Customize table a little more

Add basic provisioning room v1 and update keys
Provisioning room basics done
2026-03-30 14:36:46 +00:00 · 2026-03-29 20:29:31 -07:00 · 2026-03-29 16:28:51 -07:00 · 2026-03-29 14:20:58 -07:00 · 2026-03-29 13:59:14 -07:00 · 2026-03-29 13:55:23 -07:00
204 changed files with 12298 additions and 2605 deletions
--- a/license.py
+++ b/license.py
@@ -0,0 +1,115 @@
 import os
 import sys
 # --- Configuration ---
 # The header text to be added to the files.
 HEADER_TEXT = """/*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 """
 def should_add_header(file_path):
    """
    Checks if a file should receive the commercial license header.
    Returns True if 'private' is in the path or file content.
    """
    # Check if 'private' is in the file path (case-insensitive)
    if 'server/private' in file_path.lower():
        return True
    # Check if 'private' is in the file content (case-insensitive)
    # try:
    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
    #         content = f.read()
    #         if 'private' in content.lower():
    #             return True
    # except Exception as e:
    #     print(f"Could not read file {file_path}: {e}")
    return False
 def process_directory(root_dir):
    """
    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
    skipping any 'node_modules' directories.
    """
    print(f"Scanning directory: {root_dir}")
    files_processed = 0
    headers_added = 0
    for root, dirs, files in os.walk(root_dir):
        # --- MODIFICATION ---
        # Exclude 'node_modules' directories from the scan to improve performance.
        if 'node_modules' in dirs:
            dirs.remove('node_modules')
        for file in files:
            if file.endswith('.ts') or file.endswith('.tsx'):
                file_path = os.path.join(root, file)
                files_processed += 1
                try:
                    with open(file_path, 'r+', encoding='utf-8') as f:
                        original_content = f.read()
                        has_header = original_content.startswith(HEADER_TEXT.strip())
                        if should_add_header(file_path):
                            # Add header only if it's not already there
                            if not has_header:
                                f.seek(0, 0) # Go to the beginning of the file
                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
                                print(f"Added header to: {file_path}")
                                headers_added += 1
                            else:
                                print(f"Header already exists in: {file_path}")
                        else:
                            # Remove header if it exists but shouldn't be there
                            if has_header:
                                # Find the end of the header and remove it (including following newlines)
                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
                                if original_content.startswith(header_with_newlines):
                                    content_without_header = original_content[len(header_with_newlines):]
                                else:
                                    # Handle case where there might be different newline patterns
                                    header_end = len(HEADER_TEXT.strip())
                                    # Skip any newlines after the header
                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
                                        header_end += 1
                                    content_without_header = original_content[header_end:]
                                f.seek(0)
                                f.write(content_without_header)
                                f.truncate()
                                print(f"Removed header from: {file_path}")
                                headers_added += 1  # Reusing counter for modifications
                except Exception as e:
                    print(f"Error processing file {file_path}: {e}")
    print("\n--- Scan Complete ---")
    print(f"Total .ts or .tsx files found: {files_processed}")
    print(f"Files modified (headers added/removed): {headers_added}")
 if __name__ == "__main__":
    # Get the target directory from the command line arguments.
    # If no directory is provided, it uses the current directory ('.').
    if len(sys.argv) > 1:
        target_directory = sys.argv[1]
    else:
        target_directory = '.' # Default to current directory
    if not os.path.isdir(target_directory):
        print(f"Error: Directory '{target_directory}' not found.")
        sys.exit(1)
    process_directory(os.path.abspath(target_directory))
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Изтрийте потребител",
    "actionListUsers": "Изброяване на потребители",
    "actionAddUserRole": "Добавяне на роля на потребител",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Генериране на токен за достъп",
    "actionDeleteAccessToken": "Изтриване на токен за достъп",
    "actionListAccessTokens": "Изброяване на токени за достъп",
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Odstranit uživatele",
    "actionListUsers": "Seznam uživatelů",
    "actionAddUserRole": "Přidat uživatelskou roli",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Generovat přístupový token",
    "actionDeleteAccessToken": "Odstranit přístupový token",
    "actionListAccessTokens": "Seznam přístupových tokenů",
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Benutzer entfernen",
    "actionListUsers": "Benutzer auflisten",
    "actionAddUserRole": "Benutzerrolle hinzufügen",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Zugriffstoken generieren",
    "actionDeleteAccessToken": "Zugriffstoken löschen",
    "actionListAccessTokens": "Zugriffstoken auflisten",
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -148,6 +148,11 @@
    "createLink": "Create Link",
    "resourcesNotFound": "No resources found",
    "resourceSearch": "Search resources",
    "machineSearch": "Search machines",
    "machinesSearch": "Search machine clients...",
    "machineNotFound": "No machines found",
    "userDeviceSearch": "Search user devices",
    "userDevicesSearch": "Search user devices...",
    "openMenu": "Open menu",
    "resource": "Resource",
    "title": "Title",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Delete API Key",
    "apiKeysManage": "Manage API Keys",
    "apiKeysDescription": "API keys are used to authenticate with the integration API",
    "provisioningKeysTitle": "Provisioning Key",
    "provisioningKeysManage": "Manage Provisioning Keys",
    "provisioningKeysDescription": "Provisioning keys are used to authenticate automated site provisioning for your organization.",
    "provisioningManage": "Provisioning",
    "provisioningDescription": "Manage provisioning keys and review pending sites awaiting approval.",
    "pendingSites": "Pending Sites",
    "siteApproveSuccess": "Site approved successfully",
    "siteApproveError": "Error approving site",
    "provisioningKeys": "Provisioning Keys",
    "searchProvisioningKeys": "Search provisioning keys...",
    "provisioningKeysAdd": "Generate Provisioning Key",
    "provisioningKeysErrorDelete": "Error deleting provisioning key",
    "provisioningKeysErrorDeleteMessage": "Error deleting provisioning key",
    "provisioningKeysQuestionRemove": "Are you sure you want to remove this provisioning key from the organization?",
    "provisioningKeysMessageRemove": "Once removed, the key can no longer be used for site provisioning.",
    "provisioningKeysDeleteConfirm": "Confirm Delete Provisioning Key",
    "provisioningKeysDelete": "Delete Provisioning key",
    "provisioningKeysCreate": "Generate Provisioning Key",
    "provisioningKeysCreateDescription": "Generate a new provisioning key for the organization",
    "provisioningKeysSeeAll": "See all provisioning keys",
    "provisioningKeysSave": "Save the provisioning key",
    "provisioningKeysSaveDescription": "You will only be able to see this once. Copy it to a secure place.",
    "provisioningKeysErrorCreate": "Error creating provisioning key",
    "provisioningKeysList": "New provisioning key",
    "provisioningKeysMaxBatchSize": "Max batch size",
    "provisioningKeysUnlimitedBatchSize": "Unlimited batch size (no limit)",
    "provisioningKeysMaxBatchUnlimited": "Unlimited",
    "provisioningKeysMaxBatchSizeInvalid": "Enter a valid max batch size (1–1,000,000).",
    "provisioningKeysValidUntil": "Valid until",
    "provisioningKeysValidUntilHint": "Leave empty for no expiration.",
    "provisioningKeysValidUntilInvalid": "Enter a valid date and time.",
    "provisioningKeysNumUsed": "Times used",
    "provisioningKeysLastUsed": "Last used",
    "provisioningKeysNoExpiry": "No expiration",
    "provisioningKeysNeverUsed": "Never",
    "provisioningKeysEdit": "Edit Provisioning Key",
    "provisioningKeysEditDescription": "Update the max batch size and expiration time for this key.",
    "provisioningKeysApproveNewSites": "Approve new sites",
    "provisioningKeysApproveNewSitesDescription": "Automatically approve sites that register with this key.",
    "provisioningKeysUpdateError": "Error updating provisioning key",
    "provisioningKeysUpdated": "Provisioning key updated",
    "provisioningKeysUpdatedDescription": "Your changes have been saved.",
    "provisioningKeysBannerTitle": "Site Provisioning Keys",
    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup — no need to set up separate credentials for each site.",
    "provisioningKeysBannerButtonText": "Learn More",
    "pendingSitesBannerTitle": "Pending Sites",
    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review. Approve each site before it becomes active and gains access to your resources.",
    "pendingSitesBannerButtonText": "Learn More",
    "apiKeysSettings": "{apiKeyName} Settings",
    "userTitle": "Manage All Users",
    "userDescription": "View and manage all users in the system",
@@ -509,9 +562,12 @@
    "userSaved": "User saved",
    "userSavedDescription": "The user has been updated.",
    "autoProvisioned": "Auto Provisioned",
    "autoProvisionSettings": "Auto Provision Settings",
    "autoProvisionedDescription": "Allow this user to be automatically managed by identity provider",
    "accessControlsDescription": "Manage what this user can access and do in the organization",
    "accessControlsSubmit": "Save Access Controls",
    "singleRolePerUserPlanNotice": "Your plan only supports one role per user.",
    "singleRolePerUserEditionNotice": "This edition only supports one role per user.",
    "roles": "Roles",
    "accessUsersRoles": "Manage Users & Roles",
    "accessUsersRolesDescription": "Invite users and add them to roles to manage access to the organization",
@@ -887,7 +943,7 @@
    "defaultMappingsRole": "Default Role Mapping",
    "defaultMappingsRoleDescription": "The result of this expression must return the role name as defined in the organization as a string.",
    "defaultMappingsOrg": "Default Organization Mapping",
-    "defaultMappingsOrgDescription": "This expression must return the org ID or true for the user to be allowed to access the organization.",
+    "defaultMappingsOrgDescription": "When set, this expression must return the organization ID or true for the user to access that organization. When unset, defining an organization policy for that org is enough: the user is allowed in as long as a valid role mapping can be resolved for them within the organization.",
    "defaultMappingsSubmit": "Save Default Mappings",
    "orgPoliciesEdit": "Edit Organization Policy",
    "org": "Organization",
@@ -1040,7 +1096,6 @@
    "pageNotFoundDescription": "Oops! The page you're looking for doesn't exist.",
    "overview": "Overview",
    "home": "Home",
    "accessControl": "Access Control",
    "settings": "Settings",
    "usersAll": "All Users",
    "license": "License",
@@ -1150,6 +1205,7 @@
    "actionRemoveUser": "Remove User",
    "actionListUsers": "List Users",
    "actionAddUserRole": "Add User Role",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Generate Access Token",
    "actionDeleteAccessToken": "Delete Access Token",
    "actionListAccessTokens": "List Access Tokens",
@@ -1266,6 +1322,7 @@
    "sidebarRoles": "Roles",
    "sidebarShareableLinks": "Links",
    "sidebarApiKeys": "API Keys",
    "sidebarProvisioning": "Provisioning",
    "sidebarSettings": "Settings",
    "sidebarAllUsers": "All Users",
    "sidebarIdentityProviders": "Identity Providers",
@@ -1939,6 +1996,25 @@
    "invalidValue": "Invalid value",
    "idpTypeLabel": "Identity Provider Type",
    "roleMappingExpressionPlaceholder": "e.g., contains(groups, 'admin') && 'Admin' || 'Member'",
    "roleMappingModeFixedRoles": "Fixed Roles",
    "roleMappingModeMappingBuilder": "Mapping Builder",
    "roleMappingModeRawExpression": "Raw Expression",
    "roleMappingFixedRolesPlaceholderSelect": "Select one or more roles",
    "roleMappingFixedRolesPlaceholderFreeform": "Type role names (exact match per organization)",
    "roleMappingFixedRolesDescriptionSameForAll": "Assign the same role set to every auto-provisioned user.",
    "roleMappingFixedRolesDescriptionDefaultPolicy": "For default policies, type role names that exist in each organization where users are provisioned. Names must match exactly.",
    "roleMappingClaimPath": "Claim Path",
    "roleMappingClaimPathPlaceholder": "groups",
    "roleMappingClaimPathDescription": "Path in the token payload that contains source values (for example, groups).",
    "roleMappingMatchValue": "Match Value",
    "roleMappingAssignRoles": "Assign Roles",
    "roleMappingAddMappingRule": "Add Mapping Rule",
    "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
    "roleMappingRawExpressionResultDescriptionSingleRole": "Expression must evaluate to a string (a single role name).",
    "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
    "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
    "roleMappingBuilderFreeformRowHint": "Role names must match a role in each target organization.",
    "roleMappingRemoveRule": "Remove",
    "idpGoogleConfiguration": "Google Configuration",
    "idpGoogleConfigurationDescription": "Configure the Google OAuth2 credentials",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2345,6 +2421,12 @@
    "logRetentionEndOfFollowingYear": "End of following year",
    "actionLogsDescription": "View a history of actions performed in this organization",
    "accessLogsDescription": "View access auth requests for resources in this organization",
    "connectionLogs": "Connection Logs",
    "connectionLogsDescription": "View connection logs for tunnels in this organization",
    "sidebarLogsConnection": "Connection Logs",
    "sourceAddress": "Source Address",
    "destinationAddress": "Destination Address",
    "duration": "Duration",
    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Certificate Resolver",
@@ -2511,9 +2593,9 @@
    "remoteExitNodeRegenerateCredentialsConfirmation": "Are you sure you want to regenerate the credentials for this remote exit node?",
    "remoteExitNodeRegenerateCredentialsWarning": "This will regenerate the credentials. The remote exit node will stay connected until you manually restart it and use the new credentials.",
    "agent": "Agent",
-    "personalUseOnly":  "Personal Use Only",
+    "personalUseOnly": "Personal Use Only",
-    "loginPageLicenseWatermark":  "This instance is licensed for personal use only.",
+    "loginPageLicenseWatermark": "This instance is licensed for personal use only.",
-    "instanceIsUnlicensed":  "This instance is unlicensed.",
+    "instanceIsUnlicensed": "This instance is unlicensed.",
    "portRestrictions": "Port Restrictions",
    "allPorts": "All",
    "custom": "Custom",
@@ -2567,7 +2649,7 @@
    "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
    "forced": "Forced",
    "forcedModeDescription": "Always show the maintenance page regardless of backend health. Use this for planned maintenance when you want to prevent all access.",
-    "warning:" : "Warning:",
+    "warning:": "Warning:",
    "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
    "pageTitle": "Page Title",
    "pageTitleDescription": "The main heading displayed on the maintenance page",
@@ -2684,5 +2766,6 @@
    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
    "approvalsEmptyStateButtonText": "Manage Roles",
-    "domainErrorTitle": "We are having trouble verifying your domain"
+    "domainErrorTitle": "We are having trouble verifying your domain",
    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab."
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Eliminar usuario",
    "actionListUsers": "Listar usuarios",
    "actionAddUserRole": "Añadir rol de usuario",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Generar token de acceso",
    "actionDeleteAccessToken": "Eliminar token de acceso",
    "actionListAccessTokens": "Lista de Tokens de Acceso",
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Supprimer un utilisateur",
    "actionListUsers": "Lister les utilisateurs",
    "actionAddUserRole": "Ajouter un rôle utilisateur",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Générer un jeton d'accès",
    "actionDeleteAccessToken": "Supprimer un jeton d'accès",
    "actionListAccessTokens": "Lister les jetons d'accès",
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Rimuovi Utente",
    "actionListUsers": "Elenca Utenti",
    "actionAddUserRole": "Aggiungi Ruolo Utente",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Genera Token di Accesso",
    "actionDeleteAccessToken": "Elimina Token di Accesso",
    "actionListAccessTokens": "Elenca Token di Accesso",
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "사용자 제거",
    "actionListUsers": "사용자 목록",
    "actionAddUserRole": "사용자 역할 추가",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "액세스 토큰 생성",
    "actionDeleteAccessToken": "액세스 토큰 삭제",
    "actionListAccessTokens": "액세스 토큰 목록",
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Fjern bruker",
    "actionListUsers": "List opp brukere",
    "actionAddUserRole": "Legg til brukerrolle",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Generer tilgangstoken",
    "actionDeleteAccessToken": "Slett tilgangstoken",
    "actionListAccessTokens": "List opp tilgangstokener",
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Gebruiker verwijderen",
    "actionListUsers": "Gebruikers weergeven",
    "actionAddUserRole": "Gebruikersrol toevoegen",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Genereer Toegangstoken",
    "actionDeleteAccessToken": "Verwijder toegangstoken",
    "actionListAccessTokens": "Lijst toegangstokens",
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Usuń użytkownika",
    "actionListUsers": "Lista użytkowników",
    "actionAddUserRole": "Dodaj rolę użytkownika",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Wygeneruj token dostępu",
    "actionDeleteAccessToken": "Usuń token dostępu",
    "actionListAccessTokens": "Lista tokenów dostępu",
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Remover Utilizador",
    "actionListUsers": "Listar Utilizadores",
    "actionAddUserRole": "Adicionar Função ao Utilizador",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Gerar Token de Acesso",
    "actionDeleteAccessToken": "Eliminar Token de Acesso",
    "actionListAccessTokens": "Listar Tokens de Acesso",
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Удалить пользователя",
    "actionListUsers": "Список пользователей",
    "actionAddUserRole": "Добавить роль пользователя",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Сгенерировать токен доступа",
    "actionDeleteAccessToken": "Удалить токен доступа",
    "actionListAccessTokens": "Список токенов доступа",
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "Kullanıcıyı Kaldır",
    "actionListUsers": "Kullanıcıları Listele",
    "actionAddUserRole": "Kullanıcı Rolü Ekle",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Erişim Jetonu Oluştur",
    "actionDeleteAccessToken": "Erişim Jetonunu Sil",
    "actionListAccessTokens": "Erişim Jetonlarını Listele",
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -1148,6 +1148,7 @@
    "actionRemoveUser": "删除用户",
    "actionListUsers": "列出用户",
    "actionAddUserRole": "添加用户角色",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "生成访问令牌",
    "actionDeleteAccessToken": "删除访问令牌",
    "actionListAccessTokens": "访问令牌",
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -1091,6 +1091,7 @@
  "actionRemoveUser": "刪除用戶",
  "actionListUsers": "列出用戶",
  "actionAddUserRole": "添加用戶角色",
  "actionSetUserOrgRoles": "Set User Roles",
  "actionGenerateAccessToken": "生成訪問令牌",
  "actionDeleteAccessToken": "刪除訪問令牌",
  "actionListAccessTokens": "訪問令牌",
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -1,9 +1,10 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db";
+import { userActions, roleActions } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export enum ActionsEnum {
    createOrgUser = "createOrgUser",
@@ -53,6 +54,8 @@ export enum ActionsEnum {
    listRoleResources = "listRoleResources",
    // listRoleActions = "listRoleActions",
    addUserRole = "addUserRole",
    removeUserRole = "removeUserRole",
    setUserOrgRoles = "setUserOrgRoles",
    // addUserSite = "addUserSite",
    // addUserAction = "addUserAction",
    // removeUserAction = "removeUserAction",
@@ -109,6 +112,10 @@ export enum ActionsEnum {
    listApiKeyActions = "listApiKeyActions",
    listApiKeys = "listApiKeys",
    getApiKey = "getApiKey",
    createSiteProvisioningKey = "createSiteProvisioningKey",
    listSiteProvisioningKeys = "listSiteProvisioningKeys",
    updateSiteProvisioningKey = "updateSiteProvisioningKey",
    deleteSiteProvisioningKey = "deleteSiteProvisioningKey",
    getCertificate = "getCertificate",
    restartCertificate = "restartCertificate",
    billing = "billing",
@@ -154,29 +161,16 @@ export async function checkUserActionPermission(
    }
    try {
-        let userOrgRoleId = req.userOrgRoleId;
+        let userOrgRoleIds = req.userOrgRoleIds;
-        // If userOrgRoleId is not available on the request, fetch it
+        if (userOrgRoleIds === undefined) {
-        if (userOrgRoleId === undefined) {
+            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
-            const userOrgRole = await db
+            if (userOrgRoleIds.length === 0) {
                .select()
                .from(userOrgs)
                .where(
                    and(
                        eq(userOrgs.userId, userId),
                        eq(userOrgs.orgId, req.userOrgId!)
                    )
                )
                .limit(1);
            if (userOrgRole.length === 0) {
                throw createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                );
            }
            userOrgRoleId = userOrgRole[0].roleId;
        }
        // Check if the user has direct permission for the action in the current org
@@ -187,7 +181,7 @@ export async function checkUserActionPermission(
                and(
                    eq(userActions.userId, userId),
                    eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
+                    eq(userActions.orgId, req.userOrgId!)
                )
            )
            .limit(1);
@@ -196,14 +190,14 @@ export async function checkUserActionPermission(
            return true;
        }
-        // If no direct permission, check role-based permission
+        // If no direct permission, check role-based permission (any of user's roles)
        const roleActionPermission = await db
            .select()
            .from(roleActions)
            .where(
                and(
                    eq(roleActions.actionId, actionId),
-                    eq(roleActions.roleId, userOrgRoleId!),
+                    inArray(roleActions.roleId, userOrgRoleIds),
                    eq(roleActions.orgId, req.userOrgId!)
                )
            )
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";
 export async function canUserAccessResource({
    userId,
    resourceId,
-    roleId
+    roleIds
 }: {
    userId: string;
    resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
+    const roleResourceAccess =
-        .select()
+        roleIds.length > 0
-        .from(roleResources)
+            ? await db
-        .where(
+                  .select()
-            and(
+                  .from(roleResources)
-                eq(roleResources.resourceId, resourceId),
+                  .where(
-                eq(roleResources.roleId, roleId)
+                      and(
-            )
+                          eq(roleResources.resourceId, resourceId),
-        )
+                          inArray(roleResources.roleId, roleIds)
-        .limit(1);
+                      )
                  )
                  .limit(1)
            : [];
    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 export async function canUserAccessSiteResource({
    userId,
    resourceId,
-    roleId
+    roleIds
 }: {
    userId: string;
    resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
+    const roleResourceAccess =
-        .select()
+        roleIds.length > 0
-        .from(roleSiteResources)
+            ? await db
-        .where(
+                  .select()
-            and(
+                  .from(roleSiteResources)
-                eq(roleSiteResources.siteResourceId, resourceId),
+                  .where(
-                eq(roleSiteResources.roleId, roleId)
+                      and(
-            )
+                          eq(roleSiteResources.siteResourceId, resourceId),
-        )
+                          inArray(roleSiteResources.roleId, roleIds)
-        .limit(1);
+                      )
                  )
                  .limit(1)
            : [];
    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,9 +1,13 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 async function cleanup() {
    await stopPingAccumulator();
    await flushBandwidthToDb();
    await flushConnectionLogToDb();
    await flushSiteBandwidthToDb();
    await wsCleanup();
@@ -14,4 +18,4 @@ export async function initCleanup() {
    // Handle process termination
    process.on("SIGTERM", () => cleanup());
    process.on("SIGINT", () => cleanup());
-}
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -7,7 +7,8 @@ import {
    bigint,
    real,
    text,
-    index
+    index,
    primaryKey
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import {
@@ -17,7 +18,9 @@ import {
    users,
    exitNodes,
    sessions,
-    clients
+    clients,
    siteResources,
    sites
 } from "./schema";
 export const certificates = pgTable("certificates", {
@@ -89,7 +92,9 @@ export const subscriptions = pgTable("subscriptions", {
 export const subscriptionItems = pgTable("subscriptionItems", {
    subscriptionItemId: serial("subscriptionItemId").primaryKey(),
-    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", { length: 255 }),
+    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", {
        length: 255
    }),
    subscriptionId: varchar("subscriptionId", { length: 255 })
        .notNull()
        .references(() => subscriptions.subscriptionId, {
@@ -302,6 +307,45 @@ export const accessAuditLog = pgTable(
    ]
 );
 export const connectionAuditLog = pgTable(
    "connectionAuditLog",
    {
        id: serial("id").primaryKey(),
        sessionId: text("sessionId").notNull(),
        siteResourceId: integer("siteResourceId").references(
            () => siteResources.siteResourceId,
            { onDelete: "cascade" }
        ),
        orgId: text("orgId").references(() => orgs.orgId, {
            onDelete: "cascade"
        }),
        siteId: integer("siteId").references(() => sites.siteId, {
            onDelete: "cascade"
        }),
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
        sourceAddr: text("sourceAddr").notNull(),
        destAddr: text("destAddr").notNull(),
        protocol: text("protocol").notNull(),
        startedAt: integer("startedAt").notNull(),
        endedAt: integer("endedAt"),
        bytesTx: integer("bytesTx"),
        bytesRx: integer("bytesRx")
    },
    (table) => [
        index("idx_accessAuditLog_startedAt").on(table.startedAt),
        index("idx_accessAuditLog_org_startedAt").on(
            table.orgId,
            table.startedAt
        ),
        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
    ]
 );
 export const approvals = pgTable("approvals", {
    approvalId: serial("approvalId").primaryKey(),
    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -329,13 +373,49 @@ export const approvals = pgTable("approvals", {
 });
 export const bannedEmails = pgTable("bannedEmails", {
-    email: varchar("email", { length: 255 }).primaryKey(),
+    email: varchar("email", { length: 255 }).primaryKey()
 });
 export const bannedIps = pgTable("bannedIps", {
-    ip: varchar("ip", { length: 255 }).primaryKey(),
+    ip: varchar("ip", { length: 255 }).primaryKey()
 });
 export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
    siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
        length: 255
    }).primaryKey(),
    name: varchar("name", { length: 255 }).notNull(),
    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
    lastChars: varchar("lastChars", { length: 4 }).notNull(),
    createdAt: varchar("dateCreated", { length: 255 }).notNull(),
    lastUsed: varchar("lastUsed", { length: 255 }),
    maxBatchSize: integer("maxBatchSize"), // null = no limit
    numUsed: integer("numUsed").notNull().default(0),
    validUntil: varchar("validUntil", { length: 255 }),
    approveNewSites: boolean("approveNewSites").notNull().default(true)
 });
 export const siteProvisioningKeyOrg = pgTable(
    "siteProvisioningKeyOrg",
    {
        siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
            length: 255
        })
            .notNull()
            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
                onDelete: "cascade"
            }),
        orgId: varchar("orgId", { length: 255 })
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" })
    },
    (table) => [
        primaryKey({
            columns: [table.siteProvisioningKeyId, table.orgId]
        })
    ]
 );
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -357,3 +437,4 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -6,9 +6,11 @@ import {
    index,
    integer,
    pgTable,
    primaryKey,
    real,
    serial,
    text,
    unique,
    varchar
 } from "drizzle-orm/pg-core";
@@ -55,6 +57,9 @@ export const orgs = pgTable("orgs", {
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: boolean("isBillingOrg"),
@@ -95,7 +100,8 @@ export const sites = pgTable("sites", {
    publicKey: varchar("publicKey"),
    lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
    listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
    status: varchar("status").$type<"pending" | "approved">()
 });
 export const resources = pgTable("resources", {
@@ -335,9 +341,6 @@ export const userOrgs = pgTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId),
    isOwner: boolean("isOwner").notNull().default(false),
    autoProvisioned: boolean("autoProvisioned").default(false),
    pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -386,6 +389,22 @@ export const roles = pgTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 export const userOrgRoles = pgTable(
    "userOrgRoles",
    {
        userId: varchar("userId")
            .notNull()
            .references(() => users.userId, { onDelete: "cascade" }),
        orgId: varchar("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
 );
 export const roleActions = pgTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -453,12 +472,22 @@ export const userInvites = pgTable("userInvites", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    email: varchar("email").notNull(),
    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
-    tokenHash: varchar("token").notNull(),
+    tokenHash: varchar("token").notNull()
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId, { onDelete: "cascade" })
 });
 export const userInviteRoles = pgTable(
    "userInviteRoles",
    {
        inviteId: varchar("inviteId")
            .notNull()
            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
 );
 export const resourcePincode = pgTable("resourcePincode", {
    pincodeId: serial("pincodeId").primaryKey(),
    resourceId: integer("resourceId")
@@ -1034,7 +1063,9 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,12 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
+import {
    db,
    loginPage,
    LoginPage,
    loginPageOrg,
    Org,
    orgs,
    roles
 } from "@server/db";
 import {
    Resource,
    ResourcePassword,
@@ -12,13 +20,12 @@ import {
    resources,
    roleResources,
    sessions,
    userOrgs,
    userResources,
    users,
    ResourceHeaderAuthExtendedCompatibility,
    resourceHeaderAuthExtendedCompatibility
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 export type ResourceWithAuth = {
    resource: Resource | null;
@@ -104,24 +111,15 @@ export async function getUserSessionWithUser(
 }
 /**
- * Get user organization role
+ * Get role name by role ID (for display).
 */
-export async function getUserOrgRole(userId: string, orgId: string) {
+export async function getRoleName(roleId: number): Promise<string | null> {
-    const userOrgRole = await db
+    const [row] = await db
-        .select({
+        .select({ name: roles.name })
-            userId: userOrgs.userId,
+        .from(roles)
-            orgId: userOrgs.orgId,
+        .where(eq(roles.roleId, roleId))
            roleId: userOrgs.roleId,
            isOwner: userOrgs.isOwner,
            autoProvisioned: userOrgs.autoProvisioned,
            roleName: roles.name
        })
        .from(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .limit(1);
-
+    return row?.name ?? null;
    return userOrgRole.length > 0 ? userOrgRole[0] : null;
 }
 /**
@@ -129,7 +127,7 @@ export async function getUserOrgRole(userId: string, orgId: string) {
 */
 export async function getRoleResourceAccess(
    resourceId: number,
-    roleId: number
+    roleIds: number[]
 ) {
    const roleResourceAccess = await db
        .select()
@@ -137,12 +135,11 @@ export async function getRoleResourceAccess(
        .where(
            and(
                eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
+                inArray(roleResources.roleId, roleIds)
            )
-        )
+        );
        .limit(1);
-    return roleResourceAccess.length > 0 ? roleResourceAccess[0] : null;
+    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
 }
 /**
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -2,11 +2,12 @@ import { InferSelectModel } from "drizzle-orm";
 import {
    index,
    integer,
    primaryKey,
    real,
    sqliteTable,
    text
 } from "drizzle-orm/sqlite-core";
-import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";
+import { clients, domains, exitNodes, orgs, sessions, siteResources, sites, users } from "./schema";
 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -294,6 +295,45 @@ export const accessAuditLog = sqliteTable(
    ]
 );
 export const connectionAuditLog = sqliteTable(
    "connectionAuditLog",
    {
        id: integer("id").primaryKey({ autoIncrement: true }),
        sessionId: text("sessionId").notNull(),
        siteResourceId: integer("siteResourceId").references(
            () => siteResources.siteResourceId,
            { onDelete: "cascade" }
        ),
        orgId: text("orgId").references(() => orgs.orgId, {
            onDelete: "cascade"
        }),
        siteId: integer("siteId").references(() => sites.siteId, {
            onDelete: "cascade"
        }),
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
        sourceAddr: text("sourceAddr").notNull(),
        destAddr: text("destAddr").notNull(),
        protocol: text("protocol").notNull(),
        startedAt: integer("startedAt").notNull(),
        endedAt: integer("endedAt"),
        bytesTx: integer("bytesTx"),
        bytesRx: integer("bytesRx")
    },
    (table) => [
        index("idx_accessAuditLog_startedAt").on(table.startedAt),
        index("idx_accessAuditLog_org_startedAt").on(
            table.orgId,
            table.startedAt
        ),
        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
    ]
 );
 export const approvals = sqliteTable("approvals", {
    approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -318,7 +358,6 @@ export const approvals = sqliteTable("approvals", {
        .notNull()
 });
 export const bannedEmails = sqliteTable("bannedEmails", {
    email: text("email").primaryKey()
 });
@@ -327,6 +366,40 @@ export const bannedIps = sqliteTable("bannedIps", {
    ip: text("ip").primaryKey()
 });
 export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
    siteProvisioningKeyId: text("siteProvisioningKeyId").primaryKey(),
    name: text("name").notNull(),
    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
    lastChars: text("lastChars").notNull(),
    createdAt: text("dateCreated").notNull(),
    lastUsed: text("lastUsed"),
    maxBatchSize: integer("maxBatchSize"), // null = no limit
    numUsed: integer("numUsed").notNull().default(0),
    validUntil: text("validUntil"),
    approveNewSites: integer("approveNewSites", { mode: "boolean" })
        .notNull()
        .default(true)
 });
 export const siteProvisioningKeyOrg = sqliteTable(
    "siteProvisioningKeyOrg",
    {
        siteProvisioningKeyId: text("siteProvisioningKeyId")
            .notNull()
            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
                onDelete: "cascade"
            }),
        orgId: text("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" })
    },
    (table) => [
        primaryKey({
            columns: [table.siteProvisioningKeyId, table.orgId]
        })
    ]
 );
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -348,3 +421,4 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,6 +1,13 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+import {
    index,
    integer,
    primaryKey,
    sqliteTable,
    text,
    unique
 } from "drizzle-orm/sqlite-core";
 export const domains = sqliteTable("domains", {
    domainId: text("domainId").primaryKey(),
@@ -47,6 +54,9 @@ export const orgs = sqliteTable("orgs", {
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
@@ -100,7 +110,8 @@ export const sites = sqliteTable("sites", {
    listenPort: integer("listenPort"),
    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
        .notNull()
-        .default(true)
+        .default(true),
    status: text("status").$type<"pending" | "approved">()
 });
 export const resources = sqliteTable("resources", {
@@ -643,9 +654,6 @@ export const userOrgs = sqliteTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId),
    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
    autoProvisioned: integer("autoProvisioned", {
        mode: "boolean"
@@ -700,6 +708,22 @@ export const roles = sqliteTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 export const userOrgRoles = sqliteTable(
    "userOrgRoles",
    {
        userId: text("userId")
            .notNull()
            .references(() => users.userId, { onDelete: "cascade" }),
        orgId: text("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
 );
 export const roleActions = sqliteTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -785,12 +809,22 @@ export const userInvites = sqliteTable("userInvites", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    email: text("email").notNull(),
    expiresAt: integer("expiresAt").notNull(),
-    tokenHash: text("token").notNull(),
+    tokenHash: text("token").notNull()
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId, { onDelete: "cascade" })
 });
 export const userInviteRoles = sqliteTable(
    "userInviteRoles",
    {
        inviteId: text("inviteId")
            .notNull()
            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
 );
 export const resourcePincode = sqliteTable("resourcePincode", {
    pincodeId: integer("pincodeId").primaryKey({
        autoIncrement: true
@@ -1133,7 +1167,9 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/index.ts
+++ b/server/index.ts
@@ -74,7 +74,7 @@ declare global {
            session: Session;
            userOrg?: UserOrg;
            apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleId?: number;
+            userOrgRoleIds?: number[];
            userOrgId?: string;
            userOrgIds?: string[];
            remoteExitNode?: RemoteExitNode;
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -8,6 +8,7 @@ export enum TierFeature {
    LogExport = "logExport",
    AccessLogs = "accessLogs", // set the retention period to none on downgrade
    ActionLogs = "actionLogs", // set the retention period to none on downgrade
    ConnectionLogs = "connectionLogs",
    RotateCredentials = "rotateCredentials",
    MaintencePage = "maintencePage", // handle downgrade
    DevicePosture = "devicePosture",
@@ -15,7 +16,9 @@ export enum TierFeature {
    SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
    PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
    AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam"
+    SshPam = "sshPam",
    FullRbac = "fullRbac",
    SiteProvisioningKeys = "siteProvisioningKeys" // handle downgrade by revoking keys if needed
 }
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -26,6 +29,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.LogExport]: ["tier3", "enterprise"],
    [TierFeature.AccessLogs]: ["tier2", "tier3", "enterprise"],
    [TierFeature.ActionLogs]: ["tier2", "tier3", "enterprise"],
    [TierFeature.ConnectionLogs]: ["tier2", "tier3", "enterprise"],
    [TierFeature.RotateCredentials]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.MaintencePage]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DevicePosture]: ["tier2", "tier3", "enterprise"],
@@ -48,5 +52,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
        "enterprise"
    ],
    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
    [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.SiteProvisioningKeys]: ["enterprise"]
 };
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -10,6 +10,7 @@ import {
    roles,
    Transaction,
    userClients,
    userOrgRoles,
    userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -39,20 +40,36 @@ export async function calculateUserClientsForOrgs(
            return;
        }
-        // Get all user orgs
+        // Get all user orgs with all roles (for org list and role-based logic)
-        const allUserOrgs = await transaction
+        const userOrgRoleRows = await transaction
            .select()
            .from(userOrgs)
-            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
+            .innerJoin(
                userOrgRoles,
                and(
                    eq(userOrgs.userId, userOrgRoles.userId),
                    eq(userOrgs.orgId, userOrgRoles.orgId)
                )
            )
            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
            .where(eq(userOrgs.userId, userId));
-        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
+        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
        const orgIdToRoleRows = new Map<
            string,
            (typeof userOrgRoleRows)[0][]
        >();
        for (const r of userOrgRoleRows) {
            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
            list.push(r);
            orgIdToRoleRows.set(r.userOrgs.orgId, list);
        }
        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
-            for (const userRoleOrg of allUserOrgs) {
+            for (const orgId of orgIdToRoleRows.keys()) {
-                const { userOrgs: userOrg, roles: role } = userRoleOrg;
+                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
-                const orgId = userOrg.orgId;
+                const userOrg = roleRowsForOrg[0].userOrgs;
                const [org] = await transaction
                    .select()
@@ -196,7 +213,7 @@ export async function calculateUserClientsForOrgs(
                const requireApproval =
                    build !== "oss" &&
                    isOrgLicensed &&
-                    role.requireDeviceApproval;
+                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
                const newClientData: InferInsertModel<typeof clients> = {
                    userId,
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -2,6 +2,7 @@ import { db, orgs } from "@server/db";
 import { cleanUpOldLogs as cleanUpOldAccessLogs } from "#dynamic/lib/logAccessAudit";
 import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/logActionAudit";
 import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
 import { cleanUpOldLogs as cleanUpOldConnectionLogs } from "#dynamic/routers/newt";
 import { gt, or } from "drizzle-orm";
 import { cleanUpOldFingerprintSnapshots } from "@server/routers/olm/fingerprintingUtils";
 import { build } from "@server/build";
@@ -20,14 +21,17 @@ export function initLogCleanupInterval() {
                    settingsLogRetentionDaysAccess:
                        orgs.settingsLogRetentionDaysAccess,
                    settingsLogRetentionDaysRequest:
-                        orgs.settingsLogRetentionDaysRequest
+                        orgs.settingsLogRetentionDaysRequest,
                    settingsLogRetentionDaysConnection:
                        orgs.settingsLogRetentionDaysConnection
                })
                .from(orgs)
                .where(
                    or(
                        gt(orgs.settingsLogRetentionDaysAction, 0),
                        gt(orgs.settingsLogRetentionDaysAccess, 0),
-                        gt(orgs.settingsLogRetentionDaysRequest, 0)
+                        gt(orgs.settingsLogRetentionDaysRequest, 0),
                        gt(orgs.settingsLogRetentionDaysConnection, 0)
                    )
                );
@@ -37,7 +41,8 @@ export function initLogCleanupInterval() {
                    orgId,
                    settingsLogRetentionDaysAction,
                    settingsLogRetentionDaysAccess,
-                    settingsLogRetentionDaysRequest
+                    settingsLogRetentionDaysRequest,
                    settingsLogRetentionDaysConnection
                } = org;
                if (settingsLogRetentionDaysAction > 0) {
@@ -60,6 +65,13 @@ export function initLogCleanupInterval() {
                        settingsLogRetentionDaysRequest
                    );
                }
                if (settingsLogRetentionDaysConnection > 0) {
                    await cleanUpOldConnectionLogs(
                        orgId,
                        settingsLogRetentionDaysConnection
                    );
                }
            }
            await cleanUpOldFingerprintSnapshots(365);
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -571,6 +571,133 @@ export function generateSubnetProxyTargets(
    return targets;
 }
 export type SubnetProxyTargetV2 = {
    sourcePrefixes: string[]; // must be cidrs
    destPrefix: string; // must be a cidr
    disableIcmp?: boolean;
    rewriteTo?: string; // must be a cidr
    portRange?: {
        min: number;
        max: number;
        protocol: "tcp" | "udp";
    }[];
    resourceId?: number;
 };
 export function generateSubnetProxyTargetV2(
    siteResource: SiteResource,
    clients: {
        clientId: number;
        pubKey: string | null;
        subnet: string | null;
    }[]
 ): SubnetProxyTargetV2 | undefined {
    if (clients.length === 0) {
        logger.debug(
            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
        );
        return;
    }
    let target: SubnetProxyTargetV2 | null = null;
    const portRange = [
        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
        ...parsePortRangeString(siteResource.udpPortRangeString, "udp")
    ];
    const disableIcmp = siteResource.disableIcmp ?? false;
    if (siteResource.mode == "host") {
        let destination = siteResource.destination;
        // check if this is a valid ip
        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
        if (ipSchema.safeParse(destination).success) {
            destination = `${destination}/32`;
            target = {
                sourcePrefixes: [],
                destPrefix: destination,
                portRange,
                disableIcmp,
                resourceId: siteResource.siteResourceId,
            };
        }
        if (siteResource.alias && siteResource.aliasAddress) {
            // also push a match for the alias address
            target = {
                sourcePrefixes: [],
                destPrefix: `${siteResource.aliasAddress}/32`,
                rewriteTo: destination,
                portRange,
                disableIcmp,
                resourceId: siteResource.siteResourceId,
            };
        }
    } else if (siteResource.mode == "cidr") {
        target = {
            sourcePrefixes: [],
            destPrefix: siteResource.destination,
            portRange,
            disableIcmp,
            resourceId: siteResource.siteResourceId,
        };
    }
    if (!target) {
        return;
    }
    for (const clientSite of clients) {
        if (!clientSite.subnet) {
            logger.debug(
                `Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
            );
            continue;
        }
        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
        // add client prefix to source prefixes
        target.sourcePrefixes.push(clientPrefix);
    }
    // print a nice representation of the targets
    // logger.debug(
    //     `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
    // );
    return target;
 }
 /**
 * Converts a SubnetProxyTargetV2 to an array of SubnetProxyTarget (v1)
 * by expanding each source prefix into its own target entry.
 * @param targetV2 - The v2 target to convert
 * @returns Array of v1 SubnetProxyTarget objects
 */
 export function convertSubnetProxyTargetsV2ToV1(
     targetsV2: SubnetProxyTargetV2[]
 ): SubnetProxyTarget[] {
     return targetsV2.flatMap((targetV2) =>
         targetV2.sourcePrefixes.map((sourcePrefix) => ({
             sourcePrefix,
             destPrefix: targetV2.destPrefix,
             ...(targetV2.disableIcmp !== undefined && {
                 disableIcmp: targetV2.disableIcmp
             }),
             ...(targetV2.rewriteTo !== undefined && {
                 rewriteTo: targetV2.rewriteTo
             }),
             ...(targetV2.portRange !== undefined && {
                 portRange: targetV2.portRange
             })
         }))
     );
 }
 // Custom schema for validating port range strings
 // Format: "80,443,8000-9000" or "*" for all ports, or empty string
 export const portRangeStringSchema = z
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -79,6 +79,7 @@ export const configSchema = z
                    .default(3001)
                    .transform(stoi)
                    .pipe(portSchema),
                badger_override: z.string().optional(),
                next_port: portSchema
                    .optional()
                    .default(3002)
@@ -302,8 +303,8 @@ export const configSchema = z
            .optional()
            .default({
                block_size: 24,
-                subnet_group: "100.90.128.0/24",
+                subnet_group: "100.90.128.0/20",
-                utility_subnet_group: "100.96.128.0/24"
+                utility_subnet_group: "100.96.128.0/20"
            }),
        rate_limits: z
            .object({
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -14,6 +14,7 @@ import {
    siteResources,
    sites,
    Transaction,
    userOrgRoles,
    userOrgs,
    userSiteResources
 } from "@server/db";
@@ -32,7 +33,7 @@ import logger from "@server/logger";
 import {
    generateAliasConfig,
    generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
    parseEndpoint,
    formatEndpoint
 } from "@server/lib/ip";
@@ -77,10 +78,10 @@ export async function getClientSiteResourceAccess(
    // get all of the users in these roles
    const userIdsFromRoles = await trx
        .select({
-            userId: userOrgs.userId
+            userId: userOrgRoles.userId
        })
-        .from(userOrgs)
+        .from(userOrgRoles)
-        .where(inArray(userOrgs.roleId, roleIds))
+        .where(inArray(userOrgRoles.roleId, roleIds))
        .then((rows) => rows.map((row) => row.userId));
    const newAllUserIds = Array.from(
@@ -660,19 +661,16 @@ async function handleSubnetProxyTargetUpdates(
        );
        if (addedClients.length > 0) {
-            const targetsToAdd = generateSubnetProxyTargets(
+            const targetToAdd = generateSubnetProxyTargetV2(
                siteResource,
                addedClients
            );
-            if (targetsToAdd.length > 0) {
+            if (targetToAdd) {
                logger.info(
                    `Adding ${targetsToAdd.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
                );
                proxyJobs.push(
                    addSubnetProxyTargets(
                        newt.newtId,
-                        targetsToAdd,
+                        [targetToAdd],
                        newt.version
                    )
                );
@@ -700,19 +698,16 @@ async function handleSubnetProxyTargetUpdates(
        );
        if (removedClients.length > 0) {
-            const targetsToRemove = generateSubnetProxyTargets(
+            const targetToRemove = generateSubnetProxyTargetV2(
                siteResource,
                removedClients
            );
-            if (targetsToRemove.length > 0) {
+            if (targetToRemove) {
                logger.info(
                    `Removing ${targetsToRemove.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
                );
                proxyJobs.push(
                    removeSubnetProxyTargets(
                        newt.newtId,
-                        targetsToRemove,
+                        [targetToRemove],
                        newt.version
                    )
                );
@@ -820,12 +815,12 @@ export async function rebuildClientAssociationsFromClient(
        // Role-based access
        const roleIds = await trx
-            .select({ roleId: userOrgs.roleId })
+            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgs)
+            .from(userOrgRoles)
            .where(
                and(
-                    eq(userOrgs.userId, client.userId),
+                    eq(userOrgRoles.userId, client.userId),
-                    eq(userOrgs.orgId, client.orgId)
+                    eq(userOrgRoles.orgId, client.orgId)
                )
            ) // this needs to be locked onto this org or else cross-org access could happen
            .then((rows) => rows.map((row) => row.roleId));
@@ -1169,7 +1164,7 @@ async function handleMessagesForClientResources(
            }
            for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
@@ -1177,11 +1172,11 @@ async function handleMessagesForClientResources(
                    }
                ]);
-                if (targets.length > 0) {
+                if (target) {
                    proxyJobs.push(
                        addSubnetProxyTargets(
                            newt.newtId,
-                            targets,
+                            [target],
                            newt.version
                        )
                    );
@@ -1246,7 +1241,7 @@ async function handleMessagesForClientResources(
            }
            for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
@@ -1254,11 +1249,11 @@ async function handleMessagesForClientResources(
                    }
                ]);
-                if (targets.length > 0) {
+                if (target) {
                    proxyJobs.push(
                        removeSubnetProxyTargets(
                            newt.newtId,
-                            targets,
+                            [target],
                            newt.version
                        )
                    );
--- a/server/lib/tokenCache.ts
+++ b/server/lib/tokenCache.ts
@@ -0,0 +1,22 @@
 /**
 * Returns a cached plaintext token from Redis if one exists and decrypts
 * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
 * encrypted value in Redis with the given TTL, and returns it.
 *
 * Failures at the Redis layer are non-fatal – the function always falls
 * through to session creation so the caller is never blocked by a Redis outage.
 *
 * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
 * @param secret     Server secret used for AES encryption/decryption
 * @param ttlSeconds Cache TTL in seconds (should match session expiry)
 * @param createSession Factory that mints a new session and returns its raw token
 */
 export async function getOrCreateCachedToken(
    cacheKey: string,
    secret: string,
    ttlSeconds: number,
    createSession: () => Promise<string>
 ): Promise<string> {
    const token = await createSession();
    return token;
 }
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -6,7 +6,7 @@ import {
    siteResources,
    sites,
    Transaction,
-    UserOrg,
+    userOrgRoles,
    userOrgs,
    userResources,
    userSiteResources,
@@ -19,9 +19,22 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
    org: Org,
    values: typeof userOrgs.$inferInsert,
    roleIds: number[],
    trx: Transaction | typeof db = db
 ) {
    const uniqueRoleIds = [...new Set(roleIds)];
    if (uniqueRoleIds.length === 0) {
        throw new Error("assignUserToOrg requires at least one roleId");
    }
    const [userOrg] = await trx.insert(userOrgs).values(values).returning();
    await trx.insert(userOrgRoles).values(
        uniqueRoleIds.map((roleId) => ({
            userId: userOrg.userId,
            orgId: userOrg.orgId,
            roleId
        }))
    );
    // calculate if the user is in any other of the orgs before we count it as an add to the billing org
    if (org.billingOrgId) {
@@ -58,6 +71,14 @@ export async function removeUserFromOrg(
    userId: string,
    trx: Transaction | typeof db = db
 ) {
    await trx
        .delete(userOrgRoles)
        .where(
            and(
                eq(userOrgRoles.userId, userId),
                eq(userOrgRoles.orgId, org.orgId)
            )
        );
    await trx
        .delete(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));
--- a/server/lib/userOrgRoles.ts
+++ b/server/lib/userOrgRoles.ts
@@ -0,0 +1,36 @@
 import { db, roles, userOrgRoles } from "@server/db";
 import { and, eq } from "drizzle-orm";
 /**
 * Get all role IDs a user has in an organization.
 * Returns empty array if the user has no roles in the org (callers must treat as no access).
 */
 export async function getUserOrgRoleIds(
    userId: string,
    orgId: string
 ): Promise<number[]> {
    const rows = await db
        .select({ roleId: userOrgRoles.roleId })
        .from(userOrgRoles)
        .where(
            and(
                eq(userOrgRoles.userId, userId),
                eq(userOrgRoles.orgId, orgId)
            )
        );
    return rows.map((r) => r.roleId);
 }
 export async function getUserOrgRoles(
    userId: string,
    orgId: string
 ): Promise<{ roleId: number; roleName: string }[]> {
    const rows = await db
        .select({ roleId: userOrgRoles.roleId, roleName: roles.name })
        .from(userOrgRoles)
        .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
        .where(
            and(eq(userOrgRoles.userId, userId), eq(userOrgRoles.orgId, orgId))
        );
    return rows;
 }
--- a/server/middlewares/getUserOrgs.ts
+++ b/server/middlewares/getUserOrgs.ts
@@ -21,8 +21,7 @@ export async function getUserOrgs(
    try {
        const userOrganizations = await db
            .select({
-                orgId: userOrgs.orgId,
+                orgId: userOrgs.orgId
                roleId: userOrgs.roleId
            })
            .from(userOrgs)
            .where(eq(userOrgs.userId, userId));
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -17,6 +17,7 @@ export * from "./verifyAccessTokenAccess";
 export * from "./requestTimeout";
 export * from "./verifyClientAccess";
 export * from "./verifyUserHasAction";
 export * from "./verifyUserCanSetUserOrgRoles";
 export * from "./verifyUserIsServerAdmin";
 export * from "./verifyIsLoggedInUser";
 export * from "./verifyIsLoggedInUser";
@@ -24,6 +25,7 @@ export * from "./verifyClientAccess";
 export * from "./integration";
 export * from "./verifyUserHasAction";
 export * from "./verifyApiKeyAccess";
 export * from "./verifySiteProvisioningKeyAccess";
 export * from "./verifyDomainAccess";
 export * from "./verifyUserIsOrgOwner";
 export * from "./verifySiteResourceAccess";
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -1,6 +1,7 @@
 export * from "./verifyApiKey";
 export * from "./verifyApiKeyOrgAccess";
 export * from "./verifyApiKeyHasAction";
 export * from "./verifyApiKeyCanSetUserOrgRoles";
 export * from "./verifyApiKeySiteAccess";
 export * from "./verifyApiKeyResourceAccess";
 export * from "./verifyApiKeyTargetAccess";
--- a/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
+++ b/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
@@ -0,0 +1,74 @@
 import { Request, Response, NextFunction } from "express";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { ActionsEnum } from "@server/auth/actions";
 import { db } from "@server/db";
 import { apiKeyActions } from "@server/db";
 import { and, eq } from "drizzle-orm";
 async function apiKeyHasAction(apiKeyId: string, actionId: ActionsEnum) {
    const [row] = await db
        .select()
        .from(apiKeyActions)
        .where(
            and(
                eq(apiKeyActions.apiKeyId, apiKeyId),
                eq(apiKeyActions.actionId, actionId)
            )
        );
    return !!row;
 }
 /**
 * Allows setUserOrgRoles on the key, or both addUserRole and removeUserRole.
 */
 export function verifyApiKeyCanSetUserOrgRoles() {
    return async function (
        req: Request,
        res: Response,
        next: NextFunction
    ): Promise<any> {
        try {
            if (!req.apiKey) {
                return next(
                    createHttpError(
                        HttpCode.UNAUTHORIZED,
                        "API Key not authenticated"
                    )
                );
            }
            const keyId = req.apiKey.apiKeyId;
            if (await apiKeyHasAction(keyId, ActionsEnum.setUserOrgRoles)) {
                return next();
            }
            const hasAdd = await apiKeyHasAction(keyId, ActionsEnum.addUserRole);
            const hasRemove = await apiKeyHasAction(
                keyId,
                ActionsEnum.removeUserRole
            );
            if (hasAdd && hasRemove) {
                return next();
            }
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "Key does not have permission perform this action"
                )
            );
        } catch (error) {
            logger.error("Error verifying API key set user org roles:", error);
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Error verifying key action access"
                )
            );
        }
    };
 }
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyAccessTokenAccess(
    req: Request,
@@ -93,7 +94,10 @@ export async function verifyAccessTokenAccess(
                )
            );
        } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
                req.userOrg.userId,
                resource[0].orgId!
            );
            req.userOrgId = resource[0].orgId!;
        }
@@ -118,7 +122,7 @@ export async function verifyAccessTokenAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
        });
        if (!resourceAllowed) {
--- a/server/middlewares/verifyAdmin.ts
+++ b/server/middlewares/verifyAdmin.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyAdmin(
    req: Request,
@@ -62,13 +63,29 @@ export async function verifyAdmin(
        }
    }
-    const userRole = await db
+    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
    if (req.userOrgRoleIds.length === 0) {
        return next(
            createHttpError(
                HttpCode.FORBIDDEN,
                "User does not have Admin access"
            )
        );
    }
    const userAdminRoles = await db
        .select()
        .from(roles)
-        .where(eq(roles.roleId, req.userOrg.roleId))
+        .where(
            and(
                inArray(roles.roleId, req.userOrgRoleIds),
                eq(roles.isAdmin, true)
            )
        )
        .limit(1);
-    if (userRole.length === 0 || !userRole[0].isAdmin) {
+    if (userAdminRoles.length === 0) {
        return next(
            createHttpError(
                HttpCode.FORBIDDEN,
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyApiKeyAccess(
    req: Request,
@@ -103,8 +104,10 @@ export async function verifyApiKeyAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            orgId
        );
        return next();
    } catch (error) {
--- a/server/middlewares/verifyClientAccess.ts
+++ b/server/middlewares/verifyClientAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyClientAccess(
    req: Request,
@@ -113,21 +114,30 @@ export async function verifyClientAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            client.orgId
        );
        req.userOrgId = client.orgId;
-        // Check role-based site access first
+        // Check role-based client access (any of user's roles)
-        const [roleClientAccess] = await db
+        const roleClientAccessList =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleClients)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleClients)
-                    eq(roleClients.clientId, client.clientId),
+                      .where(
-                    eq(roleClients.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(roleClients.clientId, client.clientId),
-            )
+                              inArray(
-            .limit(1);
+                                  roleClients.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        const [roleClientAccess] = roleClientAccessList;
        if (roleClientAccess) {
            // User has access to the site through their role
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs, apiKeyOrg } from "@server/db";
+import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyDomainAccess(
    req: Request,
@@ -63,7 +64,7 @@ export async function verifyDomainAccess(
                .where(
                    and(
                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, apiKeyOrg.orgId)
+                        eq(userOrgs.orgId, orgId)
                    )
                )
                .limit(1);
@@ -97,8 +98,7 @@ export async function verifyDomainAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
        req.userOrgRoleId = userOrgRoleId;
        return next();
    } catch (error) {
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
-import { db, orgs } from "@server/db";
+import { db } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyOrgAccess(
    req: Request,
@@ -64,8 +65,8 @@ export async function verifyOrgAccess(
            }
        }
-        // User has access, attach the user's role to the request for potential future use
+        // User has access, attach the user's role(s) to the request for potential future use
-        req.userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
        req.userOrgId = orgId;
        return next();
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyResourceAccess(
    req: Request,
@@ -107,20 +108,28 @@ export async function verifyResourceAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            resource.orgId
        );
        req.userOrgId = resource.orgId;
-        const roleResourceAccess = await db
+        const roleResourceAccess =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleResources)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleResources)
-                    eq(roleResources.resourceId, resource.resourceId),
+                      .where(
-                    eq(roleResources.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(roleResources.resourceId, resource.resourceId),
-            )
+                              inArray(
-            .limit(1);
+                                  roleResources.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyRoleAccess(
    req: Request,
@@ -99,7 +100,6 @@ export async function verifyRoleAccess(
        }
        if (!req.userOrg) {
            // get the userORg
            const userOrg = await db
                .select()
                .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                .limit(1);
            req.userOrg = userOrg[0];
-            req.userOrgRoleId = userOrg[0].roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
        }
        if (!req.userOrg) {
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifySiteAccess(
    req: Request,
@@ -112,21 +113,29 @@ export async function verifySiteAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            site.orgId
        );
        req.userOrgId = site.orgId;
-        // Check role-based site access first
+        // Check role-based site access first (any of user's roles)
-        const roleSiteAccess = await db
+        const roleSiteAccess =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleSites)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleSites)
-                    eq(roleSites.siteId, site.siteId),
+                      .where(
-                    eq(roleSites.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(roleSites.siteId, site.siteId),
-            )
+                              inArray(
-            .limit(1);
+                                  roleSites.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        if (roleSiteAccess.length > 0) {
            // User's role has access to the site
--- a/server/middlewares/verifySiteProvisioningKeyAccess.ts
+++ b/server/middlewares/verifySiteProvisioningKeyAccess.ts
@@ -0,0 +1,131 @@
 import { Request, Response, NextFunction } from "express";
 import { db, userOrgs, siteProvisioningKeys, siteProvisioningKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 export async function verifySiteProvisioningKeyAccess(
    req: Request,
    res: Response,
    next: NextFunction
 ) {
    try {
        const userId = req.user!.userId;
        const siteProvisioningKeyId = req.params.siteProvisioningKeyId;
        const orgId = req.params.orgId;
        if (!userId) {
            return next(
                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
            );
        }
        if (!orgId) {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
            );
        }
        if (!siteProvisioningKeyId) {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid key ID")
            );
        }
        const [row] = await db
            .select()
            .from(siteProvisioningKeys)
            .innerJoin(
                siteProvisioningKeyOrg,
                and(
                    eq(
                        siteProvisioningKeys.siteProvisioningKeyId,
                        siteProvisioningKeyOrg.siteProvisioningKeyId
                    ),
                    eq(siteProvisioningKeyOrg.orgId, orgId)
                )
            )
            .where(
                eq(
                    siteProvisioningKeys.siteProvisioningKeyId,
                    siteProvisioningKeyId
                )
            )
            .limit(1);
        if (!row?.siteProvisioningKeys) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
                )
            );
        }
        if (!row.siteProvisioningKeyOrg.orgId) {
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    `Site provisioning key with ID ${siteProvisioningKeyId} does not have an organization ID`
                )
            );
        }
        if (!req.userOrg) {
            const userOrgRole = await db
                .select()
                .from(userOrgs)
                .where(
                    and(
                        eq(userOrgs.userId, userId),
                        eq(
                            userOrgs.orgId,
                            row.siteProvisioningKeyOrg.orgId
                        )
                    )
                )
                .limit(1);
            req.userOrg = userOrgRole[0];
        }
        if (!req.userOrg) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                )
            );
        }
        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
            const policyCheck = await checkOrgAccessPolicy({
                orgId: req.userOrg.orgId,
                userId,
                session: req.session
            });
            req.orgPolicyAllowed = policyCheck.allowed;
            if (!policyCheck.allowed || policyCheck.error) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "Failed organization access policy check: " +
                            (policyCheck.error || "Unknown error")
                    )
                );
            }
        }
        const userOrgRoleId = req.userOrg.roleId;
        req.userOrgRoleId = userOrgRoleId;
        return next();
    } catch (error) {
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Error verifying site provisioning key access"
            )
        );
    }
 }
--- a/server/middlewares/verifySiteResourceAccess.ts
+++ b/server/middlewares/verifySiteResourceAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifySiteResourceAccess(
    req: Request,
@@ -109,23 +110,34 @@ export async function verifySiteResourceAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            siteResource.orgId
        );
        req.userOrgId = siteResource.orgId;
        // Attach the siteResource to the request for use in the next middleware/route
        req.siteResource = siteResource;
-        const roleResourceAccess = await db
+        const roleResourceAccess =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleSiteResources)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleSiteResources)
-                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
+                      .where(
-                    eq(roleSiteResources.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(
-            )
+                                  roleSiteResources.siteResourceId,
-            .limit(1);
+                                  siteResourceIdNum
                              ),
                              inArray(
                                  roleSiteResources.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyTargetAccess.ts
+++ b/server/middlewares/verifyTargetAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyTargetAccess(
    req: Request,
@@ -99,7 +100,10 @@ export async function verifyTargetAccess(
                )
            );
        } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
                req.userOrg.userId,
                resource[0].orgId!
            );
            req.userOrgId = resource[0].orgId!;
        }
@@ -126,7 +130,7 @@ export async function verifyTargetAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
        });
        if (!resourceAllowed) {
--- a/server/middlewares/verifyUserCanSetUserOrgRoles.ts
+++ b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
@@ -0,0 +1,54 @@
 import { Request, Response, NextFunction } from "express";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
 /**
 * Allows the new setUserOrgRoles action, or legacy permission pair addUserRole + removeUserRole.
 */
 export function verifyUserCanSetUserOrgRoles() {
    return async function (
        req: Request,
        res: Response,
        next: NextFunction
    ): Promise<any> {
        try {
            const canSet = await checkUserActionPermission(
                ActionsEnum.setUserOrgRoles,
                req
            );
            if (canSet) {
                return next();
            }
            const canAdd = await checkUserActionPermission(
                ActionsEnum.addUserRole,
                req
            );
            const canRemove = await checkUserActionPermission(
                ActionsEnum.removeUserRole,
                req
            );
            if (canAdd && canRemove) {
                return next();
            }
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have permission perform this action"
                )
            );
        } catch (error) {
            logger.error("Error verifying set user org roles access:", error);
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Error verifying role access"
                )
            );
        }
    };
 }
--- a/server/middlewares/verifyUserInRole.ts
+++ b/server/middlewares/verifyUserInRole.ts
@@ -12,7 +12,7 @@ export async function verifyUserInRole(
        const roleId = parseInt(
            req.params.roleId || req.body.roleId || req.query.roleId
        );
-        const userRoleId = req.userOrgRoleId;
+        const userOrgRoleIds = req.userOrgRoleIds ?? [];
        if (isNaN(roleId)) {
            return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
            );
        }
-        if (!userRoleId) {
+        if (userOrgRoleIds.length === 0) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
            );
        }
-        if (userRoleId !== roleId) {
+        if (!userOrgRoleIds.includes(roleId)) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -14,10 +14,14 @@
 import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 async function cleanup() {
    await stopPingAccumulator();
    await flushBandwidthToDb();
    await flushConnectionLogToDb();
    await flushSiteBandwidthToDb();
    await rateLimitService.cleanup();
    await wsCleanup();
@@ -29,4 +33,4 @@ export async function initCleanup() {
    // Handle process termination
    process.on("SIGTERM", () => cleanup());
    process.on("SIGINT", () => cleanup());
-}
+}
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -1,3 +1,16 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import NodeCache from "node-cache";
 import logger from "@server/logger";
 import { redisManager } from "@server/private/lib/redis";
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -57,7 +57,10 @@ export const privateConfigSchema = z.object({
        .object({
            host: z.string(),
            port: portSchema,
-            password: z.string().optional(),
+            password: z
                .string()
                .optional()
                .transform(getEnvOrYaml("REDIS_PASSWORD")),
            db: z.int().nonnegative().optional().default(0),
            replicas: z
                .array(
--- a/server/private/lib/tokenCache.ts
+++ b/server/private/lib/tokenCache.ts
@@ -0,0 +1,77 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import redisManager from "#private/lib/redis";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
 /**
 * Returns a cached plaintext token from Redis if one exists and decrypts
 * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
 * encrypted value in Redis with the given TTL, and returns it.
 *
 * Failures at the Redis layer are non-fatal – the function always falls
 * through to session creation so the caller is never blocked by a Redis outage.
 *
 * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
 * @param secret     Server secret used for AES encryption/decryption
 * @param ttlSeconds Cache TTL in seconds (should match session expiry)
 * @param createSession Factory that mints a new session and returns its raw token
 */
 export async function getOrCreateCachedToken(
    cacheKey: string,
    secret: string,
    ttlSeconds: number,
    createSession: () => Promise<string>
 ): Promise<string> {
    if (redisManager.isRedisEnabled()) {
        try {
            const cached = await redisManager.get(cacheKey);
            if (cached) {
                const token = decrypt(cached, secret);
                if (token) {
                    logger.debug(`Token cache hit for key: ${cacheKey}`);
                    return token;
                }
                // Decryption produced an empty string – treat as a miss
                logger.warn(
                    `Token cache decryption returned empty string for key: ${cacheKey}, treating as miss`
                );
            }
        } catch (e) {
            logger.warn(
                `Token cache read/decrypt failed for key ${cacheKey}, falling through to session creation:`,
                e
            );
        }
    }
    const token = await createSession();
    if (redisManager.isRedisEnabled()) {
        try {
            const encrypted = encrypt(token, secret);
            await redisManager.set(cacheKey, encrypted, ttlSeconds);
            logger.debug(
                `Token cached in Redis for key: ${cacheKey} (TTL ${ttlSeconds}s)`
            );
        } catch (e) {
            logger.warn(
                `Token cache write failed for key ${cacheKey} (session was still created):`,
                e
            );
        }
    }
    return token;
 }
--- a/server/private/middlewares/verifyIdpAccess.ts
+++ b/server/private/middlewares/verifyIdpAccess.ts
@@ -13,9 +13,10 @@
 import { Request, Response, NextFunction } from "express";
 import { userOrgs, db, idp, idpOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyIdpAccess(
    req: Request,
@@ -84,8 +85,10 @@ export async function verifyIdpAccess(
            );
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            idpRes.idpOrg.orgId
        );
        return next();
    } catch (error) {
--- a/server/private/middlewares/verifyRemoteExitNodeAccess.ts
+++ b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
@@ -12,11 +12,12 @@
 */
 import { Request, Response, NextFunction } from "express";
-import { db, exitNodeOrgs, exitNodes, remoteExitNodes } from "@server/db";
+import { db, exitNodeOrgs, remoteExitNodes } from "@server/db";
-import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
+import { userOrgs } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyRemoteExitNodeAccess(
    req: Request,
@@ -103,8 +104,10 @@ export async function verifyRemoteExitNodeAccess(
            );
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            exitNodeOrg.orgId
        );
        return next();
    } catch (error) {
--- a/server/private/routers/auditLogs/exportConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
@@ -0,0 +1,99 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
 import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import {
    queryConnectionAuditLogsParams,
    queryConnectionAuditLogsQuery,
    queryConnection,
    countConnectionQuery
 } from "./queryConnectionAuditLog";
 import { generateCSV } from "@server/routers/auditLogs/generateCSV";
 import { MAX_EXPORT_LIMIT } from "@server/routers/auditLogs";
 registry.registerPath({
    method: "get",
    path: "/org/{orgId}/logs/connection/export",
    description: "Export the connection audit log for an organization as CSV",
    tags: [OpenAPITags.Logs],
    request: {
        query: queryConnectionAuditLogsQuery,
        params: queryConnectionAuditLogsParams
    },
    responses: {}
 });
 export async function exportConnectionAuditLogs(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedQuery = queryConnectionAuditLogsQuery.safeParse(req.query);
        if (!parsedQuery.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedQuery.error)
                )
            );
        }
        const parsedParams = queryConnectionAuditLogsParams.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error)
                )
            );
        }
        const data = { ...parsedQuery.data, ...parsedParams.data };
        const [{ count }] = await countConnectionQuery(data);
        if (count > MAX_EXPORT_LIMIT) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    `Export limit exceeded. Your selection contains ${count} rows, but the maximum is ${MAX_EXPORT_LIMIT} rows. Please select a shorter time range to reduce the data.`
                )
            );
        }
        const baseQuery = queryConnection(data);
        const log = await baseQuery.limit(data.limit).offset(data.offset);
        const csvData = generateCSV(log);
        res.setHeader("Content-Type", "text/csv");
        res.setHeader(
            "Content-Disposition",
            `attachment; filename="connection-audit-logs-${data.orgId}-${Date.now()}.csv"`
        );
        return res.send(csvData);
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/private/routers/auditLogs/index.ts
+++ b/server/private/routers/auditLogs/index.ts
@@ -15,3 +15,5 @@ export * from "./queryActionAuditLog";
 export * from "./exportActionAuditLog";
 export * from "./queryAccessAuditLog";
 export * from "./exportAccessAuditLog";
 export * from "./queryConnectionAuditLog";
 export * from "./exportConnectionAuditLog";
--- a/server/private/routers/auditLogs/queryConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -0,0 +1,524 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import {
    connectionAuditLog,
    logsDb,
    siteResources,
    sites,
    clients,
    users,
    primaryDb
 } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
 import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
 import { QueryConnectionAuditLogResponse } from "@server/routers/auditLogs/types";
 import response from "@server/lib/response";
 import logger from "@server/logger";
 import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo";
 export const queryConnectionAuditLogsQuery = z.object({
    // iso string just validate its a parseable date
    timeStart: z
        .string()
        .refine((val) => !isNaN(Date.parse(val)), {
            error: "timeStart must be a valid ISO date string"
        })
        .transform((val) => Math.floor(new Date(val).getTime() / 1000))
        .prefault(() => getSevenDaysAgo().toISOString())
        .openapi({
            type: "string",
            format: "date-time",
            description:
                "Start time as ISO date string (defaults to 7 days ago)"
        }),
    timeEnd: z
        .string()
        .refine((val) => !isNaN(Date.parse(val)), {
            error: "timeEnd must be a valid ISO date string"
        })
        .transform((val) => Math.floor(new Date(val).getTime() / 1000))
        .optional()
        .prefault(() => new Date().toISOString())
        .openapi({
            type: "string",
            format: "date-time",
            description:
                "End time as ISO date string (defaults to current time)"
        }),
    protocol: z.string().optional(),
    sourceAddr: z.string().optional(),
    destAddr: z.string().optional(),
    clientId: z
        .string()
        .optional()
        .transform(Number)
        .pipe(z.int().positive())
        .optional(),
    siteId: z
        .string()
        .optional()
        .transform(Number)
        .pipe(z.int().positive())
        .optional(),
    siteResourceId: z
        .string()
        .optional()
        .transform(Number)
        .pipe(z.int().positive())
        .optional(),
    userId: z.string().optional(),
    limit: z
        .string()
        .optional()
        .default("1000")
        .transform(Number)
        .pipe(z.int().positive()),
    offset: z
        .string()
        .optional()
        .default("0")
        .transform(Number)
        .pipe(z.int().nonnegative())
 });
 export const queryConnectionAuditLogsParams = z.object({
    orgId: z.string()
 });
 export const queryConnectionAuditLogsCombined =
    queryConnectionAuditLogsQuery.merge(queryConnectionAuditLogsParams);
 type Q = z.infer<typeof queryConnectionAuditLogsCombined>;
 function getWhere(data: Q) {
    return and(
        gt(connectionAuditLog.startedAt, data.timeStart),
        lt(connectionAuditLog.startedAt, data.timeEnd),
        eq(connectionAuditLog.orgId, data.orgId),
        data.protocol
            ? eq(connectionAuditLog.protocol, data.protocol)
            : undefined,
        data.sourceAddr
            ? eq(connectionAuditLog.sourceAddr, data.sourceAddr)
            : undefined,
        data.destAddr
            ? eq(connectionAuditLog.destAddr, data.destAddr)
            : undefined,
        data.clientId
            ? eq(connectionAuditLog.clientId, data.clientId)
            : undefined,
        data.siteId
            ? eq(connectionAuditLog.siteId, data.siteId)
            : undefined,
        data.siteResourceId
            ? eq(connectionAuditLog.siteResourceId, data.siteResourceId)
            : undefined,
        data.userId
            ? eq(connectionAuditLog.userId, data.userId)
            : undefined
    );
 }
 export function queryConnection(data: Q) {
    return logsDb
        .select({
            sessionId: connectionAuditLog.sessionId,
            siteResourceId: connectionAuditLog.siteResourceId,
            orgId: connectionAuditLog.orgId,
            siteId: connectionAuditLog.siteId,
            clientId: connectionAuditLog.clientId,
            userId: connectionAuditLog.userId,
            sourceAddr: connectionAuditLog.sourceAddr,
            destAddr: connectionAuditLog.destAddr,
            protocol: connectionAuditLog.protocol,
            startedAt: connectionAuditLog.startedAt,
            endedAt: connectionAuditLog.endedAt,
            bytesTx: connectionAuditLog.bytesTx,
            bytesRx: connectionAuditLog.bytesRx
        })
        .from(connectionAuditLog)
        .where(getWhere(data))
        .orderBy(
            desc(connectionAuditLog.startedAt),
            desc(connectionAuditLog.id)
        );
 }
 export function countConnectionQuery(data: Q) {
    const countQuery = logsDb
        .select({ count: count() })
        .from(connectionAuditLog)
        .where(getWhere(data));
    return countQuery;
 }
 async function enrichWithDetails(
    logs: Awaited<ReturnType<typeof queryConnection>>
 ) {
    // Collect unique IDs from logs
    const siteResourceIds = [
        ...new Set(
            logs
                .map((log) => log.siteResourceId)
                .filter((id): id is number => id !== null && id !== undefined)
        )
    ];
    const siteIds = [
        ...new Set(
            logs
                .map((log) => log.siteId)
                .filter((id): id is number => id !== null && id !== undefined)
        )
    ];
    const clientIds = [
        ...new Set(
            logs
                .map((log) => log.clientId)
                .filter((id): id is number => id !== null && id !== undefined)
        )
    ];
    const userIds = [
        ...new Set(
            logs
                .map((log) => log.userId)
                .filter((id): id is string => id !== null && id !== undefined)
        )
    ];
    // Fetch resource details from main database
    const resourceMap = new Map<
        number,
        { name: string; niceId: string }
    >();
    if (siteResourceIds.length > 0) {
        const resourceDetails = await primaryDb
            .select({
                siteResourceId: siteResources.siteResourceId,
                name: siteResources.name,
                niceId: siteResources.niceId
            })
            .from(siteResources)
            .where(inArray(siteResources.siteResourceId, siteResourceIds));
        for (const r of resourceDetails) {
            resourceMap.set(r.siteResourceId, {
                name: r.name,
                niceId: r.niceId
            });
        }
    }
    // Fetch site details from main database
    const siteMap = new Map<number, { name: string; niceId: string }>();
    if (siteIds.length > 0) {
        const siteDetails = await primaryDb
            .select({
                siteId: sites.siteId,
                name: sites.name,
                niceId: sites.niceId
            })
            .from(sites)
            .where(inArray(sites.siteId, siteIds));
        for (const s of siteDetails) {
            siteMap.set(s.siteId, { name: s.name, niceId: s.niceId });
        }
    }
    // Fetch client details from main database
    const clientMap = new Map<
        number,
        { name: string; niceId: string; type: string }
    >();
    if (clientIds.length > 0) {
        const clientDetails = await primaryDb
            .select({
                clientId: clients.clientId,
                name: clients.name,
                niceId: clients.niceId,
                type: clients.type
            })
            .from(clients)
            .where(inArray(clients.clientId, clientIds));
        for (const c of clientDetails) {
            clientMap.set(c.clientId, {
                name: c.name,
                niceId: c.niceId,
                type: c.type
            });
        }
    }
    // Fetch user details from main database
    const userMap = new Map<
        string,
        { email: string | null }
    >();
    if (userIds.length > 0) {
        const userDetails = await primaryDb
            .select({
                userId: users.userId,
                email: users.email
            })
            .from(users)
            .where(inArray(users.userId, userIds));
        for (const u of userDetails) {
            userMap.set(u.userId, { email: u.email });
        }
    }
    // Enrich logs with details
    return logs.map((log) => ({
        ...log,
        resourceName: log.siteResourceId
            ? resourceMap.get(log.siteResourceId)?.name ?? null
            : null,
        resourceNiceId: log.siteResourceId
            ? resourceMap.get(log.siteResourceId)?.niceId ?? null
            : null,
        siteName: log.siteId
            ? siteMap.get(log.siteId)?.name ?? null
            : null,
        siteNiceId: log.siteId
            ? siteMap.get(log.siteId)?.niceId ?? null
            : null,
        clientName: log.clientId
            ? clientMap.get(log.clientId)?.name ?? null
            : null,
        clientNiceId: log.clientId
            ? clientMap.get(log.clientId)?.niceId ?? null
            : null,
        clientType: log.clientId
            ? clientMap.get(log.clientId)?.type ?? null
            : null,
        userEmail: log.userId
            ? userMap.get(log.userId)?.email ?? null
            : null
    }));
 }
 async function queryUniqueFilterAttributes(
    timeStart: number,
    timeEnd: number,
    orgId: string
 ) {
    const baseConditions = and(
        gt(connectionAuditLog.startedAt, timeStart),
        lt(connectionAuditLog.startedAt, timeEnd),
        eq(connectionAuditLog.orgId, orgId)
    );
    // Get unique protocols
    const uniqueProtocols = await logsDb
        .selectDistinct({
            protocol: connectionAuditLog.protocol
        })
        .from(connectionAuditLog)
        .where(baseConditions);
    // Get unique destination addresses
    const uniqueDestAddrs = await logsDb
        .selectDistinct({
            destAddr: connectionAuditLog.destAddr
        })
        .from(connectionAuditLog)
        .where(baseConditions);
    // Get unique client IDs
    const uniqueClients = await logsDb
        .selectDistinct({
            clientId: connectionAuditLog.clientId
        })
        .from(connectionAuditLog)
        .where(baseConditions);
    // Get unique resource IDs
    const uniqueResources = await logsDb
        .selectDistinct({
            siteResourceId: connectionAuditLog.siteResourceId
        })
        .from(connectionAuditLog)
        .where(baseConditions);
    // Get unique user IDs
    const uniqueUsers = await logsDb
        .selectDistinct({
            userId: connectionAuditLog.userId
        })
        .from(connectionAuditLog)
        .where(baseConditions);
    // Enrich client IDs with names from main database
    const clientIds = uniqueClients
        .map((row) => row.clientId)
        .filter((id): id is number => id !== null);
    let clientsWithNames: Array<{ id: number; name: string }> = [];
    if (clientIds.length > 0) {
        const clientDetails = await primaryDb
            .select({
                clientId: clients.clientId,
                name: clients.name
            })
            .from(clients)
            .where(inArray(clients.clientId, clientIds));
        clientsWithNames = clientDetails.map((c) => ({
            id: c.clientId,
            name: c.name
        }));
    }
    // Enrich resource IDs with names from main database
    const resourceIds = uniqueResources
        .map((row) => row.siteResourceId)
        .filter((id): id is number => id !== null);
    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
    if (resourceIds.length > 0) {
        const resourceDetails = await primaryDb
            .select({
                siteResourceId: siteResources.siteResourceId,
                name: siteResources.name
            })
            .from(siteResources)
            .where(inArray(siteResources.siteResourceId, resourceIds));
        resourcesWithNames = resourceDetails.map((r) => ({
            id: r.siteResourceId,
            name: r.name
        }));
    }
    // Enrich user IDs with emails from main database
    const userIdsList = uniqueUsers
        .map((row) => row.userId)
        .filter((id): id is string => id !== null);
    let usersWithEmails: Array<{ id: string; email: string | null }> = [];
    if (userIdsList.length > 0) {
        const userDetails = await primaryDb
            .select({
                userId: users.userId,
                email: users.email
            })
            .from(users)
            .where(inArray(users.userId, userIdsList));
        usersWithEmails = userDetails.map((u) => ({
            id: u.userId,
            email: u.email
        }));
    }
    return {
        protocols: uniqueProtocols
            .map((row) => row.protocol)
            .filter((protocol): protocol is string => protocol !== null),
        destAddrs: uniqueDestAddrs
            .map((row) => row.destAddr)
            .filter((addr): addr is string => addr !== null),
        clients: clientsWithNames,
        resources: resourcesWithNames,
        users: usersWithEmails
    };
 }
 registry.registerPath({
    method: "get",
    path: "/org/{orgId}/logs/connection",
    description: "Query the connection audit log for an organization",
    tags: [OpenAPITags.Logs],
    request: {
        query: queryConnectionAuditLogsQuery,
        params: queryConnectionAuditLogsParams
    },
    responses: {}
 });
 export async function queryConnectionAuditLogs(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedQuery = queryConnectionAuditLogsQuery.safeParse(req.query);
        if (!parsedQuery.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedQuery.error)
                )
            );
        }
        const parsedParams = queryConnectionAuditLogsParams.safeParse(
            req.params
        );
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error)
                )
            );
        }
        const data = { ...parsedQuery.data, ...parsedParams.data };
        const baseQuery = queryConnection(data);
        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
        // Enrich with resource, site, client, and user details
        const log = await enrichWithDetails(logsRaw);
        const totalCountResult = await countConnectionQuery(data);
        const totalCount = totalCountResult[0].count;
        const filterAttributes = await queryUniqueFilterAttributes(
            data.timeStart,
            data.timeEnd,
            data.orgId
        );
        return response<QueryConnectionAuditLogResponse>(res, {
            data: {
                log: log,
                pagination: {
                    total: totalCount,
                    limit: data.limit,
                    offset: data.offset
                },
                filterAttributes
            },
            success: true,
            error: false,
            message: "Connection audit logs retrieved successfully",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -26,9 +26,12 @@ import {
    orgs,
    resources,
    roles,
-    siteResources
+    siteResources,
    userOrgRoles,
    siteProvisioningKeyOrg,
    siteProvisioningKeys,
 } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 /**
 * Get the maximum allowed retention days for a given tier
@@ -291,6 +294,14 @@ async function disableFeature(
                await disableSshPam(orgId);
                break;
            case TierFeature.FullRbac:
                await disableFullRbac(orgId);
                break;
            case TierFeature.SiteProvisioningKeys:
                await disableSiteProvisioningKeys(orgId);
                break;
            default:
                logger.warn(
                    `Unknown feature ${feature} for org ${orgId}, skipping`
@@ -326,6 +337,61 @@ async function disableSshPam(orgId: string): Promise<void> {
    );
 }
 async function disableFullRbac(orgId: string): Promise<void> {
    logger.info(`Disabled full RBAC for org ${orgId}`);
 }
 async function disableSiteProvisioningKeys(orgId: string): Promise<void> {
    const rows = await db
        .select({
            siteProvisioningKeyId:
                siteProvisioningKeyOrg.siteProvisioningKeyId
        })
        .from(siteProvisioningKeyOrg)
        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
    for (const { siteProvisioningKeyId } of rows) {
        await db.transaction(async (trx) => {
            await trx
                .delete(siteProvisioningKeyOrg)
                .where(
                    and(
                        eq(
                            siteProvisioningKeyOrg.siteProvisioningKeyId,
                            siteProvisioningKeyId
                        ),
                        eq(siteProvisioningKeyOrg.orgId, orgId)
                    )
                );
            const remaining = await trx
                .select()
                .from(siteProvisioningKeyOrg)
                .where(
                    eq(
                        siteProvisioningKeyOrg.siteProvisioningKeyId,
                        siteProvisioningKeyId
                    )
                );
            if (remaining.length === 0) {
                await trx
                    .delete(siteProvisioningKeys)
                    .where(
                        eq(
                            siteProvisioningKeys.siteProvisioningKeyId,
                            siteProvisioningKeyId
                        )
                    );
            }
        });
    }
    logger.info(
        `Removed site provisioning keys for org ${orgId} after tier downgrade`
    );
 }
 async function disableLoginPageBranding(orgId: string): Promise<void> {
    const [existingBranding] = await db
        .select()
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -26,6 +26,8 @@ import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
 import * as approval from "#private/routers/approvals";
 import * as ssh from "#private/routers/ssh";
 import * as user from "#private/routers/user";
 import * as siteProvisioning from "#private/routers/siteProvisioning";
 import {
    verifyOrgAccess,
@@ -33,7 +35,11 @@ import {
    verifyUserIsServerAdmin,
    verifySiteAccess,
    verifyClientAccess,
-    verifyLimits
+    verifyLimits,
    verifyRoleAccess,
    verifyUserAccess,
    verifyUserCanSetUserOrgRoles,
    verifySiteProvisioningKeyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -478,6 +484,25 @@ authenticated.get(
    logs.exportAccessAuditLogs
 );
 authenticated.get(
    "/org/:orgId/logs/connection",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.connectionLogs),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.exportLogs),
    logs.queryConnectionAuditLogs
 );
 authenticated.get(
    "/org/:orgId/logs/connection/export",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.logExport),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.exportLogs),
    logActionAudit(ActionsEnum.exportLogs),
    logs.exportConnectionAuditLogs
 );
 authenticated.post(
    "/re-key/:clientId/regenerate-client-secret",
    verifyClientAccess, // this is first to set the org id
@@ -518,3 +543,75 @@ authenticated.post(
    // logActionAudit(ActionsEnum.signSshKey), // it is handled inside of the function below so we can include more metadata
    ssh.signSshKey
 );
 authenticated.post(
    "/user/:userId/add-role/:roleId",
    verifyRoleAccess,
    verifyUserAccess,
    verifyLimits,
    verifyUserHasAction(ActionsEnum.addUserRole),
    logActionAudit(ActionsEnum.addUserRole),
    user.addUserRole
 );
 authenticated.delete(
    "/user/:userId/remove-role/:roleId",
    verifyRoleAccess,
    verifyUserAccess,
    verifyLimits,
    verifyUserHasAction(ActionsEnum.removeUserRole),
    logActionAudit(ActionsEnum.removeUserRole),
    user.removeUserRole
 );
 authenticated.post(
    "/user/:userId/org/:orgId/roles",
    verifyOrgAccess,
    verifyUserAccess,
    verifyLimits,
    verifyUserCanSetUserOrgRoles(),
    logActionAudit(ActionsEnum.setUserOrgRoles),
    user.setUserOrgRoles
 );
 authenticated.put(
    "/org/:orgId/site-provisioning-key",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
    verifyOrgAccess,
    verifyLimits,
    verifyUserHasAction(ActionsEnum.createSiteProvisioningKey),
    logActionAudit(ActionsEnum.createSiteProvisioningKey),
    siteProvisioning.createSiteProvisioningKey
 );
 authenticated.get(
    "/org/:orgId/site-provisioning-keys",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listSiteProvisioningKeys),
    siteProvisioning.listSiteProvisioningKeys
 );
 authenticated.delete(
    "/org/:orgId/site-provisioning-key/:siteProvisioningKeyId",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
    verifyOrgAccess,
    verifySiteProvisioningKeyAccess,
    verifyUserHasAction(ActionsEnum.deleteSiteProvisioningKey),
    logActionAudit(ActionsEnum.deleteSiteProvisioningKey),
    siteProvisioning.deleteSiteProvisioningKey
 );
 authenticated.patch(
    "/org/:orgId/site-provisioning-key/:siteProvisioningKeyId",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.siteProvisioningKeys),
    verifyOrgAccess,
    verifySiteProvisioningKeyAccess,
    verifyUserHasAction(ActionsEnum.updateSiteProvisioningKey),
    logActionAudit(ActionsEnum.updateSiteProvisioningKey),
    siteProvisioning.updateSiteProvisioningKey
 );
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -52,7 +52,9 @@ import {
    userOrgs,
    roleResources,
    userResources,
-    resourceRules
+    resourceRules,
    userOrgRoles,
    roles
 } from "@server/db";
 import { eq, and, inArray, isNotNull, ne } from "drizzle-orm";
 import { response } from "@server/lib/response";
@@ -104,6 +106,13 @@ const getUserOrgSessionVerifySchema = z.strictObject({
    sessionId: z.string().min(1, "Session ID is required")
 });
 const getRoleNameParamsSchema = z.strictObject({
    roleId: z
        .string()
        .transform(Number)
        .pipe(z.int().positive("Role ID must be a positive integer"))
 });
 const getRoleResourceAccessParamsSchema = z.strictObject({
    roleId: z
        .string()
@@ -115,6 +124,23 @@ const getRoleResourceAccessParamsSchema = z.strictObject({
        .pipe(z.int().positive("Resource ID must be a positive integer"))
 });
 const getResourceAccessParamsSchema = z.strictObject({
    resourceId: z
        .string()
        .transform(Number)
        .pipe(z.int().positive("Resource ID must be a positive integer"))
 });
 const getResourceAccessQuerySchema = z.strictObject({
    roleIds: z
        .union([z.array(z.string()), z.string()])
        .transform((val) =>
            (Array.isArray(val) ? val : [val])
                .map(Number)
                .filter((n) => !isNaN(n))
        )
 });
 const getUserResourceAccessParamsSchema = z.strictObject({
    userId: z.string().min(1, "User ID is required"),
    resourceId: z
@@ -760,7 +786,7 @@ hybridRouter.get(
 // Get user organization role
 hybridRouter.get(
-    "/user/:userId/org/:orgId/role",
+    "/user/:userId/org/:orgId/roles",
    async (req: Request, res: Response, next: NextFunction) => {
        try {
            const parsedParams = getUserOrgRoleParamsSchema.safeParse(
@@ -796,23 +822,129 @@ hybridRouter.get(
                );
            }
-            const userOrgRole = await db
+            const userOrgRoleRows = await db
-                .select()
+                .select({ roleId: userOrgRoles.roleId, roleName: roles.name })
-                .from(userOrgs)
+                .from(userOrgRoles)
                .innerJoin(roles, eq(roles.roleId, userOrgRoles.roleId))
                .where(
-                    and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
+                    and(
-                )
+                        eq(userOrgRoles.userId, userId),
-                .limit(1);
+                        eq(userOrgRoles.orgId, orgId)
                    )
                );
-            const result = userOrgRole.length > 0 ? userOrgRole[0] : null;
+            logger.debug(`User ${userId} has roles in org ${orgId}:`, userOrgRoleRows);
-            return response<typeof userOrgs.$inferSelect | null>(res, {
+            return response<{ roleId: number, roleName: string }[]>(res, {
-                data: result,
+                data: userOrgRoleRows,
                success: true,
                error: false,
-                message: result
+                message:
-                    ? "User org role retrieved successfully"
+                    userOrgRoleRows.length > 0
-                    : "User org role not found",
+                        ? "User org roles retrieved successfully"
                        : "User has no roles in this organization",
                status: HttpCode.OK
            });
        } catch (error) {
            logger.error(error);
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Failed to get user org role"
                )
            );
        }
    }
 );
 // DEPRICATED Get user organization role
 // used for backward compatibility with old remote nodes
 hybridRouter.get(
    "/user/:userId/org/:orgId/role", // <- note the missing s
    async (req: Request, res: Response, next: NextFunction) => {
        try {
            const parsedParams = getUserOrgRoleParamsSchema.safeParse(
                req.params
            );
            if (!parsedParams.success) {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        fromError(parsedParams.error).toString()
                    )
                );
            }
            const { userId, orgId } = parsedParams.data;
            const remoteExitNode = req.remoteExitNode;
            if (!remoteExitNode || !remoteExitNode.exitNodeId) {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        "Remote exit node not found"
                    )
                );
            }
            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
                return next(
                    createHttpError(
                        HttpCode.UNAUTHORIZED,
                        "User is not authorized to access this organization"
                    )
                );
            }
            // get the roles on the user
            const userOrgRoleRows = await db
                .select({ roleId: userOrgRoles.roleId })
                .from(userOrgRoles)
                .where(
                    and(
                        eq(userOrgRoles.userId, userId),
                        eq(userOrgRoles.orgId, orgId)
                    )
                );
            const roleIds = userOrgRoleRows.map((r) => r.roleId);
            let roleId: number | null = null;
            if (userOrgRoleRows.length === 0) {
                // User has no roles in this organization
                roleId = null;
            } else if (userOrgRoleRows.length === 1) {
                // User has exactly one role, return it
                roleId = userOrgRoleRows[0].roleId;
            } else {
                // User has multiple roles
                // Check if any of these roles are also assigned to a resource
                // If we find a match, prefer that role; otherwise return the first role
                // Get all resources that have any of these roles assigned
                const roleResourceMatches = await db
                    .select({ roleId: roleResources.roleId })
                    .from(roleResources)
                    .where(inArray(roleResources.roleId, roleIds))
                    .limit(1);
                if (roleResourceMatches.length > 0) {
                    // Return the first role that's also on a resource
                    roleId = roleResourceMatches[0].roleId;
                } else {
                    // No resource match found, return the first role
                    roleId = userOrgRoleRows[0].roleId;
                }
            }
            return response<{ roleId: number | null }>(res, {
                data: { roleId },
                success: true,
                error: false,
                message:
                    roleIds.length > 0
                        ? "User org roles retrieved successfully"
                        : "User has no roles in this organization",
                status: HttpCode.OK
            });
        } catch (error) {
@@ -890,6 +1022,60 @@ hybridRouter.get(
    }
 );
 // Get role name by ID
 hybridRouter.get(
    "/role/:roleId/name",
    async (req: Request, res: Response, next: NextFunction) => {
        try {
            const parsedParams = getRoleNameParamsSchema.safeParse(req.params);
            if (!parsedParams.success) {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        fromError(parsedParams.error).toString()
                    )
                );
            }
            const { roleId } = parsedParams.data;
            const remoteExitNode = req.remoteExitNode;
            if (!remoteExitNode?.exitNodeId) {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        "Remote exit node not found"
                    )
                );
            }
            const [role] = await db
                .select({ name: roles.name })
                .from(roles)
                .where(eq(roles.roleId, roleId))
                .limit(1);
            return response<string | null>(res, {
                data: role?.name ?? null,
                success: true,
                error: false,
                message: role
                    ? "Role name retrieved successfully"
                    : "Role not found",
                status: HttpCode.OK
            });
        } catch (error) {
            logger.error(error);
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Failed to get role name"
                )
            );
        }
    }
 );
 // Check if role has access to resource
 hybridRouter.get(
    "/role/:roleId/resource/:resourceId/access",
@@ -975,6 +1161,101 @@ hybridRouter.get(
    }
 );
 // Check if role has access to resource
 hybridRouter.get(
    "/resource/:resourceId/access",
    async (req: Request, res: Response, next: NextFunction) => {
        try {
            const parsedParams = getResourceAccessParamsSchema.safeParse(
                req.params
            );
            if (!parsedParams.success) {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        fromError(parsedParams.error).toString()
                    )
                );
            }
            const { resourceId } = parsedParams.data;
            const parsedQuery = getResourceAccessQuerySchema.safeParse(
                req.query
            );
            const roleIds = parsedQuery.success ? parsedQuery.data.roleIds : [];
            const remoteExitNode = req.remoteExitNode;
            if (!remoteExitNode?.exitNodeId) {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        "Remote exit node not found"
                    )
                );
            }
            const [resource] = await db
                .select()
                .from(resources)
                .where(eq(resources.resourceId, resourceId))
                .limit(1);
            if (
                await checkExitNodeOrg(
                    remoteExitNode.exitNodeId,
                    resource.orgId
                )
            ) {
                // If the exit node is not allowed for the org, return an error
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "Exit node not allowed for this organization"
                    )
                );
            }
            const roleResourceAccess = await db
                .select({
                    resourceId: roleResources.resourceId,
                    roleId: roleResources.roleId
                })
                .from(roleResources)
                .where(
                    and(
                        eq(roleResources.resourceId, resourceId),
                        inArray(roleResources.roleId, roleIds)
                    )
                );
            const result =
                roleResourceAccess.length > 0 ? roleResourceAccess : null;
            return response<{ resourceId: number; roleId: number }[] | null>(
                res,
                {
                    data: result,
                    success: true,
                    error: false,
                    message: result
                        ? "Role resource access retrieved successfully"
                        : "Role resource access not found",
                    status: HttpCode.OK
                }
            );
        } catch (error) {
            logger.error(error);
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Failed to get role resource access"
                )
            );
        }
    }
 );
 // Check if user has direct access to resource
 hybridRouter.get(
    "/user/:userId/resource/:resourceId/access",
@@ -1873,7 +2154,8 @@ hybridRouter.post(
                    // userAgent: data.userAgent, // TODO: add this
                    // headers: data.body.headers,
                    // query: data.body.query,
-                    originalRequestURL: sanitizeString(logEntry.originalRequestURL) ?? "",
+                    originalRequestURL:
                        sanitizeString(logEntry.originalRequestURL) ?? "",
                    scheme: sanitizeString(logEntry.scheme) ?? "",
                    host: sanitizeString(logEntry.host) ?? "",
                    path: sanitizeString(logEntry.path) ?? "",
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -20,8 +20,11 @@ import {
    verifyApiKeyIsRoot,
    verifyApiKeyOrgAccess,
    verifyApiKeyIdpAccess,
    verifyApiKeyRoleAccess,
    verifyApiKeyUserAccess,
    verifyLimits
 } from "@server/middlewares";
 import * as user from "#private/routers/user";
 import {
    verifyValidSubscription,
    verifyValidLicense
@@ -91,6 +94,25 @@ authenticated.get(
    logs.exportAccessAuditLogs
 );
 authenticated.get(
    "/org/:orgId/logs/connection",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.connectionLogs),
    verifyApiKeyOrgAccess,
    verifyApiKeyHasAction(ActionsEnum.exportLogs),
    logs.queryConnectionAuditLogs
 );
 authenticated.get(
    "/org/:orgId/logs/connection/export",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.logExport),
    verifyApiKeyOrgAccess,
    verifyApiKeyHasAction(ActionsEnum.exportLogs),
    logActionAudit(ActionsEnum.exportLogs),
    logs.exportConnectionAuditLogs
 );
 authenticated.put(
    "/org/:orgId/idp/oidc",
    verifyValidLicense,
@@ -140,3 +162,23 @@ authenticated.get(
    verifyApiKeyHasAction(ActionsEnum.listIdps),
    orgIdp.listOrgIdps
 );
 authenticated.post(
    "/user/:userId/add-role/:roleId",
    verifyApiKeyRoleAccess,
    verifyApiKeyUserAccess,
    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.addUserRole),
    logActionAudit(ActionsEnum.addUserRole),
    user.addUserRole
 );
 authenticated.delete(
    "/user/:userId/remove-role/:roleId",
    verifyApiKeyRoleAccess,
    verifyApiKeyUserAccess,
    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
    logActionAudit(ActionsEnum.removeUserRole),
    user.removeUserRole
 );
--- a/server/private/routers/newt/handleConnectionLogMessage.ts
+++ b/server/private/routers/newt/handleConnectionLogMessage.ts
@@ -0,0 +1,394 @@
 import { db, logsDb } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { connectionAuditLog, sites, Newt, clients, orgs } from "@server/db";
 import { and, eq, lt, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 import { inflate } from "zlib";
 import { promisify } from "util";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 const zlibInflate = promisify(inflate);
 // Retry configuration for deadlock handling
 const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;
 // How often to flush accumulated connection log data to the database
 const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
 // Maximum number of records to buffer before forcing a flush
 const MAX_BUFFERED_RECORDS = 500;
 // Maximum number of records to insert in a single batch
 const INSERT_BATCH_SIZE = 100;
 interface ConnectionSessionData {
    sessionId: string;
    resourceId: number;
    sourceAddr: string;
    destAddr: string;
    protocol: string;
    startedAt: string; // ISO 8601 timestamp
    endedAt?: string; // ISO 8601 timestamp
    bytesTx?: number;
    bytesRx?: number;
 }
 interface ConnectionLogRecord {
    sessionId: string;
    siteResourceId: number;
    orgId: string;
    siteId: number;
    clientId: number | null;
    userId: string | null;
    sourceAddr: string;
    destAddr: string;
    protocol: string;
    startedAt: number; // epoch seconds
    endedAt: number | null;
    bytesTx: number | null;
    bytesRx: number | null;
 }
 // In-memory buffer of records waiting to be flushed
 let buffer: ConnectionLogRecord[] = [];
 /**
 * Check if an error is a deadlock error
 */
 function isDeadlockError(error: any): boolean {
    return (
        error?.code === "40P01" ||
        error?.cause?.code === "40P01" ||
        (error?.message && error.message.includes("deadlock"))
    );
 }
 /**
 * Execute a function with retry logic for deadlock handling
 */
 async function withDeadlockRetry<T>(
    operation: () => Promise<T>,
    context: string
 ): Promise<T> {
    let attempt = 0;
    while (true) {
        try {
            return await operation();
        } catch (error: any) {
            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
                attempt++;
                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
                const jitter = Math.random() * baseDelay;
                const delay = baseDelay + jitter;
                logger.warn(
                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
                );
                await new Promise((resolve) => setTimeout(resolve, delay));
                continue;
            }
            throw error;
        }
    }
 }
 /**
 * Decompress a base64-encoded zlib-compressed string into parsed JSON.
 */
 async function decompressConnectionLog(
    compressed: string
 ): Promise<ConnectionSessionData[]> {
    const compressedBuffer = Buffer.from(compressed, "base64");
    const decompressed = await zlibInflate(compressedBuffer);
    const jsonString = decompressed.toString("utf-8");
    const parsed = JSON.parse(jsonString);
    if (!Array.isArray(parsed)) {
        throw new Error("Decompressed connection log data is not an array");
    }
    return parsed;
 }
 /**
 * Convert an ISO 8601 timestamp string to epoch seconds.
 * Returns null if the input is falsy.
 */
 function toEpochSeconds(isoString: string | undefined | null): number | null {
    if (!isoString) {
        return null;
    }
    const ms = new Date(isoString).getTime();
    if (isNaN(ms)) {
        return null;
    }
    return Math.floor(ms / 1000);
 }
 /**
 * Flush all buffered connection log records to the database.
 *
 * Swaps out the buffer before writing so that any records added during the
 * flush are captured in the new buffer rather than being lost. Entries that
 * fail to write are re-queued back into the buffer so they will be retried
 * on the next flush.
 *
 * This function is exported so that the application's graceful-shutdown
 * cleanup handler can call it before the process exits.
 */
 export async function flushConnectionLogToDb(): Promise<void> {
    if (buffer.length === 0) {
        return;
    }
    // Atomically swap out the buffer so new data keeps flowing in
    const snapshot = buffer;
    buffer = [];
    logger.debug(
        `Flushing ${snapshot.length} connection log record(s) to the database`
    );
    // Insert in batches to avoid overly large SQL statements
    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
        try {
            await withDeadlockRetry(async () => {
                await logsDb.insert(connectionAuditLog).values(batch);
            }, `flush connection log batch (${batch.length} records)`);
        } catch (error) {
            logger.error(
                `Failed to flush connection log batch of ${batch.length} records:`,
                error
            );
            // Re-queue the failed batch so it is retried on the next flush
            buffer = [...batch, ...buffer];
            // Cap buffer to prevent unbounded growth if DB is unreachable
            if (buffer.length > MAX_BUFFERED_RECORDS * 5) {
                const dropped = buffer.length - MAX_BUFFERED_RECORDS * 5;
                buffer = buffer.slice(0, MAX_BUFFERED_RECORDS * 5);
                logger.warn(
                    `Connection log buffer overflow, dropped ${dropped} oldest records`
                );
            }
            // Stop trying further batches from this snapshot — they'll be
            // picked up by the next flush via the re-queued records above
            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
            if (remaining.length > 0) {
                buffer = [...remaining, ...buffer];
            }
            break;
        }
    }
 }
 const flushTimer = setInterval(async () => {
    try {
        await flushConnectionLogToDb();
    } catch (error) {
        logger.error(
            "Unexpected error during periodic connection log flush:",
            error
        );
    }
 }, FLUSH_INTERVAL_MS);
 // Calling unref() means this timer will not keep the Node.js event loop alive
 // on its own — the process can still exit normally when there is no other work
 // left.  The graceful-shutdown path will call flushConnectionLogToDb() explicitly
 // before process.exit(), so no data is lost.
 flushTimer.unref();
 export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
    try {
        await logsDb
            .delete(connectionAuditLog)
            .where(
                and(
                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
                    eq(connectionAuditLog.orgId, orgId)
                )
            );
        // logger.debug(
        //     `Cleaned up connection audit logs older than ${retentionDays} days`
        // );
    } catch (error) {
        logger.error("Error cleaning up old connection audit logs:", error);
    }
 }
 export const handleConnectionLogMessage: MessageHandler = async (context) => {
    const { message, client } = context;
    const newt = client as Newt;
    if (!newt) {
        logger.warn("Connection log received but no newt client in context");
        return;
    }
    if (!newt.siteId) {
        logger.warn("Connection log received but newt has no siteId");
        return;
    }
    if (!message.data?.compressed) {
        logger.warn("Connection log message missing compressed data");
        return;
    }
    // Look up the org for this site
    const [site] = await db
        .select({ orgId: sites.orgId, orgSubnet: orgs.subnet })
        .from(sites)
        .innerJoin(orgs, eq(sites.orgId, orgs.orgId))
        .where(eq(sites.siteId, newt.siteId));
    if (!site) {
        logger.warn(
            `Connection log received but site ${newt.siteId} not found in database`
        );
        return;
    }
    const orgId = site.orgId;
    // Extract the CIDR suffix (e.g. "/16") from the org subnet so we can
    // reconstruct the exact subnet string stored on each client record.
    const cidrSuffix = site.orgSubnet?.includes("/")
        ? site.orgSubnet.substring(site.orgSubnet.indexOf("/"))
        : null;
    let sessions: ConnectionSessionData[];
    try {
        sessions = await decompressConnectionLog(message.data.compressed);
    } catch (error) {
        logger.error("Failed to decompress connection log data:", error);
        return;
    }
    if (sessions.length === 0) {
        return;
    }
    logger.debug(`Sessions: ${JSON.stringify(sessions)}`)
    // Build a map from sourceAddr → { clientId, userId } by querying clients
    // whose subnet field matches exactly. Client subnets are stored with the
    // org's CIDR suffix (e.g. "100.90.128.5/16"), so we reconstruct that from
    // each unique sourceAddr + the org's CIDR suffix and do a targeted IN query.
    const ipToClient = new Map<string, { clientId: number; userId: string | null }>();
    if (cidrSuffix) {
        // Collect unique source addresses so we only query for what we need
        const uniqueSourceAddrs = new Set<string>();
        for (const session of sessions) {
            if (session.sourceAddr) {
                uniqueSourceAddrs.add(session.sourceAddr);
            }
        }
        if (uniqueSourceAddrs.size > 0) {
            // Construct the exact subnet strings as stored in the DB
            const subnetQueries = Array.from(uniqueSourceAddrs).map(
                (addr) => {
                    // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
                    const ip = addr.includes(":") ? addr.split(":")[0] : addr;
                    return `${ip}${cidrSuffix}`;
                }
            );
            logger.debug(`Subnet queries: ${JSON.stringify(subnetQueries)}`);
            const matchedClients = await db
                .select({
                    clientId: clients.clientId,
                    userId: clients.userId,
                    subnet: clients.subnet
                })
                .from(clients)
                .where(
                    and(
                        eq(clients.orgId, orgId),
                        inArray(clients.subnet, subnetQueries)
                    )
                );
            for (const c of matchedClients) {
                const ip = c.subnet.split("/")[0];
                logger.debug(`Client ${c.clientId} subnet ${c.subnet} matches ${ip}`);
                ipToClient.set(ip, { clientId: c.clientId, userId: c.userId });
            }
        }
    }
    // Convert to DB records and add to the buffer
    for (const session of sessions) {
        // Validate required fields
        if (
            !session.sessionId ||
            !session.resourceId ||
            !session.sourceAddr ||
            !session.destAddr ||
            !session.protocol
        ) {
            logger.debug(
                `Skipping connection log session with missing required fields: ${JSON.stringify(session)}`
            );
            continue;
        }
        const startedAt = toEpochSeconds(session.startedAt);
        if (startedAt === null) {
            logger.debug(
                `Skipping connection log session with invalid startedAt: ${session.startedAt}`
            );
            continue;
        }
        // Match the source address to a client. The sourceAddr is the
        // client's IP on the WireGuard network, which corresponds to the IP
        // portion of the client's subnet CIDR (e.g. "100.90.128.5/24").
        // Strip port if present (e.g. "100.90.128.1:38004" → "100.90.128.1")
        const sourceIp = session.sourceAddr.includes(":") ? session.sourceAddr.split(":")[0] : session.sourceAddr;
        const clientInfo = ipToClient.get(sourceIp) ?? null;
        buffer.push({
            sessionId: session.sessionId,
            siteResourceId: session.resourceId,
            orgId,
            siteId: newt.siteId,
            clientId: clientInfo?.clientId ?? null,
            userId: clientInfo?.userId ?? null,
            sourceAddr: session.sourceAddr,
            destAddr: session.destAddr,
            protocol: session.protocol,
            startedAt,
            endedAt: toEpochSeconds(session.endedAt),
            bytesTx: session.bytesTx ?? null,
            bytesRx: session.bytesRx ?? null
        });
    }
    logger.debug(
        `Buffered ${sessions.length} connection log session(s) from newt ${newt.newtId} (site ${newt.siteId})`
    );
    // If the buffer has grown large enough, trigger an immediate flush
    if (buffer.length >= MAX_BUFFERED_RECORDS) {
        // Fire and forget — errors are handled inside flushConnectionLogToDb
        flushConnectionLogToDb().catch((error) => {
            logger.error(
                "Unexpected error during size-triggered connection log flush:",
                error
            );
        });
    }
 };
--- a/server/private/routers/newt/index.ts
+++ b/server/private/routers/newt/index.ts
@@ -0,0 +1 @@
 export * from "./handleConnectionLogMessage";
--- a/server/private/routers/org/sendUsageNotifications.ts
+++ b/server/private/routers/org/sendUsageNotifications.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userOrgs, users, roles, orgs } from "@server/db";
+import { userOrgs, userOrgRoles, users, roles, orgs } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -95,7 +95,14 @@ async function getOrgAdmins(orgId: string) {
        })
        .from(userOrgs)
        .innerJoin(users, eq(userOrgs.userId, users.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
+        .leftJoin(
            userOrgRoles,
            and(
                eq(userOrgs.userId, userOrgRoles.userId),
                eq(userOrgs.orgId, userOrgRoles.orgId)
            )
        )
        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
        .where(
            and(
                eq(userOrgs.orgId, orgId),
@@ -103,8 +110,11 @@ async function getOrgAdmins(orgId: string) {
            )
        );
-    // Filter to only include users with verified emails
+    // Dedupe by userId (user may have multiple roles)
-    const orgAdmins = admins.filter(
+    const byUserId = new Map(
        admins.map((a) => [a.userId, a])
    );
    const orgAdmins = Array.from(byUserId.values()).filter(
        (admin) => admin.email && admin.email.length > 0
    );
--- a/server/private/routers/remoteExitNode/createRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
@@ -79,7 +79,7 @@ export async function createRemoteExitNode(
        const { remoteExitNodeId, secret } = parsedBody.data;
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
--- a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
+++ b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
@@ -23,8 +23,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
    createRemoteExitNodeSession,
-    validateRemoteExitNodeSessionToken
+    validateRemoteExitNodeSessionToken,
    EXPIRES
 } from "#private/auth/sessions/remoteExitNode";
 import { getOrCreateCachedToken } from "@server/private/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -103,14 +105,23 @@ export async function getRemoteExitNodeToken(
            );
        }
-        const resToken = generateSessionToken();
+        // Return a cached token if one exists to prevent thundering herd on
-        await createRemoteExitNodeSession(
+        // simultaneous restarts; falls back to creating a fresh session when
-            resToken,
+        // Redis is unavailable or the cache has expired.
-            existingRemoteExitNode.remoteExitNodeId
+        const resToken = await getOrCreateCachedToken(
            `remote_exit_node:token_cache:${existingRemoteExitNode.remoteExitNodeId}`,
            config.getRawConfig().server.secret!,
            Math.floor(EXPIRES / 1000),
            async () => {
                const token = generateSessionToken();
                await createRemoteExitNodeSession(
                    token,
                    existingRemoteExitNode.remoteExitNodeId
                );
                return token;
            }
        );
        // logger.debug(`Created RemoteExitNode token response: ${JSON.stringify(resToken)}`);
        return response<{ token: string }>(res, {
            data: {
                token: resToken
--- a/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/createSiteProvisioningKey.ts
@@ -0,0 +1,149 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { NextFunction, Request, Response } from "express";
 import { db, siteProvisioningKeyOrg, siteProvisioningKeys } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import createHttpError from "http-errors";
 import response from "@server/lib/response";
 import moment from "moment";
 import {
    generateId,
    generateIdFromEntropySize
 } from "@server/auth/sessions/app";
 import logger from "@server/logger";
 import { hashPassword } from "@server/auth/password";
 import type { CreateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
 const paramsSchema = z.object({
    orgId: z.string().nonempty()
 });
 const bodySchema = z
    .strictObject({
        name: z.string().min(1).max(255),
        maxBatchSize: z.union([
            z.null(),
            z.coerce.number().int().positive().max(1_000_000)
        ]),
        validUntil: z.string().max(255).optional(),
        approveNewSites: z.boolean().optional().default(true)
    })
    .superRefine((data, ctx) => {
        const v = data.validUntil;
        if (v == null || v.trim() === "") {
            return;
        }
        if (Number.isNaN(Date.parse(v))) {
            ctx.addIssue({
                code: "custom",
                message: "Invalid validUntil",
                path: ["validUntil"]
            });
        }
    });
 export type CreateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
 export async function createSiteProvisioningKey(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    const parsedParams = paramsSchema.safeParse(req.params);
    if (!parsedParams.success) {
        return next(
            createHttpError(
                HttpCode.BAD_REQUEST,
                fromError(parsedParams.error).toString()
            )
        );
    }
    const parsedBody = bodySchema.safeParse(req.body);
    if (!parsedBody.success) {
        return next(
            createHttpError(
                HttpCode.BAD_REQUEST,
                fromError(parsedBody.error).toString()
            )
        );
    }
    const { orgId } = parsedParams.data;
    const { name, maxBatchSize, approveNewSites } = parsedBody.data;
    const vuRaw = parsedBody.data.validUntil;
    const validUntil =
        vuRaw == null || vuRaw.trim() === ""
            ? null
            : new Date(Date.parse(vuRaw)).toISOString();
    const siteProvisioningKeyId = `spk-${generateId(15)}`;
    const siteProvisioningKey = generateIdFromEntropySize(25);
    const siteProvisioningKeyHash = await hashPassword(siteProvisioningKey);
    const lastChars = siteProvisioningKey.slice(-4);
    const createdAt = moment().toISOString();
    const provisioningKey = `${siteProvisioningKeyId}.${siteProvisioningKey}`;
    await db.transaction(async (trx) => {
        await trx.insert(siteProvisioningKeys).values({
            siteProvisioningKeyId,
            name,
            siteProvisioningKeyHash,
            createdAt,
            lastChars,
            lastUsed: null,
            maxBatchSize,
            numUsed: 0,
            validUntil,
            approveNewSites
        });
        await trx.insert(siteProvisioningKeyOrg).values({
            siteProvisioningKeyId,
            orgId
        });
    });
    try {
        return response<CreateSiteProvisioningKeyResponse>(res, {
            data: {
                siteProvisioningKeyId,
                orgId,
                name,
                siteProvisioningKey: provisioningKey,
                lastChars,
                createdAt,
                lastUsed: null,
                maxBatchSize,
                numUsed: 0,
                validUntil,
                approveNewSites
            },
            success: true,
            error: false,
            message: "Site provisioning key created",
            status: HttpCode.CREATED
        });
    } catch (e) {
        logger.error(e);
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Failed to create site provisioning key"
            )
        );
    }
 }
--- a/server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/deleteSiteProvisioningKey.ts
@@ -0,0 +1,129 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import {
    db,
    siteProvisioningKeyOrg,
    siteProvisioningKeys
 } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 const paramsSchema = z.object({
    siteProvisioningKeyId: z.string().nonempty(),
    orgId: z.string().nonempty()
 });
 export async function deleteSiteProvisioningKey(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedParams = paramsSchema.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error).toString()
                )
            );
        }
        const { siteProvisioningKeyId, orgId } = parsedParams.data;
        const [row] = await db
            .select()
            .from(siteProvisioningKeys)
            .where(
                eq(
                    siteProvisioningKeys.siteProvisioningKeyId,
                    siteProvisioningKeyId
                )
            )
            .innerJoin(
                siteProvisioningKeyOrg,
                and(
                    eq(
                        siteProvisioningKeys.siteProvisioningKeyId,
                        siteProvisioningKeyOrg.siteProvisioningKeyId
                    ),
                    eq(siteProvisioningKeyOrg.orgId, orgId)
                )
            )
            .limit(1);
        if (!row) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
                )
            );
        }
        await db.transaction(async (trx) => {
            await trx
                .delete(siteProvisioningKeyOrg)
                .where(
                    and(
                        eq(
                            siteProvisioningKeyOrg.siteProvisioningKeyId,
                            siteProvisioningKeyId
                        ),
                        eq(siteProvisioningKeyOrg.orgId, orgId)
                    )
                );
            const siteProvisioningKeyOrgs = await trx
                .select()
                .from(siteProvisioningKeyOrg)
                .where(
                    eq(
                        siteProvisioningKeyOrg.siteProvisioningKeyId,
                        siteProvisioningKeyId
                    )
                );
            if (siteProvisioningKeyOrgs.length === 0) {
                await trx
                    .delete(siteProvisioningKeys)
                    .where(
                        eq(
                            siteProvisioningKeys.siteProvisioningKeyId,
                            siteProvisioningKeyId
                        )
                    );
            }
        });
        return response(res, {
            data: null,
            success: true,
            error: false,
            message: "Site provisioning key deleted successfully",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/private/routers/siteProvisioning/index.ts
+++ b/server/private/routers/siteProvisioning/index.ts
@@ -0,0 +1,17 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 export * from "./createSiteProvisioningKey";
 export * from "./listSiteProvisioningKeys";
 export * from "./deleteSiteProvisioningKey";
 export * from "./updateSiteProvisioningKey";
--- a/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
+++ b/server/private/routers/siteProvisioning/listSiteProvisioningKeys.ts
@@ -0,0 +1,127 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import {
    db,
    siteProvisioningKeyOrg,
    siteProvisioningKeys
 } from "@server/db";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { eq } from "drizzle-orm";
 import type { ListSiteProvisioningKeysResponse } from "@server/routers/siteProvisioning/types";
 const paramsSchema = z.object({
    orgId: z.string().nonempty()
 });
 const querySchema = z.object({
    limit: z
        .string()
        .optional()
        .default("1000")
        .transform(Number)
        .pipe(z.int().positive()),
    offset: z
        .string()
        .optional()
        .default("0")
        .transform(Number)
        .pipe(z.int().nonnegative())
 });
 function querySiteProvisioningKeys(orgId: string) {
    return db
        .select({
            siteProvisioningKeyId:
                siteProvisioningKeys.siteProvisioningKeyId,
            orgId: siteProvisioningKeyOrg.orgId,
            lastChars: siteProvisioningKeys.lastChars,
            createdAt: siteProvisioningKeys.createdAt,
            name: siteProvisioningKeys.name,
            lastUsed: siteProvisioningKeys.lastUsed,
            maxBatchSize: siteProvisioningKeys.maxBatchSize,
            numUsed: siteProvisioningKeys.numUsed,
            validUntil: siteProvisioningKeys.validUntil,
            approveNewSites: siteProvisioningKeys.approveNewSites
        })
        .from(siteProvisioningKeyOrg)
        .innerJoin(
            siteProvisioningKeys,
            eq(
                siteProvisioningKeys.siteProvisioningKeyId,
                siteProvisioningKeyOrg.siteProvisioningKeyId
            )
        )
        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
 }
 export async function listSiteProvisioningKeys(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedParams = paramsSchema.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error)
                )
            );
        }
        const parsedQuery = querySchema.safeParse(req.query);
        if (!parsedQuery.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedQuery.error)
                )
            );
        }
        const { orgId } = parsedParams.data;
        const { limit, offset } = parsedQuery.data;
        const siteProvisioningKeysList = await querySiteProvisioningKeys(orgId)
            .limit(limit)
            .offset(offset);
        return response<ListSiteProvisioningKeysResponse>(res, {
            data: {
                siteProvisioningKeys: siteProvisioningKeysList,
                pagination: {
                    total: siteProvisioningKeysList.length,
                    limit,
                    offset
                }
            },
            success: true,
            error: false,
            message: "Site provisioning keys retrieved successfully",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
+++ b/server/private/routers/siteProvisioning/updateSiteProvisioningKey.ts
@@ -0,0 +1,206 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import {
    db,
    siteProvisioningKeyOrg,
    siteProvisioningKeys
 } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import type { UpdateSiteProvisioningKeyResponse } from "@server/routers/siteProvisioning/types";
 const paramsSchema = z.object({
    siteProvisioningKeyId: z.string().nonempty(),
    orgId: z.string().nonempty()
 });
 const bodySchema = z
    .strictObject({
        maxBatchSize: z
            .union([
                z.null(),
                z.coerce.number().int().positive().max(1_000_000)
            ])
            .optional(),
        validUntil: z.string().max(255).optional(),
        approveNewSites: z.boolean().optional()
    })
    .superRefine((data, ctx) => {
        if (
            data.maxBatchSize === undefined &&
            data.validUntil === undefined &&
            data.approveNewSites === undefined
        ) {
            ctx.addIssue({
                code: "custom",
                message: "Provide maxBatchSize and/or validUntil and/or approveNewSites",
                path: ["maxBatchSize"]
            });
        }
        const v = data.validUntil;
        if (v == null || v.trim() === "") {
            return;
        }
        if (Number.isNaN(Date.parse(v))) {
            ctx.addIssue({
                code: "custom",
                message: "Invalid validUntil",
                path: ["validUntil"]
            });
        }
    });
 export type UpdateSiteProvisioningKeyBody = z.infer<typeof bodySchema>;
 export async function updateSiteProvisioningKey(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedParams = paramsSchema.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error).toString()
                )
            );
        }
        const parsedBody = bodySchema.safeParse(req.body);
        if (!parsedBody.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedBody.error).toString()
                )
            );
        }
        const { siteProvisioningKeyId, orgId } = parsedParams.data;
        const body = parsedBody.data;
        const [row] = await db
            .select()
            .from(siteProvisioningKeys)
            .where(
                eq(
                    siteProvisioningKeys.siteProvisioningKeyId,
                    siteProvisioningKeyId
                )
            )
            .innerJoin(
                siteProvisioningKeyOrg,
                and(
                    eq(
                        siteProvisioningKeys.siteProvisioningKeyId,
                        siteProvisioningKeyOrg.siteProvisioningKeyId
                    ),
                    eq(siteProvisioningKeyOrg.orgId, orgId)
                )
            )
            .limit(1);
        if (!row) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
                )
            );
        }
        const setValues: {
            maxBatchSize?: number | null;
            validUntil?: string | null;
            approveNewSites?: boolean;
        } = {};
        if (body.maxBatchSize !== undefined) {
            setValues.maxBatchSize = body.maxBatchSize;
        }
        if (body.validUntil !== undefined) {
            setValues.validUntil =
                body.validUntil.trim() === ""
                    ? null
                    : new Date(Date.parse(body.validUntil)).toISOString();
        }
        if (body.approveNewSites !== undefined) {
            setValues.approveNewSites = body.approveNewSites;
        }
        await db
            .update(siteProvisioningKeys)
            .set(setValues)
            .where(
                eq(
                    siteProvisioningKeys.siteProvisioningKeyId,
                    siteProvisioningKeyId
                )
            );
        const [updated] = await db
            .select({
                siteProvisioningKeyId:
                    siteProvisioningKeys.siteProvisioningKeyId,
                name: siteProvisioningKeys.name,
                lastChars: siteProvisioningKeys.lastChars,
                createdAt: siteProvisioningKeys.createdAt,
                lastUsed: siteProvisioningKeys.lastUsed,
                maxBatchSize: siteProvisioningKeys.maxBatchSize,
                numUsed: siteProvisioningKeys.numUsed,
                validUntil: siteProvisioningKeys.validUntil,
                approveNewSites: siteProvisioningKeys.approveNewSites
            })
            .from(siteProvisioningKeys)
            .where(
                eq(
                    siteProvisioningKeys.siteProvisioningKeyId,
                    siteProvisioningKeyId
                )
            )
            .limit(1);
        if (!updated) {
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Failed to load updated site provisioning key"
                )
            );
        }
        return response<UpdateSiteProvisioningKeyResponse>(res, {
            data: {
                ...updated,
                orgId
            },
            success: true,
            error: false,
            message: "Site provisioning key updated successfully",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -24,6 +24,7 @@ import {
    sites,
    userOrgs
 } from "@server/db";
 import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
@@ -31,7 +32,7 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import { eq, or, and } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "@server/lib/sshCA";
 import config from "@server/lib/config";
@@ -125,7 +126,7 @@ export async function signSshKey(
            resource: resourceQueryString
        } = parsedBody.data;
        const userId = req.user?.userId;
-        const roleId = req.userOrgRoleId!;
+        const roleIds = req.userOrgRoleIds ?? [];
        if (!userId) {
            return next(
@@ -133,6 +134,15 @@ export async function signSshKey(
            );
        }
        if (roleIds.length === 0) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User has no role in organization"
                )
            );
        }
        const [userOrg] = await db
            .select()
            .from(userOrgs)
@@ -339,7 +349,7 @@ export async function signSshKey(
        const hasAccess = await canUserAccessSiteResource({
            userId: userId,
            resourceId: resource.siteResourceId,
-            roleId: roleId
+            roleIds
        });
        if (!hasAccess) {
@@ -351,28 +361,39 @@ export async function signSshKey(
            );
        }
-        const [roleRow] = await db
+        const roleRows = await db
            .select()
            .from(roles)
-            .where(eq(roles.roleId, roleId))
+            .where(inArray(roles.roleId, roleIds));
            .limit(1);
-        let parsedSudoCommands: string[] = [];
+        const parsedSudoCommands: string[] = [];
-        let parsedGroups: string[] = [];
+        const parsedGroupsSet = new Set<string>();
-        try {
+        let homedir: boolean | null = null;
-            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
-            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
+        let sudoMode: "none" | "commands" | "all" = "none";
-        } catch {
+        for (const roleRow of roleRows) {
-            parsedSudoCommands = [];
+            try {
                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
            } catch {
                // skip
            }
            try {
                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
            } catch {
                // skip
            }
            if (roleRow?.sshCreateHomeDir === true) homedir = true;
            const m = roleRow?.sshSudoMode ?? "none";
            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
                sudoMode = m as "none" | "commands" | "all";
            }
        }
-        try {
+        const parsedGroups = Array.from(parsedGroupsSet);
-            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+        if (homedir === null && roleRows.length > 0) {
-            if (!Array.isArray(parsedGroups)) parsedGroups = [];
+            homedir = roleRows[0].sshCreateHomeDir ?? null;
        } catch {
            parsedGroups = [];
        }
        const homedir = roleRow?.sshCreateHomeDir ?? null;
        const sudoMode = roleRow?.sshSudoMode ?? "none";
        // get the site
        const [newt] = await db
@@ -463,6 +484,24 @@ export async function signSshKey(
            })
        });
        await logAccessAudit({
            action: true,
            type: "ssh",
            orgId: orgId,
            resourceId: resource.siteResourceId,
            user: req.user
                ? { username: req.user.username ?? "", userId: req.user.userId }
                : undefined,
            metadata: {
                resourceName: resource.name,
                siteId: resource.siteId,
                sshUsername: usernameToUse,
                sshHost: sshHost
            },
            userAgent: req.headers["user-agent"],
            requestIp: req.ip
        });
        return response<SignSshKeyResponse>(res, {
            data: {
                certificate: cert.certificate,
--- a/server/private/routers/user/addUserRole.ts
+++ b/server/private/routers/user/addUserRole.ts
@@ -1,14 +1,27 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db, UserOrg } from "@server/db";
+import stoi from "@server/lib/stoi";
-import { userOrgs, roles } from "@server/db";
+import { clients, db } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import stoi from "@server/lib/stoi";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
@@ -17,11 +30,9 @@ const addUserRoleParamsSchema = z.strictObject({
    roleId: z.string().transform(stoi).pipe(z.number())
 });
 export type AddUserRoleResponse = z.infer<typeof addUserRoleParamsSchema>;
 registry.registerPath({
    method: "post",
-    path: "/role/{roleId}/add/{userId}",
+    path: "/user/{userId}/add-role/{roleId}",
    description: "Add a role to a user.",
    tags: [OpenAPITags.Role, OpenAPITags.User],
    request: {
@@ -111,20 +122,23 @@ export async function addUserRole(
            );
        }
-        let newUserRole: UserOrg | null = null;
+        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
            null;
        await db.transaction(async (trx) => {
-            [newUserRole] = await trx
+            const inserted = await trx
-                .update(userOrgs)
+                .insert(userOrgRoles)
-                .set({ roleId })
+                .values({
-                .where(
+                    userId,
-                    and(
+                    orgId: role.orgId,
-                        eq(userOrgs.userId, userId),
+                    roleId
-                        eq(userOrgs.orgId, role.orgId)
+                })
-                    )
+                .onConflictDoNothing()
                )
                .returning();
-            // get the client associated with this user in this org
+            if (inserted.length > 0) {
                newUserRole = inserted[0];
            }
            const orgClients = await trx
                .select()
                .from(clients)
@@ -133,17 +147,15 @@ export async function addUserRole(
                        eq(clients.userId, userId),
                        eq(clients.orgId, role.orgId)
                    )
-                )
+                );
                .limit(1);
            for (const orgClient of orgClients) {
                // we just changed the user's role, so we need to rebuild client associations and what they have access to
                await rebuildClientAssociationsFromClient(orgClient, trx);
            }
        });
        return response(res, {
-            data: newUserRole,
+            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
            success: true,
            error: false,
            message: "Role added to user successfully",
--- a/server/private/routers/user/index.ts
+++ b/server/private/routers/user/index.ts
@@ -0,0 +1,16 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 export * from "./addUserRole";
 export * from "./removeUserRole";
 export * from "./setUserOrgRoles";
--- a/server/private/routers/user/removeUserRole.ts
+++ b/server/private/routers/user/removeUserRole.ts
@@ -0,0 +1,171 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
 import { db } from "@server/db";
 import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 const removeUserRoleParamsSchema = z.strictObject({
    userId: z.string(),
    roleId: z.string().transform(stoi).pipe(z.number())
 });
 registry.registerPath({
    method: "delete",
    path: "/user/{userId}/remove-role/{roleId}",
    description:
        "Remove a role from a user. User must have at least one role left in the org.",
    tags: [OpenAPITags.Role, OpenAPITags.User],
    request: {
        params: removeUserRoleParamsSchema
    },
    responses: {}
 });
 export async function removeUserRole(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedParams = removeUserRoleParamsSchema.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error).toString()
                )
            );
        }
        const { userId, roleId } = parsedParams.data;
        if (req.user && !req.userOrg) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "You do not have access to this organization"
                )
            );
        }
        const [role] = await db
            .select()
            .from(roles)
            .where(eq(roles.roleId, roleId))
            .limit(1);
        if (!role) {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
            );
        }
        const [existingUser] = await db
            .select()
            .from(userOrgs)
            .where(
                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
            )
            .limit(1);
        if (!existingUser) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    "User not found or does not belong to the specified organization"
                )
            );
        }
        if (existingUser.isOwner) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "Cannot change the roles of the owner of the organization"
                )
            );
        }
        const remainingRoles = await db
            .select({ roleId: userOrgRoles.roleId })
            .from(userOrgRoles)
            .where(
                and(
                    eq(userOrgRoles.userId, userId),
                    eq(userOrgRoles.orgId, role.orgId)
                )
            );
        if (remainingRoles.length <= 1) {
            const hasThisRole = remainingRoles.some((r) => r.roleId === roleId);
            if (hasThisRole) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "User must have at least one role in the organization. Remove the last role is not allowed."
                    )
                );
            }
        }
        await db.transaction(async (trx) => {
            await trx
                .delete(userOrgRoles)
                .where(
                    and(
                        eq(userOrgRoles.userId, userId),
                        eq(userOrgRoles.orgId, role.orgId),
                        eq(userOrgRoles.roleId, roleId)
                    )
                );
            const orgClients = await trx
                .select()
                .from(clients)
                .where(
                    and(
                        eq(clients.userId, userId),
                        eq(clients.orgId, role.orgId)
                    )
                );
            for (const orgClient of orgClients) {
                await rebuildClientAssociationsFromClient(orgClient, trx);
            }
        });
        return response(res, {
            data: { userId, orgId: role.orgId, roleId },
            success: true,
            error: false,
            message: "Role removed from user successfully",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/private/routers/user/setUserOrgRoles.ts
+++ b/server/private/routers/user/setUserOrgRoles.ts
@@ -0,0 +1,163 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { clients, db } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 const setUserOrgRolesParamsSchema = z.strictObject({
    orgId: z.string(),
    userId: z.string()
 });
 const setUserOrgRolesBodySchema = z.strictObject({
    roleIds: z.array(z.int().positive()).min(1)
 });
 export async function setUserOrgRoles(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedParams = setUserOrgRolesParamsSchema.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error).toString()
                )
            );
        }
        const parsedBody = setUserOrgRolesBodySchema.safeParse(req.body);
        if (!parsedBody.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedBody.error).toString()
                )
            );
        }
        const { orgId, userId } = parsedParams.data;
        const { roleIds } = parsedBody.data;
        if (req.user && !req.userOrg) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "You do not have access to this organization"
                )
            );
        }
        const uniqueRoleIds = [...new Set(roleIds)];
        const [existingUser] = await db
            .select()
            .from(userOrgs)
            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
            .limit(1);
        if (!existingUser) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    "User not found in this organization"
                )
            );
        }
        if (existingUser.isOwner) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "Cannot change the roles of the owner of the organization"
                )
            );
        }
        const orgRoles = await db
            .select({ roleId: roles.roleId })
            .from(roles)
            .where(
                and(
                    eq(roles.orgId, orgId),
                    inArray(roles.roleId, uniqueRoleIds)
                )
            );
        if (orgRoles.length !== uniqueRoleIds.length) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "One or more role IDs are invalid for this organization"
                )
            );
        }
        await db.transaction(async (trx) => {
            await trx
                .delete(userOrgRoles)
                .where(
                    and(
                        eq(userOrgRoles.userId, userId),
                        eq(userOrgRoles.orgId, orgId)
                    )
                );
            if (uniqueRoleIds.length > 0) {
                await trx.insert(userOrgRoles).values(
                    uniqueRoleIds.map((roleId) => ({
                        userId,
                        orgId,
                        roleId
                    }))
                );
            }
            const orgClients = await trx
                .select()
                .from(clients)
                .where(
                    and(eq(clients.userId, userId), eq(clients.orgId, orgId))
                );
            for (const orgClient of orgClients) {
                await rebuildClientAssociationsFromClient(orgClient, trx);
            }
        });
        return response(res, {
            data: { userId, orgId, roleIds: uniqueRoleIds },
            success: true,
            error: false,
            message: "User roles set successfully",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -18,10 +18,12 @@ import {
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
 import { handleConnectionLogMessage } from "#dynamic/routers/newt";
 export const messageHandlers: Record<string, MessageHandler> = {
    "remoteExitNode/register": handleRemoteExitNodeRegisterMessage,
-    "remoteExitNode/ping": handleRemoteExitNodePingMessage
+    "remoteExitNode/ping": handleRemoteExitNodePingMessage,
    "newt/access-log": handleConnectionLogMessage,
 };
 if (build != "saas") {
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -19,17 +19,14 @@ import { Socket } from "net";
 import {
    Newt,
    newts,
    NewtSession,
    olms,
    Olm,
-    OlmSession,
+    olms,
    RemoteExitNode,
    RemoteExitNodeSession,
    remoteExitNodes,
    sites
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
 import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import logger from "@server/logger";
@@ -197,11 +194,7 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();
-// Tracks the last Unix timestamp (seconds) at which a ping was flushed to the
+
 // DB for a given siteId. Resets on server restart which is fine – the first
 // ping after startup will always write, re-establishing the online state.
 const lastPingDbWrite: Map<number, number> = new Map();
 const PING_DB_WRITE_INTERVAL = 45; // seconds
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
@@ -853,32 +846,16 @@ const setupConnection = async (
        );
    });
    // Handle WebSocket protocol-level pings from older newt clients that do
    // not send application-level "newt/ping" messages. Update the site's
    // online state and lastPing timestamp so the offline checker treats them
    // the same as modern newt clients.
    if (clientType === "newt") {
        const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
            if (!newtClient.siteId) return;
-            const now = Math.floor(Date.now() / 1000);
+            // Record the ping in the accumulator instead of writing to the
-            const lastWrite = lastPingDbWrite.get(newtClient.siteId) ?? 0;
+            // database on every WS ping frame. The accumulator flushes all
-            if (now - lastWrite < PING_DB_WRITE_INTERVAL) return;
+            // pending pings in a single batched UPDATE every ~10s, which
-            lastPingDbWrite.set(newtClient.siteId, now);
+            // prevents connection pool exhaustion under load (especially
-            try {
+            // with cross-region latency to the database).
-                await db
+            recordPing(newtClient.siteId);
                    .update(sites)
                    .set({
                        online: true,
                        lastPing: now
                    })
                    .where(eq(sites.siteId, newtClient.siteId));
            } catch (error) {
                logger.error(
                    "Error updating newt site online state on WS ping",
                    { error }
                );
            }
        });
    }
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@@ -208,7 +208,7 @@ export async function listAccessTokens(
                .where(
                    or(
                        eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                    )
                );
        } else {
--- a/server/routers/auditLogs/types.ts
+++ b/server/routers/auditLogs/types.ts
@@ -91,3 +91,50 @@ export type QueryAccessAuditLogResponse = {
        locations: string[];
    };
 };
 export type QueryConnectionAuditLogResponse = {
    log: {
        sessionId: string;
        siteResourceId: number | null;
        orgId: string | null;
        siteId: number | null;
        clientId: number | null;
        userId: string | null;
        sourceAddr: string;
        destAddr: string;
        protocol: string;
        startedAt: number;
        endedAt: number | null;
        bytesTx: number | null;
        bytesRx: number | null;
        resourceName: string | null;
        resourceNiceId: string | null;
        siteName: string | null;
        siteNiceId: string | null;
        clientName: string | null;
        clientNiceId: string | null;
        clientType: string | null;
        userEmail: string | null;
    }[];
    pagination: {
        total: number;
        limit: number;
        offset: number;
    };
    filterAttributes: {
        protocols: string[];
        destAddrs: string[];
        clients: {
            id: number;
            name: string;
        }[];
        resources: {
            id: number;
            name: string | null;
        }[];
        users: {
            id: string;
            email: string | null;
        }[];
    };
 };
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -4,11 +4,11 @@ import {
    getResourceByDomain,
    getResourceRules,
    getRoleResourceAccess,
    getUserOrgRole,
    getUserResourceAccess,
    getOrgLoginPage,
    getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
 import { getUserOrgRoles } from "@server/lib/userOrgRoles";
 import {
    LoginPage,
    Org,
@@ -30,7 +30,6 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { getCountryCodeForIp } from "@server/lib/geoip";
 import { getAsnForIp } from "@server/lib/asn";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { verifyPassword } from "@server/auth/password";
 import {
    checkOrgAccessPolicy,
@@ -797,7 +796,8 @@ async function notAllowed(
 ) {
    let loginPage: LoginPage | null = null;
    if (orgId) {
-        const subscribed = await isSubscribed( // this is fine because the org login page is only a saas feature
+        const subscribed = await isSubscribed(
            // this is fine because the org login page is only a saas feature
            orgId,
            tierMatrix.loginPageDomain
        );
@@ -854,7 +854,10 @@ async function headerAuthChallenged(
 ) {
    let loginPage: LoginPage | null = null;
    if (orgId) {
-        const subscribed = await isSubscribed(orgId, tierMatrix.loginPageDomain); // this is fine because the org login page is only a saas feature
+        const subscribed = await isSubscribed(
            orgId,
            tierMatrix.loginPageDomain
        ); // this is fine because the org login page is only a saas feature
        if (subscribed) {
            loginPage = await getOrgLoginPage(orgId);
        }
@@ -916,9 +919,9 @@ async function isUserAllowedToAccessResource(
        return null;
    }
-    const userOrgRole = await getUserOrgRole(user.userId, resource.orgId);
+    const userOrgRoles = await getUserOrgRoles(user.userId, resource.orgId);
-    if (!userOrgRole) {
+    if (!userOrgRoles.length) {
        return null;
    }
@@ -936,15 +939,14 @@ async function isUserAllowedToAccessResource(
    const roleResourceAccess = await getRoleResourceAccess(
        resource.resourceId,
-        userOrgRole.roleId
+        userOrgRoles.map((r) => r.roleId)
    );
-
+    if (roleResourceAccess && roleResourceAccess.length > 0) {
    if (roleResourceAccess) {
        return {
            username: user.username,
            email: user.email,
            name: user.name,
-            role: userOrgRole.roleName
+            role: userOrgRoles.map((r) => r.roleName).join(", ")
        };
    }
@@ -958,7 +960,7 @@ async function isUserAllowedToAccessResource(
            username: user.username,
            email: user.email,
            name: user.name,
-            role: userOrgRole.roleName
+            role: userOrgRoles.map((r) => r.roleName).join(", ")
        };
    }
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -92,7 +92,7 @@ export async function createClient(
        const { orgId } = parsedParams.data;
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
@@ -234,7 +234,7 @@ export async function createClient(
                clientId: newClient.clientId
            });
-            if (req.user && req.userOrgRoleId != adminRole.roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole.roleId)) {
                // make sure the user can access the client
                trx.insert(userClients).values({
                    userId: req.user.userId,
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -297,7 +297,7 @@ export async function listClients(
                .where(
                    or(
                        eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                    )
                );
        } else {
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -316,7 +316,7 @@ export async function listUserDevices(
                .where(
                    or(
                        eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                    )
                );
        } else {
--- a/server/routers/client/targets.ts
+++ b/server/routers/client/targets.ts
@@ -1,15 +1,54 @@
 import { sendToClient } from "#dynamic/routers/ws";
-import { db, olms, Transaction } from "@server/db";
+import { db, newts, olms } from "@server/db";
 import {
    Alias,
    convertSubnetProxyTargetsV2ToV1,
    SubnetProxyTarget,
    SubnetProxyTargetV2
 } from "@server/lib/ip";
 import { canCompress } from "@server/lib/clientVersionChecks";
 import { Alias, SubnetProxyTarget } from "@server/lib/ip";
 import logger from "@server/logger";
 import { eq } from "drizzle-orm";
 import semver from "semver";
 const NEWT_V2_TARGETS_VERSION = ">=1.10.3";
 export async function convertTargetsIfNessicary(
    newtId: string,
    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
 ) {
    // get the newt
    const [newt] = await db
        .select()
        .from(newts)
        .where(eq(newts.newtId, newtId));
    if (!newt) {
        throw new Error(`No newt found for id: ${newtId}`);
    }
    // check the semver
    if (
        newt.version &&
        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
    ) {
        logger.debug(
            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
        );
        targets = convertSubnetProxyTargetsV2ToV1(
            targets as SubnetProxyTargetV2[]
        );
    }
    return targets;
 }
 export async function addTargets(
    newtId: string,
-    targets: SubnetProxyTarget[],
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[],
    version?: string | null
 ) {
    targets = await convertTargetsIfNessicary(newtId, targets);
    await sendToClient(
        newtId,
        {
@@ -22,9 +61,11 @@ export async function addTargets(
 export async function removeTargets(
    newtId: string,
-    targets: SubnetProxyTarget[],
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[],
    version?: string | null
 ) {
    targets = await convertTargetsIfNessicary(newtId, targets);
    await sendToClient(
        newtId,
        {
@@ -38,11 +79,39 @@ export async function removeTargets(
 export async function updateTargets(
    newtId: string,
    targets: {
-        oldTargets: SubnetProxyTarget[];
+        oldTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
-        newTargets: SubnetProxyTarget[];
+        newTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
    },
    version?: string | null
 ) {
    // get the newt
    const [newt] = await db
        .select()
        .from(newts)
        .where(eq(newts.newtId, newtId));
    if (!newt) {
        logger.error(`addTargetsL No newt found for id: ${newtId}`);
        return;
    }
    // check the semver
    if (
        newt.version &&
        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
    ) {
        logger.debug(
            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
        );
        targets = {
            oldTargets: convertSubnetProxyTargetsV2ToV1(
                targets.oldTargets as SubnetProxyTargetV2[]
            ),
            newTargets: convertSubnetProxyTargetsV2ToV1(
                targets.newTargets as SubnetProxyTargetV2[]
            )
        };
    }
    await sendToClient(
        newtId,
        {
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -102,6 +102,8 @@ authenticated.put(
    logActionAudit(ActionsEnum.createSite),
    site.createSite
 );
 authenticated.get(
    "/org/:orgId/sites",
    verifyOrgAccess,
@@ -644,6 +646,7 @@ authenticated.delete(
    logActionAudit(ActionsEnum.deleteRole),
    role.deleteRole
 );
 authenticated.post(
    "/role/:roleId/add/:userId",
    verifyRoleAccess,
@@ -651,7 +654,7 @@ authenticated.post(
    verifyLimits,
    verifyUserHasAction(ActionsEnum.addUserRole),
    logActionAudit(ActionsEnum.addUserRole),
-    user.addUserRole
+    user.addUserRoleLegacy
 );
 authenticated.post(
@@ -1202,6 +1205,22 @@ authRouter.post(
    }),
    newt.getNewtToken
 );
 authRouter.post(
    "/newt/register",
    rateLimit({
        windowMs: 15 * 60 * 1000,
        max: 30,
        keyGenerator: (req) =>
            `newtRegister:${req.body.provisioningKey?.split(".")[0] || ipKeyGenerator(req.ip || "")}`,
        handler: (req, res, next) => {
            const message = `You can only register a newt ${30} times every ${15} minutes. Please try again later.`;
            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
        },
        store: createStore()
    }),
    newt.registerNewt
 );
 authRouter.post(
    "/olm/get-token",
    rateLimit({
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { eq, sql } from "drizzle-orm";
+import { sql } from "drizzle-orm";
 import { sites } from "@server/db";
 import { db } from "@server/db";
 import logger from "@server/logger";
 import createHttpError from "http-errors";
@@ -31,7 +30,10 @@ const MAX_RETRIES = 3;
 const BASE_DELAY_MS = 50;
 // How often to flush accumulated bandwidth data to the database
-const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+const FLUSH_INTERVAL_MS = 300_000; // 300 seconds
 // Maximum number of sites to include in a single batch UPDATE statement
 const BATCH_CHUNK_SIZE = 250;
 // In-memory accumulator: publicKey -> AccumulatorEntry
 let accumulator = new Map<string, AccumulatorEntry>();
@@ -75,13 +77,33 @@ async function withDeadlockRetry<T>(
    }
 }
 /**
 * Execute a raw SQL query that returns rows, in a way that works across both
 * the PostgreSQL driver (which exposes `execute`) and the SQLite driver (which
 * exposes `all`).  Drizzle's typed query builder doesn't support bulk
 * UPDATE … FROM (VALUES …) natively, so we drop to raw SQL here.
 */
 async function dbQueryRows<T extends Record<string, unknown>>(
    query: Parameters<(typeof sql)["join"]>[0][number]
 ): Promise<T[]> {
    const anyDb = db as any;
    if (typeof anyDb.execute === "function") {
        // PostgreSQL (node-postgres via Drizzle) — returns { rows: [...] } or an array
        const result = await anyDb.execute(query);
        return (Array.isArray(result) ? result : (result.rows ?? [])) as T[];
    }
    // SQLite (better-sqlite3 via Drizzle) — returns an array directly
    return (await anyDb.all(query)) as T[];
 }
 /**
 * Flush all accumulated site bandwidth data to the database.
 *
 * Swaps out the accumulator before writing so that any bandwidth messages
 * received during the flush are captured in the new accumulator rather than
- * being lost or causing contention. Entries that fail to write are re-queued
+ * being lost or causing contention. Sites are updated in chunks via a single
- * back into the accumulator so they will be retried on the next flush.
+ * batch UPDATE per chunk. Failed chunks are discarded — exact per-flush
 * accuracy is not critical and re-queuing is not worth the added complexity.
 *
 * This function is exported so that the application's graceful-shutdown
 * cleanup handler can call it before the process exits.
@@ -108,76 +130,76 @@ export async function flushSiteBandwidthToDb(): Promise<void> {
        `Flushing accumulated bandwidth data for ${sortedEntries.length} site(s) to the database`
    );
-    // Aggregate billing usage by org, collected during the DB update loop.
+    // Build a lookup so post-processing can reach each entry by publicKey.
    const snapshotMap = new Map(sortedEntries);
    // Aggregate billing usage by org across all chunks.
    const orgUsageMap = new Map<string, number>();
-    for (const [publicKey, { bytesIn, bytesOut, exitNodeId, calcUsage }] of sortedEntries) {
+    // Process in chunks so individual queries stay at a reasonable size.
    for (let i = 0; i < sortedEntries.length; i += BATCH_CHUNK_SIZE) {
        const chunk = sortedEntries.slice(i, i + BATCH_CHUNK_SIZE);
        const chunkEnd = i + chunk.length - 1;
        // Build a parameterised VALUES list: (pubKey, bytesIn, bytesOut), ...
        // Both PostgreSQL and SQLite (≥ 3.33.0, which better-sqlite3 bundles)
        // support UPDATE … FROM (VALUES …), letting us update the whole chunk
        // in a single query instead of N individual round-trips.
        const valuesList = chunk.map(([publicKey, { bytesIn, bytesOut }]) =>
            sql`(${publicKey}, ${bytesIn}, ${bytesOut})`
        );
        const valuesClause = sql.join(valuesList, sql`, `);
        let rows: { orgId: string; pubKey: string }[] = [];
        try {
-            const updatedSite = await withDeadlockRetry(async () => {
+            rows = await withDeadlockRetry(async () => {
-                const [result] = await db
+                return dbQueryRows<{ orgId: string; pubKey: string }>(sql`
-                    .update(sites)
+                    UPDATE sites
-                    .set({
+                    SET
-                        megabytesOut: sql`COALESCE(${sites.megabytesOut}, 0) + ${bytesIn}`,
+                        "bytesOut"            = COALESCE("bytesOut", 0) + v.bytes_in,
-                        megabytesIn: sql`COALESCE(${sites.megabytesIn}, 0) + ${bytesOut}`,
+                        "bytesIn"             = COALESCE("bytesIn", 0)  + v.bytes_out,
-                        lastBandwidthUpdate: currentTime,
+                        "lastBandwidthUpdate" = ${currentTime}
-                    })
+                    FROM (VALUES ${valuesClause}) AS v(pub_key, bytes_in, bytes_out)
-                    .where(eq(sites.pubKey, publicKey))
+                    WHERE sites."pubKey" = v.pub_key
-                    .returning({
+                    RETURNING sites."orgId" AS "orgId", sites."pubKey" AS "pubKey"
-                        orgId: sites.orgId,
+                `);
-                        siteId: sites.siteId
+            }, `flush bandwidth chunk [${i}–${chunkEnd}]`);
                    });
                return result;
            }, `flush bandwidth for site ${publicKey}`);
            if (updatedSite) {
                if (exitNodeId) {
                    const notAllowed = await checkExitNodeOrg(
                        exitNodeId,
                        updatedSite.orgId
                    );
                    if (notAllowed) {
                        logger.warn(
                            `Exit node ${exitNodeId} is not allowed for org ${updatedSite.orgId}`
                        );
                        // Skip usage tracking for this site but continue
                        // processing the rest.
                        continue;
                    }
                }
                if (calcUsage) {
                    const totalBandwidth = bytesIn + bytesOut;
                    const current = orgUsageMap.get(updatedSite.orgId) ?? 0;
                    orgUsageMap.set(updatedSite.orgId, current + totalBandwidth);
                }
            }
        } catch (error) {
            logger.error(
-                `Failed to flush bandwidth for site ${publicKey}:`,
+                `Failed to flush bandwidth chunk [${i}–${chunkEnd}], discarding ${chunk.length} site(s):`,
                error
            );
            // Discard the chunk — exact per-flush accuracy is not critical.
            continue;
        }
-            // Re-queue the failed entry so it is retried on the next flush
+        // Collect billing usage from the returned rows.
-            // rather than silently dropped.
+        for (const { orgId, pubKey } of rows) {
-            const existing = accumulator.get(publicKey);
+            const entry = snapshotMap.get(pubKey);
-            if (existing) {
+            if (!entry) continue;
-                existing.bytesIn += bytesIn;
+
-                existing.bytesOut += bytesOut;
+            const { bytesIn, bytesOut, exitNodeId, calcUsage } = entry;
-            } else {
+
-                accumulator.set(publicKey, {
+            if (exitNodeId) {
-                    bytesIn,
+                const notAllowed = await checkExitNodeOrg(exitNodeId, orgId);
-                    bytesOut,
+                if (notAllowed) {
-                    exitNodeId,
+                    logger.warn(
-                    calcUsage
+                        `Exit node ${exitNodeId} is not allowed for org ${orgId}`
-                });
+                    );
                    continue;
                }
            }
            if (calcUsage) {
                const current = orgUsageMap.get(orgId) ?? 0;
                orgUsageMap.set(orgId, current + bytesIn + bytesOut);
            }
        }
    }
-    // Process billing usage updates outside the site-update loop to keep
+    // Process billing usage updates after all chunks are written.
    // lock scope small and concerns separated.
    if (orgUsageMap.size > 0) {
        // Sort org IDs for consistent lock ordering.
        const sortedOrgIds = [...orgUsageMap.keys()].sort();
        for (const orgId of sortedOrgIds) {
--- a/server/routers/idp/createOidcIdp.ts
+++ b/server/routers/idp/createOidcIdp.ts
@@ -25,7 +25,8 @@ const bodySchema = z.strictObject({
    namePath: z.string().optional(),
    scopes: z.string().nonempty(),
    autoProvision: z.boolean().optional(),
-    tags: z.string().optional()
+    tags: z.string().optional(),
    variant: z.enum(["oidc", "google", "azure"]).optional().default("oidc")
 });
 export type CreateIdpResponse = {
@@ -77,7 +78,8 @@ export async function createOidcIdp(
            namePath,
            name,
            autoProvision,
-            tags
+            tags,
            variant
        } = parsedBody.data;
        if (
@@ -121,7 +123,8 @@ export async function createOidcIdp(
                scopes,
                identifierPath,
                emailPath,
-                namePath
+                namePath,
                variant
            });
        });
--- a/server/routers/idp/updateOidcIdp.ts
+++ b/server/routers/idp/updateOidcIdp.ts
@@ -31,7 +31,8 @@ const bodySchema = z.strictObject({
    autoProvision: z.boolean().optional(),
    defaultRoleMapping: z.string().optional(),
    defaultOrgMapping: z.string().optional(),
-    tags: z.string().optional()
+    tags: z.string().optional(),
    variant: z.enum(["oidc", "google", "azure"]).optional()
 });
 export type UpdateIdpResponse = {
@@ -96,7 +97,8 @@ export async function updateOidcIdp(
            autoProvision,
            defaultRoleMapping,
            defaultOrgMapping,
-            tags
+            tags,
            variant
        } = parsedBody.data;
        if (process.env.IDENTITY_PROVIDER_MODE === "org") {
@@ -159,7 +161,8 @@ export async function updateOidcIdp(
                scopes,
                identifierPath,
                emailPath,
-                namePath
+                namePath,
                variant
            };
            keysToUpdate = Object.keys(configData).filter(
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -13,6 +13,7 @@ import {
    orgs,
    Role,
    roles,
    userOrgRoles,
    userOrgs,
    users
 } from "@server/db";
@@ -35,11 +36,13 @@ import { usageService } from "@server/lib/billing/usageService";
 import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import {
    assignUserToOrg,
    removeUserFromOrg
 } from "@server/lib/userOrg";
 import { unwrapRoleMapping } from "@app/lib/idpRoleMapping";
 const ensureTrailingSlash = (url: string): string => {
    return url;
@@ -366,7 +369,7 @@ export async function validateOidcCallback(
            const defaultRoleMapping = existingIdp.idp.defaultRoleMapping;
            const defaultOrgMapping = existingIdp.idp.defaultOrgMapping;
-            const userOrgInfo: { orgId: string; roleId: number }[] = [];
+            const userOrgInfo: { orgId: string; roleIds: number[] }[] = [];
            for (const org of allOrgs) {
                const [idpOrgRes] = await db
                    .select()
@@ -378,8 +381,6 @@ export async function validateOidcCallback(
                        )
                    );
                let roleId: number | undefined = undefined;
                const orgMapping = idpOrgRes?.orgMapping || defaultOrgMapping;
                const hydratedOrgMapping = hydrateOrgMapping(
                    orgMapping,
@@ -404,38 +405,55 @@ export async function validateOidcCallback(
                    idpOrgRes?.roleMapping || defaultRoleMapping;
                if (roleMapping) {
                    logger.debug("Role Mapping", { roleMapping });
-                    const roleName = jmespath.search(claims, roleMapping);
+                    const roleMappingJmes = unwrapRoleMapping(
                        roleMapping
                    ).evaluationExpression;
                    const roleMappingResult = jmespath.search(
                        claims,
                        roleMappingJmes
                    );
                    const roleNames = normalizeRoleMappingResult(
                        roleMappingResult
                    );
-                    if (!roleName) {
+                    const supportsMultiRole = await isLicensedOrSubscribed(
-                        logger.error("Role name not found in the ID token", {
+                        org.orgId,
-                            roleName
+                        tierMatrix.fullRbac
                    );
                    const effectiveRoleNames = supportsMultiRole
                        ? roleNames
                        : roleNames.slice(0, 1);
                    if (!effectiveRoleNames.length) {
                        logger.error("Role mapping returned no valid roles", {
                            roleMappingResult
                        });
                        continue;
                    }
-                    const [roleRes] = await db
+                    const roleRes = await db
                        .select()
                        .from(roles)
                        .where(
                            and(
                                eq(roles.orgId, org.orgId),
-                                eq(roles.name, roleName)
+                                inArray(roles.name, effectiveRoleNames)
                            )
                        );
-                    if (!roleRes) {
+                    if (!roleRes.length) {
-                        logger.error("Role not found", {
+                        logger.error("No mapped roles found in organization", {
                            orgId: org.orgId,
-                            roleName
+                            roleNames: effectiveRoleNames
                        });
                        continue;
                    }
-                    roleId = roleRes.roleId;
+                    const roleIds = [...new Set(roleRes.map((r) => r.roleId))];
                    userOrgInfo.push({
                        orgId: org.orgId,
-                        roleId
+                        roleIds
                    });
                }
            }
@@ -570,32 +588,28 @@ export async function validateOidcCallback(
                    }
                }
-                // Update roles for existing auto-provisioned orgs where the role has changed
+                // Sync roles 1:1 with IdP policy for existing auto-provisioned orgs
-                const orgsToUpdate = autoProvisionedOrgs.filter(
+                for (const currentOrg of autoProvisionedOrgs) {
-                    (currentOrg) => {
+                    const newRole = userOrgInfo.find(
-                        const newOrg = userOrgInfo.find(
+                        (newOrg) => newOrg.orgId === currentOrg.orgId
-                            (newOrg) => newOrg.orgId === currentOrg.orgId
+                    );
-                        );
+                    if (!newRole) continue;
                        return newOrg && newOrg.roleId !== currentOrg.roleId;
                    }
                );
-                if (orgsToUpdate.length > 0) {
+                    await trx
-                    for (const org of orgsToUpdate) {
+                        .delete(userOrgRoles)
-                        const newRole = userOrgInfo.find(
+                        .where(
-                            (newOrg) => newOrg.orgId === org.orgId
+                            and(
                                eq(userOrgRoles.userId, userId!),
                                eq(userOrgRoles.orgId, currentOrg.orgId)
                            )
                        );
-                        if (newRole) {
+
-                            await trx
+                    for (const roleId of newRole.roleIds) {
-                                .update(userOrgs)
+                        await trx.insert(userOrgRoles).values({
-                                .set({ roleId: newRole.roleId })
+                            userId: userId!,
-                                .where(
+                            orgId: currentOrg.orgId,
-                                    and(
+                            roleId
-                                        eq(userOrgs.userId, userId!),
+                        });
                                        eq(userOrgs.orgId, org.orgId)
                                    )
                                );
                        }
                    }
                }
@@ -609,6 +623,10 @@ export async function validateOidcCallback(
                if (orgsToAdd.length > 0) {
                    for (const org of orgsToAdd) {
                        if (org.roleIds.length === 0) {
                            continue;
                        }
                        const [fullOrg] = await trx
                            .select()
                            .from(orgs)
@@ -619,9 +637,9 @@ export async function validateOidcCallback(
                                {
                                    orgId: org.orgId,
                                    userId: userId!,
                                    roleId: org.roleId,
                                    autoProvisioned: true,
                                },
                                org.roleIds,
                                trx
                            );
                        }
@@ -748,3 +766,25 @@ function hydrateOrgMapping(
    }
    return orgMapping.split("{{orgId}}").join(orgId);
 }
 function normalizeRoleMappingResult(
    result: unknown
 ): string[] {
    if (typeof result === "string") {
        const role = result.trim();
        return role ? [role] : [];
    }
    if (Array.isArray(result)) {
        return [
            ...new Set(
                result
                    .filter((value): value is string => typeof value === "string")
                    .map((value) => value.trim())
                    .filter(Boolean)
            )
        ];
    }
    return [];
 }
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -16,6 +16,7 @@ import {
    verifyApiKey,
    verifyApiKeyOrgAccess,
    verifyApiKeyHasAction,
    verifyApiKeyCanSetUserOrgRoles,
    verifyApiKeySiteAccess,
    verifyApiKeyResourceAccess,
    verifyApiKeyTargetAccess,
@@ -595,7 +596,7 @@ authenticated.post(
    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.addUserRole),
    logActionAudit(ActionsEnum.addUserRole),
-    user.addUserRole
+    user.addUserRoleLegacy
 );
 authenticated.post(
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -16,8 +16,8 @@ import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
 import {
    formatEndpoint,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
-    SubnetProxyTarget
+    SubnetProxyTargetV2
 } from "@server/lib/ip";
 export async function buildClientConfigurationForNewtClient(
@@ -143,7 +143,7 @@ export async function buildClientConfigurationForNewtClient(
        .from(siteResources)
        .where(eq(siteResources.siteId, siteId));
-    const targetsToSend: SubnetProxyTarget[] = [];
+    const targetsToSend: SubnetProxyTargetV2[] = [];
    for (const resource of allSiteResources) {
        // Get clients associated with this specific resource
@@ -168,12 +168,14 @@ export async function buildClientConfigurationForNewtClient(
                )
            );
-        const resourceTargets = generateSubnetProxyTargets(
+        const resourceTarget = generateSubnetProxyTargetV2(
            resource,
            resourceClients
        );
-        targetsToSend.push(...resourceTargets);
+        if (resourceTarget) {
            targetsToSend.push(resourceTarget);
        }
    }
    return {
--- a/server/routers/newt/createNewt.ts
+++ b/server/routers/newt/createNewt.ts
@@ -46,7 +46,7 @@ export async function createNewt(
        const { newtId, secret } = parsedBody.data;
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,6 +1,8 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
-import { db } from "@server/db";
+import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
 import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
 import { EXPIRES } from "@server/auth/sessions/newt";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
 import { eq } from "drizzle-orm";
@@ -92,8 +94,19 @@ export async function getNewtToken(
            );
        }
-        const resToken = generateSessionToken();
+        // Return a cached token if one exists to prevent thundering herd on
-        await createNewtSession(resToken, existingNewt.newtId);
+        // simultaneous restarts; falls back to creating a fresh session when
        // Redis is unavailable or the cache has expired.
        const resToken = await getOrCreateCachedToken(
            `newt:token_cache:${existingNewt.newtId}`,
            config.getRawConfig().server.secret!,
            Math.floor(EXPIRES / 1000),
            async () => {
                const token = generateSessionToken();
                await createNewtSession(token, existingNewt.newtId);
                return token;
            }
        );
        return response<{ token: string; serverVersion: string }>(res, {
            data: {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Owen	1e9544af07	Customize table a little more	2026-03-29 20:29:31 -07:00
Owen	fcf92d4e2c	Add basic provisioning room v1 and update keys	2026-03-29 16:28:51 -07:00
Owen	77cef554be	Provisioning room basics done	2026-03-29 14:20:58 -07:00
Owen	9dc9b6a2c3	Merge branch 'logging-provision' into dev	2026-03-29 13:59:14 -07:00
Owen	9808a48da0	Merge branch 'multi-role' into dev	2026-03-29 13:55:23 -07:00
Milo Schwartz	8a6960d9c3	Merge pull request #2670 from Fredkiss3/feat/selector-filtering Feat: selector filtering	2026-03-29 12:26:51 -07:00
Milo Schwartz	d966ef66e1	Merge pull request #2643 from Fredkiss3/fix/wireguard-site-ip fix: Display actual values for WireGuard site credentials	2026-03-29 12:23:16 -07:00
Milo Schwartz	ed97cf5d97	Merge pull request #2697 from Fredkiss3/feat/modify-private-resource-niceid feat: edit niceid in private resources	2026-03-29 12:18:21 -07:00
Owen	a3b088f8d2	Merge branch 'dev' into logging-provision	2026-03-29 12:18:13 -07:00
miloschwartz	2828dee94c	support multi role on create user and invites	2026-03-29 12:11:22 -07:00
miloschwartz	ee6fb34906	Merge branch 'multi-role' of https://github.com/fosrl/pangolin into multi-role	2026-03-29 12:01:55 -07:00
miloschwartz	bff2ba7cc2	add learn more link	2026-03-29 11:34:07 -07:00
Owen	8e821b397f	Add migration	2026-03-28 21:41:21 -07:00
Owen	6f71af278e	Add basic migration files	2026-03-28 21:29:32 -07:00
Owen	757bb39622	Support overriding badger for testing	2026-03-28 21:24:13 -07:00
Owen	00ef6d617f	Handle the roles better in the verify session	2026-03-28 21:24:13 -07:00
miloschwartz	d1b2105c80	support search in tags input	2026-03-28 18:29:40 -07:00
miloschwartz	50ee28b1f7	fix no admin user in roles dropdown	2026-03-28 18:23:07 -07:00
miloschwartz	ba529ad14e	hide google and azure idp properly	2026-03-28 18:20:56 -07:00
miloschwartz	6ab0555148	respect full rbac feature in auto provisioning	2026-03-28 18:09:36 -07:00
miloschwartz	c6f269b3fa	set roles 1:1 on auto provision	2026-03-28 17:29:01 -07:00
miloschwartz	7bcb852dba	add google and azure templates to global idp	2026-03-27 18:10:19 -07:00
miloschwartz	ed604c8810	Merge branch 'multi-role' of https://github.com/fosrl/pangolin into multi-role	2026-03-27 17:35:50 -07:00
miloschwartz	bea20674a8	support policy buildiner in global idp	2026-03-27 17:35:35 -07:00
Owen	177926932b	Update hybrid for multi role	2026-03-27 17:07:58 -07:00
Owen	04dfbd0a14	Chainid send through	2026-03-27 12:04:41 -07:00
Owen	a143b7de7c	Merge branch 'multi-role' of github.com:fosrl/pangolin into multi-role	2026-03-26 21:47:13 -07:00
Owen	63372b174f	Merge branch 'dev' into multi-role	2026-03-26 21:46:29 -07:00
miloschwartz	ad7d68d2b4	basic idp mapping builder	2026-03-26 21:46:01 -07:00
Owen	e05af54f76	Use standard component	2026-03-26 21:36:51 -07:00
miloschwartz	13eadeaa8f	support legacy one role per user	2026-03-26 18:19:10 -07:00
Owen	19a686b3e4	Add restrictions around provisioning key	2026-03-26 16:49:43 -07:00
miloschwartz	d046084e84	delete role move to new role	2026-03-26 16:44:30 -07:00
miloschwartz	e13a076939	ui improvements	2026-03-26 16:37:31 -07:00
Owen	b4ca6432db	Fix double id	2026-03-26 16:24:44 -07:00
Owen	c80c7df1d0	Batch set bandwidth	2026-03-25 20:44:08 -07:00
Owen	99a064b77a	Fix import problems	2026-03-25 20:44:08 -07:00
Owen	9b84623d0c	Cache token for thundering hurd	2026-03-25 20:44:08 -07:00
Owen	6bb6cf8a48	Clean up	2026-03-25 20:44:08 -07:00
Owen	348fcbcabf	Try to solve th problem	2026-03-25 20:44:08 -07:00
Owen	1f4cde5f7f	Add license script	2026-03-25 20:44:08 -07:00
Owen	3e3b02021c	Add ssh access log	2026-03-25 20:44:08 -07:00
Owen	17eb93d045	Add better pooling controls	2026-03-25 20:44:08 -07:00
Owen	660420ddef	Disable everything if not paid	2026-03-25 20:44:08 -07:00
Owen	395cab795c	Batch set bandwidth	2026-03-25 20:35:21 -07:00
miloschwartz	0fecbe704b	Merge branch 'dev' into multi-role	2026-03-24 22:01:13 -07:00
Owen	ce59a8a52b	Merge branch 'main' into dev	2026-03-24 20:38:16 -07:00
miloschwartz	2091b5f359	Merge branch 'logging-provision' of https://github.com/fosrl/pangolin into logging-provision	2026-03-24 20:30:14 -07:00
Owen Schwartz	62c63ddcaa	Merge pull request #2710 from fosrl/thundering-herd thundering herd	2026-03-24 20:29:01 -07:00
Owen	dfd604c781	Fix import problems	2026-03-24 20:27:34 -07:00
miloschwartz	3525b367b3	move to private routes	2026-03-24 20:27:15 -07:00
Owen	0b5b6ed5a3	Adjust register endpoint	2026-03-24 18:26:10 -07:00
Owen	6fe9494df4	Merge branch 'logging-provision' of github.com:fosrl/pangolin into logging-provision	2026-03-24 18:17:42 -07:00
Owen	b2eab95a3b	Pass at first endpoints	2026-03-24 18:17:33 -07:00
Owen	38d30b0214	Add license script	2026-03-24 18:13:57 -07:00
Owen	c96c5e8ae8	Cache token for thundering hurd	2026-03-24 18:12:51 -07:00
Owen	6f71e9f0f2	Clean up	2026-03-24 17:55:14 -07:00
Owen	d17ec6dc1f	Try to solve th problem	2026-03-24 17:39:43 -07:00
miloschwartz	212b7a104f	Merge branch 'logging-provision' of https://github.com/fosrl/pangolin into logging-provision	2026-03-24 17:01:36 -07:00
miloschwartz	d21dfb750e	ui for provisioning key	2026-03-24 17:01:20 -07:00
Owen	fff38aac85	Add ssh access log	2026-03-24 16:26:56 -07:00
miloschwartz	7db58f920c	add site provisioning key crud	2026-03-24 16:19:00 -07:00
Fred KISSIE	e9b16b8801	Merge branch 'dev' into feat/modify-private-resource-niceid	2026-03-25 00:13:35 +01:00
Owen	5a2a97b23a	Add better pooling controls	2026-03-24 16:12:13 -07:00
Owen	5b894e8682	Disable everything if not paid	2026-03-24 16:01:54 -07:00
Fred KISSIE	84925f724d	💄 update UI	2026-03-24 23:43:01 +01:00
Owen	7b78b91449	Fix resource link	2026-03-23 22:00:53 -07:00
Owen	f9bff5954f	Add filters and refine table and query	2026-03-23 21:49:22 -07:00
Owen	2c6e9507b5	Connection log page working	2026-03-23 21:41:53 -07:00
Owen	6471571bc6	Add ui for connection logs	2026-03-23 20:18:03 -07:00
Owen	fe40ea58c1	Source client info into schema	2026-03-23 20:05:54 -07:00
Owen	0d4edcd1c7	make private	2026-03-23 17:23:51 -07:00
Owen	7d8797840a	Add connection log	2026-03-23 17:01:34 -07:00
Owen Schwartz	19f8c1772f	Merge pull request #2698 from fosrl/msg-opt Improve proxy list message size	2026-03-23 16:05:24 -07:00
Owen	37d331e813	Update version	2026-03-23 16:05:05 -07:00
Owen	c660df55cd	Merge branch 'dev' into msg-opt	2026-03-23 16:00:50 -07:00
Fred KISSIE	60982bf19f	🚧 edit niceid in private resources	2026-03-23 22:55:59 +01:00
Owen Schwartz	7c8b865379	Merge pull request #2695 from noe-charmet/redis-password-env Allow setting Redis password from env	2026-03-23 12:02:45 -07:00
Noe Charmet	3cca0c09c0	Allow setting Redis password from env	2026-03-23 11:18:55 +01:00
Fred KISSIE	e0fa5607e5	push	2026-03-20 04:37:57 +01:00
Fred KISSIE	572c9bf319	Merge branch 'dev' into feat/selector-filtering	2026-03-20 04:24:48 +01:00
Fred KISSIE	52cac4aa21	🚚 rename component	2026-03-20 04:17:35 +01:00
Fred KISSIE	e358d12765	♻️ submit	2026-03-20 04:15:18 +01:00
Fred KISSIE	02697e27a4	♻️ refactor	2026-03-20 04:02:51 +01:00
Fred KISSIE	ce58e71c44	♻️ make machine selector a multi-combobox	2026-03-20 03:59:10 +01:00
Fred KISSIE	e15703164d	♻️ resource selector in create share link form	2026-03-19 04:44:24 +01:00
Fred KISSIE	8f33e25782	♻️ use site selector on private resources	2026-03-19 01:18:27 +01:00
Fred KISSIE	722595c131	♻️ make site selector popover its own component	2026-03-19 00:35:26 +01:00
Fred KISSIE	c9be84a8a8	Merge branch 'dev' into feat/selector-filtering	2026-03-18 23:38:25 +01:00
Fred KISSIE	435cae06a2	♻️ refactor	2026-03-17 04:16:24 +01:00
Fred KISSIE	18ed38889f	♻️ filter sites server side in resource target	2026-03-17 04:07:02 +01:00
Fred KISSIE	84b082e194	♻️ show actual values for wireguard site credentials whenever possible	2026-03-12 23:36:35 +01:00
Owen	b01fcc70fe	Fix ts and add note about ipv4	2026-03-03 14:45:18 -08:00
Owen	35fed74e49	Merge branch 'dev' into msg-opt	2026-03-02 18:52:35 -08:00
Owen	6cf1b9b010	Support improved targets msg v2	2026-03-02 18:51:48 -08:00
Owen	dae169540b	Fix defaults for orgs	2026-03-02 16:49:17 -08:00
miloschwartz	20e547a0f6	first pass	2026-02-24 17:58:11 -08:00
		`@@ -0,0 +1 @@`
							`export * from "./handleConnectionLogMessage";`