "inviteEmailSent": "Kullanıcıya davet e-postası gönder",
    "inviteValid": "Geçerli Süresi",
    "selectDuration": "Süreyi seçin",
+    "selectResource": "Kaynak Seçin",
+    "filterByResource": "Kaynağa Göre Filtrele",
+    "resetFilters": "Filtreleri Sıfırla",
+    "totalBlocked": "Pangolin Tarafından Engellenen İstekler",
+    "totalRequests": "Toplam İstekler",
+    "requestsByCountry": "Ülkeye Göre İstekler",
+    "requestsByDay": "Güne Göre İstekler",
+    "blocked": "Engellendi",
+    "allowed": "İzin Verildi",
+    "topCountries": "En İyi Ülkeler",
    "accessRoleSelect": "Rol seçin",
    "inviteEmailSentDescription": "Kullanıcıya erişim bağlantısı ile bir e-posta gönderildi. Daveti kabul etmek için bağlantıya erişmelidirler.",
    "inviteSentDescription": "Kullanıcı davet edilmiştir. Daveti kabul etmek için aşağıdaki bağlantıya erişmelidirler.",
@@ -458,13 +470,13 @@
    "accessControlsSubmit": "Erişim Kontrollerini Kaydet",
    "roles": "Roller",
    "accessUsersRoles": "Kullanıcılar ve Roller Yönetin",
-    "accessUsersRolesDescription": "Kullanıcılara davet gönderin ve organizasyonunuza erişim yönetmek için rollere ekleyin",
+    "accessUsersRolesDescription": "Kullanıcılara davet gönderin ve organizasyona erişimi yönetmek için rollere ekleyin",
    "key": "Anahtar",
    "createdAt": "Oluşturulma Tarihi",
    "proxyErrorInvalidHeader": "Geçersiz özel Ana Bilgisayar Başlığı değeri. Alan adı formatını kullanın veya özel Ana Bilgisayar Başlığını ayarlamak için boş bırakın.",
    "proxyErrorTls": "Geçersiz TLS Sunucu Adı. Alan adı formatını kullanın veya TLS Sunucu Adını kaldırmak için boş bırakılsın.",
    "proxyEnableSSL": "SSL Etkinleştir",
-    "proxyEnableSSLDescription": "Hedeflerinize güvenli HTTPS bağlantıları için SSL/TLS şifrelemesi etkinleştirin.",
+    "proxyEnableSSLDescription": "Hedeflere güvenli HTTPS bağlantıları için SSL/TLS şifrelemesini etkinleştirin.",
    "target": "Hedef",
    "configureTarget": "Hedefleri Yapılandır",
    "targetErrorFetch": "Hedefleri alamadı",
@@ -480,29 +492,29 @@
    "targetsErrorUpdate": "Hedefler güncellenemedi",
    "targetsErrorUpdateDescription": "Hedefler güncellenirken bir hata oluştu",
    "targetTlsUpdate": "TLS ayarları güncellendi",
-    "targetTlsUpdateDescription": "TLS ayarlarınız başarıyla güncellendi",
+    "targetTlsUpdateDescription": "TLS ayarları başarıyla güncellendi",
    "targetErrorTlsUpdate": "TLS ayarları güncellenemedi",
    "targetErrorTlsUpdateDescription": "TLS ayarlarını güncellerken bir hata oluştu",
    "proxyUpdated": "Proxy ayarları güncellendi",
-    "proxyUpdatedDescription": "Proxy ayarlarınız başarıyla güncellenmiştir",
+    "proxyUpdatedDescription": "Proxy ayarları başarıyla güncellendi",
    "proxyErrorUpdate": "Proxy ayarları güncellenemedi",
    "proxyErrorUpdateDescription": "Proxy ayarlarını güncellerken bir hata oluştu",
-    "targetAddr": "IP / Hostname",
+    "targetAddr": "Host",
    "targetPort": "Bağlantı Noktası",
    "targetProtocol": "Protokol",
    "targetTlsSettings": "HTTPS & TLS Settings",
-    "targetTlsSettingsDescription": "Configure TLS settings for your resource",
+    "targetTlsSettingsDescription": "SSL/TLS ayarlarını kaynak için yapılandırın",
    "targetTlsSettingsAdvanced": "Gelişmiş TLS Ayarları",
    "targetTlsSni": "TLS Sunucu Adı",
    "targetTlsSniDescription": "SNI için kullanılacak TLS Sunucu Adı'",
    "targetTlsSubmit": "Ayarları Kaydet",
    "targets": "Hedefler Konfigürasyonu",
-    "targetsDescription": "Trafiği arka uç hizmetlerinize yönlendirmek için hedefleri ayarlayın",
+    "targetsDescription": "Trafiği arka uç hizmetlerine yönlendirmek için hedefleri ayarlayın",
    "targetStickySessions": "Yapışkan Oturumları Etkinleştir",
    "targetStickySessionsDescription": "Bağlantıları oturum süresince aynı arka uç hedef üzerinde tutun.",
    "methodSelect": "Yöntemi Seç",
    "targetSubmit": "Hedef Ekle",
-    "targetNoOne": "Bu kaynağın hedefi yok. Arka planınıza istek göndereceğiniz bir hedef yapılandırmak için hedef ekleyin.",
+    "targetNoOne": "Bu kaynağın hedefleri yok. Arka uca gönderilecek istekleri yapılandırmak için bir hedef ekleyin.",
    "targetNoOneDescription": "Yukarıdaki birden fazla hedef ekleyerek yük dengeleme etkinleştirilecektir.",
    "targetsSubmit": "Hedefleri Kaydet",
    "addTarget": "Hedef Ekle",
@@ -516,9 +528,11 @@
    "targetCreatedDescription": "Hedef başarıyla oluşturuldu",
    "targetErrorCreate": "Hedef oluşturma başarısız oldu",
    "targetErrorCreateDescription": "Hedef oluşturulurken bir hata oluştu",
+    "tlsServerName": "TLS Sunucu Adı",
+    "tlsServerNameDescription": "SNI için kullanılacak TLS sunucu adı",
    "save": "Kaydet",
    "proxyAdditional": "Ek Proxy Ayarları",
-    "proxyAdditionalDescription": "Kaynağınızın proxy ayarlarını nasıl yöneteceğini yapılandırın",
+    "proxyAdditionalDescription": "Kaynağın proxy ayarlarını nasıl yöneteceği yapılandırın",
    "proxyCustomHeader": "Özel Ana Bilgisayar Başlığı",
    "proxyCustomHeaderDescription": "İstekleri proxy'lerken ayarlanacak ana bilgisayar başlığı. Varsayılanı kullanmak için boş bırakılır.",
    "proxyAdditionalSubmit": "Proxy Ayarlarını Kaydet",
@@ -558,7 +572,7 @@
    "rulesMatchType": "Eşleşme Türü",
    "value": "Değer",
    "rulesAbout": "Kurallar Hakkında",
-    "rulesAboutDescription": "Kurallar, kaynağınıza erişimi belirli bir kriterlere göre kontrol etmenizi sağlar. IP adresi veya URL yolu temelinde erişimi izin vermek veya engellemek için kurallar oluşturabilirsiniz.",
+    "rulesAboutDescription": "Kurallar, kaynağa erişimi belirli kriterlere göre kontrol etmenizi sağlar. IP adresi veya URL yolu temelinde erişimi izin vermek veya engellemek için kurallar oluşturabilirsiniz.",
    "rulesActions": "Aksiyonlar",
    "rulesActionAlwaysAllow": "Her Zaman İzin Ver: Tüm kimlik doğrulama yöntemlerini atlayın",
    "rulesActionAlwaysDeny": "Her Zaman Reddedin: Tüm istekleri engelleyin; kimlik doğrulaması yapılamaz",
@@ -570,7 +584,7 @@
    "rulesEnable": "Kuralları Etkinleştir",
    "rulesEnableDescription": "Bu kaynak için kural değerlendirmesini etkinleştirin veya devre dışı bırakın",
    "rulesResource": "Kaynak Kuralları Yapılandırması",
-    "rulesResourceDescription": "Kaynağınıza erişimi kontrol etmek için kuralları yapılandırın",
+    "rulesResourceDescription": "Kaynağa erişimi kontrol etmek için kuralları yapılandırın",
    "ruleSubmit": "Kural Ekle",
    "rulesNoOne": "Kural yok. Formu kullanarak bir kural ekleyin.",
    "rulesOrder": "Kurallar, artan öncelik sırasına göre değerlendirilir.",
@@ -586,7 +600,7 @@
    "none": "Hiçbiri",
    "unknown": "Bilinmiyor",
    "resources": "Kaynaklar",
-    "resourcesDescription": "Kaynaklar, özel ağınızda çalışan uygulamalara proxy görevi görür. Özel ağınızdaki herhangi bir HTTP/HTTPS veya ham TCP/UDP hizmeti için bir kaynak oluşturun. Her kaynak, şifreli bir WireGuard tüneli aracılığıyla özel ve güvenli bağlantıyı etkinleştirmek için bir siteye bağlı olmalıdır.",
+    "resourcesDescription": "Kaynaklar, özel ağda çalışan uygulamalara proxy olarak hizmet eder. Özel ağınızdaki herhangi bir HTTP/HTTPS veya ham TCP/UDP hizmeti için bir kaynak oluşturun. Her kaynak, şifreli bir WireGuard tüneli aracılığıyla özel, güvenli bağlanabilirliği etkinleştirmek için bir siteye bağlı olmalıdır.",
    "resourcesWireGuardConnect": "WireGuard şifreleme ile güvenli bağlantı",
    "resourcesMultipleAuthenticationMethods": "Birden fazla kimlik doğrulama yöntemi yapılandırın",
    "resourcesUsersRolesAccess": "Kullanıcı ve rol tabanlı erişim kontrolü",
@@ -607,19 +621,19 @@
    "unknownCommand": "Bilinmeyen komut",
    "newtErrorFetchReleases": "Sürüm bilgileri alınamadı: {err}",
    "newtErrorFetchLatest": "Son sürüm alınırken hata: {err}",
-    "newtEndpoint": "Newt Uç Noktası",
-    "newtId": "Newt Kimliği",
-    "newtSecretKey": "Newt Gizli Anahtarı",
+    "newtEndpoint": "Uç Nokta",
+    "newtId": "Kimlik",
+    "newtSecretKey": "Gizli",
    "architecture": "Mimari",
    "sites": "Siteler",
-    "siteWgAnyClients": "Herhangi bir WireGuard istemcisi kullanarak bağlanın. Dahili kaynaklarınıza eş IP adresini kullanarak erişmeniz gerekecek.",
+    "siteWgAnyClients": "Herhangi bir WireGuard istemcisi kullanarak bağlanın. Dahili kaynaklara eş IP adresini kullanarak erişmeniz gerekecek.",
    "siteWgCompatibleAllClients": "Tüm WireGuard istemcileriyle uyumlu",
    "siteWgManualConfigurationRequired": "Manuel yapılandırma gerekli",
    "userErrorNotAdminOrOwner": "Kullanıcı yönetici veya sahibi değil",
    "pangolinSettings": "Ayarlar - Pangolin",
    "accessRoleYour": "Rolünüz:",
-    "accessRoleSelect2": "Bir rol seçin",
-    "accessUserSelect": "Bir kullanıcı seçin",
+    "accessRoleSelect2": "Rolleri seçin",
+    "accessUserSelect": "Kullanıcıları seçin",
    "otpEmailEnter": "Bir e-posta girin",
    "otpEmailEnterDescription": "E-posta girdikten sonra girdi alanına yazıp enter'a basın.",
    "otpEmailErrorInvalid": "Geçersiz e-posta adresi. Joker karakter (*) yerel kısmın tamamı olmalıdır.",
@@ -671,7 +685,7 @@
    "resourcePincodeSetupTitle": "Pincode Ayarla",
    "resourcePincodeSetupTitleDescription": "Bu kaynağı korumak için bir pincode ayarlayın",
    "resourceRoleDescription": "Yöneticiler her zaman bu kaynağa erişebilir.",
-    "resourceUsersRoles": "Kullanıcılar ve Roller",
+    "resourceUsersRoles": "Erişim Kontrolleri",
    "resourceUsersRolesDescription": "Bu kaynağı kimlerin ziyaret edebileceği kullanıcıları ve rolleri yapılandırın",
    "resourceUsersRolesSubmit": "Kullanıcıları ve Rolleri Kaydet",
    "resourceWhitelistSave": "Başarıyla kaydedildi",
@@ -702,6 +716,7 @@
    "resourceTransferSubmit": "Kaynağı Aktar",
    "siteDestination": "Hedef Site",
    "searchSites": "Siteleri ara",
+    "countries": "Ülkeler",
    "accessRoleCreate": "Rol Oluştur",
    "accessRoleCreateDescription": "Kullanıcıları gruplamak ve izinlerini yönetmek için yeni bir rol oluşturun.",
    "accessRoleCreateSubmit": "Rol Oluştur",
@@ -909,11 +924,30 @@
    "passwordResetSent": "Bu e-posta adresine bir şifre sıfırlama kodu gönderilecektir.",
    "passwordResetCode": "Sıfırlama Kodu",
    "passwordResetCodeDescription": "E-posta gelen kutunuzda sıfırlama kodunu kontrol edin.",
+    "generatePasswordResetCode": "Parola Sıfırlama Kodunu Oluştur",
+    "passwordResetCodeGenerated": "Parola Sıfırlama Kodu Oluşturuldu",
+    "passwordResetCodeGeneratedDescription": "Bu kodu kullanıcı ile paylaşın. Parolalarını sıfırlamak için bunu kullanabilirler.",
+    "passwordResetUrl": "Parola Sıfırlama URL'si",
    "passwordNew": "Yeni Şifre",
    "passwordNewConfirm": "Yeni Şifreyi Onayla",
+    "changePassword": "Parola Değiştir",
+    "changePasswordDescription": "Hesap şifrenizi güncelleyin",
+    "oldPassword": "Mevcut Şifre",
+    "newPassword": "Yeni Şifre",
+    "confirmNewPassword": "Yeni Şifreyi Onayla",
+    "changePasswordError": "Parola değiştirme başarısız oldu",
+    "changePasswordErrorDescription": "Parolanız değiştiriliyor.",
+    "changePasswordSuccess": "Şifre Başarıyla Değiştirildi",
+    "changePasswordSuccessDescription": "Parolanız başarıyla güncellendi",
+    "passwordExpiryRequired": "Şifre Süresi Gereklidir",
+    "passwordExpiryDescription": "Bu kuruluş, parolanızı {maxDays} günde bir değiştirmenizi gerektirir.",
+    "changePasswordNow": "Şifrenizi Şimdi Değiştirin",
    "pincodeAuth": "Kimlik Doğrulama Kodu",
    "pincodeSubmit2": "Kodu Gönder",
    "passwordResetSubmit": "Sıfırlama İsteği",
+    "passwordResetAlreadyHaveCode": "Parola Sıfırlama Kodunu Giriniz",
+    "passwordResetSmtpRequired": "Yönetici ile iletişime geçin",
+    "passwordResetSmtpRequiredDescription": "Parolanızı sıfırlamak için bir parola sıfırlama kodu gereklidir. Yardım için yönetici ile iletişime geçin.",
    "passwordBack": "Şifreye Geri Dön",
    "loginBack": "Girişe geri dön",
    "signup": "Kaydol",
@@ -1079,12 +1113,15 @@
    "actionListSiteResources": "Site Kaynaklarını Listele",
    "actionUpdateSiteResource": "Site Kaynağını Güncelle",
    "actionListInvitations": "Davetiyeleri Listele",
+    "actionExportLogs": "Kayıtları Dışa Aktar",
+    "actionViewLogs": "Kayıtları Görüntüle",
    "noneSelected": "Hiçbiri seçili değil",
    "orgNotFound2": "Hiçbir organizasyon bulunamadı.",
    "searchProgress": "Ara...",
    "create": "Oluştur",
    "orgs": "Organizasyonlar",
    "loginError": "Giriş yaparken bir hata oluştu",
+    "loginRequiredForDevice": "Cihazınızı kimlik doğrulamak için giriş yapılması gereklidir.",
    "passwordForgot": "Şifrenizi mi unuttunuz?",
    "otpAuth": "İki Faktörlü Kimlik Doğrulama",
    "otpAuthDescription": "Authenticator uygulamanızdan veya tek kullanımlık yedek kodlarınızdan birini girin.",
@@ -1139,18 +1176,47 @@
    "sidebarHome": "Ana Sayfa",
    "sidebarSites": "Siteler",
    "sidebarResources": "Kaynaklar",
+    "sidebarProxyResources": "Herkese Açık",
+    "sidebarClientResources": "Özel",
    "sidebarAccessControl": "Erişim Kontrolü",
+    "sidebarLogsAndAnalytics": "Kayıtlar & Analitik",
    "sidebarUsers": "Kullanıcılar",
+    "sidebarAdmin": "Yönetici",
    "sidebarInvitations": "Davetiye",
    "sidebarRoles": "Roller",
-    "sidebarShareableLinks": "Paylaşılabilir Bağlantılar",
+    "sidebarShareableLinks": "Bağlantılar",
    "sidebarApiKeys": "API Anahtarları",
    "sidebarSettings": "Ayarlar",
    "sidebarAllUsers": "Tüm Kullanıcılar",
    "sidebarIdentityProviders": "Kimlik Sağlayıcılar",
    "sidebarLicense": "Lisans",
    "sidebarClients": "İstemciler",
+    "sidebarUserDevices": "Kullanıcılar",
+    "sidebarMachineClients": "Makineler",
    "sidebarDomains": "Alan Adları",
+    "sidebarGeneral": "Genel",
+    "sidebarLogAndAnalytics": "Kayıt & Analiz",
+    "sidebarBluePrints": "Planlar",
+    "sidebarOrganization": "Organizasyon",
+    "sidebarLogsAnalytics": "Analitik",
+    "blueprints": "Planlar",
+    "blueprintsDescription": "Deklaratif yapılandırmaları uygulayın ve önceki çalışmaları görüntüleyin",
+    "blueprintAdd": "Plan Ekle",
+    "blueprintGoBack": "Tüm Planları Gör",
+    "blueprintCreate": "Plan Oluştur",
+    "blueprintCreateDescription2": "Yeni bir plan oluşturup uygulamak için aşağıdaki adımları izleyin",
+    "blueprintDetails": "Mavi Yazılım Detayları",
+    "blueprintDetailsDescription": "Uygulanan mavi yazılımın sonucunu ve oluşan hataları görün",
+    "blueprintInfo": "Plan Bilgileri",
+    "message": "Mesaj",
+    "blueprintContentsDescription": "Altyapıyı tanımlayan YAML içeriğini belirleyin",
+    "blueprintErrorCreateDescription": "Plan uygulanırken bir hata oluştu",
+    "blueprintErrorCreate": "Plan oluşturulurken hata oluştu",
+    "searchBlueprintProgress": "Planlarda ara...",
+    "appliedAt": "Uygulama Zamanı",
+    "source": "Kaynak",
+    "contents": "İçerik",
+    "parsedContents": "Verilerin Ayrıştırılmış İçeriği (Salt Okunur)",
    "enableDockerSocket": "Docker Soketini Etkinleştir",
    "enableDockerSocketDescription": "Plan etiketleri için Docker Socket etiket toplamasını etkinleştirin. Newt'e soket yolu sağlanmalıdır.",
    "enableDockerSocketLink": "Daha fazla bilgi",
@@ -1199,15 +1265,15 @@
    "loading": "Yükleniyor",
    "restart": "Yeniden Başlat",
    "domains": "Alan Adları",
-    "domainsDescription": "Organizasyonunuz için alan adlarını yönetin",
+    "domainsDescription": "Organizasyonda kullanılabilir alan adlarını oluşturun ve yönetin",
    "domainsSearch": "Alan adlarını ara...",
    "domainAdd": "Alan Adı Ekle",
    "domainAddDescription": "Organizasyonunuz için yeni bir alan adı kaydedin",
    "domainCreate": "Alan Adı Oluştur",
    "domainCreatedDescription": "Alan adı başarıyla oluşturuldu",
    "domainDeletedDescription": "Alan adı başarıyla silindi",
-    "domainQuestionRemove": "Alan adını hesabınızdan kaldırmak istediğinizden emin misiniz?",
-    "domainMessageRemove": "Kaldırıldığında, alan adı hesabınızla ilişkilendirilmeyecek.",
+    "domainQuestionRemove": "Alan adını kaldırmak istediğinizden emin misiniz?",
+    "domainMessageRemove": "Kaldırıldığında, alan adı artık organizasyonunuzla ilişkilendirilmez.",
    "domainConfirmDelete": "Alan Adı Silinmesini Onayla",
    "domainDelete": "Alan Adını Sil",
    "domain": "Alan Adı",
@@ -1248,6 +1314,15 @@
    "settingsErrorUpdateDescription": "Ayarları güncellerken bir hata oluştu",
    "sidebarCollapse": "Daralt",
    "sidebarExpand": "Genişlet",
+    "productUpdateMoreInfo": "{noOfUpdates} daha fazla güncelleme",
+    "productUpdateInfo": "{noOfUpdates} güncellemeler",
+    "productUpdateWhatsNew": "Neler Yeni",
+    "productUpdateTitle": "Ürün Güncellemeleri",
+    "productUpdateEmpty": "Güncelleme yok",
+    "dismissAll": "Hepsini Kapat",
+    "pangolinUpdateAvailable": "Güncelleme Mevcut",
+    "pangolinUpdateAvailableInfo": "Sürüm {version} yüklenmeye hazır",
+    "pangolinUpdateAvailableReleaseNotes": "Yayın Notlarını Görüntüle",
    "newtUpdateAvailable": "Güncelleme Mevcut",
    "newtUpdateAvailableInfo": "Newt'in yeni bir versiyonu mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
    "domainPickerEnterDomain": "Alan Adı",
@@ -1260,7 +1335,7 @@
    "domainPickerSortAsc": "A-Z",
    "domainPickerSortDesc": "Z-A",
    "domainPickerCheckingAvailability": "Kullanılabilirlik kontrol ediliyor...",
-    "domainPickerNoMatchingDomains": "Eşleşen domain bulunamadı. Farklı bir domain deneyin veya organizasyonunuzun domain ayarlarını kontrol edin.",
+    "domainPickerNoMatchingDomains": "Eşleşen alan adı bulunamadı. Farklı bir alan adı deneyin veya organizasyonunuzun alan ayarlarını kontrol edin.",
    "domainPickerOrganizationDomains": "Organizasyon Alan Adları",
    "domainPickerProvidedDomains": "Sağlanan Alan Adları",
    "domainPickerSubdomain": "Alt Alan: {subdomain}",
@@ -1305,9 +1380,9 @@
    "billingPortalError": "Portal Hatası",
    "billingDataUsageInfo": "Buluta bağlandığınızda, güvenli tünellerinizden aktarılan tüm verilerden ücret alınırsınız. Bu, tüm sitelerinizdeki gelen ve giden trafiği içerir. Limitinize ulaştığınızda, planınızı yükseltmeli veya kullanımı azaltmalısınız, aksi takdirde siteleriniz bağlantıyı keser. Düğümler kullanırken verilerden ücret alınmaz.",
    "billingOnlineTimeInfo": "Sitelerinizin buluta ne kadar süre bağlı kaldığına göre ücretlendirilirsiniz. Örneğin, 44,640 dakika, bir sitenin 24/7 boyunca tam bir ay boyunca çalışması anlamına gelir. Limitinize ulaştığınızda, planınızı yükseltmeyip kullanımı azaltmazsanız siteleriniz bağlantıyı keser. Düğümler kullanırken zamandan ücret alınmaz.",
-    "billingUsersInfo": "Kuruluşunuzdaki her kullanıcı için ücretlendirilirsiniz. Faturalandırma, hesabınızdaki aktif kullanıcı hesaplarının sayısına göre günlük olarak hesaplanır.",
-    "billingDomainInfo": "Kuruluşunuzdaki her alan adı için ücretlendirilirsiniz. Faturalandırma, hesabınızdaki aktif alan adları hesaplarının sayısına göre günlük olarak hesaplanır.",
-    "billingRemoteExitNodesInfo": "Kuruluşunuzdaki her yönetilen Düğüm için ücretlendirilirsiniz. Faturalandırma, hesabınızdaki aktif yönetilen Düğümler sayısına göre günlük olarak hesaplanır.",
+    "billingUsersInfo": "Kuruluşunuzdaki her kullanıcı için ücretlendirilirsiniz. Faturalandırma, organizasyonunuza kayıtlı aktif kullanıcı hesaplarının sayısına göre günlük olarak hesaplanır.",
+    "billingDomainInfo": "Kuruluşunuzdaki her alan adı için ücretlendirilirsiniz. Faturalandırma, organizasyonunuza kayıtlı aktif alan adları hesaplarının sayısına göre günlük olarak hesaplanır.",
+    "billingRemoteExitNodesInfo": "Kuruluşunuzdaki her yönetilen Düğüm için ücretlendirilirsiniz. Faturalandırma, organizasyonunuza kayıtlı aktif yönetilen Düğümler sayısına göre günlük olarak hesaplanır.",
    "domainNotFound": "Alan Adı Bulunamadı",
    "domainNotFoundDescription": "Bu kaynak devre dışıdır çünkü alan adı sistemimizde artık mevcut değil. Bu kaynak için yeni bir alan adı belirleyin.",
    "failed": "Başarısız",
@@ -1340,6 +1415,19 @@
    "securityKeyUnknownError": "Güvenlik anahtarınızı kullanırken bir sorun oluştu. Lütfen tekrar deneyin.",
    "twoFactorRequired": "Güvenlik anahtarını kaydetmek için iki faktörlü kimlik doğrulama gereklidir.",
    "twoFactor": "İki Faktörlü Kimlik Doğrulama",
+    "twoFactorAuthentication": "İki Faktörlü Kimlik Doğrulama",
+    "twoFactorDescription": "Bu kuruluş iki faktörlü kimlik doğrulama gerektirir.",
+    "enableTwoFactor": "İki Faktörlü Kimlik Doğrulamayı Etkinleştir",
+    "organizationSecurityPolicy": "Kuruluş Güvenlik Politikası",
+    "organizationSecurityPolicyDescription": "Bu kuruluşun güvenlik gereksinimlerine erişmeden önce karşılanması gereken güvenlik gereksinimleri vardır.",
+    "securityRequirements": "Güvenlik Gereksinimleri",
+    "allRequirementsMet": "Tüm gereksinimler karşılandı",
+    "completeRequirementsToContinue": "Bu kuruluşa erişmeye devam etmek için aşağıdaki gereksinimleri tamamlayın",
+    "youCanNowAccessOrganization": "Artık bu kuruluşa erişebilirsiniz",
+    "reauthenticationRequired": "Oturum Süresi",
+    "reauthenticationDescription": "Bu kuruluş, {maxDays} günde bir oturum açmanızı gerektirir.",
+    "reauthenticationDescriptionHours": "Bu kuruluş, {maxHours} saatte bir oturum açmanızı gerektirir.",
+    "reauthenticateNow": "Tekrar Giriş Yap",
    "adminEnabled2FaOnYourAccount": "Yöneticiniz {email} için iki faktörlü kimlik doğrulamayı etkinleştirdi. Devam etmek için kurulum işlemini tamamlayın.",
    "securityKeyAdd": "Güvenlik Anahtarı Ekle",
    "securityKeyRegisterTitle": "Yeni Güvenlik Anahtarı Kaydet",
@@ -1377,28 +1465,31 @@
        "and": "ve",
        "privacyPolicy": "gizlilik politikası"
    },
+    "signUpMarketing": {
+        "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."
+    },
    "siteRequired": "Site gerekli.",
    "olmTunnel": "Olm Tüneli",
    "olmTunnelDescription": "Müşteri bağlantıları için Olm kullanın",
    "errorCreatingClient": "Müşteri oluşturulurken hata oluştu",
    "clientDefaultsNotFound": "Müşteri varsayılanları bulunamadı",
    "createClient": "Müşteri Oluştur",
-    "createClientDescription": "Sitelerinize bağlanmak için yeni bir müşteri oluşturun",
+    "createClientDescription": "Özel kaynaklara erişmek için yeni bir istemci oluşturun",
    "seeAllClients": "Tüm Müşterileri Gör",
    "clientInformation": "Müşteri Bilgileri",
    "clientNamePlaceholder": "Müşteri adı",
    "address": "Adres",
    "subnetPlaceholder": "Alt ağ",
-    "addressDescription": "Bu müşteri için bağlantıda kullanılacak adres",
+    "addressDescription": "İstemcinin dahili adresi. Organizasyon alt ağı içinde olmalıdır.",
    "selectSites": "Siteleri seçin",
    "sitesDescription": "Müşteri seçilen sitelere bağlantı kuracaktır",
    "clientInstallOlm": "Olm Yükle",
    "clientInstallOlmDescription": "Sisteminizde Olm çalıştırın",
    "clientOlmCredentials": "Olm Kimlik Bilgileri",
-    "clientOlmCredentialsDescription": "Bu, Olm'in sunucu ile kimlik doğrulaması yapacağı yöntemdir",
-    "olmEndpoint": "Olm Uç Noktası",
-    "olmId": "Olm Kimliği",
-    "olmSecretKey": "Olm Gizli Anahtarı",
+    "clientOlmCredentialsDescription": "Bu, istemcinin sunucu ile kimlik doğrulaması yapacağı yöntemdir",
+    "olmEndpoint": "Uç Nokta",
+    "olmId": "Kimlik",
+    "olmSecretKey": "Gizli",
    "clientCredentialsSave": "Kimlik Bilgilerinizi Kaydedin",
    "clientCredentialsSaveDescription": "Bunu yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyaladığınızdan emin olun.",
    "generalSettingsDescription": "Bu müşteri için genel ayarları yapılandırın",
@@ -1410,9 +1501,7 @@
    "sitesFetchError": "Siteler alınırken bir hata oluştu.",
    "olmErrorFetchReleases": "Olm yayınları alınırken bir hata oluştu.",
    "olmErrorFetchLatest": "En son Olm yayını alınırken bir hata oluştu.",
-    "remoteSubnets": "Uzak Alt Ağlar",
    "enterCidrRange": "CIDR aralığını girin",
-    "remoteSubnetsDescription": "Bu siteye uzaktan erişilebilen CIDR aralıklarını ekleyin. 10.0.0.0/24 formatını kullanın. Bu YALNIZCA VPN istemci bağlantıları için geçerlidir.",
    "resourceEnableProxy": "Genel Proxy'i Etkinleştir",
    "resourceEnableProxyDescription": "Bu kaynağa genel proxy erişimini etkinleştirin. Bu sayede ağ dışından açık bir port üzerinden kaynağa bulut aracılığıyla erişim sağlanır. Traefik yapılandırması gereklidir.",
    "externalProxyEnabled": "Dış Proxy Etkinleştirildi",
@@ -1430,14 +1519,15 @@
    "enableHealthChecksDescription": "Bu hedefin sağlığını izleyin. Gerekirse hedef dışındaki bir son noktayı izleyebilirsiniz.",
    "healthScheme": "Yöntem",
    "healthSelectScheme": "Yöntem Seç",
+    "healthCheckPortInvalid": "Sağlık Kontrolü portu 1 ile 65535 arasında olmalıdır",
    "healthCheckPath": "Yol",
    "healthHostname": "IP / Hostname",
    "healthPort": "Bağlantı Noktası",
    "healthCheckPathDescription": "Sağlık durumunu kontrol etmek için yol.",
-    "healthyIntervalSeconds": "Sağlıklı Aralık",
-    "unhealthyIntervalSeconds": "Sağlıksız Aralık",
+    "healthyIntervalSeconds": "Sağlıklı Aralık (saniye)",
+    "unhealthyIntervalSeconds": "Sağlıksız Aralık (saniye)",
    "IntervalSeconds": "Sağlıklı Aralık",
-    "timeoutSeconds": "Zaman Aşımı",
+    "timeoutSeconds": "Zaman Aşımı (saniye)",
    "timeIsInSeconds": "Zaman saniye cinsindendir",
    "retryAttempts": "Tekrar Deneme Girişimleri",
    "expectedResponseCodes": "Beklenen Yanıt Kodları",
@@ -1473,16 +1563,22 @@
    "resourceEditDomain": "Alan Adını Düzenle",
    "siteName": "Site Adı",
    "proxyPort": "Bağlantı Noktası",
-    "resourcesTableProxyResources": "Proxy Kaynaklar",
-    "resourcesTableClientResources": "İstemci Kaynaklar",
+    "resourcesTableProxyResources": "Herkese Açık",
+    "resourcesTableClientResources": "Özel",
    "resourcesTableNoProxyResourcesFound": "Hiçbir proxy kaynağı bulunamadı.",
    "resourcesTableNoInternalResourcesFound": "Hiçbir dahili kaynak bulunamadı.",
    "resourcesTableDestination": "Hedef",
-    "resourcesTableTheseResourcesForUseWith": "Bu kaynaklar ile kullanılmak için",
+    "resourcesTableAlias": "Takma Ad",
    "resourcesTableClients": "İstemciler",
    "resourcesTableAndOnlyAccessibleInternally": "veyalnızca bir istemci ile bağlandığında dahili olarak erişilebilir.",
-    "editInternalResourceDialogEditClientResource": "İstemci Kaynağı Düzenleyin",
-    "editInternalResourceDialogUpdateResourceProperties": "{resourceName} için kaynak özelliklerini ve hedef yapılandırmasını güncelleyin.",
+    "resourcesTableNoTargets": "Hedef yok",
+    "resourcesTableHealthy": "Sağlıklı",
+    "resourcesTableDegraded": "Düşük Performanslı",
+    "resourcesTableOffline": "Çevrimdışı",
+    "resourcesTableUnknown": "Bilinmiyor",
+    "resourcesTableNotMonitored": "İzlenmiyor",
+    "editInternalResourceDialogEditClientResource": "Özel Kaynak Düzenleyin",
+    "editInternalResourceDialogUpdateResourceProperties": "{resourceName} için kaynak ayarlarını ve erişim kontrollerini güncelleyin",
    "editInternalResourceDialogResourceProperties": "Kaynak Özellikleri",
    "editInternalResourceDialogName": "Ad",
    "editInternalResourceDialogProtocol": "Protokol",
@@ -1501,11 +1597,22 @@
    "editInternalResourceDialogInvalidIPAddressFormat": "Geçersiz IP adresi formatı",
    "editInternalResourceDialogDestinationPortMin": "Hedef bağlantı noktası en az 1 olmalıdır",
    "editInternalResourceDialogDestinationPortMax": "Hedef bağlantı noktası 65536'dan küçük olmalıdır",
+    "editInternalResourceDialogPortModeRequired": "Port modu için protokol, proxy portu ve hedef porta ihtiyaç vardır",
+    "editInternalResourceDialogMode": "Mod",
+    "editInternalResourceDialogModePort": "Bağlantı Noktası",
+    "editInternalResourceDialogModeHost": "Ev Sahibi",
+    "editInternalResourceDialogModeCidr": "CIDR",
+    "editInternalResourceDialogDestination": "Hedef",
+    "editInternalResourceDialogDestinationHostDescription": "Site ağındaki kaynağın IP adresi veya ana bilgisayar adı.",
+    "editInternalResourceDialogDestinationIPDescription": "Kaynağın site ağındaki IP veya ana bilgisayar adresi.",
+    "editInternalResourceDialogDestinationCidrDescription": "Site ağındaki kaynağın CIDR aralığı.",
+    "editInternalResourceDialogAlias": "Takma Ad",
+    "editInternalResourceDialogAliasDescription": "Bu kaynak için isteğe bağlı dahili DNS takma adı.",
    "createInternalResourceDialogNoSitesAvailable": "Site Bulunamadı",
    "createInternalResourceDialogNoSitesAvailableDescription": "Dahili kaynak oluşturmak için en az bir Newt sitesine ve alt ağa sahip olmalısınız.",
    "createInternalResourceDialogClose": "Kapat",
-    "createInternalResourceDialogCreateClientResource": "İstemci Kaynağı Oluştur",
-    "createInternalResourceDialogCreateClientResourceDescription": "Seçilen siteye bağlı istemciler için erişilebilir olacak yeni bir kaynak oluşturun.",
+    "createInternalResourceDialogCreateClientResource": "Özel Kaynak Oluştur",
+    "createInternalResourceDialogCreateClientResourceDescription": "Seçilen siteye bağlı istemcilere erişilebilir olacak yeni bir kaynak oluşturun",
    "createInternalResourceDialogResourceProperties": "Kaynak Özellikleri",
    "createInternalResourceDialogName": "Ad",
    "createInternalResourceDialogSite": "Site",
@@ -1534,11 +1641,22 @@
    "createInternalResourceDialogInvalidIPAddressFormat": "Geçersiz IP adresi formatı",
    "createInternalResourceDialogDestinationPortMin": "Hedef bağlantı noktası en az 1 olmalıdır",
    "createInternalResourceDialogDestinationPortMax": "Hedef bağlantı noktası 65536'dan küçük olmalıdır",
+    "createInternalResourceDialogPortModeRequired": "Port modu için protokol, proxy portu ve hedef porta ihtiyaç vardır",
+    "createInternalResourceDialogMode": "Mod",
+    "createInternalResourceDialogModePort": "Bağlantı Noktası",
+    "createInternalResourceDialogModeHost": "Ev Sahibi",
+    "createInternalResourceDialogModeCidr": "CIDR",
+    "createInternalResourceDialogDestination": "Hedef",
+    "createInternalResourceDialogDestinationHostDescription": "Site ağındaki kaynağın IP adresi veya ana bilgisayar adı.",
+    "createInternalResourceDialogDestinationCidrDescription": "Site ağındaki kaynağın CIDR aralığı.",
+    "createInternalResourceDialogAlias": "Takma Ad",
+    "createInternalResourceDialogAliasDescription": "Bu kaynak için isteğe bağlı dahili DNS takma adı.",
    "siteConfiguration": "Yapılandırma",
    "siteAcceptClientConnections": "İstemci Bağlantılarını Kabul Et",
-    "siteAcceptClientConnectionsDescription": "Bu Newt örneğini bir geçit olarak kullanarak diğer cihazların bağlanmasına izin verin.",
-    "siteAddress": "Site Adresi",
-    "siteAddressDescription": "İstemcilerin bağlanması için hostun IP adresini belirtin. Bu, Pangolin ağındaki sitenin iç adresidir ve istemciler için atlas olmalıdır. Org alt ağına düşmelidir.",
+    "siteAcceptClientConnectionsDescription": "Kullanıcı cihazları ve istemcilerin bu sitedeki kaynaklara erişmesine izin verin. Bu daha sonra değiştirilebilir.",
+    "siteAddress": "Site Adresi (Gelişmiş)",
+    "siteAddressDescription": "Site için dahili adres. Organizasyon alt ağı içinde olmalıdır.",
+    "siteNameDescription": "Sonradan değiştirilebilecek sitenin görünen adı.",
    "autoLoginExternalIdp": "Harici IDP ile Otomatik Giriş",
    "autoLoginExternalIdpDescription": "Kullanıcıyı kimlik doğrulama için otomatik olarak harici IDP'ye yönlendirin.",
    "selectIdp": "IDP Seç",
@@ -1552,7 +1670,7 @@
    "autoLoginErrorNoRedirectUrl": "Kimlik sağlayıcıdan yönlendirme URL'si alınamadı.",
    "autoLoginErrorGeneratingUrl": "Kimlik doğrulama URL'si oluşturulamadı.",
    "remoteExitNodeManageRemoteExitNodes": "Uzak Düğümler",
-    "remoteExitNodeDescription": "Kendi konum ağlarınızdan bir veya daha fazlasını barındırarak, bağlantı kurulumları için buluta bağımlılığı azaltın.",
+    "remoteExitNodeDescription": "Ağ bağlantınızı genişletmek ve buluta bağlı kalmayı azaltmak için bir veya daha fazla uzak düğüm barındırın",
    "remoteExitNodes": "Düğümler",
    "searchRemoteExitNodes": "Düğüm ara...",
    "remoteExitNodeAdd": "Düğüm Ekle",
@@ -1589,7 +1707,7 @@
        },
        "generate": {
            "title": "Oluşturulan Kimlik Bilgileri",
-            "description": "Düğümünüzü yapılandırmak için oluşturulan bu kimlik bilgilerini kullanın",
+            "description": "Düğümünüzü yapılandırmak için bu oluşturulan kimlik bilgilerini kullanın",
            "nodeIdTitle": "Düğüm ID",
            "secretTitle": "Gizli",
            "saveCredentialsTitle": "Kimlik Bilgilerini Yapılandırmaya Ekle",
@@ -1671,7 +1789,7 @@
    "idpAzureConfiguration": "Azure Entra ID Yapılandırması",
    "idpAzureConfigurationDescription": "Azure Entra ID OAuth2 kimlik bilgilerinizi yapılandırın",
    "idpTenantId": "Kiracı Kimliği",
-    "idpTenantIdPlaceholder": "kiraci-kimliginiz",
+    "idpTenantIdPlaceholder": "kiracı Kimliği",
    "idpAzureTenantIdDescription": "Azure kiracı kimliğiniz (Azure Active Directory genel bakışında bulunur)",
    "idpAzureClientIdDescription": "Azure Uygulama Kaydı İstemci Kimliğiniz",
    "idpAzureClientSecretDescription": "Azure Uygulama Kaydı İstemci Sırrınız",
@@ -1726,7 +1844,49 @@
    "resourceExposePortsEditFile": "Dosyayı düzenle: docker-compose.yml",
    "emailVerificationRequired": "E-posta doğrulaması gereklidir. Bu adımı tamamlamak için lütfen tekrar {dashboardUrl}/auth/login üzerinden oturum açın. Sonra buraya geri dönün.",
    "twoFactorSetupRequired": "İki faktörlü kimlik doğrulama ayarı gereklidir. Bu adımı tamamlamak için lütfen tekrar {dashboardUrl}/auth/login üzerinden oturum açın. Sonra buraya geri dönün.",
+    "additionalSecurityRequired": "Ek Güvenlik Gereklidir",
+    "organizationRequiresAdditionalSteps": "Bu kuruluş, kaynaklara erişmeden önce ek güvenlik adımları gerektirir.",
+    "completeTheseSteps": "Bu adımları tamamlayın",
+    "enableTwoFactorAuthentication": "İki faktörlü kimlik doğrulamayı etkinleştir",
+    "completeSecuritySteps": "Güvenlik Adımlarını Tamamla",
+    "securitySettings": "Güvenlik Ayarları",
+    "securitySettingsDescription": "Kuruluşunuz için güvenlik politikalarını yapılandırın",
+    "requireTwoFactorForAllUsers": "Tüm Kullanıcılar için İki Faktörlü Kimlik Doğrulama Gerektir",
+    "requireTwoFactorDescription": "Etkinleştirildiğinde, bu kuruluştaki tüm dahili kullanıcıların, kuruluşa erişmek için iki faktörlü kimlik doğrulama etkinleştirilmiş olmalıdır.",
+    "requireTwoFactorDisabledDescription": "Bu özellik, geçerli bir lisans (Kurumsal) veya aktif bir abonelik (SaaS) gerektirir",
+    "requireTwoFactorCannotEnableDescription": "Tüm kullanıcılar için etkinleştirilmeden önce hesabınızda iki faktörlü kimlik doğrulamayı etkinleştirmeniz gerekir",
+    "maxSessionLength": "Maksimum Oturum Süresi",
+    "maxSessionLengthDescription": "Kullanıcı oturumları için maksimum süreyi ayarlayın. Bu süre sonra kullanıcıların tekrar kimlik doğrulaması gerekecektir.",
+    "maxSessionLengthDisabledDescription": "Bu özellik, geçerli bir lisans (Kurumsal) veya aktif bir abonelik (SaaS) gerektirir",
+    "selectSessionLength": "Oturum süresini seçin",
+    "unenforced": "Zorunlu Değil",
+    "1Hour": "1 saat",
+    "3Hours": "3 saat",
+    "6Hours": "6 saat",
+    "12Hours": "12 saat",
+    "1DaySession": "1 gün",
+    "3Days": "3 gün",
+    "7Days": "7 gün",
+    "14Days": "14 gün",
+    "30DaysSession": "30 gün",
+    "90DaysSession": "90 gün",
+    "180DaysSession": "180 gün",
+    "passwordExpiryDays": "Şifre Sona Ermesi",
+    "editPasswordExpiryDescription": "Kullanıcıların parolalarını değiştirmeleri gereken gün sayısını ayarlayın.",
+    "selectPasswordExpiry": "Şifre sona ermesini seçin",
+    "30Days": "30 gün",
+    "1Day": "1 gün",
+    "60Days": "60 gün",
+    "90Days": "90 gün",
+    "180Days": "180 gün",
+    "1Year": "1 yıl",
+    "subscriptionBadge": "Abonelik Gerekiyor",
+    "securityPolicyChangeWarning": "Güvenlik Politikası Değişiklik Uyarısı",
+    "securityPolicyChangeDescription": "Güvenlik politikası ayarlarını değiştirmek üzeresiniz. Değişiklikleri kaydettikten sonra, bu politika güncellemelerine uyum sağlamak amacıyla tekrar kimlik doğrulamanız gerekebilir. Uyum sağlamayan tüm kullanıcıların da tekrar kimlik doğrulaması gerekecektir.",
+    "securityPolicyChangeConfirmMessage": "Onaylıyorum",
+    "securityPolicyChangeWarningText": "Bu, organizasyondaki tüm kullanıcıları etkileyecektir",
    "authPageErrorUpdateMessage": "Kimlik doğrulama sayfası ayarları güncellenirken bir hata oluştu.",
+    "authPageErrorUpdate": "Kimlik doğrulama sayfası güncellenemedi",
    "authPageUpdated": "Kimlik doğrulama sayfası başarıyla güncellendi",
    "healthCheckNotAvailable": "Yerel",
    "rewritePath": "Yolu Yeniden Yaz",
@@ -1753,8 +1913,12 @@
    "enterpriseEdition": "Kurumsal Sürüm",
    "unlicensed": "Lisansız",
    "beta": "Beta",
-    "manageClients": "Müşteri Yönetimi",
-    "manageClientsDescription": "Müşteriler, sitelerinize bağlanabilen cihazlardır.",
+    "manageUserDevices": "Kullanıcı Cihazları",
+    "manageUserDevicesDescription": "Kullanıcıların kaynaklara özel olarak bağlanmak için kullandığı cihazları görüntüleyin ve yönetin",
+    "manageMachineClients": "Makine İstemcilerini Yönetin",
+    "manageMachineClientsDescription": "Sunucuların ve sistemlerin kaynaklara özel olarak bağlanmak için kullandığı istemcileri oluşturun ve yönetin",
+    "clientsTableUserClients": "Kullanıcı",
+    "clientsTableMachineClients": "Makine",
    "licenseTableValidUntil": "Geçerli İki Tarih Kadar",
    "saasLicenseKeysSettingsTitle": "Kurumsal Lisanslar",
    "saasLicenseKeysSettingsDescription": "Kendi barındırdığınız Pangolin örnekleri için kurumsal lisans anahtarları oluşturun ve yönetin.",
@@ -1889,7 +2053,222 @@
    "pathRewriteStripLabel": "sil",
    "sidebarEnableEnterpriseLicense": "Kurumsal Lisans Etkinleştir",
    "cannotbeUndone": "Bu geri alınamaz.",
-    "toConfirm": "doğrulamak için",
+    "toConfirm": "onaylamak için.",
    "deleteClientQuestion": "Müşteriyi siteden ve organizasyondan kaldırmak istediğinizden emin misiniz?",
-    "clientMessageRemove": "Kaldırıldıktan sonra müşteri siteye bağlanamayacaktır."
+    "clientMessageRemove": "Kaldırıldıktan sonra müşteri siteye bağlanamayacaktır.",
+    "sidebarLogs": "Kayıtlar",
+    "request": "İstek",
+    "requests": "İstekler",
+    "logs": "Günlükler",
+    "logsSettingsDescription": "Bu organizasyondan toplanan günlükleri izleyin",
+    "searchLogs": "Günlüklerde ara...",
+    "action": "Eylem",
+    "actor": "Aktör",
+    "timestamp": "Zaman damgası",
+    "accessLogs": "Erişim Günlükleri",
+    "exportCsv": "CSV Dışa Aktar",
+    "actorId": "Aktör Kimliği",
+    "allowedByRule": "Kurallara Göre İzin Verildi",
+    "allowedNoAuth": "Kimlik Doğrulama Yok İzin Verildi",
+    "validAccessToken": "Geçerli Erişim Jetonu",
+    "validHeaderAuth": "Geçerli Başlık Doğrulama",
+    "validPincode": "Geçerli Pincode",
+    "validPassword": "Geçerli Şifre",
+    "validEmail": "Geçerli E-posta",
+    "validSSO": "Geçerli SSO",
+    "resourceBlocked": "Kaynak Engellendi",
+    "droppedByRule": "Kurallara Göre Çıkartıldı",
+    "noSessions": "Oturum Yok",
+    "temporaryRequestToken": "Geçici İstek Jetonu",
+    "noMoreAuthMethods": "Daha Fazla Kimlik Doğrulama Yöntemi Yok",
+    "ip": "IP",
+    "reason": "Sebep",
+    "requestLogs": "İstek Günlükleri",
+    "requestAnalytics": "İstek Analizi",
+    "host": "Sunucu",
+    "location": "Konum",
+    "actionLogs": "Eylem Günlükleri",
+    "sidebarLogsRequest": "İstek Günlükleri",
+    "sidebarLogsAccess": "Erişim Günlükleri",
+    "sidebarLogsAction": "Eylem Günlükleri",
+    "logRetention": "Kayıt Saklama",
+    "logRetentionDescription": "Bu organizasyon için farklı türdeki günlüklerin ne kadar süre saklanacağını yönetin veya devre dışı bırakın",
+    "requestLogsDescription": "Bu organizasyondaki kaynaklar için ayrıntılı istek günlüklerini görüntüleyin",
+    "requestAnalyticsDescription": "Bu organizasyondaki kaynaklar için ayrıntılı istek analizlerini görüntüleyin.",
+    "logRetentionRequestLabel": "İstek Günlüğü Saklama",
+    "logRetentionRequestDescription": "İstek günlüklerini ne kadar süre tutacağını belirle",
+    "logRetentionAccessLabel": "Erişim Günlüğü Saklama",
+    "logRetentionAccessDescription": "Erişim günlüklerini ne kadar süre tutacağını belirle",
+    "logRetentionActionLabel": "Eylem Günlüğü Saklama",
+    "logRetentionActionDescription": "Eylem günlüklerini ne kadar süre tutacağını belirle",
+    "logRetentionDisabled": "Devre Dışı",
+    "logRetention3Days": "3 gün",
+    "logRetention7Days": "7 gün",
+    "logRetention14Days": "14 gün",
+    "logRetention30Days": "30 gün",
+    "logRetention90Days": "90 gün",
+    "logRetentionForever": "Sonsuza kadar",
+    "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
+    "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
+    "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
+    "licenseRequiredToUse": "Bu özelliği kullanmak için bir kurumsal lisans gereklidir.",
+    "certResolver": "Sertifika Çözücü",
+    "certResolverDescription": "Bu kaynak için kullanılacak sertifika çözücüsünü seçin.",
+    "selectCertResolver": "Sertifika Çözücü Seçin",
+    "enterCustomResolver": "Özel Çözücü Girin",
+    "preferWildcardCert": "Joker Sertifikayı Tercih Et",
+    "unverified": "Doğrulanmadı",
+    "domainSetting": "Alan Adı Ayarları",
+    "domainSettingDescription": "Alan adı için ayarları yapılandırın",
+    "preferWildcardCertDescription": "Joker sertifika üretmeye çalışın (doğru yapılandırılmış bir sertifika çözücü gereklidir).",
+    "recordName": "Kayıt Adı",
+    "auto": "Otomatik",
+    "TTL": "TTL",
+    "howToAddRecords": "Kayıtları Nasıl Ekleyebilirsiniz",
+    "dnsRecord": "DNS Kayıtları",
+    "required": "Gerekli",
+    "domainSettingsUpdated": "Alan adına yönelik ayarlar başarıyla güncellendi",
+    "orgOrDomainIdMissing": "Organizasyon veya Alan Adı Kimliği eksik",
+    "loadingDNSRecords": "DNS kayıtları yükleniyor...",
+    "olmUpdateAvailableInfo": "Olm'nin güncellenmiş bir sürümü mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
+    "client": "İstemci",
+    "proxyProtocol": "Proxy Protokol Ayarları",
+    "proxyProtocolDescription": "TCP hizmetleri için istemci IP adreslerini korumak amacıyla Proxy Protokolünü yapılandırın.",
+    "enableProxyProtocol": "Proxy Protokolünü Etkinleştir",
+    "proxyProtocolInfo": "TCP ara yüzlerini koruyarak istemci IP adreslerini saklayın",
+    "proxyProtocolVersion": "Proxy Protokol Versiyonu",
+    "version1": " Versiyon 1 (Önerilen)",
+    "version2": "Versiyon 2",
+    "versionDescription": "Versiyon 1 metin tabanlı ve yaygın olarak desteklenir. Versiyon 2 ise ikili ve daha verimlidir ama daha az uyumludur.",
+    "warning": "Uyarı",
+    "proxyProtocolWarning": "Arka uç uygulamanız, Proxy Protokol bağlantılarını kabul etmek üzere yapılandırılmalıdır. Arka ucunuz Proxy Protokolünü desteklemiyorsa, bunu etkinleştirmek tüm bağlantıları koparır. Traefik'ten gelen Proxy Protokol başlıklarına güvenecek şekilde arka ucunuzu yapılandırdığınızdan emin olun.",
+    "restarting": "Yeniden Başlatılıyor...",
+    "manual": "Manuel",
+    "messageSupport": "Destek Mesajı Gönder",
+    "supportNotAvailableTitle": "Destek Yok",
+    "supportNotAvailableDescription": "Destek şu anda mevcut değil. Destek'e bir e-posta gönderebilirsiniz: support@pangolin.net.",
+    "supportRequestSentTitle": "Destek İsteği Gönderildi",
+    "supportRequestSentDescription": "Mesajınız başarıyla gönderildi.",
+    "supportRequestFailedTitle": "İsteği Gönderme Başarısız",
+    "supportRequestFailedDescription": "Destek isteği gönderilirken bir hata oluştu.",
+    "supportSubjectRequired": "Konu gerekli",
+    "supportSubjectMaxLength": "Konu en fazla 255 karakter olabilir",
+    "supportMessageRequired": "Mesaj gerekli",
+    "supportReplyTo": "Yanıtla",
+    "supportSubject": "Konu",
+    "supportSubjectPlaceholder": "Konu girin",
+    "supportMessage": "Mesaj",
+    "supportMessagePlaceholder": "Mesajınızı girin",
+    "supportSending": "Gönderiliyor...",
+    "supportSend": "Gönder",
+    "supportMessageSent": "Mesaj Gönderildi!",
+    "supportWillContact": "En kısa sürede size geri döneceğiz!",
+    "selectLogRetention": "Kayıt saklama seç",
+    "terms": "Şartlar",
+    "privacy": "Gizlilik",
+    "security": "Güvenlik",
+    "docs": "Belgeler",
+    "deviceActivation": "Cihaz aktivasyonu",
+    "deviceCodeInvalidFormat": "Kod 9 karakter olmalı (ör. A1AJ-N5JD)",
+    "deviceCodeInvalidOrExpired": "Geçersiz veya süresi dolmuş kod",
+    "deviceCodeVerifyFailed": "Cihaz kodu doğrulanamadı",
+    "signedInAs": "Olarak giriş yapıldı",
+    "deviceCodeEnterPrompt": "Cihazda gösterilen kodu girin",
+    "continue": "Devam Et",
+    "deviceUnknownLocation": "Bilinmeyen konum",
+    "deviceAuthorizationRequested": "Bu yetkilendirme {tarih} tarihinde {konum} konumundan talep edildi. Bu cihaza güvenmenizi sağlayın, çünkü hesap erişimine sahip olacaktır.",
+    "deviceLabel": "Cihaz: {cihazadı}",
+    "deviceWantsAccess": "hesabınıza erişmek istiyor",
+    "deviceExistingAccess": "Mevcut erişim:",
+    "deviceFullAccess": "Hesabınıza tam erişim",
+    "deviceOrganizationsAccess": "Hesabınızın erişim hakkına sahip olduğu tüm organizasyonlara erişim",
+    "deviceAuthorize": "{uygulamaAdi} yetkilendir",
+    "deviceConnected": "Cihaz Bağlandı!",
+    "deviceAuthorizedMessage": "Cihazınız, hesabınıza erişim izni almıştır.",
+    "pangolinCloud": "Pangolin Cloud",
+    "viewDevices": "Cihazları Görüntüle",
+    "viewDevicesDescription": "Bağlantılı cihazlarınızı yönetin",
+    "noDevices": "Cihaz bulunamadı",
+    "dateCreated": "Oluşturulma Tarihi",
+    "unnamedDevice": "Adı Olmayan Cihaz",
+    "deviceQuestionRemove": "Bu cihazı silmek istediğinizden emin misiniz?",
+    "deviceMessageRemove": "Bu eylem geri alınamaz.",
+    "deviceDeleteConfirm": "Cihazı Sil",
+    "deleteDevice": "Cihazı Sil",
+    "errorLoadingDevices": "Cihaz yüklenirken hata oluştu",
+    "failedToLoadDevices": "Cihazlar yüklenemedi",
+    "deviceDeleted": "Cihaz silindi",
+    "deviceDeletedDescription": "Cihaz başarıyla silindi.",
+    "errorDeletingDevice": "Cihaz silinirken hata",
+    "failedToDeleteDevice": "Cihaz silinirken hata oluştu",
+    "showColumns": "Sütunları Göster",
+    "hideColumns": "Sütunları Gizle",
+    "columnVisibility": "Sütun Görünürlüğü",
+    "toggleColumn": "{columnName} sütununu aç/kapat",
+    "allColumns": "Tüm Sütunlar",
+    "defaultColumns": "Varsayılan Sütunlar",
+    "customizeView": "Görünümü Özelleştir",
+    "viewOptions": "Görünüm Seçenekleri",
+    "selectAll": "Tümünü Seç",
+    "selectNone": "Hiçbirini Seçme",
+    "selectedResources": "Seçilen Kaynaklar",
+    "enableSelected": "Seçilenleri Etkinleştir",
+    "disableSelected": "Seçilenleri Devre Dışı Bırak",
+    "checkSelectedStatus": "Seçilenlerin Durumunu Kontrol Et",
+    "clients": "İstemciler",
+    "accessClientSelect": "Makine istemcilerini seçiniz",
+    "resourceClientDescription": "Bu kaynağa erişebilecek makine istemcileri",
+    "regenerate": "Yeniden Üret",
+    "credentials": "Kimlik Bilgileri",
+    "savecredentials": "Kimlik Bilgilerini Kaydet",
+    "regenerateCredentialsButton": "Kimlik Bilgilerini Yeniden Oluştur",
+    "regenerateCredentials": "Kimlik Bilgilerini Yeniden Oluştur",
+    "generatedcredentials": "Oluşturulan Kimlik Bilgileri",
+    "copyandsavethesecredentials": "Bu kimlik bilgilerini kopyalayın ve kaydedin",
+    "copyandsavethesecredentialsdescription": "Bu sayfadan ayrıldıktan sonra bu kimlik bilgileri tekrar gösterilmeyecek. Onları şimdi güvenli bir şekilde saklayın.",
+    "credentialsSaved": "Kimlik Bilgileri Kaydedildi",
+    "credentialsSavedDescription": "Kimlik bilgileri başarılı bir şekilde yeniden oluşturuldu ve kaydedildi.",
+    "credentialsSaveError": "Kimlik Bilgileri Kayıt Hatası",
+    "credentialsSaveErrorDescription": "Kimlik bilgilerini yeniden oluştururken ve kaydederken bir hata oluştu.",
+    "regenerateCredentialsWarning": "Kimlik bilgilerini yeniden oluşturmak, öncekilerini geçersiz kılacak ve bağlantı kesintisine neden olacaktır. Bu kimlik bilgilerini kullanan yapılandırmaları güncellediğinizden emin olun.",
+    "confirm": "Onayla",
+    "regenerateCredentialsConfirmation": "Kimlik bilgilerini yeniden oluşturmak istediğinizden emin misiniz?",
+    "endpoint": "Uç Nokta",
+    "Id": "Kimlik",
+    "SecretKey": "Gizli Anahtar",
+    "niceId": "Güzel Kimlik",
+    "niceIdUpdated": "Güzel Kimlik Güncellendi",
+    "niceIdUpdatedSuccessfully": "Güzel Kimlik Başarıyla Güncellendi",
+    "niceIdUpdateError": "Güzel Kimlik güncellenirken hata",
+    "niceIdUpdateErrorDescription": "Güzel Kimlik güncellenirken bir hata oluştu.",
+    "niceIdCannotBeEmpty": "Güzel Kimlik boş olamaz",
+    "enterIdentifier": "Tanımlayıcıyı girin",
+    "identifier": "Tanımlayıcı",
+    "deviceLoginUseDifferentAccount": "Siz değil misiniz? Farklı bir hesap kullanın.",
+    "deviceLoginDeviceRequestingAccessToAccount": "Bir cihaz bu hesaba erişim talep ediyor.",
+    "noData": "Veri Yok",
+    "machineClients": "Makine İstemcileri",
+    "install": "Yükle",
+    "run": "Çalıştır",
+    "clientNameDescription": "Daha sonra değiştirilebilecek istemcinin görünen adı.",
+    "clientAddress": "İstemci Adresi (Gelişmiş)",
+    "setupFailedToFetchSubnet": "Varsayılan alt ağ alınamadı",
+    "setupSubnetAdvanced": "Alt Ağ (Gelişmiş)",
+    "setupSubnetDescription": "Bu organizasyonun dahili ağı için alt ağ.",
+    "siteRegenerateAndDisconnect": "Yeniden Oluştur ve Bağlantıyı Kes",
+    "siteRegenerateAndDisconnectConfirmation": "Kimlik bilgilerini yeniden oluşturmak ve bu sitenin bağlantısını kesmek istediğinizden emin misiniz?",
+    "siteRegenerateAndDisconnectWarning": "Bu, kimlik bilgilerini yeniden oluşturacak ve sitenin bağlantısını anında kesecektir. Site yeni kimlik bilgilerle yeniden başlatılmalıdır.",
+    "siteRegenerateCredentialsConfirmation": "Bu site için kimlik bilgilerini yeniden oluşturmak istediğinizden emin misiniz?",
+    "siteRegenerateCredentialsWarning": "Bu, kimlik bilgilerini yeniden oluşturacak. Site manuel olarak yeniden başlatılana ve yeni kimlik bilgileri kullanılana kadar bağlı kalacak.",
+    "clientRegenerateAndDisconnect": "Yeniden Oluştur ve Bağlantıyı Kes",
+    "clientRegenerateAndDisconnectConfirmation": "Kimlik bilgilerini yeniden oluşturmak ve bu istemcinin bağlantısını kesmek istediğinizden emin misiniz?",
+    "clientRegenerateAndDisconnectWarning": "Bu, kimlik bilgilerini yeniden oluşturacak ve istemcinin bağlantısını hemen kesecek. İstemci, yeni kimlik bilgilerle yeniden başlatılmalıdır.",
+    "clientRegenerateCredentialsConfirmation": "Bu istemci için kimlik bilgilerini yeniden oluşturmak istediğinizden emin misiniz?",
+    "clientRegenerateCredentialsWarning": "Bu, kimlik bilgilerini yeniden oluşturacak. İstemci, manuel olarak yeniden başlatılana ve yeni kimlik bilgileri kullanılana kadar bağlı kalacak.",
+    "remoteExitNodeRegenerateAndDisconnect": "Yeniden Oluştur ve Bağlantıyı Kes",
+    "remoteExitNodeRegenerateAndDisconnectConfirmation": "Kimlik bilgilerini yeniden oluşturmak ve bu uzak çıkış düğümünün bağlantısını kesmek istediğinizden emin misiniz?",
+    "remoteExitNodeRegenerateAndDisconnectWarning": "Bu, kimlik bilgilerini yeniden oluşturacak ve hemen uzak çıkış düğümünün bağlantısını kesecek. Uzak çıkış düğümü, yeni kimlik bilgileri ile yeniden başlatılmalıdır.",
+    "remoteExitNodeRegenerateCredentialsConfirmation": "Bu uzak çıkış düğümü için kimlik bilgilerini yeniden oluşturmak istediğinizden emin misiniz?",
+    "remoteExitNodeRegenerateCredentialsWarning": "Bu, kimlik bilgilerini yeniden oluşturacak. Uzak çıkış düğümü, manuel olarak yeniden başlatılana ve yeni kimlik bilgiler kullanılana kadar bağlı kalacak.",
+    "agent": "Aracı"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -1,12 +1,15 @@
+import type { NextConfig } from "next";
 import createNextIntlPlugin from "next-intl/plugin";

 const withNextIntl = createNextIntlPlugin();

-/** @type {import("next").NextConfig} */
-const nextConfig = {
+const nextConfig: NextConfig = {
    eslint: {
        ignoreDuringBuilds: true
    },
+    experimental: {
+        reactCompiler: true
+    },
    output: "standalone"
 };

--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -22,8 +22,8 @@
        "set:oss": "echo 'export const build = \"oss\" as any;' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
        "set:saas": "echo 'export const build = \"saas\" as any;' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
        "set:enterprise": "echo 'export const build = \"enterprise\" as any;' > server/build.ts && cp tsconfig.enterprise.json tsconfig.json",
-        "set:sqlite": "echo 'export * from \"./sqlite\";' > server/db/index.ts",
-        "set:pg": "echo 'export * from \"./pg\";' > server/db/index.ts",
+        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts",
+        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts",
        "next:build": "next build",
        "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
        "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
@@ -32,26 +32,29 @@
        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs"
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "^7.3.4",
-        "@aws-sdk/client-s3": "3.908.0",
+        "@asteasolutions/zod-to-openapi": "8.1.0",
+        "@faker-js/faker": "^10.1.0",
+        "@headlessui/react": "^2.2.9",
+        "@aws-sdk/client-s3": "3.943.0",
        "@hookform/resolvers": "5.2.2",
+        "@monaco-editor/react": "^4.7.0",
        "@node-rs/argon2": "^2.0.2",
        "@oslojs/crypto": "1.0.1",
        "@oslojs/encoding": "1.1.0",
-        "@radix-ui/react-avatar": "1.1.10",
+        "@radix-ui/react-avatar": "1.1.11",
        "@radix-ui/react-checkbox": "1.3.3",
        "@radix-ui/react-collapsible": "1.1.12",
        "@radix-ui/react-dialog": "1.1.15",
        "@radix-ui/react-dropdown-menu": "2.1.16",
        "@radix-ui/react-icons": "1.3.2",
-        "@radix-ui/react-label": "2.1.7",
+        "@radix-ui/react-label": "2.1.8",
        "@radix-ui/react-popover": "1.1.15",
-        "@radix-ui/react-progress": "^1.1.7",
+        "@radix-ui/react-progress": "^1.1.8",
        "@radix-ui/react-radio-group": "1.3.8",
        "@radix-ui/react-scroll-area": "^1.2.10",
        "@radix-ui/react-select": "2.2.6",
-        "@radix-ui/react-separator": "1.1.7",
-        "@radix-ui/react-slot": "1.2.3",
+        "@radix-ui/react-separator": "1.1.8",
+        "@radix-ui/react-slot": "1.2.4",
        "@radix-ui/react-switch": "1.2.6",
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
@@ -62,11 +65,12 @@
        "@simplewebauthn/browser": "^13.2.2",
        "@simplewebauthn/server": "^13.2.2",
        "@tailwindcss/forms": "^0.5.10",
+        "@tanstack/react-query": "^5.90.6",
        "@tanstack/react-table": "8.21.3",
        "arctic": "^3.7.0",
-        "axios": "^1.12.2",
+        "axios": "^1.13.2",
        "better-sqlite3": "11.7.0",
-        "canvas-confetti": "1.9.3",
+        "canvas-confetti": "1.9.4",
        "class-variance-authority": "^0.7.1",
        "clsx": "2.1.1",
        "cmdk": "1.1.1",
@@ -75,89 +79,103 @@
        "cookies": "^0.9.1",
        "cors": "2.8.5",
        "crypto-js": "^4.2.0",
-        "drizzle-orm": "0.44.6",
-        "eslint": "9.37.0",
-        "eslint-config-next": "15.5.6",
-        "express": "5.1.0",
-        "express-rate-limit": "8.1.0",
-        "glob": "11.0.3",
+        "d3": "^7.9.0",
+        "date-fns": "4.1.0",
+        "drizzle-orm": "0.45.0",
+        "eslint": "9.39.1",
+        "eslint-config-next": "16.0.7",
+        "express": "5.2.1",
+        "express-rate-limit": "8.2.1",
+        "glob": "11.1.0",
        "helmet": "8.1.0",
-        "http-errors": "2.0.0",
+        "http-errors": "2.0.1",
        "i": "^0.3.7",
        "input-otp": "1.4.2",
-        "ioredis": "5.8.1",
+        "ioredis": "5.8.2",
        "jmespath": "^0.16.0",
-        "js-yaml": "4.1.0",
+        "js-yaml": "4.1.1",
        "jsonwebtoken": "^9.0.2",
-        "lucide-react": "^0.545.0",
-        "maxmind": "5.0.0",
+        "lucide-react": "^0.556.0",
+        "maxmind": "5.0.1",
        "moment": "2.30.1",
-        "next": "15.5.6",
-        "next-intl": "^4.3.12",
+        "next": "15.5.7",
+        "next-intl": "^4.4.0",
        "next-themes": "0.4.6",
+        "nextjs-toploader": "^3.9.17",
        "node-cache": "5.1.2",
        "node-fetch": "3.3.2",
-        "nodemailer": "7.0.9",
-        "npm": "^11.6.2",
+        "nodemailer": "7.0.11",
+        "npm": "^11.6.4",
+        "nprogress": "^0.2.0",
        "oslo": "1.2.1",
        "pg": "^8.16.2",
-        "posthog-node": "^5.9.5",
+        "posthog-node": "^5.11.2",
        "qrcode.react": "4.2.0",
-        "react": "19.2.0",
-        "react-dom": "19.2.0",
+        "react": "19.2.1",
+        "react-day-picker": "9.11.3",
+        "react-dom": "19.2.1",
        "react-easy-sort": "^1.8.0",
-        "react-hook-form": "7.65.0",
+        "react-hook-form": "7.68.0",
        "react-icons": "^5.5.0",
        "rebuild": "0.1.2",
+        "recharts": "^2.15.4",
        "reodotdev": "^1.0.0",
-        "resend": "^6.1.2",
+        "resend": "^6.4.2",
        "semver": "^7.7.3",
        "stripe": "18.2.1",
        "swagger-ui-express": "^5.0.1",
-        "tailwind-merge": "3.3.1",
+        "topojson-client": "^3.1.0",
+        "tailwind-merge": "3.4.0",
        "tw-animate-css": "^1.3.8",
        "uuid": "^13.0.0",
        "vaul": "1.1.2",
+        "visionscarto-world-atlas": "^1.0.0",
        "winston": "3.18.3",
        "winston-daily-rotate-file": "5.0.0",
        "ws": "8.18.3",
+        "yaml": "^2.8.1",
        "yargs": "18.0.0",
-        "zod": "3.25.76",
-        "zod-validation-error": "3.5.2"
+        "zod": "4.1.12",
+        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.51.0",
+        "@dotenvx/dotenvx": "1.51.1",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "4.3.1",
-        "@tailwindcss/postcss": "^4.1.14",
+        "@react-email/preview-server": "4.3.2",
+        "@tailwindcss/postcss": "^4.1.17",
+        "@tanstack/react-query-devtools": "^5.90.2",
        "@types/better-sqlite3": "7.6.12",
-        "@types/cookie-parser": "1.4.9",
+        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
        "@types/crypto-js": "^4.2.2",
-        "@types/express": "5.0.3",
+        "@types/d3": "^7.4.3",
+        "@types/express": "5.0.6",
        "@types/express-session": "^1.18.2",
        "@types/jmespath": "^0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "^9.0.10",
-        "@types/node": "24.8.1",
-        "@types/nodemailer": "7.0.2",
-        "@types/pg": "8.15.5",
-        "@types/react": "19.2.2",
-        "@types/react-dom": "19.2.2",
+        "@types/node": "24.10.1",
+        "@types/nprogress": "^0.2.3",
+        "@types/nodemailer": "7.0.4",
+        "@types/pg": "8.15.6",
+        "@types/react": "19.2.7",
+        "@types/react-dom": "19.2.3",
        "@types/semver": "^7.7.1",
        "@types/swagger-ui-express": "^4.1.8",
+        "@types/topojson-client": "^3.1.5",
        "@types/ws": "8.18.1",
-        "@types/yargs": "17.0.33",
-        "drizzle-kit": "0.31.5",
-        "esbuild": "0.25.11",
-        "esbuild-node-externals": "1.18.0",
+        "babel-plugin-react-compiler": "^1.0.0",
+        "@types/yargs": "17.0.35",
+        "drizzle-kit": "0.31.8",
+        "esbuild": "0.27.1",
+        "esbuild-node-externals": "1.20.1",
        "postcss": "^8",
-        "react-email": "4.3.1",
+        "react-email": "4.3.2",
        "tailwindcss": "^4.1.4",
        "tsc-alias": "1.8.16",
-        "tsx": "4.20.6",
+        "tsx": "4.21.0",
        "typescript": "^5",
-        "typescript-eslint": "^8.46.0"
+        "typescript-eslint": "^8.46.3"
    },
    "overrides": {
        "emblor": {
@@ -165,4 +183,4 @@
            "react-dom": "19.0.0"
        }
    }
-}
+}
--- a/src/app/favicon.ico
+++ b/src/app/favicon.ico
--- a/server/apiServer.ts
+++ b/server/apiServer.ts
@@ -79,6 +79,12 @@ export function createApiServer() {
    // Add request timeout middleware
    apiServer.use(requestTimeoutMiddleware(60000)); // 60 second timeout

+    apiServer.use(logIncomingMiddleware);
+
+    if (build !== "oss") {
+        apiServer.use(`${prefix}/hybrid`, hybridRouter); // put before rate limiting because we will rate limit there separately because some of the routes are heavily used
+    }
+
    if (!dev) {
        apiServer.use(
            rateLimit({
@@ -101,11 +107,7 @@ export function createApiServer() {
    }

    // API routes
-    apiServer.use(logIncomingMiddleware);
    apiServer.use(prefix, unauthenticated);
-    if (build !== "oss") {
-        apiServer.use(`${prefix}/hybrid`, hybridRouter);
-    }
    apiServer.use(prefix, authenticated);

    // WebSocket routes
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -19,6 +19,7 @@ export enum ActionsEnum {
    getSite = "getSite",
    listSites = "listSites",
    updateSite = "updateSite",
+    reGenerateSecret = "reGenerateSecret",
    createResource = "createResource",
    deleteResource = "deleteResource",
    getResource = "getResource",
@@ -81,7 +82,11 @@ export enum ActionsEnum {
    listClients = "listClients",
    getClient = "getClient",
    listOrgDomains = "listOrgDomains",
+    getDomain = "getDomain",
+    updateOrgDomain = "updateOrgDomain",
+    getDNSRecords = "getDNSRecords",
    createNewt = "createNewt",
+    createOlm = "createOlm",
    createIdp = "createIdp",
    updateIdp = "updateIdp",
    deleteIdp = "deleteIdp",
@@ -116,7 +121,11 @@ export enum ActionsEnum {
    updateLoginPage = "updateLoginPage",
    getLoginPage = "getLoginPage",
    deleteLoginPage = "deleteLoginPage",
-    applyBlueprint = "applyBlueprint"
+    listBlueprints = "listBlueprints",
+    getBlueprint = "getBlueprint",
+    applyBlueprint = "applyBlueprint",
+    viewLogs = "viewLogs",
+    exportLogs = "exportLogs"
 }

 export async function checkUserActionPermission(
@@ -193,7 +202,6 @@ export async function checkUserActionPermission(
            .limit(1);

        return roleActionPermission.length > 0;
-
    } catch (error) {
        console.error("Error checking user action permission:", error);
        throw createHttpError(
--- a/server/auth/sessions/app.ts
+++ b/server/auth/sessions/app.ts
@@ -36,12 +36,15 @@ export async function createSession(
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
-    const session: Session = {
-        sessionId: sessionId,
-        userId,
-        expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime()
-    };
-    await db.insert(sessions).values(session);
+    const [session] = await db
+        .insert(sessions)
+        .values({
+            sessionId: sessionId,
+            userId,
+            expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime(),
+            issuedAt: new Date().getTime()
+        })
+        .returning();
    return session;
 }

--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -50,7 +50,8 @@ export async function createResourceSession(opts: {
        doNotExtend: opts.doNotExtend || false,
        accessTokenId: opts.accessTokenId || null,
        isRequestToken: opts.isRequestToken || false,
-        userSessionId: opts.userSessionId || null
+        userSessionId: opts.userSessionId || null,
+        issuedAt: new Date().getTime()
    };

    await db.insert(resourceSessions).values(session);
--- a/server/auth/sessions/verifySession.ts
+++ b/server/auth/sessions/verifySession.ts
@@ -1,9 +1,43 @@
 import { Request } from "express";
-import { validateSessionToken, SESSION_COOKIE_NAME } from "@server/auth/sessions/app";
+import {
+    validateSessionToken,
+    SESSION_COOKIE_NAME
+} from "@server/auth/sessions/app";

-export async function verifySession(req: Request) {
+export async function verifySession(req: Request, forceLogin?: boolean) {
    const res = await validateSessionToken(
-        req.cookies[SESSION_COOKIE_NAME] ?? "",
+        req.cookies[SESSION_COOKIE_NAME] ?? ""
    );
+
+    if (!forceLogin) {
+        return res;
+    }
+    if (!res.session || !res.user) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+    if (res.session.deviceAuthUsed) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+    if (!res.session.issuedAt) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+    const mins = 5 * 60 * 1000;
+    const now = new Date().getTime();
+    if (now - res.session.issuedAt > mins) {
+        return {
+            session: null,
+            user: null
+        };
+    }
+
    return res;
 }
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,4 +1,4 @@
-import { cleanup as wsCleanup } from "@server/routers/ws";
+import { cleanup as wsCleanup } from "#dynamic/routers/ws";

 async function cleanup() {
    await wsCleanup();
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -1,6 +1,7 @@
 import { join } from "path";
 import { readFileSync } from "fs";
-import { db, resources, siteResources } from "@server/db";
+import { clients, db, resources, siteResources } from "@server/db";
+import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import { __DIRNAME } from "@server/lib/consts";
@@ -15,6 +16,25 @@ if (!dev) {
 }
 export const names = JSON.parse(readFileSync(file, "utf-8"));

+export async function getUniqueClientName(orgId: string): Promise<string> {
+    let loops = 0;
+    while (true) {
+        if (loops > 100) {
+            throw new Error("Could not generate a unique name");
+        }
+
+        const name = generateName();
+        const count = await db
+            .select({ niceId: clients.niceId, orgId: clients.orgId })
+            .from(clients)
+            .where(and(eq(clients.niceId, name), eq(clients.orgId, orgId)));
+        if (count.length === 0) {
+            return name;
+        }
+        loops++;
+    }
+}
+
 export async function getUniqueSiteName(orgId: string): Promise<string> {
    let loops = 0;
    while (true) {
@@ -42,18 +62,36 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
        }

        const name = generateName();
-        const count = await db
-            .select({ niceId: resources.niceId, orgId: resources.orgId })
-            .from(resources)
-            .where(and(eq(resources.niceId, name), eq(resources.orgId, orgId)));
-        if (count.length === 0) {
+        const [resourceCount, siteResourceCount] = await Promise.all([
+            db
+                .select({ niceId: resources.niceId, orgId: resources.orgId })
+                .from(resources)
+                .where(
+                    and(eq(resources.niceId, name), eq(resources.orgId, orgId))
+                ),
+            db
+                .select({
+                    niceId: siteResources.niceId,
+                    orgId: siteResources.orgId
+                })
+                .from(siteResources)
+                .where(
+                    and(
+                        eq(siteResources.niceId, name),
+                        eq(siteResources.orgId, orgId)
+                    )
+                )
+        ]);
+        if (resourceCount.length === 0 && siteResourceCount.length === 0) {
            return name;
        }
        loops++;
    }
 }

-export async function getUniqueSiteResourceName(orgId: string): Promise<string> {
+export async function getUniqueSiteResourceName(
+    orgId: string
+): Promise<string> {
    let loops = 0;
    while (true) {
        if (loops > 100) {
@@ -61,11 +99,27 @@ export async function getUniqueSiteResourceName(orgId: string): Promise<string>
        }

        const name = generateName();
-        const count = await db
-            .select({ niceId: siteResources.niceId, orgId: siteResources.orgId })
-            .from(siteResources)
-            .where(and(eq(siteResources.niceId, name), eq(siteResources.orgId, orgId)));
-        if (count.length === 0) {
+        const [resourceCount, siteResourceCount] = await Promise.all([
+            db
+                .select({ niceId: resources.niceId, orgId: resources.orgId })
+                .from(resources)
+                .where(
+                    and(eq(resources.niceId, name), eq(resources.orgId, orgId))
+                ),
+            db
+                .select({
+                    niceId: siteResources.niceId,
+                    orgId: siteResources.orgId
+                })
+                .from(siteResources)
+                .where(
+                    and(
+                        eq(siteResources.niceId, name),
+                        eq(siteResources.orgId, orgId)
+                    )
+                )
+        ]);
+        if (resourceCount.length === 0 && siteResourceCount.length === 0) {
            return name;
        }
        loops++;
@@ -74,9 +128,7 @@ export async function getUniqueSiteResourceName(orgId: string): Promise<string>

 export async function getUniqueExitNodeEndpointName(): Promise<string> {
    let loops = 0;
-    const count = await db
-        .select()
-        .from(exitNodes);
+    const count = await db.select().from(exitNodes);
    while (true) {
        if (loops > 100) {
            throw new Error("Could not generate a unique name");
@@ -95,14 +147,11 @@ export async function getUniqueExitNodeEndpointName(): Promise<string> {
    }
 }

-
 export function generateName(): string {
    const name = (
-        names.descriptors[
-            Math.floor(Math.random() * names.descriptors.length)
-        ] +
+        names.descriptors[randomInt(names.descriptors.length)] +
        "-" +
-        names.animals[Math.floor(Math.random() * names.animals.length)]
+        names.animals[randomInt(names.animals.length)]
    )
        .toLowerCase()
        .replace(/\s/g, "-");
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -13,9 +13,12 @@ function createDb() {
                connection_string: process.env.POSTGRES_CONNECTION_STRING
            };
            if (process.env.POSTGRES_REPLICA_CONNECTION_STRINGS) {
-                const replicas = process.env.POSTGRES_REPLICA_CONNECTION_STRINGS.split(",").map((conn) => ({
-                    connection_string: conn.trim()
-                }));
+                const replicas =
+                    process.env.POSTGRES_REPLICA_CONNECTION_STRINGS.split(
+                        ","
+                    ).map((conn) => ({
+                        connection_string: conn.trim()
+                    }));
                config.postgres.replicas = replicas;
            }
        } else {
@@ -40,28 +43,44 @@ function createDb() {
        connectionString,
        max: poolConfig?.max_connections || 20,
        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000,
+        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
    });

    const replicas = [];

    if (!replicaConnections.length) {
-        replicas.push(DrizzlePostgres(primaryPool));
+        replicas.push(
+            DrizzlePostgres(primaryPool, {
+                logger: process.env.QUERY_LOGGING == "true"
+            })
+        );
    } else {
        for (const conn of replicaConnections) {
            const replicaPool = new Pool({
                connectionString: conn.connection_string,
                max: poolConfig?.max_replica_connections || 20,
                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000,
+                connectionTimeoutMillis:
+                    poolConfig?.connection_timeout_ms || 5000
            });
-            replicas.push(DrizzlePostgres(replicaPool));
+            replicas.push(
+                DrizzlePostgres(replicaPool, {
+                    logger: process.env.QUERY_LOGGING == "true"
+                })
+            );
        }
    }

-    return withReplicas(DrizzlePostgres(primaryPool), replicas as any);
+    return withReplicas(
+        DrizzlePostgres(primaryPool, {
+            logger: process.env.QUERY_LOGGING == "true"
+        }),
+        replicas as any
+    );
 }

 export const db = createDb();
 export default db;
-export type Transaction = Parameters<Parameters<typeof db["transaction"]>[0]>[0];
+export type Transaction = Parameters<
+    Parameters<(typeof db)["transaction"]>[0]
+>[0];
--- a/server/db/pg/migrate.ts
+++ b/server/db/pg/migrate.ts
@@ -11,6 +11,7 @@ const runMigrations = async () => {
            migrationsFolder: migrationsFolder
        });
        console.log("Migrations completed successfully.");
+        process.exit(0);
    } catch (error) {
        console.error("Error running migrations:", error);
        process.exit(1);
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -6,7 +6,8 @@ import {
    integer,
    bigint,
    real,
-    text
+    text,
+    index
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
@@ -166,6 +167,7 @@ export const remoteExitNodes = pgTable("remoteExitNode", {
    secretHash: varchar("secretHash").notNull(),
    dateCreated: varchar("dateCreated").notNull(),
    version: varchar("version"),
+    secondaryVersion: varchar("secondaryVersion"), // This is to detect the new nodes after the transition to pangolin-node
    exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
        onDelete: "cascade"
    })
@@ -213,6 +215,43 @@ export const sessionTransferToken = pgTable("sessionTransferToken", {
    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
 });

+export const actionAuditLog = pgTable("actionAuditLog", {
+    id: serial("id").primaryKey(),
+    timestamp: bigint("timestamp", { mode: "number" }).notNull(), // this is EPOCH time in seconds
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: varchar("actorType", { length: 50 }).notNull(),
+    actor: varchar("actor", { length: 255 }).notNull(),
+    actorId: varchar("actorId", { length: 255 }).notNull(),
+    action: varchar("action", { length: 100 }).notNull(),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_actionAuditLog_timestamp").on(table.timestamp),
+    index("idx_actionAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
+export const accessAuditLog = pgTable("accessAuditLog", {
+    id: serial("id").primaryKey(),
+    timestamp: bigint("timestamp", { mode: "number" }).notNull(), // this is EPOCH time in seconds
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: varchar("actorType", { length: 50 }),
+    actor: varchar("actor", { length: 255 }),
+    actorId: varchar("actorId", { length: 255 }),
+    resourceId: integer("resourceId"),
+    ip: varchar("ip", { length: 45 }),
+    type: varchar("type", { length: 100 }).notNull(),
+    action: boolean("action").notNull(),
+    location: text("location"),
+    userAgent: text("userAgent"),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_identityAuditLog_timestamp").on(table.timestamp),
+    index("idx_identityAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
@@ -230,3 +269,5 @@ export type RemoteExitNodeSession = InferSelectModel<
 >;
 export type ExitNodeOrg = InferSelectModel<typeof exitNodeOrgs>;
 export type LoginPage = InferSelectModel<typeof loginPage>;
+export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
+export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -6,10 +6,12 @@ import {
    integer,
    bigint,
    real,
-    text
+    text,
+    index
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import { randomUUID } from "crypto";
+import { alias } from "yargs";

 export const domains = pgTable("domains", {
    domainId: varchar("domainId").primaryKey(),
@@ -18,15 +20,41 @@ export const domains = pgTable("domains", {
    type: varchar("type"), // "ns", "cname", "wildcard"
    verified: boolean("verified").notNull().default(false),
    failed: boolean("failed").notNull().default(false),
-    tries: integer("tries").notNull().default(0)
+    tries: integer("tries").notNull().default(0),
+    certResolver: varchar("certResolver"),
+    customCertResolver: varchar("customCertResolver"),
+    preferWildcardCert: boolean("preferWildcardCert")
+});
+
+export const dnsRecords = pgTable("dnsRecords", {
+    id: serial("id").primaryKey(),
+    domainId: varchar("domainId")
+        .notNull()
+        .references(() => domains.domainId, { onDelete: "cascade" }),
+    recordType: varchar("recordType").notNull(), // "NS" | "CNAME" | "A" | "TXT"
+    baseDomain: varchar("baseDomain"),
+    value: varchar("value").notNull(),
+    verified: boolean("verified").notNull().default(false)
 });

 export const orgs = pgTable("orgs", {
    orgId: varchar("orgId").primaryKey(),
    name: varchar("name").notNull(),
    subnet: varchar("subnet"),
+    utilitySubnet: varchar("utilitySubnet"), // this is the subnet for utility addresses
    createdAt: text("createdAt"),
-    settings: text("settings") // JSON blob of org-specific settings
+    requireTwoFactor: boolean("requireTwoFactor"),
+    maxSessionLengthHours: integer("maxSessionLengthHours"),
+    passwordExpiryDays: integer("passwordExpiryDays"),
+    settingsLogRetentionDaysRequest: integer("settingsLogRetentionDaysRequest") // where 0 = dont keep logs and -1 = keep forever, and 9001 = end of the following year
+        .notNull()
+        .default(7),
+    settingsLogRetentionDaysAccess: integer("settingsLogRetentionDaysAccess") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
+    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0)
 });

 export const orgDomains = pgTable("orgDomains", {
@@ -62,8 +90,7 @@ export const sites = pgTable("sites", {
    publicKey: varchar("publicKey"),
    lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
    listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
-    remoteSubnets: text("remoteSubnets") // comma-separated list of subnets that this site can access
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
 });

 export const resources = pgTable("resources", {
@@ -100,9 +127,11 @@ export const resources = pgTable("resources", {
    setHostHeader: varchar("setHostHeader"),
    enableProxy: boolean("enableProxy").default(true),
    skipToIdpId: integer("skipToIdpId").references(() => idp.idpId, {
-        onDelete: "cascade"
+        onDelete: "set null"
    }),
-    headers: text("headers") // comma-separated list of headers to add to the request
+    headers: text("headers"), // comma-separated list of headers to add to the request
+    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
 });

 export const targets = pgTable("targets", {
@@ -147,7 +176,8 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
    hcFollowRedirects: boolean("hcFollowRedirects").default(true),
    hcMethod: varchar("hcMethod").default("GET"),
    hcStatus: integer("hcStatus"), // http code
-    hcHealth: text("hcHealth").default("unknown") // "unknown", "healthy", "unhealthy"
+    hcHealth: text("hcHealth").default("unknown"), // "unknown", "healthy", "unhealthy"
+    hcTlsServerName: text("hcTlsServerName"),
 });

 export const exitNodes = pgTable("exitNodes", {
@@ -176,11 +206,41 @@ export const siteResources = pgTable("siteResources", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    niceId: varchar("niceId").notNull(),
    name: varchar("name").notNull(),
-    protocol: varchar("protocol").notNull(),
-    proxyPort: integer("proxyPort").notNull(),
-    destinationPort: integer("destinationPort").notNull(),
-    destinationIp: varchar("destinationIp").notNull(),
-    enabled: boolean("enabled").notNull().default(true)
+    mode: varchar("mode").notNull(), // "host" | "cidr" | "port"
+    protocol: varchar("protocol"), // only for port mode
+    proxyPort: integer("proxyPort"), // only for port mode
+    destinationPort: integer("destinationPort"), // only for port mode
+    destination: varchar("destination").notNull(), // ip, cidr, hostname; validate against the mode
+    enabled: boolean("enabled").notNull().default(true),
+    alias: varchar("alias"),
+    aliasAddress: varchar("aliasAddress")
+});
+
+export const clientSiteResources = pgTable("clientSiteResources", {
+    clientId: integer("clientId")
+        .notNull()
+        .references(() => clients.clientId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+});
+
+export const roleSiteResources = pgTable("roleSiteResources", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+});
+
+export const userSiteResources = pgTable("userSiteResources", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
 });

 export const users = pgTable("user", {
@@ -200,7 +260,8 @@ export const users = pgTable("user", {
    dateCreated: varchar("dateCreated").notNull(),
    termsAcceptedTimestamp: varchar("termsAcceptedTimestamp"),
    termsVersion: varchar("termsVersion"),
-    serverAdmin: boolean("serverAdmin").notNull().default(false)
+    serverAdmin: boolean("serverAdmin").notNull().default(false),
+    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" })
 });

 export const newts = pgTable("newt", {
@@ -226,7 +287,9 @@ export const sessions = pgTable("session", {
    userId: varchar("userId")
        .notNull()
        .references(() => users.userId, { onDelete: "cascade" }),
-    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
+    issuedAt: bigint("issuedAt", { mode: "number" }),
+    deviceAuthUsed: boolean("deviceAuthUsed").notNull().default(false)
 });

 export const newtSessions = pgTable("newtSession", {
@@ -443,7 +506,8 @@ export const resourceSessions = pgTable("resourceSessions", {
        {
            onDelete: "cascade"
        }
-    )
+    ),
+    issuedAt: bigint("issuedAt", { mode: "number" })
 });

 export const resourceWhitelist = pgTable("resourceWhitelist", {
@@ -567,7 +631,7 @@ export const idpOrg = pgTable("idpOrg", {
 });

 export const clients = pgTable("clients", {
-    clientId: serial("id").primaryKey(),
+    clientId: serial("clientId").primaryKey(),
    orgId: varchar("orgId")
        .references(() => orgs.orgId, {
            onDelete: "cascade"
@@ -576,6 +640,12 @@ export const clients = pgTable("clients", {
    exitNodeId: integer("exitNode").references(() => exitNodes.exitNodeId, {
        onDelete: "set null"
    }),
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
+        onDelete: "cascade"
+    }),
+    niceId: varchar("niceId").notNull(),
+    olmId: text("olmId"), // to lock it to a specific olm optionally
    name: varchar("name").notNull(),
    pubKey: varchar("pubKey"),
    subnet: varchar("subnet").notNull(),
@@ -590,23 +660,40 @@ export const clients = pgTable("clients", {
    maxConnections: integer("maxConnections")
 });

-export const clientSites = pgTable("clientSites", {
-    clientId: integer("clientId")
-        .notNull()
-        .references(() => clients.clientId, { onDelete: "cascade" }),
-    siteId: integer("siteId")
-        .notNull()
-        .references(() => sites.siteId, { onDelete: "cascade" }),
-    isRelayed: boolean("isRelayed").notNull().default(false),
-    endpoint: varchar("endpoint")
-});
+export const clientSitesAssociationsCache = pgTable(
+    "clientSitesAssociationsCache",
+    {
+        clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
+            .notNull(),
+        siteId: integer("siteId").notNull(),
+        isRelayed: boolean("isRelayed").notNull().default(false),
+        endpoint: varchar("endpoint"),
+        publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
+    }
+);
+
+export const clientSiteResourcesAssociationsCache = pgTable(
+    "clientSiteResourcesAssociationsCache",
+    {
+        clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
+            .notNull(),
+        siteResourceId: integer("siteResourceId").notNull()
+    }
+);

 export const olms = pgTable("olms", {
    olmId: varchar("id").primaryKey(),
    secretHash: varchar("secretHash").notNull(),
    dateCreated: varchar("dateCreated").notNull(),
    version: text("version"),
+    agent: text("agent"),
+    name: varchar("name"),
    clientId: integer("clientId").references(() => clients.clientId, {
+        // we will switch this depending on the current org it wants to connect to
+        onDelete: "set null"
+    }),
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
    })
 });
@@ -671,6 +758,72 @@ export const setupTokens = pgTable("setupTokens", {
    dateUsed: varchar("dateUsed")
 });

+// Blueprint runs
+export const blueprints = pgTable("blueprints", {
+    blueprintId: serial("blueprintId").primaryKey(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    name: varchar("name").notNull(),
+    source: varchar("source").notNull(),
+    createdAt: integer("createdAt").notNull(),
+    succeeded: boolean("succeeded").notNull(),
+    contents: text("contents").notNull(),
+    message: text("message")
+});
+export const requestAuditLog = pgTable(
+    "requestAuditLog",
+    {
+        id: serial("id").primaryKey(),
+        timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        action: boolean("action").notNull(),
+        reason: integer("reason").notNull(),
+        actorType: text("actorType"),
+        actor: text("actor"),
+        actorId: text("actorId"),
+        resourceId: integer("resourceId"),
+        ip: text("ip"),
+        location: text("location"),
+        userAgent: text("userAgent"),
+        metadata: text("metadata"),
+        headers: text("headers"), // JSON blob
+        query: text("query"), // JSON blob
+        originalRequestURL: text("originalRequestURL"),
+        scheme: text("scheme"),
+        host: text("host"),
+        path: text("path"),
+        method: text("method"),
+        tls: boolean("tls")
+    },
+    (table) => [
+        index("idx_requestAuditLog_timestamp").on(table.timestamp),
+        index("idx_requestAuditLog_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);
+
+export const deviceWebAuthCodes = pgTable("deviceWebAuthCodes", {
+    codeId: serial("codeId").primaryKey(),
+    code: text("code").notNull().unique(),
+    ip: text("ip"),
+    city: text("city"),
+    deviceName: text("deviceName"),
+    applicationName: text("applicationName").notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+    verified: boolean("verified").notNull().default(false),
+    userId: varchar("userId").references(() => users.userId, {
+        onDelete: "cascade"
+    })
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -711,7 +864,7 @@ export type ApiKey = InferSelectModel<typeof apiKeys>;
 export type ApiKeyAction = InferSelectModel<typeof apiKeyActions>;
 export type ApiKeyOrg = InferSelectModel<typeof apiKeyOrg>;
 export type Client = InferSelectModel<typeof clients>;
-export type ClientSite = InferSelectModel<typeof clientSites>;
+export type ClientSite = InferSelectModel<typeof clientSitesAssociationsCache>;
 export type Olm = InferSelectModel<typeof olms>;
 export type OlmSession = InferSelectModel<typeof olmSessions>;
 export type UserClient = InferSelectModel<typeof userClients>;
@@ -722,3 +875,9 @@ export type SetupToken = InferSelectModel<typeof setupTokens>;
 export type HostMeta = InferSelectModel<typeof hostMeta>;
 export type TargetHealthCheck = InferSelectModel<typeof targetHealthCheck>;
 export type IdpOidcConfig = InferSelectModel<typeof idpOidcConfig>;
+export type Blueprint = InferSelectModel<typeof blueprints>;
+export type LicenseKey = InferSelectModel<typeof licenseKey>;
+export type SecurityKey = InferSelectModel<typeof securityKeys>;
+export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
+export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
+export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,4 @@
-import { db, loginPage, LoginPage, loginPageOrg } from "@server/db";
+import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
 import {
    Resource,
    ResourcePassword,
@@ -23,6 +23,7 @@ export type ResourceWithAuth = {
    pincode: ResourcePincode | null;
    password: ResourcePassword | null;
    headerAuth: ResourceHeaderAuth | null;
+    org: Org;
 };

 export type UserSessionWithUser = {
@@ -51,6 +52,10 @@ export async function getResourceByDomain(
            resourceHeaderAuth,
            eq(resourceHeaderAuth.resourceId, resources.resourceId)
        )
+        .innerJoin(
+            orgs,
+            eq(orgs.orgId, resources.orgId)
+        )
        .where(eq(resources.fullDomain, domain))
        .limit(1);

@@ -62,7 +67,8 @@ export async function getResourceByDomain(
        resource: result.resources,
        pincode: result.resourcePincode,
        password: result.resourcePassword,
-        headerAuth: result.resourceHeaderAuth
+        headerAuth: result.resourceHeaderAuth,
+        org: result.orgs
    };
 }

--- a/server/db/sqlite/driver.ts
+++ b/server/db/sqlite/driver.ts
@@ -13,12 +13,16 @@ bootstrapVolume();

 function createDb() {
    const sqlite = new Database(location);
-    return DrizzleSqlite(sqlite, { schema });
+    return DrizzleSqlite(sqlite, {
+        schema
+    });
 }

 export const db = createDb();
 export default db;
-export type Transaction = Parameters<Parameters<typeof db["transaction"]>[0]>[0];
+export type Transaction = Parameters<
+    Parameters<(typeof db)["transaction"]>[0]
+>[0];

 function checkFileExists(filePath: string): boolean {
    try {
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -2,10 +2,12 @@ import {
    sqliteTable,
    integer,
    text,
-    real
+    real,
+    index
 } from "drizzle-orm/sqlite-core";
 import { InferSelectModel } from "drizzle-orm";
 import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
+import { metadata } from "@app/app/[orgId]/settings/layout";

 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -160,6 +162,7 @@ export const remoteExitNodes = sqliteTable("remoteExitNode", {
    secretHash: text("secretHash").notNull(),
    dateCreated: text("dateCreated").notNull(),
    version: text("version"),
+    secondaryVersion: text("secondaryVersion"), // This is to detect the new nodes after the transition to pangolin-node
    exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
        onDelete: "cascade"
    })
@@ -207,6 +210,43 @@ export const sessionTransferToken = sqliteTable("sessionTransferToken", {
    expiresAt: integer("expiresAt").notNull()
 });

+export const actionAuditLog = sqliteTable("actionAuditLog", {
+    id: integer("id").primaryKey({ autoIncrement: true }),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: text("actorType").notNull(),
+    actor: text("actor").notNull(),
+    actorId: text("actorId").notNull(),
+    action: text("action").notNull(),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_actionAuditLog_timestamp").on(table.timestamp),
+    index("idx_actionAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
+export const accessAuditLog = sqliteTable("accessAuditLog", {
+    id: integer("id").primaryKey({ autoIncrement: true }),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    actorType: text("actorType"),
+    actor: text("actor"),
+    actorId: text("actorId"),
+    resourceId: integer("resourceId"),
+    ip: text("ip"),
+    location: text("location"),
+    type: text("type").notNull(),
+    action: integer("action", { mode: "boolean" }).notNull(),
+    userAgent: text("userAgent"),
+    metadata: text("metadata")
+}, (table) => ([
+    index("idx_identityAuditLog_timestamp").on(table.timestamp),
+    index("idx_identityAuditLog_org_timestamp").on(table.orgId, table.timestamp)
+]));
+
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
@@ -224,3 +264,5 @@ export type RemoteExitNodeSession = InferSelectModel<
 >;
 export type ExitNodeOrg = InferSelectModel<typeof exitNodeOrgs>;
 export type LoginPage = InferSelectModel<typeof loginPage>;
+export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
+export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,6 +1,7 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { sqliteTable, text, integer } from "drizzle-orm/sqlite-core";
+import { sqliteTable, text, integer, index } from "drizzle-orm/sqlite-core";
+import { no } from "zod/v4/locales";

 export const domains = sqliteTable("domains", {
    domainId: text("domainId").primaryKey(),
@@ -11,15 +12,41 @@ export const domains = sqliteTable("domains", {
    type: text("type"), // "ns", "cname", "wildcard"
    verified: integer("verified", { mode: "boolean" }).notNull().default(false),
    failed: integer("failed", { mode: "boolean" }).notNull().default(false),
-    tries: integer("tries").notNull().default(0)
+    tries: integer("tries").notNull().default(0),
+    certResolver: text("certResolver"),
+    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" })
+});
+
+export const dnsRecords = sqliteTable("dnsRecords", {
+    id: integer("id").primaryKey({ autoIncrement: true }),
+    domainId: text("domainId")
+        .notNull()
+        .references(() => domains.domainId, { onDelete: "cascade" }),
+
+    recordType: text("recordType").notNull(), // "NS" | "CNAME" | "A" | "TXT"
+    baseDomain: text("baseDomain"),
+    value: text("value").notNull(),
+    verified: integer("verified", { mode: "boolean" }).notNull().default(false)
 });

 export const orgs = sqliteTable("orgs", {
    orgId: text("orgId").primaryKey(),
    name: text("name").notNull(),
    subnet: text("subnet"),
+    utilitySubnet: text("utilitySubnet"), // this is the subnet for utility addresses
    createdAt: text("createdAt"),
-    settings: text("settings") // JSON blob of org-specific settings
+    requireTwoFactor: integer("requireTwoFactor", { mode: "boolean" }),
+    maxSessionLengthHours: integer("maxSessionLengthHours"), // hours
+    passwordExpiryDays: integer("passwordExpiryDays"), // days
+    settingsLogRetentionDaysRequest: integer("settingsLogRetentionDaysRequest") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(7),
+    settingsLogRetentionDaysAccess: integer("settingsLogRetentionDaysAccess") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
+    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0)
 });

 export const userDomains = sqliteTable("userDomains", {
@@ -68,8 +95,7 @@ export const sites = sqliteTable("sites", {
    listenPort: integer("listenPort"),
    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
        .notNull()
-        .default(true),
-    remoteSubnets: text("remoteSubnets") // comma-separated list of subnets that this site can access
+        .default(true)
 });

 export const resources = sqliteTable("resources", {
@@ -112,9 +138,13 @@ export const resources = sqliteTable("resources", {
    setHostHeader: text("setHostHeader"),
    enableProxy: integer("enableProxy", { mode: "boolean" }).default(true),
    skipToIdpId: integer("skipToIdpId").references(() => idp.idpId, {
-        onDelete: "cascade"
+        onDelete: "set null"
    }),
-    headers: text("headers") // comma-separated list of headers to add to the request
+    headers: text("headers"), // comma-separated list of headers to add to the request
+    proxyProtocol: integer("proxyProtocol", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
 });

 export const targets = sqliteTable("targets", {
@@ -142,11 +172,15 @@ export const targets = sqliteTable("targets", {
 });

 export const targetHealthCheck = sqliteTable("targetHealthCheck", {
-    targetHealthCheckId: integer("targetHealthCheckId").primaryKey({ autoIncrement: true }),
+    targetHealthCheckId: integer("targetHealthCheckId").primaryKey({
+        autoIncrement: true
+    }),
    targetId: integer("targetId")
        .notNull()
        .references(() => targets.targetId, { onDelete: "cascade" }),
-    hcEnabled: integer("hcEnabled", { mode: "boolean" }).notNull().default(false),
+    hcEnabled: integer("hcEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
    hcPath: text("hcPath"),
    hcScheme: text("hcScheme"),
    hcMode: text("hcMode").default("http"),
@@ -156,10 +190,13 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
    hcUnhealthyInterval: integer("hcUnhealthyInterval").default(30), // in seconds
    hcTimeout: integer("hcTimeout").default(5), // in seconds
    hcHeaders: text("hcHeaders"),
-    hcFollowRedirects: integer("hcFollowRedirects", { mode: "boolean" }).default(true),
+    hcFollowRedirects: integer("hcFollowRedirects", {
+        mode: "boolean"
+    }).default(true),
    hcMethod: text("hcMethod").default("GET"),
    hcStatus: integer("hcStatus"), // http code
-    hcHealth: text("hcHealth").default("unknown") // "unknown", "healthy", "unhealthy"
+    hcHealth: text("hcHealth").default("unknown"), // "unknown", "healthy", "unhealthy"
+    hcTlsServerName: text("hcTlsServerName")
 });

 export const exitNodes = sqliteTable("exitNodes", {
@@ -190,11 +227,41 @@ export const siteResources = sqliteTable("siteResources", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
-    protocol: text("protocol").notNull(),
-    proxyPort: integer("proxyPort").notNull(),
-    destinationPort: integer("destinationPort").notNull(),
-    destinationIp: text("destinationIp").notNull(),
-    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true)
+    mode: text("mode").notNull(), // "host" | "cidr" | "port"
+    protocol: text("protocol"), // only for port mode
+    proxyPort: integer("proxyPort"), // only for port mode
+    destinationPort: integer("destinationPort"), // only for port mode
+    destination: text("destination").notNull(), // ip, cidr, hostname
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
+    alias: text("alias"),
+    aliasAddress: text("aliasAddress")
+});
+
+export const clientSiteResources = sqliteTable("clientSiteResources", {
+    clientId: integer("clientId")
+        .notNull()
+        .references(() => clients.clientId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+});
+
+export const roleSiteResources = sqliteTable("roleSiteResources", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+});
+
+export const userSiteResources = sqliteTable("userSiteResources", {
+    userId: text("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    siteResourceId: integer("siteResourceId")
+        .notNull()
+        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
 });

 export const users = sqliteTable("user", {
@@ -222,7 +289,8 @@ export const users = sqliteTable("user", {
    termsVersion: text("termsVersion"),
    serverAdmin: integer("serverAdmin", { mode: "boolean" })
        .notNull()
-        .default(false)
+        .default(false),
+    lastPasswordChange: integer("lastPasswordChange")
 });

 export const securityKeys = sqliteTable("webauthnCredentials", {
@@ -269,7 +337,7 @@ export const newts = sqliteTable("newt", {
 });

 export const clients = sqliteTable("clients", {
-    clientId: integer("id").primaryKey({ autoIncrement: true }),
+    clientId: integer("clientId").primaryKey({ autoIncrement: true }),
    orgId: text("orgId")
        .references(() => orgs.orgId, {
            onDelete: "cascade"
@@ -278,8 +346,14 @@ export const clients = sqliteTable("clients", {
    exitNodeId: integer("exitNode").references(() => exitNodes.exitNodeId, {
        onDelete: "set null"
    }),
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
+        onDelete: "cascade"
+    }),
+    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
    pubKey: text("pubKey"),
+    olmId: text("olmId"), // to lock it to a specific olm optionally
    subnet: text("subnet").notNull(),
    megabytesIn: integer("bytesIn"),
    megabytesOut: integer("bytesOut"),
@@ -291,25 +365,42 @@ export const clients = sqliteTable("clients", {
    lastHolePunch: integer("lastHolePunch")
 });

-export const clientSites = sqliteTable("clientSites", {
-    clientId: integer("clientId")
-        .notNull()
-        .references(() => clients.clientId, { onDelete: "cascade" }),
-    siteId: integer("siteId")
-        .notNull()
-        .references(() => sites.siteId, { onDelete: "cascade" }),
-    isRelayed: integer("isRelayed", { mode: "boolean" })
-        .notNull()
-        .default(false),
-    endpoint: text("endpoint")
-});
+export const clientSitesAssociationsCache = sqliteTable(
+    "clientSitesAssociationsCache",
+    {
+        clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
+            .notNull(),
+        siteId: integer("siteId").notNull(),
+        isRelayed: integer("isRelayed", { mode: "boolean" })
+            .notNull()
+            .default(false),
+        endpoint: text("endpoint"),
+        publicKey: text("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
+    }
+);
+
+export const clientSiteResourcesAssociationsCache = sqliteTable(
+    "clientSiteResourcesAssociationsCache",
+    {
+        clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
+            .notNull(),
+        siteResourceId: integer("siteResourceId").notNull()
+    }
+);

 export const olms = sqliteTable("olms", {
    olmId: text("id").primaryKey(),
    secretHash: text("secretHash").notNull(),
    dateCreated: text("dateCreated").notNull(),
    version: text("version"),
+    agent: text("agent"),
+    name: text("name"),
    clientId: integer("clientId").references(() => clients.clientId, {
+        // we will switch this depending on the current org it wants to connect to
+        onDelete: "set null"
+    }),
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
    })
 });
@@ -327,7 +418,11 @@ export const sessions = sqliteTable("session", {
    userId: text("userId")
        .notNull()
        .references(() => users.userId, { onDelete: "cascade" }),
-    expiresAt: integer("expiresAt").notNull()
+    expiresAt: integer("expiresAt").notNull(),
+    issuedAt: integer("issuedAt"),
+    deviceAuthUsed: integer("deviceAuthUsed", { mode: "boolean" })
+        .notNull()
+        .default(false)
 });

 export const newtSessions = sqliteTable("newtSession", {
@@ -577,7 +672,8 @@ export const resourceSessions = sqliteTable("resourceSessions", {
        {
            onDelete: "cascade"
        }
-    )
+    ),
+    issuedAt: integer("issuedAt")
 });

 export const resourceWhitelist = sqliteTable("resourceWhitelist", {
@@ -710,6 +806,74 @@ export const idpOrg = sqliteTable("idpOrg", {
    orgMapping: text("orgMapping")
 });

+// Blueprint runs
+export const blueprints = sqliteTable("blueprints", {
+    blueprintId: integer("blueprintId").primaryKey({
+        autoIncrement: true
+    }),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    name: text("name").notNull(),
+    source: text("source").notNull(),
+    createdAt: integer("createdAt").notNull(),
+    succeeded: integer("succeeded", { mode: "boolean" }).notNull(),
+    contents: text("contents").notNull(),
+    message: text("message")
+});
+export const requestAuditLog = sqliteTable(
+    "requestAuditLog",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        action: integer("action", { mode: "boolean" }).notNull(),
+        reason: integer("reason").notNull(),
+        actorType: text("actorType"),
+        actor: text("actor"),
+        actorId: text("actorId"),
+        resourceId: integer("resourceId"),
+        ip: text("ip"),
+        location: text("location"),
+        userAgent: text("userAgent"),
+        metadata: text("metadata"),
+        headers: text("headers"), // JSON blob
+        query: text("query"), // JSON blob
+        originalRequestURL: text("originalRequestURL"),
+        scheme: text("scheme"),
+        host: text("host"),
+        path: text("path"),
+        method: text("method"),
+        tls: integer("tls", { mode: "boolean" })
+    },
+    (table) => [
+        index("idx_requestAuditLog_timestamp").on(table.timestamp),
+        index("idx_requestAuditLog_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);
+
+export const deviceWebAuthCodes = sqliteTable("deviceWebAuthCodes", {
+    codeId: integer("codeId").primaryKey({ autoIncrement: true }),
+    code: text("code").notNull().unique(),
+    ip: text("ip"),
+    city: text("city"),
+    deviceName: text("deviceName"),
+    applicationName: text("applicationName").notNull(),
+    expiresAt: integer("expiresAt").notNull(),
+    createdAt: integer("createdAt").notNull(),
+    verified: integer("verified", { mode: "boolean" }).notNull().default(false),
+    userId: text("userId").references(() => users.userId, {
+        onDelete: "cascade"
+    })
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -746,8 +910,9 @@ export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
 export type VersionMigration = InferSelectModel<typeof versionMigrations>;
 export type ResourceRule = InferSelectModel<typeof resourceRules>;
 export type Domain = InferSelectModel<typeof domains>;
+export type DnsRecord = InferSelectModel<typeof dnsRecords>;
 export type Client = InferSelectModel<typeof clients>;
-export type ClientSite = InferSelectModel<typeof clientSites>;
+export type ClientSite = InferSelectModel<typeof clientSitesAssociationsCache>;
 export type RoleClient = InferSelectModel<typeof roleClients>;
 export type UserClient = InferSelectModel<typeof userClients>;
 export type SupporterKey = InferSelectModel<typeof supporterKey>;
@@ -761,3 +926,9 @@ export type SetupToken = InferSelectModel<typeof setupTokens>;
 export type HostMeta = InferSelectModel<typeof hostMeta>;
 export type TargetHealthCheck = InferSelectModel<typeof targetHealthCheck>;
 export type IdpOidcConfig = InferSelectModel<typeof idpOidcConfig>;
+export type Blueprint = InferSelectModel<typeof blueprints>;
+export type LicenseKey = InferSelectModel<typeof licenseKey>;
+export type SecurityKey = InferSelectModel<typeof securityKeys>;
+export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
+export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
+export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
--- a/server/emails/templates/SupportEmail.tsx
+++ b/server/emails/templates/SupportEmail.tsx
@@ -0,0 +1,56 @@
+import React from "react";
+import { Body, Head, Html, Preview, Tailwind } from "@react-email/components";
+import { themeColors } from "./lib/theme";
+import {
+    EmailContainer,
+    EmailGreeting,
+    EmailLetterHead,
+    EmailText
+} from "./components/Email";
+
+interface SupportEmailProps {
+    email: string;
+    username: string;
+    subject: string;
+    body: string;
+}
+
+export const SupportEmail = ({
+    username,
+    email,
+    body,
+    subject
+}: SupportEmailProps) => {
+    const previewText = subject;
+
+    return (
+        <Html>
+            <Head />
+            <Preview>{previewText}</Preview>
+            <Tailwind config={themeColors}>
+                <Body className="font-sans bg-gray-50">
+                    <EmailContainer>
+                        <EmailLetterHead />
+
+                        <EmailGreeting>Hi support,</EmailGreeting>
+
+                        <EmailText>
+                            You have received a new support request from{" "}
+                            <strong>{username}</strong> ({email}).
+                        </EmailText>
+
+                        <EmailText>
+                            <strong>Subject:</strong> {subject}
+                        </EmailText>
+
+                        <EmailText>
+                            <strong>Message:</strong> {body}
+                        </EmailText>
+                    </EmailContainer>
+                </Body>
+            </Tailwind>
+        </Html>
+    );
+};
+
+export default SupportEmail;
--- a/server/index.ts
+++ b/server/index.ts
@@ -5,21 +5,24 @@ import { runSetupFunctions } from "./setup";
 import { createApiServer } from "./apiServer";
 import { createNextServer } from "./nextServer";
 import { createInternalServer } from "./internalServer";
+import { createIntegrationApiServer } from "./integrationApiServer";
 import {
    ApiKey,
    ApiKeyOrg,
    RemoteExitNode,
    Session,
+    SiteResource,
    User,
    UserOrg
 } from "@server/db";
-import { createIntegrationApiServer } from "./integrationApiServer";
 import config from "@server/lib/config";
 import { setHostMeta } from "@server/lib/hostMeta";
-import { initTelemetryClient } from "./lib/telemetry.js";
-import { TraefikConfigManager } from "./lib/traefik/TraefikConfigManager.js";
+import { initTelemetryClient } from "@server/lib/telemetry";
+import { TraefikConfigManager } from "@server/lib/traefik/TraefikConfigManager";
 import { initCleanup } from "#dynamic/cleanup";
 import license from "#dynamic/license/license";
+import { initLogCleanupInterval } from "@server/lib/cleanupLogs";
+import { fetchServerIp } from "@server/lib/serverIpService";

 async function startServers() {
    await setHostMeta();
@@ -31,14 +34,17 @@ async function startServers() {

    await runSetupFunctions();

+    await fetchServerIp();
+
    initTelemetryClient();

+    initLogCleanupInterval();
+
    // Start all servers
    const apiServer = createApiServer();
    const internalServer = createInternalServer();

-    let nextServer;
-    nextServer = await createNextServer();
+    const nextServer = await createNextServer();
    if (config.getRawConfig().traefik.file_mode) {
        const monitor = new TraefikConfigManager();
        await monitor.start();
@@ -72,6 +78,8 @@ declare global {
            userOrgId?: string;
            userOrgIds?: string[];
            remoteExitNode?: RemoteExitNode;
+            siteResource?: SiteResource;
+            orgPolicyAllowed?: boolean;
        }
    }
 }
--- a/server/lib/billing/getOrgTierData.ts
+++ b/server/lib/billing/getOrgTierData.ts
@@ -1,8 +1,8 @@
 export async function getOrgTierData(
    orgId: string
 ): Promise<{ tier: string | null; active: boolean }> {
-    let tier = null;
-    let active = false;
+    const tier = null;
+    const active = false;

    return { tier, active };
 }
--- a/server/lib/billing/usageService.ts
+++ b/server/lib/billing/usageService.ts
@@ -1,5 +1,4 @@
 import { eq, sql, and } from "drizzle-orm";
-import NodeCache from "node-cache";
 import { v4 as uuidv4 } from "uuid";
 import { PutObjectCommand } from "@aws-sdk/client-s3";
 import * as fs from "fs/promises";
@@ -20,6 +19,7 @@ import logger from "@server/logger";
 import { sendToClient } from "#dynamic/routers/ws";
 import { build } from "@server/build";
 import { s3Client } from "@server/lib/s3";
+import cache from "@server/lib/cache"; 

 interface StripeEvent {
    identifier?: string;
@@ -43,7 +43,6 @@ export function noop() {
 }

 export class UsageService {
-    private cache: NodeCache;
    private bucketName: string | undefined;
    private currentEventFile: string | null = null;
    private currentFileStartTime: number = 0;
@@ -51,7 +50,6 @@ export class UsageService {
    private uploadingFiles: Set<string> = new Set();

    constructor() {
-        this.cache = new NodeCache({ stdTTL: 300 }); // 5 minute TTL
        if (noop()) {
            return;
        }
@@ -399,7 +397,7 @@ export class UsageService {
        featureId: FeatureId
    ): Promise<string | null> {
        const cacheKey = `customer_${orgId}_${featureId}`;
-        const cached = this.cache.get<string>(cacheKey);
+        const cached = cache.get<string>(cacheKey);

        if (cached) {
            return cached;
@@ -422,7 +420,7 @@ export class UsageService {
            const customerId = customer.customerId;

            // Cache the result
-            this.cache.set(cacheKey, customerId);
+            cache.set(cacheKey, customerId, 300); // 5 minute TTL

            return customerId;
        } catch (error) {
@@ -700,10 +698,6 @@ export class UsageService {
        await this.uploadFileToS3();
    }

-    public clearCache(): void {
-        this.cache.flushAll();
-    }
-
    /**
     * Scan the events directory for files older than 1 minute and upload them if not empty.
     */
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -1,22 +1,36 @@
-import { db, newts, Target } from "@server/db";
+import { db, newts, blueprints, Blueprint } from "@server/db";
 import { Config, ConfigSchema } from "./types";
 import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
-import { resources, targets, sites } from "@server/db";
-import { eq, and, asc, or, ne, count, isNotNull } from "drizzle-orm";
+import { sites } from "@server/db";
+import { eq, and, isNotNull } from "drizzle-orm";
 import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
 import { addTargets as addClientTargets } from "@server/routers/client/targets";
 import {
    ClientResourcesResults,
    updateClientResources
 } from "./clientResources";
+import { BlueprintSource } from "@server/routers/blueprints/types";
+import { stringify as stringifyYaml } from "yaml";
+import { faker } from "@faker-js/faker";
+import { handleMessagingForUpdatedSiteResource } from "@server/routers/siteResource";

-export async function applyBlueprint(
-    orgId: string,
-    configData: unknown,
-    siteId?: number
-): Promise<void> {
+type ApplyBlueprintArgs = {
+    orgId: string;
+    configData: unknown;
+    name?: string;
+    siteId?: number;
+    source?: BlueprintSource;
+};
+
+export async function applyBlueprint({
+    orgId,
+    configData,
+    siteId,
+    name,
+    source = "API"
+}: ApplyBlueprintArgs): Promise<Blueprint> {
    // Validate the input data
    const validationResult = ConfigSchema.safeParse(configData);
    if (!validationResult.success) {
@@ -24,6 +38,9 @@ export async function applyBlueprint(
    }

    const config: Config = validationResult.data;
+    let blueprintSucceeded: boolean = false;
+    let blueprintMessage: string;
+    let error: any | null = null;

    try {
        let proxyResourcesResults: ProxyResourcesResults = [];
@@ -41,22 +58,63 @@ export async function applyBlueprint(
                trx,
                siteId
            );
-        });

-        logger.debug(
-            `Successfully updated proxy resources for org ${orgId}: ${JSON.stringify(proxyResourcesResults)}`
-        );
+            logger.debug(
+                `Successfully updated proxy resources for org ${orgId}: ${JSON.stringify(proxyResourcesResults)}`
+            );

-        // We need to update the targets on the newts from the successfully updated information
-        for (const result of proxyResourcesResults) {
-            for (const target of result.targetsToUpdate) {
-                const [site] = await db
+            // We need to update the targets on the newts from the successfully updated information
+            for (const result of proxyResourcesResults) {
+                for (const target of result.targetsToUpdate) {
+                    const [site] = await trx
+                        .select()
+                        .from(sites)
+                        .innerJoin(newts, eq(sites.siteId, newts.siteId))
+                        .where(
+                            and(
+                                eq(sites.siteId, target.siteId),
+                                eq(sites.orgId, orgId),
+                                eq(sites.type, "newt"),
+                                isNotNull(sites.pubKey)
+                            )
+                        )
+                        .limit(1);
+
+                    if (site) {
+                        logger.debug(
+                            `Updating target ${target.targetId} on site ${site.sites.siteId}`
+                        );
+
+                        // see if you can find a matching target health check from the healthchecksToUpdate array
+                        const matchingHealthcheck =
+                            result.healthchecksToUpdate.find(
+                                (hc) => hc.targetId === target.targetId
+                            );
+
+                        await addProxyTargets(
+                            site.newt.newtId,
+                            [target],
+                            matchingHealthcheck ? [matchingHealthcheck] : [],
+                            result.proxyResource.protocol,
+                            result.proxyResource.proxyPort
+                        );
+                    }
+                }
+            }
+
+            logger.debug(
+                `Successfully updated client resources for org ${orgId}: ${JSON.stringify(clientResourcesResults)}`
+            );
+
+            // We need to update the targets on the newts from the successfully updated information
+            for (const result of clientResourcesResults) {
+                const [site] = await trx
                    .select()
                    .from(sites)
                    .innerJoin(newts, eq(sites.siteId, newts.siteId))
                    .where(
                        and(
-                            eq(sites.siteId, target.siteId),
+                            eq(sites.siteId, result.newSiteResource.siteId),
                            eq(sites.orgId, orgId),
                            eq(sites.type, "newt"),
                            isNotNull(sites.pubKey)
@@ -64,114 +122,67 @@ export async function applyBlueprint(
                    )
                    .limit(1);

-                if (site) {
+                if (!site) {
                    logger.debug(
-                        `Updating target ${target.targetId} on site ${site.sites.siteId}`
-                    );
-
-                    // see if you can find a matching target health check from the healthchecksToUpdate array
-                    const matchingHealthcheck =
-                        result.healthchecksToUpdate.find(
-                            (hc) => hc.targetId === target.targetId
-                        );
-
-                    await addProxyTargets(
-                        site.newt.newtId,
-                        [target],
-                        matchingHealthcheck ? [matchingHealthcheck] : [],
-                        result.proxyResource.protocol,
-                        result.proxyResource.proxyPort
+                        `No newt site found for client resource ${result.newSiteResource.siteResourceId}, skipping target update`
                    );
+                    continue;
                }
-            }
-        }

-        logger.debug(
-            `Successfully updated client resources for org ${orgId}: ${JSON.stringify(clientResourcesResults)}`
-        );
-
-        // We need to update the targets on the newts from the successfully updated information
-        for (const result of clientResourcesResults) {
-            const [site] = await db
-                .select()
-                .from(sites)
-                .innerJoin(newts, eq(sites.siteId, newts.siteId))
-                .where(
-                    and(
-                        eq(sites.siteId, result.resource.siteId),
-                        eq(sites.orgId, orgId),
-                        eq(sites.type, "newt"),
-                        isNotNull(sites.pubKey)
-                    )
-                )
-                .limit(1);
-
-            if (site) {
                logger.debug(
-                    `Updating client resource ${result.resource.siteResourceId} on site ${site.sites.siteId}`
+                    `Updating client resource ${result.newSiteResource.siteResourceId} on site ${site.sites.siteId}`
                );

-                await addClientTargets(
-                    site.newt.newtId,
-                    result.resource.destinationIp,
-                    result.resource.destinationPort,
-                    result.resource.protocol,
-                    result.resource.proxyPort
+                await handleMessagingForUpdatedSiteResource(
+                    result.oldSiteResource,
+                    result.newSiteResource,
+                    { siteId: site.sites.siteId, orgId: site.sites.orgId },
+                    trx
                );
+
+                // await addClientTargets(
+                //     site.newt.newtId,
+                //     result.resource.destination,
+                //     result.resource.destinationPort,
+                //     result.resource.protocol,
+                //     result.resource.proxyPort
+                // );
            }
-        }
-    } catch (error) {
-        logger.error(`Failed to update database from config: ${error}`);
-        throw error;
-    }
-}
+        });

-// await updateDatabaseFromConfig("org_i21aifypnlyxur2", {
-//     resources: {
-//         "resource-nice-id": {
-//             name: "this is my resource",
-//             protocol: "http",
-//             "full-domain": "level1.test.example.com",
-//             "host-header": "example.com",
-//             "tls-server-name": "example.com",
-//             auth: {
-//                 pincode: 123456,
-//                 password: "sadfasdfadsf",
-//                 "sso-enabled": true,
-//                 "sso-roles": ["Member"],
-//                 "sso-users": ["owen@pangolin.net"],
-//                 "whitelist-users": ["owen@pangolin.net"]
-//             },
-//             targets: [
-//                 {
-//                     site: "glossy-plains-viscacha-rat",
-//                     hostname: "localhost",
-//                     method: "http",
-//                     port: 8000,
-//                     healthcheck: {
-//                         port: 8000,
-//                         hostname: "localhost"
-//                     }
-//                 },
-//                 {
-//                     site: "glossy-plains-viscacha-rat",
-//                     hostname: "localhost",
-//                     method: "http",
-//                     port: 8001
-//                 }
-//             ]
-//         },
-// "resource-nice-id2": {
-//     name: "http server",
-//     protocol: "tcp",
-//     "proxy-port": 3000,
-//     targets: [
-//         {
-//             site: "glossy-plains-viscacha-rat",
-//             hostname: "localhost",
-//             port: 3000,
-//         }
-//     ]
-// }
-//     }
-// });
+        blueprintSucceeded = true;
+        blueprintMessage = "Blueprint applied successfully";
+    } catch (err) {
+        blueprintSucceeded = false;
+        blueprintMessage = `Blueprint applied with errors: ${err}`;
+        logger.error(blueprintMessage);
+        error = err;
+    }
+
+    let blueprint: Blueprint | null = null;
+    await db.transaction(async (trx) => {
+        const newBlueprint = await trx
+            .insert(blueprints)
+            .values({
+                orgId,
+                name:
+                    name ??
+                    `${faker.word.adjective()} ${faker.word.adjective()} ${faker.word.noun()}`,
+                contents: stringifyYaml(configData),
+                createdAt: Math.floor(Date.now() / 1000),
+                succeeded: blueprintSucceeded,
+                message: blueprintMessage,
+                source
+            })
+            .returning();
+
+        blueprint = newBlueprint[0];
+    });
+
+    if (!blueprint || (source !== "UI" && !blueprintSucceeded)) {
+        //             ^^^^^^^^^^^^^^^ The UI considers a failed blueprint as a valid response
+        throw error ?? "Unknown Server Error";
+    }
+
+    return blueprint;
+}
--- a/server/lib/blueprints/applyNewtDockerBlueprint.ts
+++ b/server/lib/blueprints/applyNewtDockerBlueprint.ts
@@ -29,15 +29,29 @@ export async function applyNewtDockerBlueprint(

        logger.debug(`Received Docker blueprint: ${JSON.stringify(blueprint)}`);

+        // make sure this is not an empty object
+        if (isEmptyObject(blueprint)) {
+            return;
+        }
+
+        if (isEmptyObject(blueprint["proxy-resources"]) && isEmptyObject(blueprint["client-resources"])) {
+            return;
+        }
+
        // Update the blueprint in the database
-        await applyBlueprint(site.orgId, blueprint, site.siteId);
+        await applyBlueprint({
+            orgId: site.orgId,
+            configData: blueprint,
+            siteId: site.siteId,
+            source: "NEWT"
+        });
    } catch (error) {
        logger.error(`Failed to update database from config: ${error}`);
        await sendToClient(newtId, {
            type: "newt/blueprint/results",
            data: {
                success: false,
-                message: `Failed to update database from config: ${error}`
+                message: `Failed to apply blueprint from config: ${error}`
            }
        });
        return;
@@ -51,3 +65,10 @@ export async function applyNewtDockerBlueprint(
        }
    });
 }
+
+function isEmptyObject(obj: any) {
+    if (obj === null || obj === undefined) {
+        return true;
+    }
+    return Object.keys(obj).length === 0 && obj.constructor === Object;
+}
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -1,17 +1,23 @@
 import {
+    clients,
+    clientSiteResources,
+    roles,
+    roleSiteResources,
    SiteResource,
    siteResources,
    Transaction,
+    userOrgs,
+    users,
+    userSiteResources
 } from "@server/db";
 import { sites } from "@server/db";
-import { eq, and } from "drizzle-orm";
-import {
-    Config,
-} from "./types";
+import { eq, and, ne, inArray } from "drizzle-orm";
+import { Config } from "./types";
 import logger from "@server/logger";

 export type ClientResourcesResults = {
-    resource: SiteResource;
+    newSiteResource: SiteResource;
+    oldSiteResource?: SiteResource;
 }[];

 export async function updateClientResources(
@@ -69,16 +75,22 @@ export async function updateClientResources(
        }

        if (existingResource) {
+            if (existingResource.siteId !== site.siteId) {
+                throw new Error(
+                    `You can not change the site of an existing client resource (${resourceNiceId}). Please delete and recreate it instead.`
+                );
+            }
+
            // Update existing resource
            const [updatedResource] = await trx
                .update(siteResources)
                .set({
                    name: resourceData.name || resourceNiceId,
-                    siteId: site.siteId,
-                    proxyPort: resourceData["proxy-port"]!,
-                    destinationIp: resourceData.hostname,
-                    destinationPort: resourceData["internal-port"],
-                    protocol: resourceData.protocol
+                    mode: resourceData.mode,
+                    destination: resourceData.destination,
+                    enabled: true, // hardcoded for now
+                    // enabled: resourceData.enabled ?? true,
+                    alias: resourceData.alias || null
                })
                .where(
                    eq(
@@ -88,7 +100,110 @@ export async function updateClientResources(
                )
                .returning();

-                results.push({ resource: updatedResource });
+            const siteResourceId = existingResource.siteResourceId;
+            const orgId = existingResource.orgId;
+
+            await trx
+                .delete(clientSiteResources)
+                .where(eq(clientSiteResources.siteResourceId, siteResourceId));
+
+            if (resourceData.machines.length > 0) {
+                // get clientIds from niceIds
+                const clientsToUpdate = await trx
+                    .select()
+                    .from(clients)
+                    .where(
+                        and(
+                            inArray(clients.niceId, resourceData.machines),
+                            eq(clients.orgId, orgId)
+                        )
+                    );
+
+                const clientIds = clientsToUpdate.map(
+                    (client) => client.clientId
+                );
+
+                await trx.insert(clientSiteResources).values(
+                    clientIds.map((clientId) => ({
+                        clientId,
+                        siteResourceId
+                    }))
+                );
+            }
+
+            await trx
+                .delete(userSiteResources)
+                .where(eq(userSiteResources.siteResourceId, siteResourceId));
+
+            if (resourceData.users.length > 0) {
+                // get userIds from username
+                const usersToUpdate = await trx
+                    .select()
+                    .from(users)
+                    .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+                    .where(
+                        and(
+                            inArray(users.username, resourceData.users),
+                            eq(userOrgs.orgId, orgId)
+                        )
+                    );
+
+                const userIds = usersToUpdate.map((user) => user.user.userId);
+
+                await trx
+                    .insert(userSiteResources)
+                    .values(
+                        userIds.map((userId) => ({ userId, siteResourceId }))
+                    );
+            }
+
+            // Get all admin role IDs for this org to exclude from deletion
+            const adminRoles = await trx
+                .select()
+                .from(roles)
+                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)));
+            const adminRoleIds = adminRoles.map((role) => role.roleId);
+
+            if (adminRoleIds.length > 0) {
+                await trx.delete(roleSiteResources).where(
+                    and(
+                        eq(roleSiteResources.siteResourceId, siteResourceId),
+                        ne(roleSiteResources.roleId, adminRoleIds[0]) // delete all but the admin role
+                    )
+                );
+            } else {
+                await trx
+                    .delete(roleSiteResources)
+                    .where(
+                        eq(roleSiteResources.siteResourceId, siteResourceId)
+                    );
+            }
+
+            if (resourceData.roles.length > 0) {
+                // Re-add specified roles but we need to get the roleIds from the role name in the array
+                const rolesToUpdate = await trx
+                    .select()
+                    .from(roles)
+                    .where(
+                        and(
+                            eq(roles.orgId, orgId),
+                            inArray(roles.name, resourceData.roles)
+                        )
+                    );
+
+                const roleIds = rolesToUpdate.map((role) => role.roleId);
+
+                await trx
+                    .insert(roleSiteResources)
+                    .values(
+                        roleIds.map((roleId) => ({ roleId, siteResourceId }))
+                    );
+            }
+
+            results.push({
+                newSiteResource: updatedResource,
+                oldSiteResource: existingResource
+            });
        } else {
            // Create new resource
            const [newResource] = await trx
@@ -98,18 +213,103 @@ export async function updateClientResources(
                    siteId: site.siteId,
                    niceId: resourceNiceId,
                    name: resourceData.name || resourceNiceId,
-                    proxyPort: resourceData["proxy-port"]!,
-                    destinationIp: resourceData.hostname,
-                    destinationPort: resourceData["internal-port"],
-                    protocol: resourceData.protocol
+                    mode: resourceData.mode,
+                    destination: resourceData.destination,
+                    enabled: true, // hardcoded for now
+                    // enabled: resourceData.enabled ?? true,
+                    alias: resourceData.alias || null
                })
                .returning();

+            const siteResourceId = newResource.siteResourceId;
+
+            const [adminRole] = await trx
+                .select()
+                .from(roles)
+                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+                .limit(1);
+
+            if (!adminRole) {
+                throw new Error(`Admin role not found for org ${orgId}`);
+            }
+
+            await trx.insert(roleSiteResources).values({
+                roleId: adminRole.roleId,
+                siteResourceId: siteResourceId
+            });
+
+            if (resourceData.roles.length > 0) {
+                // get roleIds from role names
+                const rolesToUpdate = await trx
+                    .select()
+                    .from(roles)
+                    .where(
+                        and(
+                            eq(roles.orgId, orgId),
+                            inArray(roles.name, resourceData.roles)
+                        )
+                    );
+
+                const roleIds = rolesToUpdate.map((role) => role.roleId);
+
+                await trx
+                    .insert(roleSiteResources)
+                    .values(
+                        roleIds.map((roleId) => ({ roleId, siteResourceId }))
+                    );
+            }
+
+            if (resourceData.users.length > 0) {
+                // get userIds from username
+                const usersToUpdate = await trx
+                    .select()
+                    .from(users)
+                    .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+                    .where(
+                        and(
+                            inArray(users.username, resourceData.users),
+                            eq(userOrgs.orgId, orgId)
+                        )
+                    );
+
+                const userIds = usersToUpdate.map((user) => user.user.userId);
+
+                await trx
+                    .insert(userSiteResources)
+                    .values(
+                        userIds.map((userId) => ({ userId, siteResourceId }))
+                    );
+            }
+
+            if (resourceData.machines.length > 0) {
+                // get clientIds from niceIds
+                const clientsToUpdate = await trx
+                    .select()
+                    .from(clients)
+                    .where(
+                        and(
+                            inArray(clients.niceId, resourceData.machines),
+                            eq(clients.orgId, orgId)
+                        )
+                    );
+
+                const clientIds = clientsToUpdate.map(
+                    (client) => client.clientId
+                );
+
+                await trx.insert(clientSiteResources).values(
+                    clientIds.map((clientId) => ({
+                        clientId,
+                        siteResourceId
+                    }))
+                );
+            }
+
            logger.info(
                `Created new client resource ${newResource.name} (${newResource.siteResourceId}) for org ${orgId}`
            );

-            results.push({ resource: newResource });
+            results.push({ newSiteResource: newResource });
        }
    }

--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -30,6 +30,7 @@ import { pickPort } from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
+import { get } from "http";

 export type ProxyResourcesResults = {
    proxyResource: Resource;
@@ -114,7 +115,12 @@ export async function updateProxyResources(
                    internalPort: internalPortToCreate,
                    path: targetData.path,
                    pathMatchType: targetData["path-match"],
-                    rewritePath: targetData.rewritePath,
+                    rewritePath:
+                        targetData.rewritePath ||
+                        targetData["rewrite-path"] ||
+                        (targetData["rewrite-match"] === "stripPrefix"
+                            ? "/"
+                            : undefined),
                    rewritePathType: targetData["rewrite-match"],
                    priority: targetData.priority
                })
@@ -139,10 +145,14 @@ export async function updateProxyResources(
                    hcHostname: healthcheckData?.hostname,
                    hcPort: healthcheckData?.port,
                    hcInterval: healthcheckData?.interval,
-                    hcUnhealthyInterval: healthcheckData?.unhealthyInterval,
+                    hcUnhealthyInterval:
+                        healthcheckData?.unhealthyInterval ||
+                        healthcheckData?.["unhealthy-interval"],
                    hcTimeout: healthcheckData?.timeout,
                    hcHeaders: hcHeaders,
-                    hcFollowRedirects: healthcheckData?.followRedirects,
+                    hcFollowRedirects:
+                        healthcheckData?.followRedirects ||
+                        healthcheckData?.["follow-redirects"],
                    hcMethod: healthcheckData?.method,
                    hcStatus: healthcheckData?.status,
                    hcHealth: "unknown"
@@ -211,6 +221,8 @@ export async function updateProxyResources(
                        domainId: domain ? domain.domainId : null,
                        enabled: resourceEnabled,
                        sso: resourceData.auth?.["sso-enabled"] || false,
+                        skipToIdpId:
+                            resourceData.auth?.["auto-login-idp"] || null,
                        ssl: resourceSsl,
                        setHostHeader: resourceData["host-header"] || null,
                        tlsServerName: resourceData["tls-server-name"] || null,
@@ -392,7 +404,12 @@ export async function updateProxyResources(
                            enabled: targetData.enabled,
                            path: targetData.path,
                            pathMatchType: targetData["path-match"],
-                            rewritePath: targetData.rewritePath,
+                            rewritePath:
+                                targetData.rewritePath ||
+                                targetData["rewrite-path"] ||
+                                (targetData["rewrite-match"] === "stripPrefix"
+                                    ? "/"
+                                    : undefined),
                            rewritePathType: targetData["rewrite-match"],
                            priority: targetData.priority
                        })
@@ -452,10 +469,13 @@ export async function updateProxyResources(
                            hcPort: healthcheckData?.port,
                            hcInterval: healthcheckData?.interval,
                            hcUnhealthyInterval:
-                                healthcheckData?.unhealthyInterval,
+                                healthcheckData?.unhealthyInterval ||
+                                healthcheckData?.["unhealthy-interval"],
                            hcTimeout: healthcheckData?.timeout,
                            hcHeaders: hcHeaders,
-                            hcFollowRedirects: healthcheckData?.followRedirects,
+                            hcFollowRedirects:
+                                healthcheckData?.followRedirects ||
+                                healthcheckData?.["follow-redirects"],
                            hcMethod: healthcheckData?.method,
                            hcStatus: healthcheckData?.status
                        })
@@ -527,7 +547,8 @@ export async function updateProxyResources(
                    if (
                        existingRule.action !== getRuleAction(rule.action) ||
                        existingRule.match !== rule.match.toUpperCase() ||
-                        existingRule.value !== rule.value
+                        existingRule.value !==
+                            getRuleValue(rule.match.toUpperCase(), rule.value)
                    ) {
                        validateRule(rule);
                        await trx
@@ -535,7 +556,10 @@ export async function updateProxyResources(
                            .set({
                                action: getRuleAction(rule.action),
                                match: rule.match.toUpperCase(),
-                                value: rule.value
+                                value: getRuleValue(
+                                    rule.match.toUpperCase(),
+                                    rule.value
+                                )
                            })
                            .where(
                                eq(resourceRules.ruleId, existingRule.ruleId)
@@ -547,7 +571,10 @@ export async function updateProxyResources(
                        resourceId: existingResource.resourceId,
                        action: getRuleAction(rule.action),
                        match: rule.match.toUpperCase(),
-                        value: rule.value,
+                        value: getRuleValue(
+                            rule.match.toUpperCase(),
+                            rule.value
+                        ),
                        priority: index + 1 // start priorities at 1
                    });
                }
@@ -592,6 +619,7 @@ export async function updateProxyResources(
                    domainId: domain ? domain.domainId : null,
                    enabled: resourceEnabled,
                    sso: resourceData.auth?.["sso-enabled"] || false,
+                    skipToIdpId: resourceData.auth?.["auto-login-idp"] || null,
                    setHostHeader: resourceData["host-header"] || null,
                    tlsServerName: resourceData["tls-server-name"] || null,
                    ssl: resourceSsl,
@@ -705,7 +733,7 @@ export async function updateProxyResources(
                    resourceId: newResource.resourceId,
                    action: getRuleAction(rule.action),
                    match: rule.match.toUpperCase(),
-                    value: rule.value,
+                    value: getRuleValue(rule.match.toUpperCase(), rule.value),
                    priority: index + 1 // start priorities at 1
                });
            }
@@ -735,6 +763,14 @@ function getRuleAction(input: string) {
    return action;
 }

+function getRuleValue(match: string, value: string) {
+    // if the match is a country, uppercase the value
+    if (match == "COUNTRY") {
+        return value.toUpperCase();
+    }
+    return value;
+}
+
 function validateRule(rule: any) {
    if (rule.match === "cidr") {
        if (!isValidCIDR(rule.value)) {
@@ -763,10 +799,6 @@ async function syncRoleResources(
        .where(eq(roleResources.resourceId, resourceId));

    for (const roleName of ssoRoles) {
-        if (roleName === "Admin") {
-            continue; // never add admin access
-        }
-
        const [role] = await trx
            .select()
            .from(roles)
@@ -777,6 +809,10 @@ async function syncRoleResources(
            throw new Error(`Role not found: ${roleName} in org ${orgId}`);
        }

+        if (role.isAdmin) {
+            continue; // never add admin access
+        }
+
        const existingRoleResource = existingRoleResources.find(
            (rr) => rr.roleId === role.roleId
        );
@@ -824,16 +860,16 @@ async function syncUserResources(
        .from(userResources)
        .where(eq(userResources.resourceId, resourceId));

-    for (const email of ssoUsers) {
+    for (const username of ssoUsers) {
        const [user] = await trx
            .select()
            .from(users)
            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(and(eq(users.email, email), eq(userOrgs.orgId, orgId)))
+            .where(and(eq(users.username, username), eq(userOrgs.orgId, orgId)))
            .limit(1);

        if (!user) {
-            throw new Error(`User not found: ${email} in org ${orgId}`);
+            throw new Error(`User not found: ${username} in org ${orgId}`);
        }

        const existingUserResource = existingUserResources.find(
@@ -861,7 +897,11 @@ async function syncUserResources(
            )
            .limit(1);

-        if (user && user.user.email && !ssoUsers.includes(user.user.email)) {
+        if (
+            user &&
+            user.user.username &&
+            !ssoUsers.includes(user.user.username)
+        ) {
            await trx
                .delete(userResources)
                .where(
@@ -1046,7 +1086,7 @@ async function getDomainId(

    // remove the base domain of the domain
    let subdomain = null;
-    if (domainSelection.type == "ns") {
+    if (domainSelection.type == "ns" || domainSelection.type == "wildcard") {
        if (fullDomain != baseDomain) {
            subdomain = fullDomain.replace(`.${baseDomain}`, "");
        }
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -7,18 +7,24 @@ export const SiteSchema = z.object({

 export const TargetHealthCheckSchema = z.object({
    hostname: z.string(),
-    port: z.number().int().min(1).max(65535),
+    port: z.int().min(1).max(65535),
    enabled: z.boolean().optional().default(true),
-    path: z.string().optional(),
+    path: z.string().optional().default("/"),
    scheme: z.string().optional(),
    mode: z.string().default("http"),
-    interval: z.number().int().default(30),
-    unhealthyInterval: z.number().int().default(30),
-    timeout: z.number().int().default(5),
-    headers: z.array(z.object({ name: z.string(), value: z.string() })).nullable().optional().default(null),
-    followRedirects: z.boolean().default(true),
+    interval: z.int().default(30),
+    "unhealthy-interval": z.int().default(30),
+    unhealthyInterval: z.int().optional(), // deprecated alias
+    timeout: z.int().default(5),
+    headers: z
+        .array(z.object({ name: z.string(), value: z.string() }))
+        .nullable()
+        .optional()
+        .default(null),
+    "follow-redirects": z.boolean().default(true),
+    followRedirects: z.boolean().optional(), // deprecated alias
    method: z.string().default("GET"),
-    status: z.number().int().optional()
+    status: z.int().optional()
 });

 // Schema for individual target within a resource
@@ -26,15 +32,19 @@ export const TargetSchema = z.object({
    site: z.string().optional(),
    method: z.enum(["http", "https", "h2c"]).optional(),
    hostname: z.string(),
-    port: z.number().int().min(1).max(65535),
+    port: z.int().min(1).max(65535),
    enabled: z.boolean().optional().default(true),
-    "internal-port": z.number().int().min(1).max(65535).optional(),
+    "internal-port": z.int().min(1).max(65535).optional(),
    path: z.string().optional(),
    "path-match": z.enum(["exact", "prefix", "regex"]).optional().nullable(),
    healthcheck: TargetHealthCheckSchema.optional(),
-    rewritePath: z.string().optional(),
-    "rewrite-match": z.enum(["exact", "prefix", "regex", "stripPrefix"]).optional().nullable(),
-    priority: z.number().int().min(1).max(1000).optional().default(100)
+    rewritePath: z.string().optional(), // deprecated alias
+    "rewrite-path": z.string().optional(),
+    "rewrite-match": z
+        .enum(["exact", "prefix", "regex", "stripPrefix"])
+        .optional()
+        .nullable(),
+    priority: z.int().min(1).max(1000).optional().default(100)
 });
 export type TargetData = z.infer<typeof TargetSchema>;

@@ -42,20 +52,23 @@ export const AuthSchema = z.object({
    // pincode has to have 6 digits
    pincode: z.number().min(100000).max(999999).optional(),
    password: z.string().min(1).optional(),
-    "basic-auth": z.object({
-        user: z.string().min(1),
-        password: z.string().min(1)
-    }).optional(),
+    "basic-auth": z
+        .object({
+            user: z.string().min(1),
+            password: z.string().min(1)
+        })
+        .optional(),
    "sso-enabled": z.boolean().optional().default(false),
    "sso-roles": z
        .array(z.string())
        .optional()
        .default([])
        .refine((roles) => !roles.includes("Admin"), {
-            message: "Admin role cannot be included in sso-roles"
+            error: "Admin role cannot be included in sso-roles"
        }),
-    "sso-users": z.array(z.string().email()).optional().default([]),
-    "whitelist-users": z.array(z.string().email()).optional().default([]),
+    "sso-users": z.array(z.email()).optional().default([]),
+    "whitelist-users": z.array(z.email()).optional().default([]),
+    "auto-login-idp": z.int().positive().optional()
 });

 export const RuleSchema = z.object({
@@ -76,7 +89,7 @@ export const ResourceSchema = z
        protocol: z.enum(["http", "tcp", "udp"]).optional(),
        ssl: z.boolean().optional(),
        "full-domain": z.string().optional(),
-        "proxy-port": z.number().int().min(1).max(65535).optional(),
+        "proxy-port": z.int().min(1).max(65535).optional(),
        enabled: z.boolean().optional(),
        targets: z.array(TargetSchema.nullable()).optional().default([]),
        auth: AuthSchema.optional(),
@@ -97,9 +110,8 @@ export const ResourceSchema = z
            );
        },
        {
-            message:
-                "Resource must either be targets-only (only 'targets' field) or have both 'name' and 'protocol' fields at a minimum",
-            path: ["name", "protocol"]
+            path: ["name", "protocol"],
+            error: "Resource must either be targets-only (only 'targets' field) or have both 'name' and 'protocol' fields at a minimum"
        }
    )
    .refine(
@@ -114,6 +126,19 @@ export const ResourceSchema = z
                    (target) => target == null || target.method !== undefined
                );
            }
+            return true;
+        },
+        {
+            path: ["targets"],
+            error: "When protocol is 'http', all targets must have a 'method' field"
+        }
+    )
+    .refine(
+        (resource) => {
+            if (isTargetsOnlyResource(resource)) {
+                return true;
+            }
+
            // If protocol is tcp or udp, no target should have method field
            if (resource.protocol === "tcp" || resource.protocol === "udp") {
                return resource.targets.every(
@@ -122,19 +147,9 @@ export const ResourceSchema = z
            }
            return true;
        },
-        (resource) => {
-            if (resource.protocol === "http") {
-                return {
-                    message:
-                        "When protocol is 'http', all targets must have a 'method' field",
-                    path: ["targets"]
-                };
-            }
-            return {
-                message:
-                    "When protocol is 'tcp' or 'udp', targets must not have a 'method' field",
-                path: ["targets"]
-            };
+        {
+            path: ["targets"],
+            error: "When protocol is 'tcp' or 'udp', targets must not have a 'method' field"
        }
    )
    .refine(
@@ -153,9 +168,8 @@ export const ResourceSchema = z
            return true;
        },
        {
-            message:
-                "When protocol is 'http', a 'full-domain' must be provided",
-            path: ["full-domain"]
+            path: ["full-domain"],
+            error: "When protocol is 'http', a 'full-domain' must be provided"
        }
    )
    .refine(
@@ -171,9 +185,8 @@ export const ResourceSchema = z
            return true;
        },
        {
-            message:
-                "When protocol is 'tcp' or 'udp', 'proxy-port' must be provided",
-            path: ["proxy-port", "exit-node"]
+            path: ["proxy-port", "exit-node"],
+            error: "When protocol is 'tcp' or 'udp', 'proxy-port' must be provided"
        }
    )
    .refine(
@@ -190,9 +203,8 @@ export const ResourceSchema = z
            return true;
        },
        {
-            message:
-                "When protocol is 'tcp' or 'udp', 'auth' must not be provided",
-            path: ["auth"]
+            path: ["auth"],
+            error: "When protocol is 'tcp' or 'udp', 'auth' must not be provided"
        }
    );

@@ -200,188 +212,219 @@ export function isTargetsOnlyResource(resource: any): boolean {
    return Object.keys(resource).length === 1 && resource.targets;
 }

-export const ClientResourceSchema = z.object({
-    name: z.string().min(2).max(100),
-    site: z.string().min(2).max(100).optional(),
-    protocol: z.enum(["tcp", "udp"]),
-    "proxy-port": z.number().min(1).max(65535),
-    "hostname": z.string().min(1).max(255),
-    "internal-port": z.number().min(1).max(65535),
-    enabled: z.boolean().optional().default(true)
-});
+export const ClientResourceSchema = z
+    .object({
+        name: z.string().min(1).max(255),
+        mode: z.enum(["host", "cidr"]),
+        site: z.string(),
+        // protocol: z.enum(["tcp", "udp"]).optional(),
+        // proxyPort: z.int().positive().optional(),
+        // destinationPort: z.int().positive().optional(),
+        destination: z.string().min(1),
+        // enabled: z.boolean().default(true),
+        alias: z
+            .string()
+            .regex(
+                /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
+                "Alias must be a fully qualified domain name (e.g., example.com)"
+            )
+            .optional(),
+        roles: z
+            .array(z.string())
+            .optional()
+            .default([])
+            .refine((roles) => !roles.includes("Admin"), {
+                error: "Admin role cannot be included in roles"
+            }),
+        users: z.array(z.email()).optional().default([]),
+        machines: z.array(z.string()).optional().default([])
+    })
+    .refine(
+        (data) => {
+            if (data.mode === "host") {
+                // Check if it's a valid IP address using zod (v4 or v6)
+                const isValidIP = z
+                    .union([z.ipv4(), z.ipv6()])
+                    .safeParse(data.destination).success;
+
+                if (isValidIP) {
+                    return true;
+                }
+
+                // Check if it's a valid domain (hostname pattern, TLD not required)
+                const domainRegex =
+                    /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)*[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;
+                const isValidDomain = domainRegex.test(data.destination);
+                const isValidAlias = data.alias && domainRegex.test(data.alias);
+
+                return isValidDomain && isValidAlias; // require the alias to be set in the case of domain
+            }
+            return true;
+        },
+        {
+            message:
+                "Destination must be a valid IP address or valid domain AND alias is required"
+        }
+    )
+    .refine(
+        (data) => {
+            if (data.mode === "cidr") {
+                // Check if it's a valid CIDR (v4 or v6)
+                const isValidCIDR = z
+                    .union([z.cidrv4(), z.cidrv6()])
+                    .safeParse(data.destination).success;
+                return isValidCIDR;
+            }
+            return true;
+        },
+        {
+            message: "Destination must be a valid CIDR notation for cidr mode"
+        }
+    );

 // Schema for the entire configuration object
 export const ConfigSchema = z
    .object({
-        "proxy-resources": z.record(z.string(), ResourceSchema).optional().default({}),
-        "client-resources": z.record(z.string(), ClientResourceSchema).optional().default({}),
-        sites: z.record(z.string(), SiteSchema).optional().default({})
+        "proxy-resources": z
+            .record(z.string(), ResourceSchema)
+            .optional()
+            .prefault({}),
+        "public-resources": z
+            .record(z.string(), ResourceSchema)
+            .optional()
+            .prefault({}),
+        "client-resources": z
+            .record(z.string(), ClientResourceSchema)
+            .optional()
+            .prefault({}),
+        "private-resources": z
+            .record(z.string(), ClientResourceSchema)
+            .optional()
+            .prefault({}),
+        sites: z.record(z.string(), SiteSchema).optional().prefault({})
    })
-    .refine(
+    .transform((data) => {
+        // Merge public-resources into proxy-resources
+        if (data["public-resources"]) {
+            data["proxy-resources"] = {
+                ...data["proxy-resources"],
+                ...data["public-resources"]
+            };
+            delete (data as any)["public-resources"];
+        }
+        
+        // Merge private-resources into client-resources
+        if (data["private-resources"]) {
+            data["client-resources"] = {
+                ...data["client-resources"],
+                ...data["private-resources"]
+            };
+            delete (data as any)["private-resources"];
+        }
+        
+        return data as {
+            "proxy-resources": Record<string, z.infer<typeof ResourceSchema>>;
+            "client-resources": Record<string, z.infer<typeof ClientResourceSchema>>;
+            sites: Record<string, z.infer<typeof SiteSchema>>;
+        };
+    })
+    .superRefine((config, ctx) => {
        // Enforce the full-domain uniqueness across resources in the same stack
-        (config) => {
-            // Extract all full-domain values with their resource keys
-            const fullDomainMap = new Map<string, string[]>();
+        const fullDomainMap = new Map<string, string[]>();

-            Object.entries(config["proxy-resources"]).forEach(
-                ([resourceKey, resource]) => {
-                    const fullDomain = resource["full-domain"];
-                    if (fullDomain) {
-                        // Only process if full-domain is defined
-                        if (!fullDomainMap.has(fullDomain)) {
-                            fullDomainMap.set(fullDomain, []);
-                        }
-                        fullDomainMap.get(fullDomain)!.push(resourceKey);
+        Object.entries(config["proxy-resources"]).forEach(
+            ([resourceKey, resource]) => {
+                const fullDomain = resource["full-domain"];
+                if (fullDomain) {
+                    // Only process if full-domain is defined
+                    if (!fullDomainMap.has(fullDomain)) {
+                        fullDomainMap.set(fullDomain, []);
                    }
+                    fullDomainMap.get(fullDomain)!.push(resourceKey);
                }
-            );
+            }
+        );

-            // Find duplicates
-            const duplicates = Array.from(fullDomainMap.entries()).filter(
-                ([_, resourceKeys]) => resourceKeys.length > 1
-            );
+        const fullDomainDuplicates = Array.from(fullDomainMap.entries())
+            .filter(([_, resourceKeys]) => resourceKeys.length > 1)
+            .map(
+                ([fullDomain, resourceKeys]) =>
+                    `'${fullDomain}' used by resources: ${resourceKeys.join(", ")}`
+            )
+            .join("; ");

-            return duplicates.length === 0;
-        },
-        (config) => {
-            // Extract duplicates for error message
-            const fullDomainMap = new Map<string, string[]>();
-
-            Object.entries(config["proxy-resources"]).forEach(
-                ([resourceKey, resource]) => {
-                    const fullDomain = resource["full-domain"];
-                    if (fullDomain) {
-                        // Only process if full-domain is defined
-                        if (!fullDomainMap.has(fullDomain)) {
-                            fullDomainMap.set(fullDomain, []);
-                        }
-                        fullDomainMap.get(fullDomain)!.push(resourceKey);
-                    }
-                }
-            );
-
-            const duplicates = Array.from(fullDomainMap.entries())
-                .filter(([_, resourceKeys]) => resourceKeys.length > 1)
-                .map(
-                    ([fullDomain, resourceKeys]) =>
-                        `'${fullDomain}' used by resources: ${resourceKeys.join(", ")}`
-                )
-                .join("; ");
-
-            return {
-                message: `Duplicate 'full-domain' values found: ${duplicates}`,
-                path: ["resources"]
-            };
+        if (fullDomainDuplicates.length !== 0) {
+            ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["proxy-resources"],
+                message: `Duplicate 'full-domain' values found: ${fullDomainDuplicates}`
+            });
        }
-    )
-    .refine(
-        // Enforce proxy-port uniqueness within proxy-resources
-        (config) => {
-            const proxyPortMap = new Map<number, string[]>();

-            Object.entries(config["proxy-resources"]).forEach(
-                ([resourceKey, resource]) => {
-                    const proxyPort = resource["proxy-port"];
-                    if (proxyPort !== undefined) {
-                        if (!proxyPortMap.has(proxyPort)) {
-                            proxyPortMap.set(proxyPort, []);
-                        }
-                        proxyPortMap.get(proxyPort)!.push(resourceKey);
+        // Enforce proxy-port uniqueness within proxy-resources per protocol
+        const protocolPortMap = new Map<string, string[]>();
+
+        Object.entries(config["proxy-resources"]).forEach(
+            ([resourceKey, resource]) => {
+                const proxyPort = resource["proxy-port"];
+                const protocol = resource.protocol;
+                if (proxyPort !== undefined && protocol !== undefined) {
+                    const key = `${protocol}:${proxyPort}`;
+                    if (!protocolPortMap.has(key)) {
+                        protocolPortMap.set(key, []);
                    }
+                    protocolPortMap.get(key)!.push(resourceKey);
                }
-            );
+            }
+        );

-            // Find duplicates
-            const duplicates = Array.from(proxyPortMap.entries()).filter(
-                ([_, resourceKeys]) => resourceKeys.length > 1
-            );
+        const portDuplicates = Array.from(protocolPortMap.entries())
+            .filter(([_, resourceKeys]) => resourceKeys.length > 1)
+            .map(([protocolPort, resourceKeys]) => {
+                const [protocol, port] = protocolPort.split(":");
+                return `${protocol.toUpperCase()} port ${port} used by proxy-resources: ${resourceKeys.join(", ")}`;
+            })
+            .join("; ");

-            return duplicates.length === 0;
-        },
-        (config) => {
-            // Extract duplicates for error message
-            const proxyPortMap = new Map<number, string[]>();
-
-            Object.entries(config["proxy-resources"]).forEach(
-                ([resourceKey, resource]) => {
-                    const proxyPort = resource["proxy-port"];
-                    if (proxyPort !== undefined) {
-                        if (!proxyPortMap.has(proxyPort)) {
-                            proxyPortMap.set(proxyPort, []);
-                        }
-                        proxyPortMap.get(proxyPort)!.push(resourceKey);
-                    }
-                }
-            );
-
-            const duplicates = Array.from(proxyPortMap.entries())
-                .filter(([_, resourceKeys]) => resourceKeys.length > 1)
-                .map(
-                    ([proxyPort, resourceKeys]) =>
-                        `port ${proxyPort} used by proxy-resources: ${resourceKeys.join(", ")}`
-                )
-                .join("; ");
-
-            return {
-                message: `Duplicate 'proxy-port' values found in proxy-resources: ${duplicates}`,
-                path: ["proxy-resources"]
-            };
+        if (portDuplicates.length !== 0) {
+            ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["proxy-resources"],
+                message: `Duplicate 'proxy-port' values found in proxy-resources: ${portDuplicates}`
+            });
        }
-    )
-    .refine(
-        // Enforce proxy-port uniqueness within client-resources
-        (config) => {
-            const proxyPortMap = new Map<number, string[]>();

-            Object.entries(config["client-resources"]).forEach(
-                ([resourceKey, resource]) => {
-                    const proxyPort = resource["proxy-port"];
-                    if (proxyPort !== undefined) {
-                        if (!proxyPortMap.has(proxyPort)) {
-                            proxyPortMap.set(proxyPort, []);
-                        }
-                        proxyPortMap.get(proxyPort)!.push(resourceKey);
+        // Enforce alias uniqueness within client-resources
+        const aliasMap = new Map<string, string[]>();
+
+        Object.entries(config["client-resources"]).forEach(
+            ([resourceKey, resource]) => {
+                const alias = resource.alias;
+                if (alias !== undefined) {
+                    if (!aliasMap.has(alias)) {
+                        aliasMap.set(alias, []);
                    }
+                    aliasMap.get(alias)!.push(resourceKey);
                }
-            );
+            }
+        );

-            // Find duplicates
-            const duplicates = Array.from(proxyPortMap.entries()).filter(
-                ([_, resourceKeys]) => resourceKeys.length > 1
-            );
+        const aliasDuplicates = Array.from(aliasMap.entries())
+            .filter(([_, resourceKeys]) => resourceKeys.length > 1)
+            .map(
+                ([alias, resourceKeys]) =>
+                    `alias '${alias}' used by client-resources: ${resourceKeys.join(", ")}`
+            )
+            .join("; ");

-            return duplicates.length === 0;
-        },
-        (config) => {
-            // Extract duplicates for error message
-            const proxyPortMap = new Map<number, string[]>();
-
-            Object.entries(config["client-resources"]).forEach(
-                ([resourceKey, resource]) => {
-                    const proxyPort = resource["proxy-port"];
-                    if (proxyPort !== undefined) {
-                        if (!proxyPortMap.has(proxyPort)) {
-                            proxyPortMap.set(proxyPort, []);
-                        }
-                        proxyPortMap.get(proxyPort)!.push(resourceKey);
-                    }
-                }
-            );
-
-            const duplicates = Array.from(proxyPortMap.entries())
-                .filter(([_, resourceKeys]) => resourceKeys.length > 1)
-                .map(
-                    ([proxyPort, resourceKeys]) =>
-                        `port ${proxyPort} used by client-resources: ${resourceKeys.join(", ")}`
-                )
-                .join("; ");
-
-            return {
-                message: `Duplicate 'proxy-port' values found in client-resources: ${duplicates}`,
-                path: ["client-resources"]
-            };
+        if (aliasDuplicates.length !== 0) {
+            ctx.addIssue({
+                code: z.ZodIssueCode.custom,
+                path: ["client-resources"],
+                message: `Duplicate 'alias' values found in client-resources: ${aliasDuplicates}`
+            });
        }
-    );
+    });

 // Type inference from the schema
 export type Site = z.infer<typeof SiteSchema>;
--- a/server/lib/cache.ts
+++ b/server/lib/cache.ts
@@ -0,0 +1,5 @@
+import NodeCache from "node-cache";
+
+export const cache = new NodeCache({ stdTTL: 3600, checkperiod: 120 });
+
+export default cache;
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -0,0 +1,290 @@
+import {
+    clients,
+    db,
+    olms,
+    orgs,
+    roleClients,
+    roles,
+    userClients,
+    userOrgs,
+    Transaction
+} from "@server/db";
+import { eq, and, notInArray } from "drizzle-orm";
+import { listExitNodes } from "#dynamic/lib/exitNodes";
+import { getNextAvailableClientSubnet } from "@server/lib/ip";
+import logger from "@server/logger";
+import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
+import { sendTerminateClient } from "@server/routers/client/terminate";
+import { getUniqueClientName } from "@server/db/names";
+
+export async function calculateUserClientsForOrgs(
+    userId: string,
+    trx?: Transaction
+): Promise<void> {
+    const execute = async (transaction: Transaction) => {
+        // Get all OLMs for this user
+        const userOlms = await transaction
+            .select()
+            .from(olms)
+            .where(eq(olms.userId, userId));
+
+        if (userOlms.length === 0) {
+            // No OLMs for this user, but we should still clean up any orphaned clients
+            await cleanupOrphanedClients(userId, transaction);
+            return;
+        }
+
+        // Get all user orgs
+        const allUserOrgs = await transaction
+            .select()
+            .from(userOrgs)
+            .where(eq(userOrgs.userId, userId));
+
+        const userOrgIds = allUserOrgs.map((uo) => uo.orgId);
+
+        // For each OLM, ensure there's a client in each org the user is in
+        for (const olm of userOlms) {
+            for (const userOrg of allUserOrgs) {
+                const orgId = userOrg.orgId;
+
+                const [org] = await transaction
+                    .select()
+                    .from(orgs)
+                    .where(eq(orgs.orgId, orgId));
+
+                if (!org) {
+                    logger.warn(
+                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): org not found`
+                    );
+                    continue;
+                }
+
+                if (!org.subnet) {
+                    logger.warn(
+                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): org has no subnet configured`
+                    );
+                    continue;
+                }
+
+                // Get admin role for this org (needed for access grants)
+                const [adminRole] = await transaction
+                    .select()
+                    .from(roles)
+                    .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+                    .limit(1);
+
+                if (!adminRole) {
+                    logger.warn(
+                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): no admin role found`
+                    );
+                    continue;
+                }
+
+                // Check if a client already exists for this OLM+user+org combination
+                const [existingClient] = await transaction
+                    .select()
+                    .from(clients)
+                    .where(
+                        and(
+                            eq(clients.userId, userId),
+                            eq(clients.orgId, orgId),
+                            eq(clients.olmId, olm.olmId)
+                        )
+                    )
+                    .limit(1);
+
+                if (existingClient) {
+                    // Ensure admin role has access to the client
+                    const [existingRoleClient] = await transaction
+                        .select()
+                        .from(roleClients)
+                        .where(
+                            and(
+                                eq(roleClients.roleId, adminRole.roleId),
+                                eq(
+                                    roleClients.clientId,
+                                    existingClient.clientId
+                                )
+                            )
+                        )
+                        .limit(1);
+
+                    if (!existingRoleClient) {
+                        await transaction.insert(roleClients).values({
+                            roleId: adminRole.roleId,
+                            clientId: existingClient.clientId
+                        });
+                        logger.debug(
+                            `Granted admin role access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
+                        );
+                    }
+
+                    // Ensure user has access to the client
+                    const [existingUserClient] = await transaction
+                        .select()
+                        .from(userClients)
+                        .where(
+                            and(
+                                eq(userClients.userId, userId),
+                                eq(
+                                    userClients.clientId,
+                                    existingClient.clientId
+                                )
+                            )
+                        )
+                        .limit(1);
+
+                    if (!existingUserClient) {
+                        await transaction.insert(userClients).values({
+                            userId,
+                            clientId: existingClient.clientId
+                        });
+                        logger.debug(
+                            `Granted user access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
+                        );
+                    }
+
+                    logger.debug(
+                        `Client already exists for OLM ${olm.olmId} in org ${orgId} (user ${userId}), skipping creation`
+                    );
+                    continue;
+                }
+
+                // Get exit nodes for this org
+                const exitNodesList = await listExitNodes(orgId);
+
+                if (exitNodesList.length === 0) {
+                    logger.warn(
+                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): no exit nodes found`
+                    );
+                    continue;
+                }
+
+                const randomExitNode =
+                    exitNodesList[
+                        Math.floor(Math.random() * exitNodesList.length)
+                    ];
+
+                // Get next available subnet
+                const newSubnet = await getNextAvailableClientSubnet(orgId);
+                if (!newSubnet) {
+                    logger.warn(
+                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): no available subnet found`
+                    );
+                    continue;
+                }
+
+                const subnet = newSubnet.split("/")[0];
+                const updatedSubnet = `${subnet}/${org.subnet.split("/")[1]}`;
+
+                const niceId = await getUniqueClientName(orgId);
+
+                // Create the client
+                const [newClient] = await transaction
+                    .insert(clients)
+                    .values({
+                        userId,
+                        orgId: userOrg.orgId,
+                        exitNodeId: randomExitNode.exitNodeId,
+                        name: olm.name || "User Client",
+                        subnet: updatedSubnet,
+                        olmId: olm.olmId,
+                        type: "olm",
+                        niceId
+                    })
+                    .returning();
+
+                await rebuildClientAssociationsFromClient(
+                    newClient,
+                    transaction
+                );
+
+                // Grant admin role access to the client
+                await transaction.insert(roleClients).values({
+                    roleId: adminRole.roleId,
+                    clientId: newClient.clientId
+                });
+
+                // Grant user access to the client
+                await transaction.insert(userClients).values({
+                    userId,
+                    clientId: newClient.clientId
+                });
+
+                logger.debug(
+                    `Created client for OLM ${olm.olmId} in org ${orgId} (user ${userId}) with access granted to admin role and user`
+                );
+            }
+        }
+
+        // Clean up clients in orgs the user is no longer in
+        await cleanupOrphanedClients(userId, transaction, userOrgIds);
+    };
+
+    if (trx) {
+        // Use provided transaction
+        await execute(trx);
+    } else {
+        // Create new transaction
+        await db.transaction(async (transaction) => {
+            await execute(transaction);
+        });
+    }
+}
+
+async function cleanupOrphanedClients(
+    userId: string,
+    trx: Transaction,
+    userOrgIds: string[] = []
+): Promise<void> {
+    // Find all OLM clients for this user that should be deleted
+    // If userOrgIds is empty, delete all OLM clients (user has no orgs)
+    // If userOrgIds has values, delete clients in orgs they're not in
+    const clientsToDelete = await trx
+        .select({ clientId: clients.clientId })
+        .from(clients)
+        .where(
+            userOrgIds.length > 0
+                ? and(
+                      eq(clients.userId, userId),
+                      notInArray(clients.orgId, userOrgIds)
+                  )
+                : and(eq(clients.userId, userId))
+        );
+
+    if (clientsToDelete.length > 0) {
+        const deletedClients = await trx
+            .delete(clients)
+            .where(
+                userOrgIds.length > 0
+                    ? and(
+                          eq(clients.userId, userId),
+                          notInArray(clients.orgId, userOrgIds)
+                      )
+                    : and(eq(clients.userId, userId))
+            )
+            .returning();
+
+        // Rebuild associations for each deleted client to clean up related data
+        for (const deletedClient of deletedClients) {
+            await rebuildClientAssociationsFromClient(deletedClient, trx);
+
+            if (deletedClient.olmId) {
+                await sendTerminateClient(
+                    deletedClient.clientId,
+                    deletedClient.olmId
+                );
+            }
+        }
+
+        if (userOrgIds.length === 0) {
+            logger.debug(
+                `Deleted all ${clientsToDelete.length} OLM client(s) for user ${userId} (user has no orgs)`
+            );
+        } else {
+            logger.debug(
+                `Deleted ${clientsToDelete.length} orphaned OLM client(s) for user ${userId} in orgs they're no longer in`
+            );
+        }
+    }
+}
--- a/server/lib/checkOrgAccessPolicy.ts
+++ b/server/lib/checkOrgAccessPolicy.ts
@@ -0,0 +1,41 @@
+import { Org, ResourceSession, Session, User } from "@server/db";
+
+export type CheckOrgAccessPolicyProps = {
+    orgId?: string;
+    org?: Org;
+    userId?: string;
+    user?: User;
+    sessionId?: string;
+    session?: Session;
+};
+
+export type CheckOrgAccessPolicyResult = {
+    allowed: boolean;
+    error?: string;
+    policies?: {
+        requiredTwoFactor?: boolean;
+        maxSessionLength?: {
+            compliant: boolean;
+            maxSessionLengthHours: number;
+            sessionAgeHours: number;
+        };
+        passwordAge?: {
+            compliant: boolean;
+            maxPasswordAgeDays: number;
+            passwordAgeDays: number;
+        };
+    };
+};
+
+export async function enforceResourceSessionLength(
+    resourceSession: ResourceSession,
+    org: Org
+): Promise<{ valid: boolean; error?: string }> {
+    return { valid: true };
+}
+
+export async function checkOrgAccessPolicy(
+    props: CheckOrgAccessPolicyProps
+): Promise<CheckOrgAccessPolicyResult> {
+    return { allowed: true };
+}
--- a/server/lib/cleanupLogs.test.ts
+++ b/server/lib/cleanupLogs.test.ts
@@ -0,0 +1,201 @@
+import { assertEquals } from "@test/assert";
+
+// Helper to create a timestamp from a date string (UTC)
+function dateToTimestamp(dateStr: string): number {
+    return Math.floor(new Date(dateStr).getTime() / 1000);
+}
+
+// Testable version of calculateCutoffTimestamp that accepts a "now" timestamp
+// This matches the logic in cleanupLogs.ts but allows injecting the current time
+function calculateCutoffTimestampWithNow(retentionDays: number, nowTimestamp: number): number {
+    if (retentionDays === 9001) {
+        // Special case: data is erased at the end of the year following the year it was generated
+        // This means we delete logs from 2 years ago or older (logs from year Y are deleted after Dec 31 of year Y+1)
+        const currentYear = new Date(nowTimestamp * 1000).getUTCFullYear();
+        // Cutoff is the start of the year before last (Jan 1, currentYear - 1 at 00:00:00)
+        // Any logs before this date are from 2+ years ago and should be deleted
+        const cutoffDate = new Date(Date.UTC(currentYear - 1, 0, 1, 0, 0, 0));
+        return Math.floor(cutoffDate.getTime() / 1000);
+    } else {
+        return nowTimestamp - retentionDays * 24 * 60 * 60;
+    }
+}
+
+function testCalculateCutoffTimestamp() {
+    console.log("Running calculateCutoffTimestamp tests...");
+
+    // Test 1: Normal retention days (e.g., 30 days)
+    {
+        const now = dateToTimestamp("2025-12-06T12:00:00Z");
+        const result = calculateCutoffTimestampWithNow(30, now);
+        const expected = now - (30 * 24 * 60 * 60);
+        assertEquals(result, expected, "30 days retention calculation failed");
+    }
+
+    // Test 2: Normal retention days (e.g., 90 days)
+    {
+        const now = dateToTimestamp("2025-06-15T00:00:00Z");
+        const result = calculateCutoffTimestampWithNow(90, now);
+        const expected = now - (90 * 24 * 60 * 60);
+        assertEquals(result, expected, "90 days retention calculation failed");
+    }
+
+    // Test 3: Special case 9001 - December 2025 (before Dec 31)
+    // Data from 2024 should NOT be deleted yet (must wait until after Dec 31, 2025)
+    // Data from 2023 and earlier should be deleted
+    // Cutoff should be Jan 1, 2024 (start of currentYear - 1)
+    {
+        const now = dateToTimestamp("2025-12-06T12:00:00Z");
+        const result = calculateCutoffTimestampWithNow(9001, now);
+        const expected = dateToTimestamp("2024-01-01T00:00:00Z");
+        assertEquals(result, expected, "9001 retention (Dec 2025) - should cutoff at Jan 1, 2024");
+    }
+
+    // Test 4: Special case 9001 - January 2026
+    // Data from 2024 should now be deleted (Dec 31, 2025 has passed)
+    // Cutoff should be Jan 1, 2025 (start of currentYear - 1)
+    {
+        const now = dateToTimestamp("2026-01-15T12:00:00Z");
+        const result = calculateCutoffTimestampWithNow(9001, now);
+        const expected = dateToTimestamp("2025-01-01T00:00:00Z");
+        assertEquals(result, expected, "9001 retention (Jan 2026) - should cutoff at Jan 1, 2025");
+    }
+
+    // Test 5: Special case 9001 - December 31, 2025 at 23:59:59 UTC
+    // Still in 2025, so data from 2024 should NOT be deleted yet
+    // Cutoff should be Jan 1, 2024
+    {
+        const now = dateToTimestamp("2025-12-31T23:59:59Z");
+        const result = calculateCutoffTimestampWithNow(9001, now);
+        const expected = dateToTimestamp("2024-01-01T00:00:00Z");
+        assertEquals(result, expected, "9001 retention (Dec 31, 2025 23:59:59) - should cutoff at Jan 1, 2024");
+    }
+
+    // Test 6: Special case 9001 - January 1, 2026 at 00:00:01 UTC
+    // Now in 2026, so data from 2024 should be deleted
+    // Cutoff should be Jan 1, 2025
+    {
+        const now = dateToTimestamp("2026-01-01T00:00:01Z");
+        const result = calculateCutoffTimestampWithNow(9001, now);
+        const expected = dateToTimestamp("2025-01-01T00:00:00Z");
+        assertEquals(result, expected, "9001 retention (Jan 1, 2026 00:00:01) - should cutoff at Jan 1, 2025");
+    }
+
+    // Test 7: Special case 9001 - Mid year 2025
+    // Cutoff should still be Jan 1, 2024
+    {
+        const now = dateToTimestamp("2025-06-15T12:00:00Z");
+        const result = calculateCutoffTimestampWithNow(9001, now);
+        const expected = dateToTimestamp("2024-01-01T00:00:00Z");
+        assertEquals(result, expected, "9001 retention (mid 2025) - should cutoff at Jan 1, 2024");
+    }
+
+    // Test 8: Special case 9001 - Early 2024
+    // Cutoff should be Jan 1, 2023
+    {
+        const now = dateToTimestamp("2024-02-01T12:00:00Z");
+        const result = calculateCutoffTimestampWithNow(9001, now);
+        const expected = dateToTimestamp("2023-01-01T00:00:00Z");
+        assertEquals(result, expected, "9001 retention (early 2024) - should cutoff at Jan 1, 2023");
+    }
+
+    // Test 9: 1 day retention
+    {
+        const now = dateToTimestamp("2025-12-06T12:00:00Z");
+        const result = calculateCutoffTimestampWithNow(1, now);
+        const expected = now - (1 * 24 * 60 * 60);
+        assertEquals(result, expected, "1 day retention calculation failed");
+    }
+
+    // Test 10: 365 days retention (1 year)
+    {
+        const now = dateToTimestamp("2025-12-06T12:00:00Z");
+        const result = calculateCutoffTimestampWithNow(365, now);
+        const expected = now - (365 * 24 * 60 * 60);
+        assertEquals(result, expected, "365 days retention calculation failed");
+    }
+
+    // Test 11: Verify 9001 deletes logs correctly across year boundary
+    // If we're in 2025, logs from Dec 31, 2023 (timestamp) should be DELETED (before cutoff)
+    // But logs from Jan 1, 2024 (timestamp) should be KEPT (at or after cutoff)
+    {
+        const now = dateToTimestamp("2025-12-06T12:00:00Z");
+        const cutoff = calculateCutoffTimestampWithNow(9001, now);
+        const logFromDec2023 = dateToTimestamp("2023-12-31T23:59:59Z");
+        const logFromJan2024 = dateToTimestamp("2024-01-01T00:00:00Z");
+        
+        // Log from Dec 2023 should be before cutoff (deleted)
+        assertEquals(logFromDec2023 < cutoff, true, "Log from Dec 2023 should be deleted");
+        // Log from Jan 2024 should be at or after cutoff (kept)
+        assertEquals(logFromJan2024 >= cutoff, true, "Log from Jan 2024 should be kept");
+    }
+
+    // Test 12: Verify 9001 in 2026 - logs from 2024 should now be deleted
+    {
+        const now = dateToTimestamp("2026-03-15T12:00:00Z");
+        const cutoff = calculateCutoffTimestampWithNow(9001, now);
+        const logFromDec2024 = dateToTimestamp("2024-12-31T23:59:59Z");
+        const logFromJan2025 = dateToTimestamp("2025-01-01T00:00:00Z");
+        
+        // Log from Dec 2024 should be before cutoff (deleted)
+        assertEquals(logFromDec2024 < cutoff, true, "Log from Dec 2024 should be deleted in 2026");
+        // Log from Jan 2025 should be at or after cutoff (kept)
+        assertEquals(logFromJan2025 >= cutoff, true, "Log from Jan 2025 should be kept in 2026");
+    }
+
+    // Test 13: Edge case - exactly at year boundary for 9001
+    // On Jan 1, 2025 00:00:00 UTC, cutoff should be Jan 1, 2024
+    {
+        const now = dateToTimestamp("2025-01-01T00:00:00Z");
+        const result = calculateCutoffTimestampWithNow(9001, now);
+        const expected = dateToTimestamp("2024-01-01T00:00:00Z");
+        assertEquals(result, expected, "9001 retention (Jan 1, 2025 00:00:00) - should cutoff at Jan 1, 2024");
+    }
+
+    // Test 14: Verify data from 2024 is kept throughout 2025 when using 9001
+    // Example: Log created on July 15, 2024 should be kept until Dec 31, 2025
+    {
+        // Running in June 2025
+        const nowJune2025 = dateToTimestamp("2025-06-15T12:00:00Z");
+        const cutoffJune2025 = calculateCutoffTimestampWithNow(9001, nowJune2025);
+        const logFromJuly2024 = dateToTimestamp("2024-07-15T12:00:00Z");
+        
+        // Log from July 2024 should be KEPT in June 2025
+        assertEquals(logFromJuly2024 >= cutoffJune2025, true, "Log from July 2024 should be kept in June 2025");
+        
+        // Running in January 2026
+        const nowJan2026 = dateToTimestamp("2026-01-15T12:00:00Z");
+        const cutoffJan2026 = calculateCutoffTimestampWithNow(9001, nowJan2026);
+        
+        // Log from July 2024 should be DELETED in January 2026
+        assertEquals(logFromJuly2024 < cutoffJan2026, true, "Log from July 2024 should be deleted in Jan 2026");
+    }
+
+    // Test 15: Verify the exact requirement - data from 2024 must be purged on December 31, 2025
+    // On Dec 31, 2025 (still 2025), data from 2024 should still exist
+    // On Jan 1, 2026 (now 2026), data from 2024 can be deleted
+    {
+        const logFromMid2024 = dateToTimestamp("2024-06-15T12:00:00Z");
+        
+        // Dec 31, 2025 23:59:59 - still 2025, log should be kept
+        const nowDec31_2025 = dateToTimestamp("2025-12-31T23:59:59Z");
+        const cutoffDec31 = calculateCutoffTimestampWithNow(9001, nowDec31_2025);
+        assertEquals(logFromMid2024 >= cutoffDec31, true, "Log from mid-2024 should be kept on Dec 31, 2025");
+        
+        // Jan 1, 2026 00:00:00 - now 2026, log can be deleted
+        const nowJan1_2026 = dateToTimestamp("2026-01-01T00:00:00Z");
+        const cutoffJan1 = calculateCutoffTimestampWithNow(9001, nowJan1_2026);
+        assertEquals(logFromMid2024 < cutoffJan1, true, "Log from mid-2024 should be deleted on Jan 1, 2026");
+    }
+
+    console.log("All calculateCutoffTimestamp tests passed!");
+}
+
+// Run all tests
+try {
+    testCalculateCutoffTimestamp();
+    console.log("All tests passed successfully!");
+} catch (error) {
+    console.error("Test failed:", error);
+    process.exit(1);
+}
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -0,0 +1,76 @@
+import { db, orgs } from "@server/db";
+import { cleanUpOldLogs as cleanUpOldAccessLogs } from "#dynamic/lib/logAccessAudit";
+import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/logActionAudit";
+import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
+import { gt, or } from "drizzle-orm";
+
+export function initLogCleanupInterval() {
+    return setInterval(
+        async () => {
+            const orgsToClean = await db
+                .select({
+                    orgId: orgs.orgId,
+                    settingsLogRetentionDaysAction:
+                        orgs.settingsLogRetentionDaysAction,
+                    settingsLogRetentionDaysAccess:
+                        orgs.settingsLogRetentionDaysAccess,
+                    settingsLogRetentionDaysRequest:
+                        orgs.settingsLogRetentionDaysRequest
+                })
+                .from(orgs)
+                .where(
+                    or(
+                        gt(orgs.settingsLogRetentionDaysAction, 0),
+                        gt(orgs.settingsLogRetentionDaysAccess, 0),
+                        gt(orgs.settingsLogRetentionDaysRequest, 0)
+                    )
+                );
+
+            for (const org of orgsToClean) {
+                const {
+                    orgId,
+                    settingsLogRetentionDaysAction,
+                    settingsLogRetentionDaysAccess,
+                    settingsLogRetentionDaysRequest
+                } = org;
+
+                if (settingsLogRetentionDaysAction > 0) {
+                    await cleanUpOldActionLogs(
+                        orgId,
+                        settingsLogRetentionDaysAction
+                    );
+                }
+
+                if (settingsLogRetentionDaysAccess > 0) {
+                    await cleanUpOldAccessLogs(
+                        orgId,
+                        settingsLogRetentionDaysAccess
+                    );
+                }
+
+                if (settingsLogRetentionDaysRequest > 0) {
+                    await cleanUpOldRequestLogs(
+                        orgId,
+                        settingsLogRetentionDaysRequest
+                    );
+                }
+            }
+        },
+        3 * 60 * 60 * 1000
+    ); // every 3 hours
+}
+
+export function calculateCutoffTimestamp(retentionDays: number): number {
+    const now = Math.floor(Date.now() / 1000);
+    if (retentionDays === 9001) {
+        // Special case: data is erased at the end of the year following the year it was generated
+        // This means we delete logs from 2 years ago or older (logs from year Y are deleted after Dec 31 of year Y+1)
+        const currentYear = new Date().getFullYear();
+        // Cutoff is the start of the year before last (Jan 1, currentYear - 1 at 00:00:00)
+        // Any logs before this date are from 2+ years ago and should be deleted
+        const cutoffDate = new Date(Date.UTC(currentYear - 1, 0, 1, 0, 0, 0));
+        return Math.floor(cutoffDate.getTime() / 1000);
+    } else {
+        return now - retentionDays * 24 * 60 * 60;
+    }
+}
--- a/server/lib/config.ts
+++ b/server/lib/config.ts
@@ -85,7 +85,13 @@ export class Config {
            ? "true"
            : "false";

-        process.env.FLAGS_ENABLE_CLIENTS = parsedConfig.flags?.enable_clients
+        process.env.PRODUCT_UPDATES_NOTIFICATION_ENABLED = parsedConfig.app
+            .notifications.product_updates
+            ? "true"
+            : "false";
+
+        process.env.NEW_RELEASES_NOTIFICATION_ENABLED = parsedConfig.app
+            .notifications.new_releases
            ? "true"
            : "false";

@@ -158,7 +164,7 @@ export class Config {

        try {
            const response = await fetch(
-                "https://api.fossorial.io/api/v1/license/validate",
+                `https://api.fossorial.io/api/v1/license/validate`,
                {
                    method: "POST",
                    headers: {
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.11.0";
+export const APP_VERSION = "1.13.0-rc.0";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/createUserAccountOrg.ts
+++ b/server/lib/createUserAccountOrg.ts
@@ -18,6 +18,7 @@ import { defaultRoleAllowedActions } from "@server/routers/role";
 import { FeatureId, limitsService, sandboxLimitSet } from "@server/lib/billing";
 import { createCustomer } from "#dynamic/lib/billing";
 import { usageService } from "@server/lib/billing/usageService";
+import config from "@server/lib/config";

 export async function createUserAccountOrg(
    userId: string,
@@ -76,6 +77,8 @@ export async function createUserAccountOrg(
            .from(domains)
            .where(eq(domains.configManaged, true));

+        const utilitySubnet = config.getRawConfig().orgs.utility_subnet_group;
+
        const newOrg = await trx
            .insert(orgs)
            .values({
@@ -83,6 +86,7 @@ export async function createUserAccountOrg(
                name,
                // subnet
                subnet: "100.90.128.0/24", // TODO: this should not be hardcoded - or can it be the same in all orgs?
+                utilitySubnet: utilitySubnet,
                createdAt: new Date().toISOString()
            })
            .returning();
--- a/server/lib/geoip.ts
+++ b/server/lib/geoip.ts
@@ -6,7 +6,7 @@ export async function getCountryCodeForIp(
 ): Promise<string | undefined> {
    try {
        if (!maxmindLookup) {
-            logger.warn(
+            logger.debug(
                "MaxMind DB path not configured, cannot perform GeoIP lookup"
            );
            return;
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -1,7 +1,15 @@
-import { db } from "@server/db";
+import {
+    clientSitesAssociationsCache,
+    db,
+    SiteResource,
+    siteResources,
+    Transaction
+} from "@server/db";
 import { clients, orgs, sites } from "@server/db";
 import { and, eq, isNotNull } from "drizzle-orm";
 import config from "@server/lib/config";
+import z from "zod";
+import logger from "@server/logger";

 interface IPRange {
    start: bigint;
@@ -279,6 +287,56 @@ export async function getNextAvailableClientSubnet(
    return subnet;
 }

+export async function getNextAvailableAliasAddress(
+    orgId: string
+): Promise<string> {
+    const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
+
+    if (!org) {
+        throw new Error(`Organization with ID ${orgId} not found`);
+    }
+
+    if (!org.subnet) {
+        throw new Error(`Organization with ID ${orgId} has no subnet defined`);
+    }
+
+    if (!org.utilitySubnet) {
+        throw new Error(
+            `Organization with ID ${orgId} has no utility subnet defined`
+        );
+    }
+
+    const existingAddresses = await db
+        .select({
+            aliasAddress: siteResources.aliasAddress
+        })
+        .from(siteResources)
+        .where(
+            and(
+                isNotNull(siteResources.aliasAddress),
+                eq(siteResources.orgId, orgId)
+            )
+        );
+
+    const addresses = [
+        ...existingAddresses.map(
+            (site) => `${site.aliasAddress?.split("/")[0]}/32`
+        ),
+        // reserve a /29 for the dns server and other stuff
+        `${org.utilitySubnet.split("/")[0]}/29`
+    ].filter((address) => address !== null) as string[];
+
+    let subnet = findNextAvailableCidr(addresses, 32, org.utilitySubnet);
+    if (!subnet) {
+        throw new Error("No available subnets remaining in space");
+    }
+
+    // remove the cidr
+    subnet = subnet.split("/")[0];
+
+    return subnet;
+}
+
 export async function getNextAvailableOrgSubnet(): Promise<string> {
    const existingAddresses = await db
        .select({
@@ -300,3 +358,113 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {

    return subnet;
 }
+
+export function generateRemoteSubnets(allSiteResources: SiteResource[]): string[] {
+    const remoteSubnets = allSiteResources
+        .filter((sr) => {
+            if (sr.mode === "cidr") return true;
+            if (sr.mode === "host") {
+                // check if its a valid IP using zod
+                const ipSchema = z.union([z.ipv4(), z.ipv6()]);
+                const parseResult = ipSchema.safeParse(sr.destination);
+                return parseResult.success;
+            }
+            return false;
+        })
+        .map((sr) => {
+            if (sr.mode === "cidr") return sr.destination;
+            if (sr.mode === "host") {
+                return `${sr.destination}/32`;
+            }
+            return ""; // This should never be reached due to filtering, but satisfies TypeScript
+        })
+        .filter((subnet) => subnet !== ""); // Remove empty strings just to be safe
+    // remove duplicates
+    return Array.from(new Set(remoteSubnets));
+}
+
+export type Alias = { alias: string | null; aliasAddress: string | null };
+
+export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
+    let aliasConfigs = allSiteResources
+        .filter((sr) => sr.alias && sr.aliasAddress && sr.mode == "host")
+        .map((sr) => ({
+            alias: sr.alias,
+            aliasAddress: sr.aliasAddress
+        }));
+    return aliasConfigs;
+}
+
+export type SubnetProxyTarget = {
+    sourcePrefix: string; // must be a cidr
+    destPrefix: string; // must be a cidr
+    rewriteTo?: string; // must be a cidr
+    portRange?: {
+        min: number;
+        max: number;
+    }[];
+};
+
+export function generateSubnetProxyTargets(
+    siteResource: SiteResource,
+    clients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[]
+): SubnetProxyTarget[] {
+    const targets: SubnetProxyTarget[] = [];
+
+    if (clients.length === 0) {
+        logger.debug(
+            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
+        );
+        return [];
+    }
+
+    for (const clientSite of clients) {
+        if (!clientSite.subnet) {
+            logger.debug(
+                `Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
+            );
+            continue;
+        }
+
+        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
+
+        if (siteResource.mode == "host") {
+            let destination = siteResource.destination;
+            // check if this is a valid ip
+            const ipSchema = z.union([z.ipv4(), z.ipv6()]);
+            if (ipSchema.safeParse(destination).success) {
+                destination = `${destination}/32`;
+
+                targets.push({
+                    sourcePrefix: clientPrefix,
+                    destPrefix: destination
+                });
+            }
+
+            if (siteResource.alias && siteResource.aliasAddress) {
+                // also push a match for the alias address
+                targets.push({
+                    sourcePrefix: clientPrefix,
+                    destPrefix: `${siteResource.aliasAddress}/32`,
+                    rewriteTo: destination
+                });
+            }
+        } else if (siteResource.mode == "cidr") {
+            targets.push({
+                sourcePrefix: clientPrefix,
+                destPrefix: siteResource.destination
+            });
+        }
+    }
+
+    // print a nice representation of the targets
+    // logger.debug(
+    //     `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
+    // );
+
+    return targets;
+}
--- a/server/lib/lock.ts
+++ b/server/lib/lock.ts
@@ -0,0 +1,111 @@
+export class LockManager {
+    /**
+     * Acquire a distributed lock using Redis SET with NX and PX options
+     * @param lockKey - Unique identifier for the lock
+     * @param ttlMs - Time to live in milliseconds
+     * @returns Promise<boolean> - true if lock acquired, false otherwise
+     */
+    async acquireLock(
+        lockKey: string,
+        ttlMs: number = 30000
+    ): Promise<boolean> {
+        return true;
+    }
+
+    /**
+     * Release a lock using Lua script to ensure atomicity
+     * @param lockKey - Unique identifier for the lock
+     */
+    async releaseLock(lockKey: string): Promise<void> {}
+
+    /**
+     * Force release a lock regardless of owner (use with caution)
+     * @param lockKey - Unique identifier for the lock
+     */
+    async forceReleaseLock(lockKey: string): Promise<void> {}
+
+    /**
+     * Check if a lock exists and get its info
+     * @param lockKey - Unique identifier for the lock
+     * @returns Promise<{exists: boolean, ownedByMe: boolean, ttl: number}>
+     */
+    async getLockInfo(lockKey: string): Promise<{
+        exists: boolean;
+        ownedByMe: boolean;
+        ttl: number;
+        owner?: string;
+    }> {
+        return { exists: true, ownedByMe: true, ttl: 0 };
+    }
+
+    /**
+     * Extend the TTL of an existing lock owned by this worker
+     * @param lockKey - Unique identifier for the lock
+     * @param ttlMs - New TTL in milliseconds
+     * @returns Promise<boolean> - true if extended successfully
+     */
+    async extendLock(lockKey: string, ttlMs: number): Promise<boolean> {
+        return true;
+    }
+
+    /**
+     * Attempt to acquire lock with retries and exponential backoff
+     * @param lockKey - Unique identifier for the lock
+     * @param ttlMs - Time to live in milliseconds
+     * @param maxRetries - Maximum number of retry attempts
+     * @param baseDelayMs - Base delay between retries in milliseconds
+     * @returns Promise<boolean> - true if lock acquired
+     */
+    async acquireLockWithRetry(
+        lockKey: string,
+        ttlMs: number = 30000,
+        maxRetries: number = 5,
+        baseDelayMs: number = 100
+    ): Promise<boolean> {
+        return true;
+    }
+
+    /**
+     * Execute a function while holding a lock
+     * @param lockKey - Unique identifier for the lock
+     * @param fn - Function to execute while holding the lock
+     * @param ttlMs - Lock TTL in milliseconds
+     * @returns Promise<T> - Result of the executed function
+     */
+    async withLock<T>(
+        lockKey: string,
+        fn: () => Promise<T>,
+        ttlMs: number = 30000
+    ): Promise<T> {
+        const acquired = await this.acquireLock(lockKey, ttlMs);
+
+        if (!acquired) {
+            throw new Error(`Failed to acquire lock: ${lockKey}`);
+        }
+
+        try {
+            return await fn();
+        } finally {
+            await this.releaseLock(lockKey);
+        }
+    }
+
+    /**
+     * Clean up expired locks - Redis handles this automatically, but this method
+     * can be used to get statistics about locks
+     * @returns Promise<{activeLocksCount: number, locksOwnedByMe: number}>
+     */
+    async getLockStatistics(): Promise<{
+        activeLocksCount: number;
+        locksOwnedByMe: number;
+    }> {
+        return { activeLocksCount: 0, locksOwnedByMe: 0 };
+    }
+
+    /**
+     * Close the Redis connection
+     */
+    async disconnect(): Promise<void> {}
+}
+
+export const lockManager = new LockManager();
--- a/server/lib/logAccessAudit.ts
+++ b/server/lib/logAccessAudit.ts
@@ -0,0 +1,17 @@
+export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
+    return;
+}
+
+export async function logAccessAudit(data: {
+    action: boolean;
+    type: string;
+    orgId: string;
+    resourceId?: number;
+    user?: { username: string; userId: string };
+    apiKey?: { name: string | null; apiKeyId: string };
+    metadata?: any;
+    userAgent?: string;
+    requestIp?: string;
+}) {
+    return;
+}
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -14,10 +14,8 @@ export const configSchema = z
    .object({
        app: z
            .object({
-                dashboard_url: z
-                    .string()
-                    .url()
-                    .pipe(z.string().url())
+                dashboard_url: z.url()
+                    .pipe(z.url())
                    .transform((url) => url.toLowerCase())
                    .optional(),
                log_level: z
@@ -31,7 +29,14 @@ export const configSchema = z
                        anonymous_usage: z.boolean().optional().default(true)
                    })
                    .optional()
-                    .default({})
+                    .prefault({}),
+                notifications: z
+                    .object({
+                        product_updates: z.boolean().optional().default(true),
+                        new_releases: z.boolean().optional().default(true)
+                    })
+                    .optional()
+                    .prefault({})
            })
            .optional()
            .default({
@@ -40,6 +45,10 @@ export const configSchema = z
                log_failed_attempts: false,
                telemetry: {
                    anonymous_usage: true
+                },
+                notifications: {
+                    product_updates: true,
+                    new_releases: true
                }
            }),
        domains: z
@@ -50,7 +59,7 @@ export const configSchema = z
                        .string()
                        .nonempty("base_domain must not be empty")
                        .transform((url) => url.toLowerCase()),
-                    cert_resolver: z.string().optional().default("letsencrypt"),
+                    cert_resolver: z.string().optional(), // null falls back to traefik.cert_resolver
                    prefer_wildcard_cert: z.boolean().optional().default(false)
                })
            )
@@ -96,7 +105,7 @@ export const configSchema = z
                        token: z.string().optional().default("P-Access-Token")
                    })
                    .optional()
-                    .default({}),
+                    .prefault({}),
                resource_session_request_param: z
                    .string()
                    .optional()
@@ -121,7 +130,7 @@ export const configSchema = z
                        credentials: z.boolean().optional()
                    })
                    .optional(),
-                trust_proxy: z.number().int().gte(0).optional().default(1),
+                trust_proxy: z.int().gte(0).optional().default(1),
                secret: z.string().pipe(z.string().min(8)).optional(),
                maxmind_db_path: z.string().optional()
            })
@@ -178,7 +187,7 @@ export const configSchema = z
                            .default(5000)
                    })
                    .optional()
-                    .default({})
+                    .prefault({})
            })
            .optional(),
        traefik: z
@@ -204,10 +213,14 @@ export const configSchema = z
                    .optional()
                    .default(["newt", "wireguard", "local"]),
                allow_raw_resources: z.boolean().optional().default(true),
-                file_mode: z.boolean().optional().default(false)
+                file_mode: z.boolean().optional().default(false),
+                pp_transport_prefix: z
+                    .string()
+                    .optional()
+                    .default("pp-transport-v")
            })
            .optional()
-            .default({}),
+            .prefault({}),
        gerbil: z
            .object({
                exit_node_name: z.string().optional(),
@@ -216,6 +229,11 @@ export const configSchema = z
                    .default(51820)
                    .transform(stoi)
                    .pipe(portSchema),
+                clients_start_port: portSchema
+                    .optional()
+                    .default(21820)
+                    .transform(stoi)
+                    .pipe(portSchema),
                base_endpoint: z
                    .string()
                    .optional()
@@ -232,16 +250,18 @@ export const configSchema = z
                    .default(30)
            })
            .optional()
-            .default({}),
+            .prefault({}),
        orgs: z
            .object({
                block_size: z.number().positive().gt(0).optional().default(24),
-                subnet_group: z.string().optional().default("100.90.128.0/24")
+                subnet_group: z.string().optional().default("100.90.128.0/24"),
+                utility_subnet_group: z.string().optional().default("100.96.128.0/24") //just hardcode this for now as well
            })
            .optional()
            .default({
                block_size: 24,
-                subnet_group: "100.90.128.0/24"
+                subnet_group: "100.90.128.0/24",
+                utility_subnet_group: "100.96.128.0/24"
            }),
        rate_limits: z
            .object({
@@ -261,7 +281,7 @@ export const configSchema = z
                            .default(500)
                    })
                    .optional()
-                    .default({}),
+                    .prefault({}),
                auth: z
                    .object({
                        window_minutes: z
@@ -278,10 +298,10 @@ export const configSchema = z
                            .default(500)
                    })
                    .optional()
-                    .default({})
+                    .prefault({})
            })
            .optional()
-            .default({}),
+            .prefault({}),
        email: z
            .object({
                smtp_host: z.string().optional(),
@@ -293,7 +313,7 @@ export const configSchema = z
                    .transform(getEnvOrYaml("EMAIL_SMTP_PASS")),
                smtp_secure: z.boolean().optional(),
                smtp_tls_reject_unauthorized: z.boolean().optional(),
-                no_reply: z.string().email().optional()
+                no_reply: z.email().optional()
            })
            .optional(),
        flags: z
@@ -305,8 +325,7 @@ export const configSchema = z
                enable_integration_api: z.boolean().optional(),
                disable_local_sites: z.boolean().optional(),
                disable_basic_wireguard_sites: z.boolean().optional(),
-                disable_config_managed_domains: z.boolean().optional(),
-                enable_clients: z.boolean().optional().default(true)
+                disable_config_managed_domains: z.boolean().optional()
            })
            .optional(),
        dns: z
@@ -314,11 +333,18 @@ export const configSchema = z
                nameservers: z
                    .array(z.string().optional().optional())
                    .optional()
-                    .default(["ns1.pangolin.net", "ns2.pangolin.net", "ns3.pangolin.net"]),
-                cname_extension: z.string().optional().default("cname.pangolin.net")
+                    .default([
+                        "ns1.pangolin.net",
+                        "ns2.pangolin.net",
+                        "ns3.pangolin.net"
+                    ]),
+                cname_extension: z
+                    .string()
+                    .optional()
+                    .default("cname.pangolin.net")
            })
            .optional()
-            .default({})
+            .prefault({})
    })
    .refine(
        (data) => {
@@ -333,7 +359,7 @@ export const configSchema = z
            return true;
        },
        {
-            message: "At least one domain must be defined"
+            error: "At least one domain must be defined"
        }
    )
    .refine(
@@ -348,7 +374,7 @@ export const configSchema = z
            );
        },
        {
-            message: "Server secret must be defined"
+            error: "Server secret must be defined"
        }
    )
    .refine(
@@ -360,7 +386,7 @@ export const configSchema = z
            );
        },
        {
-            message: "Dashboard URL must be defined"
+            error: "Dashboard URL must be defined"
        }
    );

--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
--- a/server/lib/resend.ts
+++ b/server/lib/resend.ts
@@ -1,7 +1,8 @@
 export enum AudienceIds {
-    General = "",
-    Subscribed = "",
-    Churned = ""
+  SignUps = "",
+  Subscribed = "",
+  Churned = "",
+  Newsletter = ""
 }

 let resend;
@@ -12,4 +13,4 @@ export async function moveEmailToAudience(
    audienceId: AudienceIds
 ) {
    return;
-}
+}
--- a/server/lib/serverIpService.ts
+++ b/server/lib/serverIpService.ts
@@ -0,0 +1,29 @@
+import logger from "@server/logger";
+import axios from "axios";
+
+let serverIp: string | null = null;
+
+const services = [
+    "https://checkip.amazonaws.com",
+    "https://ifconfig.io/ip",
+    "https://api.ipify.org",
+];
+
+export async function fetchServerIp() {
+    for (const url of services) {
+        try {
+            const response = await axios.get(url, { timeout: 5000 });
+            serverIp = response.data.trim();
+            logger.debug("Detected public IP: " + serverIp);
+            return;
+        } catch (err: any) {
+            console.warn(`Failed to fetch server IP from ${url}: ${err.message || err.code}`);
+        }
+    }
+
+    console.error("All attempts to fetch server IP failed.");
+}
+
+export function getServerIp() {
+    return serverIp;
+}
--- a/server/lib/telemetry.ts
+++ b/server/lib/telemetry.ts
@@ -4,7 +4,7 @@ import { getHostMeta } from "./hostMeta";
 import logger from "@server/logger";
 import { apiKeys, db, roles } from "@server/db";
 import { sites, users, orgs, resources, clients, idp } from "@server/db";
-import { eq, count, notInArray } from "drizzle-orm";
+import { eq, count, notInArray, and } from "drizzle-orm";
 import { APP_VERSION } from "./consts";
 import crypto from "crypto";
 import { UserType } from "@server/types/UserTypes";
@@ -113,7 +113,12 @@ class TelemetryClient {
            const [customRoles] = await db
                .select({ count: count() })
                .from(roles)
-                .where(notInArray(roles.name, ["Admin", "Member"]));
+                .where(
+                    and(
+                        eq(roles.isAdmin, false),
+                        notInArray(roles.name, ["Member"])
+                    )
+                );

            const adminUsers = await db
                .select({ email: users.email })
@@ -188,7 +193,7 @@ class TelemetryClient {
                    license_tier: licenseStatus.tier || "unknown"
                }
            };
-            logger.debug("Sending enterprise startup telemtry payload:", {
+            logger.debug("Sending enterprise startup telemetry payload:", {
                payload
            });
            // this.client.capture(payload);
@@ -200,10 +205,7 @@ class TelemetryClient {
                event: "supporter_status",
                properties: {
                    valid: stats.supporterStatus.valid,
-                    tier: stats.supporterStatus.tier,
-                    github_username: stats.supporterStatus.githubUsername
-                        ? this.anon(stats.supporterStatus.githubUsername)
-                        : "None"
+                    tier: stats.supporterStatus.tier
                }
            });
        }
@@ -217,21 +219,6 @@ class TelemetryClient {
                install_timestamp: hostMeta.createdAt
            }
        });
-
-        for (const email of stats.adminUsers) {
-            // There should only be on admin user, but just in case
-            if (email) {
-                this.client.capture({
-                    distinctId: this.anon(email),
-                    event: "admin_user",
-                    properties: {
-                        host_id: hostMeta.hostMetaId,
-                        app_version: stats.appVersion,
-                        hashed_email: this.anon(email)
-                    }
-                });
-            }
-        }
    }

    private async collectAndSendAnalytics() {
@@ -262,19 +249,38 @@ class TelemetryClient {
                    num_clients: stats.numClients,
                    num_identity_providers: stats.numIdentityProviders,
                    num_sites_online: stats.numSitesOnline,
-                    resources: stats.resources.map((r) => ({
-                        name: this.anon(r.name),
-                        sso_enabled: r.sso,
-                        protocol: r.protocol,
-                        http_enabled: r.http
-                    })),
-                    sites: stats.sites.map((s) => ({
-                        site_name: this.anon(s.siteName),
-                        megabytes_in: s.megabytesIn,
-                        megabytes_out: s.megabytesOut,
-                        type: s.type,
-                        online: s.online
-                    })),
+                    num_resources_sso_enabled: stats.resources.filter(
+                        (r) => r.sso
+                    ).length,
+                    num_resources_non_http: stats.resources.filter(
+                        (r) => !r.http
+                    ).length,
+                    num_newt_sites: stats.sites.filter((s) => s.type === "newt")
+                        .length,
+                    num_local_sites: stats.sites.filter(
+                        (s) => s.type === "local"
+                    ).length,
+                    num_wg_sites: stats.sites.filter(
+                        (s) => s.type === "wireguard"
+                    ).length,
+                    avg_megabytes_in:
+                        stats.sites.length > 0
+                            ? Math.round(
+                                  stats.sites.reduce(
+                                      (sum, s) => sum + (s.megabytesIn ?? 0),
+                                      0
+                                  ) / stats.sites.length
+                              )
+                            : 0,
+                    avg_megabytes_out:
+                        stats.sites.length > 0
+                            ? Math.round(
+                                  stats.sites.reduce(
+                                      (sum, s) => sum + (s.megabytesOut ?? 0),
+                                      0
+                                  ) / stats.sites.length
+                              )
+                            : 0,
                    num_api_keys: stats.numApiKeys,
                    num_custom_roles: stats.numCustomRoles
                }
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -142,8 +142,24 @@ export class TraefikConfigManager {
                const wildcardExists = await this.fileExists(wildcardPath);

                let lastModified: Date | null = null;
-                const expiresAt: Date | null = null;
+                let expiresAt: number | null = null;
                let wildcard = false;
+                const expiresAtPath = path.join(domainDir, ".expires_at");
+                const expiresAtExists = await this.fileExists(expiresAtPath);
+
+                if (expiresAtExists) {
+                    try {
+                        const expiresAtStr = fs
+                            .readFileSync(expiresAtPath, "utf8")
+                            .trim();
+                        expiresAt = parseInt(expiresAtStr, 10);
+                        if (isNaN(expiresAt)) {
+                            expiresAt = null;
+                        }
+                    } catch {
+                        expiresAt = null;
+                    }
+                }

                if (lastUpdateExists) {
                    try {
@@ -179,7 +195,7 @@ export class TraefikConfigManager {

                state.set(domain, {
                    exists: certExists && keyExists,
-                    lastModified,
+                    lastModified: lastModified ? Math.floor(lastModified.getTime() / 1000) : null,
                    expiresAt,
                    wildcard
                });
@@ -259,9 +275,9 @@ export class TraefikConfigManager {

            // Check if certificate is expiring soon (within 30 days)
            if (localState.expiresAt) {
-                const daysUntilExpiry =
-                    (localState.expiresAt - Math.floor(Date.now() / 1000)) /
-                    (1000 * 60 * 60 * 24);
+                const nowInSeconds = Math.floor(Date.now() / 1000);
+                const secondsUntilExpiry = localState.expiresAt - nowInSeconds;
+                const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
                if (daysUntilExpiry < 30) {
                    logger.info(
                        `Fetching certificates due to upcoming expiry for ${domain} (${Math.round(daysUntilExpiry)} days remaining)`
@@ -309,10 +325,7 @@ export class TraefikConfigManager {
                this.lastActiveDomains = new Set(domains);
            }

-            if (
-                process.env.USE_PANGOLIN_DNS === "true" &&
-                build != "oss"
-            ) {
+            if (process.env.USE_PANGOLIN_DNS === "true" && build != "oss") {
                // Scan current local certificate state
                this.lastLocalCertificateState =
                    await this.scanLocalCertificateState();
@@ -450,7 +463,8 @@ export class TraefikConfigManager {
                currentExitNode,
                config.getRawConfig().traefik.site_types,
                build == "oss", // filter out the namespace domains in open source
-                build != "oss" // generate the login pages on the cloud and hybrid
+                build != "oss", // generate the login pages on the cloud and hybrid,
+                build == "saas" ? false : config.getRawConfig().traefik.allow_raw_resources // dont allow raw resources on saas otherwise use config
            );

            const domains = new Set<string>();
@@ -502,6 +516,25 @@ export class TraefikConfigManager {
                };
            }

+            // tcp:
+            //     serversTransports:
+            //         pp-transport-v1:
+            //         proxyProtocol:
+            //             version: 1
+            //         pp-transport-v2:
+            //         proxyProtocol:
+            //             version: 2
+
+            if (build != "saas") {
+                // add the serversTransports section if not present
+                if (traefikConfig.tcp && !traefikConfig.tcp.serversTransports) {
+                    traefikConfig.tcp.serversTransports = {
+                        "pp-transport-v1": { proxyProtocol: { version: 1 } },
+                        "pp-transport-v2": { proxyProtocol: { version: 2 } }
+                    };
+                }
+            }
+
            return { domains, traefikConfig };
        } catch (error) {
            // pull data out of the axios error to log
@@ -753,6 +786,16 @@ export class TraefikConfigManager {
                        "utf8"
                    );

+                    // Store the certificate expiry time
+                    if (cert.expiresAt) {
+                        const expiresAtPath = path.join(domainDir, ".expires_at");
+                        fs.writeFileSync(
+                            expiresAtPath,
+                            cert.expiresAt.toString(),
+                            "utf8"
+                        );
+                    }
+
                    logger.info(
                        `Certificate updated for domain: ${cert.domain}${cert.wildcard ? " (wildcard)" : ""}`
                    );
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -1,4 +1,4 @@
-import { db, targetHealthCheck } from "@server/db";
+import { db, targetHealthCheck, domains } from "@server/db";
 import {
    and,
    eq,
@@ -23,7 +23,8 @@ export async function getTraefikConfig(
    exitNodeId: number,
    siteTypes: string[],
    filterOutNamespaceDomains = false,
-    generateLoginPageRouters = false
+    generateLoginPageRouters = false,
+    allowRawResources = true
 ): Promise<any> {
    // Define extended target type with site information
    type TargetWithSite = Target & {
@@ -56,6 +57,8 @@ export async function getTraefikConfig(
            setHostHeader: resources.setHostHeader,
            enableProxy: resources.enableProxy,
            headers: resources.headers,
+            proxyProtocol: resources.proxyProtocol,
+            proxyProtocolVersion: resources.proxyProtocolVersion,
            // Target fields
            targetId: targets.targetId,
            targetEnabled: targets.enabled,
@@ -75,11 +78,15 @@ export async function getTraefikConfig(
            siteType: sites.type,
            siteOnline: sites.online,
            subnet: sites.subnet,
-            exitNodeId: sites.exitNodeId
+            exitNodeId: sites.exitNodeId,
+            // Domain cert resolver fields
+            domainCertResolver: domains.certResolver,
+            preferWildcardCert: domains.preferWildcardCert
        })
        .from(sites)
        .innerJoin(targets, eq(targets.siteId, sites.siteId))
        .innerJoin(resources, eq(resources.resourceId, targets.resourceId))
+        .leftJoin(domains, eq(domains.domainId, resources.domainId))
        .leftJoin(
            targetHealthCheck,
            eq(targetHealthCheck.targetId, targets.targetId)
@@ -101,7 +108,7 @@ export async function getTraefikConfig(
                    isNull(targetHealthCheck.hcHealth) // Include targets with no health check record
                ),
                inArray(sites.type, siteTypes),
-                config.getRawConfig().traefik.allow_raw_resources
+                allowRawResources
                    ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
                    : eq(resources.http, true)
            )
@@ -164,11 +171,16 @@ export async function getTraefikConfig(
                enableProxy: row.enableProxy,
                targets: [],
                headers: row.headers,
+                proxyProtocol: row.proxyProtocol,
+                proxyProtocolVersion: row.proxyProtocolVersion ?? 1,
                path: row.path, // the targets will all have the same path
                pathMatchType: row.pathMatchType, // the targets will all have the same pathMatchType
                rewritePath: row.rewritePath,
                rewritePathType: row.rewritePathType,
-                priority: priority // may be null, we fallback later
+                priority: priority,
+                // Store domain cert resolver fields
+                domainCertResolver: row.domainCertResolver,
+                preferWildcardCert: row.preferWildcardCert
            });
        }

@@ -247,21 +259,35 @@ export async function getTraefikConfig(
                wildCard = resource.fullDomain;
            }

-            const configDomain = config.getDomain(resource.domainId);
+            const globalDefaultResolver =
+                config.getRawConfig().traefik.cert_resolver;
+            const globalDefaultPreferWildcard =
+                config.getRawConfig().traefik.prefer_wildcard_cert;

-            let certResolver: string, preferWildcardCert: boolean;
-            if (!configDomain) {
-                certResolver = config.getRawConfig().traefik.cert_resolver;
-                preferWildcardCert =
-                    config.getRawConfig().traefik.prefer_wildcard_cert;
+            const domainCertResolver = resource.domainCertResolver;
+            const preferWildcardCert = resource.preferWildcardCert;
+
+            let resolverName: string | undefined;
+            let preferWildcard: boolean | undefined;
+            // Handle both letsencrypt & custom cases
+            if (domainCertResolver) {
+                resolverName = domainCertResolver.trim();
            } else {
-                certResolver = configDomain.cert_resolver;
-                preferWildcardCert = configDomain.prefer_wildcard_cert;
+                resolverName = globalDefaultResolver;
+            }
+
+            if (
+                preferWildcardCert !== undefined &&
+                preferWildcardCert !== null
+            ) {
+                preferWildcard = preferWildcardCert;
+            } else {
+                preferWildcard = globalDefaultPreferWildcard;
            }

            const tls = {
-                certResolver: certResolver,
-                ...(preferWildcardCert
+                certResolver: resolverName,
+                ...(preferWildcard
                    ? {
                          domains: [
                              {
@@ -319,9 +345,9 @@ export async function getTraefikConfig(
                        routerMiddlewares.push(rewriteMiddlewareName);
                    }

-                    logger.debug(
-                        `Created path rewrite middleware ${rewriteMiddlewareName}: ${resource.pathMatchType}(${resource.path}) -> ${resource.rewritePathType}(${resource.rewritePath})`
-                    );
+                    // logger.debug(
+                    //     `Created path rewrite middleware ${rewriteMiddlewareName}: ${resource.pathMatchType}(${resource.path}) -> ${resource.rewritePathType}(${resource.rewritePath})`
+                    // );
                } catch (error) {
                    logger.error(
                        `Failed to create path rewrite middleware for resource ${resource.resourceId}: ${error}`
@@ -562,6 +588,8 @@ export async function getTraefikConfig(
                ...(protocol === "tcp" ? { rule: "HostSNI(`*`)" } : {})
            };

+            const ppPrefix = config.getRawConfig().traefik.pp_transport_prefix;
+
            config_output[protocol].services[serviceName] = {
                loadBalancer: {
                    servers: (() => {
@@ -615,6 +643,11 @@ export async function getTraefikConfig(
                                }
                            });
                    })(),
+                    ...(resource.proxyProtocol && protocol == "tcp"
+                        ? {
+                              serversTransport: `${ppPrefix}${resource.proxyProtocolVersion || 1}@file` // TODO: does @file here cause issues?
+                          }
+                        : {}),
                    ...(resource.stickySession
                        ? {
                              sticky: {
--- a/server/lib/validators.ts
+++ b/server/lib/validators.ts
@@ -1,11 +1,12 @@
 import z from "zod";
+import ipaddr from "ipaddr.js";

 export function isValidCIDR(cidr: string): boolean {
-    return z.string().cidr().safeParse(cidr).success;
+    return z.cidrv4().safeParse(cidr).success || z.cidrv6().safeParse(cidr).success;
 }

 export function isValidIP(ip: string): boolean {
-    return z.string().ip().safeParse(ip).success;
+    return z.ipv4().safeParse(ip).success || z.ipv6().safeParse(ip).success;
 }

 export function isValidUrlGlobPattern(pattern: string): boolean {
@@ -68,11 +69,11 @@ export function isUrlValid(url: string | undefined) {
    if (!url) return true; // the link is optional in the schema so if it's empty it's valid
    var pattern = new RegExp(
        "^(https?:\\/\\/)?" + // protocol
-            "((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|" + // domain name
-            "((\\d{1,3}\\.){3}\\d{1,3}))" + // OR ip (v4) address
-            "(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*" + // port and path
-            "(\\?[;&a-z\\d%_.~+=-]*)?" + // query string
-            "(\\#[-a-z\\d_]*)?$",
+        "((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|" + // domain name
+        "((\\d{1,3}\\.){3}\\d{1,3}))" + // OR ip (v4) address
+        "(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*" + // port and path
+        "(\\?[;&a-z\\d%_.~+=-]*)?" + // query string
+        "(\\#[-a-z\\d_]*)?$",
        "i"
    );
    return !!pattern.test(url);
@@ -83,12 +84,15 @@ export function isTargetValid(value: string | undefined) {

    const DOMAIN_REGEX =
        /^[a-zA-Z0-9_](?:[a-zA-Z0-9-_]{0,61}[a-zA-Z0-9_])?(?:\.[a-zA-Z0-9_](?:[a-zA-Z0-9-_]{0,61}[a-zA-Z0-9_])?)*$/;
-    const IPV4_REGEX =
-        /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
-    const IPV6_REGEX = /^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$/i;
+    // const IPV4_REGEX =
+    //     /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
+    // const IPV6_REGEX = /^(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}$/i;

-    if (IPV4_REGEX.test(value) || IPV6_REGEX.test(value)) {
-        return true;
+    try {
+        const addr = ipaddr.parse(value);
+        return addr.kind() === "ipv4" || addr.kind() === "ipv6";
+    } catch {
+        // fall through to domain regex check
    }

    return DOMAIN_REGEX.test(value);
@@ -169,10 +173,10 @@ export function isSecondLevelDomain(domain: string): boolean {
    }

    const trimmedDomain = domain.trim().toLowerCase();
-    
+
    // Split into parts
    const parts = trimmedDomain.split('.');
-    
+
    // Should have exactly 2 parts for a second-level domain (e.g., "example.com")
    if (parts.length !== 2) {
        return false;
--- a/server/license/license.ts
+++ b/server/license/license.ts
@@ -40,6 +40,10 @@ export class License {
    public setServerSecret(secret: string) {
        this.serverSecret = secret;
    }
+
+    public async isUnlocked() {
+        return false;
+    }
 }

 await setHostMeta();
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -11,6 +11,7 @@ export * from "./verifyRoleAccess";
 export * from "./verifyUserAccess";
 export * from "./verifyAdmin";
 export * from "./verifySetResourceUsers";
+export * from "./verifySetResourceClients";
 export * from "./verifyUserInRole";
 export * from "./verifyAccessTokenAccess";
 export * from "./requestTimeout";
@@ -24,6 +25,7 @@ export * from "./integration";
 export * from "./verifyUserHasAction";
 export * from "./verifyApiKeyAccess";
 export * from "./verifyDomainAccess";
-export * from "./verifyClientsEnabled";
 export * from "./verifyUserIsOrgOwner";
 export * from "./verifySiteResourceAccess";
+export * from "./logActionAudit";
+export * from "./verifyOlmAccess";
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -7,6 +7,7 @@ export * from "./verifyApiKeyTargetAccess";
 export * from "./verifyApiKeyRoleAccess";
 export * from "./verifyApiKeyUserAccess";
 export * from "./verifyApiKeySetResourceUsers";
+export * from "./verifyApiKeySetResourceClients";
 export * from "./verifyAccessTokenAccess";
 export * from "./verifyApiKeyIsRoot";
 export * from "./verifyApiKeyApiKeyAccess";
--- a/server/middlewares/integration/verifyApiKeySetResourceClients.ts
+++ b/server/middlewares/integration/verifyApiKeySetResourceClients.ts
@@ -0,0 +1,73 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeySetResourceClients(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const apiKey = req.apiKey;
+    const singleClientId = req.params.clientId || req.body.clientId || req.query.clientId;
+    const { clientIds } = req.body;
+    const allClientIds = clientIds || (singleClientId ? [parseInt(singleClientId as string)] : []);
+
+    if (!apiKey) {
+        return next(
+            createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+        );
+    }
+
+    if (apiKey.isRoot) {
+        // Root keys can access any client in any org
+        return next();
+    }
+
+    if (!req.apiKeyOrg) {
+        return next(
+            createHttpError(
+                HttpCode.FORBIDDEN,
+                "Key does not have access to this organization"
+            )
+        );
+    }
+
+    if (allClientIds.length === 0) {
+        return next();
+    }
+
+    try {
+        const orgId = req.apiKeyOrg.orgId;
+        const clientsData = await db
+            .select()
+            .from(clients)
+            .where(
+                and(
+                    inArray(clients.clientId, allClientIds),
+                    eq(clients.orgId, orgId)
+                )
+            );
+
+        if (clientsData.length !== allClientIds.length) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to one or more specified clients"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error checking if key has access to the specified clients"
+            )
+        );
+    }
+}
+
--- a/server/middlewares/integration/verifyApiKeySetResourceUsers.ts
+++ b/server/middlewares/integration/verifyApiKeySetResourceUsers.ts
@@ -11,7 +11,9 @@ export async function verifyApiKeySetResourceUsers(
    next: NextFunction
 ) {
    const apiKey = req.apiKey;
-    const userIds = req.body.userIds;
+    const singleUserId = req.params.userId || req.body.userId || req.query.userId;
+    const { userIds } = req.body;
+    const allUserIds = userIds || (singleUserId ? [singleUserId] : []);

    if (!apiKey) {
        return next(
@@ -33,11 +35,7 @@ export async function verifyApiKeySetResourceUsers(
        );
    }

-    if (!userIds) {
-        return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid user IDs"));
-    }
-
-    if (userIds.length === 0) {
+    if (allUserIds.length === 0) {
        return next();
    }

@@ -48,12 +46,12 @@ export async function verifyApiKeySetResourceUsers(
            .from(userOrgs)
            .where(
                and(
-                    inArray(userOrgs.userId, userIds),
+                    inArray(userOrgs.userId, allUserIds),
                    eq(userOrgs.orgId, orgId)
                )
            );

-        if (userOrgsData.length !== userIds.length) {
+        if (userOrgsData.length !== allUserIds.length) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
--- a/server/middlewares/integration/verifyApiKeySiteResourceAccess.ts
+++ b/server/middlewares/integration/verifyApiKeySiteResourceAccess.ts
@@ -13,8 +13,6 @@ export async function verifyApiKeySiteResourceAccess(
    try {
        const apiKey = req.apiKey;
        const siteResourceId = parseInt(req.params.siteResourceId);
-        const siteId = parseInt(req.params.siteId);
-        const orgId = req.params.orgId;

        if (!apiKey) {
            return next(
@@ -22,11 +20,11 @@ export async function verifyApiKeySiteResourceAccess(
            );
        }

-        if (!siteResourceId || !siteId || !orgId) {
+        if (!siteResourceId) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
-                    "Missing required parameters"
+                    "Missing siteResourceId parameter"
                )
            );
        }
@@ -41,9 +39,7 @@ export async function verifyApiKeySiteResourceAccess(
            .select()
            .from(siteResources)
            .where(and(
-                eq(siteResources.siteResourceId, siteResourceId),
-                eq(siteResources.siteId, siteId),
-                eq(siteResources.orgId, orgId)
+                eq(siteResources.siteResourceId, siteResourceId)
            ))
            .limit(1);

@@ -64,11 +60,11 @@ export async function verifyApiKeySiteResourceAccess(
                .where(
                    and(
                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
-                        eq(apiKeyOrg.orgId, orgId)
+                        eq(apiKeyOrg.orgId, siteResource.orgId)
                    )
                )
                .limit(1);
-            
+
            if (apiKeyOrgRes.length === 0) {
                return next(
                    createHttpError(
@@ -77,12 +73,11 @@ export async function verifyApiKeySiteResourceAccess(
                    )
                );
            }
-            
+
            req.apiKeyOrg = apiKeyOrgRes[0];
        }

        // Attach the siteResource to the request for use in the next middleware/route
-        // @ts-ignore - Extending Request type
        req.siteResource = siteResource;

        return next();
--- a/server/middlewares/logActionAudit.ts
+++ b/server/middlewares/logActionAudit.ts
@@ -0,0 +1,16 @@
+import { ActionsEnum } from "@server/auth/actions";
+import { Request, Response, NextFunction } from "express";
+
+export function logActionAudit(action: ActionsEnum) {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        next();
+    };
+}
+
+export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
+    return;
+}
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -5,6 +5,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifyAccessTokenAccess(
    req: Request,
@@ -96,6 +97,24 @@ export async function verifyAccessTokenAccess(
            req.userOrgId = resource[0].orgId!;
        }

+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
--- a/server/middlewares/verifyAdmin.ts
+++ b/server/middlewares/verifyAdmin.ts
@@ -4,6 +4,7 @@ import { roles, userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifyAdmin(
    req: Request,
@@ -43,6 +44,24 @@ export async function verifyAdmin(
        );
    }

+    if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+        const policyCheck = await checkOrgAccessPolicy({
+            orgId: req.userOrg.orgId,
+            userId,
+            session: req.session
+        });
+        req.orgPolicyAllowed = policyCheck.allowed;
+        if (!policyCheck.allowed || policyCheck.error) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Failed organization access policy check: " +
+                        (policyCheck.error || "Unknown error")
+                )
+            );
+        }
+    }
+
    const userRole = await db
        .select()
        .from(roles)
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -4,6 +4,7 @@ import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";

 export async function verifyApiKeyAccess(
    req: Request,
@@ -84,6 +85,24 @@ export async function verifyApiKeyAccess(
            );
        }

+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
        const userOrgRoleId = req.userOrg.roleId;
        req.userOrgRoleId = userOrgRoleId;

--- a/Show More
+++ b/Show More