Bump the prod-minor-updates group with 8 updates

Bumps the prod-minor-updates group with 8 updates: | Package | From | To | | --- | --- | --- | | [@asteasolutions/zod-to-openapi](https://github.com/asteasolutions/zod-to-openapi) | `8.4.1` | `8.5.0` | | [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3) | `3.1011.0` | `3.1020.0` | | [@faker-js/faker](https://github.com/faker-js/faker) | `10.3.0` | `10.4.0` | | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.90.21` | `5.95.2` | | [axios](https://github.com/axios/axios) | `1.13.5` | `1.14.1` | | [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.71.2` | `7.72.0` | | [resend](https://github.com/resend/resend-node) | `6.9.2` | `6.10.0` | | [ws](https://github.com/websockets/ws) | `8.19.0` | `8.20.0` | Updates `@asteasolutions/zod-to-openapi` from 8.4.1 to 8.5.0 - [Release notes](https://github.com/asteasolutions/zod-to-openapi/releases) - [Commits](https://github.com/asteasolutions/zod-to-openapi/compare/v8.4.1...v8.5.0) Updates `@aws-sdk/client-s3` from 3.1011.0 to 3.1020.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1020.0/clients/client-s3) Updates `@faker-js/faker` from 10.3.0 to 10.4.0 - [Release notes](https://github.com/faker-js/faker/releases) - [Changelog](https://github.com/faker-js/faker/blob/next/CHANGELOG.md) - [Commits](https://github.com/faker-js/faker/compare/v10.3.0...v10.4.0) Updates `@tanstack/react-query` from 5.90.21 to 5.95.2 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.95.2/packages/react-query) Updates `axios` from 1.13.5 to 1.14.1 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](https://github.com/axios/axios/commits) Updates `react-hook-form` from 7.71.2 to 7.72.0 - [Release notes](https://github.com/react-hook-form/react-hook-form/releases) - [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md) - [Commits](https://github.com/react-hook-form/react-hook-form/compare/v7.71.2...v7.72.0) Updates `resend` from 6.9.2 to 6.10.0 - [Release notes](https://github.com/resend/resend-node/releases) - [Commits](https://github.com/resend/resend-node/compare/v6.9.2...v6.10.0) Updates `ws` from 8.19.0 to 8.20.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](https://github.com/websockets/ws/compare/8.19.0...8.20.0) --- updated-dependencies: - dependency-name: "@asteasolutions/zod-to-openapi" dependency-version: 8.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1020.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@faker-js/faker" dependency-version: 10.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@tanstack/react-query" dependency-version: 5.95.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: axios dependency-version: 1.14.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: react-hook-form dependency-version: 7.72.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: resend dependency-version: 6.10.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: ws dependency-version: 8.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #2753 from fosrl/dev
2026-03-31 23:16:38 +00:00 · 2026-03-31 22:34:30 +00:00 · 2026-03-31 15:27:47 -07:00 · 2026-03-31 15:26:39 -07:00 · 2026-03-31 15:24:25 -07:00 · 2026-03-31 15:21:34 -07:00
313 changed files with 25091 additions and 7688 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -77,7 +77,7 @@ jobs:
                  fi

            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                  fi

            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -264,7 +264,7 @@ jobs:
              shell: bash

            - name: Install Go
-              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+              uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
              with:
                  go-version: 1.24

@@ -299,7 +299,7 @@ jobs:
              shell: bash

            - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
              with:
                  name: install-bin
                  path: install/bin/
@@ -407,7 +407,7 @@ jobs:
              shell: bash

            - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
@@ -415,7 +415,7 @@ jobs:

            - name: Install cosign
              # cosign is used to sign and verify container images (key and keyless)
-              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

            - name: Dual-sign and verify (GHCR & Docker Hub)
              # Sign each image by digest using keyless (OIDC) and key-based signing,
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,7 +24,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Set up Node.js
-              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
              with:
                node-version: '24'

--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -23,7 +23,7 @@ jobs:
          skopeo --version

      - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

      - name: Input check
        run: |
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '24'

--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@

 <p align="center">
    <strong>
-        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
+        Get started with Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
    </strong>
 </p>

@@ -60,9 +60,9 @@ Pangolin is an open-source, identity-based remote access platform built on WireG

 | <img width=500 /> | Description |
 |-----------------|--------------|
+| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
 | **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
 | **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
-| **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/nodes) and connect to our control plane. |

 ## Key Features

@@ -85,17 +85,16 @@ Download the Pangolin client for your platform:

 ## Get Started

+### Sign up now
+
+Create an account at [app.pangolin.net](https://app.pangolin.net) to get started with Pangolin Cloud. A generous free tier is available.
+
 ### Check out the docs

 We encourage everyone to read the full documentation first, which is
 available at [docs.pangolin.net](https://docs.pangolin.net). This README provides only a very brief subset of
 the docs to illustrate some basic ideas.

-### Sign up and try now
-
-For Pangolin's managed service, you will first need to create an account at
-[app.pangolin.net](https://app.pangolin.net). We have a generous free tier to get started.
-
 ## Licensing

 Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,7 +3,7 @@
 If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:

 1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
-2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) with the following information:

 -   Description and location of the vulnerability.
 -   Potential impact of the vulnerability.
--- a/install/config.go
+++ b/install/config.go
@@ -99,11 +99,6 @@ func ReadAppConfig(configPath string) (*AppConfigValues, error) {
 	return values, nil
 }

-// findPattern finds the start of a pattern in a string
-func findPattern(s, pattern string) int {
-	return bytes.Index([]byte(s), []byte(pattern))
-}
-
 func copyDockerService(sourceFile, destFile, serviceName string) error {
 	// Read source file
 	sourceData, err := os.ReadFile(sourceFile)
@@ -187,7 +182,7 @@ func backupConfig() error {
 	return nil
 }

-func MarshalYAMLWithIndent(data any, indent int) ([]byte, error) {
+func MarshalYAMLWithIndent(data any, indent int) (resp []byte, err error) {
 	buffer := new(bytes.Buffer)
 	encoder := yaml.NewEncoder(buffer)
 	encoder.SetIndent(indent)
@@ -196,7 +191,12 @@ func MarshalYAMLWithIndent(data any, indent int) ([]byte, error) {
 		return nil, err
 	}

-	defer encoder.Close()
+	defer func() {
+		if cerr := encoder.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()
+
 	return buffer.Bytes(), nil
 }

--- a/install/config/crowdsec/traefik_config.yml
+++ b/install/config/crowdsec/traefik_config.yml
@@ -81,11 +81,17 @@ entryPoints:
    transport:
      respondingTimeouts:
        readTimeout: "30m"
+    http3:
+      advertisedPort: 443
    http:
      tls:
        certResolver: "letsencrypt"
-      middlewares: 
-        - crowdsec@file
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true

 serversTransport:
-  insecureSkipVerify: true
+  insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -38,6 +38,7 @@ services:
      - 51820:51820/udp
      - 21820:21820/udp
      - 443:443
+      - 443:443/udp # For http3 QUIC if desired
      - 80:80
 {{end}}
  traefik:
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -40,6 +40,8 @@ entryPoints:
    transport:
      respondingTimeouts:
        readTimeout: "30m"
+    http3:
+      advertisedPort: 443
    http:
      tls:
        certResolver: "letsencrypt"
--- a/install/go.mod
+++ b/install/go.mod
@@ -1,11 +1,11 @@
 module installer

-go 1.24.0
+go 1.25.0

 require (
-	github.com/charmbracelet/huh v0.8.0
+	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.40.0
+	golang.org/x/term v0.41.0
 	gopkg.in/yaml.v3 v3.0.1
 )

@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -14,8 +14,8 @@ github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGs
 github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
-github.com/charmbracelet/huh v0.8.0 h1:Xz/Pm2h64cXQZn/Jvele4J3r7DDiqFCNIVteYukxDvY=
-github.com/charmbracelet/huh v0.8.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
+github.com/charmbracelet/huh v1.0.0 h1:wOnedH8G4qzJbmhftTqrpppyqHakl/zbbNdXIWJyIxw=
+github.com/charmbracelet/huh v1.0.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
--- a/install/input.go
+++ b/install/input.go
@@ -85,33 +85,6 @@ func readString(prompt string, defaultValue string) string {
 	return value
 }

-func readStringNoDefault(prompt string) string {
-	var value string
-
-	for {
-		input := huh.NewInput().
-			Title(prompt).
-			Value(&value).
-			Validate(func(s string) error {
-				if s == "" {
-					return fmt.Errorf("this field is required")
-				}
-				return nil
-			})
-
-		err := runField(input)
-		handleAbort(err)
-
-		if value != "" {
-			// Print the answer so it remains visible in terminal history
-			if !isAccessibleMode() {
-				fmt.Printf("%s: %s\n", prompt, value)
-			}
-			return value
-		}
-	}
-}
-
 func readPassword(prompt string) string {
 	var value string

--- a/install/main.go
+++ b/install/main.go
@@ -8,12 +8,12 @@ import (
 	"io"
 	"io/fs"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"text/template"
 	"time"
@@ -90,6 +90,13 @@ func main() {
 	var config Config
 	var alreadyInstalled = false

+	// Determine installation directory
+	installDir := findOrSelectInstallDirectory()
+	if err := os.Chdir(installDir); err != nil {
+		fmt.Printf("Error changing to installation directory: %v\n", err)
+		os.Exit(1)
+	}
+
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
 		config = collectUserInput()
@@ -287,6 +294,117 @@ func main() {
 	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }

+func hasExistingInstall(dir string) bool {
+	configPath := filepath.Join(dir, "config", "config.yml")
+	_, err := os.Stat(configPath)
+	return err == nil
+}
+
+func findOrSelectInstallDirectory() string {
+	const defaultInstallDir = "/opt/pangolin"
+
+	// Get current working directory
+	cwd, err := os.Getwd()
+	if err != nil {
+		fmt.Printf("Error getting current directory: %v\n", err)
+		os.Exit(1)
+	}
+
+	// 1. Check current directory for existing install
+	if hasExistingInstall(cwd) {
+		fmt.Printf("Found existing Pangolin installation in current directory: %s\n", cwd)
+		return cwd
+	}
+
+	// 2. Check default location (/opt/pangolin) for existing install
+	if cwd != defaultInstallDir && hasExistingInstall(defaultInstallDir) {
+		fmt.Printf("\nFound existing Pangolin installation at: %s\n", defaultInstallDir)
+		if readBool(fmt.Sprintf("Would you like to use the existing installation at %s?", defaultInstallDir), true) {
+			return defaultInstallDir
+		}
+	}
+
+	// 3. No existing install found, prompt for installation directory
+	fmt.Println("\n=== Installation Directory ===")
+	fmt.Println("No existing Pangolin installation detected.")
+
+	installDir := readString("Enter the installation directory", defaultInstallDir)
+
+	// Expand ~ to home directory if present
+	if strings.HasPrefix(installDir, "~") {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			fmt.Printf("Error getting home directory: %v\n", err)
+			os.Exit(1)
+		}
+		installDir = filepath.Join(home, installDir[1:])
+	}
+
+	// Convert to absolute path
+	absPath, err := filepath.Abs(installDir)
+	if err != nil {
+		fmt.Printf("Error resolving path: %v\n", err)
+		os.Exit(1)
+	}
+	installDir = absPath
+
+	// Check if directory exists
+	if _, err := os.Stat(installDir); os.IsNotExist(err) {
+		// Directory doesn't exist, create it
+		if readBool(fmt.Sprintf("Directory %s does not exist. Create it?", installDir), true) {
+			if err := os.MkdirAll(installDir, 0755); err != nil {
+				fmt.Printf("Error creating directory: %v\n", err)
+				os.Exit(1)
+			}
+			fmt.Printf("Created directory: %s\n", installDir)
+
+			// Offer to change ownership if running via sudo
+			changeDirectoryOwnership(installDir)
+		} else {
+			fmt.Println("Installation cancelled.")
+			os.Exit(0)
+		}
+	}
+
+	fmt.Printf("Installation directory: %s\n", installDir)
+	return installDir
+}
+
+func changeDirectoryOwnership(dir string) {
+	// Check if we're running via sudo by looking for SUDO_USER
+	sudoUser := os.Getenv("SUDO_USER")
+	if sudoUser == "" || os.Geteuid() != 0 {
+		return
+	}
+
+	sudoUID := os.Getenv("SUDO_UID")
+	sudoGID := os.Getenv("SUDO_GID")
+
+	if sudoUID == "" || sudoGID == "" {
+		return
+	}
+
+	fmt.Printf("\nRunning as root via sudo (original user: %s)\n", sudoUser)
+	if readBool(fmt.Sprintf("Would you like to change ownership of %s to user '%s'? This makes it easier to manage config files without sudo.", dir, sudoUser), true) {
+		uid, err := strconv.Atoi(sudoUID)
+		if err != nil {
+			fmt.Printf("Warning: Could not parse SUDO_UID: %v\n", err)
+			return
+		}
+		gid, err := strconv.Atoi(sudoGID)
+		if err != nil {
+			fmt.Printf("Warning: Could not parse SUDO_GID: %v\n", err)
+			return
+		}
+
+		if err := os.Chown(dir, uid, gid); err != nil {
+			fmt.Printf("Warning: Could not change ownership: %v\n", err)
+		} else {
+			fmt.Printf("Changed ownership of %s to %s\n", dir, sudoUser)
+		}
+	}
+}
+
 func podmanOrDocker() SupportedContainer {
 	inputContainer := readString("Would you like to run Pangolin as Docker or Podman containers?", "docker")

@@ -430,9 +548,9 @@ func createConfigFiles(config Config) error {
 	}

 	// Walk through all embedded files
-	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, err error) error {
-		if err != nil {
-			return err
+	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, walkErr error) (err error) {
+		if walkErr != nil {
+			return walkErr
 		}

 		// Skip the root fs directory itself
@@ -483,7 +601,11 @@ func createConfigFiles(config Config) error {
 		if err != nil {
 			return fmt.Errorf("failed to create %s: %v", path, err)
 		}
-		defer outFile.Close()
+		defer func() {
+			if cerr := outFile.Close(); cerr != nil && err == nil {
+				err = cerr
+			}
+		}()

 		// Execute template
 		if err := tmpl.Execute(outFile, config); err != nil {
@@ -499,18 +621,26 @@ func createConfigFiles(config Config) error {
 	return nil
 }

-func copyFile(src, dst string) error {
+func copyFile(src, dst string) (err error) {
 	source, err := os.Open(src)
 	if err != nil {
 		return err
 	}
-	defer source.Close()
+	defer func() {
+		if cerr := source.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()

 	destination, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
-	defer destination.Close()
+	defer func() {
+		if cerr := destination.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+	}()

 	_, err = io.Copy(destination, source)
 	return err
@@ -622,32 +752,6 @@ func generateRandomSecretKey() string {
 	return base64.StdEncoding.EncodeToString(secret)
 }

-func getPublicIP() string {
-	client := &http.Client{
-		Timeout: 10 * time.Second,
-	}
-
-	resp, err := client.Get("https://ifconfig.io/ip")
-	if err != nil {
-		return ""
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return ""
-	}
-
-	ip := strings.TrimSpace(string(body))
-
-	// Validate that it's a valid IP address
-	if net.ParseIP(ip) != nil {
-		return ip
-	}
-
-	return ""
-}
-
 // Run external commands with stdio/stderr attached.
 func run(name string, args ...string) error {
 	cmd := exec.Command(name, args...)
--- a/license.py
+++ b/license.py
@@ -0,0 +1,115 @@
+import os
+import sys
+
+# --- Configuration ---
+# The header text to be added to the files.
+HEADER_TEXT = """/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+"""
+
+def should_add_header(file_path):
+    """
+    Checks if a file should receive the commercial license header.
+    Returns True if 'private' is in the path or file content.
+    """
+    # Check if 'private' is in the file path (case-insensitive)
+    if 'server/private' in file_path.lower():
+        return True
+
+    # Check if 'private' is in the file content (case-insensitive)
+    # try:
+    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
+    #         content = f.read()
+    #         if 'private' in content.lower():
+    #             return True
+    # except Exception as e:
+    #     print(f"Could not read file {file_path}: {e}")
+
+    return False
+
+def process_directory(root_dir):
+    """
+    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
+    skipping any 'node_modules' directories.
+    """
+    print(f"Scanning directory: {root_dir}")
+    files_processed = 0
+    headers_added = 0
+
+    for root, dirs, files in os.walk(root_dir):
+        # --- MODIFICATION ---
+        # Exclude 'node_modules' directories from the scan to improve performance.
+        if 'node_modules' in dirs:
+            dirs.remove('node_modules')
+
+        for file in files:
+            if file.endswith('.ts') or file.endswith('.tsx'):
+                file_path = os.path.join(root, file)
+                files_processed += 1
+
+                try:
+                    with open(file_path, 'r+', encoding='utf-8') as f:
+                        original_content = f.read()
+                        has_header = original_content.startswith(HEADER_TEXT.strip())
+                        
+                        if should_add_header(file_path):
+                            # Add header only if it's not already there
+                            if not has_header:
+                                f.seek(0, 0) # Go to the beginning of the file
+                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
+                                print(f"Added header to: {file_path}")
+                                headers_added += 1
+                            else:
+                                print(f"Header already exists in: {file_path}")
+                        else:
+                            # Remove header if it exists but shouldn't be there
+                            if has_header:
+                                # Find the end of the header and remove it (including following newlines)
+                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
+                                if original_content.startswith(header_with_newlines):
+                                    content_without_header = original_content[len(header_with_newlines):]
+                                else:
+                                    # Handle case where there might be different newline patterns
+                                    header_end = len(HEADER_TEXT.strip())
+                                    # Skip any newlines after the header
+                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
+                                        header_end += 1
+                                    content_without_header = original_content[header_end:]
+                                
+                                f.seek(0)
+                                f.write(content_without_header)
+                                f.truncate()
+                                print(f"Removed header from: {file_path}")
+                                headers_added += 1  # Reusing counter for modifications
+
+                except Exception as e:
+                    print(f"Error processing file {file_path}: {e}")
+
+    print("\n--- Scan Complete ---")
+    print(f"Total .ts or .tsx files found: {files_processed}")
+    print(f"Files modified (headers added/removed): {headers_added}")
+
+
+if __name__ == "__main__":
+    # Get the target directory from the command line arguments.
+    # If no directory is provided, it uses the current directory ('.').
+    if len(sys.argv) > 1:
+        target_directory = sys.argv[1]
+    else:
+        target_directory = '.' # Default to current directory
+
+    if not os.path.isdir(target_directory):
+        print(f"Error: Directory '{target_directory}' not found.")
+        sys.exit(1)
+
+    process_directory(os.path.abspath(target_directory))
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -148,6 +148,11 @@
    "createLink": "Създаване на връзка",
    "resourcesNotFound": "Не са намерени ресурси",
    "resourceSearch": "Търсене на ресурси",
+    "machineSearch": "Търсене на машини",
+    "machinesSearch": "Търсене на клиенти на машини...",
+    "machineNotFound": "Не са намерени машини",
+    "userDeviceSearch": "Търсене на устройства на потребителя",
+    "userDevicesSearch": "Търсене на устройства на потребителя...",
    "openMenu": "Отваряне на менюто",
    "resource": "Ресурс",
    "title": "Заглавие",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Прокси заявки чрез HTTPS, използвайки напълно квалифицирано име на домейн.",
    "resourceRaw": "Суров TCP/UDP ресурс",
    "resourceRawDescription": "Прокси заявки чрез сурови TCP/UDP, използвайки порт номер.",
-    "resourceRawDescriptionCloud": "Прокси заявките през суров TCP/UDP, използвайки номер на порт. ИЗИСКВА ИЗПОЛЗВАНЕ НА ОТДАЛЕЧЕН УЗЕЛ.",
+    "resourceRawDescriptionCloud": "Получавайте заявки чрез суров TCP/UDP с използване на портен номер. Изисква се сайтовете да се свързват към отдалечен възел.",
    "resourceCreate": "Създайте ресурс",
    "resourceCreateDescription": "Следвайте стъпките по-долу, за да създадете нов ресурс",
    "resourceSeeAll": "Вижте всички ресурси",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Изтрийте API ключа",
    "apiKeysManage": "Управление на API ключове",
    "apiKeysDescription": "API ключове се използват за удостоверяване с интеграционния API",
+    "provisioningKeysTitle": "Ключ за осигуряване",
+    "provisioningKeysManage": "Управление на ключове за осигуряване",
+    "provisioningKeysDescription": "Ключовете за осигуряване се използват за удостоверяване на автоматичното осигуряване на сайта за вашата организация.",
+    "provisioningManage": "Осигуряване",
+    "provisioningDescription": "Управление на ключовете за осигуряване и преглед на чаканещите сайтове за одобрение.",
+    "pendingSites": "Чаканещи сайтове",
+    "siteApproveSuccess": "Сайтът е одобрен успешно",
+    "siteApproveError": "Грешка при одобряването на сайта",
+    "provisioningKeys": "Ключове за осигуряване",
+    "searchProvisioningKeys": "Търсене на ключове за осигуряване...",
+    "provisioningKeysAdd": "Генериране на ключ за осигуряване",
+    "provisioningKeysErrorDelete": "Грешка при изтриване на ключ за осигуряване",
+    "provisioningKeysErrorDeleteMessage": "Грешка при изтриване на ключ за осигуряване",
+    "provisioningKeysQuestionRemove": "Сигурни ли сте, че искате да премахнете този ключ за осигуряване от организацията?",
+    "provisioningKeysMessageRemove": "След като бъде премахнат, ключът няма да бъде използван за осигуряване на сайтове.",
+    "provisioningKeysDeleteConfirm": "Потвърдете изтриването на ключ за осигуряване",
+    "provisioningKeysDelete": "Изтриване на ключ за осигуряване",
+    "provisioningKeysCreate": "Генериране на ключ за осигуряване",
+    "provisioningKeysCreateDescription": "Генерирайте нов ключ за осигуряване за организацията",
+    "provisioningKeysSeeAll": "Вижте всички ключове за осигуряване",
+    "provisioningKeysSave": "Запазете ключа за осигуряване",
+    "provisioningKeysSaveDescription": "Ще можете да видите това само веднъж. Копирайте го на сигурно място.",
+    "provisioningKeysErrorCreate": "Грешка при създаване на ключ за осигуряване",
+    "provisioningKeysList": "Нов ключ за осигуряване",
+    "provisioningKeysMaxBatchSize": "Максимален размер на пакет",
+    "provisioningKeysUnlimitedBatchSize": "Неограничен размер на партида (без лимит)",
+    "provisioningKeysMaxBatchUnlimited": "Неограничено",
+    "provisioningKeysMaxBatchSizeInvalid": "Въведете валиден максимален размер на партида (1–1,000,000).",
+    "provisioningKeysValidUntil": "Валиден до",
+    "provisioningKeysValidUntilHint": "Оставете празно за неограничено валидност.",
+    "provisioningKeysValidUntilInvalid": "Въведете валидна дата и час.",
+    "provisioningKeysNumUsed": "Брой използвания",
+    "provisioningKeysLastUsed": "Последно използван",
+    "provisioningKeysNoExpiry": "Без изтичане",
+    "provisioningKeysNeverUsed": "Никога",
+    "provisioningKeysEdit": "Редактиране на ключ за осигуряване",
+    "provisioningKeysEditDescription": "Актуализирайте максималния размер на партида и времето на изтичане за този ключ.",
+    "provisioningKeysApproveNewSites": "Одобрете нови сайтове",
+    "provisioningKeysApproveNewSitesDescription": "Автоматично одобряване на сайтове, които се регистрират с този ключ.",
+    "provisioningKeysUpdateError": "Грешка при актуализирането на ключа за осигуряване",
+    "provisioningKeysUpdated": "Ключът за осигуряване е актуализиран",
+    "provisioningKeysUpdatedDescription": "Вашите промени бяха запазени.",
+    "provisioningKeysBannerTitle": "Ключове за осигуряване на сайта",
+    "provisioningKeysBannerDescription": "Генерирайте ключ за осигуряване и го използвайте с Newt конектора за автоматично създаване на сайтове при първото стартиране — няма нужда от създаване на отделни идентификационни данни за всеки сайт.",
+    "provisioningKeysBannerButtonText": "Научете повече",
+    "pendingSitesBannerTitle": "Чакащи сайтове",
+    "pendingSitesBannerDescription": "Сайтовете, които се свързват чрез ключ за осигуряване, се появяват тук за преглед. Одобрете всеки сайт, преди да стане активен и да получи достъп до вашите ресурси.",
+    "pendingSitesBannerButtonText": "Научете повече",
    "apiKeysSettings": "Настройки на {apiKeyName}",
    "userTitle": "Управление на всички потребители",
    "userDescription": "Преглед и управление на всички потребители в системата",
@@ -509,9 +562,12 @@
    "userSaved": "Потребителят е запазен",
    "userSavedDescription": "Потребителят беше актуализиран.",
    "autoProvisioned": "Автоматично предоставено",
+    "autoProvisionSettings": "Настройки за автоматично осигуряване",
    "autoProvisionedDescription": "Позволете този потребител да бъде автоматично управляван от доставчик на идентификационни данни",
    "accessControlsDescription": "Управлявайте какво може да достъпва и прави този потребител в организацията",
    "accessControlsSubmit": "Запазване на контролите за достъп",
+    "singleRolePerUserPlanNotice": "Вашият план поддържа само една роля на потребител.",
+    "singleRolePerUserEditionNotice": "Това издание поддържа само една роля на потребител.",
    "roles": "Роли",
    "accessUsersRoles": "Управление на потребители и роли",
    "accessUsersRolesDescription": "Поканете потребители и ги добавете към роли, за да управлявате достъпа до организацията",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Въведете конфигурационния токен от сървърната конзола.",
    "setupTokenRequired": "Необходим е конфигурационен токен",
    "actionUpdateSite": "Актуализиране на сайт",
+    "actionResetSiteBandwidth": "Нулиране на честотната лента на организацията",
    "actionListSiteRoles": "Изброяване на позволените роли за сайта",
    "actionCreateResource": "Създаване на ресурс",
    "actionDeleteResource": "Изтриване на ресурс",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Изтрийте потребител",
    "actionListUsers": "Изброяване на потребители",
    "actionAddUserRole": "Добавяне на роля на потребител",
+    "actionSetUserOrgRoles": "Задайте роли на потребители",
    "actionGenerateAccessToken": "Генериране на токен за достъп",
    "actionDeleteAccessToken": "Изтриване на токен за достъп",
    "actionListAccessTokens": "Изброяване на токени за достъп",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Роли",
    "sidebarShareableLinks": "Връзки",
    "sidebarApiKeys": "API ключове",
+    "sidebarProvisioning": "Осигуряване",
    "sidebarSettings": "Настройки",
    "sidebarAllUsers": "Всички потребители",
    "sidebarIdentityProviders": "Идентификационни доставчици",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Име на пространство: {namespace}",
    "domainPickerShowMore": "Покажи повече",
    "regionSelectorTitle": "Избор на регион",
+    "domainPickerRemoteExitNodeWarning": "Предоставените домейни не се поддържат, когато сайтовете се свързват към отдалечени крайни възли. За да бъдат ресурсите налични на отдалечени възли, използвайте персонализиран домейн вместо това.",
    "regionSelectorInfo": "Изборът на регион ни помага да предоставим по-добра производителност за вашето местоположение. Не е необходимо да сте в същия регион като сървъра.",
    "regionSelectorPlaceholder": "Изберете регион",
    "regionSelectorComingSoon": "Очаква се скоро",
@@ -1888,6 +1948,40 @@
    "exitNode": "Изходен възел",
    "country": "Държава",
    "rulesMatchCountry": "Понастоящем на базата на изходния IP",
+    "region": "Регион",
+    "selectRegion": "Изберете регион",
+    "searchRegions": "Търсене на региони...",
+    "noRegionFound": "Регионът не е намерен.",
+    "rulesMatchRegion": "Изберете регионална групировка на държави",
+    "rulesErrorInvalidRegion": "Невалиден регион",
+    "rulesErrorInvalidRegionDescription": "Моля, изберете валиден регион.",
+    "regionAfrica": "Африка",
+    "regionNorthernAfrica": "Северна Африка",
+    "regionEasternAfrica": "Източна Африка",
+    "regionMiddleAfrica": "Централна Африка",
+    "regionSouthernAfrica": "Южна Африка",
+    "regionWesternAfrica": "Западна Африка",
+    "regionAmericas": "Америките",
+    "regionCaribbean": "Карибите",
+    "regionCentralAmerica": "Централна Америка",
+    "regionSouthAmerica": "Южна Америка",
+    "regionNorthernAmerica": "Северна Америка",
+    "regionAsia": "Азия",
+    "regionCentralAsia": "Централна Азия",
+    "regionEasternAsia": "Източна Азия",
+    "regionSouthEasternAsia": "Югоизточна Азия",
+    "regionSouthernAsia": "Южна Азия",
+    "regionWesternAsia": "Западна Азия",
+    "regionEurope": "Европа",
+    "regionEasternEurope": "Източна Европа",
+    "regionNorthernEurope": "Северна Европа",
+    "regionSouthernEurope": "Южна Европа",
+    "regionWesternEurope": "Западна Европа",
+    "regionOceania": "Океания",
+    "regionAustraliaAndNewZealand": "Австралия и Нова Зеландия",
+    "regionMelanesia": "Меланезия",
+    "regionMicronesia": "Микронезия",
+    "regionPolynesia": "Полинезия",
    "managedSelfHosted": {
        "title": "Управлявано Самостоятелно-хоствано",
        "description": "По-надежден и по-нисък поддръжка на Самостоятелно-хостван Панголиин сървър с допълнителни екстри",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Невалидна стойност",
    "idpTypeLabel": "Тип на доставчика на идентичност",
    "roleMappingExpressionPlaceholder": "напр.: contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Фиксирани роли",
+    "roleMappingModeMappingBuilder": "Строител на карти",
+    "roleMappingModeRawExpression": "Необработено израз",
+    "roleMappingFixedRolesPlaceholderSelect": "Изберете една или повече роли",
+    "roleMappingFixedRolesPlaceholderFreeform": "Въведете имена на роли (точно съвпадение на организацията)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Присвойте същият набор от роли на всеки автоматично осигурен потребител.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "За стандартните политики въведете имена на роли, които съществуват във всяка организация, където е осигурен потребител. Имената трябва да съвпадат точно.",
+    "roleMappingClaimPath": "Път на иск",
+    "roleMappingClaimPathPlaceholder": "групи",
+    "roleMappingClaimPathDescription": "Път в съдържанието на маркера, който съдържа изходни стойности (например групи).",
+    "roleMappingMatchValue": "Съвпадение на стойност",
+    "roleMappingAssignRoles": "Присвояване на роли",
+    "roleMappingAddMappingRule": "Добавяне на правило за картироване",
+    "roleMappingRawExpressionResultDescription": "Изразът трябва да бъде оценен на низ или масив от низове.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Изразът трябва да бъде оценен на низ (едно име на роля).",
+    "roleMappingMatchValuePlaceholder": "Съвпадение на стойност (например: администратор)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Въведете имена на роли (точно по организация)",
+    "roleMappingBuilderFreeformRowHint": "Имената на ролите трябва да съвпадат с роля във всяка целева организация.",
+    "roleMappingRemoveRule": "Премахни",
    "idpGoogleConfiguration": "Конфигурация на Google",
    "idpGoogleConfigurationDescription": "Конфигурирайте Google OAuth2 идентификационни данни",
    "idpGoogleClientIdDescription": "Google OAuth2 идентификационен клиент",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Колко дълго да се задържат логовете за достъп",
    "logRetentionActionLabel": "Задържане на логове за действия",
    "logRetentionActionDescription": "Колко дълго да се задържат логовете за действия",
+    "logRetentionConnectionLabel": "Запазване на дневниците на връзките",
+    "logRetentionConnectionDescription": "Колко дълго да се съхраняват дневниците на връзките",
    "logRetentionDisabled": "Деактивирано",
    "logRetention3Days": "3 дни",
    "logRetention7Days": "7 дни",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Край на следващата година",
    "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
    "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
-    "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "Необходимо е <enterpriseEditionLink>изданието Enterprise</enterpriseEditionLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Логове на връзката",
+    "connectionLogsDescription": "Вижте логовете на връзките за тунелите в тази организация",
+    "sidebarLogsConnection": "Логове на връзката",
+    "sidebarLogsStreaming": "Потоци",
+    "sourceAddress": "Източен адрес",
+    "destinationAddress": "Адрес на дестинация",
+    "duration": "Продължителност",
+    "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> за използване на тази функция. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> е необходим за използване на тази функция. Тази функция също е налична в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
    "certResolver": "Решавач на сертификати",
    "certResolverDescription": "Изберете решавач на сертификати за използване за този ресурс.",
    "selectCertResolver": "Изберете решавач на сертификати",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Активирайте одобрения на устройства",
    "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
    "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
-    "approvalsEmptyStateButtonText": "Управлявайте роли"
+    "approvalsEmptyStateButtonText": "Управлявайте роли",
+    "domainErrorTitle": "Имаме проблем с проверката на вашия домейн",
+    "idpAdminAutoProvisionPoliciesTabHint": "Конфигурирайте картографирането на ролите и организационните политики на раздела <policiesTabLink>Настройки за автоматично осигуряване</policiesTabLink>.",
+    "streamingTitle": "Събитийни потоци",
+    "streamingDescription": "Предавайте събития от вашата организация до външни дестинации в реално време.",
+    "streamingUnnamedDestination": "Неименувана дестинация",
+    "streamingNoUrlConfigured": "Не е конфигуриран URL",
+    "streamingAddDestination": "Добавяне на дестинация",
+    "streamingHttpWebhookTitle": "HTTP Уеб хук",
+    "streamingHttpWebhookDescription": "Изпратете събития до всяка HTTP крайна точка с гъвкаво удостоверяване и шаблониране.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Предавайте събития на хранилище, съвместимо с S3. Очаквайте скоро.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Пресочвайте събития директно към вашият акаунт в Datadog. Очаквайте скоро.",
+    "streamingTypePickerDescription": "Изберете вид на дестинацията, за да започнете.",
+    "streamingFailedToLoad": "Неуспешно зареждане на дестинации",
+    "streamingUnexpectedError": "Възникна неочаквана грешка.",
+    "streamingFailedToUpdate": "Неуспешно актуализиране на дестинация",
+    "streamingDeletedSuccess": "Дестинацията беше изтрита успешно",
+    "streamingFailedToDelete": "Неуспешно изтриване на дестинацията",
+    "streamingDeleteTitle": "Изтриване на дестинация",
+    "streamingDeleteButtonText": "Изтриване на дестинация",
+    "streamingDeleteDialogAreYouSure": "Сигурни ли сте, че искате да изтриете",
+    "streamingDeleteDialogThisDestination": "тази дестинация",
+    "streamingDeleteDialogPermanentlyRemoved": "? Всички конфигурации ще бъдат премахнати завинаги.",
+    "httpDestEditTitle": "Редактиране на дестинация",
+    "httpDestAddTitle": "Добавяне на HTTP дестинация",
+    "httpDestEditDescription": "Актуализирайте конфигурацията за този HTTP събитий.",
+    "httpDestAddDescription": "Конфигурирайте нов HTTP крайна точка, за да получавате събития на вашата организация.",
+    "httpDestTabSettings": "Настройки",
+    "httpDestTabHeaders": "Заглавки",
+    "httpDestTabBody": "Тяло",
+    "httpDestTabLogs": "Логове",
+    "httpDestNamePlaceholder": "Моята HTTP дестинация",
+    "httpDestUrlLabel": "Дестинация URL",
+    "httpDestUrlErrorHttpRequired": "URL адресът трябва да използва http или https",
+    "httpDestUrlErrorHttpsRequired": "SSL е необходимо за облачни инсталации",
+    "httpDestUrlErrorInvalid": "Въведете валиден URL (напр. https://example.com/webhook)",
+    "httpDestAuthTitle": "Удостоверяване",
+    "httpDestAuthDescription": "Изберете как заявленията ви се удостоверяват.",
+    "httpDestAuthNoneTitle": "Без удостоверяване",
+    "httpDestAuthNoneDescription": "Изпращане на заявки без заглавие за удостоверяване.",
+    "httpDestAuthBearerTitle": "Bearer Токен",
+    "httpDestAuthBearerDescription": "Добавя заглавие за удостоверяване Bearer <token> към всяка заявка.",
+    "httpDestAuthBearerPlaceholder": "Вашият API ключ или токен",
+    "httpDestAuthBasicTitle": "Основно удостоверяване",
+    "httpDestAuthBasicDescription": "Добавя заглавие за удостоверяване Basic <credentials> към всяка заявка. Осигурете идентификационни данни като потребителско име:парола.",
+    "httpDestAuthBasicPlaceholder": "потребителско име:парола",
+    "httpDestAuthCustomTitle": "Персонализирано заглавие",
+    "httpDestAuthCustomDescription": "Посочете персонализирано име и стойност на заглавието за удостоверяване (например X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Имя на заглавието (напр. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Стойност на заглавието",
+    "httpDestCustomHeadersTitle": "Персонализирани заглавия за HTTP",
+    "httpDestCustomHeadersDescription": "Добавяне на персонализирани заглавия към всяка изходяща заявка. Полезно за статични токени или персонални Content-Type. По подразбиране се изпраща Content-Type: application/json.",
+    "httpDestNoHeadersConfigured": "Персонализирани заглавия не са конфигурирани. Кликнете \"Добавяне на заглавие\" да добавите такова.",
+    "httpDestHeaderNamePlaceholder": "Име на заглавието",
+    "httpDestHeaderValuePlaceholder": "Стойност на заглавието",
+    "httpDestAddHeader": "Добавяне на заглавие",
+    "httpDestBodyTemplateTitle": "Шаблон на персонализирано тяло",
+    "httpDestBodyTemplateDescription": "Управлявайте структурата на JSON съобщението, изпратено до вашата крайна точка. Ако е деактивирано, по подразбиране се изпраща JSON обект за всяко събитие.",
+    "httpDestEnableBodyTemplate": "Активиране на персонализиран шаблон на тяло",
+    "httpDestBodyTemplateLabel": "Шаблон за тяло (JSON)",
+    "httpDestBodyTemplateHint": "Използвайте шаблонни променливи за позоваване на полетата на събитията в съобщението си.",
+    "httpDestPayloadFormatTitle": "Формат на полезния товар",
+    "httpDestPayloadFormatDescription": "Как се сериализират събитията във всеки заявка.",
+    "httpDestFormatJsonArrayTitle": "JSON масив",
+    "httpDestFormatJsonArrayDescription": "Една заявка на партида, тялото е JSON масив. Съвместим с повечето общи уеб куки и Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Една заявка на партида, тялото е ново линии отделени JSON — един обект на ред, няма външен масив. Изисквано от Splunk HEC, Elastic / OpenSearch и Grafana.",
+    "httpDestFormatSingleTitle": "Едно събитие на заявка",
+    "httpDestFormatSingleDescription": "Изпращат се отделни HTTP POST за всяко индивидуално събитие. Използвайте само за крайни точки, които не могат да обработват партиди.",
+    "httpDestLogTypesTitle": "Видове логове",
+    "httpDestLogTypesDescription": "Изберете кои видове журнални записи ще се предават към тази дестинация. Предаването ще се прави само за активирани видове журнални записи.",
+    "httpDestAccessLogsTitle": "Логове за достъп",
+    "httpDestAccessLogsDescription": "Опити за достъп до ресурс, включително удостоверени и отказани заявки.",
+    "httpDestActionLogsTitle": "Логове на действия",
+    "httpDestActionLogsDescription": "Административни действия, извършени от потребители в организацията.",
+    "httpDestConnectionLogsTitle": "Логове на връзката",
+    "httpDestConnectionLogsDescription": "Събития на свързване и прекъсване на сайта и тунела, включително свръзки и прекъсвания.",
+    "httpDestRequestLogsTitle": "Заявки за логове",
+    "httpDestRequestLogsDescription": "Регистри за HTTP заявките към проксирани ресурси, включително метод, път и код на отговор.",
+    "httpDestSaveChanges": "Запази промените",
+    "httpDestCreateDestination": "Създаване на дестинация",
+    "httpDestUpdatedSuccess": "Дестинацията беше актуализирана успешно",
+    "httpDestCreatedSuccess": "Дестинацията беше създадена успешно",
+    "httpDestUpdateFailed": "Неуспешно актуализиране на дестинацията",
+    "httpDestCreateFailed": "Неуспешно създаване на дестинацията"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -148,6 +148,11 @@
    "createLink": "Vytvořit odkaz",
    "resourcesNotFound": "Nebyly nalezeny žádné zdroje",
    "resourceSearch": "Vyhledat zdroje",
+    "machineSearch": "Vyhledávací stroje",
+    "machinesSearch": "Hledat klienty stroje...",
+    "machineNotFound": "Nebyly nalezeny žádné stroje",
+    "userDeviceSearch": "Hledat uživatelská zařízení",
+    "userDevicesSearch": "Hledat uživatelská zařízení...",
    "openMenu": "Otevřít nabídku",
    "resource": "Zdroj",
    "title": "Název",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxy požadavky přes HTTPS pomocí plně kvalifikovaného názvu domény.",
    "resourceRaw": "Surový TCP/UDP zdroj",
    "resourceRawDescription": "Proxy požadavky přes nezpracovaný TCP/UDP pomocí čísla portu.",
-    "resourceRawDescriptionCloud": "Požadavky na proxy přes syrové TCP/UDP pomocí portového čísla. ŽÁDOSTI POUŽÍVAT POUŽITÍ Z REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy požadavky na syrové TCP/UDP pomocí čísla portu. Vyžaduje připojení stránek ke vzdálenému uzlu.",
    "resourceCreate": "Vytvořit zdroj",
    "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
    "resourceSeeAll": "Zobrazit všechny zdroje",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Odstranit klíč API",
    "apiKeysManage": "Správa API klíčů",
    "apiKeysDescription": "API klíče se používají k ověření s integračním API",
+    "provisioningKeysTitle": "Zajišťovací klíč",
+    "provisioningKeysManage": "Spravovat zajišťovací klíče",
+    "provisioningKeysDescription": "Zajišťovací klíče slouží k ověření automatického poskytování služeb vaší organizaci.",
+    "provisioningManage": "Zajištění",
+    "provisioningDescription": "Spravovat klíče pro nastavení a zkontrolovat čekající stránky čekající na schválení.",
+    "pendingSites": "Nevyřízené weby",
+    "siteApproveSuccess": "Web byl úspěšně schválen",
+    "siteApproveError": "Chyba při schvalování webu",
+    "provisioningKeys": "Poskytovací klíče",
+    "searchProvisioningKeys": "Hledat klíče k zajišťování...",
+    "provisioningKeysAdd": "Generovat zajišťovací klíč",
+    "provisioningKeysErrorDelete": "Chyba při odstraňování klíče pro úpravu",
+    "provisioningKeysErrorDeleteMessage": "Chyba při odstraňování klíče pro úpravu",
+    "provisioningKeysQuestionRemove": "Jste si jisti, že chcete odstranit tento konfigurační klíč z organizace?",
+    "provisioningKeysMessageRemove": "Jakmile je klíč odstraněn, nelze již použít pro poskytování služeb.",
+    "provisioningKeysDeleteConfirm": "Potvrdit odstranění zajišťovacího klíče",
+    "provisioningKeysDelete": "Odstranit zajišťovací klíč",
+    "provisioningKeysCreate": "Generovat zajišťovací klíč",
+    "provisioningKeysCreateDescription": "Vygenerovat nový klíč pro organizaci",
+    "provisioningKeysSeeAll": "Zobrazit všechny doplňovací klíče",
+    "provisioningKeysSave": "Uložit konfigurační klíč",
+    "provisioningKeysSaveDescription": "Toto můžete vidět pouze jednou. Zkopírujte ho na bezpečné místo.",
+    "provisioningKeysErrorCreate": "Chyba při vytváření doplňovacího klíče",
+    "provisioningKeysList": "Nový klíč pro poskytování informací",
+    "provisioningKeysMaxBatchSize": "Maximální velikost dávky",
+    "provisioningKeysUnlimitedBatchSize": "Neomezená velikost šarže (bez omezení)",
+    "provisioningKeysMaxBatchUnlimited": "Bez omezení",
+    "provisioningKeysMaxBatchSizeInvalid": "Zadejte platnou maximální velikost šarže (1–1,000,000).",
+    "provisioningKeysValidUntil": "Platné do",
+    "provisioningKeysValidUntilHint": "Ponechte prázdné, pokud vyprší platnost.",
+    "provisioningKeysValidUntilInvalid": "Zadejte platné datum a čas.",
+    "provisioningKeysNumUsed": "Časy použití",
+    "provisioningKeysLastUsed": "Naposledy použito",
+    "provisioningKeysNoExpiry": "Bez vypršení platnosti",
+    "provisioningKeysNeverUsed": "Nikdy",
+    "provisioningKeysEdit": "Upravit zajišťovací klíč",
+    "provisioningKeysEditDescription": "Aktualizujte maximální velikost dávky a dobu vypršení platnosti tohoto klíče.",
+    "provisioningKeysApproveNewSites": "Schválit nové stránky",
+    "provisioningKeysApproveNewSitesDescription": "Automaticky schvalovat weby, které se registrují pomocí tohoto klíče.",
+    "provisioningKeysUpdateError": "Chyba při aktualizaci klíče",
+    "provisioningKeysUpdated": "Zajišťovací klíč byl aktualizován",
+    "provisioningKeysUpdatedDescription": "Vaše změny byly uloženy.",
+    "provisioningKeysBannerTitle": "Klíče pro poskytování webu",
+    "provisioningKeysBannerDescription": "Vygenerujte konfigurační klíč a používejte jej pomocí nového konektoru k automatickému vytváření stránek při prvním startu – není třeba nastavovat samostatné přihlašovací údaje pro každý web.",
+    "provisioningKeysBannerButtonText": "Zjistit více",
+    "pendingSitesBannerTitle": "Nevyřízené weby",
+    "pendingSitesBannerDescription": "Zde se zobrazují stránky, které se připojují pomocí doplňovacího klíče. Schválte každý web předtím, než bude aktivní, a získejte přístup k vašim zdrojům.",
+    "pendingSitesBannerButtonText": "Zjistit více",
    "apiKeysSettings": "Nastavení {apiKeyName}",
    "userTitle": "Spravovat všechny uživatele",
    "userDescription": "Zobrazit a spravovat všechny uživatele v systému",
@@ -509,9 +562,12 @@
    "userSaved": "Uživatel uložen",
    "userSavedDescription": "Uživatel byl aktualizován.",
    "autoProvisioned": "Automaticky poskytnuto",
+    "autoProvisionSettings": "Automatická nastavení",
    "autoProvisionedDescription": "Povolit tomuto uživateli automaticky spravovat poskytovatel identity",
    "accessControlsDescription": "Spravovat co může tento uživatel přistupovat a dělat v organizaci",
    "accessControlsSubmit": "Uložit kontroly přístupu",
+    "singleRolePerUserPlanNotice": "Váš plán podporuje pouze jednu roli na uživatele.",
+    "singleRolePerUserEditionNotice": "Tato verze podporuje pouze jednu roli na uživatele.",
    "roles": "Role",
    "accessUsersRoles": "Spravovat uživatele a role",
    "accessUsersRolesDescription": "Pozvěte uživatele a přidejte je do rolí pro správu přístupu k organizaci",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Zadejte nastavovací token z konzole serveru.",
    "setupTokenRequired": "Je vyžadován token nastavení",
    "actionUpdateSite": "Aktualizovat stránku",
+    "actionResetSiteBandwidth": "Resetovat šířku pásma organizace",
    "actionListSiteRoles": "Seznam povolených rolí webu",
    "actionCreateResource": "Vytvořit zdroj",
    "actionDeleteResource": "Odstranit dokument",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Odstranit uživatele",
    "actionListUsers": "Seznam uživatelů",
    "actionAddUserRole": "Přidat uživatelskou roli",
+    "actionSetUserOrgRoles": "Nastavit uživatelské role",
    "actionGenerateAccessToken": "Generovat přístupový token",
    "actionDeleteAccessToken": "Odstranit přístupový token",
    "actionListAccessTokens": "Seznam přístupových tokenů",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Role",
    "sidebarShareableLinks": "Odkazy",
    "sidebarApiKeys": "API klíče",
+    "sidebarProvisioning": "Zajištění",
    "sidebarSettings": "Nastavení",
    "sidebarAllUsers": "Všichni uživatelé",
    "sidebarIdentityProviders": "Poskytovatelé identity",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Jmenný prostor: {namespace}",
    "domainPickerShowMore": "Zobrazit více",
    "regionSelectorTitle": "Vybrat region",
+    "domainPickerRemoteExitNodeWarning": "Poskytnuté domény nejsou podporovány, když se stránky připojují k vzdáleným výstupním uzlům. Pro dostupné zdroje na vzdálených uzlech použijte vlastní doménu.",
    "regionSelectorInfo": "Výběr regionu nám pomáhá poskytovat lepší výkon pro vaši polohu. Nemusíte být ve stejném regionu jako váš server.",
    "regionSelectorPlaceholder": "Vyberte region",
    "regionSelectorComingSoon": "Již brzy",
@@ -1888,6 +1948,40 @@
    "exitNode": "Ukončit uzel",
    "country": "L 343, 22.12.2009, s. 1).",
    "rulesMatchCountry": "Aktuálně založené na zdrojové IP adrese",
+    "region": "Oblasti",
+    "selectRegion": "Vyberte region",
+    "searchRegions": "Hledat regiony...",
+    "noRegionFound": "Nebyl nalezen žádný region.",
+    "rulesMatchRegion": "Vyberte regionální seskupení zemí",
+    "rulesErrorInvalidRegion": "Neplatný region",
+    "rulesErrorInvalidRegionDescription": "Vyberte prosím platný region.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Severní Afrika",
+    "regionEasternAfrica": "Východní Afrika",
+    "regionMiddleAfrica": "Střední Afrika",
+    "regionSouthernAfrica": "Jižní Afrika",
+    "regionWesternAfrica": "Západní Afrika",
+    "regionAmericas": "Ameriky",
+    "regionCaribbean": "Karibské",
+    "regionCentralAmerica": "Střední Amerika",
+    "regionSouthAmerica": "Jižní Amerika",
+    "regionNorthernAmerica": "Severní Amerika",
+    "regionAsia": "Asie",
+    "regionCentralAsia": "Střední Asie",
+    "regionEasternAsia": "Východní Asie",
+    "regionSouthEasternAsia": "jihovýchodní Asie",
+    "regionSouthernAsia": "Jižní Asie",
+    "regionWesternAsia": "Západní Asie",
+    "regionEurope": "L 347, 20.12.2013, s. 965).",
+    "regionEasternEurope": "Východní Evropa",
+    "regionNorthernEurope": "Severní Evropa",
+    "regionSouthernEurope": "Jižní Evropa",
+    "regionWesternEurope": "Západní Evropa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Austrálie a Nový Zéland",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Spravované vlastní hostování",
        "description": "Spolehlivější a nízko udržovaný Pangolinův server s dalšími zvony a bičkami",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Neplatná hodnota",
    "idpTypeLabel": "Typ poskytovatele identity",
    "roleMappingExpressionPlaceholder": "např. obsahuje(skupiny, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Pevné role",
+    "roleMappingModeMappingBuilder": "Tvorba mapování",
+    "roleMappingModeRawExpression": "Surový výraz",
+    "roleMappingFixedRolesPlaceholderSelect": "Vyberte jednu nebo více rolí",
+    "roleMappingFixedRolesPlaceholderFreeform": "Napište názvy rolí (shoda podle organizace)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Přiřadit stejnou roli nastavenou každému uživateli automatického poskytování.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Pro výchozí zásady zadejte názvy rolí, které existují v každé organizaci, kde jsou uživatelé poskytováni. Jména musí přesně odpovídat.",
+    "roleMappingClaimPath": "Cesta k žádosti",
+    "roleMappingClaimPathPlaceholder": "skupiny",
+    "roleMappingClaimPathDescription": "Cesta k užitečnému zatížení tokenu, která obsahuje zdrojové hodnoty (například skupiny).",
+    "roleMappingMatchValue": "Hodnota zápasu",
+    "roleMappingAssignRoles": "Přiřadit role",
+    "roleMappingAddMappingRule": "Přidat pravidlo pro mapování",
+    "roleMappingRawExpressionResultDescription": "Výraz se musí vyhodnotit do pole řetězce nebo řetězce.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Výraz musí být vyhodnocen na řetězec (jediný název role).",
+    "roleMappingMatchValuePlaceholder": "Hodnota zápasu (například: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Napište názvy rolí (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Názvy rolí musí odpovídat roli v každé cílové organizaci.",
+    "roleMappingRemoveRule": "Odstranit",
    "idpGoogleConfiguration": "Konfigurace Google",
    "idpGoogleConfigurationDescription": "Konfigurace přihlašovacích údajů Google OAuth2",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Jak dlouho uchovávat přístupové záznamy",
    "logRetentionActionLabel": "Uchovávání protokolu akcí",
    "logRetentionActionDescription": "Jak dlouho uchovávat záznamy akcí",
+    "logRetentionConnectionLabel": "Uchovávání protokolu připojení",
+    "logRetentionConnectionDescription": "Jak dlouho uchovávat protokoly připojení",
    "logRetentionDisabled": "Zakázáno",
    "logRetention3Days": "3 dny",
    "logRetention7Days": "7 dní",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Konec následujícího roku",
    "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
    "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
-    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Tato funkce je také dostupná v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Protokoly připojení",
+    "connectionLogsDescription": "Zobrazit protokoly připojení pro tunely v této organizaci",
+    "sidebarLogsConnection": "Protokoly připojení",
+    "sidebarLogsStreaming": "Streamování",
+    "sourceAddress": "Zdrojová adresa",
+    "destinationAddress": "Cílová adresa",
+    "duration": "Doba trvání",
+    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> nebo <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Rezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
    "certResolver": "Oddělovač certifikátů",
    "certResolverDescription": "Vyberte řešitele certifikátů pro tento dokument.",
    "selectCertResolver": "Vyberte řešič certifikátů",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Povolit schválení zařízení",
    "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
    "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
-    "approvalsEmptyStateButtonText": "Spravovat role"
+    "approvalsEmptyStateButtonText": "Spravovat role",
+    "domainErrorTitle": "Máme problém s ověřením tvé domény",
+    "idpAdminAutoProvisionPoliciesTabHint": "Nastavte pravidla mapování rolí a organizace na kartě <policiesTabLink>Automatická úprava nastavení</policiesTabLink>.",
+    "streamingTitle": "Streamování událostí",
+    "streamingDescription": "Streamujte události z vaší organizace do externích destinací v reálném čase.",
+    "streamingUnnamedDestination": "Nepojmenovaný cíl",
+    "streamingNoUrlConfigured": "Není nakonfigurována žádná URL",
+    "streamingAddDestination": "Přidat cíl",
+    "streamingHttpWebhookTitle": "HTTP webový háček",
+    "streamingHttpWebhookDescription": "Odeslat události na libovolný HTTP koncový bod s pružnou autentizací a šablonou.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Streamujte události do úložiště, které je kompatibilní se S3. Brzy přijde.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Přeposlat události přímo do vašeho účtu Datadog účtu. Brzy přijde.",
+    "streamingTypePickerDescription": "Vyberte cílový typ pro začátek.",
+    "streamingFailedToLoad": "Nepodařilo se načíst destinace",
+    "streamingUnexpectedError": "Došlo k neočekávané chybě.",
+    "streamingFailedToUpdate": "Nepodařilo se aktualizovat cíl",
+    "streamingDeletedSuccess": "Cíl byl úspěšně odstraněn",
+    "streamingFailedToDelete": "Nepodařilo se odstranit cíl",
+    "streamingDeleteTitle": "Odstranit cíl",
+    "streamingDeleteButtonText": "Odstranit cíl",
+    "streamingDeleteDialogAreYouSure": "Jste si jisti, že chcete odstranit",
+    "streamingDeleteDialogThisDestination": "tato destinace",
+    "streamingDeleteDialogPermanentlyRemoved": "? Všechny konfigurace budou trvale odstraněny.",
+    "httpDestEditTitle": "Upravit cíl",
+    "httpDestAddTitle": "Přidat cíl HTTP",
+    "httpDestEditDescription": "Aktualizovat konfiguraci pro tuto destinaci HTTP události",
+    "httpDestAddDescription": "Konfigurace nového koncového bodu HTTP pro příjem událostí vaší organizace.",
+    "httpDestTabSettings": "Nastavení",
+    "httpDestTabHeaders": "Záhlaví",
+    "httpDestTabBody": "Tělo",
+    "httpDestTabLogs": "Logy",
+    "httpDestNamePlaceholder": "Moje HTTP cíl",
+    "httpDestUrlLabel": "Cílová adresa URL",
+    "httpDestUrlErrorHttpRequired": "URL musí používat http nebo https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS je vyžadován při nasazení do cloudu",
+    "httpDestUrlErrorInvalid": "Zadejte platnou URL (např. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autentifikace",
+    "httpDestAuthDescription": "Zvolte, jak jsou požadavky na tvůj koncový bod ověřeny.",
+    "httpDestAuthNoneTitle": "Žádné ověření",
+    "httpDestAuthNoneDescription": "Odešle žádosti bez záhlaví autorizace.",
+    "httpDestAuthBearerTitle": "Token na doručitele",
+    "httpDestAuthBearerDescription": "Přidá autorizaci: Hlavička Bearer <token> ke každému požadavku.",
+    "httpDestAuthBearerPlaceholder": "Váš API klíč nebo token",
+    "httpDestAuthBasicTitle": "Základní ověření",
+    "httpDestAuthBasicDescription": "Přidá autorizaci: Základní <credentials> hlavička. Poskytněte přihlašovací údaje jako uživatelské jméno:password.",
+    "httpDestAuthBasicPlaceholder": "uživatelské jméno:heslo",
+    "httpDestAuthCustomTitle": "Vlastní záhlaví",
+    "httpDestAuthCustomDescription": "Zadejte název a hodnotu vlastního HTTP hlavičky pro ověření (např. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Název záhlaví (např. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Hodnota záhlaví",
+    "httpDestCustomHeadersTitle": "Vlastní HTTP hlavičky",
+    "httpDestCustomHeadersDescription": "Přidat vlastní hlavičky ke každému odchozímu požadavku. Užitečné pro statické tokeny nebo vlastní Typ obsahu. Ve výchozím nastavení je typ obsahu: application/json.",
+    "httpDestNoHeadersConfigured": "Nejsou nakonfigurovány žádné vlastní záhlaví. Pro přidání klikněte na \"Přidat záhlaví\".",
+    "httpDestHeaderNamePlaceholder": "Název záhlaví",
+    "httpDestHeaderValuePlaceholder": "Hodnota",
+    "httpDestAddHeader": "Přidat záhlaví",
+    "httpDestBodyTemplateTitle": "Vlastní šablona těla",
+    "httpDestBodyTemplateDescription": "Ovládá strukturu užitečného zatížení JSON odeslanou na váš koncový bod. Pokud je vypnuto, je pro každou událost zaslán výchozí objekt JSON.",
+    "httpDestEnableBodyTemplate": "Povolit vlastní šablonu těla",
+    "httpDestBodyTemplateLabel": "Šablona těla (JSON)",
+    "httpDestBodyTemplateHint": "Použijte šablonové proměnné pro referenční pole události ve vašem užitečném zatížení.",
+    "httpDestPayloadFormatTitle": "Formát datového zatížení",
+    "httpDestPayloadFormatDescription": "Jak jsou události serializovány v každém žádajícím subjektu.",
+    "httpDestFormatJsonArrayTitle": "JSON pole",
+    "httpDestFormatJsonArrayDescription": "Jeden požadavek na každou šarži, tělo je pole JSON. Kompatibilní s většinou generických webových háčků a Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Jeden požadavek na každou šarži, tělo je nově ohraničené JSON – jeden objekt na jednu čáru, bez vnějšího pole. Vyžaduje Splunk HEC, Elastic / OpenSearch, a Grafana Loki.",
+    "httpDestFormatSingleTitle": "Jedna událost na požadavek",
+    "httpDestFormatSingleDescription": "Odešle samostatnou HTTP POST pro každou jednotlivou událost. Používejte pouze pro koncové body, které nemohou zpracovávat dávky.",
+    "httpDestLogTypesTitle": "Typy protokolů",
+    "httpDestLogTypesDescription": "Vyberte, které typy logů jsou přesměrovány do této destinace. Budou streamovány pouze povolené typy logů.",
+    "httpDestAccessLogsTitle": "Protokoly přístupu",
+    "httpDestAccessLogsDescription": "Pokusy o přístup k dokumentům, včetně ověřených a zamítnutých požadavků.",
+    "httpDestActionLogsTitle": "Záznamy akcí",
+    "httpDestActionLogsDescription": "Správní opatření prováděná uživateli v rámci organizace.",
+    "httpDestConnectionLogsTitle": "Protokoly připojení",
+    "httpDestConnectionLogsDescription": "Události týkající se připojení lokality a tunelu, včetně připojení a odpojení.",
+    "httpDestRequestLogsTitle": "Záznamy požadavků",
+    "httpDestRequestLogsDescription": "HTTP záznamy požadavků pro proxy zdroje, včetně metod, cesty a kódu odpovědi.",
+    "httpDestSaveChanges": "Uložit změny",
+    "httpDestCreateDestination": "Vytvořit cíl",
+    "httpDestUpdatedSuccess": "Cíl byl úspěšně aktualizován",
+    "httpDestCreatedSuccess": "Cíl byl úspěšně vytvořen",
+    "httpDestUpdateFailed": "Nepodařilo se aktualizovat cíl",
+    "httpDestCreateFailed": "Nepodařilo se vytvořit cíl"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -148,6 +148,11 @@
    "createLink": "Link erstellen",
    "resourcesNotFound": "Keine Ressourcen gefunden",
    "resourceSearch": "Suche Ressourcen",
+    "machineSearch": "Maschinen suchen",
+    "machinesSearch": "Suche Maschinen-Klienten...",
+    "machineNotFound": "Keine Maschinen gefunden",
+    "userDeviceSearch": "Benutzergeräte durchsuchen",
+    "userDevicesSearch": "Benutzergeräte durchsuchen...",
    "openMenu": "Menü öffnen",
    "resource": "Ressource",
    "title": "Titel",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxy-Anfragen über HTTPS mit einem voll qualifizierten Domain-Namen.",
    "resourceRaw": "Direkte TCP/UDP Ressource (raw)",
    "resourceRawDescription": "Proxy-Anfragen über rohes TCP/UDP mit einer Portnummer.",
-    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit einer Portnummer. Erfordert die NUTZUNG eines REMOTE Knotens.",
+    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit Portnummer. Benötigt Sites, um sich mit einem entfernten Knoten zu verbinden.",
    "resourceCreate": "Ressource erstellen",
    "resourceCreateDescription": "Folgen Sie den Schritten unten, um eine neue Ressource zu erstellen",
    "resourceSeeAll": "Alle Ressourcen anzeigen",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "API-Schlüssel löschen",
    "apiKeysManage": "API-Schlüssel verwalten",
    "apiKeysDescription": "API-Schlüssel werden zur Authentifizierung mit der Integrations-API verwendet",
+    "provisioningKeysTitle": "Bereitstellungsschlüssel",
+    "provisioningKeysManage": "Bereitstellungsschlüssel verwalten",
+    "provisioningKeysDescription": "Bereitstellungsschlüssel werden verwendet, um die automatisierte Bereitstellung von Seiten für Ihr Unternehmen zu authentifizieren.",
+    "provisioningManage": "Bereitstellung",
+    "provisioningDescription": "Bereitstellungsschlüssel verwalten und ausstehende Seiten prüfen, die noch auf Genehmigung warten.",
+    "pendingSites": "Ausstehende Seiten",
+    "siteApproveSuccess": "Site erfolgreich freigegeben",
+    "siteApproveError": "Fehler beim Bestätigen der Seite",
+    "provisioningKeys": "Bereitstellungsschlüssel",
+    "searchProvisioningKeys": "Bereitstellungsschlüssel suchen...",
+    "provisioningKeysAdd": "Bereitstellungsschlüssel generieren",
+    "provisioningKeysErrorDelete": "Fehler beim Löschen des Bereitstellungsschlüssels",
+    "provisioningKeysErrorDeleteMessage": "Fehler beim Löschen des Bereitstellungsschlüssels",
+    "provisioningKeysQuestionRemove": "Sind Sie sicher, dass Sie diesen Bereitstellungsschlüssel aus der Organisation entfernen möchten?",
+    "provisioningKeysMessageRemove": "Einmal entfernt, kann der Schlüssel nicht mehr für die Bereitstellung der Site verwendet werden.",
+    "provisioningKeysDeleteConfirm": "Bereitstellungsschlüssel löschen bestätigen",
+    "provisioningKeysDelete": "Bereitstellungsschlüssel löschen",
+    "provisioningKeysCreate": "Bereitstellungsschlüssel generieren",
+    "provisioningKeysCreateDescription": "Einen neuen Bereitstellungsschlüssel für die Organisation generieren",
+    "provisioningKeysSeeAll": "Alle Bereitstellungsschlüssel anzeigen",
+    "provisioningKeysSave": "Bereitstellungsschlüssel speichern",
+    "provisioningKeysSaveDescription": "Sie können dies nur einmal sehen. Kopieren Sie es an einen sicheren Ort.",
+    "provisioningKeysErrorCreate": "Fehler beim Erstellen des Bereitstellungsschlüssels",
+    "provisioningKeysList": "Neuer Bereitstellungsschlüssel",
+    "provisioningKeysMaxBatchSize": "Max. Batch-Größe",
+    "provisioningKeysUnlimitedBatchSize": "Unbegrenzte Batch-Größe (kein Limit)",
+    "provisioningKeysMaxBatchUnlimited": "Unbegrenzt",
+    "provisioningKeysMaxBatchSizeInvalid": "Geben Sie eine gültige maximale Batchgröße ein (1–1.000.000).",
+    "provisioningKeysValidUntil": "Gültig bis",
+    "provisioningKeysValidUntilHint": "Leer lassen für keine Verjährung.",
+    "provisioningKeysValidUntilInvalid": "Geben Sie ein gültiges Datum und Zeit ein.",
+    "provisioningKeysNumUsed": "Verwendete Zeiten",
+    "provisioningKeysLastUsed": "Zuletzt verwendet",
+    "provisioningKeysNoExpiry": "Kein Ablauf",
+    "provisioningKeysNeverUsed": "Nie",
+    "provisioningKeysEdit": "Bereitstellungsschlüssel bearbeiten",
+    "provisioningKeysEditDescription": "Aktualisieren Sie die maximale Batch-Größe und Ablaufzeit für diesen Schlüssel.",
+    "provisioningKeysApproveNewSites": "Neue Seiten genehmigen",
+    "provisioningKeysApproveNewSitesDescription": "Sites, die sich mit diesem Schlüssel registrieren, automatisch freigeben.",
+    "provisioningKeysUpdateError": "Fehler beim Aktualisieren des Bereitstellungsschlüssels",
+    "provisioningKeysUpdated": "Bereitstellungsschlüssel aktualisiert",
+    "provisioningKeysUpdatedDescription": "Ihre Änderungen wurden gespeichert.",
+    "provisioningKeysBannerTitle": "Website-Bereitstellungsschlüssel",
+    "provisioningKeysBannerDescription": "Generieren Sie einen Bereitstellungsschlüssel und verwenden Sie ihn mit dem Newt-Konnektor, um beim ersten Start automatisch Sites zu erstellen – keine Notwendigkeit, separate Anmeldeinformationen für jede Seite einzurichten.",
+    "provisioningKeysBannerButtonText": "Mehr erfahren",
+    "pendingSitesBannerTitle": "Ausstehende Seiten",
+    "pendingSitesBannerDescription": "Sites, die sich mit einem Bereitstellungsschlüssel verbinden, erscheinen hier zur Überprüfung. Bestätigen Sie jede Site, bevor sie aktiv wird und erhalten Zugriff auf Ihre Ressourcen.",
+    "pendingSitesBannerButtonText": "Mehr erfahren",
    "apiKeysSettings": "{apiKeyName} Einstellungen",
    "userTitle": "Alle Benutzer verwalten",
    "userDescription": "Alle Benutzer im System anzeigen und verwalten",
@@ -509,9 +562,12 @@
    "userSaved": "Benutzer gespeichert",
    "userSavedDescription": "Der Benutzer wurde aktualisiert.",
    "autoProvisioned": "Automatisch bereitgestellt",
+    "autoProvisionSettings": "Auto-Bereitstellungseinstellungen",
    "autoProvisionedDescription": "Erlaube diesem Benutzer die automatische Verwaltung durch Identitätsanbieter",
    "accessControlsDescription": "Verwalten Sie, worauf dieser Benutzer in der Organisation zugreifen und was er tun kann",
    "accessControlsSubmit": "Zugriffskontrollen speichern",
+    "singleRolePerUserPlanNotice": "Ihr Plan unterstützt nur eine Rolle pro Benutzer.",
+    "singleRolePerUserEditionNotice": "Diese Ausgabe unterstützt nur eine Rolle pro Benutzer.",
    "roles": "Rollen",
    "accessUsersRoles": "Benutzer & Rollen verwalten",
    "accessUsersRolesDescription": "Lade Benutzer ein und füge sie zu Rollen hinzu, um den Zugriff auf die Organisation zu verwalten",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Geben Sie das Setup-Token von der Serverkonsole ein.",
    "setupTokenRequired": "Setup-Token ist erforderlich",
    "actionUpdateSite": "Standorte aktualisieren",
+    "actionResetSiteBandwidth": "Organisations-Bandbreite zurücksetzen",
    "actionListSiteRoles": "Erlaubte Standort-Rollen auflisten",
    "actionCreateResource": "Ressource erstellen",
    "actionDeleteResource": "Ressource löschen",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Benutzer entfernen",
    "actionListUsers": "Benutzer auflisten",
    "actionAddUserRole": "Benutzerrolle hinzufügen",
+    "actionSetUserOrgRoles": "Benutzerrollen festlegen",
    "actionGenerateAccessToken": "Zugriffstoken generieren",
    "actionDeleteAccessToken": "Zugriffstoken löschen",
    "actionListAccessTokens": "Zugriffstoken auflisten",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Rollen",
    "sidebarShareableLinks": "Links",
    "sidebarApiKeys": "API-Schlüssel",
+    "sidebarProvisioning": "Bereitstellung",
    "sidebarSettings": "Einstellungen",
    "sidebarAllUsers": "Alle Benutzer",
    "sidebarIdentityProviders": "Identitätsanbieter",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mehr anzeigen",
    "regionSelectorTitle": "Region auswählen",
+    "domainPickerRemoteExitNodeWarning": "Angegebene Domains werden nicht unterstützt, wenn sich Websites mit externen Exit-Knoten verbinden. Damit Ressourcen auf entfernten Knoten verfügbar sind, verwenden Sie stattdessen eine eigene Domain.",
    "regionSelectorInfo": "Das Auswählen einer Region hilft uns, eine bessere Leistung für Ihren Standort bereitzustellen. Sie müssen sich nicht in derselben Region wie Ihr Server befinden.",
    "regionSelectorPlaceholder": "Wähle eine Region",
    "regionSelectorComingSoon": "Kommt bald",
@@ -1888,6 +1948,40 @@
    "exitNode": "Exit-Node",
    "country": "Land",
    "rulesMatchCountry": "Derzeit basierend auf der Quell-IP",
+    "region": "Region",
+    "selectRegion": "Region wählen...",
+    "searchRegions": "Regionen suchen...",
+    "noRegionFound": "Keine Region gefunden.",
+    "rulesMatchRegion": "Wählen Sie eine Regionalgruppe von Ländern",
+    "rulesErrorInvalidRegion": "Ungültige Region",
+    "rulesErrorInvalidRegionDescription": "Bitte wählen Sie eine gültige Region aus.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Nordafrika",
+    "regionEasternAfrica": "Ostafrika",
+    "regionMiddleAfrica": "Zentralafrika",
+    "regionSouthernAfrica": "Südliches Afrika",
+    "regionWesternAfrica": "Westafrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karibik",
+    "regionCentralAmerica": "Mittelamerika",
+    "regionSouthAmerica": "Südamerika",
+    "regionNorthernAmerica": "Nordamerika",
+    "regionAsia": "Asien",
+    "regionCentralAsia": "Zentralasien",
+    "regionEasternAsia": "Ostasien",
+    "regionSouthEasternAsia": "Südostasien",
+    "regionSouthernAsia": "Südasien",
+    "regionWesternAsia": "Westasien",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Osteuropa",
+    "regionNorthernEurope": "Nordeuropa",
+    "regionSouthernEurope": "Südeuropa",
+    "regionWesternEurope": "Westeuropa",
+    "regionOceania": "Ozeanien",
+    "regionAustraliaAndNewZealand": "Australien und Neuseeland",
+    "regionMelanesia": "Melanesien",
+    "regionMicronesia": "Mikronesien",
+    "regionPolynesia": "Polynesien",
    "managedSelfHosted": {
        "title": "Verwaltetes Selbsthosted",
        "description": "Zuverlässiger und wartungsarmer Pangolin Server mit zusätzlichen Glocken und Pfeifen",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Ungültiger Wert",
    "idpTypeLabel": "Identitätsanbietertyp",
    "roleMappingExpressionPlaceholder": "z. B. enthalten(Gruppen, 'admin') && 'Admin' || 'Mitglied'",
+    "roleMappingModeFixedRoles": "Feste Rollen",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Roher Ausdruck",
+    "roleMappingFixedRolesPlaceholderSelect": "Wählen Sie eine oder mehrere Rollen",
+    "roleMappingFixedRolesPlaceholderFreeform": "Rollennamen eingeben (exakte Übereinstimmung pro Organisation)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Weisen Sie jedem auto-provisionierten Benutzer die gleiche Rolle zu.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Für Standardrichtlinien geben Sie Rollennamen ein, die in jeder Organisation existieren, in der Benutzer angegeben sind. Namen müssen exakt übereinstimmen.",
+    "roleMappingClaimPath": "Pfad einfordern",
+    "roleMappingClaimPathPlaceholder": "gruppen",
+    "roleMappingClaimPathDescription": "Pfad in der Token Payload mit Quellwerten (zum Beispiel Gruppen).",
+    "roleMappingMatchValue": "Match-Wert",
+    "roleMappingAssignRoles": "Rollen zuweisen",
+    "roleMappingAddMappingRule": "Zuordnungsregel hinzufügen",
+    "roleMappingRawExpressionResultDescription": "Ausdruck muss zu einem String oder String Array ausgewertet werden.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Ausdruck muss zu einem String (einem einzigen Rollennamen) ausgewertet werden.",
+    "roleMappingMatchValuePlaceholder": "Match-Wert (z. B.: Admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Rollennamen eingeben (exakt pro Ort)",
+    "roleMappingBuilderFreeformRowHint": "Rollennamen müssen mit einer Rolle in jeder Zielorganisation übereinstimmen.",
+    "roleMappingRemoveRule": "Entfernen",
    "idpGoogleConfiguration": "Google-Konfiguration",
    "idpGoogleConfigurationDescription": "Google OAuth2 Zugangsdaten konfigurieren",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Wie lange Zugriffsprotokolle beibehalten werden sollen",
    "logRetentionActionLabel": "Aktionsprotokoll-Speicherung",
    "logRetentionActionDescription": "Dauer des Action-Logs",
+    "logRetentionConnectionLabel": "Verbindungsprotokoll-Speicherung",
+    "logRetentionConnectionDescription": "Wie lange Verbindungsprotokolle gespeichert werden sollen",
    "logRetentionDisabled": "Deaktiviert",
    "logRetention3Days": "3 Tage",
    "logRetention7Days": "7 Tage",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Ende des folgenden Jahres",
    "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
    "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
-    "licenseRequiredToUse": "Um diese Funktion nutzen zu können, ist eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
-    "ossEnterpriseEditionRequired": "Um diese Funktion nutzen zu können, ist die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
+    "connectionLogs": "Verbindungsprotokolle",
+    "connectionLogsDescription": "Verbindungsprotokolle für Tunnel in dieser Organisation anzeigen",
+    "sidebarLogsConnection": "Verbindungsprotokolle",
+    "sidebarLogsStreaming": "Streaming",
+    "sourceAddress": "Quelladresse",
+    "destinationAddress": "Zieladresse",
+    "duration": "Dauer",
+    "licenseRequiredToUse": "Eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz oder <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> wird benötigt, um diese Funktion nutzen zu können. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "Die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> wird benötigt, um diese Funktion nutzen zu können. Diese Funktion ist auch in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>verfügbar. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
    "certResolver": "Zertifikatsauflöser",
    "certResolverDescription": "Wählen Sie den Zertifikatslöser aus, der für diese Ressource verwendet werden soll.",
    "selectCertResolver": "Zertifikatsauflöser auswählen",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Gerätegenehmigungen aktivieren",
    "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
    "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
-    "approvalsEmptyStateButtonText": "Rollen verwalten"
+    "approvalsEmptyStateButtonText": "Rollen verwalten",
+    "domainErrorTitle": "Wir haben Probleme mit der Überprüfung deiner Domain",
+    "idpAdminAutoProvisionPoliciesTabHint": "Konfigurieren Sie Rollenzuordnungs- und Organisationsrichtlinien auf der Registerkarte <policiesTabLink>Auto-Bereitstellungseinstellungen</policiesTabLink>.",
+    "streamingTitle": "Event Streaming",
+    "streamingDescription": "Streamen Sie Events aus Ihrem Unternehmen in Echtzeit zu externen Zielen.",
+    "streamingUnnamedDestination": "Unbenanntes Ziel",
+    "streamingNoUrlConfigured": "Keine URL konfiguriert",
+    "streamingAddDestination": "Ziel hinzufügen",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Sende Ereignisse an jeden HTTP-Endpunkt mit flexibler Authentifizierung und Vorlage.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Streame Ereignisse in eine S3-kompatible Objekt-Speicher-Eimer. Kommt bald.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Events direkt an Ihr Datadog Konto weiterleiten. Kommen Sie bald.",
+    "streamingTypePickerDescription": "Wählen Sie einen Zieltyp aus, um loszulegen.",
+    "streamingFailedToLoad": "Fehler beim Laden der Ziele",
+    "streamingUnexpectedError": "Ein unerwarteter Fehler ist aufgetreten.",
+    "streamingFailedToUpdate": "Fehler beim Aktualisieren des Ziels",
+    "streamingDeletedSuccess": "Ziel erfolgreich gelöscht",
+    "streamingFailedToDelete": "Fehler beim Löschen des Ziels",
+    "streamingDeleteTitle": "Ziel löschen",
+    "streamingDeleteButtonText": "Ziel löschen",
+    "streamingDeleteDialogAreYouSure": "Sind Sie sicher, dass Sie löschen möchten",
+    "streamingDeleteDialogThisDestination": "dieses Ziel",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle Konfiguration wird dauerhaft entfernt.",
+    "httpDestEditTitle": "Ziel bearbeiten",
+    "httpDestAddTitle": "HTTP-Ziel hinzufügen",
+    "httpDestEditDescription": "Aktualisiere die Konfiguration für dieses HTTP-Streaming-Ziel.",
+    "httpDestAddDescription": "Konfigurieren Sie einen neuen HTTP-Endpunkt, um die Ereignisse Ihrer Organisation zu empfangen.",
+    "httpDestTabSettings": "Einstellungen",
+    "httpDestTabHeaders": "Kopfzeilen",
+    "httpDestTabBody": "Körper",
+    "httpDestTabLogs": "Logs",
+    "httpDestNamePlaceholder": "Mein HTTP-Ziel",
+    "httpDestUrlLabel": "Ziel-URL",
+    "httpDestUrlErrorHttpRequired": "URL muss http oder https verwenden",
+    "httpDestUrlErrorHttpsRequired": "HTTPS wird für Cloud-Deployment benötigt",
+    "httpDestUrlErrorInvalid": "Geben Sie eine gültige URL ein (z.B. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentifizierung",
+    "httpDestAuthDescription": "Legen Sie fest, wie Anfragen an Ihren Endpunkt authentifiziert werden.",
+    "httpDestAuthNoneTitle": "Keine Authentifizierung",
+    "httpDestAuthNoneDescription": "Sendet Anfragen ohne Autorisierungs-Header.",
+    "httpDestAuthBearerTitle": "Bären-Token",
+    "httpDestAuthBearerDescription": "Fügt eine Berechtigung hinzu: Bearer <token> Header zu jeder Anfrage.",
+    "httpDestAuthBearerPlaceholder": "Ihr API-Schlüssel oder Token",
+    "httpDestAuthBasicTitle": "Einfacher Auth",
+    "httpDestAuthBasicDescription": "Fügt eine Autorisierung hinzu: Basic <credentials> Kopfzeile hinzu. Geben Sie Anmeldedaten als Benutzername:password an.",
+    "httpDestAuthBasicPlaceholder": "benutzername:password",
+    "httpDestAuthCustomTitle": "Eigene Kopfzeile",
+    "httpDestAuthCustomDescription": "Geben Sie einen eigenen HTTP-Header-Namen und einen Wert für die Authentifizierung an (z.B. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Headername (z.B. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header-Wert",
+    "httpDestCustomHeadersTitle": "Eigene HTTP-Header",
+    "httpDestCustomHeadersDescription": "Fügen Sie jeder ausgehenden Anfrage benutzerdefinierte Kopfzeilen hinzu. Nützlich für statische Tokens oder einen benutzerdefinierten Content-Typ. Standardmäßig wird Content-Type: application/json gesendet.",
+    "httpDestNoHeadersConfigured": "Keine benutzerdefinierten Header konfiguriert. Klicken Sie auf \"Header hinzufügen\", um einen hinzuzufügen.",
+    "httpDestHeaderNamePlaceholder": "Header-Name",
+    "httpDestHeaderValuePlaceholder": "Wert",
+    "httpDestAddHeader": "Header hinzufügen",
+    "httpDestBodyTemplateTitle": "Eigene Body-Vorlage",
+    "httpDestBodyTemplateDescription": "Steuere die JSON-Payload-Struktur, die an deinen Endpunkt gesendet wurde. Wenn deaktiviert, wird für jede Veranstaltung ein Standard-JSON-Objekt gesendet.",
+    "httpDestEnableBodyTemplate": "Eigene Körpervorlage aktivieren",
+    "httpDestBodyTemplateLabel": "Body-Vorlage (JSON)",
+    "httpDestBodyTemplateHint": "Verwenden Sie Template-Variablen, um Ereignisfelder in Ihrer Payload zu referenzieren.",
+    "httpDestPayloadFormatTitle": "Payload-Format",
+    "httpDestPayloadFormatDescription": "Wie Ereignisse in jedes Anfragegremium serialisiert werden.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "Eine Anfrage pro Stapel ist ein JSON-Array. Kompatibel mit den meisten generischen Webhooks und Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Eine Anfrage pro Batch, der Körper ist newline-getrenntes JSON — ein Objekt pro Zeile, kein äußeres Array. Benötigt von Splunk HEC, Elastic / OpenSearch, und Grafana Loki.",
+    "httpDestFormatSingleTitle": "Ein Ereignis pro Anfrage",
+    "httpDestFormatSingleDescription": "Sendet eine separate HTTP-POST für jedes einzelne Ereignis. Nur für Endpunkte, die Batches nicht handhaben können.",
+    "httpDestLogTypesTitle": "Log-Typen",
+    "httpDestLogTypesDescription": "Wählen Sie, welche Log-Typen an dieses Ziel weitergeleitet werden. Nur aktivierte Log-Typen werden gestreamt.",
+    "httpDestAccessLogsTitle": "Zugriffsprotokolle",
+    "httpDestAccessLogsDescription": "Ressourcenzugriffe, einschließlich authentifizierter und abgelehnter Anfragen.",
+    "httpDestActionLogsTitle": "Aktionsprotokolle",
+    "httpDestActionLogsDescription": "Administrative Maßnahmen, die von Benutzern innerhalb der Organisation durchgeführt werden.",
+    "httpDestConnectionLogsTitle": "Verbindungsprotokolle",
+    "httpDestConnectionLogsDescription": "Site- und Tunnelverbindungen, einschließlich Verbindungen und Trennungen.",
+    "httpDestRequestLogsTitle": "Logs anfordern",
+    "httpDestRequestLogsDescription": "HTTP-Request-Protokolle für proxiierte Ressourcen, einschließlich Methode, Pfad und Antwort-Code.",
+    "httpDestSaveChanges": "Änderungen speichern",
+    "httpDestCreateDestination": "Ziel erstellen",
+    "httpDestUpdatedSuccess": "Ziel erfolgreich aktualisiert",
+    "httpDestCreatedSuccess": "Ziel erfolgreich erstellt",
+    "httpDestUpdateFailed": "Fehler beim Aktualisieren des Ziels",
+    "httpDestCreateFailed": "Fehler beim Erstellen des Ziels"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -148,6 +148,11 @@
    "createLink": "Create Link",
    "resourcesNotFound": "No resources found",
    "resourceSearch": "Search resources",
+    "machineSearch": "Search machines",
+    "machinesSearch": "Search machine clients...",
+    "machineNotFound": "No machines found",
+    "userDeviceSearch": "Search user devices",
+    "userDevicesSearch": "Search user devices...",
    "openMenu": "Open menu",
    "resource": "Resource",
    "title": "Title",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
    "resourceRaw": "Raw TCP/UDP Resource",
    "resourceRawDescription": "Proxy requests over raw TCP/UDP using a port number.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. REQUIRES THE USE OF A REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Create Resource",
    "resourceCreateDescription": "Follow the steps below to create a new resource",
    "resourceSeeAll": "See All Resources",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Delete API Key",
    "apiKeysManage": "Manage API Keys",
    "apiKeysDescription": "API keys are used to authenticate with the integration API",
+    "provisioningKeysTitle": "Provisioning Key",
+    "provisioningKeysManage": "Manage Provisioning Keys",
+    "provisioningKeysDescription": "Provisioning keys are used to authenticate automated site provisioning for your organization.",
+    "provisioningManage": "Provisioning",
+    "provisioningDescription": "Manage provisioning keys and review pending sites awaiting approval.",
+    "pendingSites": "Pending Sites",
+    "siteApproveSuccess": "Site approved successfully",
+    "siteApproveError": "Error approving site",
+    "provisioningKeys": "Provisioning Keys",
+    "searchProvisioningKeys": "Search provisioning keys...",
+    "provisioningKeysAdd": "Generate Provisioning Key",
+    "provisioningKeysErrorDelete": "Error deleting provisioning key",
+    "provisioningKeysErrorDeleteMessage": "Error deleting provisioning key",
+    "provisioningKeysQuestionRemove": "Are you sure you want to remove this provisioning key from the organization?",
+    "provisioningKeysMessageRemove": "Once removed, the key can no longer be used for site provisioning.",
+    "provisioningKeysDeleteConfirm": "Confirm Delete Provisioning Key",
+    "provisioningKeysDelete": "Delete Provisioning key",
+    "provisioningKeysCreate": "Generate Provisioning Key",
+    "provisioningKeysCreateDescription": "Generate a new provisioning key for the organization",
+    "provisioningKeysSeeAll": "See all provisioning keys",
+    "provisioningKeysSave": "Save the provisioning key",
+    "provisioningKeysSaveDescription": "You will only be able to see this once. Copy it to a secure place.",
+    "provisioningKeysErrorCreate": "Error creating provisioning key",
+    "provisioningKeysList": "New provisioning key",
+    "provisioningKeysMaxBatchSize": "Max batch size",
+    "provisioningKeysUnlimitedBatchSize": "Unlimited batch size (no limit)",
+    "provisioningKeysMaxBatchUnlimited": "Unlimited",
+    "provisioningKeysMaxBatchSizeInvalid": "Enter a valid max batch size (1–1,000,000).",
+    "provisioningKeysValidUntil": "Valid until",
+    "provisioningKeysValidUntilHint": "Leave empty for no expiration.",
+    "provisioningKeysValidUntilInvalid": "Enter a valid date and time.",
+    "provisioningKeysNumUsed": "Times used",
+    "provisioningKeysLastUsed": "Last used",
+    "provisioningKeysNoExpiry": "No expiration",
+    "provisioningKeysNeverUsed": "Never",
+    "provisioningKeysEdit": "Edit Provisioning Key",
+    "provisioningKeysEditDescription": "Update the max batch size and expiration time for this key.",
+    "provisioningKeysApproveNewSites": "Approve new sites",
+    "provisioningKeysApproveNewSitesDescription": "Automatically approve sites that register with this key.",
+    "provisioningKeysUpdateError": "Error updating provisioning key",
+    "provisioningKeysUpdated": "Provisioning key updated",
+    "provisioningKeysUpdatedDescription": "Your changes have been saved.",
+    "provisioningKeysBannerTitle": "Site Provisioning Keys",
+    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup — no need to set up separate credentials for each site.",
+    "provisioningKeysBannerButtonText": "Learn More",
+    "pendingSitesBannerTitle": "Pending Sites",
+    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review. Approve each site before it becomes active and gains access to your resources.",
+    "pendingSitesBannerButtonText": "Learn More",
    "apiKeysSettings": "{apiKeyName} Settings",
    "userTitle": "Manage All Users",
    "userDescription": "View and manage all users in the system",
@@ -509,9 +562,12 @@
    "userSaved": "User saved",
    "userSavedDescription": "The user has been updated.",
    "autoProvisioned": "Auto Provisioned",
+    "autoProvisionSettings": "Auto Provision Settings",
    "autoProvisionedDescription": "Allow this user to be automatically managed by identity provider",
    "accessControlsDescription": "Manage what this user can access and do in the organization",
    "accessControlsSubmit": "Save Access Controls",
+    "singleRolePerUserPlanNotice": "Your plan only supports one role per user.",
+    "singleRolePerUserEditionNotice": "This edition only supports one role per user.",
    "roles": "Roles",
    "accessUsersRoles": "Manage Users & Roles",
    "accessUsersRolesDescription": "Invite users and add them to roles to manage access to the organization",
@@ -568,6 +624,8 @@
    "targetErrorInvalidPortDescription": "Please enter a valid port number",
    "targetErrorNoSite": "No site selected",
    "targetErrorNoSiteDescription": "Please select a site for the target",
+    "targetTargetsCleared": "Targets cleared",
+    "targetTargetsClearedDescription": "All targets have been removed from this resource",
    "targetCreated": "Target created",
    "targetCreatedDescription": "Target has been created successfully",
    "targetErrorCreate": "Failed to create target",
@@ -887,7 +945,7 @@
    "defaultMappingsRole": "Default Role Mapping",
    "defaultMappingsRoleDescription": "The result of this expression must return the role name as defined in the organization as a string.",
    "defaultMappingsOrg": "Default Organization Mapping",
-    "defaultMappingsOrgDescription": "This expression must return the org ID or true for the user to be allowed to access the organization.",
+    "defaultMappingsOrgDescription": "When set, this expression must return the organization ID or true for the user to access that organization. When unset, defining an organization policy for that org is enough: the user is allowed in as long as a valid role mapping can be resolved for them within the organization.",
    "defaultMappingsSubmit": "Save Default Mappings",
    "orgPoliciesEdit": "Edit Organization Policy",
    "org": "Organization",
@@ -1040,7 +1098,6 @@
    "pageNotFoundDescription": "Oops! The page you're looking for doesn't exist.",
    "overview": "Overview",
    "home": "Home",
-    "accessControl": "Access Control",
    "settings": "Settings",
    "usersAll": "All Users",
    "license": "License",
@@ -1120,6 +1177,7 @@
    "setupTokenDescription": "Enter the setup token from the server console.",
    "setupTokenRequired": "Setup token is required",
    "actionUpdateSite": "Update Site",
+    "actionResetSiteBandwidth": "Reset Organization Bandwidth",
    "actionListSiteRoles": "List Allowed Site Roles",
    "actionCreateResource": "Create Resource",
    "actionDeleteResource": "Delete Resource",
@@ -1149,6 +1207,7 @@
    "actionRemoveUser": "Remove User",
    "actionListUsers": "List Users",
    "actionAddUserRole": "Add User Role",
+    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Generate Access Token",
    "actionDeleteAccessToken": "Delete Access Token",
    "actionListAccessTokens": "List Access Tokens",
@@ -1265,6 +1324,7 @@
    "sidebarRoles": "Roles",
    "sidebarShareableLinks": "Links",
    "sidebarApiKeys": "API Keys",
+    "sidebarProvisioning": "Provisioning",
    "sidebarSettings": "Settings",
    "sidebarAllUsers": "All Users",
    "sidebarIdentityProviders": "Identity Providers",
@@ -1427,6 +1487,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Show More",
    "regionSelectorTitle": "Select Region",
+    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Selecting a region helps us provide better performance for your location. You do not have to be in the same region as your server.",
    "regionSelectorPlaceholder": "Choose a region",
    "regionSelectorComingSoon": "Coming Soon",
@@ -1889,6 +1950,40 @@
    "exitNode": "Exit Node",
    "country": "Country",
    "rulesMatchCountry": "Currently based on source IP",
+    "region": "Region",
+    "selectRegion": "Select region",
+    "searchRegions": "Search regions...",
+    "noRegionFound": "No region found.",
+    "rulesMatchRegion": "Select a regional grouping of countries",
+    "rulesErrorInvalidRegion": "Invalid region",
+    "rulesErrorInvalidRegionDescription": "Please select a valid region.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "Northern Africa",
+    "regionEasternAfrica": "Eastern Africa",
+    "regionMiddleAfrica": "Middle Africa",
+    "regionSouthernAfrica": "Southern Africa",
+    "regionWesternAfrica": "Western Africa",
+    "regionAmericas": "Americas",
+    "regionCaribbean": "Caribbean",
+    "regionCentralAmerica": "Central America",
+    "regionSouthAmerica": "South America",
+    "regionNorthernAmerica": "Northern America",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Central Asia",
+    "regionEasternAsia": "Eastern Asia",
+    "regionSouthEasternAsia": "South-Eastern Asia",
+    "regionSouthernAsia": "Southern Asia",
+    "regionWesternAsia": "Western Asia",
+    "regionEurope": "Europe",
+    "regionEasternEurope": "Eastern Europe",
+    "regionNorthernEurope": "Northern Europe",
+    "regionSouthernEurope": "Southern Europe",
+    "regionWesternEurope": "Western Europe",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia and New Zealand",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Managed Self-Hosted",
        "description": "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles",
@@ -1937,6 +2032,25 @@
    "invalidValue": "Invalid value",
    "idpTypeLabel": "Identity Provider Type",
    "roleMappingExpressionPlaceholder": "e.g., contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Fixed Roles",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Raw Expression",
+    "roleMappingFixedRolesPlaceholderSelect": "Select one or more roles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Type role names (exact match per organization)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assign the same role set to every auto-provisioned user.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "For default policies, type role names that exist in each organization where users are provisioned. Names must match exactly.",
+    "roleMappingClaimPath": "Claim Path",
+    "roleMappingClaimPathPlaceholder": "groups",
+    "roleMappingClaimPathDescription": "Path in the token payload that contains source values (for example, groups).",
+    "roleMappingMatchValue": "Match Value",
+    "roleMappingAssignRoles": "Assign Roles",
+    "roleMappingAddMappingRule": "Add Mapping Rule",
+    "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expression must evaluate to a string (a single role name).",
+    "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Role names must match a role in each target organization.",
+    "roleMappingRemoveRule": "Remove",
    "idpGoogleConfiguration": "Google Configuration",
    "idpGoogleConfigurationDescription": "Configure the Google OAuth2 credentials",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2333,6 +2447,8 @@
    "logRetentionAccessDescription": "How long to retain access logs",
    "logRetentionActionLabel": "Action Log Retention",
    "logRetentionActionDescription": "How long to retain action logs",
+    "logRetentionConnectionLabel": "Connection Log Retention",
+    "logRetentionConnectionDescription": "How long to retain connection logs",
    "logRetentionDisabled": "Disabled",
    "logRetention3Days": "3 days",
    "logRetention7Days": "7 days",
@@ -2343,8 +2459,15 @@
    "logRetentionEndOfFollowingYear": "End of following year",
    "actionLogsDescription": "View a history of actions performed in this organization",
    "accessLogsDescription": "View access auth requests for resources in this organization",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Connection Logs",
+    "connectionLogsDescription": "View connection logs for tunnels in this organization",
+    "sidebarLogsConnection": "Connection Logs",
+    "sidebarLogsStreaming": "Streaming",
+    "sourceAddress": "Source Address",
+    "destinationAddress": "Destination Address",
+    "duration": "Duration",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
    "certResolver": "Certificate Resolver",
    "certResolverDescription": "Select the certificate resolver to use for this resource.",
    "selectCertResolver": "Select Certificate Resolver",
@@ -2509,9 +2632,9 @@
    "remoteExitNodeRegenerateCredentialsConfirmation": "Are you sure you want to regenerate the credentials for this remote exit node?",
    "remoteExitNodeRegenerateCredentialsWarning": "This will regenerate the credentials. The remote exit node will stay connected until you manually restart it and use the new credentials.",
    "agent": "Agent",
-    "personalUseOnly":  "Personal Use Only",
-    "loginPageLicenseWatermark":  "This instance is licensed for personal use only.",
-    "instanceIsUnlicensed":  "This instance is unlicensed.",
+    "personalUseOnly": "Personal Use Only",
+    "loginPageLicenseWatermark": "This instance is licensed for personal use only.",
+    "instanceIsUnlicensed": "This instance is unlicensed.",
    "portRestrictions": "Port Restrictions",
    "allPorts": "All",
    "custom": "Custom",
@@ -2565,7 +2688,7 @@
    "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
    "forced": "Forced",
    "forcedModeDescription": "Always show the maintenance page regardless of backend health. Use this for planned maintenance when you want to prevent all access.",
-    "warning:" : "Warning:",
+    "warning:": "Warning:",
    "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
    "pageTitle": "Page Title",
    "pageTitleDescription": "The main heading displayed on the maintenance page",
@@ -2681,5 +2804,91 @@
    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "approvalsEmptyStateButtonText": "Manage Roles",
+    "domainErrorTitle": "We are having trouble verifying your domain",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab.",
+    "streamingTitle": "Event Streaming",
+    "streamingDescription": "Stream events from your organization to external destinations in real time.",
+    "streamingUnnamedDestination": "Unnamed destination",
+    "streamingNoUrlConfigured": "No URL configured",
+    "streamingAddDestination": "Add Destination",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Send events to any HTTP endpoint with flexible authentication and templating.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Stream events to an S3-compatible object storage bucket. Coming soon.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Forward events directly to your Datadog account. Coming soon.",
+    "streamingTypePickerDescription": "Choose a destination type to get started.",
+    "streamingFailedToLoad": "Failed to load destinations",
+    "streamingUnexpectedError": "An unexpected error occurred.",
+    "streamingFailedToUpdate": "Failed to update destination",
+    "streamingDeletedSuccess": "Destination deleted successfully",
+    "streamingFailedToDelete": "Failed to delete destination",
+    "streamingDeleteTitle": "Delete Destination",
+    "streamingDeleteButtonText": "Delete Destination",
+    "streamingDeleteDialogAreYouSure": "Are you sure you want to delete",
+    "streamingDeleteDialogThisDestination": "this destination",
+    "streamingDeleteDialogPermanentlyRemoved": "? All configuration will be permanently removed.",
+    "httpDestEditTitle": "Edit Destination",
+    "httpDestAddTitle": "Add HTTP Destination",
+    "httpDestEditDescription": "Update the configuration for this HTTP event streaming destination.",
+    "httpDestAddDescription": "Configure a new HTTP endpoint to receive your organization's events.",
+    "httpDestTabSettings": "Settings",
+    "httpDestTabHeaders": "Headers",
+    "httpDestTabBody": "Body",
+    "httpDestTabLogs": "Logs",
+    "httpDestNamePlaceholder": "My HTTP destination",
+    "httpDestUrlLabel": "Destination URL",
+    "httpDestUrlErrorHttpRequired": "URL must use http or https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS is required on cloud deployments",
+    "httpDestUrlErrorInvalid": "Enter a valid URL (e.g. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentication",
+    "httpDestAuthDescription": "Choose how requests to your endpoint are authenticated.",
+    "httpDestAuthNoneTitle": "No Authentication",
+    "httpDestAuthNoneDescription": "Sends requests without an Authorization header.",
+    "httpDestAuthBearerTitle": "Bearer Token",
+    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer <token> header to each request.",
+    "httpDestAuthBearerPlaceholder": "Your API key or token",
+    "httpDestAuthBasicTitle": "Basic Auth",
+    "httpDestAuthBasicDescription": "Adds an Authorization: Basic <credentials> header. Provide credentials as username:password.",
+    "httpDestAuthBasicPlaceholder": "username:password",
+    "httpDestAuthCustomTitle": "Custom Header",
+    "httpDestAuthCustomDescription": "Specify a custom HTTP header name and value for authentication (e.g. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Header name (e.g. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header value",
+    "httpDestCustomHeadersTitle": "Custom HTTP Headers",
+    "httpDestCustomHeadersDescription": "Add custom headers to every outgoing request. Useful for static tokens or a custom Content-Type. By default, Content-Type: application/json is sent.",
+    "httpDestNoHeadersConfigured": "No custom headers configured. Click \"Add Header\" to add one.",
+    "httpDestHeaderNamePlaceholder": "Header name",
+    "httpDestHeaderValuePlaceholder": "Value",
+    "httpDestAddHeader": "Add Header",
+    "httpDestBodyTemplateTitle": "Custom Body Template",
+    "httpDestBodyTemplateDescription": "Control the JSON payload structure sent to your endpoint. If disabled, a default JSON object is sent for each event.",
+    "httpDestEnableBodyTemplate": "Enable custom body template",
+    "httpDestBodyTemplateLabel": "Body Template (JSON)",
+    "httpDestBodyTemplateHint": "Use template variables to reference event fields in your payload.",
+    "httpDestPayloadFormatTitle": "Payload Format",
+    "httpDestPayloadFormatDescription": "How events are serialised into each request body.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "One request per batch, body is a JSON array. Compatible with most generic webhooks and Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "One request per batch, body is newline-delimited JSON — one object per line, no outer array. Required by Splunk HEC, Elastic / OpenSearch, and Grafana Loki.",
+    "httpDestFormatSingleTitle": "One Event Per Request",
+    "httpDestFormatSingleDescription": "Sends a separate HTTP POST for each individual event. Use only for endpoints that cannot handle batches.",
+    "httpDestLogTypesTitle": "Log Types",
+    "httpDestLogTypesDescription": "Choose which log types are forwarded to this destination. Only enabled log types will be streamed.",
+    "httpDestAccessLogsTitle": "Access Logs",
+    "httpDestAccessLogsDescription": "Resource access attempts, including authenticated and denied requests.",
+    "httpDestActionLogsTitle": "Action Logs",
+    "httpDestActionLogsDescription": "Administrative actions performed by users within the organization.",
+    "httpDestConnectionLogsTitle": "Connection Logs",
+    "httpDestConnectionLogsDescription": "Site and tunnel connection events, including connects and disconnects.",
+    "httpDestRequestLogsTitle": "Request Logs",
+    "httpDestRequestLogsDescription": "HTTP request logs for proxied resources, including method, path, and response code.",
+    "httpDestSaveChanges": "Save Changes",
+    "httpDestCreateDestination": "Create Destination",
+    "httpDestUpdatedSuccess": "Destination updated successfully",
+    "httpDestCreatedSuccess": "Destination created successfully",
+    "httpDestUpdateFailed": "Failed to update destination",
+    "httpDestCreateFailed": "Failed to create destination"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -148,6 +148,11 @@
    "createLink": "Crear enlace",
    "resourcesNotFound": "No se encontraron recursos",
    "resourceSearch": "Buscar recursos",
+    "machineSearch": "Buscar máquinas",
+    "machinesSearch": "Buscar clientes...",
+    "machineNotFound": "No hay máquinas",
+    "userDeviceSearch": "Buscar dispositivos de usuario",
+    "userDevicesSearch": "Buscar dispositivos de usuario...",
    "openMenu": "Abrir menú",
    "resource": "Recurso",
    "title": "Título",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxy proporciona solicitudes sobre HTTPS usando un nombre de dominio completamente calificado.",
    "resourceRaw": "Recurso TCP/UDP sin procesar",
    "resourceRawDescription": "Proxy proporciona solicitudes sobre TCP/UDP usando un número de puerto.",
-    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. REQUIERE EL USO DE UN NODO REMOTE.",
+    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. Requiere que los sitios se conecten a un nodo remoto.",
    "resourceCreate": "Crear Recurso",
    "resourceCreateDescription": "Siga los siguientes pasos para crear un nuevo recurso",
    "resourceSeeAll": "Ver todos los recursos",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Borrar Clave API",
    "apiKeysManage": "Administrar claves API",
    "apiKeysDescription": "Las claves API se utilizan para autenticar con la API de integración",
+    "provisioningKeysTitle": "Clave de aprovisionamiento",
+    "provisioningKeysManage": "Administrar Claves de Aprovisionamiento",
+    "provisioningKeysDescription": "Las claves de aprovisionamiento se utilizan para autenticar la provisión automatizada del sitio para su organización.",
+    "provisioningManage": "Aprovisionamiento",
+    "provisioningDescription": "Administrar las claves de aprovisionamiento y revisar los sitios pendientes de aprobación.",
+    "pendingSites": "Sitios pendientes",
+    "siteApproveSuccess": "Sitio aprobado con éxito",
+    "siteApproveError": "Error al aprobar el sitio",
+    "provisioningKeys": "Claves de aprovisionamiento",
+    "searchProvisioningKeys": "Buscar claves de suministro...",
+    "provisioningKeysAdd": "Generar clave de aprovisionamiento",
+    "provisioningKeysErrorDelete": "Error al eliminar la clave de aprovisionamiento",
+    "provisioningKeysErrorDeleteMessage": "Error al eliminar la clave de aprovisionamiento",
+    "provisioningKeysQuestionRemove": "¿Está seguro que desea eliminar esta clave de aprovisionamiento de la organización?",
+    "provisioningKeysMessageRemove": "Una vez eliminada, la clave ya no se puede utilizar para la disposición del sitio.",
+    "provisioningKeysDeleteConfirm": "Confirmar Eliminar Clave de Aprovisionamiento",
+    "provisioningKeysDelete": "Eliminar clave de aprovisionamiento",
+    "provisioningKeysCreate": "Generar clave de aprovisionamiento",
+    "provisioningKeysCreateDescription": "Generar una nueva clave de aprovisionamiento para la organización",
+    "provisioningKeysSeeAll": "Ver todas las claves de aprovisionamiento",
+    "provisioningKeysSave": "Guardar la clave de aprovisionamiento",
+    "provisioningKeysSaveDescription": "Sólo podrás verlo una vez. Copítalo a un lugar seguro.",
+    "provisioningKeysErrorCreate": "Error al crear la clave de provisioning",
+    "provisioningKeysList": "Nueva clave de aprovisionamiento",
+    "provisioningKeysMaxBatchSize": "Tamaño máximo de lote",
+    "provisioningKeysUnlimitedBatchSize": "Tamaño ilimitado del lote (sin límite)",
+    "provisioningKeysMaxBatchUnlimited": "Ilimitado",
+    "provisioningKeysMaxBatchSizeInvalid": "Introduzca un tamaño máximo de lote válido (1–1,000,000).",
+    "provisioningKeysValidUntil": "Válido hasta",
+    "provisioningKeysValidUntilHint": "Dejar vacío para no expirar.",
+    "provisioningKeysValidUntilInvalid": "Introduzca una fecha y hora válidas.",
+    "provisioningKeysNumUsed": "Tiempos usados",
+    "provisioningKeysLastUsed": "Último uso",
+    "provisioningKeysNoExpiry": "No expiración",
+    "provisioningKeysNeverUsed": "Nunca",
+    "provisioningKeysEdit": "Editar clave de aprovisionamiento",
+    "provisioningKeysEditDescription": "Actualizar el tamaño máximo de lote y el tiempo de caducidad para esta clave.",
+    "provisioningKeysApproveNewSites": "Aprobar nuevos sitios",
+    "provisioningKeysApproveNewSitesDescription": "Aprobar automáticamente los sitios que se registran con esta clave.",
+    "provisioningKeysUpdateError": "Error al actualizar la clave de aprovisionamiento",
+    "provisioningKeysUpdated": "Clave de aprovisionamiento actualizada",
+    "provisioningKeysUpdatedDescription": "Sus cambios han sido guardados.",
+    "provisioningKeysBannerTitle": "Claves de aprovisionamiento del sitio",
+    "provisioningKeysBannerDescription": "Generar una clave de aprovisionamiento y usarla con el conector Newt para crear automáticamente sitios en el primer inicio — no es necesario configurar credenciales separadas para cada sitio.",
+    "provisioningKeysBannerButtonText": "Saber más",
+    "pendingSitesBannerTitle": "Sitios pendientes",
+    "pendingSitesBannerDescription": "Los sitios que se conectan usando una clave de aprovisionamiento aparecen aquí para su revisión. Aprobar cada sitio antes de que se active y obtenga acceso a sus recursos.",
+    "pendingSitesBannerButtonText": "Saber más",
    "apiKeysSettings": "Ajustes {apiKeyName}",
    "userTitle": "Administrar todos los usuarios",
    "userDescription": "Ver y administrar todos los usuarios en el sistema",
@@ -509,9 +562,12 @@
    "userSaved": "Usuario guardado",
    "userSavedDescription": "El usuario ha sido actualizado.",
    "autoProvisioned": "Auto asegurado",
+    "autoProvisionSettings": "Configuración de Auto Provision",
    "autoProvisionedDescription": "Permitir a este usuario ser administrado automáticamente por el proveedor de identidad",
    "accessControlsDescription": "Administrar lo que este usuario puede acceder y hacer en la organización",
    "accessControlsSubmit": "Guardar controles de acceso",
+    "singleRolePerUserPlanNotice": "Tu plan sólo soporta un rol por usuario.",
+    "singleRolePerUserEditionNotice": "Esta edición sólo soporta un rol por usuario.",
    "roles": "Roles",
    "accessUsersRoles": "Administrar usuarios y roles",
    "accessUsersRolesDescription": "Invitar usuarios y añadirlos a roles para administrar el acceso a la organización",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Ingrese el token de configuración desde la consola del servidor.",
    "setupTokenRequired": "Se requiere el token de configuración",
    "actionUpdateSite": "Actualizar sitio",
+    "actionResetSiteBandwidth": "Restablecer ancho de banda de la organización",
    "actionListSiteRoles": "Lista de roles permitidos del sitio",
    "actionCreateResource": "Crear Recurso",
    "actionDeleteResource": "Eliminar Recurso",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Eliminar usuario",
    "actionListUsers": "Listar usuarios",
    "actionAddUserRole": "Añadir rol de usuario",
+    "actionSetUserOrgRoles": "Establecer roles de usuario",
    "actionGenerateAccessToken": "Generar token de acceso",
    "actionDeleteAccessToken": "Eliminar token de acceso",
    "actionListAccessTokens": "Lista de Tokens de Acceso",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Roles",
    "sidebarShareableLinks": "Enlaces",
    "sidebarApiKeys": "Claves API",
+    "sidebarProvisioning": "Aprovisionamiento",
    "sidebarSettings": "Ajustes",
    "sidebarAllUsers": "Todos los usuarios",
    "sidebarIdentityProviders": "Proveedores de identidad",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Espacio de nombres: {namespace}",
    "domainPickerShowMore": "Mostrar más",
    "regionSelectorTitle": "Seleccionar Región",
+    "domainPickerRemoteExitNodeWarning": "Los dominios suministrados no son compatibles cuando los sitios se conectan a nodos de salida remotos. Para que los recursos estén disponibles en nodos remotos, utilice un dominio personalizado en su lugar.",
    "regionSelectorInfo": "Seleccionar una región nos ayuda a brindar un mejor rendimiento para tu ubicación. No tienes que estar en la misma región que tu servidor.",
    "regionSelectorPlaceholder": "Elige una región",
    "regionSelectorComingSoon": "Próximamente",
@@ -1888,6 +1948,40 @@
    "exitNode": "Nodo de Salida",
    "country": "País",
    "rulesMatchCountry": "Actualmente basado en IP de origen",
+    "region": "Región",
+    "selectRegion": "Seleccionar región",
+    "searchRegions": "Buscar regiones...",
+    "noRegionFound": "Región no encontrada.",
+    "rulesMatchRegion": "Seleccione una agrupación regional de países",
+    "rulesErrorInvalidRegion": "Región no válida",
+    "rulesErrorInvalidRegionDescription": "Por favor, seleccione una región válida.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "África septentrional",
+    "regionEasternAfrica": "África oriental",
+    "regionMiddleAfrica": "África central",
+    "regionSouthernAfrica": "África del Sur",
+    "regionWesternAfrica": "África Occidental",
+    "regionAmericas": "Américas",
+    "regionCaribbean": "Caribe",
+    "regionCentralAmerica": "América Central",
+    "regionSouthAmerica": "América del Sur",
+    "regionNorthernAmerica": "América del Norte",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Asia Central",
+    "regionEasternAsia": "Asia oriental",
+    "regionSouthEasternAsia": "Asia sudoriental",
+    "regionSouthernAsia": "Asia meridional",
+    "regionWesternAsia": "Asia Occidental",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa del Este",
+    "regionNorthernEurope": "Europa septentrional",
+    "regionSouthernEurope": "Europa meridional",
+    "regionWesternEurope": "Europa Occidental",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia y Nueva Zelanda",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Autogestionado",
        "description": "Servidor Pangolin autoalojado más fiable y de bajo mantenimiento con campanas y silbidos extra",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Valor inválido",
    "idpTypeLabel": "Tipo de proveedor de identidad",
    "roleMappingExpressionPlaceholder": "e.g., contiene(grupos, 'administrador') && 'administrador' || 'miembro'",
+    "roleMappingModeFixedRoles": "Roles fijos",
+    "roleMappingModeMappingBuilder": "Constructor de mapeo",
+    "roleMappingModeRawExpression": "Expresión sin procesar",
+    "roleMappingFixedRolesPlaceholderSelect": "Seleccione uno o más roles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Nombre de rol de tipo (coincidencia exacta por organización)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Asignar el mismo rol establecido a cada usuario auto-provisionado.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Para las políticas predeterminadas, escriba nombres de roles que existen en cada organización donde los usuarios son proporcionados. Los nombres deben coincidir exactamente.",
+    "roleMappingClaimPath": "Reclamar ruta",
+    "roleMappingClaimPathPlaceholder": "grupos",
+    "roleMappingClaimPathDescription": "Ruta en el payload del token que contiene valores de origen (por ejemplo, grupos).",
+    "roleMappingMatchValue": "Valor de partida",
+    "roleMappingAssignRoles": "Asignar roles",
+    "roleMappingAddMappingRule": "Añadir regla de mapeo",
+    "roleMappingRawExpressionResultDescription": "La expresión debe evaluar a un array de cadenas o cadenas.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "La expresión debe evaluar una cadena (un solo nombre de rol).",
+    "roleMappingMatchValuePlaceholder": "Valor coincidente (por ejemplo: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Escriba nombres de rol (exacto por org)",
+    "roleMappingBuilderFreeformRowHint": "Los nombres de rol deben coincidir con un rol en cada organización objetivo.",
+    "roleMappingRemoveRule": "Eliminar",
    "idpGoogleConfiguration": "Configuración de Google",
    "idpGoogleConfigurationDescription": "Configurar las credenciales de Google OAuth2",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Cuánto tiempo retener los registros de acceso",
    "logRetentionActionLabel": "Retención de registro de acción",
    "logRetentionActionDescription": "Cuánto tiempo retener los registros de acción",
+    "logRetentionConnectionLabel": "Retención de Registro de Conexión",
+    "logRetentionConnectionDescription": "Cuánto tiempo conservar los registros de conexión",
    "logRetentionDisabled": "Deshabilitado",
    "logRetention3Days": "3 días",
    "logRetention7Days": "7 días",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Fin del año siguiente",
    "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
    "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
-    "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> para utilizar esta función. Esta característica también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>versión Enterprise</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Registros de conexión",
+    "connectionLogsDescription": "Ver registros de conexión para túneles en esta organización",
+    "sidebarLogsConnection": "Registros de conexión",
+    "sidebarLogsStreaming": "Transmisión",
+    "sourceAddress": "Dirección de origen",
+    "destinationAddress": "Dirección de destino",
+    "duration": "Duración",
+    "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> para usar esta función. <bookADemoLink>Reserve una demostración o prueba POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserva una demostración o prueba POC</bookADemoLink>.",
    "certResolver": "Resolver certificado",
    "certResolverDescription": "Seleccione la resolución de certificados a utilizar para este recurso.",
    "selectCertResolver": "Seleccionar Resolver Certificado",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Habilitar aprobaciones de dispositivo",
    "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
    "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
-    "approvalsEmptyStateButtonText": "Administrar roles"
+    "approvalsEmptyStateButtonText": "Administrar roles",
+    "domainErrorTitle": "Estamos teniendo problemas para verificar su dominio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configure el mapeo de roles y las políticas de organización en la pestaña <policiesTabLink>Configuración de provisión automática</policiesTabLink>.",
+    "streamingTitle": "Transmisión de Eventos",
+    "streamingDescription": "Transmita eventos desde su organización a destinos externos en tiempo real.",
+    "streamingUnnamedDestination": "Destino sin nombre",
+    "streamingNoUrlConfigured": "No hay URL configurada",
+    "streamingAddDestination": "Añadir destino",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Enviar eventos a cualquier extremo HTTP con autenticación flexible y plantilla.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Transmite eventos a un bucket de almacenamiento de objetos compatible con S3. Próximamente.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Reenviar eventos directamente a tu cuenta de Datadog. Próximamente.",
+    "streamingTypePickerDescription": "Elija un tipo de destino para empezar.",
+    "streamingFailedToLoad": "Error al cargar destinos",
+    "streamingUnexpectedError": "Se ha producido un error inesperado.",
+    "streamingFailedToUpdate": "Error al actualizar destino",
+    "streamingDeletedSuccess": "Destino eliminado correctamente",
+    "streamingFailedToDelete": "Error al eliminar destino",
+    "streamingDeleteTitle": "Eliminar destino",
+    "streamingDeleteButtonText": "Eliminar destino",
+    "streamingDeleteDialogAreYouSure": "¿Está seguro que desea eliminar",
+    "streamingDeleteDialogThisDestination": "este destino",
+    "streamingDeleteDialogPermanentlyRemoved": "? Toda la configuración se eliminará permanentemente.",
+    "httpDestEditTitle": "Editar destino",
+    "httpDestAddTitle": "Añadir destino HTTP",
+    "httpDestEditDescription": "Actualizar la configuración para este destino de transmisión de eventos HTTP.",
+    "httpDestAddDescription": "Configure un nuevo extremo HTTP para recibir los eventos de su organización.",
+    "httpDestTabSettings": "Ajustes",
+    "httpDestTabHeaders": "Encabezados",
+    "httpDestTabBody": "Cuerpo",
+    "httpDestTabLogs": "Registros",
+    "httpDestNamePlaceholder": "Mi destino HTTP",
+    "httpDestUrlLabel": "URL de destino",
+    "httpDestUrlErrorHttpRequired": "URL debe usar http o https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS es necesario en implementaciones en la nube",
+    "httpDestUrlErrorInvalid": "Introduzca una URL válida (ej. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticación",
+    "httpDestAuthDescription": "Elija cómo están autenticadas las solicitudes en su punto final.",
+    "httpDestAuthNoneTitle": "Sin autenticación",
+    "httpDestAuthNoneDescription": "Envía solicitudes sin un encabezado de autorización.",
+    "httpDestAuthBearerTitle": "Tóken de portador",
+    "httpDestAuthBearerDescription": "Añade una autorización: portador <token> encabezado a cada solicitud.",
+    "httpDestAuthBearerPlaceholder": "Tu clave o token API",
+    "httpDestAuthBasicTitle": "Auth Básica",
+    "httpDestAuthBasicDescription": "Añade una Autorización: encabezado básico <credentials> . Proporcione credenciales como nombre de usuario: contraseña.",
+    "httpDestAuthBasicPlaceholder": "usuario:contraseña",
+    "httpDestAuthCustomTitle": "Cabecera personalizada",
+    "httpDestAuthCustomDescription": "Especifique un nombre de cabecera HTTP personalizado y un valor para la autenticación (por ejemplo, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nombre de cabecera (ej. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valor de cabecera",
+    "httpDestCustomHeadersTitle": "Cabeceras HTTP personalizadas",
+    "httpDestCustomHeadersDescription": "Añadir cabeceras personalizadas a cada petición saliente. Útil para tokens estáticos o un tipo de contenido personalizado. De forma predeterminada, Content Type: application/json es enviado.",
+    "httpDestNoHeadersConfigured": "No hay cabeceras personalizadas. Haga clic en \"Añadir cabecera\" para añadir una.",
+    "httpDestHeaderNamePlaceholder": "Nombre de cabecera",
+    "httpDestHeaderValuePlaceholder": "Valor",
+    "httpDestAddHeader": "Añadir cabecera",
+    "httpDestBodyTemplateTitle": "Plantilla de cuerpo personalizada",
+    "httpDestBodyTemplateDescription": "Controla la estructura de carga de JSON enviada a tu punto final. Si está desactivado, se envía un objeto JSON por defecto para cada evento.",
+    "httpDestEnableBodyTemplate": "Activar plantilla de cuerpo personalizado",
+    "httpDestBodyTemplateLabel": "Plantilla de cuerpo (JSON)",
+    "httpDestBodyTemplateHint": "Utilice variables de plantilla para referenciar los campos del evento en su carga útil.",
+    "httpDestPayloadFormatTitle": "Formato de carga",
+    "httpDestPayloadFormatDescription": "Cómo se serializan los eventos en cada cuerpo de solicitud.",
+    "httpDestFormatJsonArrayTitle": "Matriz JSON",
+    "httpDestFormatJsonArrayDescription": "Una petición por lote, cuerpo es una matriz JSON. Compatible con la mayoría de los webhooks y Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Una petición por lote, el cuerpo es JSON delimitado por línea — un objeto por línea, sin arrays externos. Requerido por Splunk HEC, Elastic / OpenSearch, y Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un evento por solicitud",
+    "httpDestFormatSingleDescription": "Envía un HTTP POST separado para cada evento individual. Úsalo sólo para los extremos que no pueden manejar lotes.",
+    "httpDestLogTypesTitle": "Tipos de Log",
+    "httpDestLogTypesDescription": "Elija qué tipos de registro son reenviados a este destino. Sólo los tipos de registro habilitados serán transmitidos.",
+    "httpDestAccessLogsTitle": "Registros de acceso",
+    "httpDestAccessLogsDescription": "Intentos de acceso a recursos, incluyendo solicitudes autenticadas y denegadas.",
+    "httpDestActionLogsTitle": "Registros de acción",
+    "httpDestActionLogsDescription": "Acciones administrativas realizadas por los usuarios dentro de la organización.",
+    "httpDestConnectionLogsTitle": "Registros de conexión",
+    "httpDestConnectionLogsDescription": "Eventos de conexión de sitios y túneles, incluyendo conexiones y desconexiones.",
+    "httpDestRequestLogsTitle": "Registros de Solicitud",
+    "httpDestRequestLogsDescription": "Registros de peticiones HTTP para recursos proxyficados, incluyendo método, ruta y código de respuesta.",
+    "httpDestSaveChanges": "Guardar Cambios",
+    "httpDestCreateDestination": "Crear destino",
+    "httpDestUpdatedSuccess": "Destino actualizado correctamente",
+    "httpDestCreatedSuccess": "Destino creado correctamente",
+    "httpDestUpdateFailed": "Error al actualizar destino",
+    "httpDestCreateFailed": "Error al crear el destino"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -148,6 +148,11 @@
    "createLink": "Créer un lien",
    "resourcesNotFound": "Aucune ressource trouvée",
    "resourceSearch": "Rechercher des ressources",
+    "machineSearch": "Rechercher des machines",
+    "machinesSearch": "Rechercher des clients de la machine...",
+    "machineNotFound": "Aucune machine trouvée",
+    "userDeviceSearch": "Rechercher des périphériques utilisateur",
+    "userDevicesSearch": "Rechercher des appareils utilisateurs...",
    "openMenu": "Ouvrir le menu",
    "resource": "Ressource",
    "title": "Titre de la page",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxy les demandes sur HTTPS en utilisant un nom de domaine entièrement qualifié.",
    "resourceRaw": "Ressource TCP/UDP brute",
    "resourceRawDescription": "Proxy les demandes sur TCP/UDP brut en utilisant un numéro de port.",
-    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. REQUISE L'UTILISATION D'UN Nœud DE REMOTE.",
+    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. Nécessite des sites pour se connecter à un noeud distant.",
    "resourceCreate": "Créer une ressource",
    "resourceCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle ressource",
    "resourceSeeAll": "Voir toutes les ressources",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Supprimer la clé d'API",
    "apiKeysManage": "Gérer les clés d'API",
    "apiKeysDescription": "Les clés d'API sont utilisées pour s'authentifier avec l'API d'intégration",
+    "provisioningKeysTitle": "Clé de provisioning",
+    "provisioningKeysManage": "Gérer les clés de provisioning",
+    "provisioningKeysDescription": "Les clés de provisioning sont utilisées pour authentifier la fourniture automatique de sites pour votre organisation.",
+    "provisioningManage": "Mise en place",
+    "provisioningDescription": "Gérer les clés de provisioning et examiner les sites en attente d'approbation.",
+    "pendingSites": "Sites en attente",
+    "siteApproveSuccess": "Site approuvé avec succès",
+    "siteApproveError": "Erreur lors de l'approbation du site",
+    "provisioningKeys": "Clés de provisionnement",
+    "searchProvisioningKeys": "Recherche des clés de provision...",
+    "provisioningKeysAdd": "Générer une clé de provisioning",
+    "provisioningKeysErrorDelete": "Erreur lors de la suppression de la clé de provisioning",
+    "provisioningKeysErrorDeleteMessage": "Erreur lors de la suppression de la clé de provisioning",
+    "provisioningKeysQuestionRemove": "Êtes-vous sûr de vouloir supprimer cette clé de provisioning de l'organisation ?",
+    "provisioningKeysMessageRemove": "Une fois supprimée, la clé ne peut plus être utilisée pour le provisionnement du site.",
+    "provisioningKeysDeleteConfirm": "Confirmer la suppression de la clé de provisioning",
+    "provisioningKeysDelete": "Supprimer la clé de provisioning",
+    "provisioningKeysCreate": "Générer une clé de provisioning",
+    "provisioningKeysCreateDescription": "Générer une nouvelle clé de provisioning pour l'organisation",
+    "provisioningKeysSeeAll": "Voir toutes les clés de provisioning",
+    "provisioningKeysSave": "Enregistrer la clé de provisioning",
+    "provisioningKeysSaveDescription": "Vous ne pourrez voir cela qu'une seule fois. Copiez-le dans un endroit sécurisé.",
+    "provisioningKeysErrorCreate": "Erreur lors de la création de la clé de provisioning",
+    "provisioningKeysList": "Nouvelle clé de provisioning",
+    "provisioningKeysMaxBatchSize": "Taille maximale du lot",
+    "provisioningKeysUnlimitedBatchSize": "Taille de lot illimitée (sans limite)",
+    "provisioningKeysMaxBatchUnlimited": "Illimité",
+    "provisioningKeysMaxBatchSizeInvalid": "Entrez une taille de lot maximale valide (1–1 000 000).",
+    "provisioningKeysValidUntil": "Valable jusqu'au",
+    "provisioningKeysValidUntilHint": "Laisser vide pour ne pas expirer.",
+    "provisioningKeysValidUntilInvalid": "Entrez une date et une heure valides.",
+    "provisioningKeysNumUsed": "Nombre de fois utilisées",
+    "provisioningKeysLastUsed": "Dernière utilisation",
+    "provisioningKeysNoExpiry": "Pas d'expiration",
+    "provisioningKeysNeverUsed": "Jamais",
+    "provisioningKeysEdit": "Modifier la clé de provisioning",
+    "provisioningKeysEditDescription": "Mettre à jour la taille maximale du lot et la durée d'expiration de cette clé.",
+    "provisioningKeysApproveNewSites": "Approuver les nouveaux sites",
+    "provisioningKeysApproveNewSitesDescription": "Approuver automatiquement les sites qui s'inscrivent avec cette clé.",
+    "provisioningKeysUpdateError": "Erreur lors de la mise à jour de la clé de provisioning",
+    "provisioningKeysUpdated": "Clé de provisioning mise à jour",
+    "provisioningKeysUpdatedDescription": "Vos modifications ont été enregistrées.",
+    "provisioningKeysBannerTitle": "Clés de provisioning du site",
+    "provisioningKeysBannerDescription": "Générez une clé de provisioning et utilisez-la avec le connecteur Newt pour créer automatiquement des sites au premier démarrage — pas besoin de configurer des identifiants distincts pour chaque site.",
+    "provisioningKeysBannerButtonText": "En savoir plus",
+    "pendingSitesBannerTitle": "Sites en attente",
+    "pendingSitesBannerDescription": "Les sites qui se connectent à l'aide d'une clé de provisioning apparaissent ici pour être revus. Approuver chaque site avant qu'il ne devienne actif et qu'il accède à vos ressources.",
+    "pendingSitesBannerButtonText": "En savoir plus",
    "apiKeysSettings": "Paramètres de {apiKeyName}",
    "userTitle": "Gérer tous les utilisateurs",
    "userDescription": "Voir et gérer tous les utilisateurs du système",
@@ -509,9 +562,12 @@
    "userSaved": "Utilisateur enregistré",
    "userSavedDescription": "L'utilisateur a été mis à jour.",
    "autoProvisioned": "Auto-provisionné",
+    "autoProvisionSettings": "Paramètres de la fourniture automatique",
    "autoProvisionedDescription": "Permettre à cet utilisateur d'être géré automatiquement par le fournisseur d'identité",
    "accessControlsDescription": "Gérer ce que cet utilisateur peut accéder et faire dans l'organisation",
    "accessControlsSubmit": "Enregistrer les contrôles d'accès",
+    "singleRolePerUserPlanNotice": "Votre plan ne prend en charge qu'un seul rôle par utilisateur.",
+    "singleRolePerUserEditionNotice": "Cette édition ne prend en charge qu'un rôle par utilisateur.",
    "roles": "Rôles",
    "accessUsersRoles": "Gérer les utilisateurs et les rôles",
    "accessUsersRolesDescription": "Invitez des utilisateurs et ajoutez-les aux rôles pour gérer l'accès à l'organisation",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Entrez le jeton de configuration depuis la console du serveur.",
    "setupTokenRequired": "Le jeton de configuration est requis.",
    "actionUpdateSite": "Mettre à jour un site",
+    "actionResetSiteBandwidth": "Réinitialiser la bande passante de l'organisation",
    "actionListSiteRoles": "Lister les rôles autorisés du site",
    "actionCreateResource": "Créer une ressource",
    "actionDeleteResource": "Supprimer une ressource",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Supprimer un utilisateur",
    "actionListUsers": "Lister les utilisateurs",
    "actionAddUserRole": "Ajouter un rôle utilisateur",
+    "actionSetUserOrgRoles": "Définir les rôles de l'utilisateur",
    "actionGenerateAccessToken": "Générer un jeton d'accès",
    "actionDeleteAccessToken": "Supprimer un jeton d'accès",
    "actionListAccessTokens": "Lister les jetons d'accès",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Rôles",
    "sidebarShareableLinks": "Liens",
    "sidebarApiKeys": "Clés API",
+    "sidebarProvisioning": "Mise en place",
    "sidebarSettings": "Réglages",
    "sidebarAllUsers": "Tous les utilisateurs",
    "sidebarIdentityProviders": "Fournisseurs d'identité",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Espace de noms : {namespace}",
    "domainPickerShowMore": "Afficher plus",
    "regionSelectorTitle": "Sélectionner Région",
+    "domainPickerRemoteExitNodeWarning": "Les domaines fournis ne sont pas pris en charge lorsque les sites se connectent à des nœuds de sortie distants. Pour que les ressources soient disponibles sur des nœuds distants, utilisez un domaine personnalisé à la place.",
    "regionSelectorInfo": "Sélectionner une région nous aide à offrir de meilleures performances pour votre localisation. Vous n'avez pas besoin d'être dans la même région que votre serveur.",
    "regionSelectorPlaceholder": "Choisissez une région",
    "regionSelectorComingSoon": "Bientôt disponible",
@@ -1888,6 +1948,40 @@
    "exitNode": "Nœud de sortie",
    "country": "Pays",
    "rulesMatchCountry": "Actuellement basé sur l'IP source",
+    "region": "Région",
+    "selectRegion": "Sélectionner une région",
+    "searchRegions": "Rechercher des régions...",
+    "noRegionFound": "Aucune région trouvée.",
+    "rulesMatchRegion": "Sélectionnez un groupement régional de pays",
+    "rulesErrorInvalidRegion": "Région invalide",
+    "rulesErrorInvalidRegionDescription": "Veuillez sélectionner une région valide.",
+    "regionAfrica": "L'Afrique",
+    "regionNorthernAfrica": "Afrique du Nord",
+    "regionEasternAfrica": "Afrique de l'Est",
+    "regionMiddleAfrica": "Afrique Moyenne",
+    "regionSouthernAfrica": "Afrique australe",
+    "regionWesternAfrica": "Afrique de l'Ouest",
+    "regionAmericas": "Amériques",
+    "regionCaribbean": "Caraïbes",
+    "regionCentralAmerica": "Amérique centrale",
+    "regionSouthAmerica": "Amérique du Sud",
+    "regionNorthernAmerica": "Amérique du Nord",
+    "regionAsia": "L'Asie",
+    "regionCentralAsia": "Asie centrale",
+    "regionEasternAsia": "Asie de l'Est",
+    "regionSouthEasternAsia": "Asie du Sud-Est",
+    "regionSouthernAsia": "Asie du Sud",
+    "regionWesternAsia": "Asie de l'Ouest",
+    "regionEurope": "L’Europe",
+    "regionEasternEurope": "Europe de l'Est",
+    "regionNorthernEurope": "Europe du Nord",
+    "regionSouthernEurope": "Europe du Sud",
+    "regionWesternEurope": "Europe occidentale",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australie et Nouvelle-Zélande",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Gestion autonome",
        "description": "Serveur Pangolin auto-hébergé avec des cloches et des sifflets supplémentaires",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Valeur non valide",
    "idpTypeLabel": "Type de fournisseur d'identité",
    "roleMappingExpressionPlaceholder": "ex: contenu(groupes) && 'admin' || 'membre'",
+    "roleMappingModeFixedRoles": "Rôles fixes",
+    "roleMappingModeMappingBuilder": "Constructeur de cartographie",
+    "roleMappingModeRawExpression": "Expression brute",
+    "roleMappingFixedRolesPlaceholderSelect": "Sélectionnez un ou plusieurs rôles",
+    "roleMappingFixedRolesPlaceholderFreeform": "Tapez les noms des rôles (correspondance exacte par organisation)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assigner le même jeu de rôles à chaque utilisateur auto-provisionné.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Pour les politiques par défaut, les noms de rôles de type qui existent dans chaque organisation où les utilisateurs sont fournis. Les noms doivent correspondre exactement.",
+    "roleMappingClaimPath": "Chemin de revendication",
+    "roleMappingClaimPathPlaceholder": "Groupes",
+    "roleMappingClaimPathDescription": "Chemin dans le bloc de jeton qui contient les valeurs source (par exemple, les groupes).",
+    "roleMappingMatchValue": "Valeur de la correspondance",
+    "roleMappingAssignRoles": "Assigner des rôles",
+    "roleMappingAddMappingRule": "Ajouter une règle de mappage",
+    "roleMappingRawExpressionResultDescription": "L'expression doit être évaluée à une chaîne ou un tableau de chaînes.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "L'expression doit être évaluée à une chaîne (un seul nom de rôle).",
+    "roleMappingMatchValuePlaceholder": "Valeur de la correspondance (par exemple: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Tapez les noms des rôles (exact par org)",
+    "roleMappingBuilderFreeformRowHint": "Les noms de rôle doivent correspondre à un rôle dans chaque organisation cible.",
+    "roleMappingRemoveRule": "Supprimer",
    "idpGoogleConfiguration": "Configuration Google",
    "idpGoogleConfigurationDescription": "Configurer les identifiants Google OAuth2",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Durée de conservation des journaux d'accès",
    "logRetentionActionLabel": "Retention du journal des actions",
    "logRetentionActionDescription": "Durée de conservation du journal des actions",
+    "logRetentionConnectionLabel": "Rétention du journal de connexion",
+    "logRetentionConnectionDescription": "Durée de conservation des logs de connexion",
    "logRetentionDisabled": "Désactivé",
    "logRetention3Days": "3 jours",
    "logRetention7Days": "7 jours",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Fin de l'année suivante",
    "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
    "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
-    "licenseRequiredToUse": "Une licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> est nécessaire pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Journaux de connexion",
+    "connectionLogsDescription": "Voir les journaux de connexion pour les tunnels de cette organisation",
+    "sidebarLogsConnection": "Journaux de connexion",
+    "sidebarLogsStreaming": "Streaming en cours",
+    "sourceAddress": "Adresse source",
+    "destinationAddress": "Adresse de destination",
+    "duration": "Durée",
+    "licenseRequiredToUse": "Une <enterpriseLicenseLink>licence Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> est requise pour utiliser cette fonctionnalité. <bookADemoLink>Réservez une démonstration ou une évaluation de POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Réservez une démo ou un essai POC</bookADemoLink>.",
    "certResolver": "Résolveur de certificat",
    "certResolverDescription": "Sélectionnez le solveur de certificat à utiliser pour cette ressource.",
    "selectCertResolver": "Sélectionnez le résolveur de certificat",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Activer les autorisations de l'appareil",
    "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
    "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
-    "approvalsEmptyStateButtonText": "Gérer les rôles"
+    "approvalsEmptyStateButtonText": "Gérer les rôles",
+    "domainErrorTitle": "Nous avons des difficultés à vérifier votre domaine",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configurer les politiques de mappage des rôles et de l'organisation dans l'onglet <policiesTabLink>Paramètres de la fourniture automatique</policiesTabLink>.",
+    "streamingTitle": "Streaming d'événements",
+    "streamingDescription": "Diffusez en temps réel des événements de votre organisation vers des destinations externes.",
+    "streamingUnnamedDestination": "Destination sans nom",
+    "streamingNoUrlConfigured": "Aucune URL configurée",
+    "streamingAddDestination": "Ajouter une destination",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Envoyez des événements à n'importe quel point de terminaison HTTP avec une authentification flexible et un template.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Flux d'événements vers un compartiment de stockage d'objet compatible S3. Bientôt.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Transférer des événements directement sur votre compte Datadog. Prochainement.",
+    "streamingTypePickerDescription": "Choisissez un type de destination pour commencer.",
+    "streamingFailedToLoad": "Impossible de charger les destinations",
+    "streamingUnexpectedError": "Une erreur inattendue s'est produite.",
+    "streamingFailedToUpdate": "Impossible de mettre à jour la destination",
+    "streamingDeletedSuccess": "Destination supprimée avec succès",
+    "streamingFailedToDelete": "Impossible de supprimer la destination",
+    "streamingDeleteTitle": "Supprimer la destination",
+    "streamingDeleteButtonText": "Supprimer la destination",
+    "streamingDeleteDialogAreYouSure": "Êtes-vous sûr de vouloir supprimer",
+    "streamingDeleteDialogThisDestination": "cette destination",
+    "streamingDeleteDialogPermanentlyRemoved": "? Toutes les configurations seront définitivement supprimées.",
+    "httpDestEditTitle": "Modifier la destination",
+    "httpDestAddTitle": "Ajouter une destination HTTP",
+    "httpDestEditDescription": "Mettre à jour la configuration pour cette destination de streaming d'événements HTTP.",
+    "httpDestAddDescription": "Configurez un nouveau point de terminaison HTTP pour recevoir les événements de votre organisation.",
+    "httpDestTabSettings": "Réglages",
+    "httpDestTabHeaders": "En-têtes",
+    "httpDestTabBody": "Corps",
+    "httpDestTabLogs": "Journaux",
+    "httpDestNamePlaceholder": "Ma destination HTTP",
+    "httpDestUrlLabel": "URL de destination",
+    "httpDestUrlErrorHttpRequired": "L'URL doit utiliser http ou https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS est requis pour les déploiements du cloud",
+    "httpDestUrlErrorInvalid": "Entrez une URL valide (par exemple https://example.com/webhook)",
+    "httpDestAuthTitle": "Authentification",
+    "httpDestAuthDescription": "Choisissez comment les requêtes à votre terminaison sont authentifiées.",
+    "httpDestAuthNoneTitle": "Aucune authentification",
+    "httpDestAuthNoneDescription": "Envoie des requêtes sans en-tête d'autorisation.",
+    "httpDestAuthBearerTitle": "Jeton de Porteur",
+    "httpDestAuthBearerDescription": "Ajoute un en-tête Authorization: Bearer <token> à chaque requête.",
+    "httpDestAuthBearerPlaceholder": "Votre clé API ou votre jeton",
+    "httpDestAuthBasicTitle": "Authentification basique",
+    "httpDestAuthBasicDescription": "Ajoute une autorisation : en-tête de base <credentials> . Fournissez des informations d'identification comme nom d'utilisateur:mot de passe.",
+    "httpDestAuthBasicPlaceholder": "nom d'utilisateur:mot de passe",
+    "httpDestAuthCustomTitle": "En-tête personnalisé",
+    "httpDestAuthCustomDescription": "Spécifiez un nom d'en-tête HTTP personnalisé et une valeur pour l'authentification (par exemple X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nom de l'en-tête (par exemple X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valeur de l'en-tête",
+    "httpDestCustomHeadersTitle": "En-têtes HTTP personnalisés",
+    "httpDestCustomHeadersDescription": "Ajouter des en-têtes personnalisés à chaque requête sortante. Utile pour les jetons statiques ou un type de contenu personnalisé. Par défaut, Content-Type: application/json est envoyé.",
+    "httpDestNoHeadersConfigured": "Aucun en-tête personnalisé configuré. Cliquez sur \"Ajouter un en-tête\" pour en ajouter un.",
+    "httpDestHeaderNamePlaceholder": "Nom de l'en-tête",
+    "httpDestHeaderValuePlaceholder": "Valeur",
+    "httpDestAddHeader": "Ajouter un en-tête",
+    "httpDestBodyTemplateTitle": "Modèle de corps personnalisé",
+    "httpDestBodyTemplateDescription": "Contrôle la structure de charge utile JSON envoyée à votre terminal. Si désactivé, un objet JSON par défaut est envoyé pour chaque événement.",
+    "httpDestEnableBodyTemplate": "Activer le modèle de corps personnalisé",
+    "httpDestBodyTemplateLabel": "Modèle de corps (JSON)",
+    "httpDestBodyTemplateHint": "Utilisez les variables de modèle pour référencer les champs d'événement dans votre charge utile.",
+    "httpDestPayloadFormatTitle": "Format de la charge utile",
+    "httpDestPayloadFormatDescription": "Comment les événements sont sérialisés dans chaque corps de requête.",
+    "httpDestFormatJsonArrayTitle": "Tableau JSON",
+    "httpDestFormatJsonArrayDescription": "Une requête par lot, le corps est un tableau JSON. Compatible avec la plupart des webhooks génériques et des datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Une requête par lot, body est un JSON délimité par une nouvelle ligne — un objet par ligne, pas de tableau extérieur. Requis par Splunk HEC, Elastic / OpenSearch, et Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un événement par demande",
+    "httpDestFormatSingleDescription": "Envoie un POST HTTP séparé pour chaque événement individuel. Utilisé uniquement pour les terminaux qui ne peuvent pas gérer des lots.",
+    "httpDestLogTypesTitle": "Types de logs",
+    "httpDestLogTypesDescription": "Choisissez quels types de journaux sont envoyés à cette destination. Seuls les types de journaux activés seront diffusés.",
+    "httpDestAccessLogsTitle": "Journaux d'accès",
+    "httpDestAccessLogsDescription": "Tentatives d'accès aux ressources, y compris les demandes authentifiées et refusées.",
+    "httpDestActionLogsTitle": "Journaux des actions",
+    "httpDestActionLogsDescription": "Actions administratives effectuées par les utilisateurs au sein de l'organisation.",
+    "httpDestConnectionLogsTitle": "Journaux de connexion",
+    "httpDestConnectionLogsDescription": "Événements de connexion du site et du tunnel, y compris les connexions et les déconnexions.",
+    "httpDestRequestLogsTitle": "Journal des requêtes",
+    "httpDestRequestLogsDescription": "Journaux des requêtes HTTP pour les ressources proxiées, y compris la méthode, le chemin et le code de réponse.",
+    "httpDestSaveChanges": "Enregistrer les modifications",
+    "httpDestCreateDestination": "Créer une destination",
+    "httpDestUpdatedSuccess": "Destination mise à jour avec succès",
+    "httpDestCreatedSuccess": "Destination créée avec succès",
+    "httpDestUpdateFailed": "Impossible de mettre à jour la destination",
+    "httpDestCreateFailed": "Impossible de créer la destination"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -148,6 +148,11 @@
    "createLink": "Crea Collegamento",
    "resourcesNotFound": "Nessuna risorsa trovata",
    "resourceSearch": "Cerca risorse",
+    "machineSearch": "Ricerca macchine",
+    "machinesSearch": "Cerca client macchina...",
+    "machineNotFound": "Nessuna macchina trovata",
+    "userDeviceSearch": "Cerca dispositivi utente",
+    "userDevicesSearch": "Cerca dispositivi utente...",
    "openMenu": "Apri menu",
    "resource": "Risorsa",
    "title": "Titolo",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
    "resourceRaw": "Risorsa Raw TCP/UDP",
    "resourceRawDescription": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta.",
-    "resourceRawDescriptionCloud": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta. RICHIEDE L'USO DI UN NODO REMOTO.",
+    "resourceRawDescriptionCloud": "Richiesta proxy su TCP/UDP grezzo utilizzando un numero di porta. Richiede siti per connettersi a un nodo remoto.",
    "resourceCreate": "Crea Risorsa",
    "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
    "resourceSeeAll": "Vedi Tutte Le Risorse",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Elimina Chiave API",
    "apiKeysManage": "Gestisci Chiavi API",
    "apiKeysDescription": "Le chiavi API sono utilizzate per autenticarsi con l'API di integrazione",
+    "provisioningKeysTitle": "Chiave Di Provvedimento",
+    "provisioningKeysManage": "Gestisci Chiavi Di Provvedimento",
+    "provisioningKeysDescription": "Le chiavi di provisioning vengono utilizzate per autenticare il provisioning automatico del sito per la tua organizzazione.",
+    "provisioningManage": "Accantonamento",
+    "provisioningDescription": "Gestire le chiavi di provisioning e rivedere i siti in attesa di approvazione.",
+    "pendingSites": "Siti In Attesa",
+    "siteApproveSuccess": "Sito approvato con successo",
+    "siteApproveError": "Errore nell'approvazione del sito",
+    "provisioningKeys": "Chiavi Di Provvedimento",
+    "searchProvisioningKeys": "Cerca i tasti di provisioning ...",
+    "provisioningKeysAdd": "Genera Chiave Di Provvedimento",
+    "provisioningKeysErrorDelete": "Errore nell'eliminare la chiave di provisioning",
+    "provisioningKeysErrorDeleteMessage": "Errore nell'eliminare la chiave di provisioning",
+    "provisioningKeysQuestionRemove": "Sei sicuro di voler rimuovere questa chiave di provisioning dall'organizzazione?",
+    "provisioningKeysMessageRemove": "Una volta rimossa, la chiave non può più essere utilizzata per il provisioning.",
+    "provisioningKeysDeleteConfirm": "Conferma Elimina Chiave Provvisoria",
+    "provisioningKeysDelete": "Elimina chiave di provisioning",
+    "provisioningKeysCreate": "Genera Chiave Di Provvedimento",
+    "provisioningKeysCreateDescription": "Genera una nuova chiave di provisioning per l'organizzazione",
+    "provisioningKeysSeeAll": "Vedi tutte le chiavi di provisioning",
+    "provisioningKeysSave": "Salva la chiave di provisioning",
+    "provisioningKeysSaveDescription": "Sarai in grado di vedere solo una volta. Copiarlo in un posto sicuro.",
+    "provisioningKeysErrorCreate": "Errore nella creazione della chiave di provisioning",
+    "provisioningKeysList": "Nuova chiave di provisioning",
+    "provisioningKeysMaxBatchSize": "Dimensione massima lotto",
+    "provisioningKeysUnlimitedBatchSize": "Dimensione illimitata del lotto (nessun limite)",
+    "provisioningKeysMaxBatchUnlimited": "Illimitato",
+    "provisioningKeysMaxBatchSizeInvalid": "Inserisci un lotto massimo valido (1–1.000.000).",
+    "provisioningKeysValidUntil": "Valido fino al",
+    "provisioningKeysValidUntilHint": "Lasciare vuoto per nessuna scadenza.",
+    "provisioningKeysValidUntilInvalid": "Inserisci una data e ora valide.",
+    "provisioningKeysNumUsed": "Volte usate",
+    "provisioningKeysLastUsed": "Ultimo utilizzo",
+    "provisioningKeysNoExpiry": "Nessuna scadenza",
+    "provisioningKeysNeverUsed": "Mai",
+    "provisioningKeysEdit": "Modifica Chiave Di Provvedimento",
+    "provisioningKeysEditDescription": "Aggiorna la dimensione massima del lotto e il tempo di scadenza per questa chiave.",
+    "provisioningKeysApproveNewSites": "Approva nuovi siti",
+    "provisioningKeysApproveNewSitesDescription": "Approvare automaticamente i siti che si registrano con questa chiave.",
+    "provisioningKeysUpdateError": "Errore nell'aggiornamento della chiave di provisioning",
+    "provisioningKeysUpdated": "Chiave di accantonamento aggiornata",
+    "provisioningKeysUpdatedDescription": "Le tue modifiche sono state salvate.",
+    "provisioningKeysBannerTitle": "Chiavi Di Provvedimento Sito",
+    "provisioningKeysBannerDescription": "Generare una chiave di provisioning e usarla con il connettore Newt per creare automaticamente siti al primo avvio — non è necessario impostare credenziali separate per ogni sito.",
+    "provisioningKeysBannerButtonText": "Scopri di più",
+    "pendingSitesBannerTitle": "Siti In Attesa",
+    "pendingSitesBannerDescription": "I siti che si connettono utilizzando una chiave di provisioning appaiono qui per la revisione. Approva ogni sito prima che diventi attivo e ottenga l'accesso alle tue risorse.",
+    "pendingSitesBannerButtonText": "Scopri di più",
    "apiKeysSettings": "Impostazioni {apiKeyName}",
    "userTitle": "Gestisci Tutti Gli Utenti",
    "userDescription": "Visualizza e gestisci tutti gli utenti del sistema",
@@ -509,9 +562,12 @@
    "userSaved": "Utente salvato",
    "userSavedDescription": "L'utente è stato aggiornato.",
    "autoProvisioned": "Auto Provisioned",
+    "autoProvisionSettings": "Impostazioni Automatiche Di Fornitura",
    "autoProvisionedDescription": "Permetti a questo utente di essere gestito automaticamente dal provider di identità",
    "accessControlsDescription": "Gestisci cosa questo utente può accedere e fare nell'organizzazione",
    "accessControlsSubmit": "Salva Controlli di Accesso",
+    "singleRolePerUserPlanNotice": "Il tuo piano supporta solo un ruolo per utente.",
+    "singleRolePerUserEditionNotice": "Questa edizione supporta solo un ruolo per utente.",
    "roles": "Ruoli",
    "accessUsersRoles": "Gestisci Utenti e Ruoli",
    "accessUsersRolesDescription": "Invita gli utenti e aggiungili ai ruoli per gestire l'accesso all'organizzazione",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Inserisci il token di configurazione dalla console del server.",
    "setupTokenRequired": "Il token di configurazione è richiesto",
    "actionUpdateSite": "Aggiorna Sito",
+    "actionResetSiteBandwidth": "Reimposta Larghezza Banda Dell'Organizzazione",
    "actionListSiteRoles": "Elenca Ruoli Sito Consentiti",
    "actionCreateResource": "Crea Risorsa",
    "actionDeleteResource": "Elimina Risorsa",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Rimuovi Utente",
    "actionListUsers": "Elenca Utenti",
    "actionAddUserRole": "Aggiungi Ruolo Utente",
+    "actionSetUserOrgRoles": "Imposta Ruoli Utente",
    "actionGenerateAccessToken": "Genera Token di Accesso",
    "actionDeleteAccessToken": "Elimina Token di Accesso",
    "actionListAccessTokens": "Elenca Token di Accesso",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Ruoli",
    "sidebarShareableLinks": "Collegamenti",
    "sidebarApiKeys": "Chiavi API",
+    "sidebarProvisioning": "Accantonamento",
    "sidebarSettings": "Impostazioni",
    "sidebarAllUsers": "Tutti Gli Utenti",
    "sidebarIdentityProviders": "Fornitori Di Identità",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mostra Altro",
    "regionSelectorTitle": "Seleziona regione",
+    "domainPickerRemoteExitNodeWarning": "I domini forniti non sono supportati quando i siti si connettono a nodi di uscita remoti. Affinché le risorse siano disponibili su nodi remoti, utilizza invece un dominio personalizzato.",
    "regionSelectorInfo": "Selezionare una regione ci aiuta a fornire migliori performance per la tua posizione. Non devi necessariamente essere nella stessa regione del tuo server.",
    "regionSelectorPlaceholder": "Scegli una regione",
    "regionSelectorComingSoon": "Prossimamente",
@@ -1888,6 +1948,40 @@
    "exitNode": "Nodo di Uscita",
    "country": "Paese",
    "rulesMatchCountry": "Attualmente basato sull'IP di origine",
+    "region": "Regione",
+    "selectRegion": "Seleziona regione",
+    "searchRegions": "Cerca regioni...",
+    "noRegionFound": "Nessuna regione trovata.",
+    "rulesMatchRegion": "Seleziona un raggruppamento regionale di paesi",
+    "rulesErrorInvalidRegion": "Regione non valida",
+    "rulesErrorInvalidRegionDescription": "Seleziona una regione valida.",
+    "regionAfrica": "Africa",
+    "regionNorthernAfrica": "Africa Settentrionale",
+    "regionEasternAfrica": "Africa Orientale",
+    "regionMiddleAfrica": "Africa Centrale",
+    "regionSouthernAfrica": "Africa Meridionale",
+    "regionWesternAfrica": "Africa Occidentale",
+    "regionAmericas": "Americhe",
+    "regionCaribbean": "Caraibi",
+    "regionCentralAmerica": "America Centrale",
+    "regionSouthAmerica": "America Del Sud",
+    "regionNorthernAmerica": "America Del Nord",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Asia Centrale",
+    "regionEasternAsia": "Asia Orientale",
+    "regionSouthEasternAsia": "Asia Sudorientale",
+    "regionSouthernAsia": "Asia Meridionale",
+    "regionWesternAsia": "Asia Occidentale",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Orientale",
+    "regionNorthernEurope": "Europa Settentrionale",
+    "regionSouthernEurope": "Europa Meridionale",
+    "regionWesternEurope": "Europa Occidentale",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia e Nuova Zelanda",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Gestito Auto-Ospitato",
        "description": "Server Pangolin self-hosted più affidabile e a bassa manutenzione con campanelli e fischietti extra",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Valore non valido",
    "idpTypeLabel": "Tipo Provider Identità",
    "roleMappingExpressionPlaceholder": "es. contiene(gruppi, 'admin') && 'Admin' <unk> <unk> 'Membro'",
+    "roleMappingModeFixedRoles": "Ruoli Fissi",
+    "roleMappingModeMappingBuilder": "Mapping Builder",
+    "roleMappingModeRawExpression": "Espressione Raw",
+    "roleMappingFixedRolesPlaceholderSelect": "Seleziona uno o più ruoli",
+    "roleMappingFixedRolesPlaceholderFreeform": "Digita nomi dei ruoli (corrispondenza esatta per organizzazione)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Assegna lo stesso ruolo impostato a ogni utente auto-provisioned.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Per i criteri predefiniti, digita i nomi dei ruoli che esistono in ogni organizzazione in cui gli utenti sono forniti. I nomi devono corrispondere esattamente.",
+    "roleMappingClaimPath": "Richiedi Percorso",
+    "roleMappingClaimPathPlaceholder": "gruppi",
+    "roleMappingClaimPathDescription": "Percorso nel payload del token che contiene valori sorgente (ad esempio, gruppi).",
+    "roleMappingMatchValue": "Valore Della Partita",
+    "roleMappingAssignRoles": "Assegna Ruoli",
+    "roleMappingAddMappingRule": "Aggiungi Regola Mappatura",
+    "roleMappingRawExpressionResultDescription": "Espressione deve essere valutata in una stringa o array di stringhe.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Espressione deve valutare in una stringa (un singolo nome ruolo).",
+    "roleMappingMatchValuePlaceholder": "Valore della corrispondenza (per esempio: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Digita i nomi dei ruoli (esatto per org)",
+    "roleMappingBuilderFreeformRowHint": "I nomi dei ruoli devono corrispondere a un ruolo in ogni organizzazione di destinazione.",
+    "roleMappingRemoveRule": "Rimuovi",
    "idpGoogleConfiguration": "Configurazione Google",
    "idpGoogleConfigurationDescription": "Configura le credenziali di Google OAuth2",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Per quanto tempo conservare i log di accesso",
    "logRetentionActionLabel": "Ritenzione Registro Azioni",
    "logRetentionActionDescription": "Per quanto tempo conservare i log delle azioni",
+    "logRetentionConnectionLabel": "Ritenzione Registro Di Connessione",
+    "logRetentionConnectionDescription": "Per quanto tempo conservare i log di connessione",
    "logRetentionDisabled": "Disabilitato",
    "logRetention3Days": "3 giorni",
    "logRetention7Days": "7 giorni",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Fine dell'anno successivo",
    "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
    "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
-    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Log Di Connessione",
+    "connectionLogsDescription": "Visualizza i log di connessione per i tunnel in questa organizzazione",
+    "sidebarLogsConnection": "Log Di Connessione",
+    "sidebarLogsStreaming": "Streaming",
+    "sourceAddress": "Indirizzo Di Origine",
+    "destinationAddress": "Indirizzo Di Destinazione",
+    "duration": "Durata",
+    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzione è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
    "certResolver": "Risolutore Di Certificato",
    "certResolverDescription": "Selezionare il risolutore di certificati da usare per questa risorsa.",
    "selectCertResolver": "Seleziona Risolutore Di Certificato",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Abilita Approvazioni Dispositivo",
    "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
    "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
-    "approvalsEmptyStateButtonText": "Gestisci Ruoli"
+    "approvalsEmptyStateButtonText": "Gestisci Ruoli",
+    "domainErrorTitle": "Stiamo avendo problemi a verificare il tuo dominio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configura la mappatura dei ruoli e le politiche di organizzazione nella scheda <policiesTabLink>Auto Provision Settings</policiesTabLink>.",
+    "streamingTitle": "Streaming Eventi",
+    "streamingDescription": "Trasmetti eventi dalla tua organizzazione a destinazioni esterne in tempo reale.",
+    "streamingUnnamedDestination": "Destinazione senza nome",
+    "streamingNoUrlConfigured": "Nessun URL configurato",
+    "streamingAddDestination": "Aggiungi Destinazione",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Invia eventi a qualsiasi endpoint HTTP con autenticazione e template flessibili.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Trasmetti eventi su un contenitore di archiviazione per oggetti compatibile con S3. Presto in arrivo.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Inoltra gli eventi direttamente al tuo account Datadog. In arrivo.",
+    "streamingTypePickerDescription": "Scegli un tipo di destinazione per iniziare.",
+    "streamingFailedToLoad": "Impossibile caricare le destinazioni",
+    "streamingUnexpectedError": "Si è verificato un errore imprevisto.",
+    "streamingFailedToUpdate": "Impossibile aggiornare la destinazione",
+    "streamingDeletedSuccess": "Destinazione eliminata con successo",
+    "streamingFailedToDelete": "Impossibile eliminare la destinazione",
+    "streamingDeleteTitle": "Elimina Destinazione",
+    "streamingDeleteButtonText": "Elimina Destinazione",
+    "streamingDeleteDialogAreYouSure": "Sei sicuro di voler eliminare",
+    "streamingDeleteDialogThisDestination": "questa destinazione",
+    "streamingDeleteDialogPermanentlyRemoved": "? Tutta la configurazione verrà definitivamente rimossa.",
+    "httpDestEditTitle": "Modifica Destinazione",
+    "httpDestAddTitle": "Aggiungi Destinazione HTTP",
+    "httpDestEditDescription": "Aggiorna la configurazione per questa destinazione di streaming di eventi HTTP.",
+    "httpDestAddDescription": "Configura un nuovo endpoint HTTP per ricevere gli eventi della tua organizzazione.",
+    "httpDestTabSettings": "Impostazioni",
+    "httpDestTabHeaders": "Intestazioni",
+    "httpDestTabBody": "Corpo",
+    "httpDestTabLogs": "Registri",
+    "httpDestNamePlaceholder": "La mia destinazione HTTP",
+    "httpDestUrlLabel": "Url Di Destinazione",
+    "httpDestUrlErrorHttpRequired": "L'URL deve usare http o https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS è richiesto sulle distribuzioni cloud",
+    "httpDestUrlErrorInvalid": "Inserisci un URL valido (es. https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticazione",
+    "httpDestAuthDescription": "Scegli come vengono autenticate le richieste al tuo endpoint.",
+    "httpDestAuthNoneTitle": "Nessuna Autenticazione",
+    "httpDestAuthNoneDescription": "Invia richieste senza intestazione autorizzazione.",
+    "httpDestAuthBearerTitle": "Token Del Portatore",
+    "httpDestAuthBearerDescription": "Aggiunge un'intestazione Autorizzazione: Bearer <token> ad ogni richiesta.",
+    "httpDestAuthBearerPlaceholder": "La tua chiave API o token",
+    "httpDestAuthBasicTitle": "Autenticazione Base",
+    "httpDestAuthBasicDescription": "Aggiunge un'autorizzazione: intestazione di base <credentials> . Fornisce le credenziali come username:password.",
+    "httpDestAuthBasicPlaceholder": "username:password",
+    "httpDestAuthCustomTitle": "Intestazione Personalizzata",
+    "httpDestAuthCustomDescription": "Specifica un nome e un valore di intestazione HTTP personalizzati per l'autenticazione (ad esempio X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nome intestazione (es. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valore intestazione",
+    "httpDestCustomHeadersTitle": "Intestazioni Http Personalizzate",
+    "httpDestCustomHeadersDescription": "Aggiungi intestazioni personalizzate ad ogni richiesta in uscita. Utile per token statici o un tipo di contenuto personalizzato. Come impostazione predefinita, viene inviato il tipo di contenuto/json.",
+    "httpDestNoHeadersConfigured": "Nessuna intestazione personalizzata configurata. Fare clic su \"Aggiungi intestazione\" per aggiungerne una.",
+    "httpDestHeaderNamePlaceholder": "Nome intestazione",
+    "httpDestHeaderValuePlaceholder": "Valore",
+    "httpDestAddHeader": "Aggiungi Intestazione",
+    "httpDestBodyTemplateTitle": "Modello Corpo Personalizzato",
+    "httpDestBodyTemplateDescription": "Controlla la struttura JSON payload inviata al tuo endpoint. Se disabilitata, viene inviato un oggetto JSON predefinito per ogni evento.",
+    "httpDestEnableBodyTemplate": "Abilita modello corpo personalizzato",
+    "httpDestBodyTemplateLabel": "Modello Corpo (JSON)",
+    "httpDestBodyTemplateHint": "Usa le variabili del modello per fare riferimento ai campi dell'evento nel tuo payload.",
+    "httpDestPayloadFormatTitle": "Formato Payload",
+    "httpDestPayloadFormatDescription": "Come gli eventi sono serializzati in ogni organismo di richiesta.",
+    "httpDestFormatJsonArrayTitle": "JSON Array",
+    "httpDestFormatJsonArrayDescription": "Una richiesta per lotto, corpo è un array JSON. Compatibile con la maggior parte dei webhooks generici e Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Una richiesta per lotto, corpo è newline-delimited JSON — un oggetto per linea, nessun array esterno. Richiesto da Splunk HEC, Elastic / OpenSearch, e Grafana Loki.",
+    "httpDestFormatSingleTitle": "Un Evento Per Richiesta",
+    "httpDestFormatSingleDescription": "Invia un HTTP POST separato per ogni singolo evento. Usa solo per gli endpoint che non possono gestire i batch.",
+    "httpDestLogTypesTitle": "Tipi Di Log",
+    "httpDestLogTypesDescription": "Scegli quali tipi di log vengono inoltrati a questa destinazione. Verranno trasmessi solo i tipi di log abilitati.",
+    "httpDestAccessLogsTitle": "Log Accesso",
+    "httpDestAccessLogsDescription": "Tentativi di accesso alle risorse, comprese le richieste autenticate e negate.",
+    "httpDestActionLogsTitle": "Log Azioni",
+    "httpDestActionLogsDescription": "Azioni amministrative eseguite dagli utenti all'interno dell'organizzazione.",
+    "httpDestConnectionLogsTitle": "Log Di Connessione",
+    "httpDestConnectionLogsDescription": "Eventi di connessione al sito e al tunnel, inclusi collegamenti e disconnessioni.",
+    "httpDestRequestLogsTitle": "Log Richiesta",
+    "httpDestRequestLogsDescription": "Registri di richiesta HTTP per le risorse proxy, inclusi metodo, percorso e codice di risposta.",
+    "httpDestSaveChanges": "Salva Modifiche",
+    "httpDestCreateDestination": "Crea Destinazione",
+    "httpDestUpdatedSuccess": "Destinazione aggiornata con successo",
+    "httpDestCreatedSuccess": "Destinazione creata con successo",
+    "httpDestUpdateFailed": "Impossibile aggiornare la destinazione",
+    "httpDestCreateFailed": "Impossibile creare la destinazione"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -148,6 +148,11 @@
    "createLink": "링크 생성",
    "resourcesNotFound": "리소스가 발견되지 않았습니다.",
    "resourceSearch": "리소스 검색",
+    "machineSearch": "기계 검색",
+    "machinesSearch": "기계 클라이언트 검색...",
+    "machineNotFound": "기계를 찾을 수 없습니다",
+    "userDeviceSearch": "사용자 장치 검색",
+    "userDevicesSearch": "사용자 장치 검색...",
    "openMenu": "메뉴 열기",
    "resource": "리소스",
    "title": "제목",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "완전한 도메인 이름을 사용해 RAW 또는 HTTPS로 프록시 요청을 수행합니다.",
    "resourceRaw": "원시 TCP/UDP 리소스",
    "resourceRawDescription": "포트 번호를 사용하여 RAW TCP/UDP로 요청을 프록시합니다.",
-    "resourceRawDescriptionCloud": "원시 TCP/UDP를 포트 번호를 사용하여 프록시 요청합니다. 원격 노드 사용이 필요합니다.",
+    "resourceRawDescriptionCloud": "포트 번호를 사용하여 원격 노드에 연결해야 합니다. 원격 노드에서 리소스를 사용하려면 사용자 지정 도메인을 사용하십시오.",
    "resourceCreate": "리소스 생성",
    "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
    "resourceSeeAll": "모든 리소스 보기",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "API 키 삭제",
    "apiKeysManage": "API 키 관리",
    "apiKeysDescription": "API 키는 통합 API와 인증하는 데 사용됩니다.",
+    "provisioningKeysTitle": "프로비저닝 키",
+    "provisioningKeysManage": "프로비저닝 키 관리",
+    "provisioningKeysDescription": "프로비저닝 키는 조직의 자동 사이트 프로비저닝 인증에 사용됩니다.",
+    "provisioningManage": "프로비저닝",
+    "provisioningDescription": "프로비저닝 키를 관리하고 승인을 기다리는 사이트를 검토합니다.",
+    "pendingSites": "대기중인 사이트",
+    "siteApproveSuccess": "사이트가 성공적으로 승인되었습니다",
+    "siteApproveError": "사이트 승인 오류",
+    "provisioningKeys": "프로비저닝 키",
+    "searchProvisioningKeys": "프로비저닝 키 검색...",
+    "provisioningKeysAdd": "프로비저닝 키 생성",
+    "provisioningKeysErrorDelete": "프로비저닝 키 삭제 오류",
+    "provisioningKeysErrorDeleteMessage": "프로비저닝 키 삭제 오류",
+    "provisioningKeysQuestionRemove": "이 프로비저닝 키를 조직에서 제거하시겠습니까?",
+    "provisioningKeysMessageRemove": "제거 후에는 이 키를 사이트 프로비저닝에 사용할 수 없습니다.",
+    "provisioningKeysDeleteConfirm": "프로비저닝 키 삭제 확인",
+    "provisioningKeysDelete": "프로비저닝 키 삭제",
+    "provisioningKeysCreate": "프로비저닝 키 생성",
+    "provisioningKeysCreateDescription": "조직을 위한 새로운 프로비저닝 키 생성",
+    "provisioningKeysSeeAll": "모든 프로비저닝 키 보기",
+    "provisioningKeysSave": "프로비저닝 키 저장",
+    "provisioningKeysSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
+    "provisioningKeysErrorCreate": "프로비저닝 키 생성 오류",
+    "provisioningKeysList": "새 프로비저닝 키",
+    "provisioningKeysMaxBatchSize": "최대 배치 크기",
+    "provisioningKeysUnlimitedBatchSize": "무제한 배치 크기 (제한 없음)",
+    "provisioningKeysMaxBatchUnlimited": "무제한",
+    "provisioningKeysMaxBatchSizeInvalid": "유효한 최대 배치 크기를 입력하세요 (1–1,000,000).",
+    "provisioningKeysValidUntil": "유효 기간",
+    "provisioningKeysValidUntilHint": "만료 날짜를 설정하지 않을 경우 빈칸으로 남겨 두세요.",
+    "provisioningKeysValidUntilInvalid": "유효한 날짜와 시간을 입력하세요.",
+    "provisioningKeysNumUsed": "사용 횟수",
+    "provisioningKeysLastUsed": "마지막 사용",
+    "provisioningKeysNoExpiry": "만료 없음",
+    "provisioningKeysNeverUsed": "절대",
+    "provisioningKeysEdit": "프로비저닝 키 수정",
+    "provisioningKeysEditDescription": "이 키의 최대 배치 크기 및 만료 시간을 업데이트하세요.",
+    "provisioningKeysApproveNewSites": "새로운 사이트 승인",
+    "provisioningKeysApproveNewSitesDescription": "이 키를 등록하는 사이트를 자동으로 승인합니다.",
+    "provisioningKeysUpdateError": "프로비저닝 키 업데이트 오류",
+    "provisioningKeysUpdated": "프로비저닝 키가 업데이트되었습니다",
+    "provisioningKeysUpdatedDescription": "변경 사항이 저장되었습니다.",
+    "provisioningKeysBannerTitle": "사이트 프로비저닝 키",
+    "provisioningKeysBannerDescription": "프로비저닝 키를 생성하여 Newt 커넥터와 함께 사용해 첫 실행 시 자동으로 사이트를 생성하세요 — 각 사이트마다 별도의 인증을 설정할 필요가 없습니다.",
+    "provisioningKeysBannerButtonText": "자세히 알아보기",
+    "pendingSitesBannerTitle": "대기중인 사이트",
+    "pendingSitesBannerDescription": "프로비저닝 키를 사용하여 연결하는 사이트는 검토 대기 중입니다. 사이트가 활성화되어 리소스에 액세스하기 전에 각 사이트를 승인하세요.",
+    "pendingSitesBannerButtonText": "자세히 알아보기",
    "apiKeysSettings": "{apiKeyName} 설정",
    "userTitle": "모든 사용자 관리",
    "userDescription": "시스템의 모든 사용자를 보고 관리합니다",
@@ -509,9 +562,12 @@
    "userSaved": "사용자 저장됨",
    "userSavedDescription": "사용자가 업데이트되었습니다.",
    "autoProvisioned": "자동 프로비저닝됨",
+    "autoProvisionSettings": "자동 프로비저닝 설정",
    "autoProvisionedDescription": "이 사용자가 ID 공급자에 의해 자동으로 관리될 수 있도록 허용합니다",
    "accessControlsDescription": "이 사용자가 조직에서 접근하고 수행할 수 있는 작업을 관리하세요",
    "accessControlsSubmit": "접근 제어 저장",
+    "singleRolePerUserPlanNotice": "계획에는 사용자당 한 가지 역할만 지원됩니다.",
+    "singleRolePerUserEditionNotice": "이 판에는 사용자당 한 가지 역할만 지원됩니다.",
    "roles": "역할",
    "accessUsersRoles": "사용자 및 역할 관리",
    "accessUsersRolesDescription": "사용자를 초대하고 역할에 추가하여 조직에 대한 접근을 관리하세요",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "서버 콘솔에서 설정 토큰 입력.",
    "setupTokenRequired": "설정 토큰이 필요합니다",
    "actionUpdateSite": "사이트 업데이트",
+    "actionResetSiteBandwidth": "조직 대역폭 재설정",
    "actionListSiteRoles": "허용된 사이트 역할 목록",
    "actionCreateResource": "리소스 생성",
    "actionDeleteResource": "리소스 삭제",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "사용자 제거",
    "actionListUsers": "사용자 목록",
    "actionAddUserRole": "사용자 역할 추가",
+    "actionSetUserOrgRoles": "사용자 역할 설정",
    "actionGenerateAccessToken": "액세스 토큰 생성",
    "actionDeleteAccessToken": "액세스 토큰 삭제",
    "actionListAccessTokens": "액세스 토큰 목록",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "역할",
    "sidebarShareableLinks": "링크",
    "sidebarApiKeys": "API 키",
+    "sidebarProvisioning": "프로비저닝",
    "sidebarSettings": "설정",
    "sidebarAllUsers": "모든 사용자",
    "sidebarIdentityProviders": "신원 공급자",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "이름 공간: {namespace}",
    "domainPickerShowMore": "더보기",
    "regionSelectorTitle": "지역 선택",
+    "domainPickerRemoteExitNodeWarning": "제공된 도메인은 원격 종료 노드에 연결된 사이트에서 지원되지 않습니다. 원격 노드에서 리소스를 사용하려면 사용자 지정 도메인을 사용하십시오.",
    "regionSelectorInfo": "지역을 선택하면 위치에 따라 더 나은 성능이 제공됩니다. 서버와 같은 지역에 있을 필요는 없습니다.",
    "regionSelectorPlaceholder": "지역 선택",
    "regionSelectorComingSoon": "곧 출시 예정",
@@ -1888,6 +1948,40 @@
    "exitNode": "종단 노드",
    "country": "국가",
    "rulesMatchCountry": "현재 소스 IP를 기반으로 합니다",
+    "region": "지역",
+    "selectRegion": "지역 선택",
+    "searchRegions": "지역 검색...",
+    "noRegionFound": "지역을 찾을 수 없습니다.",
+    "rulesMatchRegion": "국가의 지역 구성을 선택합니다",
+    "rulesErrorInvalidRegion": "잘못된 지역",
+    "rulesErrorInvalidRegionDescription": "유효한 지역을 선택하세요.",
+    "regionAfrica": "아프리카",
+    "regionNorthernAfrica": "북부 아프리카",
+    "regionEasternAfrica": "동부 아프리카",
+    "regionMiddleAfrica": "중부 아프리카",
+    "regionSouthernAfrica": "남부 아프리카",
+    "regionWesternAfrica": "서부 아프리카",
+    "regionAmericas": "아메리카",
+    "regionCaribbean": "카리브",
+    "regionCentralAmerica": "중앙 아메리카",
+    "regionSouthAmerica": "남아메리카",
+    "regionNorthernAmerica": "북미",
+    "regionAsia": "아시아",
+    "regionCentralAsia": "중앙 아시아",
+    "regionEasternAsia": "동아시아",
+    "regionSouthEasternAsia": "동남아시아",
+    "regionSouthernAsia": "남아시아",
+    "regionWesternAsia": "서아시아",
+    "regionEurope": "유럽",
+    "regionEasternEurope": "동부 유럽",
+    "regionNorthernEurope": "북부 유럽",
+    "regionSouthernEurope": "남부 유럽",
+    "regionWesternEurope": "서부 유럽",
+    "regionOceania": "오세아니아",
+    "regionAustraliaAndNewZealand": "호주와 뉴질랜드",
+    "regionMelanesia": "멜라네시아",
+    "regionMicronesia": "미크로네시아",
+    "regionPolynesia": "폴리네시아",
    "managedSelfHosted": {
        "title": "관리 자체 호스팅",
        "description": "더 신뢰할 수 있고 낮은 유지보수의 자체 호스팅 팡골린 서버, 추가 기능 포함",
@@ -1936,6 +2030,25 @@
    "invalidValue": "잘못된 값",
    "idpTypeLabel": "신원 공급자 유형",
    "roleMappingExpressionPlaceholder": "예: contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "고정 역할",
+    "roleMappingModeMappingBuilder": "매핑 빌더",
+    "roleMappingModeRawExpression": "원시 표현식",
+    "roleMappingFixedRolesPlaceholderSelect": "하나 이상의 역할을 선택하세요",
+    "roleMappingFixedRolesPlaceholderFreeform": "역할 이름 입력 (조직마다 정확히 일치)",
+    "roleMappingFixedRolesDescriptionSameForAll": "모든 자동 프로비전 사용자에게 동일한 역할 세트를 할당합니다.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "기본 정책의 경우 사용자가 프로비저닝된 조직의 역할 이름을 입력하세요. 이름은 정확히 일치해야 합니다.",
+    "roleMappingClaimPath": "클레임 경로",
+    "roleMappingClaimPathPlaceholder": "그룹",
+    "roleMappingClaimPathDescription": "토큰 페이로드에서 소스 값을 포함하는 경로 (예: 그룹).",
+    "roleMappingMatchValue": "매치 값",
+    "roleMappingAssignRoles": "역할 할당",
+    "roleMappingAddMappingRule": "매핑 규칙 추가",
+    "roleMappingRawExpressionResultDescription": "표현식은 문자열 또는 문자열 배열로 평가되어야 합니다.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "표현식은 문자열 (단일 역할 이름)로 평가되어야 합니다.",
+    "roleMappingMatchValuePlaceholder": "매치 값 (예: 관리자)",
+    "roleMappingAssignRolesPlaceholderFreeform": "역할 이름 입력 (조직마다 정확히)",
+    "roleMappingBuilderFreeformRowHint": "역할 이름은 각 대상 조직의 역할과 일치해야 합니다.",
+    "roleMappingRemoveRule": "제거",
    "idpGoogleConfiguration": "Google 구성",
    "idpGoogleConfigurationDescription": "Google OAuth2 자격 증명을 구성합니다.",
    "idpGoogleClientIdDescription": "Google OAuth2 클라이언트 ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "접근 로그를 얼마나 오래 보관할지",
    "logRetentionActionLabel": "작업 로그 보관",
    "logRetentionActionDescription": "작업 로그를 얼마나 오래 보관할지",
+    "logRetentionConnectionLabel": "연결 로그 보유 기간",
+    "logRetentionConnectionDescription": "연결 로그를 얼마나 오래 보유할지",
    "logRetentionDisabled": "비활성화됨",
    "logRetention3Days": "3 일",
    "logRetention7Days": "7 일",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "다음 연도 말",
    "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
    "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
-    "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
-    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
+    "connectionLogs": "연결 로그",
+    "connectionLogsDescription": "이 조직의 터널 연결 로그 보기",
+    "sidebarLogsConnection": "연결 로그",
+    "sidebarLogsStreaming": "스트리밍",
+    "sourceAddress": "소스 주소",
+    "destinationAddress": "대상 주소",
+    "duration": "지속 시간",
+    "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이(가) 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
    "certResolver": "인증서 해결사",
    "certResolverDescription": "이 리소스에 사용할 인증서 해결사를 선택하세요.",
    "selectCertResolver": "인증서 해결사 선택",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "장치 승인 활성화",
    "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
    "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
-    "approvalsEmptyStateButtonText": "역할 관리"
+    "approvalsEmptyStateButtonText": "역할 관리",
+    "domainErrorTitle": "도메인 확인에 문제가 발생했습니다.",
+    "idpAdminAutoProvisionPoliciesTabHint": "<policiesTabLink>자동 프로비저닝 설정</policiesTabLink> 탭에서 역할 매핑 및 조직 정책을 구성합니다.",
+    "streamingTitle": "이벤트 스트리밍",
+    "streamingDescription": "조직의 이벤트를 외부 목적지로 실시간 전송합니다.",
+    "streamingUnnamedDestination": "이름이 없는 대상지",
+    "streamingNoUrlConfigured": "설정된 URL이 없습니다",
+    "streamingAddDestination": "대상지 추가",
+    "streamingHttpWebhookTitle": "HTTP 웹훅",
+    "streamingHttpWebhookDescription": "유연한 인증 및 템플릿 작성 기능을 갖춘 HTTP 엔드포인트에 이벤트를 전송합니다.",
+    "streamingS3Title": "아마존 S3",
+    "streamingS3Description": "S3 호환 객체 스토리지 버킷에 이벤트를 스트리밍합니다. 곧 제공됩니다.",
+    "streamingDatadogTitle": "데이터독",
+    "streamingDatadogDescription": "이벤트를 직접 Datadog 계정으로 전달합니다. 곧 제공됩니다.",
+    "streamingTypePickerDescription": "목표 유형을 선택하여 시작합니다.",
+    "streamingFailedToLoad": "대상 로드에 실패했습니다",
+    "streamingUnexpectedError": "예기치 않은 오류가 발생했습니다.",
+    "streamingFailedToUpdate": "대상지를 업데이트하는 데 실패했습니다",
+    "streamingDeletedSuccess": "대상지가 성공적으로 삭제되었습니다",
+    "streamingFailedToDelete": "대상지 삭제 실패",
+    "streamingDeleteTitle": "대상지 삭제",
+    "streamingDeleteButtonText": "대상지 삭제",
+    "streamingDeleteDialogAreYouSure": "삭제하시겠습니까",
+    "streamingDeleteDialogThisDestination": "이 대상지",
+    "streamingDeleteDialogPermanentlyRemoved": "? 모든 구성은 영구적으로 제거됩니다.",
+    "httpDestEditTitle": "대상지 수정",
+    "httpDestAddTitle": "HTTP 대상지 추가",
+    "httpDestEditDescription": "이 HTTP 이벤트 스트리밍 대상지의 구성을 업데이트하세요.",
+    "httpDestAddDescription": "조직의 이벤트 수신을 위한 새로운 HTTP 엔드포인트를 구성하세요.",
+    "httpDestTabSettings": "설정",
+    "httpDestTabHeaders": "헤더",
+    "httpDestTabBody": "본문",
+    "httpDestTabLogs": "로그",
+    "httpDestNamePlaceholder": "내 HTTP 대상",
+    "httpDestUrlLabel": "대상 URL",
+    "httpDestUrlErrorHttpRequired": "URL은 http 또는 https를 사용해야 합니다",
+    "httpDestUrlErrorHttpsRequired": "클라우드 배포에는 HTTPS가 필요합니다",
+    "httpDestUrlErrorInvalid": "유효한 URL을 입력하세요 (예: https://example.com/webhook)",
+    "httpDestAuthTitle": "인증",
+    "httpDestAuthDescription": "엔드포인트에 대한 요청 인증 방법을 선택하세요.",
+    "httpDestAuthNoneTitle": "인증 없음",
+    "httpDestAuthNoneDescription": "Authorization 헤더 없이 요청을 보냅니다.",
+    "httpDestAuthBearerTitle": "Bearer 토큰",
+    "httpDestAuthBearerDescription": "모든 요청에 Authorization: Bearer <token> 헤더를 추가합니다.",
+    "httpDestAuthBearerPlaceholder": "API 키 또는 토큰",
+    "httpDestAuthBasicTitle": "기본 인증",
+    "httpDestAuthBasicDescription": "Authorization: Basic <credentials> 헤더를 추가합니다. 자격 증명은 username:password 형식으로 제공하세요.",
+    "httpDestAuthBasicPlaceholder": "사용자 이름:비밀번호",
+    "httpDestAuthCustomTitle": "사용자 정의 헤더",
+    "httpDestAuthCustomDescription": "인증을 위한 사용자 정의 HTTP 헤더 이름 및 값을 지정하세요 (예: X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "헤더 이름 (예: X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "헤더 값",
+    "httpDestCustomHeadersTitle": "사용자 정의 HTTP 헤더",
+    "httpDestCustomHeadersDescription": "모든 발신 요청에 사용자 정의 헤더를 추가합니다. 정적 토큰 또는 사용자 정의 Content-Type에 유용합니다. 기본적으로 Content-Type: application/json이 전송됩니다.",
+    "httpDestNoHeadersConfigured": "구성된 사용자 정의 헤더가 없습니다. \"헤더 추가\"를 클릭하여 추가하세요.",
+    "httpDestHeaderNamePlaceholder": "헤더 이름",
+    "httpDestHeaderValuePlaceholder": "값",
+    "httpDestAddHeader": "헤더 추가",
+    "httpDestBodyTemplateTitle": "사용자 정의 본문 템플릿",
+    "httpDestBodyTemplateDescription": "엔드포인트에 전송되는 JSON 페이로드 구조를 제어합니다. 비활성화된 경우 각 이벤트에 대해 기본 JSON 객체가 전송됩니다.",
+    "httpDestEnableBodyTemplate": "사용자 정의 본문 템플릿 활성화",
+    "httpDestBodyTemplateLabel": "본문 템플릿 (JSON)",
+    "httpDestBodyTemplateHint": "템플릿 변수를 사용하여 페이로드에서 이벤트 필드를 참조하세요.",
+    "httpDestPayloadFormatTitle": "페이로드 형식",
+    "httpDestPayloadFormatDescription": "각 요청 본문에 이벤트가 시리얼라이즈되는 방식입니다.",
+    "httpDestFormatJsonArrayTitle": "JSON 배열",
+    "httpDestFormatJsonArrayDescription": "각 배치마다 요청 하나씩, 본문은 JSON 배열입니다. 대부분의 일반 웹훅 및 Datadog과 호환됩니다.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "각 배치마다 요청 하나씩, 본문은 줄 구분 JSON — 한 라인에 하나의 객체가 있으며 외부 배열이 없습니다. Splunk HEC, Elastic / OpenSearch, Grafana Loki에 필요합니다.",
+    "httpDestFormatSingleTitle": "각 요청 당 하나의 이벤트",
+    "httpDestFormatSingleDescription": "각 개별 이벤트에 대해 별도의 HTTP POST를 전송합니다. 배치를 처리할 수 없는 엔드포인트에만 사용하세요.",
+    "httpDestLogTypesTitle": "로그 유형",
+    "httpDestLogTypesDescription": "이 대상지에 전달될 로그 유형을 선택하세요. 활성화된 로그 유형만 스트리밍 됩니다.",
+    "httpDestAccessLogsTitle": "접근 로그",
+    "httpDestAccessLogsDescription": "인증 및 거부된 요청을 포함한 리소스 접근 시도.",
+    "httpDestActionLogsTitle": "작업 로그",
+    "httpDestActionLogsDescription": "조직 내에서 사용자가 수행한 관리 작업.",
+    "httpDestConnectionLogsTitle": "연결 로그",
+    "httpDestConnectionLogsDescription": "사이트 및 터널 연결 이벤트, 연결 및 연결 끊기를 포함합니다.",
+    "httpDestRequestLogsTitle": "요청 로그",
+    "httpDestRequestLogsDescription": "프록시된 리소스에 대한 HTTP 요청 로그, 메서드, 경로 및 응답 코드를 포함합니다.",
+    "httpDestSaveChanges": "변경 사항 저장",
+    "httpDestCreateDestination": "대상지 생성",
+    "httpDestUpdatedSuccess": "대상지가 성공적으로 업데이트되었습니다",
+    "httpDestCreatedSuccess": "대상지가 성공적으로 생성되었습니다",
+    "httpDestUpdateFailed": "대상지를 업데이트하는 데 실패했습니다",
+    "httpDestCreateFailed": "대상지를 생성하는 데 실패했습니다"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -148,6 +148,11 @@
    "createLink": "Opprett lenke",
    "resourcesNotFound": "Ingen ressurser funnet",
    "resourceSearch": "Søk i ressurser",
+    "machineSearch": "Søk etter maskiner",
+    "machinesSearch": "Søk etter maskinklienter...",
+    "machineNotFound": "Ingen maskiner funnet",
+    "userDeviceSearch": "Søk etter brukerenheter",
+    "userDevicesSearch": "Søk etter brukerenheter...",
    "openMenu": "Åpne meny",
    "resource": "Ressurs",
    "title": "Tittel",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxy forespørsler over HTTPS ved å bruke et fullstendig kvalifisert domenenavn.",
    "resourceRaw": "Rå TCP/UDP-ressurs",
    "resourceRawDescription": "Proxy forespørsler over rå TCP/UDP ved å bruke et portnummer.",
-    "resourceRawDescriptionCloud": "Proxy ber om et portnummer. Om du vil bruke et sportsnummer.",
+    "resourceRawDescriptionCloud": "Proxy forespørsler om rå TCP/UDP ved hjelp av et portnummer. Krever sider for å koble til en ekstern node.",
    "resourceCreate": "Opprett ressurs",
    "resourceCreateDescription": "Følg trinnene nedenfor for å opprette en ny ressurs",
    "resourceSeeAll": "Se alle ressurser",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Slett API-nøkkel",
    "apiKeysManage": "Administrer API-nøkler",
    "apiKeysDescription": "API-nøkler brukes for å autentisere med integrasjons-API",
+    "provisioningKeysTitle": "Foreløpig nøkkel",
+    "provisioningKeysManage": "Behandle bestemmende nøkler",
+    "provisioningKeysDescription": "Bestemmelsesnøkler brukes til å godkjenne automatisert nettstedsløsning for din organisasjon.",
+    "provisioningManage": "Levering",
+    "provisioningDescription": "Administrer foreløpig nøkler og gjennomgå ventende nettsteder som venter på godkjenning.",
+    "pendingSites": "Ventende nettsteder",
+    "siteApproveSuccess": "Vellykket godkjenning av nettsted",
+    "siteApproveError": "Feil ved godkjenning av side",
+    "provisioningKeys": "Foreløpig nøkler",
+    "searchProvisioningKeys": "Søk varer i lagrings nøkler...",
+    "provisioningKeysAdd": "Generer fremvisende nøkkel",
+    "provisioningKeysErrorDelete": "Feil under sletting av foreløpig nøkkel",
+    "provisioningKeysErrorDeleteMessage": "Feil under sletting av foreløpig nøkkel",
+    "provisioningKeysQuestionRemove": "Er du sikker på at du vil fjerne denne midlertidig nøkkelen fra organisasjonen?",
+    "provisioningKeysMessageRemove": "Når nøkkelen er fjernet, kan den ikke lenger brukes til anleggsavsetning.",
+    "provisioningKeysDeleteConfirm": "Bekreft sletting av bestemmelsesnøkkel",
+    "provisioningKeysDelete": "Slett bestemmelsesnøkkel",
+    "provisioningKeysCreate": "Generer fremvisende nøkkel",
+    "provisioningKeysCreateDescription": "Generer en ny foreløpig nøkkel til organisasjonen",
+    "provisioningKeysSeeAll": "Se alle foreløpig nøkler",
+    "provisioningKeysSave": "Lagre den midlertidig nøkkelen",
+    "provisioningKeysSaveDescription": "Du kan bare se denne én gang. Kopier det til et sikkert sted.",
+    "provisioningKeysErrorCreate": "Feil under oppretting av foreløpig nøkkel",
+    "provisioningKeysList": "Ny provisorisk nøkkel",
+    "provisioningKeysMaxBatchSize": "Maks størrelse på bunt",
+    "provisioningKeysUnlimitedBatchSize": "Ubegrenset mengde bunt (ingen begrensning)",
+    "provisioningKeysMaxBatchUnlimited": "Ubegrenset",
+    "provisioningKeysMaxBatchSizeInvalid": "Angi en gyldig sjakkstørrelse (1–1 000.000).",
+    "provisioningKeysValidUntil": "Gyldig til",
+    "provisioningKeysValidUntilHint": "La stå tomt for ingen utløp.",
+    "provisioningKeysValidUntilInvalid": "Angi en gyldig dato og klokkeslett.",
+    "provisioningKeysNumUsed": "Antall ganger brukt",
+    "provisioningKeysLastUsed": "Sist brukt",
+    "provisioningKeysNoExpiry": "Ingen utløpsdato",
+    "provisioningKeysNeverUsed": "Aldri",
+    "provisioningKeysEdit": "Rediger bestemmelsesnøkkel",
+    "provisioningKeysEditDescription": "Oppdater maksimal størrelse for bunt og utløpstid for denne nøkkelen.",
+    "provisioningKeysApproveNewSites": "Godkjenn nye nettsteder",
+    "provisioningKeysApproveNewSitesDescription": "Godkjenn automatisk nettsteder som registrerer deg med denne nøkkelen.",
+    "provisioningKeysUpdateError": "Feil under oppdatering av foreløpig nøkkel",
+    "provisioningKeysUpdated": "Foreslå nøkkel oppdatert",
+    "provisioningKeysUpdatedDescription": "Dine endringer er lagret.",
+    "provisioningKeysBannerTitle": "Sidens bestemmende nøkler",
+    "provisioningKeysBannerDescription": "Generer en foreløpig nøkkel og bruk den med Nyhetskontakten for å automatisk opprette sider ved første oppstart — trenger ikke å sette opp separat innloggingsinformasjon for hver side.",
+    "provisioningKeysBannerButtonText": "Lær mer",
+    "pendingSitesBannerTitle": "Ventende nettsteder",
+    "pendingSitesBannerDescription": "Nettsteder som kobler deg til ved hjelp av en bestemmelsestekst, vises her for gjennomgang. Godkjenn hvert nettsted før det blir aktivt og får tilgang til ressursene dine.",
+    "pendingSitesBannerButtonText": "Lær mer",
    "apiKeysSettings": "{apiKeyName} Innstillinger",
    "userTitle": "Administrer alle brukere",
    "userDescription": "Vis og administrer alle brukere i systemet",
@@ -509,9 +562,12 @@
    "userSaved": "Bruker lagret",
    "userSavedDescription": "Brukeren har blitt oppdatert.",
    "autoProvisioned": "Auto avlyst",
+    "autoProvisionSettings": "Auto leveringsinnstillinger",
    "autoProvisionedDescription": "Tillat denne brukeren å bli automatisk administrert av en identitetsleverandør",
    "accessControlsDescription": "Administrer hva denne brukeren kan få tilgang til og gjøre i organisasjonen",
    "accessControlsSubmit": "Lagre tilgangskontroller",
+    "singleRolePerUserPlanNotice": "Din plan støtter bare én rolle per bruker.",
+    "singleRolePerUserEditionNotice": "Denne utgaven støtter bare én rolle per bruker.",
    "roles": "Roller",
    "accessUsersRoles": "Administrer brukere og roller",
    "accessUsersRolesDescription": "Inviter brukere og legg dem til roller for å administrere tilgang til organisasjonen",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Skriv inn oppsetttoken fra serverkonsollen.",
    "setupTokenRequired": "Oppsetttoken er nødvendig",
    "actionUpdateSite": "Oppdater område",
+    "actionResetSiteBandwidth": "Tilbakestill organisasjons-båndbredde",
    "actionListSiteRoles": "List opp tillatte områderoller",
    "actionCreateResource": "Opprett ressurs",
    "actionDeleteResource": "Slett ressurs",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Fjern bruker",
    "actionListUsers": "List opp brukere",
    "actionAddUserRole": "Legg til brukerrolle",
+    "actionSetUserOrgRoles": "Angi brukerroller",
    "actionGenerateAccessToken": "Generer tilgangstoken",
    "actionDeleteAccessToken": "Slett tilgangstoken",
    "actionListAccessTokens": "List opp tilgangstokener",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Roller",
    "sidebarShareableLinks": "Lenker",
    "sidebarApiKeys": "API-nøkler",
+    "sidebarProvisioning": "Levering",
    "sidebarSettings": "Innstillinger",
    "sidebarAllUsers": "Alle brukere",
    "sidebarIdentityProviders": "Identitetsleverandører",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Navnerom: {namespace}",
    "domainPickerShowMore": "Vis mer",
    "regionSelectorTitle": "Velg Region",
+    "domainPickerRemoteExitNodeWarning": "Tilbudte domener støttes ikke når sider kobles til eksterne avkjøringsnoder. For ressurser som skal være tilgjengelige på eksterne noder, brukes et egendefinert domene i stedet.",
    "regionSelectorInfo": "Å velge en region hjelper oss med å gi bedre ytelse for din lokasjon. Du trenger ikke være i samme region som serveren.",
    "regionSelectorPlaceholder": "Velg en region",
    "regionSelectorComingSoon": "Kommer snart",
@@ -1888,6 +1948,40 @@
    "exitNode": "Utgangsnode",
    "country": "Land",
    "rulesMatchCountry": "For tiden basert på kilde IP",
+    "region": "Fylke",
+    "selectRegion": "Velg region",
+    "searchRegions": "Søk etter områder...",
+    "noRegionFound": "Ingen region funnet.",
+    "rulesMatchRegion": "Velg en regional gruppering av land",
+    "rulesErrorInvalidRegion": "Ugyldig område",
+    "rulesErrorInvalidRegionDescription": "Vennligst velg et gyldig område.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "[country name] Nord-Afrika",
+    "regionEasternAfrica": "Øst-Afrika",
+    "regionMiddleAfrica": "Middle Africa",
+    "regionSouthernAfrica": "Sør-Afrika",
+    "regionWesternAfrica": "[country name] Vest-Afrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karibia",
+    "regionCentralAmerica": "Sentral-Amerika",
+    "regionSouthAmerica": "Sør-Amerika",
+    "regionNorthernAmerica": "Nord-Amerika",
+    "regionAsia": "Asia",
+    "regionCentralAsia": "Sentral-Asia",
+    "regionEasternAsia": "Øst-Asia",
+    "regionSouthEasternAsia": "Sørøst-Asia",
+    "regionSouthernAsia": "Sørlige Asia",
+    "regionWesternAsia": "Vest-Asia",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Øst-Europa",
+    "regionNorthernEurope": "Nord-Europa",
+    "regionSouthernEurope": "Sørlige Europa",
+    "regionWesternEurope": "Vest-Europa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia og New Zealand",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Administrert selv-hostet",
        "description": "Sikre og lavvedlikeholdsservere, selvbetjente Pangolin med ekstra klokker, og understell",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Ugyldig verdi",
    "idpTypeLabel": "Identitet leverandør type",
    "roleMappingExpressionPlaceholder": "F.eks. inneholder(grupper, 'admin') && 'Admin' ⋅'Medlem'",
+    "roleMappingModeFixedRoles": "Fast roller",
+    "roleMappingModeMappingBuilder": "Kartlegger bygger",
+    "roleMappingModeRawExpression": "Rå uttrykk",
+    "roleMappingFixedRolesPlaceholderSelect": "Velg en eller flere roller",
+    "roleMappingFixedRolesPlaceholderFreeform": "Skriv inn rollenavn (eksakt treff per organisasjon)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Tilordne den samme rollen som er satt til hver automatisk midlertidig bruker.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "For standard policyer, type rollenavn som eksisterer i hver organisasjon der brukerne tilbys. Navn må stemmer nøyaktig.",
+    "roleMappingClaimPath": "Krev sti",
+    "roleMappingClaimPathPlaceholder": "grupper",
+    "roleMappingClaimPathDescription": "Sti i i token nyttelast som inneholder kildeverdier (for eksempel grupper).",
+    "roleMappingMatchValue": "Treff verdi",
+    "roleMappingAssignRoles": "Tilordne roller",
+    "roleMappingAddMappingRule": "Legg til tilordningsregel",
+    "roleMappingRawExpressionResultDescription": "Uttrykk skal vurderes til en streng eller en tekststreng.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Uttrykk må evaluere til en streng (en rollenavn).",
+    "roleMappingMatchValuePlaceholder": "Match verdi (for eksempel: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Angi rollenavn (eksakt per org)",
+    "roleMappingBuilderFreeformRowHint": "Rollenavn må samsvare med en rolle i hver målorganisasjon.",
+    "roleMappingRemoveRule": "Fjern",
    "idpGoogleConfiguration": "Google Konfigurasjon",
    "idpGoogleConfigurationDescription": "Konfigurer Google OAuth2 legitimasjonen",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Hvor lenge du vil beholde adgangslogger",
    "logRetentionActionLabel": "Handlings logg nytt",
    "logRetentionActionDescription": "Hvor lenge handlingen skal lagres",
+    "logRetentionConnectionLabel": "Logg nyhet",
+    "logRetentionConnectionDescription": "Hvor lenge du vil beholde tilkoblingslogger",
    "logRetentionDisabled": "Deaktivert",
    "logRetention3Days": "3 dager",
    "logRetention7Days": "7 dager",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Slutt på neste år",
    "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
    "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
-    "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens er påkrevd for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Loggfiler for tilkobling",
+    "connectionLogsDescription": "Vis tilkoblingslogger for tunneler i denne organisasjonen",
+    "sidebarLogsConnection": "Loggfiler for tilkobling",
+    "sidebarLogsStreaming": "Strømming",
+    "sourceAddress": "Kilde adresse",
+    "destinationAddress": "Måladresse (Automatic Translation)",
+    "duration": "Varighet",
+    "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens eller <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> er påkrevd for å bruke denne funksjonen. <bookADemoLink>Bestill en demo eller POC prøveversjon</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Bestill en demo eller POC studie</bookADemoLink>.",
    "certResolver": "Sertifikat løser",
    "certResolverDescription": "Velg sertifikatløser som skal brukes for denne ressursen.",
    "selectCertResolver": "Velg sertifikatløser",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Aktiver enhetsgodkjenninger",
    "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
    "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
-    "approvalsEmptyStateButtonText": "Administrer Roller"
+    "approvalsEmptyStateButtonText": "Administrer Roller",
+    "domainErrorTitle": "Vi har problemer med å verifisere domenet ditt",
+    "idpAdminAutoProvisionPoliciesTabHint": "Konfigurer rollegartlegging og organisasjonspolicyer på <policiesTabLink>Auto leveringsinnstillinger</policiesTabLink> fanen.",
+    "streamingTitle": "Hendelse Strømming",
+    "streamingDescription": "Stream hendelser fra din organisasjon til eksterne destinasjoner i sanntid.",
+    "streamingUnnamedDestination": "Plassering uten navn",
+    "streamingNoUrlConfigured": "Ingen URL konfigurert",
+    "streamingAddDestination": "Legg til mål",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Send hendelser til alle HTTP-endepunkter med fleksibel autentisering og maling.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Strøm hendelser til en S3-kompatibel objektlagringskjøt. Kommer snart.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Videresend arrangementer direkte til din Datadog-konto. Kommer snart.",
+    "streamingTypePickerDescription": "Velg en måltype for å komme i gang.",
+    "streamingFailedToLoad": "Kan ikke laste inn destinasjoner",
+    "streamingUnexpectedError": "En uventet feil oppstod.",
+    "streamingFailedToUpdate": "Kunne ikke oppdatere destinasjon",
+    "streamingDeletedSuccess": "Målet ble slettet",
+    "streamingFailedToDelete": "Kunne ikke slette destinasjon",
+    "streamingDeleteTitle": "Slett mål",
+    "streamingDeleteButtonText": "Slett mål",
+    "streamingDeleteDialogAreYouSure": "Er du sikker på at du vil slette",
+    "streamingDeleteDialogThisDestination": "denne destinasjonen",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle konfigurasjoner vil bli slettet permanent.",
+    "httpDestEditTitle": "Rediger mål",
+    "httpDestAddTitle": "Legg til HTTP-destinasjon",
+    "httpDestEditDescription": "Oppdater konfigurasjonen for denne HTTP-hendelsesstrømmedestinasjonen.",
+    "httpDestAddDescription": "Konfigurer et nytt HTTP endepunkt for å motta organisasjonens hendelser.",
+    "httpDestTabSettings": "Innstillinger",
+    "httpDestTabHeaders": "Overskrifter",
+    "httpDestTabBody": "Innhold",
+    "httpDestTabLogs": "Logger",
+    "httpDestNamePlaceholder": "Min HTTP destinasjon",
+    "httpDestUrlLabel": "Destinasjons URL",
+    "httpDestUrlErrorHttpRequired": "URL-adressen må bruke httpp eller https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS er nødvendig for distribusjon av sky",
+    "httpDestUrlErrorInvalid": "Skriv inn en gyldig nettadresse (f.eks. https://eksempel.com/webhook)",
+    "httpDestAuthTitle": "Autentisering",
+    "httpDestAuthDescription": "Velg hvordan ønsker til sluttpunktet ditt er autentisert.",
+    "httpDestAuthNoneTitle": "Ingen godkjenning",
+    "httpDestAuthNoneDescription": "Sender forespørsler uten autorisasjonsoverskrift.",
+    "httpDestAuthBearerTitle": "Bærer Symbol",
+    "httpDestAuthBearerDescription": "Legger til en autorisasjon: Bearer <token> header til hver forespørsel.",
+    "httpDestAuthBearerPlaceholder": "Din API-nøkkel eller token",
+    "httpDestAuthBasicTitle": "Standard Auth",
+    "httpDestAuthBasicDescription": "Legger til en godkjenning: Grunnleggende <credentials> overskrift. Angi legitimasjon som brukernavn:passord.",
+    "httpDestAuthBasicPlaceholder": "brukernavn:passord",
+    "httpDestAuthCustomTitle": "Egendefinert topptekst",
+    "httpDestAuthCustomDescription": "Angi et egendefinert HTTP headers navn og verdi for autentisering (f.eks X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Topptekst navn (f.eks X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header verdi",
+    "httpDestCustomHeadersTitle": "Egendefinerte HTTP-overskrifter",
+    "httpDestCustomHeadersDescription": "Legg til egendefinerte overskrifter til hver utgående forespørsel. Nyttig for statisk tokens eller en egendefinert innholdstype. Som standard blir innholdstype: applikasjon/json sendt.",
+    "httpDestNoHeadersConfigured": "Ingen egendefinerte overskrifter konfigurert. Klikk \"Legg til topptekst\" for å legge til en.",
+    "httpDestHeaderNamePlaceholder": "Navn på topptekst",
+    "httpDestHeaderValuePlaceholder": "Verdi",
+    "httpDestAddHeader": "Legg til topptekst",
+    "httpDestBodyTemplateTitle": "Egendefinert hovedmal",
+    "httpDestBodyTemplateDescription": "Kontroller JSON nyttelaststrukturen sendt til ditt endepunkt. Hvis deaktivert, sendes et standard JSON-objekt for hver hendelse.",
+    "httpDestEnableBodyTemplate": "Aktiver egendefinert meldingsmal",
+    "httpDestBodyTemplateLabel": "Kroppsmal (JSON)",
+    "httpDestBodyTemplateHint": "Bruk designmal variabler for å referere til eventfelt i din betaling.",
+    "httpDestPayloadFormatTitle": "Mål format",
+    "httpDestPayloadFormatDescription": "Hvordan blir hendelser serialisert inn i hver forespørselsorgan.",
+    "httpDestFormatJsonArrayTitle": "JSON liste",
+    "httpDestFormatJsonArrayDescription": "Én forespørsel per batch, innholdet er en JSON-liste. Kompatibel med de mest generiske webhooks og Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Én forespørsel per sats, innholdet er nytt avgrenset JSON — et objekt per linje, ingen ytterarray. Kreves av Splunk HEC, Elastisk/OpenSearch, og Grafana Loki.",
+    "httpDestFormatSingleTitle": "En hendelse per forespørsel",
+    "httpDestFormatSingleDescription": "Sender en separat HTTP POST for hver enkelt hendelse. Bruk bare for endepunkter som ikke kan håndtere batcher.",
+    "httpDestLogTypesTitle": "Logg typer",
+    "httpDestLogTypesDescription": "Velg hvilke loggtyper som blir videresendt til dette målet. Bare aktiverte loggtyper vil bli strømmet.",
+    "httpDestAccessLogsTitle": "Tilgangslogger (Automatic Translation)",
+    "httpDestAccessLogsDescription": "Adgangsforsøk for ressurser, inkludert godkjente og nektet forespørsler.",
+    "httpDestActionLogsTitle": "Handlingslogger",
+    "httpDestActionLogsDescription": "Administrative tiltak som utføres av brukere innenfor organisasjonen.",
+    "httpDestConnectionLogsTitle": "Loggfiler for tilkobling",
+    "httpDestConnectionLogsDescription": "Utstyrs- og tunneltilkoblingshendelser, inkludert forbindelser og frakobling.",
+    "httpDestRequestLogsTitle": "Forespørselslogger (Automatic Translation)",
+    "httpDestRequestLogsDescription": "HTTP-forespørsel logger for bekreftede ressurser, inkludert metode, bane og responskode.",
+    "httpDestSaveChanges": "Lagre endringer",
+    "httpDestCreateDestination": "Opprett mål",
+    "httpDestUpdatedSuccess": "Målet er oppdatert",
+    "httpDestCreatedSuccess": "Målet er opprettet",
+    "httpDestUpdateFailed": "Kunne ikke oppdatere destinasjon",
+    "httpDestCreateFailed": "Kan ikke opprette mål"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -148,6 +148,11 @@
    "createLink": "Koppeling aanmaken",
    "resourcesNotFound": "Geen bronnen gevonden",
    "resourceSearch": "Zoek bronnen",
+    "machineSearch": "Zoek machines",
+    "machinesSearch": "Zoek machine-clients...",
+    "machineNotFound": "Geen machines gevonden",
+    "userDeviceSearch": "Gebruikersapparaten zoeken",
+    "userDevicesSearch": "Gebruikersapparaten zoeken...",
    "openMenu": "Menu openen",
    "resource": "Bron",
    "title": "Aanspreektitel",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxyverzoeken via HTTPS met een volledig gekwalificeerde domeinnaam.",
    "resourceRaw": "TCP/UDP bron",
    "resourceRawDescription": "Proxyverzoeken via ruwe TCP/UDP met een poortnummer.",
-    "resourceRawDescriptionCloud": "Proxy vraagt om onbewerkte TCP/UDP met behulp van een poortnummer. VEREIST HET GEBRUIK VAN EEN AFSTANDSBEDIENING NODE.",
+    "resourceRawDescriptionCloud": "Proxy verzoeken over rauwe TCP/UDP met behulp van een poortnummer. Vereist sites om verbinding te maken met een remote node.",
    "resourceCreate": "Bron maken",
    "resourceCreateDescription": "Volg de onderstaande stappen om een nieuwe bron te maken",
    "resourceSeeAll": "Alle bronnen bekijken",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "API-sleutel verwijderen",
    "apiKeysManage": "API-sleutels beheren",
    "apiKeysDescription": "API-sleutels worden gebruikt om te verifiëren met de integratie-API",
+    "provisioningKeysTitle": "Vertrekkende sleutel",
+    "provisioningKeysManage": "Beheren van Provisioning Sleutels",
+    "provisioningKeysDescription": "Provisionerende sleutels worden gebruikt om geautomatiseerde sitebepaling voor uw organisatie te verifiëren.",
+    "provisioningManage": "Provisie",
+    "provisioningDescription": "Voorzieningssleutels beheren en sites beoordelen in afwachting van goedkeuring.",
+    "pendingSites": "Openstaande sites",
+    "siteApproveSuccess": "Site succesvol goedgekeurd",
+    "siteApproveError": "Fout bij goedkeuren website",
+    "provisioningKeys": "Verhelderende sleutels",
+    "searchProvisioningKeys": "Zoek provisioningsleutels ...",
+    "provisioningKeysAdd": "Genereer Provisioning Sleutel",
+    "provisioningKeysErrorDelete": "Fout bij verwijderen provisioning sleutel",
+    "provisioningKeysErrorDeleteMessage": "Fout bij verwijderen provisioning sleutel",
+    "provisioningKeysQuestionRemove": "Weet u zeker dat u deze proefsleutel van de organisatie wilt verwijderen?",
+    "provisioningKeysMessageRemove": "Eenmaal verwijderd, kan de sleutel niet meer worden gebruikt voor site-instructie.",
+    "provisioningKeysDeleteConfirm": "Bevestig Verwijderen Provisione-sleutel",
+    "provisioningKeysDelete": "Provisione-sleutel verwijderen",
+    "provisioningKeysCreate": "Genereer Provisioning Sleutel",
+    "provisioningKeysCreateDescription": "Een nieuwe provisioningsleutel voor de organisatie genereren",
+    "provisioningKeysSeeAll": "Bekijk alle provisioning sleutels",
+    "provisioningKeysSave": "Sla de provisioning sleutel op",
+    "provisioningKeysSaveDescription": "Je kunt dit slechts één keer zien. Kopieer het naar een veilige plaats.",
+    "provisioningKeysErrorCreate": "Fout bij aanmaken provisioning sleutel",
+    "provisioningKeysList": "Nieuwe provisioning sleutel",
+    "provisioningKeysMaxBatchSize": "Maximale batchgrootte",
+    "provisioningKeysUnlimitedBatchSize": "Onbeperkte batchgrootte (geen limiet)",
+    "provisioningKeysMaxBatchUnlimited": "Onbeperkt",
+    "provisioningKeysMaxBatchSizeInvalid": "Voer een geldige maximale batchgrootte in (1–1.000,000).",
+    "provisioningKeysValidUntil": "Geldig tot",
+    "provisioningKeysValidUntilHint": "Laat leeg voor geen vervaldatum.",
+    "provisioningKeysValidUntilInvalid": "Voer een geldige datum en tijd in.",
+    "provisioningKeysNumUsed": "Aantal keer gebruikt",
+    "provisioningKeysLastUsed": "Laatst gebruikt",
+    "provisioningKeysNoExpiry": "Geen vervaldatum",
+    "provisioningKeysNeverUsed": "Nooit",
+    "provisioningKeysEdit": "Wijzig Provisioning Sleutel",
+    "provisioningKeysEditDescription": "Werk de maximale batchgrootte en verlooptijd voor deze sleutel bij.",
+    "provisioningKeysApproveNewSites": "Goedkeuren van nieuwe sites",
+    "provisioningKeysApproveNewSitesDescription": "Automatisch sites goedkeuren die zich registreren met deze sleutel.",
+    "provisioningKeysUpdateError": "Fout tijdens bijwerken provisioning sleutel",
+    "provisioningKeysUpdated": "Provisie sleutel bijgewerkt",
+    "provisioningKeysUpdatedDescription": "Uw wijzigingen zijn opgeslagen.",
+    "provisioningKeysBannerTitle": "Bewerkingssleutels voor websites",
+    "provisioningKeysBannerDescription": "Genereer een provisioning-sleutel en gebruik deze met de Newt-connector om automatisch sites aan te maken bij het opstarten van de eerste opstart- het is niet nodig om afzonderlijke inloggegevens in te stellen voor elke site.",
+    "provisioningKeysBannerButtonText": "Meer informatie",
+    "pendingSitesBannerTitle": "Openstaande sites",
+    "pendingSitesBannerDescription": "Sites die met elkaar verbinden met behulp van een provisioning-sleutel verschijnen hier voor beoordeling. Accepteer elke site voordat deze actief wordt en krijgt toegang tot uw bronnen.",
+    "pendingSitesBannerButtonText": "Meer informatie",
    "apiKeysSettings": "{apiKeyName} instellingen",
    "userTitle": "Alle gebruikers beheren",
    "userDescription": "Bekijk en beheer alle gebruikers in het systeem",
@@ -509,9 +562,12 @@
    "userSaved": "Gebruiker opgeslagen",
    "userSavedDescription": "De gebruiker is bijgewerkt.",
    "autoProvisioned": "Automatisch bevestigen",
+    "autoProvisionSettings": "Auto Provisie Instellingen",
    "autoProvisionedDescription": "Toestaan dat deze gebruiker automatisch wordt beheerd door een identiteitsprovider",
    "accessControlsDescription": "Beheer wat deze gebruiker toegang heeft tot en doet in de organisatie",
    "accessControlsSubmit": "Bewaar Toegangsbesturing",
+    "singleRolePerUserPlanNotice": "Uw plan ondersteunt slechts één rol per gebruiker.",
+    "singleRolePerUserEditionNotice": "Deze editie ondersteunt slechts één rol per gebruiker.",
    "roles": "Rollen",
    "accessUsersRoles": "Beheer Gebruikers & Rollen",
    "accessUsersRolesDescription": "Nodig gebruikers uit en voeg ze toe aan de rollen om toegang tot de organisatie te beheren",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Voer het setup-token in vanaf de serverconsole.",
    "setupTokenRequired": "Setup-token is vereist",
    "actionUpdateSite": "Site bijwerken",
+    "actionResetSiteBandwidth": "Reset organisatieschandbreedte",
    "actionListSiteRoles": "Toon toegestane sitenollen",
    "actionCreateResource": "Bron maken",
    "actionDeleteResource": "Document verwijderen",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Gebruiker verwijderen",
    "actionListUsers": "Gebruikers weergeven",
    "actionAddUserRole": "Gebruikersrol toevoegen",
+    "actionSetUserOrgRoles": "Stel gebruikersrollen in",
    "actionGenerateAccessToken": "Genereer Toegangstoken",
    "actionDeleteAccessToken": "Verwijder toegangstoken",
    "actionListAccessTokens": "Lijst toegangstokens",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Rollen",
    "sidebarShareableLinks": "Koppelingen",
    "sidebarApiKeys": "API sleutels",
+    "sidebarProvisioning": "Provisie",
    "sidebarSettings": "Instellingen",
    "sidebarAllUsers": "Alle gebruikers",
    "sidebarIdentityProviders": "Identiteit aanbieders",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Naamruimte: {namespace}",
    "domainPickerShowMore": "Meer weergeven",
    "regionSelectorTitle": "Selecteer Regio",
+    "domainPickerRemoteExitNodeWarning": "Opgegeven domeinen worden niet ondersteund wanneer websites verbinding maken met externe sluitnodes. Gebruik in plaats daarvan een aangepast domein. Om bronnen beschikbaar te maken op externe nodes.",
    "regionSelectorInfo": "Het selecteren van een regio helpt ons om betere prestaties te leveren voor uw locatie. U hoeft niet in dezelfde regio als uw server te zijn.",
    "regionSelectorPlaceholder": "Kies een regio",
    "regionSelectorComingSoon": "Komt binnenkort",
@@ -1888,6 +1948,40 @@
    "exitNode": "Exit Node",
    "country": "Land",
    "rulesMatchCountry": "Momenteel gebaseerd op bron IP",
+    "region": "Regio",
+    "selectRegion": "Selecteer regio",
+    "searchRegions": "Zoek regio's...",
+    "noRegionFound": "Geen regio gevonden.",
+    "rulesMatchRegion": "Selecteer een regionale groepering van landen",
+    "rulesErrorInvalidRegion": "Ongeldige regio",
+    "rulesErrorInvalidRegionDescription": "Selecteer een geldige regio.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Noord-Afrika",
+    "regionEasternAfrica": "Oost Afrika",
+    "regionMiddleAfrica": "Midden Afrika",
+    "regionSouthernAfrica": "Zuidelijk Afrika",
+    "regionWesternAfrica": "Westelijk Afrika",
+    "regionAmericas": "Amerika's",
+    "regionCaribbean": "Caraïben",
+    "regionCentralAmerica": "Midden-Amerika",
+    "regionSouthAmerica": "Zuid Amerika",
+    "regionNorthernAmerica": "Noord-Amerika",
+    "regionAsia": "Azië",
+    "regionCentralAsia": "Centraal-Azië",
+    "regionEasternAsia": "Oost-Azië",
+    "regionSouthEasternAsia": "Zuid-Oost-Azië",
+    "regionSouthernAsia": "Zuid-Azië",
+    "regionWesternAsia": "Westelijk Azië",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Oost-Europa",
+    "regionNorthernEurope": "Noord-Europa",
+    "regionSouthernEurope": "Zuid-Europa",
+    "regionWesternEurope": "West-Europa",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australië en Nieuw-Zeeland",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Beheerde Self-Hosted",
        "description": "betrouwbaardere en slecht onderhouden Pangolin server met extra klokken en klokkenluiders",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Ongeldige waarde",
    "idpTypeLabel": "Identiteit provider type",
    "roleMappingExpressionPlaceholder": "bijvoorbeeld bevat (groepen, 'admin') && 'Admin' ½ 'Member'",
+    "roleMappingModeFixedRoles": "Vaste rollen",
+    "roleMappingModeMappingBuilder": "Toewijzing Bouwer",
+    "roleMappingModeRawExpression": "Ruwe expressie",
+    "roleMappingFixedRolesPlaceholderSelect": "Selecteer één of meer rollen",
+    "roleMappingFixedRolesPlaceholderFreeform": "Typ rolnamen (exacte overeenkomst per organisatie)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Wijs dezelfde rolset toe aan elke auto-provisioned gebruiker.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Voor standaardbeleid, typ rolnamen die bestaan in elke organisatie waar gebruikers worden opgegeven. Namen moeten exact overeenkomen.",
+    "roleMappingClaimPath": "Claim pad",
+    "roleMappingClaimPathPlaceholder": "Groepen",
+    "roleMappingClaimPathDescription": "Pad in de token payload die bronwaarden bevat (bijvoorbeeld groepen).",
+    "roleMappingMatchValue": "Kies een waarde",
+    "roleMappingAssignRoles": "Rollen toewijzen",
+    "roleMappingAddMappingRule": "Toewijzingsregel toevoegen",
+    "roleMappingRawExpressionResultDescription": "Expressie moet een tekenreeks of tekenreeks evalueren.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expressie moet evalueren naar een tekenreeks (een naam met één rol).",
+    "roleMappingMatchValuePlaceholder": "Overeenkomende waarde (bijvoorbeeld: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Typ rolnamen (exact per org)",
+    "roleMappingBuilderFreeformRowHint": "Rol namen moeten overeenkomen met een rol in elke doelorganisatie.",
+    "roleMappingRemoveRule": "Verwijderen",
    "idpGoogleConfiguration": "Google Configuratie",
    "idpGoogleConfigurationDescription": "Configureer de Google OAuth2-referenties",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Hoe lang de toegangslogboeken behouden blijven",
    "logRetentionActionLabel": "Actie log bewaring",
    "logRetentionActionDescription": "Hoe lang de action logs behouden moeten blijven",
+    "logRetentionConnectionLabel": "Connectie log bewaring",
+    "logRetentionConnectionDescription": "Hoe lang de verbindingslogs onderhouden",
    "logRetentionDisabled": "Uitgeschakeld",
    "logRetention3Days": "3 dagen",
    "logRetention7Days": "7 dagen",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Einde van volgend jaar",
    "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
    "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
-    "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Connectie Logs",
+    "connectionLogsDescription": "Toon verbindingslogs voor tunnels in deze organisatie",
+    "sidebarLogsConnection": "Connectie Logs",
+    "sidebarLogsStreaming": "Streamen",
+    "sourceAddress": "Bron adres",
+    "destinationAddress": "Adres bestemming",
+    "duration": "Duur",
+    "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie of <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is vereist om deze functie te gebruiken. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
    "certResolver": "Certificaat Resolver",
    "certResolverDescription": "Selecteer de certificaat resolver die moet worden gebruikt voor deze resource.",
    "selectCertResolver": "Certificaat Resolver selecteren",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Toestel goedkeuringen inschakelen",
    "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
    "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
-    "approvalsEmptyStateButtonText": "Rollen beheren"
+    "approvalsEmptyStateButtonText": "Rollen beheren",
+    "domainErrorTitle": "We ondervinden problemen bij het controleren van uw domein",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configureer rolverrekening en organisatie beleid in het <policiesTabLink>Auto Provision Settings</policiesTabLink> tab.",
+    "streamingTitle": "Event streaming",
+    "streamingDescription": "Stream events van uw organisatie naar externe bestemmingen in realtime.",
+    "streamingUnnamedDestination": "Naamloze bestemming",
+    "streamingNoUrlConfigured": "Geen URL ingesteld",
+    "streamingAddDestination": "Bestemming toevoegen",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Stuur gebeurtenissen naar elk HTTP eindpunt met flexibele authenticatie en template.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Stream events naar een S3-compatibele object-opslagemmer. Binnenkort beschikbaar.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Stuur gebeurtenissen rechtstreeks door naar je Datadog account. Binnenkort beschikbaar.",
+    "streamingTypePickerDescription": "Kies een bestemmingstype om te beginnen.",
+    "streamingFailedToLoad": "Laden van bestemmingen mislukt",
+    "streamingUnexpectedError": "Er is een onverwachte fout opgetreden.",
+    "streamingFailedToUpdate": "Bijwerken bestemming mislukt",
+    "streamingDeletedSuccess": "Bestemming succesvol verwijderd",
+    "streamingFailedToDelete": "Verwijderen van bestemming mislukt",
+    "streamingDeleteTitle": "Verwijder bestemming",
+    "streamingDeleteButtonText": "Verwijder bestemming",
+    "streamingDeleteDialogAreYouSure": "Weet u zeker dat u wilt verwijderen",
+    "streamingDeleteDialogThisDestination": "deze bestemming",
+    "streamingDeleteDialogPermanentlyRemoved": "? Alle configuratie zal permanent worden verwijderd.",
+    "httpDestEditTitle": "Bewerk bestemming",
+    "httpDestAddTitle": "Voeg HTTP bestemming toe",
+    "httpDestEditDescription": "Werk de configuratie voor deze HTTP-event streaming bestemming bij.",
+    "httpDestAddDescription": "Configureer een nieuw HTTP-eindpunt om de gebeurtenissen van uw organisatie te ontvangen.",
+    "httpDestTabSettings": "Instellingen",
+    "httpDestTabHeaders": "Kopteksten",
+    "httpDestTabBody": "Lichaam",
+    "httpDestTabLogs": "Logboeken",
+    "httpDestNamePlaceholder": "Mijn HTTP-bestemming",
+    "httpDestUrlLabel": "Bestemming URL",
+    "httpDestUrlErrorHttpRequired": "URL moet http of https gebruiken",
+    "httpDestUrlErrorHttpsRequired": "HTTPS is vereist op cloud implementaties",
+    "httpDestUrlErrorInvalid": "Voer een geldige URL in (bijv. https://example.com/webhook)",
+    "httpDestAuthTitle": "Authenticatie",
+    "httpDestAuthDescription": "Kies hoe verzoeken voor uw eindpunt zijn geverifieerd.",
+    "httpDestAuthNoneTitle": "Geen authenticatie",
+    "httpDestAuthNoneDescription": "Stuurt verzoeken zonder toestemmingskop.",
+    "httpDestAuthBearerTitle": "Betere Token",
+    "httpDestAuthBearerDescription": "Voegt een machtiging toe: Drager <token> header aan elke aanvraag.",
+    "httpDestAuthBearerPlaceholder": "Uw API-sleutel of -token",
+    "httpDestAuthBasicTitle": "Basis authenticatie",
+    "httpDestAuthBasicDescription": "Voegt een Authorizatie toe: Basis <credentials> kop. Geef inloggegevens op als gebruikersnaam:wachtwoord.",
+    "httpDestAuthBasicPlaceholder": "Gebruikersnaam:wachtwoord",
+    "httpDestAuthCustomTitle": "Aangepaste koptekst",
+    "httpDestAuthCustomDescription": "Specificeer een aangepaste HTTP header naam en waarde voor authenticatie (bijv. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Header naam (bijv. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Header waarde",
+    "httpDestCustomHeadersTitle": "Aangepaste HTTP Headers",
+    "httpDestCustomHeadersDescription": "Voeg aangepaste headers toe aan elk uitgaande verzoek. Handig voor statische tokens of een aangepast Content-Type. Standaard Content-Type: application/json wordt verzonden.",
+    "httpDestNoHeadersConfigured": "Geen aangepaste headers geconfigureerd. Klik op \"Header\" om er een toe te voegen.",
+    "httpDestHeaderNamePlaceholder": "Naam koptekst",
+    "httpDestHeaderValuePlaceholder": "Waarde",
+    "httpDestAddHeader": "Koptekst toevoegen",
+    "httpDestBodyTemplateTitle": "Aangepaste Body Sjabloon",
+    "httpDestBodyTemplateDescription": "Bestuur de JSON payload structuur verzonden naar uw eindpunt. Indien uitgeschakeld, wordt een standaard JSON object verzonden voor elke event.",
+    "httpDestEnableBodyTemplate": "Aangepaste lichaam sjabloon inschakelen",
+    "httpDestBodyTemplateLabel": "Body sjabloon (JSON)",
+    "httpDestBodyTemplateHint": "Gebruik sjabloonvariabelen om te verwijzen naar gebeurtenisvelden in uw payload.",
+    "httpDestPayloadFormatTitle": "Payload formaat",
+    "httpDestPayloadFormatDescription": "Hoe evenementen worden geserialiseerd in elk verzoeklichaam.",
+    "httpDestFormatJsonArrayTitle": "JSON matrix",
+    "httpDestFormatJsonArrayDescription": "Eén verzoek per batch, lichaam is een JSON-array. Compatibel met de meeste algemene webhooks en Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Eén aanvraag per batch, lichaam is nieuwe JSON gescheiden - één object per regel, geen buitenste array. Vereist door Splunk HEC, Elastic / OpenSearch, en Grafana Loki.",
+    "httpDestFormatSingleTitle": "Eén afspraak per verzoek",
+    "httpDestFormatSingleDescription": "Stuurt een aparte HTTP POST voor elk individueel event. Gebruik alleen voor eindpunten die geen batches kunnen verwerken.",
+    "httpDestLogTypesTitle": "Log soorten",
+    "httpDestLogTypesDescription": "Kies welke log types doorgestuurd worden naar deze bestemming. Alleen ingeschakelde log types worden gestreden.",
+    "httpDestAccessLogsTitle": "Toegang tot logboek",
+    "httpDestAccessLogsDescription": "Hulpbrontoegangspogingen, inclusief geauthenticeerde en weigerde aanvragen.",
+    "httpDestActionLogsTitle": "Actie logs",
+    "httpDestActionLogsDescription": "Administratieve acties uitgevoerd door gebruikers binnen de organisatie.",
+    "httpDestConnectionLogsTitle": "Connectie Logs",
+    "httpDestConnectionLogsDescription": "Verbinding met de Site en tunnel maken verbroken, inclusief verbindingen en verbindingen.",
+    "httpDestRequestLogsTitle": "Logboeken aanvragen",
+    "httpDestRequestLogsDescription": "HTTP request logs voor proxied hulpmiddelen, waaronder methode, pad en response code.",
+    "httpDestSaveChanges": "Wijzigingen opslaan",
+    "httpDestCreateDestination": "Maak bestemming aan",
+    "httpDestUpdatedSuccess": "Bestemming succesvol bijgewerkt",
+    "httpDestCreatedSuccess": "Bestemming succesvol aangemaakt",
+    "httpDestUpdateFailed": "Bijwerken bestemming mislukt",
+    "httpDestCreateFailed": "Aanmaken bestemming mislukt"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -148,6 +148,11 @@
    "createLink": "Utwórz link",
    "resourcesNotFound": "Nie znaleziono zasobów",
    "resourceSearch": "Szukaj zasobów",
+    "machineSearch": "Wyszukiwarki",
+    "machinesSearch": "Szukaj klientów maszyn...",
+    "machineNotFound": "Nie znaleziono maszyn",
+    "userDeviceSearch": "Szukaj urządzeń użytkownika",
+    "userDevicesSearch": "Szukaj urządzeń użytkownika...",
    "openMenu": "Otwórz menu",
    "resource": "Zasoby",
    "title": "Tytuł",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxy zapytań przez HTTPS przy użyciu w pełni kwalifikowanej nazwy domeny.",
    "resourceRaw": "Surowy zasób TCP/UDP",
    "resourceRawDescription": "Proxy zapytań przez surowe TCP/UDP przy użyciu numeru portu.",
-    "resourceRawDescriptionCloud": "Proxy żądania przesyłania danych nad surowym TCP/UDP przy użyciu numeru portu. Wymaga UŻYTKOWANIA PALIWA węzła.",
+    "resourceRawDescriptionCloud": "Żądania proxy nad surowym TCP/UDP przy użyciu numeru portu. Wymaga stron aby połączyć się ze zdalnym węzłem.",
    "resourceCreate": "Utwórz zasób",
    "resourceCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nowy zasób",
    "resourceSeeAll": "Zobacz wszystkie zasoby",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Usuń klucz API",
    "apiKeysManage": "Zarządzaj kluczami API",
    "apiKeysDescription": "Klucze API służą do uwierzytelniania z API integracji",
+    "provisioningKeysTitle": "Klucz Zaopatrzenia",
+    "provisioningKeysManage": "Zarządzaj kluczami zaopatrzenia",
+    "provisioningKeysDescription": "Klucze zaopatrzenia są używane do uwierzytelniania zautomatyzowanego zaopatrzenia twojej organizacji.",
+    "provisioningManage": "Dostarczanie",
+    "provisioningDescription": "Zarządzaj kluczami rezerwacji i sprawdzaj oczekujące strony oczekujące na zatwierdzenie.",
+    "pendingSites": "Witryny oczekujące",
+    "siteApproveSuccess": "Witryna została pomyślnie zatwierdzona",
+    "siteApproveError": "Błąd zatwierdzania witryny",
+    "provisioningKeys": "Klucze Zaopatrzenia",
+    "searchProvisioningKeys": "Szukaj kluczy zaopatrzenia...",
+    "provisioningKeysAdd": "Wygeneruj klucz zaopatrzenia",
+    "provisioningKeysErrorDelete": "Błąd podczas usuwania klucza zaopatrzenia",
+    "provisioningKeysErrorDeleteMessage": "Błąd podczas usuwania klucza zaopatrzenia",
+    "provisioningKeysQuestionRemove": "Czy na pewno chcesz usunąć ten klucz rezerwacji z organizacji?",
+    "provisioningKeysMessageRemove": "Po usunięciu, klucz nie może być już używany do tworzenia witryny.",
+    "provisioningKeysDeleteConfirm": "Potwierdź usunięcie klucza zaopatrzenia",
+    "provisioningKeysDelete": "Usuń klucz zaopatrzenia",
+    "provisioningKeysCreate": "Wygeneruj klucz zaopatrzenia",
+    "provisioningKeysCreateDescription": "Wygeneruj nowy klucz tworzenia rezerw dla organizacji",
+    "provisioningKeysSeeAll": "Zobacz wszystkie klucze rezerwacji",
+    "provisioningKeysSave": "Zapisz klucz zaopatrzenia",
+    "provisioningKeysSaveDescription": "Możesz to zobaczyć tylko raz. Skopiuj je do bezpiecznego miejsca.",
+    "provisioningKeysErrorCreate": "Błąd podczas tworzenia klucza zaopatrzenia",
+    "provisioningKeysList": "Nowy klucz rezerwacji",
+    "provisioningKeysMaxBatchSize": "Maksymalny rozmiar partii",
+    "provisioningKeysUnlimitedBatchSize": "Nieograniczony rozmiar partii (bez limitu)",
+    "provisioningKeysMaxBatchUnlimited": "Nieograniczona",
+    "provisioningKeysMaxBatchSizeInvalid": "Wprowadź poprawny maksymalny rozmiar partii (1–1 000,000).",
+    "provisioningKeysValidUntil": "Ważny do",
+    "provisioningKeysValidUntilHint": "Pozostaw puste, aby nie wygasnąć.",
+    "provisioningKeysValidUntilInvalid": "Wprowadź prawidłową datę i godzinę.",
+    "provisioningKeysNumUsed": "Używane czasy",
+    "provisioningKeysLastUsed": "Ostatnio używane",
+    "provisioningKeysNoExpiry": "Brak wygaśnięcia",
+    "provisioningKeysNeverUsed": "Nigdy",
+    "provisioningKeysEdit": "Edytuj klucz zaopatrzenia",
+    "provisioningKeysEditDescription": "Zaktualizuj maksymalny rozmiar partii i czas wygaśnięcia dla tego klucza.",
+    "provisioningKeysApproveNewSites": "Zatwierdź nowe witryny",
+    "provisioningKeysApproveNewSitesDescription": "Automatycznie zatwierdzaj witryny, które rejestrują się za pomocą tego klucza.",
+    "provisioningKeysUpdateError": "Błąd podczas aktualizacji klucza zaopatrzenia",
+    "provisioningKeysUpdated": "Klucz zaopatrzenia zaktualizowany",
+    "provisioningKeysUpdatedDescription": "Twoje zmiany zostały zapisane.",
+    "provisioningKeysBannerTitle": "Klucze Zaopatrzenia witryny",
+    "provisioningKeysBannerDescription": "Wygeneruj klucz tworzenia rezerw i użyj go z konektorem Newt do automatycznego tworzenia witryn przy pierwszym uruchomieniu — nie ma potrzeby ustawiania oddzielnych poświadczeń dla każdej witryny.",
+    "provisioningKeysBannerButtonText": "Dowiedz się więcej",
+    "pendingSitesBannerTitle": "Witryny oczekujące",
+    "pendingSitesBannerDescription": "Witryny, które łączą się przy użyciu klucza zaopatrzenia, pojawiają się tutaj, aby przejrzeć. Zatwierdź każdą witrynę, zanim stanie się aktywna i uzyska dostęp do twoich zasobów.",
+    "pendingSitesBannerButtonText": "Dowiedz się więcej",
    "apiKeysSettings": "Ustawienia {apiKeyName}",
    "userTitle": "Zarządzaj wszystkimi użytkownikami",
    "userDescription": "Zobacz i zarządzaj wszystkimi użytkownikami w systemie",
@@ -509,9 +562,12 @@
    "userSaved": "Użytkownik zapisany",
    "userSavedDescription": "Użytkownik został zaktualizowany.",
    "autoProvisioned": "Przesłane automatycznie",
+    "autoProvisionSettings": "Ustawienia automatycznego dostarczania",
    "autoProvisionedDescription": "Pozwól temu użytkownikowi na automatyczne zarządzanie przez dostawcę tożsamości",
    "accessControlsDescription": "Zarządzaj tym, do czego użytkownik ma dostęp i co może robić w organizacji",
    "accessControlsSubmit": "Zapisz kontrole dostępu",
+    "singleRolePerUserPlanNotice": "Twój plan obsługuje tylko jedną rolę na użytkownika.",
+    "singleRolePerUserEditionNotice": "Ta edycja obsługuje tylko jedną rolę na użytkownika.",
    "roles": "Role",
    "accessUsersRoles": "Zarządzaj użytkownikami i rolami",
    "accessUsersRolesDescription": "Zaproś użytkowników i dodaj je do ról do zarządzania dostępem do organizacji",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Wprowadź token konfiguracji z konsoli serwera.",
    "setupTokenRequired": "Wymagany jest token konfiguracji",
    "actionUpdateSite": "Aktualizuj witrynę",
+    "actionResetSiteBandwidth": "Zresetuj przepustowość organizacji",
    "actionListSiteRoles": "Lista dozwolonych ról witryny",
    "actionCreateResource": "Utwórz zasób",
    "actionDeleteResource": "Usuń zasób",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Usuń użytkownika",
    "actionListUsers": "Lista użytkowników",
    "actionAddUserRole": "Dodaj rolę użytkownika",
+    "actionSetUserOrgRoles": "Ustaw role użytkownika",
    "actionGenerateAccessToken": "Wygeneruj token dostępu",
    "actionDeleteAccessToken": "Usuń token dostępu",
    "actionListAccessTokens": "Lista tokenów dostępu",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Role",
    "sidebarShareableLinks": "Linki",
    "sidebarApiKeys": "Klucze API",
+    "sidebarProvisioning": "Dostarczanie",
    "sidebarSettings": "Ustawienia",
    "sidebarAllUsers": "Wszyscy użytkownicy",
    "sidebarIdentityProviders": "Dostawcy tożsamości",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Przestrzeń nazw: {namespace}",
    "domainPickerShowMore": "Pokaż więcej",
    "regionSelectorTitle": "Wybierz region",
+    "domainPickerRemoteExitNodeWarning": "Podane domeny nie są obsługiwane, gdy witryny łączą się ze zdalnymi węzłami wyjścia. Aby zasoby były dostępne w węzłach zdalnych, użyj domeny niestandardowej.",
    "regionSelectorInfo": "Wybór regionu pomaga nam zapewnić lepszą wydajność dla Twojej lokalizacji. Nie musisz być w tym samym regionie co Twój serwer.",
    "regionSelectorPlaceholder": "Wybierz region",
    "regionSelectorComingSoon": "Wkrótce dostępne",
@@ -1888,6 +1948,40 @@
    "exitNode": "Węzeł Wyjściowy",
    "country": "Kraj",
    "rulesMatchCountry": "Obecnie bazuje na adresie IP źródła",
+    "region": "Region",
+    "selectRegion": "Wybierz region",
+    "searchRegions": "Szukaj regionów...",
+    "noRegionFound": "Nie znaleziono regionu.",
+    "rulesMatchRegion": "Wybierz regionalną grupę krajów",
+    "rulesErrorInvalidRegion": "Nieprawidłowy region",
+    "rulesErrorInvalidRegionDescription": "Proszę wybrać prawidłowy region.",
+    "regionAfrica": "Afryka",
+    "regionNorthernAfrica": "Afryka Północna",
+    "regionEasternAfrica": "Afryka Wschodnia",
+    "regionMiddleAfrica": "Afryka Środkowa",
+    "regionSouthernAfrica": "Afryka Południowa",
+    "regionWesternAfrica": "Afryka Zachodnia",
+    "regionAmericas": "Ameryka",
+    "regionCaribbean": "Karaiby",
+    "regionCentralAmerica": "Ameryka Środkowa",
+    "regionSouthAmerica": "Ameryka Południowej",
+    "regionNorthernAmerica": "Ameryka Północna",
+    "regionAsia": "Akwakultura",
+    "regionCentralAsia": "Azja Środkowa",
+    "regionEasternAsia": "Azja Wschodnia",
+    "regionSouthEasternAsia": "Azja Południowo-Wschodnia",
+    "regionSouthernAsia": "Azja Południowa",
+    "regionWesternAsia": "Azja Zachodnia",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Wschodnia",
+    "regionNorthernEurope": "Europa Północna",
+    "regionSouthernEurope": "Europa Południowa",
+    "regionWesternEurope": "Europa Zachodnia",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Australia i Nowa Zelandia",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Zarządzane Samodzielnie-Hostingowane",
        "description": "Większa niezawodność i niska konserwacja serwera Pangolin z dodatkowymi dzwonkami i sygnałami",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Nieprawidłowa wartość",
    "idpTypeLabel": "Typ dostawcy tożsamości",
    "roleMappingExpressionPlaceholder": "np. zawiera(grupy, 'admin') && 'Admin' || 'Członek'",
+    "roleMappingModeFixedRoles": "Stałe role",
+    "roleMappingModeMappingBuilder": "Konstruktor mapowania",
+    "roleMappingModeRawExpression": "Surowe wyrażenie",
+    "roleMappingFixedRolesPlaceholderSelect": "Wybierz jedną lub więcej ról",
+    "roleMappingFixedRolesPlaceholderFreeform": "Wpisz nazwy ról (dopasowanie na organizację)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Przypisz tę samą rolę do każdego automatycznie udostępnionego użytkownika.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "W przypadku domyślnych zasad nazwy ról typu które istnieją w każdej organizacji, gdzie użytkownicy są zapisywani. Nazwy muszą się dokładnie zgadzać.",
+    "roleMappingClaimPath": "Ścieżka przejęcia",
+    "roleMappingClaimPathPlaceholder": "grupy",
+    "roleMappingClaimPathDescription": "Ścieżka w payloadzie tokenów, która zawiera wartości źródłowe (np. grupy).",
+    "roleMappingMatchValue": "Wartość dopasowania",
+    "roleMappingAssignRoles": "Przypisz role",
+    "roleMappingAddMappingRule": "Dodaj regułę mapowania",
+    "roleMappingRawExpressionResultDescription": "Wyrażenie musi ocenić do tablicy ciągów lub ciągów.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Wyrażenie musi oceniać ciąg znaków (pojedyncza nazwa).",
+    "roleMappingMatchValuePlaceholder": "Wartość dopasowania (na przykład: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Wpisz nazwy ról (aktywizacja na org)",
+    "roleMappingBuilderFreeformRowHint": "Nazwy ról muszą pasować do roli w każdej organizacji docelowej.",
+    "roleMappingRemoveRule": "Usuń",
    "idpGoogleConfiguration": "Konfiguracja Google",
    "idpGoogleConfigurationDescription": "Skonfiguruj dane logowania Google OAuth2",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Jak długo zachować dzienniki dostępu",
    "logRetentionActionLabel": "Zachowanie dziennika akcji",
    "logRetentionActionDescription": "Jak długo zachować dzienniki akcji",
+    "logRetentionConnectionLabel": "Zachowanie dziennika połączeń",
+    "logRetentionConnectionDescription": "Jak długo zachować dzienniki połączeń",
    "logRetentionDisabled": "Wyłączone",
    "logRetention3Days": "3 dni",
    "logRetention7Days": "7 dni",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Koniec następnego roku",
    "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
    "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
-    "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Dzienniki połączeń",
+    "connectionLogsDescription": "Wyświetl dzienniki połączeń dla tuneli w tej organizacji",
+    "sidebarLogsConnection": "Dzienniki połączeń",
+    "sidebarLogsStreaming": "Strumieniowanie",
+    "sourceAddress": "Adres źródłowy",
+    "destinationAddress": "Adres docelowy",
+    "duration": "Czas trwania",
+    "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lub <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezerwuj wersję demonstracyjną lub wersję próbną POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Zarezerwuj demo lub okres próbny POC</bookADemoLink>.",
    "certResolver": "Rozwiązywanie certyfikatów",
    "certResolverDescription": "Wybierz resolver certyfikatów do użycia dla tego zasobu.",
    "selectCertResolver": "Wybierz Resolver certyfikatów",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Włącz zatwierdzanie urządzenia",
    "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
    "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
-    "approvalsEmptyStateButtonText": "Zarządzaj rolami"
+    "approvalsEmptyStateButtonText": "Zarządzaj rolami",
+    "domainErrorTitle": "Mamy problem z weryfikacją Twojej domeny",
+    "idpAdminAutoProvisionPoliciesTabHint": "Skonfiguruj mapowanie ról i zasady organizacji na karcie <policiesTabLink>Auto Provivision Settings</policiesTabLink>.",
+    "streamingTitle": "Strumieniowanie wydarzeń",
+    "streamingDescription": "Wydarzenia strumieniowe z Twojej organizacji do zewnętrznych miejsc przeznaczenia w czasie rzeczywistym.",
+    "streamingUnnamedDestination": "Miejsce przeznaczenia bez nazwy",
+    "streamingNoUrlConfigured": "Brak skonfigurowanego adresu URL",
+    "streamingAddDestination": "Dodaj cel",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Wyślij zdarzenia do dowolnego punktu końcowego HTTP z elastycznym uwierzytelnianiem i szablonem.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Zdarzenia strumieniowe do magazynu obiektów kompatybilnych z S3. Już wkrótce.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Przekaż wydarzenia bezpośrednio do Twojego konta Datadog. Już wkrótce.",
+    "streamingTypePickerDescription": "Wybierz typ docelowy, aby rozpocząć.",
+    "streamingFailedToLoad": "Nie udało się załadować miejsc docelowych",
+    "streamingUnexpectedError": "Wystąpił nieoczekiwany błąd.",
+    "streamingFailedToUpdate": "Nie udało się zaktualizować miejsca docelowego",
+    "streamingDeletedSuccess": "Cel usunięty pomyślnie",
+    "streamingFailedToDelete": "Nie udało się usunąć miejsca docelowego",
+    "streamingDeleteTitle": "Usuń cel",
+    "streamingDeleteButtonText": "Usuń cel",
+    "streamingDeleteDialogAreYouSure": "Czy na pewno chcesz usunąć",
+    "streamingDeleteDialogThisDestination": "ten cel",
+    "streamingDeleteDialogPermanentlyRemoved": "? Wszystkie konfiguracje zostaną trwale usunięte.",
+    "httpDestEditTitle": "Edytuj cel",
+    "httpDestAddTitle": "Dodaj cel HTTP",
+    "httpDestEditDescription": "Aktualizuj konfigurację dla tego celu przesyłania strumieniowego zdarzeń HTTP.",
+    "httpDestAddDescription": "Skonfiguruj nowy punkt końcowy HTTP, aby otrzymywać wydarzenia organizacji.",
+    "httpDestTabSettings": "Ustawienia",
+    "httpDestTabHeaders": "Nagłówki",
+    "httpDestTabBody": "Ciało",
+    "httpDestTabLogs": "Logi",
+    "httpDestNamePlaceholder": "Mój cel HTTP",
+    "httpDestUrlLabel": "Adres docelowy",
+    "httpDestUrlErrorHttpRequired": "Adres URL musi używać http lub https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS jest wymagany dla wdrożenia w chmurze",
+    "httpDestUrlErrorInvalid": "Wprowadź poprawny adres URL (np. https://example.com/webhook)",
+    "httpDestAuthTitle": "Uwierzytelnianie",
+    "httpDestAuthDescription": "Wybierz sposób uwierzytelniania żądań do Twojego punktu końcowego.",
+    "httpDestAuthNoneTitle": "Brak uwierzytelniania",
+    "httpDestAuthNoneDescription": "Wysyła żądania bez nagłówka autoryzacji.",
+    "httpDestAuthBearerTitle": "Token Bearer",
+    "httpDestAuthBearerDescription": "Dodaje autoryzację: nagłówek Bearer <token> do każdego żądania.",
+    "httpDestAuthBearerPlaceholder": "Twój klucz API lub token",
+    "httpDestAuthBasicTitle": "Podstawowa Autoryzacja",
+    "httpDestAuthBasicDescription": "Dodaje Autoryzacja: Nagłówek Basic <credentials> . Podaj poświadczenia jako nazwę użytkownika: hasło.",
+    "httpDestAuthBasicPlaceholder": "Nazwa użytkownika:hasło",
+    "httpDestAuthCustomTitle": "Niestandardowy nagłówek",
+    "httpDestAuthCustomDescription": "Określ niestandardową nazwę nagłówka HTTP i wartość dla uwierzytelniania (np. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nazwa nagłówka (np. klucz X-API)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Wartość nagłówka",
+    "httpDestCustomHeadersTitle": "Niestandardowe nagłówki HTTP",
+    "httpDestCustomHeadersDescription": "Dodaj własne nagłówki do każdego wychodzącego żądania. Przydatne dla tokenów statycznych lub niestandardowego typu zawartości. Domyślnie Content-Type: aplikacja/json jest wysyłane.",
+    "httpDestNoHeadersConfigured": "Nie skonfigurowano nagłówków niestandardowych. Kliknij \"Dodaj nagłówek\", aby go dodać.",
+    "httpDestHeaderNamePlaceholder": "Nazwa nagłówka",
+    "httpDestHeaderValuePlaceholder": "Wartość",
+    "httpDestAddHeader": "Dodaj nagłówek",
+    "httpDestBodyTemplateTitle": "Własny szablon ciała",
+    "httpDestBodyTemplateDescription": "Kontroluj strukturę JSON wysyłaną do Twojego punktu końcowego. Jeśli wyłączone, dla każdego zdarzenia wysyłany jest domyślny obiekt JSON.",
+    "httpDestEnableBodyTemplate": "Włącz niestandardowy szablon ciała",
+    "httpDestBodyTemplateLabel": "Szablon ciała (JSON)",
+    "httpDestBodyTemplateHint": "Użyj zmiennych szablonu do odniesienia pól zdarzeń w twoim payloadzie.",
+    "httpDestPayloadFormatTitle": "Format obciążenia",
+    "httpDestPayloadFormatDescription": "Jak zdarzenia są serializowane w każdym organie żądania.",
+    "httpDestFormatJsonArrayTitle": "Tablica JSON",
+    "httpDestFormatJsonArrayDescription": "Jedna prośba na partię, treść jest tablicą JSON. Kompatybilna z najbardziej ogólnymi webhookami i Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Jedno żądanie na partię, ciałem jest plik JSON rozdzielony na newline-delimited — jeden obiekt na wiersz, bez tablicy zewnętrznej. Wymagane przez Splunk HEC, Elastic / OpenSesearch i Grafana Loki.",
+    "httpDestFormatSingleTitle": "Jedno wydarzenie na żądanie",
+    "httpDestFormatSingleDescription": "Wysyła oddzielny POST HTTP dla każdego zdarzenia. Użyj tylko dla punktów końcowych, które nie mogą obsługiwać partii.",
+    "httpDestLogTypesTitle": "Typy logów",
+    "httpDestLogTypesDescription": "Wybierz, które typy logów są przekazywane do tego miejsca docelowego. Tylko włączone typy logów będą strumieniowane.",
+    "httpDestAccessLogsTitle": "Logi dostępu",
+    "httpDestAccessLogsDescription": "Próby dostępu do zasobów, w tym uwierzytelnione i odrzucone żądania.",
+    "httpDestActionLogsTitle": "Dzienniki działań",
+    "httpDestActionLogsDescription": "Działania administracyjne wykonywane przez użytkowników w organizacji.",
+    "httpDestConnectionLogsTitle": "Dzienniki połączeń",
+    "httpDestConnectionLogsDescription": "Zdarzenia związane z miejscem i tunelem, w tym połączenia i rozłączenia.",
+    "httpDestRequestLogsTitle": "Dzienniki żądań",
+    "httpDestRequestLogsDescription": "Logi żądań HTTP dla zasobów proxy, w tym metody, ścieżki i kodu odpowiedzi.",
+    "httpDestSaveChanges": "Zapisz zmiany",
+    "httpDestCreateDestination": "Utwórz cel",
+    "httpDestUpdatedSuccess": "Cel został pomyślnie zaktualizowany",
+    "httpDestCreatedSuccess": "Cel został utworzony pomyślnie",
+    "httpDestUpdateFailed": "Nie udało się zaktualizować miejsca docelowego",
+    "httpDestCreateFailed": "Nie udało się utworzyć miejsca docelowego"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -148,6 +148,11 @@
    "createLink": "Criar Link",
    "resourcesNotFound": "Nenhum recurso encontrado",
    "resourceSearch": "Recursos de pesquisa",
+    "machineSearch": "Procurar máquinas",
+    "machinesSearch": "Pesquisar clientes de máquina...",
+    "machineNotFound": "Nenhuma máquina encontrada",
+    "userDeviceSearch": "Procurar dispositivos do usuário",
+    "userDevicesSearch": "Pesquisar dispositivos do usuário...",
    "openMenu": "Abrir menu",
    "resource": "Recurso",
    "title": "Título",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Proxies requests sobre HTTPS usando um nome de domínio totalmente qualificado.",
    "resourceRaw": "Recurso TCP/UDP bruto",
    "resourceRawDescription": "Proxies solicitações sobre TCP/UDP bruto usando um número de porta.",
-    "resourceRawDescriptionCloud": "Proxy solicita sobre TCP/UDP bruto usando um número de porta. OBRIGATÓRIO O USO DE UMA NOTA REMOTA.",
+    "resourceRawDescriptionCloud": "Proxy solicita por TCP/UDP bruto usando um número de porta. Requer que sites se conectem a um nó remoto.",
    "resourceCreate": "Criar Recurso",
    "resourceCreateDescription": "Siga os passos abaixo para criar um novo recurso",
    "resourceSeeAll": "Ver todos os recursos",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Excluir Chave API",
    "apiKeysManage": "Gerir Chaves API",
    "apiKeysDescription": "As chaves API são usadas para autenticar com a API de integração",
+    "provisioningKeysTitle": "Chave de provisionamento",
+    "provisioningKeysManage": "Gerenciar chaves de provisionamento",
+    "provisioningKeysDescription": "Chaves de provisionamento são usadas para autenticar o provisionamento automatizado do site para sua organização.",
+    "provisioningManage": "Provisionamento",
+    "provisioningDescription": "Gerenciar chaves de provisionamento e revisar sites pendentes aguardando aprovação.",
+    "pendingSites": "Sites pendentes",
+    "siteApproveSuccess": "Site aprovado com sucesso",
+    "siteApproveError": "Erro ao aprovar site",
+    "provisioningKeys": "Posicionando chaves",
+    "searchProvisioningKeys": "Pesquisar chaves de provisionamento...",
+    "provisioningKeysAdd": "Gerar chave de provisionamento",
+    "provisioningKeysErrorDelete": "Erro ao excluir chave de provisionamento",
+    "provisioningKeysErrorDeleteMessage": "Erro ao excluir chave de provisionamento",
+    "provisioningKeysQuestionRemove": "Tem certeza de que deseja remover esta chave de provisionamento da organização?",
+    "provisioningKeysMessageRemove": "Uma vez removida, a chave não pode mais ser usada para o provisionamento do site.",
+    "provisioningKeysDeleteConfirm": "Confirmar chave de exclusão",
+    "provisioningKeysDelete": "Apagar chave de provisionamento",
+    "provisioningKeysCreate": "Gerar chave de provisionamento",
+    "provisioningKeysCreateDescription": "Gerar uma nova chave de provisionamento para a organização",
+    "provisioningKeysSeeAll": "Ver todas as chaves provisionadas",
+    "provisioningKeysSave": "Salvar a chave de provisionamento",
+    "provisioningKeysSaveDescription": "Você só será capaz de ver esta vez. Copiá-lo para um lugar seguro.",
+    "provisioningKeysErrorCreate": "Erro ao criar chave de provisionamento",
+    "provisioningKeysList": "Nova chave de aprovisionamento",
+    "provisioningKeysMaxBatchSize": "Tamanho máximo do lote",
+    "provisioningKeysUnlimitedBatchSize": "Tamanho ilimitado em lote (sem limite)",
+    "provisioningKeysMaxBatchUnlimited": "Ilimitado",
+    "provisioningKeysMaxBatchSizeInvalid": "Informe um tamanho máximo válido em lote (1–1,000,000).",
+    "provisioningKeysValidUntil": "Valido ate",
+    "provisioningKeysValidUntilHint": "Deixe em branco para nenhuma expiração.",
+    "provisioningKeysValidUntilInvalid": "Informe uma data e hora válidas.",
+    "provisioningKeysNumUsed": "Use percentual",
+    "provisioningKeysLastUsed": "Última utilização",
+    "provisioningKeysNoExpiry": "Sem vencimento",
+    "provisioningKeysNeverUsed": "nunca",
+    "provisioningKeysEdit": "Editar chave de provisionamento",
+    "provisioningKeysEditDescription": "Atualizar o tamanho máximo do lote e tempo de expiração para esta chave.",
+    "provisioningKeysApproveNewSites": "Aprovar novos sites",
+    "provisioningKeysApproveNewSitesDescription": "Aprovar automaticamente sites que se registram com esta chave.",
+    "provisioningKeysUpdateError": "Erro ao atualizar chave de provisionamento",
+    "provisioningKeysUpdated": "Chave de provisionamento atualizada",
+    "provisioningKeysUpdatedDescription": "Suas alterações foram salvas.",
+    "provisioningKeysBannerTitle": "Chaves de provisionamento do site",
+    "provisioningKeysBannerDescription": "Gerar uma chave de provisionamento e usá-la com o conector de Newt para criar automaticamente sites na primeira inicialização — não é necessário configurar credenciais separadas para cada site.",
+    "provisioningKeysBannerButtonText": "Saiba mais",
+    "pendingSitesBannerTitle": "Sites pendentes",
+    "pendingSitesBannerDescription": "Sites que conectam usando uma chave de provisionamento aparecem aqui para revisão. Aprovar cada site antes de se tornar ativo e ganhar acesso a seus recursos.",
+    "pendingSitesBannerButtonText": "Saiba mais",
    "apiKeysSettings": "Configurações de {apiKeyName}",
    "userTitle": "Gerir Todos os Utilizadores",
    "userDescription": "Visualizar e gerir todos os utilizadores no sistema",
@@ -509,9 +562,12 @@
    "userSaved": "Usuário salvo",
    "userSavedDescription": "O utilizador foi atualizado.",
    "autoProvisioned": "Auto provisionado",
+    "autoProvisionSettings": "Configurações de provisão automática",
    "autoProvisionedDescription": "Permitir que este utilizador seja gerido automaticamente pelo provedor de identidade",
    "accessControlsDescription": "Gerir o que este utilizador pode aceder e fazer na organização",
    "accessControlsSubmit": "Guardar Controlos de Acesso",
+    "singleRolePerUserPlanNotice": "Seu plano suporta apenas uma função por usuário.",
+    "singleRolePerUserEditionNotice": "Esta edição suporta apenas uma função por usuário.",
    "roles": "Funções",
    "accessUsersRoles": "Gerir Utilizadores e Funções",
    "accessUsersRolesDescription": "Convidar usuários e adicioná-los a funções para gerenciar o acesso à organização",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Digite o token de configuração do console do servidor.",
    "setupTokenRequired": "Token de configuração é necessário",
    "actionUpdateSite": "Atualizar Site",
+    "actionResetSiteBandwidth": "Redefinir banda da organização",
    "actionListSiteRoles": "Listar Funções Permitidas do Site",
    "actionCreateResource": "Criar Recurso",
    "actionDeleteResource": "Eliminar Recurso",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Remover Utilizador",
    "actionListUsers": "Listar Utilizadores",
    "actionAddUserRole": "Adicionar Função ao Utilizador",
+    "actionSetUserOrgRoles": "Definir funções do usuário",
    "actionGenerateAccessToken": "Gerar Token de Acesso",
    "actionDeleteAccessToken": "Eliminar Token de Acesso",
    "actionListAccessTokens": "Listar Tokens de Acesso",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Papéis",
    "sidebarShareableLinks": "Links",
    "sidebarApiKeys": "Chaves API",
+    "sidebarProvisioning": "Provisionamento",
    "sidebarSettings": "Configurações",
    "sidebarAllUsers": "Todos os utilizadores",
    "sidebarIdentityProviders": "Provedores de identidade",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mostrar Mais",
    "regionSelectorTitle": "Selecionar Região",
+    "domainPickerRemoteExitNodeWarning": "Domínios fornecidos não são suportados quando os sites se conectam a nós de saída remota. Para recursos disponíveis em nós remotos, use um domínio personalizado.",
    "regionSelectorInfo": "Selecionar uma região nos ajuda a fornecer melhor desempenho para sua localização. Você não precisa estar na mesma região que seu servidor.",
    "regionSelectorPlaceholder": "Escolher uma região",
    "regionSelectorComingSoon": "Em breve",
@@ -1888,6 +1948,40 @@
    "exitNode": "Nodo de Saída",
    "country": "País",
    "rulesMatchCountry": "Atualmente baseado no IP de origem",
+    "region": "Região",
+    "selectRegion": "Selecionar região",
+    "searchRegions": "Procurar regiões...",
+    "noRegionFound": "Nenhuma região encontrada.",
+    "rulesMatchRegion": "Selecione um grupo regional de países",
+    "rulesErrorInvalidRegion": "Região inválida",
+    "rulesErrorInvalidRegionDescription": "Por favor, selecione uma região válida.",
+    "regionAfrica": "África",
+    "regionNorthernAfrica": "África do Norte",
+    "regionEasternAfrica": "África Oriental",
+    "regionMiddleAfrica": "África Média",
+    "regionSouthernAfrica": "África Austral",
+    "regionWesternAfrica": "África Ocidental",
+    "regionAmericas": "Américas",
+    "regionCaribbean": "Caribe",
+    "regionCentralAmerica": "América Central",
+    "regionSouthAmerica": "América do Sul",
+    "regionNorthernAmerica": "América do Norte",
+    "regionAsia": "Ásia",
+    "regionCentralAsia": "Ásia Central",
+    "regionEasternAsia": "Ásia Oriental",
+    "regionSouthEasternAsia": "Sudeste da Ásia",
+    "regionSouthernAsia": "Sudeste da Ásia",
+    "regionWesternAsia": "Ásia Ocidental",
+    "regionEurope": "Europa",
+    "regionEasternEurope": "Europa Oriental",
+    "regionNorthernEurope": "Europa do Norte",
+    "regionSouthernEurope": "Europa do Sul",
+    "regionWesternEurope": "Europa Ocidental",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "Austrália e Nova Zelândia",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Gerenciado Auto-Hospedado",
        "description": "Servidor Pangolin auto-hospedado mais confiável e com baixa manutenção com sinos extras e assobiamentos",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Valor Inválido",
    "idpTypeLabel": "Tipo de provedor de identidade",
    "roleMappingExpressionPlaceholder": "ex.: Contem (grupos, 'administrador') && 'Administrador' 「'Membro'",
+    "roleMappingModeFixedRoles": "Papéis fixos",
+    "roleMappingModeMappingBuilder": "Mapeando Construtor",
+    "roleMappingModeRawExpression": "Expressão Bruta",
+    "roleMappingFixedRolesPlaceholderSelect": "Selecione um ou mais papéis",
+    "roleMappingFixedRolesPlaceholderFreeform": "Digite o nome das funções (correspondência exata por organização)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Atribuir o mesmo conjunto de funções a cada usuário auto-provisionado.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Para políticas padrão, nomes de funções de tipo que existem em cada organização onde os usuários são fornecidos. Nomes devem coincidir exatamente.",
+    "roleMappingClaimPath": "Caminho da Reivindicação",
+    "roleMappingClaimPathPlaceholder": "grupos",
+    "roleMappingClaimPathDescription": "Caminho no payload token que contém valores de origem (por exemplo, grupos).",
+    "roleMappingMatchValue": "Valor Correspondente",
+    "roleMappingAssignRoles": "Atribuir Papéis",
+    "roleMappingAddMappingRule": "Adicionar regra de mapeamento",
+    "roleMappingRawExpressionResultDescription": "Expressão deve retornar à matriz string ou string.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Expressão deve ser avaliada para uma string (um nome de função única).",
+    "roleMappingMatchValuePlaceholder": "Valor do jogo (por exemplo: administrador)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Digite nomes de funções ((exact por org)",
+    "roleMappingBuilderFreeformRowHint": "Nomes de papéis devem corresponder a um papel em cada organizaçãoalvo.",
+    "roleMappingRemoveRule": "Remover",
    "idpGoogleConfiguration": "Configuração do Google",
    "idpGoogleConfigurationDescription": "Configurar as credenciais do Google OAuth2",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Por quanto tempo manter os registros de acesso",
    "logRetentionActionLabel": "Ação de Retenção no Log",
    "logRetentionActionDescription": "Por quanto tempo manter os registros de ação",
+    "logRetentionConnectionLabel": "Retenção de registro de conexão",
+    "logRetentionConnectionDescription": "Por quanto tempo manter os registros de conexão",
    "logRetentionDisabled": "Desabilitado",
    "logRetention3Days": "3 dias",
    "logRetention7Days": "7 dias",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Fim do ano seguinte",
    "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
    "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
-    "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> é necessária para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Logs da conexão",
+    "connectionLogsDescription": "Ver logs de conexão para túneis nesta organização",
+    "sidebarLogsConnection": "Logs da conexão",
+    "sidebarLogsStreaming": "Transmitindo",
+    "sourceAddress": "Endereço de origem",
+    "destinationAddress": "Endereço de destino",
+    "duration": "Duração",
+    "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> é necessária para usar este recurso. <bookADemoLink>Reserve um teste de demonstração ou POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserve uma demonstração ou avaliação POC</bookADemoLink>.",
    "certResolver": "Resolvedor de Certificado",
    "certResolverDescription": "Selecione o resolvedor de certificados para este recurso.",
    "selectCertResolver": "Selecionar solucionador de certificado",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Habilitar Aprovações do Dispositivo",
    "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
    "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
-    "approvalsEmptyStateButtonText": "Gerir Funções"
+    "approvalsEmptyStateButtonText": "Gerir Funções",
+    "domainErrorTitle": "Estamos tendo problemas ao verificar seu domínio",
+    "idpAdminAutoProvisionPoliciesTabHint": "Configurar funções de mapeamento e políticas de organização na aba <policiesTabLink>Auto Provision Settings</policiesTabLink>.",
+    "streamingTitle": "Streaming do Evento",
+    "streamingDescription": "Transmita eventos de sua organização para destinos externos em tempo real.",
+    "streamingUnnamedDestination": "Destino sem nome",
+    "streamingNoUrlConfigured": "Nenhuma URL configurada",
+    "streamingAddDestination": "Adicionar destino",
+    "streamingHttpWebhookTitle": "Webhook HTTP",
+    "streamingHttpWebhookDescription": "Envie os eventos para qualquer endpoint HTTP com autenticação flexível e modelo.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Transmitir eventos para um balde de armazenamento de objetos compatível com S3. Em breve.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Encaminha eventos diretamente para a sua conta no Datadog. Em breve.",
+    "streamingTypePickerDescription": "Escolha um tipo de destino para começar.",
+    "streamingFailedToLoad": "Falha ao carregar destinos",
+    "streamingUnexpectedError": "Ocorreu um erro inesperado.",
+    "streamingFailedToUpdate": "Falha ao atualizar destino",
+    "streamingDeletedSuccess": "Destino apagado com sucesso",
+    "streamingFailedToDelete": "Falha ao excluir destino",
+    "streamingDeleteTitle": "Excluir destino",
+    "streamingDeleteButtonText": "Excluir destino",
+    "streamingDeleteDialogAreYouSure": "Tem certeza de que deseja excluir",
+    "streamingDeleteDialogThisDestination": "este destino",
+    "streamingDeleteDialogPermanentlyRemoved": "? Todas as configurações serão permanentemente removidas.",
+    "httpDestEditTitle": "Editar destino",
+    "httpDestAddTitle": "Adicionar Destino HTTP",
+    "httpDestEditDescription": "Atualizar a configuração para este destino de transmissão de eventos HTTP.",
+    "httpDestAddDescription": "Configure um novo ponto de extremidade HTTP para receber eventos da sua organização.",
+    "httpDestTabSettings": "Confirgurações",
+    "httpDestTabHeaders": "Cabeçalhos",
+    "httpDestTabBody": "Conteúdo",
+    "httpDestTabLogs": "Registros",
+    "httpDestNamePlaceholder": "Meu destino HTTP",
+    "httpDestUrlLabel": "URL de destino",
+    "httpDestUrlErrorHttpRequired": "A URL deve usar http ou https",
+    "httpDestUrlErrorHttpsRequired": "HTTPS é necessário em implantações em nuvem",
+    "httpDestUrlErrorInvalid": "Informe uma URL válida (por exemplo, https://example.com/webhook)",
+    "httpDestAuthTitle": "Autenticação",
+    "httpDestAuthDescription": "Escolha como os pedidos para seu endpoint são autenticados.",
+    "httpDestAuthNoneTitle": "Sem Autenticação",
+    "httpDestAuthNoneDescription": "Envia pedidos sem um cabeçalho de autorização.",
+    "httpDestAuthBearerTitle": "Token do portador",
+    "httpDestAuthBearerDescription": "Adiciona uma autorização: Bearer <token> header a cada requisição.",
+    "httpDestAuthBearerPlaceholder": "Sua chave de API ou token",
+    "httpDestAuthBasicTitle": "Autenticação básica",
+    "httpDestAuthBasicDescription": "Adiciona uma Autorização: cabeçalho <credentials> básico. Forneça credenciais como nome de usuário:senha.",
+    "httpDestAuthBasicPlaceholder": "Usuário:password",
+    "httpDestAuthCustomTitle": "Cabeçalho personalizado",
+    "httpDestAuthCustomDescription": "Especifique um nome e valor de cabeçalho HTTP personalizado para autenticação (por exemplo, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Nome do cabeçalho (ex: X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Valor do cabeçalho",
+    "httpDestCustomHeadersTitle": "Cabeçalhos HTTP personalizados",
+    "httpDestCustomHeadersDescription": "Adicionar cabeçalhos personalizados a todas as solicitações de saída. Útil para tokens estáticos ou um tipo de conteúdo personalizado. Por padrão, Content-Type: application/json é enviado.",
+    "httpDestNoHeadersConfigured": "Nenhum cabeçalho personalizado configurado. Clique em \"Adicionar Cabeçalho\" para adicionar um.",
+    "httpDestHeaderNamePlaceholder": "Nome do Cabeçalho",
+    "httpDestHeaderValuePlaceholder": "Valor",
+    "httpDestAddHeader": "Adicionar Cabeçalho",
+    "httpDestBodyTemplateTitle": "Modelo de corpo personalizado",
+    "httpDestBodyTemplateDescription": "Controla a estrutura de carga JSON enviada ao seu endpoint. Se desativado, um objeto JSON padrão é enviado para cada evento.",
+    "httpDestEnableBodyTemplate": "Ativar modelo personalizado de corpo",
+    "httpDestBodyTemplateLabel": "Modelo de corpo (JSON)",
+    "httpDestBodyTemplateHint": "Use variáveis de template para referenciar campos de evento em seu payload.",
+    "httpDestPayloadFormatTitle": "Formato de carga",
+    "httpDestPayloadFormatDescription": "Como os eventos são serializados em cada corpo do pedido.",
+    "httpDestFormatJsonArrayTitle": "Matriz JSON",
+    "httpDestFormatJsonArrayDescription": "Um pedido por lote, o corpo é um array JSON. Compatível com a maioria dos webhooks genéricos e Datadog.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Um pedido por lote, o corpo é um JSON delimitado por nova-linha — um objeto por linha, sem array exterior. Requerido pelo Splunk HEC, Elástico / OpenSearch, e Grafana Loki.",
+    "httpDestFormatSingleTitle": "Um Evento por Requisição",
+    "httpDestFormatSingleDescription": "Envia um POST HTTP separado para cada evento. Utilize apenas para endpoints que não podem manipular lotes.",
+    "httpDestLogTypesTitle": "Tipos de log",
+    "httpDestLogTypesDescription": "Escolha quais tipos de log são encaminhados para este destino. Somente serão racionalizados os tipos de logs habilitados.",
+    "httpDestAccessLogsTitle": "Logs de Acesso",
+    "httpDestAccessLogsDescription": "Tentativas de acesso a recursos, incluindo solicitações autenticadas e negadas.",
+    "httpDestActionLogsTitle": "Logs de Ações",
+    "httpDestActionLogsDescription": "Ações administrativas realizadas por usuários dentro da organização.",
+    "httpDestConnectionLogsTitle": "Logs da conexão",
+    "httpDestConnectionLogsDescription": "Eventos de conexão de site e túnel, incluindo conexões e desconexões.",
+    "httpDestRequestLogsTitle": "Registro de pedidos",
+    "httpDestRequestLogsDescription": "Logs de solicitação HTTP para recursos proxy incluindo o método, o caminho e o código de resposta.",
+    "httpDestSaveChanges": "Salvar as alterações",
+    "httpDestCreateDestination": "Criar destino",
+    "httpDestUpdatedSuccess": "Destino atualizado com sucesso",
+    "httpDestCreatedSuccess": "Destino criado com sucesso",
+    "httpDestUpdateFailed": "Falha ao atualizar destino",
+    "httpDestCreateFailed": "Falha ao criar destino"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -148,6 +148,11 @@
    "createLink": "Создать ссылку",
    "resourcesNotFound": "Ресурсы не найдены",
    "resourceSearch": "Поиск ресурсов",
+    "machineSearch": "Поиск машин",
+    "machinesSearch": "Поиск клиентов машины...",
+    "machineNotFound": "Машины не найдены",
+    "userDeviceSearch": "Поиск устройств пользователя",
+    "userDevicesSearch": "Поиск устройств пользователя...",
    "openMenu": "Открыть меню",
    "resource": "Ресурс",
    "title": "Заголовок",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Проксировать запросы через HTTPS с использованием полного доменного имени.",
    "resourceRaw": "Сырой TCP/UDP-ресурс",
    "resourceRawDescription": "Проксировать запросы по сырому TCP/UDP с использованием номера порта.",
-    "resourceRawDescriptionCloud": "Прокси-запросы через необработанный TCP/UDP с использованием номера порта. ТРЕБУЕТЕСЬ ИСПОЛЬЗОВАТЬ НЕОБХОДИМЫ.",
+    "resourceRawDescriptionCloud": "Прокси запросы через необработанный TCP/UDP с использованием номера порта. Требуется подключение сайтов к удаленному узлу.",
    "resourceCreate": "Создание ресурса",
    "resourceCreateDescription": "Следуйте инструкциям ниже для создания нового ресурса",
    "resourceSeeAll": "Посмотреть все ресурсы",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "Удаление ключа API",
    "apiKeysManage": "Управление ключами API",
    "apiKeysDescription": "Ключи API используются для аутентификации в интеграционном API",
+    "provisioningKeysTitle": "Ключ подготовки",
+    "provisioningKeysManage": "Управление ключами подготовки",
+    "provisioningKeysDescription": "Ключи подготовки используются для аутентификации автоматического обеспечения сайта для вашей организации.",
+    "provisioningManage": "Подготовка",
+    "provisioningDescription": "Управляйте предоставленными ключами и проверять непроверенные сайты, ожидающие утверждения.",
+    "pendingSites": "Ожидающие сайты",
+    "siteApproveSuccess": "Сайт успешно утвержден",
+    "siteApproveError": "Ошибка при утверждении сайта",
+    "provisioningKeys": "Ключи подготовки",
+    "searchProvisioningKeys": "Поиск подготовительных ключей...",
+    "provisioningKeysAdd": "Сгенерировать ключ подготовки",
+    "provisioningKeysErrorDelete": "Ошибка при удалении подготовительного ключа",
+    "provisioningKeysErrorDeleteMessage": "Ошибка при удалении подготовительного ключа",
+    "provisioningKeysQuestionRemove": "Вы уверены, что хотите удалить этот ключ подготовки из организации?",
+    "provisioningKeysMessageRemove": "После удаления ключ больше не может быть использован для размещения сайта.",
+    "provisioningKeysDeleteConfirm": "Подтвердите удаление ключа подготовки",
+    "provisioningKeysDelete": "Удалить ключ подготовки",
+    "provisioningKeysCreate": "Сгенерировать ключ подготовки",
+    "provisioningKeysCreateDescription": "Создать новый подготовительный ключ для организации",
+    "provisioningKeysSeeAll": "Посмотреть все подготовительные ключи",
+    "provisioningKeysSave": "Сохранить ключ подготовки",
+    "provisioningKeysSaveDescription": "Вы сможете увидеть это только один раз. Скопируйте его в безопасное место.",
+    "provisioningKeysErrorCreate": "Ошибка при создании ключа подготовки",
+    "provisioningKeysList": "Новый подготовительный ключ",
+    "provisioningKeysMaxBatchSize": "Макс. размер партии",
+    "provisioningKeysUnlimitedBatchSize": "Неограниченный размер партии (без ограничений)",
+    "provisioningKeysMaxBatchUnlimited": "Неограниченный",
+    "provisioningKeysMaxBatchSizeInvalid": "Введите максимальный размер пакета (1–1,000,000).",
+    "provisioningKeysValidUntil": "Действителен до",
+    "provisioningKeysValidUntilHint": "Оставьте пустым для отсутствия срока действия.",
+    "provisioningKeysValidUntilInvalid": "Введите правильную дату и время.",
+    "provisioningKeysNumUsed": "Использовано раз",
+    "provisioningKeysLastUsed": "Последнее использованное",
+    "provisioningKeysNoExpiry": "Без истечения срока",
+    "provisioningKeysNeverUsed": "Никогда",
+    "provisioningKeysEdit": "Редактировать ключ подготовки",
+    "provisioningKeysEditDescription": "Обновить максимальный размер и срок действия этого ключа.",
+    "provisioningKeysApproveNewSites": "Одобрить новые сайты",
+    "provisioningKeysApproveNewSitesDescription": "Автоматически одобрять сайты, регистрирующиеся с этим ключом.",
+    "provisioningKeysUpdateError": "Ошибка при обновлении ключа подготовки",
+    "provisioningKeysUpdated": "Ключ подготовки обновлен",
+    "provisioningKeysUpdatedDescription": "Ваши изменения были сохранены.",
+    "provisioningKeysBannerTitle": "Ключи подготовки сайта",
+    "provisioningKeysBannerDescription": "Генерировать подготовительный ключ и использовать его вместе с Новым коннектором для автоматического создания сайтов при первом запуске — нет необходимости настраивать отдельные учетные данные для каждого сайта.",
+    "provisioningKeysBannerButtonText": "Узнать больше",
+    "pendingSitesBannerTitle": "Ожидающие сайты",
+    "pendingSitesBannerDescription": "Сайты, связанные с использованием ключа подготовки, появляются здесь для проверки. Одобрите каждый сайт, прежде чем он станет активным и получит доступ к вашим ресурсам.",
+    "pendingSitesBannerButtonText": "Узнать больше",
    "apiKeysSettings": "Настройки {apiKeyName}",
    "userTitle": "Управление всеми пользователями",
    "userDescription": "Просмотр и управление всеми пользователями в системе",
@@ -509,9 +562,12 @@
    "userSaved": "Пользователь сохранён",
    "userSavedDescription": "Пользователь был обновлён.",
    "autoProvisioned": "Автоподбор",
+    "autoProvisionSettings": "Настройки автоматического обеспечения",
    "autoProvisionedDescription": "Разрешить автоматическое управление этим пользователем",
    "accessControlsDescription": "Управляйте тем, к чему этот пользователь может получить доступ и что делать в организации",
    "accessControlsSubmit": "Сохранить контроль доступа",
+    "singleRolePerUserPlanNotice": "Ваш план поддерживает только одну роль каждого пользователя.",
+    "singleRolePerUserEditionNotice": "Эта редакция поддерживает только одну роль для каждого пользователя.",
    "roles": "Роли",
    "accessUsersRoles": "Управление пользователями и ролями",
    "accessUsersRolesDescription": "Пригласить пользователей и добавить их в роли для управления доступом к организации",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Введите токен настройки из консоли сервера.",
    "setupTokenRequired": "Токен настройки обязателен",
    "actionUpdateSite": "Обновить сайт",
+    "actionResetSiteBandwidth": "Сброс пропускной способности организации",
    "actionListSiteRoles": "Список разрешенных ролей сайта",
    "actionCreateResource": "Создать ресурс",
    "actionDeleteResource": "Удалить ресурс",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Удалить пользователя",
    "actionListUsers": "Список пользователей",
    "actionAddUserRole": "Добавить роль пользователя",
+    "actionSetUserOrgRoles": "Установка ролей пользователей",
    "actionGenerateAccessToken": "Сгенерировать токен доступа",
    "actionDeleteAccessToken": "Удалить токен доступа",
    "actionListAccessTokens": "Список токенов доступа",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Роли",
    "sidebarShareableLinks": "Ссылки",
    "sidebarApiKeys": "API ключи",
+    "sidebarProvisioning": "Подготовка",
    "sidebarSettings": "Настройки",
    "sidebarAllUsers": "Все пользователи",
    "sidebarIdentityProviders": "Поставщики удостоверений",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Пространство имен: {namespace}",
    "domainPickerShowMore": "Показать еще",
    "regionSelectorTitle": "Выберите регион",
+    "domainPickerRemoteExitNodeWarning": "Предоставленные домены не поддерживаются при подключении сайтов к удаленным узлам. Для доступа к ресурсам на удаленных узлах используйте пользовательский домен.",
    "regionSelectorInfo": "Выбор региона помогает нам обеспечить лучшее качество обслуживания для вашего расположения. Вам необязательно находиться в том же регионе, что и ваш сервер.",
    "regionSelectorPlaceholder": "Выбор региона",
    "regionSelectorComingSoon": "Скоро будет",
@@ -1888,6 +1948,40 @@
    "exitNode": "Узел выхода",
    "country": "Страна",
    "rulesMatchCountry": "В настоящее время основано на исходном IP",
+    "region": "Регион",
+    "selectRegion": "Выберите регион",
+    "searchRegions": "Поиск регионов...",
+    "noRegionFound": "Регион не найден.",
+    "rulesMatchRegion": "Выберите региональную группу стран",
+    "rulesErrorInvalidRegion": "Некорректный регион",
+    "rulesErrorInvalidRegionDescription": "Пожалуйста, выберите корректный регион.",
+    "regionAfrica": "Африка",
+    "regionNorthernAfrica": "Северная Африка",
+    "regionEasternAfrica": "Восточная Африка",
+    "regionMiddleAfrica": "Центральная Африка",
+    "regionSouthernAfrica": "Южная Африка",
+    "regionWesternAfrica": "Западная Африка",
+    "regionAmericas": "Америка",
+    "regionCaribbean": "Карибы",
+    "regionCentralAmerica": "Центральная Америка",
+    "regionSouthAmerica": "Южная Америка",
+    "regionNorthernAmerica": "Северная Америка",
+    "regionAsia": "Азия",
+    "regionCentralAsia": "Центральная Азия",
+    "regionEasternAsia": "Восточная Азия",
+    "regionSouthEasternAsia": "Юго-Восточная Азия",
+    "regionSouthernAsia": "Южная Азия",
+    "regionWesternAsia": "Западная Азия",
+    "regionEurope": "Европа",
+    "regionEasternEurope": "Восточная Европа",
+    "regionNorthernEurope": "Северная Европа",
+    "regionSouthernEurope": "Южная Европа",
+    "regionWesternEurope": "Западная Европа",
+    "regionOceania": "Океания",
+    "regionAustraliaAndNewZealand": "Австралия и Новая Зеландия",
+    "regionMelanesia": "Меланезия",
+    "regionMicronesia": "Микронезия",
+    "regionPolynesia": "Полинезия",
    "managedSelfHosted": {
        "title": "Управляемый с самовывоза",
        "description": "Более надежный и низко обслуживаемый сервер Pangolin с дополнительными колокольнями и свистками",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Неверное значение",
    "idpTypeLabel": "Тип поставщика удостоверений",
    "roleMappingExpressionPlaceholder": "например, contains(groups, 'admin') && 'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "Фиксированные роли",
+    "roleMappingModeMappingBuilder": "Сопоставляющий конструктор",
+    "roleMappingModeRawExpression": "Сырое выражение",
+    "roleMappingFixedRolesPlaceholderSelect": "Выберите одну или несколько ролей",
+    "roleMappingFixedRolesPlaceholderFreeform": "Тип имен ролей (точное совпадение по организации)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Назначить одну и ту же роль, которая установлена каждому автообеспеченному пользователю.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Для политик по умолчанию, введите имена ролей, которые существуют в каждой организации, где пользователи предоставлены. Имена должны соответствовать точно.",
+    "roleMappingClaimPath": "Путь к заявлению",
+    "roleMappingClaimPathPlaceholder": "группы",
+    "roleMappingClaimPathDescription": "Путь в полезной нагрузке токенов, который содержит исходные значения (например, группы).",
+    "roleMappingMatchValue": "Значение матча",
+    "roleMappingAssignRoles": "Назначить роли",
+    "roleMappingAddMappingRule": "Добавить правило сопоставления",
+    "roleMappingRawExpressionResultDescription": "Выражение должно быть оценено к строке или строковому массиву.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "Выражение должно быть оценено строке (название одной роли).",
+    "roleMappingMatchValuePlaceholder": "Значение совпадения (например: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Введите имена ролей (точное по организациям)",
+    "roleMappingBuilderFreeformRowHint": "Имена ролей должны соответствовать роли в каждой целевой организации.",
+    "roleMappingRemoveRule": "Удалить",
    "idpGoogleConfiguration": "Конфигурация Google",
    "idpGoogleConfigurationDescription": "Настройка учетных данных Google OAuth2",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Как долго сохранять журналы доступа",
    "logRetentionActionLabel": "Сохранение журнала действий",
    "logRetentionActionDescription": "Как долго хранить журналы действий",
+    "logRetentionConnectionLabel": "Сохранение журнала подключений",
+    "logRetentionConnectionDescription": "Как долго хранить журналы подключений",
    "logRetentionDisabled": "Отключено",
    "logRetention3Days": "3 дня",
    "logRetention7Days": "7 дней",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Конец следующего года",
    "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
    "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
-    "licenseRequiredToUse": "Лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
-    "ossEnterpriseEditionRequired": "Для использования этой функции требуется <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink>. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "connectionLogs": "Журнал подключений",
+    "connectionLogsDescription": "Просмотр журналов подключения туннелей в этой организации",
+    "sidebarLogsConnection": "Журнал подключений",
+    "sidebarLogsStreaming": "Вещание",
+    "sourceAddress": "Адрес источника",
+    "destinationAddress": "Адрес назначения",
+    "duration": "Продолжительность",
+    "licenseRequiredToUse": "Требуется лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> для использования этой функции. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
    "certResolver": "Резольвер сертификата",
    "certResolverDescription": "Выберите резолвер сертификата, который будет использоваться для этого ресурса.",
    "selectCertResolver": "Выберите резолвер сертификата",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Включить утверждения устройства",
    "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
    "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
-    "approvalsEmptyStateButtonText": "Управление ролями"
+    "approvalsEmptyStateButtonText": "Управление ролями",
+    "domainErrorTitle": "У нас возникли проблемы с проверкой вашего домена",
+    "idpAdminAutoProvisionPoliciesTabHint": "Настройте сопоставление ролей и организационные политики на вкладке <policiesTabLink>Настройки авто-предоставления</policiesTabLink>.",
+    "streamingTitle": "Поток событий",
+    "streamingDescription": "Трансляция событий от вашей организации к внешним направлениям в режиме реального времени.",
+    "streamingUnnamedDestination": "Место назначения без имени",
+    "streamingNoUrlConfigured": "URL-адрес не настроен",
+    "streamingAddDestination": "Добавить место назначения",
+    "streamingHttpWebhookTitle": "HTTP вебхук",
+    "streamingHttpWebhookDescription": "Отправлять события на любую конечную точку HTTP с гибкой аутентификацией и шаблоном.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Потоковая передача событий к пакету хранения объектов, совместимому с S3.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Перенаправлять события непосредственно на ваш аккаунт в Datadog. Скоро будет доступно.",
+    "streamingTypePickerDescription": "Выберите тип назначения, чтобы начать.",
+    "streamingFailedToLoad": "Не удалось загрузить места назначения",
+    "streamingUnexpectedError": "Произошла непредвиденная ошибка.",
+    "streamingFailedToUpdate": "Не удалось обновить место назначения",
+    "streamingDeletedSuccess": "Адрес назначения успешно удален",
+    "streamingFailedToDelete": "Не удалось удалить место назначения",
+    "streamingDeleteTitle": "Удалить адрес назначения",
+    "streamingDeleteButtonText": "Удалить адрес назначения",
+    "streamingDeleteDialogAreYouSure": "Вы уверены, что хотите удалить",
+    "streamingDeleteDialogThisDestination": "это место назначения",
+    "streamingDeleteDialogPermanentlyRemoved": "? Все настройки будут удалены навсегда.",
+    "httpDestEditTitle": "Изменить адрес назначения",
+    "httpDestAddTitle": "Добавить HTTP адрес",
+    "httpDestEditDescription": "Обновление конфигурации для этого HTTP события потокового назначения.",
+    "httpDestAddDescription": "Настройте новую HTTP-конечную точку для получения событий вашей организации.",
+    "httpDestTabSettings": "Настройки",
+    "httpDestTabHeaders": "Заголовки",
+    "httpDestTabBody": "Тело",
+    "httpDestTabLogs": "Логи",
+    "httpDestNamePlaceholder": "Мой HTTP адрес назначения",
+    "httpDestUrlLabel": "URL назначения",
+    "httpDestUrlErrorHttpRequired": "URL должен использовать http или https",
+    "httpDestUrlErrorHttpsRequired": "Требуется HTTPS при развертывании облака",
+    "httpDestUrlErrorInvalid": "Введите действительный URL (например, https://example.com/webhook)",
+    "httpDestAuthTitle": "Аутентификация",
+    "httpDestAuthDescription": "Выберите, как запросы к вашей конечной точке аутентифицированы.",
+    "httpDestAuthNoneTitle": "Нет аутентификации",
+    "httpDestAuthNoneDescription": "Отправляет запросы без заголовка авторизации.",
+    "httpDestAuthBearerTitle": "Жетон носителя",
+    "httpDestAuthBearerDescription": "Добавляет заголовок Authorization: Bearer <token> к каждому запросу.",
+    "httpDestAuthBearerPlaceholder": "Ваш ключ API или токен",
+    "httpDestAuthBasicTitle": "Базовая авторизация",
+    "httpDestAuthBasicDescription": "Добавляет Authorization: Basic <credentials> header. Предоставьте учетные данные в качестве имени пользователя:password.",
+    "httpDestAuthBasicPlaceholder": "имя пользователя:пароль",
+    "httpDestAuthCustomTitle": "Пользовательский заголовок",
+    "httpDestAuthCustomDescription": "Укажите пользовательское имя заголовка HTTP и значение для аутентификации (например, X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Имя заголовка (например, X-API-ключ)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Значение заголовка",
+    "httpDestCustomHeadersTitle": "Пользовательские HTTP-заголовки",
+    "httpDestCustomHeadersDescription": "Добавляет пользовательские заголовки к каждому исходящему запросу. Полезно для статических маркеров или пользовательского типа содержимого. По умолчанию отправляется Content-Type: application/json.",
+    "httpDestNoHeadersConfigured": "Пользовательские заголовки не настроены. Нажмите \"Добавить заголовок\", чтобы добавить их.",
+    "httpDestHeaderNamePlaceholder": "Название заголовка",
+    "httpDestHeaderValuePlaceholder": "Значение",
+    "httpDestAddHeader": "Добавить заголовок",
+    "httpDestBodyTemplateTitle": "Пользовательский шаблон тела",
+    "httpDestBodyTemplateDescription": "Контролируйте структуру JSON приложения, отправленную на вашу конечную точку. Если отключено, для каждого события отправляется JSON объект по умолчанию.",
+    "httpDestEnableBodyTemplate": "Включить настраиваемый шаблон тела",
+    "httpDestBodyTemplateLabel": "Шаблон тела (JSON)",
+    "httpDestBodyTemplateHint": "Использовать шаблонные переменные для ссылки поля событий в вашей полезной нагрузке.",
+    "httpDestPayloadFormatTitle": "Формат нагрузки",
+    "httpDestPayloadFormatDescription": "Как события сериализуются в каждый орган запроса.",
+    "httpDestFormatJsonArrayTitle": "JSON массив",
+    "httpDestFormatJsonArrayDescription": "По одному запросу на каждую партию, тело является JSON-массивом. Совместим с большинством общих вебхуков и Датадог.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "По одному запросу на каждую партию, тело - это JSON, разделённый новой строкой, по одному объекту на строку, без внешнего массива. Требуется в Splunk HEC, Elastic / OpenSearch, и Grafana Loki.",
+    "httpDestFormatSingleTitle": "Одно событие на запрос",
+    "httpDestFormatSingleDescription": "Отправляет отдельный HTTP POST для каждого отдельного события. Используйте только для конечных точек, которые не могут обрабатывать пакеты.",
+    "httpDestLogTypesTitle": "Типы журналов",
+    "httpDestLogTypesDescription": "Выберите, какие типы журналов пересылаются в этот пункт назначения. Только включенные типы журналов будут транслированы.",
+    "httpDestAccessLogsTitle": "Журналы доступа",
+    "httpDestAccessLogsDescription": "Попытки доступа к ресурсам, включая аутентифицированные и отклоненные запросы.",
+    "httpDestActionLogsTitle": "Журнал действий",
+    "httpDestActionLogsDescription": "Административные меры, осуществляемые пользователями в рамках организации.",
+    "httpDestConnectionLogsTitle": "Журнал подключений",
+    "httpDestConnectionLogsDescription": "События связи с сайтами и туннелями, включая соединения и отключения.",
+    "httpDestRequestLogsTitle": "Запросить журналы",
+    "httpDestRequestLogsDescription": "Журналы запросов HTTP для проксируемых ресурсов, включая метод, путь и код ответа.",
+    "httpDestSaveChanges": "Сохранить изменения",
+    "httpDestCreateDestination": "Создать адрес назначения",
+    "httpDestUpdatedSuccess": "Адрес назначения успешно обновлен",
+    "httpDestCreatedSuccess": "Адрес назначения успешно создан",
+    "httpDestUpdateFailed": "Не удалось обновить место назначения",
+    "httpDestCreateFailed": "Не удалось создать место назначения"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -148,6 +148,11 @@
    "createLink": "Bağlantı Oluştur",
    "resourcesNotFound": "Hiçbir kaynak bulunamadı",
    "resourceSearch": "Kaynak ara",
+    "machineSearch": "Makinaları ara",
+    "machinesSearch": "Makina müşteri...",
+    "machineNotFound": "Hiçbir makine bulunamadı",
+    "userDeviceSearch": "Kullanıcı cihazlarını ara",
+    "userDevicesSearch": "Kullanıcı cihazlarını ara...",
    "openMenu": "Menüyü Aç",
    "resource": "Kaynak",
    "title": "Başlık",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "Tam nitelikli bir etki alanı adı kullanarak HTTPS üzerinden proxy isteklerini yönlendirin.",
    "resourceRaw": "Ham TCP/UDP Kaynağı",
    "resourceRawDescription": "Port numarası kullanarak ham TCP/UDP üzerinden proxy isteklerini yönlendirin.",
-    "resourceRawDescriptionCloud": "Bir port numarası kullanarak ham TCP/UDP üzerinden istekleri proxy ile yönlendirin. UZAKTAN BİR DÜĞÜM KULLANIMINI GEREKTİRİR.",
+    "resourceRawDescriptionCloud": "Proxy isteklerini bir port numarası kullanarak ham TCP/UDP üzerinden yapın. Sitelerin uzak bir düğüme bağlanması gereklidir.",
    "resourceCreate": "Kaynak Oluştur",
    "resourceCreateDescription": "Yeni bir kaynak oluşturmak için aşağıdaki adımları izleyin",
    "resourceSeeAll": "Tüm Kaynakları Gör",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "API Anahtarını Sil",
    "apiKeysManage": "API Anahtarlarını Yönet",
    "apiKeysDescription": "API anahtarları entegrasyon API'sini doğrulamak için kullanılır",
+    "provisioningKeysTitle": "Tedarik Anahtarı",
+    "provisioningKeysManage": "Tedarik Anahtarlarını Yönet",
+    "provisioningKeysDescription": "Tedarik anahtarları, organizasyonunuz için otomatik site sağlama işlemini doğrulamak için kullanılır.",
+    "provisioningManage": "Tedarik",
+    "provisioningDescription": "Tedarik anahtarlarını yönetin ve onay bekleyen siteleri gözden geçirin.",
+    "pendingSites": "Bekleyen Siteler",
+    "siteApproveSuccess": "Site başarıyla onaylandı",
+    "siteApproveError": "Site onaylanırken hata oluştu",
+    "provisioningKeys": "Tedarik Anahtarları",
+    "searchProvisioningKeys": "Tedarik anahtarlarını ara...",
+    "provisioningKeysAdd": "Tedarik Anahtarı Üret",
+    "provisioningKeysErrorDelete": "Tedarik anahtarı silinirken hata oluştu",
+    "provisioningKeysErrorDeleteMessage": "Tedarik anahtarı silinirken hata oluştu",
+    "provisioningKeysQuestionRemove": "Bu tedarik anahtarını organizasyondan kaldırmak istediğinizden emin misiniz?",
+    "provisioningKeysMessageRemove": "Kaldırıldıktan sonra, anahtar site tedariki için artık kullanılamaz.",
+    "provisioningKeysDeleteConfirm": "Tedarik Anahtarını Silmeyi Onayla",
+    "provisioningKeysDelete": "Tedarik Anahtarını Sil",
+    "provisioningKeysCreate": "Tedarik Anahtarı Üret",
+    "provisioningKeysCreateDescription": "Organizasyon için yeni bir tedarik anahtarı oluşturun",
+    "provisioningKeysSeeAll": "Tüm tedarik anahtarlarını gör",
+    "provisioningKeysSave": "Tedarik anahtarını kaydet",
+    "provisioningKeysSaveDescription": "Bunu yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyalayın.",
+    "provisioningKeysErrorCreate": "Tedarik anahtarı oluşturulurken hata oluştu",
+    "provisioningKeysList": "Yeni tedarik anahtarı",
+    "provisioningKeysMaxBatchSize": "Maksimum toplu iş boyutu",
+    "provisioningKeysUnlimitedBatchSize": "Sınırsız toplu iş boyutu (sınırlama yok)",
+    "provisioningKeysMaxBatchUnlimited": "Sınırsız",
+    "provisioningKeysMaxBatchSizeInvalid": "Geçerli bir maksimum toplu iş boyutu girin (1–1,000,000).",
+    "provisioningKeysValidUntil": "Geçerlilik tarihi",
+    "provisioningKeysValidUntilHint": "Son kullanım tarihi için boş bırakın.",
+    "provisioningKeysValidUntilInvalid": "Geçerli bir tarih ve saat girin.",
+    "provisioningKeysNumUsed": "Kullanım Sayısı",
+    "provisioningKeysLastUsed": "Son kullanım",
+    "provisioningKeysNoExpiry": "Son kullanma tarihi yok",
+    "provisioningKeysNeverUsed": "Asla",
+    "provisioningKeysEdit": "Tedarik Anahtarını Düzenle",
+    "provisioningKeysEditDescription": "Bu anahtar için maksimum toplu iş boyutunu ve son kullanma zamanını güncelleyin.",
+    "provisioningKeysApproveNewSites": "Yeni siteleri onayla",
+    "provisioningKeysApproveNewSitesDescription": "Bu anahtar ile kayıt olan siteleri otomatik olarak onayla.",
+    "provisioningKeysUpdateError": "Tedarik anahtarı güncellenirken hata oluştu",
+    "provisioningKeysUpdated": "Tedarik anahtarı güncellendi",
+    "provisioningKeysUpdatedDescription": "Değişiklikleriniz kaydedildi.",
+    "provisioningKeysBannerTitle": "Site Tedarik Anahtarları",
+    "provisioningKeysBannerDescription": "Tedarik anahtarı oluşturun ve ilk başlangıçta siteleri otomatik olarak oluşturmak için Newt konektörüyle kullanın — her site için ayrı kimlik bilgileri ayarlamaya gerek yoktur.",
+    "provisioningKeysBannerButtonText": "Daha fazla bilgi",
+    "pendingSitesBannerTitle": "Bekleyen Siteler",
+    "pendingSitesBannerDescription": "Tedarik anahtarı kullanarak bağlanan siteler burada incelenmek için görünür. Aktif hale gelmeden ve kaynaklarınıza erişim kazanmadan önce her siteyi onaylayın.",
+    "pendingSitesBannerButtonText": "Daha fazla bilgi",
    "apiKeysSettings": "{apiKeyName} Ayarları",
    "userTitle": "Tüm Kullanıcıları Yönet",
    "userDescription": "Sistemdeki tüm kullanıcıları görün ve yönetin",
@@ -509,9 +562,12 @@
    "userSaved": "Kullanıcı kaydedildi",
    "userSavedDescription": "Kullanıcı güncellenmiştir.",
    "autoProvisioned": "Otomatik Sağlandı",
+    "autoProvisionSettings": "Otomatik Tedarik Ayarları",
    "autoProvisionedDescription": "Bu kullanıcının kimlik sağlayıcısı tarafından otomatik olarak yönetilmesine izin ver",
    "accessControlsDescription": "Bu kullanıcının organizasyonda neleri erişebileceğini ve yapabileceğini yönetin",
    "accessControlsSubmit": "Erişim Kontrollerini Kaydet",
+    "singleRolePerUserPlanNotice": "Planınız yalnızca kullanıcı başına bir rol desteler.",
+    "singleRolePerUserEditionNotice": "Bu sürüm yalnızca kullanıcı başına bir rol destekler.",
    "roles": "Roller",
    "accessUsersRoles": "Kullanıcılar ve Roller Yönetin",
    "accessUsersRolesDescription": "Kullanıcılara davet gönderin ve organizasyona erişimi yönetmek için rollere ekleyin",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "Sunucu konsolundan kurulum simgesini girin.",
    "setupTokenRequired": "Kurulum simgesi gerekli",
    "actionUpdateSite": "Siteyi Güncelle",
+    "actionResetSiteBandwidth": "Organizasyon Bant Genişliğini Sıfırla",
    "actionListSiteRoles": "İzin Verilen Site Rolleri Listele",
    "actionCreateResource": "Kaynak Oluştur",
    "actionDeleteResource": "Kaynağı Sil",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "Kullanıcıyı Kaldır",
    "actionListUsers": "Kullanıcıları Listele",
    "actionAddUserRole": "Kullanıcı Rolü Ekle",
+    "actionSetUserOrgRoles": "Kullanıcı Rolleri Belirle",
    "actionGenerateAccessToken": "Erişim Jetonu Oluştur",
    "actionDeleteAccessToken": "Erişim Jetonunu Sil",
    "actionListAccessTokens": "Erişim Jetonlarını Listele",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "Roller",
    "sidebarShareableLinks": "Bağlantılar",
    "sidebarApiKeys": "API Anahtarları",
+    "sidebarProvisioning": "Tedarik",
    "sidebarSettings": "Ayarlar",
    "sidebarAllUsers": "Tüm Kullanıcılar",
    "sidebarIdentityProviders": "Kimlik Sağlayıcılar",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "Ad Alanı: {namespace}",
    "domainPickerShowMore": "Daha Fazla Göster",
    "regionSelectorTitle": "Bölge Seç",
+    "domainPickerRemoteExitNodeWarning": "Belirtilen alan adları, siteler uzak çıkış düğümlerine bağlandığında desteklenmez. Kaynakların uzak düğümlerde kullanılabilir olması için özel bir alan adı kullanın.",
    "regionSelectorInfo": "Bir bölge seçmek, konumunuz için daha iyi performans sağlamamıza yardımcı olur. Sunucunuzla aynı bölgede olmanıza gerek yoktur.",
    "regionSelectorPlaceholder": "Bölge Seçin",
    "regionSelectorComingSoon": "Yakında Geliyor",
@@ -1888,6 +1948,40 @@
    "exitNode": "Çıkış Düğümü",
    "country": "Ülke",
    "rulesMatchCountry": "Şu anda kaynak IP'ye dayanarak",
+    "region": "Bölge",
+    "selectRegion": "Bölgeyi seçin",
+    "searchRegions": "Bölgeleri ara...",
+    "noRegionFound": "Bölge bulunamadı.",
+    "rulesMatchRegion": "Başka ülkelerin bölgesel gruplandırmasını seçin",
+    "rulesErrorInvalidRegion": "Geçersiz bölge",
+    "rulesErrorInvalidRegionDescription": "Lütfen geçerli bir bölge seçin.",
+    "regionAfrica": "Afrika",
+    "regionNorthernAfrica": "Kuzey Afrika",
+    "regionEasternAfrica": "Doğu Afrika",
+    "regionMiddleAfrica": "Orta Afrika",
+    "regionSouthernAfrica": "Güney Afrika",
+    "regionWesternAfrica": "Batı Afrika",
+    "regionAmericas": "Amerika",
+    "regionCaribbean": "Karayipler",
+    "regionCentralAmerica": "Orta Amerika",
+    "regionSouthAmerica": "Güney Amerika",
+    "regionNorthernAmerica": "Kuzey Amerika",
+    "regionAsia": "Asya",
+    "regionCentralAsia": "Orta Asya",
+    "regionEasternAsia": "Doğu Asya",
+    "regionSouthEasternAsia": "Güneydoğu Asya",
+    "regionSouthernAsia": "Güney Asya",
+    "regionWesternAsia": "Batı Asya",
+    "regionEurope": "Avrupa",
+    "regionEasternEurope": "Doğu Avrupa",
+    "regionNorthernEurope": "Kuzey Avrupa",
+    "regionSouthernEurope": "Güney Avrupa",
+    "regionWesternEurope": "Batı Avrupa",
+    "regionOceania": "Okyanusya",
+    "regionAustraliaAndNewZealand": "Avustralya ve Yeni Zelanda",
+    "regionMelanesia": "Melanezya",
+    "regionMicronesia": "Mikronezya",
+    "regionPolynesia": "Polinezya",
    "managedSelfHosted": {
        "title": "Yönetilen Self-Hosted",
        "description": "Daha güvenilir ve düşük bakım gerektiren, ekstra özelliklere sahip kendi kendine barındırabileceğiniz Pangolin sunucusu",
@@ -1936,6 +2030,25 @@
    "invalidValue": "Geçersiz değer",
    "idpTypeLabel": "Kimlik Sağlayıcı Türü",
    "roleMappingExpressionPlaceholder": "örn., contains(gruplar, 'yönetici') && 'Yönetici' || 'Üye'",
+    "roleMappingModeFixedRoles": "Sabit Roller",
+    "roleMappingModeMappingBuilder": "Harita Oluşturucu",
+    "roleMappingModeRawExpression": "Ham İfade",
+    "roleMappingFixedRolesPlaceholderSelect": "Bir veya daha fazla rol seçin",
+    "roleMappingFixedRolesPlaceholderFreeform": "Rol isimlerini yazın (organizasyon başına tam eşleşme)",
+    "roleMappingFixedRolesDescriptionSameForAll": "Her otomatik tedarik edilmiş kullanıcıya aynı rol setini atayın.",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "Varsayılan politikalar için, kullanıcıların sağlandığı her organizasyonda mevcut olan rol isimlerini yazın. İsimler tam olarak eşleşmelidir.",
+    "roleMappingClaimPath": "Hak Talep Yolu",
+    "roleMappingClaimPathPlaceholder": "gruplar",
+    "roleMappingClaimPathDescription": "Kaynak değerleri içeren belirteç yükündeki yol (örneğin, gruplar).",
+    "roleMappingMatchValue": "Eşleme Değeri",
+    "roleMappingAssignRoles": "Rolleri Ata",
+    "roleMappingAddMappingRule": "Eşleme Kuralı Ekle",
+    "roleMappingRawExpressionResultDescription": "İfade bir string veya string dizisine değerlendirilmelidir.",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "İfade bir string (tek rol ismi) olarak değerlendirilmelidir.",
+    "roleMappingMatchValuePlaceholder": "Eşleme değeri (örneğin: admin)",
+    "roleMappingAssignRolesPlaceholderFreeform": "Rol isimlerini yazın (organizasyon başına tam eşleşme)",
+    "roleMappingBuilderFreeformRowHint": "Rol isimleri her hedef organizasyondaki bir rol ile eşleşmelidir.",
+    "roleMappingRemoveRule": "Kaldır",
    "idpGoogleConfiguration": "Google Yapılandırması",
    "idpGoogleConfigurationDescription": "Google OAuth2 kimlik bilgilerinizi yapılandırın",
    "idpGoogleClientIdDescription": "Google OAuth2 İstemci Kimliğiniz",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "Erişim günlüklerini ne kadar süre tutacağını belirle",
    "logRetentionActionLabel": "Eylem Günlüğü Saklama",
    "logRetentionActionDescription": "Eylem günlüklerini ne kadar süre tutacağını belirle",
+    "logRetentionConnectionLabel": "Bağlantı kayıtlarını ne kadar süre saklayacağınız",
+    "logRetentionConnectionDescription": "Bağlantı kayıtlarını ne kadar süre saklayacağınız",
    "logRetentionDisabled": "Devre Dışı",
    "logRetention3Days": "3 gün",
    "logRetention7Days": "7 gün",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
    "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
    "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
-    "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
-    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
+    "connectionLogs": "Bağlantı Kayıtları",
+    "connectionLogsDescription": "Bu organizasyondaki tüneller için bağlantı geçmişine bakın",
+    "sidebarLogsConnection": "Bağlantı Kayıtları",
+    "sidebarLogsStreaming": "Akış",
+    "sourceAddress": "Kaynak Adresi",
+    "destinationAddress": "Hedef Adresi",
+    "duration": "Süre",
+    "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı veya <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> gereklidir. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>’da da mevcuttur. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
    "certResolver": "Sertifika Çözücü",
    "certResolverDescription": "Bu kaynak için kullanılacak sertifika çözücüsünü seçin.",
    "selectCertResolver": "Sertifika Çözücü Seçin",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "Cihaz Onaylarını Etkinleştir",
    "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
    "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
-    "approvalsEmptyStateButtonText": "Rolleri Yönet"
+    "approvalsEmptyStateButtonText": "Rolleri Yönet",
+    "domainErrorTitle": "Alan adınızı doğrulamada sorun yaşıyoruz",
+    "idpAdminAutoProvisionPoliciesTabHint": "Rol eşleme ve organizasyon politikalarını <policiesTabLink>Otomatik Tedarik Ayarları</policiesTabLink> sekmesinde yapılandırın.",
+    "streamingTitle": "Olay Akışı",
+    "streamingDescription": "Olayları organizasyonunuzdan dış hedeflere gerçek zamanlı olarak iletin.",
+    "streamingUnnamedDestination": "Adsız hedef",
+    "streamingNoUrlConfigured": "URL yapılandırılmadı",
+    "streamingAddDestination": "Hedef Ekle",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "Esnek kimlik doğrulama ve şablon oluşturmayla her HTTP uç noktasına olaylar gönderin.",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "Olayları S3 uyumlu bir nesne depolama kovasına iletin. Yakında gelicek.",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "Olayları doğrudan Datadog hesabınıza iletin. Yakında gelicek.",
+    "streamingTypePickerDescription": "Başlamak için bir hedef türü seçin.",
+    "streamingFailedToLoad": "Hedefler yüklenemedi",
+    "streamingUnexpectedError": "Beklenmeyen bir hata oluştu.",
+    "streamingFailedToUpdate": "Hedef güncellenemedi",
+    "streamingDeletedSuccess": "Hedef başarıyla silindi",
+    "streamingFailedToDelete": "Hedef silinemedi",
+    "streamingDeleteTitle": "Hedefi Sil",
+    "streamingDeleteButtonText": "Hedefi Sil",
+    "streamingDeleteDialogAreYouSure": "Silmek istediğinizden emin misiniz",
+    "streamingDeleteDialogThisDestination": "bu hedefi",
+    "streamingDeleteDialogPermanentlyRemoved": "? Tüm yapılandırma kalıcı olarak kaldırılacak.",
+    "httpDestEditTitle": "Hedefi Düzenle",
+    "httpDestAddTitle": "HTTP Hedefi Ekle",
+    "httpDestEditDescription": "Bu HTTP olay akışı hedefine yapılandırmayı güncelleyin.",
+    "httpDestAddDescription": "Organizasyonunuzun olaylarını almak için yeni bir HTTP uç noktası yapılandırın.",
+    "httpDestTabSettings": "Ayarlar",
+    "httpDestTabHeaders": "Başlıklar",
+    "httpDestTabBody": "Gövde",
+    "httpDestTabLogs": "Kayıtlar",
+    "httpDestNamePlaceholder": "Benim HTTP hedefim",
+    "httpDestUrlLabel": "Hedef URL",
+    "httpDestUrlErrorHttpRequired": "URL http veya https kullanmalıdır",
+    "httpDestUrlErrorHttpsRequired": "Bulut dağıtımlarında HTTPS gereklidir",
+    "httpDestUrlErrorInvalid": "Geçerli bir URL girin (örn. https://example.com/webhook)",
+    "httpDestAuthTitle": "Kimlik Doğrulama",
+    "httpDestAuthDescription": "Uç noktanıza yapılan isteklerin nasıl kimlik doğrulandığını seçin.",
+    "httpDestAuthNoneTitle": "Kimlik Doğrulama Yok",
+    "httpDestAuthNoneDescription": "Yetkilendirme başlığı olmadan istekler gönderir.",
+    "httpDestAuthBearerTitle": "Taşıyıcı Jetonu",
+    "httpDestAuthBearerDescription": "Her isteğe bir Yetkilendirme: Taşıyıcı <token> başlığı ekler.",
+    "httpDestAuthBearerPlaceholder": "API anahtarınız veya jetonunuz",
+    "httpDestAuthBasicTitle": "Temel Kimlik Doğrulama",
+    "httpDestAuthBasicDescription": "Authorization: Temel <belirtecikler> başlığı ekler. Yetkilendirmeleri kullanıcı adı:şifre olarak sağlayın.",
+    "httpDestAuthBasicPlaceholder": "kullanıcı adı:şifre",
+    "httpDestAuthCustomTitle": "Özel Başlık",
+    "httpDestAuthCustomDescription": "Kimlik doğrulama için özel bir HTTP başlık adı ve değer belirtin (örn. X-API-Key).",
+    "httpDestAuthCustomHeaderNamePlaceholder": "Başlık adı (örn. X-API-Key)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "Başlık değeri",
+    "httpDestCustomHeadersTitle": "Özel HTTP Başlıkları",
+    "httpDestCustomHeadersDescription": "Her giden isteğe özel başlıklar ekleyin. Statik jetonlar veya özel bir İçerik Türü için kullanışlıdır. Varsayılan olarak İçerik Türü: application/json gönderilir.",
+    "httpDestNoHeadersConfigured": "Özel başlık yapılandırılmamış. Bir tane eklemek için \"Başlık Ekle\"ye tıklayın.",
+    "httpDestHeaderNamePlaceholder": "Başlık adı",
+    "httpDestHeaderValuePlaceholder": "Değer",
+    "httpDestAddHeader": "Başlık Ekle",
+    "httpDestBodyTemplateTitle": "Özel Gövde Şablonu",
+    "httpDestBodyTemplateDescription": "Uç noktanıza gönderilen JSON yük yapısını kontrol edin. Devre dışı bırakılırsa, her olay için varsayılan bir JSON nesnesi gönderilir.",
+    "httpDestEnableBodyTemplate": "Özel gövde şablonunu etkinleştir",
+    "httpDestBodyTemplateLabel": "Gövde Şablonu (JSON)",
+    "httpDestBodyTemplateHint": "Yükünüzdeki olay alanlarına atıfta bulunmak için şablon değişkenlerini kullanın.",
+    "httpDestPayloadFormatTitle": "Yük Formatı",
+    "httpDestPayloadFormatDescription": "Her bir istek gövdesine olayların nasıl serileştirildiği.",
+    "httpDestFormatJsonArrayTitle": "JSON Dizisi",
+    "httpDestFormatJsonArrayDescription": "Her bir toplu işte bir istek, gövde bir JSON dizisidir. Çoğu genel webhook ve Datadog ile uyumludur.",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "Her bir toplu işte bir istek, gövde satırlarla ayrılmış JSON'dur - her satıra bir nesne, dış dizi yoktur. Splunk HEC, Elastic / OpenSearch ve Grafana Loki tarafından gereklidir.",
+    "httpDestFormatSingleTitle": "Her İstek Başına Bir Olay",
+    "httpDestFormatSingleDescription": "Her olay için ayrı bir HTTP POST gönderir. Toplu işlere yetkemeyen uç noktalar için kullanın.",
+    "httpDestLogTypesTitle": "Kayıt Türleri",
+    "httpDestLogTypesDescription": "Bu hedefe hangi kayıt türlerinin iletileceğini seçin. Yalnızca etkin kayıt türleri yayınlanacaktır.",
+    "httpDestAccessLogsTitle": "Erişim Kayıtları",
+    "httpDestAccessLogsDescription": "Kimlik doğrulanmış ve reddedilen talepler dahil kaynak erişim denemeleri.",
+    "httpDestActionLogsTitle": "Eylem Kayıtları",
+    "httpDestActionLogsDescription": "Kullanıcılar tarafından organizasyon içerisinde yapılan yönetici eylemleri.",
+    "httpDestConnectionLogsTitle": "Bağlantı Kayıtları",
+    "httpDestConnectionLogsDescription": "Site ve tünel bağlantı olayları, bağlantılar ve bağlantı kesilmeleri dahil.",
+    "httpDestRequestLogsTitle": "İstek Kayıtları",
+    "httpDestRequestLogsDescription": "Yönlendirilmiş kaynaklar için HTTP istek kayıtları, yöntem, yol ve yanıt kodu dahil.",
+    "httpDestSaveChanges": "Değişiklikleri Kaydet",
+    "httpDestCreateDestination": "Hedef Oluştur",
+    "httpDestUpdatedSuccess": "Hedef başarıyla güncellendi",
+    "httpDestCreatedSuccess": "Hedef başarıyla oluşturuldu",
+    "httpDestUpdateFailed": "Hedef güncellenemedi",
+    "httpDestCreateFailed": "Hedef oluşturulamadı"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -148,6 +148,11 @@
    "createLink": "创建链接",
    "resourcesNotFound": "找不到资源",
    "resourceSearch": "搜索资源",
+    "machineSearch": "搜索机",
+    "machinesSearch": "搜索机器客户端...",
+    "machineNotFound": "未找到任何机",
+    "userDeviceSearch": "搜索用户设备",
+    "userDevicesSearch": "搜索用户设备...",
    "openMenu": "打开菜单",
    "resource": "资源",
    "title": "标题",
@@ -175,7 +180,7 @@
    "resourceHTTPDescription": "通过使用完全限定的域名的HTTPS代理请求。",
    "resourceRaw": "TCP/UDP 资源",
    "resourceRawDescription": "通过使用端口号的原始TCP/UDP代理请求。",
-    "resourceRawDescriptionCloud": "正在使用端口号的 TCP/UDP 代理请求。请使用一个REMOTE",
+    "resourceRawDescriptionCloud": "正在使用端口号使用 TCP/UDP 代理请求。需要站点连接到远程节点。",
    "resourceCreate": "创建资源",
    "resourceCreateDescription": "按照下面的步骤创建新资源",
    "resourceSeeAll": "查看所有资源",
@@ -323,6 +328,54 @@
    "apiKeysDelete": "删除 API 密钥",
    "apiKeysManage": "管理 API 密钥",
    "apiKeysDescription": "API 密钥用于认证集成 API",
+    "provisioningKeysTitle": "置备密钥",
+    "provisioningKeysManage": "管理置备键",
+    "provisioningKeysDescription": "置备密钥用于验证您组织的自动站点配置。",
+    "provisioningManage": "置备中",
+    "provisioningDescription": "管理预配键和审查等待批准的站点。",
+    "pendingSites": "待定站点",
+    "siteApproveSuccess": "站点批准成功",
+    "siteApproveError": "批准站点出错",
+    "provisioningKeys": "置备键",
+    "searchProvisioningKeys": "搜索配备密钥...",
+    "provisioningKeysAdd": "生成置备键",
+    "provisioningKeysErrorDelete": "删除预配键时出错",
+    "provisioningKeysErrorDeleteMessage": "删除预配键时出错",
+    "provisioningKeysQuestionRemove": "您确定要从组织中删除此预配键吗？",
+    "provisioningKeysMessageRemove": "一旦移除，密钥不能再用于站点预配。",
+    "provisioningKeysDeleteConfirm": "确认删除置备键",
+    "provisioningKeysDelete": "删除置备键",
+    "provisioningKeysCreate": "生成置备键",
+    "provisioningKeysCreateDescription": "为组织生成一个新的预置密钥",
+    "provisioningKeysSeeAll": "查看所有预配键",
+    "provisioningKeysSave": "保存预配键",
+    "provisioningKeysSaveDescription": "您只能看到一次。复制它到一个安全的地方。",
+    "provisioningKeysErrorCreate": "创建预配键时出错",
+    "provisioningKeysList": "新建预配键",
+    "provisioningKeysMaxBatchSize": "最大批量大小",
+    "provisioningKeysUnlimitedBatchSize": "无限批量大小(无限制)",
+    "provisioningKeysMaxBatchUnlimited": "无限制",
+    "provisioningKeysMaxBatchSizeInvalid": "输入一个有效的最大批处理大小(1-1,000,000)。",
+    "provisioningKeysValidUntil": "有效期至",
+    "provisioningKeysValidUntilHint": "留空为无过期。",
+    "provisioningKeysValidUntilInvalid": "输入一个有效的日期和时间。",
+    "provisioningKeysNumUsed": "使用的时间",
+    "provisioningKeysLastUsed": "上次使用",
+    "provisioningKeysNoExpiry": "没有过期",
+    "provisioningKeysNeverUsed": "永不过期",
+    "provisioningKeysEdit": "编辑置备键",
+    "provisioningKeysEditDescription": "更新此密钥的最大批量大小和过期时间。",
+    "provisioningKeysApproveNewSites": "批准新站点",
+    "provisioningKeysApproveNewSitesDescription": "自动批准使用此密钥注册的站点。",
+    "provisioningKeysUpdateError": "更新预配键时出错",
+    "provisioningKeysUpdated": "置备密钥已更新",
+    "provisioningKeysUpdatedDescription": "您的更改已保存。",
+    "provisioningKeysBannerTitle": "站点置备密钥",
+    "provisioningKeysBannerDescription": "生成一个预配键并使用它来在首次启动时自动创建站点——无需为每个站点设置单独的凭证。",
+    "provisioningKeysBannerButtonText": "了解更多",
+    "pendingSitesBannerTitle": "待定站点",
+    "pendingSitesBannerDescription": "使用预配键连接的站点会出现在这里供审核。在站点开始运行之前批准并获取对您资源的访问权限。",
+    "pendingSitesBannerButtonText": "了解更多",
    "apiKeysSettings": "{apiKeyName} 设置",
    "userTitle": "管理所有用户",
    "userDescription": "查看和管理系统中的所有用户",
@@ -509,9 +562,12 @@
    "userSaved": "用户已保存",
    "userSavedDescription": "用户已更新。",
    "autoProvisioned": "自动设置",
+    "autoProvisionSettings": "自动提供设置",
    "autoProvisionedDescription": "允许此用户由身份提供商自动管理",
    "accessControlsDescription": "管理此用户在组织中可以访问和做什么",
    "accessControlsSubmit": "保存访问控制",
+    "singleRolePerUserPlanNotice": "您的计划仅支持每个用户一个角色。",
+    "singleRolePerUserEditionNotice": "此版本仅支持每个用户一个角色。",
    "roles": "角色",
    "accessUsersRoles": "管理用户和角色",
    "accessUsersRolesDescription": "邀请用户加入角色来管理访问组织",
@@ -1119,6 +1175,7 @@
    "setupTokenDescription": "从服务器控制台输入设置令牌。",
    "setupTokenRequired": "需要设置令牌",
    "actionUpdateSite": "更新站点",
+    "actionResetSiteBandwidth": "重置组织带宽",
    "actionListSiteRoles": "允许站点角色列表",
    "actionCreateResource": "创建资源",
    "actionDeleteResource": "删除资源",
@@ -1148,6 +1205,7 @@
    "actionRemoveUser": "删除用户",
    "actionListUsers": "列出用户",
    "actionAddUserRole": "添加用户角色",
+    "actionSetUserOrgRoles": "设置用户角色",
    "actionGenerateAccessToken": "生成访问令牌",
    "actionDeleteAccessToken": "删除访问令牌",
    "actionListAccessTokens": "访问令牌",
@@ -1264,6 +1322,7 @@
    "sidebarRoles": "角色",
    "sidebarShareableLinks": "链接",
    "sidebarApiKeys": "API密钥",
+    "sidebarProvisioning": "置备中",
    "sidebarSettings": "设置",
    "sidebarAllUsers": "所有用户",
    "sidebarIdentityProviders": "身份提供商",
@@ -1426,6 +1485,7 @@
    "domainPickerNamespace": "命名空间：{namespace}",
    "domainPickerShowMore": "显示更多",
    "regionSelectorTitle": "选择区域",
+    "domainPickerRemoteExitNodeWarning": "当站点连接到远程退出节点时不支持所提供的域。为了资源可在远程节点上使用，请使用自定义域名。",
    "regionSelectorInfo": "选择区域以帮助提升您所在地的性能。您不必与服务器在相同的区域。",
    "regionSelectorPlaceholder": "选择一个区域",
    "regionSelectorComingSoon": "即将推出",
@@ -1888,6 +1948,40 @@
    "exitNode": "出口节点",
    "country": "国家",
    "rulesMatchCountry": "当前基于源 IP",
+    "region": "地区",
+    "selectRegion": "选择区域",
+    "searchRegions": "搜索区域...",
+    "noRegionFound": "未找到区域。",
+    "rulesMatchRegion": "选择一个区域国家组",
+    "rulesErrorInvalidRegion": "无效区域",
+    "rulesErrorInvalidRegionDescription": "请选择一个有效的区域。",
+    "regionAfrica": "非洲",
+    "regionNorthernAfrica": "B. 北非地区",
+    "regionEasternAfrica": "东部非洲",
+    "regionMiddleAfrica": "中东",
+    "regionSouthernAfrica": "D. 南 非",
+    "regionWesternAfrica": "D. 西部非洲",
+    "regionAmericas": "Americas",
+    "regionCaribbean": "加勒比",
+    "regionCentralAmerica": "中美洲：",
+    "regionSouthAmerica": "南 非",
+    "regionNorthernAmerica": "北美洲：",
+    "regionAsia": "亚洲",
+    "regionCentralAsia": "B. 亚 洲",
+    "regionEasternAsia": "东亚",
+    "regionSouthEasternAsia": "D. 东南亚区域",
+    "regionSouthernAsia": "D. 亚 洲",
+    "regionWesternAsia": "西亚",
+    "regionEurope": "欧洲",
+    "regionEasternEurope": "D. 欧 洲",
+    "regionNorthernEurope": "北欧洲",
+    "regionSouthernEurope": "南欧洲",
+    "regionWesternEurope": "西欧洲",
+    "regionOceania": "Oceania",
+    "regionAustraliaAndNewZealand": "澳大利亚和新西兰",
+    "regionMelanesia": "Melanesia",
+    "regionMicronesia": "Micronesia",
+    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "托管自托管",
        "description": "更可靠和低维护自我托管的 Pangolin 服务器，带有额外的铃声和告密器",
@@ -1936,6 +2030,25 @@
    "invalidValue": "无效的值",
    "idpTypeLabel": "身份提供者类型",
    "roleMappingExpressionPlaceholder": "例如: contains(group, 'admin' &'Admin' || 'Member'",
+    "roleMappingModeFixedRoles": "固定角色",
+    "roleMappingModeMappingBuilder": "映射构建器",
+    "roleMappingModeRawExpression": "原始表达式",
+    "roleMappingFixedRolesPlaceholderSelect": "选择一个或多个角色",
+    "roleMappingFixedRolesPlaceholderFreeform": "输入角色名称 (每个组织确切匹配)",
+    "roleMappingFixedRolesDescriptionSameForAll": "将相同的角色分配给每个自动配备的用户。",
+    "roleMappingFixedRolesDescriptionDefaultPolicy": "对于缺省策略，每个提供用户的组织中存在的角色名称类型。名称必须完全匹配。",
+    "roleMappingClaimPath": "认领路径",
+    "roleMappingClaimPathPlaceholder": "组",
+    "roleMappingClaimPathDescription": "包含源值的 token 有效负载路径 (例如组)。",
+    "roleMappingMatchValue": "匹配值",
+    "roleMappingAssignRoles": "分配角色",
+    "roleMappingAddMappingRule": "添加映射规则",
+    "roleMappingRawExpressionResultDescription": "表达式必须值为字符串或字符串。",
+    "roleMappingRawExpressionResultDescriptionSingleRole": "表达式必须计算到字符串(单个角色名称)。",
+    "roleMappingMatchValuePlaceholder": "匹配值(例如: 管理员)",
+    "roleMappingAssignRolesPlaceholderFreeform": "输入角色名称 (每个组织确切)",
+    "roleMappingBuilderFreeformRowHint": "角色名称必须匹配每个目标组织的角色。",
+    "roleMappingRemoveRule": "删除",
    "idpGoogleConfiguration": "Google 配置",
    "idpGoogleConfigurationDescription": "配置 Google OAuth2 凭据",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -2332,6 +2445,8 @@
    "logRetentionAccessDescription": "保留访问日志的时间",
    "logRetentionActionLabel": "动作日志保留",
    "logRetentionActionDescription": "保留操作日志的时间",
+    "logRetentionConnectionLabel": "连接日志保留",
+    "logRetentionConnectionDescription": "保留连接日志的时间",
    "logRetentionDisabled": "已禁用",
    "logRetention3Days": "3 天",
    "logRetention7Days": "7 天",
@@ -2342,8 +2457,15 @@
    "logRetentionEndOfFollowingYear": "下一年结束",
    "actionLogsDescription": "查看此机构执行的操作历史",
    "accessLogsDescription": "查看此机构资源的访问认证请求",
-    "licenseRequiredToUse": "需要 <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> 许可才能使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 需要使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
+    "connectionLogs": "连接日志",
+    "connectionLogsDescription": "查看此机构隧道的连接日志",
+    "sidebarLogsConnection": "连接日志",
+    "sidebarLogsStreaming": "流流",
+    "sourceAddress": "源地址",
+    "destinationAddress": "目的地址",
+    "duration": "期限",
+    "licenseRequiredToUse": "使用此功能需要<enterpriseLicenseLink>企业版</enterpriseLicenseLink>许可证或<pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>。<bookADemoLink>预约演示或POC试用</bookADemoLink>。",
+    "ossEnterpriseEditionRequired": "需要 <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 才能使用此功能。 此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>上获取。 <bookADemoLink>预订演示或POC 试用</bookADemoLink>。",
    "certResolver": "证书解决器",
    "certResolverDescription": "选择用于此资源的证书解析器。",
    "selectCertResolver": "选择证书解析",
@@ -2680,5 +2802,91 @@
    "approvalsEmptyStateStep2Title": "启用设备批准",
    "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
    "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
-    "approvalsEmptyStateButtonText": "管理角色"
+    "approvalsEmptyStateButtonText": "管理角色",
+    "domainErrorTitle": "我们在验证您的域名时遇到了问题",
+    "idpAdminAutoProvisionPoliciesTabHint": "在 <policiesTabLink>自动供应设置</policiesTabLink> 选项卡上配置角色映射和组织策略。",
+    "streamingTitle": "事件流",
+    "streamingDescription": "实时将事件从您的组织流到外部目的地。",
+    "streamingUnnamedDestination": "未命名目标",
+    "streamingNoUrlConfigured": "未配置URL",
+    "streamingAddDestination": "添加目标",
+    "streamingHttpWebhookTitle": "HTTP Webhook",
+    "streamingHttpWebhookDescription": "将事件发送到任意HTTP端点并灵活验证和模板。",
+    "streamingS3Title": "Amazon S3",
+    "streamingS3Description": "将事件串流到 S3 兼容的对象存储桶。即将推出。",
+    "streamingDatadogTitle": "Datadog",
+    "streamingDatadogDescription": "直接转发事件到您的Datadog 帐户。即将推出。",
+    "streamingTypePickerDescription": "选择要开始的目标类型。",
+    "streamingFailedToLoad": "加载目的地失败",
+    "streamingUnexpectedError": "发生意外错误.",
+    "streamingFailedToUpdate": "更新目标失败",
+    "streamingDeletedSuccess": "目标删除成功",
+    "streamingFailedToDelete": "删除目标失败",
+    "streamingDeleteTitle": "删除目标",
+    "streamingDeleteButtonText": "删除目标",
+    "streamingDeleteDialogAreYouSure": "您确定要删除吗？",
+    "streamingDeleteDialogThisDestination": "这个目标",
+    "streamingDeleteDialogPermanentlyRemoved": "? 所有配置将被永久删除。",
+    "httpDestEditTitle": "编辑目标",
+    "httpDestAddTitle": "添加 HTTP 目标",
+    "httpDestEditDescription": "更新此 HTTP 事件流媒体目的地的配置。",
+    "httpDestAddDescription": "配置新的 HTTP 端点来接收您的组织事件。",
+    "httpDestTabSettings": "设置",
+    "httpDestTabHeaders": "信头",
+    "httpDestTabBody": "正文内容",
+    "httpDestTabLogs": "日志",
+    "httpDestNamePlaceholder": "我的 HTTP 目标",
+    "httpDestUrlLabel": "目标网址",
+    "httpDestUrlErrorHttpRequired": "URL 必须使用 http 或 https",
+    "httpDestUrlErrorHttpsRequired": "云端部署需要HTTPS",
+    "httpDestUrlErrorInvalid": "输入一个有效的 URL (例如，https://example.com/webhook)",
+    "httpDestAuthTitle": "认证",
+    "httpDestAuthDescription": "选择如何验证您的端点的请求。",
+    "httpDestAuthNoneTitle": "无身份验证",
+    "httpDestAuthNoneDescription": "在没有授权头的情况下发送请求。",
+    "httpDestAuthBearerTitle": "持有者令牌",
+    "httpDestAuthBearerDescription": "添加授权：每个请求的标题为 <token>。",
+    "httpDestAuthBearerPlaceholder": "您的 API 密钥或令牌",
+    "httpDestAuthBasicTitle": "基本认证",
+    "httpDestAuthBasicDescription": "添加授权：基本 <credentials> 头。提供用户名：密码的凭据。",
+    "httpDestAuthBasicPlaceholder": "用户名:密码",
+    "httpDestAuthCustomTitle": "自定义标题",
+    "httpDestAuthCustomDescription": "指定自定义 HTTP 头名称和身份验证值 (例如，X-API 键)。",
+    "httpDestAuthCustomHeaderNamePlaceholder": "标题名称(例如X-API-键)",
+    "httpDestAuthCustomHeaderValuePlaceholder": "页眉值",
+    "httpDestCustomHeadersTitle": "自定义 HTTP 头",
+    "httpDestCustomHeadersDescription": "向每个输出请求添加自定义标题。用于静态令牌或自定义内容类型。默认情况下，内容类型：应用程序/json已发送。",
+    "httpDestNoHeadersConfigured": "未配置自定义头。单击\"添加头\"以添加一个。",
+    "httpDestHeaderNamePlaceholder": "标题名称",
+    "httpDestHeaderValuePlaceholder": "值",
+    "httpDestAddHeader": "添加标题",
+    "httpDestBodyTemplateTitle": "自定义实体模板",
+    "httpDestBodyTemplateDescription": "控制发送到您的端点的 JSON 有效载荷结构。如果禁用，将为每个事件发送一个 JSON 默认对象。",
+    "httpDestEnableBodyTemplate": "启用自定义实体模板",
+    "httpDestBodyTemplateLabel": "身体模板 (JSON)",
+    "httpDestBodyTemplateHint": "将模板变量用于您有效载荷中的参考事件字段。",
+    "httpDestPayloadFormatTitle": "有效载荷格式",
+    "httpDestPayloadFormatDescription": "事件如何序列化为每个请求实体。",
+    "httpDestFormatJsonArrayTitle": "JSON 数组",
+    "httpDestFormatJsonArrayDescription": "每批一个请求，实体是一个 JSON 数组。与大多数通用的 Web 钩子和数据兼容。",
+    "httpDestFormatNdjsonTitle": "NDJSON",
+    "httpDestFormatNdjsonDescription": "每批有一个请求，物体是换行符限制的 JSON ——每行一个对象，不是外部数组。 Sluk HEC、Elastic / OpenSearch和Grafana Loki所需。",
+    "httpDestFormatSingleTitle": "每个请求一个事件",
+    "httpDestFormatSingleDescription": "为每个事件单独发送一个 HTTP POST。仅用于无法处理批量的端点。",
+    "httpDestLogTypesTitle": "日志类型",
+    "httpDestLogTypesDescription": "选择转发到此目的地的日志类型。只有启用的日志类型才会被连续使用。",
+    "httpDestAccessLogsTitle": "访问日志",
+    "httpDestAccessLogsDescription": "资源访问尝试，包括已验证和拒绝的请求。",
+    "httpDestActionLogsTitle": "操作日志",
+    "httpDestActionLogsDescription": "组织内部用户采取的行政行动。",
+    "httpDestConnectionLogsTitle": "连接日志",
+    "httpDestConnectionLogsDescription": "站点和隧道连接事件，包括连接和断开连接。",
+    "httpDestRequestLogsTitle": "请求日志",
+    "httpDestRequestLogsDescription": "HTTP 请求代理资源日志，包括方法、路径和响应代码。",
+    "httpDestSaveChanges": "保存更改",
+    "httpDestCreateDestination": "创建目标",
+    "httpDestUpdatedSuccess": "目标已成功更新",
+    "httpDestCreatedSuccess": "目标创建成功",
+    "httpDestUpdateFailed": "更新目标失败",
+    "httpDestCreateFailed": "创建目标失败"
 }
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -1091,6 +1091,7 @@
  "actionRemoveUser": "刪除用戶",
  "actionListUsers": "列出用戶",
  "actionAddUserRole": "添加用戶角色",
+  "actionSetUserOrgRoles": "Set User Roles",
  "actionGenerateAccessToken": "生成訪問令牌",
  "actionDeleteAccessToken": "刪除訪問令牌",
  "actionListAccessTokens": "訪問令牌",
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -32,9 +32,9 @@
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.989.0",
-        "@faker-js/faker": "10.3.0",
+        "@asteasolutions/zod-to-openapi": "8.5.0",
+        "@aws-sdk/client-s3": "3.1021.0",
+        "@faker-js/faker": "10.4.0",
        "@headlessui/react": "2.2.9",
        "@hookform/resolvers": "5.2.2",
        "@monaco-editor/react": "4.7.0",
@@ -62,13 +62,13 @@
        "@react-email/components": "1.0.8",
        "@react-email/render": "2.0.4",
        "@react-email/tailwind": "2.0.5",
-        "@simplewebauthn/browser": "13.2.2",
-        "@simplewebauthn/server": "13.2.3",
+        "@simplewebauthn/browser": "13.3.0",
+        "@simplewebauthn/server": "13.3.0",
        "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.90.21",
+        "@tanstack/react-query": "5.96.0",
        "@tanstack/react-table": "8.21.3",
        "arctic": "3.7.0",
-        "axios": "1.13.5",
+        "axios": "1.14.0",
        "better-sqlite3": "11.9.1",
        "canvas-confetti": "1.9.4",
        "class-variance-authority": "0.7.1",
@@ -80,61 +80,61 @@
        "d3": "7.9.0",
        "drizzle-orm": "0.45.1",
        "express": "5.2.1",
-        "express-rate-limit": "8.2.1",
+        "express-rate-limit": "8.3.0",
        "glob": "13.0.6",
        "helmet": "8.1.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
-        "ioredis": "5.9.3",
+        "ioredis": "5.10.0",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.563.0",
+        "lucide-react": "0.577.0",
        "maxmind": "5.0.5",
        "moment": "2.30.1",
-        "next": "15.5.12",
+        "next": "15.5.14",
        "next-intl": "4.8.3",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "nodemailer": "8.0.1",
+        "nodemailer": "8.0.4",
        "oslo": "1.2.1",
-        "pg": "8.19.0",
-        "posthog-node": "5.26.0",
+        "pg": "8.20.0",
+        "posthog-node": "5.28.0",
        "qrcode.react": "4.2.0",
        "react": "19.2.4",
-        "react-day-picker": "9.13.2",
+        "react-day-picker": "9.14.0",
        "react-dom": "19.2.4",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.71.2",
-        "react-icons": "5.5.0",
+        "react-hook-form": "7.72.0",
+        "react-icons": "5.6.0",
        "recharts": "2.15.4",
-        "reodotdev": "1.0.0",
-        "resend": "6.9.2",
+        "reodotdev": "1.1.0",
+        "resend": "6.10.0",
        "semver": "7.7.4",
-        "sshpk": "^1.18.0",
-        "stripe": "20.3.1",
+        "sshpk": "1.18.0",
+        "stripe": "20.4.1",
        "swagger-ui-express": "5.0.1",
        "tailwind-merge": "3.5.0",
        "topojson-client": "3.1.0",
        "tw-animate-css": "1.4.0",
-        "use-debounce": "^10.1.0",
+        "use-debounce": "10.1.0",
        "uuid": "13.0.0",
        "vaul": "1.1.2",
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.19.0",
-        "yaml": "2.8.2",
+        "ws": "8.20.0",
+        "yaml": "2.8.3",
        "yargs": "18.0.0",
        "zod": "4.3.6",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.52.0",
+        "@dotenvx/dotenvx": "1.54.1",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "5.2.8",
-        "@tailwindcss/postcss": "4.1.18",
+        "@react-email/preview-server": "5.2.10",
+        "@tailwindcss/postcss": "4.2.2",
        "@tanstack/react-query-devtools": "5.91.3",
        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
@@ -146,31 +146,35 @@
        "@types/jmespath": "0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.2.3",
+        "@types/node": "25.3.5",
        "@types/nodemailer": "7.0.11",
        "@types/nprogress": "0.2.3",
-        "@types/pg": "8.16.0",
+        "@types/pg": "8.18.0",
        "@types/react": "19.2.14",
        "@types/react-dom": "19.2.3",
        "@types/semver": "7.7.1",
-        "@types/sshpk": "^1.17.4",
+        "@types/sshpk": "1.17.4",
        "@types/swagger-ui-express": "4.1.8",
        "@types/topojson-client": "3.1.5",
        "@types/ws": "8.18.1",
        "@types/yargs": "17.0.35",
        "babel-plugin-react-compiler": "1.0.0",
-        "drizzle-kit": "0.31.9",
-        "esbuild": "0.27.3",
+        "drizzle-kit": "0.31.10",
+        "esbuild": "0.27.4",
        "esbuild-node-externals": "1.20.1",
-        "eslint": "9.39.2",
-        "eslint-config-next": "16.1.6",
-        "postcss": "8.5.6",
+        "eslint": "10.0.3",
+        "eslint-config-next": "16.1.7",
+        "postcss": "8.5.8",
        "prettier": "3.8.1",
-        "react-email": "5.2.8",
-        "tailwindcss": "4.1.18",
+        "react-email": "5.2.10",
+        "tailwindcss": "4.2.2",
        "tsc-alias": "1.8.16",
        "tsx": "4.21.0",
        "typescript": "5.9.3",
-        "typescript-eslint": "8.55.0"
+        "typescript-eslint": "8.56.1"
+    },
+    "overrides": {
+        "esbuild": "0.27.4",
+        "dompurify": "3.3.2"
    }
 }
--- a/public/third-party/dd.png
+++ b/public/third-party/dd.png
--- a/public/third-party/s3.png
+++ b/public/third-party/s3.png
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -1,9 +1,10 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { userActions, roleActions } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export enum ActionsEnum {
    createOrgUser = "createOrgUser",
@@ -19,6 +20,7 @@ export enum ActionsEnum {
    getSite = "getSite",
    listSites = "listSites",
    updateSite = "updateSite",
+    resetSiteBandwidth = "resetSiteBandwidth",
    reGenerateSecret = "reGenerateSecret",
    createResource = "createResource",
    deleteResource = "deleteResource",
@@ -52,6 +54,8 @@ export enum ActionsEnum {
    listRoleResources = "listRoleResources",
    // listRoleActions = "listRoleActions",
    addUserRole = "addUserRole",
+    removeUserRole = "removeUserRole",
+    setUserOrgRoles = "setUserOrgRoles",
    // addUserSite = "addUserSite",
    // addUserAction = "addUserAction",
    // removeUserAction = "removeUserAction",
@@ -108,6 +112,10 @@ export enum ActionsEnum {
    listApiKeyActions = "listApiKeyActions",
    listApiKeys = "listApiKeys",
    getApiKey = "getApiKey",
+    createSiteProvisioningKey = "createSiteProvisioningKey",
+    listSiteProvisioningKeys = "listSiteProvisioningKeys",
+    updateSiteProvisioningKey = "updateSiteProvisioningKey",
+    deleteSiteProvisioningKey = "deleteSiteProvisioningKey",
    getCertificate = "getCertificate",
    restartCertificate = "restartCertificate",
    billing = "billing",
@@ -132,7 +140,11 @@ export enum ActionsEnum {
    exportLogs = "exportLogs",
    listApprovals = "listApprovals",
    updateApprovals = "updateApprovals",
-    signSshKey = "signSshKey"
+    signSshKey = "signSshKey",
+    createEventStreamingDestination = "createEventStreamingDestination",
+    updateEventStreamingDestination = "updateEventStreamingDestination",
+    deleteEventStreamingDestination = "deleteEventStreamingDestination",
+    listEventStreamingDestinations = "listEventStreamingDestinations"
 }

 export async function checkUserActionPermission(
@@ -153,29 +165,16 @@ export async function checkUserActionPermission(
    }

    try {
-        let userOrgRoleId = req.userOrgRoleId;
+        let userOrgRoleIds = req.userOrgRoleIds;

-        // If userOrgRoleId is not available on the request, fetch it
-        if (userOrgRoleId === undefined) {
-            const userOrgRole = await db
-                .select()
-                .from(userOrgs)
-                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, req.userOrgId!)
-                    )
-                )
-                .limit(1);
-
-            if (userOrgRole.length === 0) {
+        if (userOrgRoleIds === undefined) {
+            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
+            if (userOrgRoleIds.length === 0) {
                throw createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                );
            }
-
-            userOrgRoleId = userOrgRole[0].roleId;
        }

        // Check if the user has direct permission for the action in the current org
@@ -186,7 +185,7 @@ export async function checkUserActionPermission(
                and(
                    eq(userActions.userId, userId),
                    eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
+                    eq(userActions.orgId, req.userOrgId!)
                )
            )
            .limit(1);
@@ -195,14 +194,14 @@ export async function checkUserActionPermission(
            return true;
        }

-        // If no direct permission, check role-based permission
+        // If no direct permission, check role-based permission (any of user's roles)
        const roleActionPermission = await db
            .select()
            .from(roleActions)
            .where(
                and(
                    eq(roleActions.actionId, actionId),
-                    eq(roleActions.roleId, userOrgRoleId!),
+                    inArray(roleActions.roleId, userOrgRoleIds),
                    eq(roleActions.orgId, req.userOrgId!)
                )
            )
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";

 export async function canUserAccessResource({
    userId,
    resourceId,
-    roleId
+    roleIds
 }: {
    userId: string;
    resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleResources)
+                  .where(
+                      and(
+                          eq(roleResources.resourceId, resourceId),
+                          inArray(roleResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];

    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";

 export async function canUserAccessSiteResource({
    userId,
    resourceId,
-    roleId
+    roleIds
 }: {
    userId: string;
    resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleSiteResources)
-        .where(
-            and(
-                eq(roleSiteResources.siteResourceId, resourceId),
-                eq(roleSiteResources.roleId, roleId)
-            )
-        )
-        .limit(1);
+    const roleResourceAccess =
+        roleIds.length > 0
+            ? await db
+                  .select()
+                  .from(roleSiteResources)
+                  .where(
+                      and(
+                          eq(roleSiteResources.siteResourceId, resourceId),
+                          inArray(roleSiteResources.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [];

    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,6 +1,14 @@
+import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushConnectionLogToDb } from "#dynamic/routers/newt";
+import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";

 async function cleanup() {
+    await stopPingAccumulator();
+    await flushBandwidthToDb();
+    await flushConnectionLogToDb();
+    await flushSiteBandwidthToDb();
    await wsCleanup();

    process.exit(0);
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";

 function createDb() {
    const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {

    // Create connection pools instead of individual connections
    const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
        connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );

    const replicas = [];

@@ -55,14 +60,15 @@ function createDb() {
            })
        );
    } else {
+        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
@@ -85,3 +91,4 @@ export const primaryDb = db.$primary;
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
+export const DB_TYPE: "pg" | "sqlite" = "pg";
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";

 function createLogsDb() {
    // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {

    // Create separate connection pool for logs database
    const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
        connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );

    const replicas = [];

@@ -58,14 +63,16 @@ function createLogsDb() {
            })
        );
    } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {

 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
--- a/server/db/pg/poolConfig.ts
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -7,7 +7,9 @@ import {
    bigint,
    real,
    text,
-    index
+    index,
+    primaryKey,
+    uniqueIndex
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import {
@@ -17,7 +19,9 @@ import {
    users,
    exitNodes,
    sessions,
-    clients
+    clients,
+    siteResources,
+    sites
 } from "./schema";

 export const certificates = pgTable("certificates", {
@@ -89,7 +93,9 @@ export const subscriptions = pgTable("subscriptions", {

 export const subscriptionItems = pgTable("subscriptionItems", {
    subscriptionItemId: serial("subscriptionItemId").primaryKey(),
-    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", { length: 255 }),
+    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", {
+        length: 255
+    }),
    subscriptionId: varchar("subscriptionId", { length: 255 })
        .notNull()
        .references(() => subscriptions.subscriptionId, {
@@ -286,6 +292,7 @@ export const accessAuditLog = pgTable(
        actor: varchar("actor", { length: 255 }),
        actorId: varchar("actorId", { length: 255 }),
        resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
        ip: varchar("ip", { length: 45 }),
        type: varchar("type", { length: 100 }).notNull(),
        action: boolean("action").notNull(),
@@ -302,6 +309,45 @@ export const accessAuditLog = pgTable(
    ]
 );

+export const connectionAuditLog = pgTable(
+    "connectionAuditLog",
+    {
+        id: serial("id").primaryKey(),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = pgTable("approvals", {
    approvalId: serial("approvalId").primaryKey(),
    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -328,6 +374,90 @@ export const approvals = pgTable("approvals", {
        .notNull()
 });

+export const bannedEmails = pgTable("bannedEmails", {
+    email: varchar("email", { length: 255 }).primaryKey()
+});
+
+export const bannedIps = pgTable("bannedIps", {
+    ip: varchar("ip", { length: 255 }).primaryKey()
+});
+
+export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+        length: 255
+    }).primaryKey(),
+    name: varchar("name", { length: 255 }).notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: varchar("lastChars", { length: 4 }).notNull(),
+    createdAt: varchar("dateCreated", { length: 255 }).notNull(),
+    lastUsed: varchar("lastUsed", { length: 255 }),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: varchar("validUntil", { length: 255 }),
+    approveNewSites: boolean("approveNewSites").notNull().default(true)
+});
+
+export const siteProvisioningKeyOrg = pgTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+            length: 255
+        })
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
+export const eventStreamingDestinations = pgTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: serial("destinationId").primaryKey(),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: boolean("sendConnectionLogs").notNull().default(false),
+        sendRequestLogs: boolean("sendRequestLogs").notNull().default(false),
+        sendActionLogs: boolean("sendActionLogs").notNull().default(false),
+        sendAccessLogs: boolean("sendAccessLogs").notNull().default(false),
+        type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: boolean("enabled").notNull().default(true),
+        createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+        updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
+    }
+);
+
+export const eventStreamingCursors = pgTable(
+    "eventStreamingCursors",
+    {
+        cursorId: serial("cursorId").primaryKey(),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
+        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -349,3 +479,19 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type SessionTransferToken = InferSelectModel<
+    typeof sessionTransferToken
+>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type SiteProvisioningKeyOrg = InferSelectModel<
+    typeof siteProvisioningKeyOrg
+>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -6,9 +6,11 @@ import {
    index,
    integer,
    pgTable,
+    primaryKey,
    real,
    serial,
    text,
+    unique,
    varchar
 } from "drizzle-orm/pg-core";

@@ -22,7 +24,8 @@ export const domains = pgTable("domains", {
    tries: integer("tries").notNull().default(0),
    certResolver: varchar("certResolver"),
    customCertResolver: varchar("customCertResolver"),
-    preferWildcardCert: boolean("preferWildcardCert")
+    preferWildcardCert: boolean("preferWildcardCert"),
+    errorMessage: text("errorMessage")
 });

 export const dnsRecords = pgTable("dnsRecords", {
@@ -54,6 +57,9 @@ export const orgs = pgTable("orgs", {
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: boolean("isBillingOrg"),
@@ -88,12 +94,14 @@ export const sites = pgTable("sites", {
    lastBandwidthUpdate: varchar("lastBandwidthUpdate"),
    type: varchar("type").notNull(), // "newt" or "wireguard"
    online: boolean("online").notNull().default(false),
+    lastPing: integer("lastPing"),
    address: varchar("address"),
    endpoint: varchar("endpoint"),
    publicKey: varchar("publicKey"),
    lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
    listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+    status: varchar("status").$type<"pending" | "approved">().default("approved")
 });

 export const resources = pgTable("resources", {
@@ -283,8 +291,10 @@ export const users = pgTable("user", {
    dateCreated: varchar("dateCreated").notNull(),
    termsAcceptedTimestamp: varchar("termsAcceptedTimestamp"),
    termsVersion: varchar("termsVersion"),
+    marketingEmailConsent: boolean("marketingEmailConsent").default(false),
    serverAdmin: boolean("serverAdmin").notNull().default(false),
-    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" })
+    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" }),
+    locale: varchar("locale")
 });

 export const newts = pgTable("newt", {
@@ -332,9 +342,6 @@ export const userOrgs = pgTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
    isOwner: boolean("isOwner").notNull().default(false),
    autoProvisioned: boolean("autoProvisioned").default(false),
    pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -383,6 +390,22 @@ export const roles = pgTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });

+export const userOrgRoles = pgTable(
+    "userOrgRoles",
+    {
+        userId: varchar("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = pgTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -450,12 +473,22 @@ export const userInvites = pgTable("userInvites", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    email: varchar("email").notNull(),
    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
-    tokenHash: varchar("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: varchar("token").notNull()
 });

+export const userInviteRoles = pgTable(
+    "userInviteRoles",
+    {
+        inviteId: varchar("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = pgTable("resourcePincode", {
    pincodeId: serial("pincodeId").primaryKey(),
    resourceId: integer("resourceId")
@@ -719,6 +752,7 @@ export const clientSitesAssociationsCache = pgTable(
            .notNull(),
        siteId: integer("siteId").notNull(),
        isRelayed: boolean("isRelayed").notNull().default(false),
+        isJitMode: boolean("isJitMode").notNull().default(false),
        endpoint: varchar("endpoint"),
        publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
@@ -1030,7 +1064,9 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,12 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
+import {
+    db,
+    loginPage,
+    LoginPage,
+    loginPageOrg,
+    Org,
+    orgs,
+    roles
+} from "@server/db";
 import {
    Resource,
    ResourcePassword,
@@ -12,13 +20,12 @@ import {
    resources,
    roleResources,
    sessions,
-    userOrgs,
    userResources,
    users,
    ResourceHeaderAuthExtendedCompatibility,
    resourceHeaderAuthExtendedCompatibility
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";

 export type ResourceWithAuth = {
    resource: Resource | null;
@@ -104,24 +111,15 @@ export async function getUserSessionWithUser(
 }

 /**
- * Get user organization role
+ * Get role name by role ID (for display).
 */
-export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrgRole = await db
-        .select({
-            userId: userOrgs.userId,
-            orgId: userOrgs.orgId,
-            roleId: userOrgs.roleId,
-            isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned,
-            roleName: roles.name
-        })
-        .from(userOrgs)
-        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
+export async function getRoleName(roleId: number): Promise<string | null> {
+    const [row] = await db
+        .select({ name: roles.name })
+        .from(roles)
+        .where(eq(roles.roleId, roleId))
        .limit(1);
-
-    return userOrgRole.length > 0 ? userOrgRole[0] : null;
+    return row?.name ?? null;
 }

 /**
@@ -129,7 +127,7 @@ export async function getUserOrgRole(userId: string, orgId: string) {
 */
 export async function getRoleResourceAccess(
    resourceId: number,
-    roleId: number
+    roleIds: number[]
 ) {
    const roleResourceAccess = await db
        .select()
@@ -137,12 +135,11 @@ export async function getRoleResourceAccess(
        .where(
            and(
                eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
+                inArray(roleResources.roleId, roleIds)
            )
-        )
-        .limit(1);
+        );

-    return roleResourceAccess.length > 0 ? roleResourceAccess[0] : null;
+    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
 }

 /**
--- a/server/db/regions.ts
+++ b/server/db/regions.ts
@@ -0,0 +1,196 @@
+// Regions of the World
+// as of 2025-10-25
+//
+// Adapted according to the United Nations Geoscheme
+// see https://www.unicode.org/cldr/charts/48/supplemental/territory_containment_un_m_49.html
+// see https://unstats.un.org/unsd/methodology/m49
+
+export const REGIONS = [
+    {
+        name: "regionAfrica",
+        id: "002",
+        includes: [
+            {
+                name: "regionNorthernAfrica",
+                id: "015",
+                countries: ["DZ", "EG", "LY", "MA", "SD", "TN", "EH"]
+            },
+            {
+                name: "regionEasternAfrica",
+                id: "014",
+                countries: ["IO", "BI", "KM", "DJ", "ER", "ET", "TF", "KE", "MG", "MW", "MU", "YT", "MZ", "RE", "RW", "SC", "SO", "SS", "UG", "ZM", "ZW"]
+            },
+            {
+                name: "regionMiddleAfrica",
+                id: "017",
+                countries: ["AO", "CM", "CF", "TD", "CG", "CD", "GQ", "GA", "ST"]
+            },
+            {
+                name: "regionSouthernAfrica",
+                id: "018",
+                countries: ["BW", "SZ", "LS", "NA", "ZA"]
+            },
+            {
+                name: "regionWesternAfrica",
+                id: "011",
+                countries: ["BJ", "BF", "CV", "CI", "GM", "GH", "GN", "GW", "LR", "ML", "MR", "NE", "NG", "SH", "SN", "SL", "TG"]
+            }
+        ]
+    },
+    {
+        name: "regionAmericas",
+        id: "019",
+        includes: [
+            {
+                name: "regionCaribbean",
+                id: "029",
+                countries: ["AI", "AG", "AW", "BS", "BB", "BQ", "VG", "KY", "CU", "CW", "DM", "DO", "GD", "GP", "HT", "JM", "MQ", "MS", "PR", "BL", "KN", "LC", "MF", "VC", "SX", "TT", "TC", "VI"]
+            },
+            {
+                name: "regionCentralAmerica",
+                id: "013",
+                countries: ["BZ", "CR", "SV", "GT", "HN", "MX", "NI", "PA"]
+            },
+            {
+                name: "regionSouthAmerica",
+                id: "005",
+                countries: ["AR", "BO", "BV", "BR", "CL", "CO", "EC", "FK", "GF", "GY", "PY", "PE", "GS", "SR", "UY", "VE"]
+            },
+            {
+                name: "regionNorthernAmerica",
+                id: "021",
+                countries: ["BM", "CA", "GL", "PM", "US"]
+            }
+        ]
+    },
+    {
+        name: "regionAsia",
+        id: "142",
+        includes: [
+            {
+                name: "regionCentralAsia",
+                id: "143",
+                countries: ["KZ", "KG", "TJ", "TM", "UZ"]
+            },
+            {
+                name: "regionEasternAsia",
+                id: "030",
+                countries: ["CN", "HK", "MO", "KP", "JP", "MN", "KR"]
+            },
+            {
+                name: "regionSouthEasternAsia",
+                id: "035",
+                countries: ["BN", "KH", "ID", "LA", "MY", "MM", "PH", "SG", "TH", "TL", "VN"]
+            },
+            {
+                name: "regionSouthernAsia",
+                id: "034",
+                countries: ["AF", "BD", "BT", "IN", "IR", "MV", "NP", "PK", "LK"]
+            },
+            {
+                name: "regionWesternAsia",
+                id: "145",
+                countries: ["AM", "AZ", "BH", "CY", "GE", "IQ", "IL", "JO", "KW", "LB", "OM", "QA", "SA", "PS", "SY", "TR", "AE", "YE"]
+            }
+        ]
+    },
+    {
+        name: "regionEurope",
+        id: "150",
+        includes: [
+            {
+                name: "regionEasternEurope",
+                id: "151",
+                countries: ["BY", "BG", "CZ", "HU", "PL", "MD", "RO", "RU", "SK", "UA"]
+            },
+            {
+                name: "regionNorthernEurope",
+                id: "154",
+                countries: ["AX", "DK", "EE", "FO", "FI", "GG", "IS", "IE", "IM", "JE", "LV", "LT", "NO", "SJ", "SE", "GB"]
+            },
+            {
+                name: "regionSouthernEurope",
+                id: "039",
+                countries: ["AL", "AD", "BA", "HR", "GI", "GR", "VA", "IT", "MT", "ME", "MK", "PT", "SM", "RS", "SI", "ES"]
+            },
+            {
+                name: "regionWesternEurope",
+                id: "155",
+                countries: ["AT", "BE", "FR", "DE", "LI", "LU", "MC", "NL", "CH"]
+            }
+        ]
+    },
+    {
+        name: "regionOceania",
+        id: "009",
+        includes: [
+            {
+                name: "regionAustraliaAndNewZealand",
+                id: "053",
+                countries: ["AU", "CX", "CC", "HM", "NZ", "NF"]
+            },
+            {
+                name: "regionMelanesia",
+                id: "054",
+                countries: ["FJ", "NC", "PG", "SB", "VU"]
+            },
+            {
+                name: "regionMicronesia",
+                id: "057",
+                countries: ["GU", "KI", "MH", "FM", "NR", "MP", "PW", "UM"]
+            },
+            {
+                name: "regionPolynesia",
+                id: "061",
+                countries: ["AS", "CK", "PF", "NU", "PN", "WS", "TK", "TO", "TV", "WF"]
+            }
+        ]
+    }
+];
+
+type Subregion = {
+    name: string;
+    id: string;
+    countries: string[];
+};
+
+type Region = {
+    name: string;
+    id: string;
+    includes: Subregion[];
+};
+
+export function getRegionNameById(regionId: string): string | undefined {
+    // Check top-level regions
+    const region = REGIONS.find((r) => r.id === regionId);
+    if (region) {
+        return region.name;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        for (const subregion of region.includes) {
+            if (subregion.id === regionId) {
+                return subregion.name;
+            }
+        }
+    }
+
+    return undefined;
+}
+
+export function isValidRegionId(regionId: string): boolean {
+    // Check top-level regions
+    if (REGIONS.find((r) => r.id === regionId)) {
+        return true;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        if (region.includes.find((s) => s.id === regionId)) {
+            return true;
+        }
+    }
+
+    return false;
+}
--- a/server/db/sqlite/driver.ts
+++ b/server/db/sqlite/driver.ts
@@ -23,7 +23,8 @@ export default db;
 export const primaryDb = db;
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
->[0];
+    >[0];
+export const DB_TYPE: "pg" | "sqlite" = "sqlite";

 function checkFileExists(filePath: string): boolean {
    try {
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -2,11 +2,22 @@ import { InferSelectModel } from "drizzle-orm";
 import {
    index,
    integer,
+    primaryKey,
    real,
    sqliteTable,
-    text
+    text,
+    uniqueIndex
 } from "drizzle-orm/sqlite-core";
-import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";
+import {
+    clients,
+    domains,
+    exitNodes,
+    orgs,
+    sessions,
+    siteResources,
+    sites,
+    users
+} from "./schema";

 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -278,6 +289,7 @@ export const accessAuditLog = sqliteTable(
        actor: text("actor"),
        actorId: text("actorId"),
        resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
        ip: text("ip"),
        location: text("location"),
        type: text("type").notNull(),
@@ -294,6 +306,45 @@ export const accessAuditLog = sqliteTable(
    ]
 );

+export const connectionAuditLog = sqliteTable(
+    "connectionAuditLog",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = sqliteTable("approvals", {
    approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -318,6 +369,92 @@ export const approvals = sqliteTable("approvals", {
        .notNull()
 });

+export const bannedEmails = sqliteTable("bannedEmails", {
+    email: text("email").primaryKey()
+});
+
+export const bannedIps = sqliteTable("bannedIps", {
+    ip: text("ip").primaryKey()
+});
+
+export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: text("siteProvisioningKeyId").primaryKey(),
+    name: text("name").notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: text("lastChars").notNull(),
+    createdAt: text("dateCreated").notNull(),
+    lastUsed: text("lastUsed"),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: text("validUntil"),
+    approveNewSites: integer("approveNewSites", { mode: "boolean" })
+        .notNull()
+        .default(true)
+});
+
+export const siteProvisioningKeyOrg = sqliteTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: text("siteProvisioningKeyId")
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
+export const eventStreamingDestinations = sqliteTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: integer("destinationId").primaryKey({
+            autoIncrement: true
+        }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: integer("sendConnectionLogs", { mode: "boolean" }).notNull().default(false),
+        sendRequestLogs: integer("sendRequestLogs", { mode: "boolean" }).notNull().default(false),
+        sendActionLogs: integer("sendActionLogs", { mode: "boolean" }).notNull().default(false),
+        sendAccessLogs: integer("sendAccessLogs", { mode: "boolean" }).notNull().default(false),
+        type: text("type").notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: integer("enabled", { mode: "boolean" })
+            .notNull()
+            .default(true),
+        createdAt: integer("createdAt").notNull(),
+        updatedAt: integer("updatedAt").notNull()
+    }
+);
+
+export const eventStreamingCursors = sqliteTable(
+    "eventStreamingCursors",
+    {
+        cursorId: integer("cursorId").primaryKey({ autoIncrement: true }),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: text("logType").notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: integer("lastSentId").notNull().default(0),
+        lastSentAt: integer("lastSentAt") // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -339,3 +476,13 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,6 +1,13 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+import {
+    index,
+    integer,
+    primaryKey,
+    sqliteTable,
+    text,
+    unique
+} from "drizzle-orm/sqlite-core";

 export const domains = sqliteTable("domains", {
    domainId: text("domainId").primaryKey(),
@@ -13,7 +20,8 @@ export const domains = sqliteTable("domains", {
    failed: integer("failed", { mode: "boolean" }).notNull().default(false),
    tries: integer("tries").notNull().default(0),
    certResolver: text("certResolver"),
-    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" })
+    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" }),
+    errorMessage: text("errorMessage")
 });

 export const dnsRecords = sqliteTable("dnsRecords", {
@@ -46,6 +54,9 @@ export const orgs = sqliteTable("orgs", {
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
@@ -89,6 +100,7 @@ export const sites = sqliteTable("sites", {
    lastBandwidthUpdate: text("lastBandwidthUpdate"),
    type: text("type").notNull(), // "newt" or "wireguard"
    online: integer("online", { mode: "boolean" }).notNull().default(false),
+    lastPing: integer("lastPing"),

    // exit node stuff that is how to connect to the site when it has a wg server
    address: text("address"), // this is the address of the wireguard interface in newt
@@ -98,7 +110,8 @@ export const sites = sqliteTable("sites", {
    listenPort: integer("listenPort"),
    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
        .notNull()
-        .default(true)
+        .default(true),
+    status: text("status").$type<"pending" | "approved">().default("approved")
 });

 export const resources = sqliteTable("resources", {
@@ -314,10 +327,14 @@ export const users = sqliteTable("user", {
    dateCreated: text("dateCreated").notNull(),
    termsAcceptedTimestamp: text("termsAcceptedTimestamp"),
    termsVersion: text("termsVersion"),
+    marketingEmailConsent: integer("marketingEmailConsent", {
+        mode: "boolean"
+    }).default(false),
    serverAdmin: integer("serverAdmin", { mode: "boolean" })
        .notNull()
        .default(false),
-    lastPasswordChange: integer("lastPasswordChange")
+    lastPasswordChange: integer("lastPasswordChange"),
+    locale: text("locale")
 });

 export const securityKeys = sqliteTable("webauthnCredentials", {
@@ -406,6 +423,9 @@ export const clientSitesAssociationsCache = sqliteTable(
        isRelayed: integer("isRelayed", { mode: "boolean" })
            .notNull()
            .default(false),
+        isJitMode: integer("isJitMode", { mode: "boolean" })
+            .notNull()
+            .default(false),
        endpoint: text("endpoint"),
        publicKey: text("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
@@ -635,9 +655,6 @@ export const userOrgs = sqliteTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
    autoProvisioned: integer("autoProvisioned", {
        mode: "boolean"
@@ -692,6 +709,22 @@ export const roles = sqliteTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });

+export const userOrgRoles = sqliteTable(
+    "userOrgRoles",
+    {
+        userId: text("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = sqliteTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -777,12 +810,22 @@ export const userInvites = sqliteTable("userInvites", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    email: text("email").notNull(),
    expiresAt: integer("expiresAt").notNull(),
-    tokenHash: text("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: text("token").notNull()
 });

+export const userInviteRoles = sqliteTable(
+    "userInviteRoles",
+    {
+        inviteId: text("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = sqliteTable("resourcePincode", {
    pincodeId: integer("pincodeId").primaryKey({
        autoIncrement: true
@@ -1125,7 +1168,9 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/index.ts
+++ b/server/index.ts
@@ -74,7 +74,7 @@ declare global {
            session: Session;
            userOrg?: UserOrg;
            apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleId?: number;
+            userOrgRoleIds?: number[];
            userOrgId?: string;
            userOrgIds?: string[];
            remoteExitNode?: RemoteExitNode;
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -8,6 +8,7 @@ export enum TierFeature {
    LogExport = "logExport",
    AccessLogs = "accessLogs", // set the retention period to none on downgrade
    ActionLogs = "actionLogs", // set the retention period to none on downgrade
+    ConnectionLogs = "connectionLogs",
    RotateCredentials = "rotateCredentials",
    MaintencePage = "maintencePage", // handle downgrade
    DevicePosture = "devicePosture",
@@ -15,7 +16,10 @@ export enum TierFeature {
    SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
    PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
    AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam"
+    SshPam = "sshPam",
+    FullRbac = "fullRbac",
+    SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
+    SIEM = "siem" // handle downgrade by disabling SIEM integrations
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -26,6 +30,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.LogExport]: ["tier3", "enterprise"],
    [TierFeature.AccessLogs]: ["tier2", "tier3", "enterprise"],
    [TierFeature.ActionLogs]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.ConnectionLogs]: ["tier2", "tier3", "enterprise"],
    [TierFeature.RotateCredentials]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.MaintencePage]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DevicePosture]: ["tier2", "tier3", "enterprise"],
@@ -48,5 +53,8 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
        "enterprise"
    ],
    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
+    [TierFeature.SIEM]: ["enterprise"]
 };
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -107,7 +107,7 @@ export async function applyBlueprint({
                            [target],
                            matchingHealthcheck ? [matchingHealthcheck] : [],
                            result.proxyResource.protocol,
-                            result.proxyResource.proxyPort
+                            site.newt.version
                        );
                    }
                }
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -31,6 +31,7 @@ import { pickPort } from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
+import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "../billing/tierMatrix";

@@ -863,6 +864,10 @@ function validateRule(rule: any) {
        if (!isValidUrlGlobPattern(rule.value)) {
            throw new Error(`Invalid URL glob pattern: ${rule.value}`);
        }
+    } else if (rule.match === "region") {
+        if (!isValidRegionId(rule.value)) {
+            throw new Error(`Invalid region ID provided: ${rule.value}`);
+        }
    }
 }

--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { portRangeStringSchema } from "@server/lib/ip";
 import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
+import { isValidRegionId } from "@server/db/regions";

 export const SiteSchema = z.object({
    name: z.string().min(1).max(100),
@@ -77,7 +78,7 @@ export const AuthSchema = z.object({
 export const RuleSchema = z
    .object({
        action: z.enum(["allow", "deny", "pass"]),
-        match: z.enum(["cidr", "path", "ip", "country", "asn"]),
+        match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
        value: z.string(),
        priority: z.int().optional()
    })
@@ -137,6 +138,19 @@ export const RuleSchema = z
            message:
                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
        }
+    )
+    .refine(
+        (rule) => {
+            if (rule.match === "region") {
+                return isValidRegionId(rule.value);
+            }
+            return true;
+        },
+        {
+            path: ["value"],
+            message:
+                "Value must be a valid UN M.49 region or subregion ID when match is 'region'"
+        }
    );

 export const HeaderSchema = z.object({
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -10,6 +10,7 @@ import {
    roles,
    Transaction,
    userClients,
+    userOrgRoles,
    userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -39,20 +40,36 @@ export async function calculateUserClientsForOrgs(
            return;
        }

-        // Get all user orgs
-        const allUserOrgs = await transaction
+        // Get all user orgs with all roles (for org list and role-based logic)
+        const userOrgRoleRows = await transaction
            .select()
            .from(userOrgs)
-            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
+            .innerJoin(
+                userOrgRoles,
+                and(
+                    eq(userOrgs.userId, userOrgRoles.userId),
+                    eq(userOrgs.orgId, userOrgRoles.orgId)
+                )
+            )
+            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
            .where(eq(userOrgs.userId, userId));

-        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
+        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
+        const orgIdToRoleRows = new Map<
+            string,
+            (typeof userOrgRoleRows)[0][]
+        >();
+        for (const r of userOrgRoleRows) {
+            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
+            list.push(r);
+            orgIdToRoleRows.set(r.userOrgs.orgId, list);
+        }

        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
-            for (const userRoleOrg of allUserOrgs) {
-                const { userOrgs: userOrg, roles: role } = userRoleOrg;
-                const orgId = userOrg.orgId;
+            for (const orgId of orgIdToRoleRows.keys()) {
+                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
+                const userOrg = roleRowsForOrg[0].userOrgs;

                const [org] = await transaction
                    .select()
@@ -196,7 +213,7 @@ export async function calculateUserClientsForOrgs(
                const requireApproval =
                    build !== "oss" &&
                    isOrgLicensed &&
-                    role.requireDeviceApproval;
+                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);

                const newClientData: InferInsertModel<typeof clients> = {
                    userId,
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -2,10 +2,15 @@ import { db, orgs } from "@server/db";
 import { cleanUpOldLogs as cleanUpOldAccessLogs } from "#dynamic/lib/logAccessAudit";
 import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/logActionAudit";
 import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
+import { cleanUpOldLogs as cleanUpOldConnectionLogs } from "#dynamic/routers/newt";
 import { gt, or } from "drizzle-orm";
 import { cleanUpOldFingerprintSnapshots } from "@server/routers/olm/fingerprintingUtils";
+import { build } from "@server/build";

 export function initLogCleanupInterval() {
+    if (build == "saas") { // skip log cleanup for saas builds
+        return null;
+    }
    return setInterval(
        async () => {
            const orgsToClean = await db
@@ -16,14 +21,17 @@ export function initLogCleanupInterval() {
                    settingsLogRetentionDaysAccess:
                        orgs.settingsLogRetentionDaysAccess,
                    settingsLogRetentionDaysRequest:
-                        orgs.settingsLogRetentionDaysRequest
+                        orgs.settingsLogRetentionDaysRequest,
+                    settingsLogRetentionDaysConnection:
+                        orgs.settingsLogRetentionDaysConnection
                })
                .from(orgs)
                .where(
                    or(
                        gt(orgs.settingsLogRetentionDaysAction, 0),
                        gt(orgs.settingsLogRetentionDaysAccess, 0),
-                        gt(orgs.settingsLogRetentionDaysRequest, 0)
+                        gt(orgs.settingsLogRetentionDaysRequest, 0),
+                        gt(orgs.settingsLogRetentionDaysConnection, 0)
                    )
                );

@@ -33,7 +41,8 @@ export function initLogCleanupInterval() {
                    orgId,
                    settingsLogRetentionDaysAction,
                    settingsLogRetentionDaysAccess,
-                    settingsLogRetentionDaysRequest
+                    settingsLogRetentionDaysRequest,
+                    settingsLogRetentionDaysConnection
                } = org;

                if (settingsLogRetentionDaysAction > 0) {
@@ -56,6 +65,13 @@ export function initLogCleanupInterval() {
                        settingsLogRetentionDaysRequest
                    );
                }
+
+                if (settingsLogRetentionDaysConnection > 0) {
+                    await cleanUpOldConnectionLogs(
+                        orgId,
+                        settingsLogRetentionDaysConnection
+                    );
+                }
            }

            await cleanUpOldFingerprintSnapshots(365);
--- a/server/lib/clientVersionChecks.ts
+++ b/server/lib/clientVersionChecks.ts
@@ -0,0 +1,20 @@
+import semver from "semver";
+
+export function canCompress(
+    clientVersion: string | null | undefined,
+    type: "newt" | "olm"
+): boolean {
+    try {
+        if (!clientVersion) return false;
+        // check if it is a valid semver
+        if (!semver.valid(clientVersion)) return false;
+        if (type === "newt") {
+            return semver.gte(clientVersion, "1.10.3");
+        } else if (type === "olm") {
+            return semver.gte(clientVersion, "1.4.3");
+        }
+        return false;
+    } catch {
+        return false;
+    }
+}
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.16.0";
+export const APP_VERSION = "1.17.0";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/deleteOrg.ts
+++ b/server/lib/deleteOrg.ts
@@ -85,9 +85,7 @@ export async function deleteOrgById(
                        deletedNewtIds.push(deletedNewt.newtId);
                        await trx
                            .delete(newtSessions)
-                            .where(
-                                eq(newtSessions.newtId, deletedNewt.newtId)
-                            );
+                            .where(eq(newtSessions.newtId, deletedNewt.newtId));
                    }
                }
            }
@@ -121,33 +119,38 @@ export async function deleteOrgById(
                    eq(clientSitesAssociationsCache.clientId, client.clientId)
                );
        }
+
+        await trx.delete(resources).where(eq(resources.orgId, orgId));
+
        const allOrgDomains = await trx
            .select()
            .from(orgDomains)
-            .innerJoin(domains, eq(domains.domainId, orgDomains.domainId))
+            .innerJoin(domains, eq(orgDomains.domainId, domains.domainId))
            .where(
                and(
                    eq(orgDomains.orgId, orgId),
                    eq(domains.configManaged, false)
                )
            );
+        logger.info(`Found ${allOrgDomains.length} domains to delete`);
        const domainIdsToDelete: string[] = [];
        for (const orgDomain of allOrgDomains) {
            const domainId = orgDomain.domains.domainId;
-            const orgCount = await trx
-                .select({ count: sql<number>`count(*)` })
+            const [orgCount] = await trx
+                .select({ count: count() })
                .from(orgDomains)
                .where(eq(orgDomains.domainId, domainId));
-            if (orgCount[0].count === 1) {
+            logger.info(`Found ${orgCount.count} orgs using domain ${domainId}`);
+            if (orgCount.count === 1) {
                domainIdsToDelete.push(domainId);
            }
        }
+        logger.info(`Found ${domainIdsToDelete.length} domains to delete`);
        if (domainIdsToDelete.length > 0) {
            await trx
                .delete(domains)
                .where(inArray(domains.domainId, domainIdsToDelete));
        }
-        await trx.delete(resources).where(eq(resources.orgId, orgId));

        await usageService.add(orgId, FeatureId.ORGINIZATIONS, -1, trx); // here we are decreasing the org count BEFORE deleting the org because we need to still be able to get the org to get the billing org inside of here

@@ -231,15 +234,13 @@ export function sendTerminationMessages(result: DeleteOrgByIdResult): void {
        );
    }
    for (const olmId of result.olmsToTerminate) {
-        sendTerminateClient(
-            0,
-            OlmErrorCodes.TERMINATED_REKEYED,
-            olmId
-        ).catch((error) => {
-            logger.error(
-                "Failed to send termination message to olm:",
-                error
-            );
-        });
+        sendTerminateClient(0, OlmErrorCodes.TERMINATED_REKEYED, olmId).catch(
+            (error) => {
+                logger.error(
+                    "Failed to send termination message to olm:",
+                    error
+                );
+            }
+        );
    }
 }
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -571,6 +571,133 @@ export function generateSubnetProxyTargets(
    return targets;
 }

+export type SubnetProxyTargetV2 = {
+    sourcePrefixes: string[]; // must be cidrs
+    destPrefix: string; // must be a cidr
+    disableIcmp?: boolean;
+    rewriteTo?: string; // must be a cidr
+    portRange?: {
+        min: number;
+        max: number;
+        protocol: "tcp" | "udp";
+    }[];
+    resourceId?: number;
+};
+
+export function generateSubnetProxyTargetV2(
+    siteResource: SiteResource,
+    clients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[]
+): SubnetProxyTargetV2 | undefined {
+    if (clients.length === 0) {
+        logger.debug(
+            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
+        );
+        return;
+    }
+
+    let target: SubnetProxyTargetV2 | null = null;
+
+    const portRange = [
+        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
+        ...parsePortRangeString(siteResource.udpPortRangeString, "udp")
+    ];
+    const disableIcmp = siteResource.disableIcmp ?? false;
+
+    if (siteResource.mode == "host") {
+        let destination = siteResource.destination;
+        // check if this is a valid ip
+        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
+        if (ipSchema.safeParse(destination).success) {
+            destination = `${destination}/32`;
+
+            target = {
+                sourcePrefixes: [],
+                destPrefix: destination,
+                portRange,
+                disableIcmp,
+                resourceId: siteResource.siteResourceId,
+            };
+        }
+
+        if (siteResource.alias && siteResource.aliasAddress) {
+            // also push a match for the alias address
+            target = {
+                sourcePrefixes: [],
+                destPrefix: `${siteResource.aliasAddress}/32`,
+                rewriteTo: destination,
+                portRange,
+                disableIcmp,
+                resourceId: siteResource.siteResourceId,
+            };
+        }
+    } else if (siteResource.mode == "cidr") {
+        target = {
+            sourcePrefixes: [],
+            destPrefix: siteResource.destination,
+            portRange,
+            disableIcmp,
+            resourceId: siteResource.siteResourceId,
+        };
+    }
+
+    if (!target) {
+        return;
+    }
+
+    for (const clientSite of clients) {
+        if (!clientSite.subnet) {
+            logger.debug(
+                `Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
+            );
+            continue;
+        }
+
+        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
+
+        // add client prefix to source prefixes
+        target.sourcePrefixes.push(clientPrefix);
+    }
+
+    // print a nice representation of the targets
+    // logger.debug(
+    //     `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
+    // );
+
+    return target;
+}
+
+
+/**
+ * Converts a SubnetProxyTargetV2 to an array of SubnetProxyTarget (v1)
+ * by expanding each source prefix into its own target entry.
+ * @param targetV2 - The v2 target to convert
+ * @returns Array of v1 SubnetProxyTarget objects
+ */
+ export function convertSubnetProxyTargetsV2ToV1(
+     targetsV2: SubnetProxyTargetV2[]
+ ): SubnetProxyTarget[] {
+     return targetsV2.flatMap((targetV2) =>
+         targetV2.sourcePrefixes.map((sourcePrefix) => ({
+             sourcePrefix,
+             destPrefix: targetV2.destPrefix,
+             ...(targetV2.disableIcmp !== undefined && {
+                 disableIcmp: targetV2.disableIcmp
+             }),
+             ...(targetV2.rewriteTo !== undefined && {
+                 rewriteTo: targetV2.rewriteTo
+             }),
+             ...(targetV2.portRange !== undefined && {
+                 portRange: targetV2.portRange
+             })
+         }))
+     );
+ }
+
+
 // Custom schema for validating port range strings
 // Format: "80,443,8000-9000" or "*" for all ports, or empty string
 export const portRangeStringSchema = z
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -79,6 +79,7 @@ export const configSchema = z
                    .default(3001)
                    .transform(stoi)
                    .pipe(portSchema),
+                badger_override: z.string().optional(),
                next_port: portSchema
                    .optional()
                    .default(3002)
@@ -302,8 +303,8 @@ export const configSchema = z
            .optional()
            .default({
                block_size: 24,
-                subnet_group: "100.90.128.0/24",
-                utility_subnet_group: "100.96.128.0/24"
+                subnet_group: "100.90.128.0/20",
+                utility_subnet_group: "100.96.128.0/20"
            }),
        rate_limits: z
            .object({
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -14,6 +14,7 @@ import {
    siteResources,
    sites,
    Transaction,
+    userOrgRoles,
    userOrgs,
    userSiteResources
 } from "@server/db";
@@ -32,7 +33,7 @@ import logger from "@server/logger";
 import {
    generateAliasConfig,
    generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
    parseEndpoint,
    formatEndpoint
 } from "@server/lib/ip";
@@ -77,10 +78,10 @@ export async function getClientSiteResourceAccess(
    // get all of the users in these roles
    const userIdsFromRoles = await trx
        .select({
-            userId: userOrgs.userId
+            userId: userOrgRoles.userId
        })
-        .from(userOrgs)
-        .where(inArray(userOrgs.roleId, roleIds))
+        .from(userOrgRoles)
+        .where(inArray(userOrgRoles.roleId, roleIds))
        .then((rows) => rows.map((row) => row.userId));

    const newAllUserIds = Array.from(
@@ -477,6 +478,7 @@ async function handleMessagesForSiteClients(
        }

        if (isAdd) {
+            // TODO: if we are in jit mode here should we really be sending this?
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -571,7 +573,7 @@ export async function updateClientSiteDestinations(
                destinations: [
                    {
                        destinationIP: site.sites.subnet.split("/")[0],
-                        destinationPort: site.sites.listenPort || 0
+                        destinationPort: site.sites.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
                    }
                ]
            };
@@ -579,7 +581,7 @@ export async function updateClientSiteDestinations(
            // add to the existing destinations
            destinations.destinations.push({
                destinationIP: site.sites.subnet.split("/")[0],
-                destinationPort: site.sites.listenPort || 0
+                destinationPort: site.sites.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
            });
        }

@@ -659,17 +661,18 @@ async function handleSubnetProxyTargetUpdates(
        );

        if (addedClients.length > 0) {
-            const targetsToAdd = generateSubnetProxyTargets(
+            const targetToAdd = generateSubnetProxyTargetV2(
                siteResource,
                addedClients
            );

-            if (targetsToAdd.length > 0) {
-                logger.info(
-                    `Adding ${targetsToAdd.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
+            if (targetToAdd) {
                proxyJobs.push(
-                    addSubnetProxyTargets(newt.newtId, targetsToAdd)
+                    addSubnetProxyTargets(
+                        newt.newtId,
+                        [targetToAdd],
+                        newt.version
+                    )
                );
            }

@@ -695,17 +698,18 @@ async function handleSubnetProxyTargetUpdates(
        );

        if (removedClients.length > 0) {
-            const targetsToRemove = generateSubnetProxyTargets(
+            const targetToRemove = generateSubnetProxyTargetV2(
                siteResource,
                removedClients
            );

-            if (targetsToRemove.length > 0) {
-                logger.info(
-                    `Removing ${targetsToRemove.length} subnet proxy targets for siteResource ${siteResource.siteResourceId}`
-                );
+            if (targetToRemove) {
                proxyJobs.push(
-                    removeSubnetProxyTargets(newt.newtId, targetsToRemove)
+                    removeSubnetProxyTargets(
+                        newt.newtId,
+                        [targetToRemove],
+                        newt.version
+                    )
                );
            }

@@ -811,12 +815,12 @@ export async function rebuildClientAssociationsFromClient(

        // Role-based access
        const roleIds = await trx
-            .select({ roleId: userOrgs.roleId })
-            .from(userOrgs)
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
            .where(
                and(
-                    eq(userOrgs.userId, client.userId),
-                    eq(userOrgs.orgId, client.orgId)
+                    eq(userOrgRoles.userId, client.userId),
+                    eq(userOrgRoles.orgId, client.orgId)
                )
            ) // this needs to be locked onto this org or else cross-org access could happen
            .then((rows) => rows.map((row) => row.roleId));
@@ -1080,6 +1084,7 @@ async function handleMessagesForClientSites(
                continue;
            }

+            // TODO: if we are in jit mode here should we really be sending this?
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -1146,7 +1151,7 @@ async function handleMessagesForClientResources(
        // Add subnet proxy targets for each site
        for (const [siteId, resources] of addedBySite.entries()) {
            const [newt] = await trx
-                .select({ newtId: newts.newtId })
+                .select({ newtId: newts.newtId, version: newts.version })
                .from(newts)
                .where(eq(newts.siteId, siteId))
                .limit(1);
@@ -1159,7 +1164,7 @@ async function handleMessagesForClientResources(
            }

            for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
@@ -1167,8 +1172,14 @@ async function handleMessagesForClientResources(
                    }
                ]);

-                if (targets.length > 0) {
-                    proxyJobs.push(addSubnetProxyTargets(newt.newtId, targets));
+                if (target) {
+                    proxyJobs.push(
+                        addSubnetProxyTargets(
+                            newt.newtId,
+                            [target],
+                            newt.version
+                        )
+                    );
                }

                try {
@@ -1217,7 +1228,7 @@ async function handleMessagesForClientResources(
        // Remove subnet proxy targets for each site
        for (const [siteId, resources] of removedBySite.entries()) {
            const [newt] = await trx
-                .select({ newtId: newts.newtId })
+                .select({ newtId: newts.newtId, version: newts.version })
                .from(newts)
                .where(eq(newts.siteId, siteId))
                .limit(1);
@@ -1230,7 +1241,7 @@ async function handleMessagesForClientResources(
            }

            for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
@@ -1238,9 +1249,13 @@ async function handleMessagesForClientResources(
                    }
                ]);

-                if (targets.length > 0) {
+                if (target) {
                    proxyJobs.push(
-                        removeSubnetProxyTargets(newt.newtId, targets)
+                        removeSubnetProxyTargets(
+                            newt.newtId,
+                            [target],
+                            newt.version
+                        )
                    );
                }

--- a/server/lib/resend.ts
+++ b/server/lib/resend.ts
@@ -1,16 +0,0 @@
-export enum AudienceIds {
-    SignUps = "",
-    Subscribed = "",
-    Churned = "",
-    Newsletter = ""
-}
-
-let resend;
-export default resend;
-
-export async function moveEmailToAudience(
-    email: string,
-    audienceId: AudienceIds
-) {
-    return;
-}
--- a/server/lib/sanitize.ts
+++ b/server/lib/sanitize.ts
@@ -0,0 +1,40 @@
+/**
+ * Sanitize a string field before inserting into a database TEXT column.
+ *
+ * Two passes are applied:
+ *
+ * 1. Lone UTF-16 surrogates – JavaScript strings can hold unpaired surrogates
+ *    (e.g. \uD800 without a following \uDC00-\uDFFF codepoint). These are
+ *    valid in JS but cannot be encoded as UTF-8, triggering
+ *    `report_invalid_encoding` in SQLite / Postgres. They are replaced with
+ *    the Unicode replacement character U+FFFD so the data is preserved as a
+ *    visible signal that something was malformed.
+ *
+ * 2. Null bytes and C0 control characters – SQLite stores TEXT as
+ *    null-terminated C strings, so \x00 in a value causes
+ *    `report_invalid_encoding`. Bots and scanners routinely inject null bytes
+ *    into URLs (e.g. `/path\u0000.jpg`). All C0 control characters in the
+ *    range \x00-\x1F are stripped except for the three that are legitimate in
+ *    text payloads: HT (\x09), LF (\x0A), and CR (\x0D). DEL (\x7F) is also
+ *    stripped.
+ */
+export function sanitizeString(value: string): string;
+export function sanitizeString(
+    value: string | null | undefined
+): string | undefined;
+export function sanitizeString(
+    value: string | null | undefined
+): string | undefined {
+    if (value == null) return undefined;
+    return (
+        value
+            // Replace lone high surrogates (not followed by a low surrogate)
+            // and lone low surrogates (not preceded by a high surrogate).
+            .replace(
+                /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g,
+                "\uFFFD"
+            )
+            // Strip null bytes, C0 control chars (except HT/LF/CR), and DEL.
+            .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "")
+    );
+}
--- a/server/lib/tokenCache.ts
+++ b/server/lib/tokenCache.ts
@@ -0,0 +1,22 @@
+/**
+ * Returns a cached plaintext token from Redis if one exists and decrypts
+ * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
+ * encrypted value in Redis with the given TTL, and returns it.
+ *
+ * Failures at the Redis layer are non-fatal – the function always falls
+ * through to session creation so the caller is never blocked by a Redis outage.
+ *
+ * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
+ * @param secret     Server secret used for AES encryption/decryption
+ * @param ttlSeconds Cache TTL in seconds (should match session expiry)
+ * @param createSession Factory that mints a new session and returns its raw token
+ */
+export async function getOrCreateCachedToken(
+    cacheKey: string,
+    secret: string,
+    ttlSeconds: number,
+    createSession: () => Promise<string>
+): Promise<string> {
+    const token = await createSession();
+    return token;
+}
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -218,10 +218,11 @@ export class TraefikConfigManager {
            return true;
        }

-        // Fetch if it's been more than 24 hours (for renewals)
        const dayInMs = 24 * 60 * 60 * 1000;
        const timeSinceLastFetch =
            Date.now() - this.lastCertificateFetch.getTime();
+
+        // Fetch if it's been more than 24 hours (daily routine check)
        if (timeSinceLastFetch > dayInMs) {
            logger.info("Fetching certificates due to 24-hour renewal check");
            return true;
@@ -265,7 +266,7 @@ export class TraefikConfigManager {
            return true;
        }

-        // Check if any local certificates are missing or appear to be outdated
+        // Check if any local certificates are missing (needs immediate fetch)
        for (const domain of domainsNeedingCerts) {
            const localState = this.lastLocalCertificateState.get(domain);
            if (!localState || !localState.exists) {
@@ -274,17 +275,46 @@ export class TraefikConfigManager {
                );
                return true;
            }
+        }

-            // Check if certificate is expiring soon (within 30 days)
-            if (localState.expiresAt) {
-                const nowInSeconds = Math.floor(Date.now() / 1000);
-                const secondsUntilExpiry = localState.expiresAt - nowInSeconds;
-                const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
-                if (daysUntilExpiry < 30) {
-                    logger.info(
-                        `Fetching certificates due to upcoming expiry for ${domain} (${Math.round(daysUntilExpiry)} days remaining)`
-                    );
-                    return true;
+        // For expiry checks, throttle to every 6 hours to avoid querying the
+        // API/DB on every monitor loop. The certificate-service renews certs
+        // 45 days before expiry, so checking every 6 hours is plenty frequent
+        // to pick up renewed certs promptly.
+        const renewalCheckIntervalMs = 6 * 60 * 60 * 1000; // 6 hours
+        if (timeSinceLastFetch > renewalCheckIntervalMs) {
+            // Check non-wildcard certs for expiry (within 45 days to match
+            // the server-side renewal window in certificate-service)
+            for (const domain of domainsNeedingCerts) {
+                const localState = this.lastLocalCertificateState.get(domain);
+                if (localState?.expiresAt) {
+                    const nowInSeconds = Math.floor(Date.now() / 1000);
+                    const secondsUntilExpiry =
+                        localState.expiresAt - nowInSeconds;
+                    const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
+                    if (daysUntilExpiry < 45) {
+                        logger.info(
+                            `Fetching certificates due to upcoming expiry for ${domain} (${Math.round(daysUntilExpiry)} days remaining)`
+                        );
+                        return true;
+                    }
+                }
+            }
+
+            // Also check wildcard certificates for expiry. These are not
+            // included in domainsNeedingCerts since their subdomains are
+            // filtered out, so we must check them separately.
+            for (const [certDomain, state] of this.lastLocalCertificateState) {
+                if (state.exists && state.wildcard && state.expiresAt) {
+                    const nowInSeconds = Math.floor(Date.now() / 1000);
+                    const secondsUntilExpiry = state.expiresAt - nowInSeconds;
+                    const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
+                    if (daysUntilExpiry < 45) {
+                        logger.info(
+                            `Fetching certificates due to upcoming expiry for wildcard cert ${certDomain} (${Math.round(daysUntilExpiry)} days remaining)`
+                        );
+                        return true;
+                    }
                }
            }
        }
@@ -361,6 +391,26 @@ export class TraefikConfigManager {
                        }
                    }

+                    // Also include wildcard cert base domains that are
+                    // expiring or expired so they get re-fetched even though
+                    // their subdomains were filtered out above.
+                    for (const [certDomain, state] of this
+                        .lastLocalCertificateState) {
+                        if (state.exists && state.wildcard && state.expiresAt) {
+                            const nowInSeconds = Math.floor(Date.now() / 1000);
+                            const secondsUntilExpiry =
+                                state.expiresAt - nowInSeconds;
+                            const daysUntilExpiry =
+                                secondsUntilExpiry / (60 * 60 * 24);
+                            if (daysUntilExpiry < 45) {
+                                domainsToFetch.add(certDomain);
+                                logger.info(
+                                    `Including expiring wildcard cert domain ${certDomain} in fetch (${Math.round(daysUntilExpiry)} days remaining)`
+                                );
+                            }
+                        }
+                    }
+
                    if (domainsToFetch.size > 0) {
                        // Get valid certificates for domains not covered by wildcards
                        validCertificates =
@@ -507,11 +557,18 @@ export class TraefikConfigManager {
                                config.getRawConfig().server
                                    .session_cookie_name,

-                            // deprecated
                            accessTokenQueryParam:
                                config.getRawConfig().server
                                    .resource_access_token_param,

+                            accessTokenIdHeader:
+                                config.getRawConfig().server
+                                    .resource_access_token_headers.id,
+
+                            accessTokenHeader:
+                                config.getRawConfig().server
+                                    .resource_access_token_headers.token,
+
                            resourceSessionRequestParam:
                                config.getRawConfig().server
                                    .resource_session_request_param
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -14,7 +14,7 @@ import logger from "@server/logger";
 import config from "@server/lib/config";
 import { resources, sites, Target, targets } from "@server/db";
 import createPathRewriteMiddleware from "./middleware";
-import { sanitize, validatePathRewriteConfig } from "./utils";
+import { sanitize, encodePath, validatePathRewriteConfig } from "./utils";

 const redirectHttpsMiddlewareName = "redirect-to-https";
 const badgerMiddlewareName = "badger";
@@ -44,7 +44,7 @@ export async function getTraefikConfig(
    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
    allowRawResources = true,
-    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
+    allowMaintenancePage = true // UNUSED BUT USED IN PRIVATE
 ): Promise<any> {
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
@@ -127,7 +127,7 @@ export async function getTraefikConfig(
    resourcesWithTargetsAndSites.forEach((row) => {
        const resourceId = row.resourceId;
        const resourceName = sanitize(row.resourceName) || "";
-        const targetPath = sanitize(row.path) || ""; // Handle null/undefined paths
+        const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
        const pathMatchType = row.pathMatchType || "";
        const rewritePath = row.rewritePath || "";
        const rewritePathType = row.rewritePathType || "";
@@ -145,7 +145,7 @@ export async function getTraefikConfig(
        const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
        const key = sanitize(mapKey);

-        if (!resourcesMap.has(key)) {
+        if (!resourcesMap.has(mapKey)) {
            const validation = validatePathRewriteConfig(
                row.path,
                row.pathMatchType,
@@ -160,9 +160,10 @@ export async function getTraefikConfig(
                return;
            }

-            resourcesMap.set(key, {
+            resourcesMap.set(mapKey, {
                resourceId: row.resourceId,
                name: resourceName,
+                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
                http: row.http,
@@ -190,7 +191,7 @@ export async function getTraefikConfig(
            });
        }

-        resourcesMap.get(key).targets.push({
+        resourcesMap.get(mapKey).targets.push({
            resourceId: row.resourceId,
            targetId: row.targetId,
            ip: row.ip,
@@ -227,8 +228,9 @@ export async function getTraefikConfig(
    };

    // get the key and the resource
-    for (const [key, resource] of resourcesMap.entries()) {
+    for (const [, resource] of resourcesMap.entries()) {
        const targets = resource.targets as TargetWithSite[];
+        const key = resource.key;

        const routerName = `${key}-${resource.name}-router`;
        const serviceName = `${key}-${resource.name}-service`;
--- a/server/lib/traefik/pathEncoding.test.ts
+++ b/server/lib/traefik/pathEncoding.test.ts
@@ -0,0 +1,323 @@
+import { assertEquals } from "../../../test/assert";
+
+// ── Pure function copies (inlined to avoid pulling in server dependencies) ──
+
+function sanitize(input: string | null | undefined): string | undefined {
+    if (!input) return undefined;
+    if (input.length > 50) {
+        input = input.substring(0, 50);
+    }
+    return input
+        .replace(/[^a-zA-Z0-9-]/g, "-")
+        .replace(/-+/g, "-")
+        .replace(/^-|-$/g, "");
+}
+
+function encodePath(path: string | null | undefined): string {
+    if (!path) return "";
+    return path.replace(/[^a-zA-Z0-9]/g, (ch) => {
+        return ch.charCodeAt(0).toString(16);
+    });
+}
+
+// ── Helpers ──────────────────────────────────────────────────────────
+
+/**
+ * Exact replica of the OLD key computation from upstream main.
+ * Uses sanitize() for paths — this is what had the collision bug.
+ */
+function oldKeyComputation(
+    resourceId: number,
+    path: string | null,
+    pathMatchType: string | null,
+    rewritePath: string | null,
+    rewritePathType: string | null
+): string {
+    const targetPath = sanitize(path) || "";
+    const pmt = pathMatchType || "";
+    const rp = rewritePath || "";
+    const rpt = rewritePathType || "";
+    const pathKey = [targetPath, pmt, rp, rpt].filter(Boolean).join("-");
+    const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
+    return sanitize(mapKey) || "";
+}
+
+/**
+ * Replica of the NEW key computation from our fix.
+ * Uses encodePath() for paths — collision-free.
+ */
+function newKeyComputation(
+    resourceId: number,
+    path: string | null,
+    pathMatchType: string | null,
+    rewritePath: string | null,
+    rewritePathType: string | null
+): string {
+    const targetPath = encodePath(path);
+    const pmt = pathMatchType || "";
+    const rp = rewritePath || "";
+    const rpt = rewritePathType || "";
+    const pathKey = [targetPath, pmt, rp, rpt].filter(Boolean).join("-");
+    const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
+    return sanitize(mapKey) || "";
+}
+
+// ── Tests ────────────────────────────────────────────────────────────
+
+function runTests() {
+    console.log("Running path encoding tests...\n");
+
+    let passed = 0;
+
+    // ── encodePath unit tests ────────────────────────────────────────
+
+    // Test 1: null/undefined/empty
+    {
+        assertEquals(encodePath(null), "", "null should return empty");
+        assertEquals(
+            encodePath(undefined),
+            "",
+            "undefined should return empty"
+        );
+        assertEquals(encodePath(""), "", "empty string should return empty");
+        console.log("  PASS: encodePath handles null/undefined/empty");
+        passed++;
+    }
+
+    // Test 2: root path
+    {
+        assertEquals(encodePath("/"), "2f", "/ should encode to 2f");
+        console.log("  PASS: encodePath encodes root path");
+        passed++;
+    }
+
+    // Test 3: alphanumeric passthrough
+    {
+        assertEquals(encodePath("/api"), "2fapi", "/api encodes slash only");
+        assertEquals(encodePath("/v1"), "2fv1", "/v1 encodes slash only");
+        assertEquals(encodePath("abc"), "abc", "plain alpha passes through");
+        console.log("  PASS: encodePath preserves alphanumeric chars");
+        passed++;
+    }
+
+    // Test 4: all special chars produce unique hex
+    {
+        const paths = ["/a/b", "/a-b", "/a.b", "/a_b", "/a b"];
+        const results = paths.map((p) => encodePath(p));
+        const unique = new Set(results);
+        assertEquals(
+            unique.size,
+            paths.length,
+            "all special-char paths must produce unique encodings"
+        );
+        console.log(
+            "  PASS: encodePath produces unique output for different special chars"
+        );
+        passed++;
+    }
+
+    // Test 5: output is always alphanumeric (safe for Traefik names)
+    {
+        const paths = [
+            "/",
+            "/api",
+            "/a/b",
+            "/a-b",
+            "/a.b",
+            "/complex/path/here"
+        ];
+        for (const p of paths) {
+            const e = encodePath(p);
+            assertEquals(
+                /^[a-zA-Z0-9]+$/.test(e),
+                true,
+                `encodePath("${p}") = "${e}" must be alphanumeric`
+            );
+        }
+        console.log("  PASS: encodePath output is always alphanumeric");
+        passed++;
+    }
+
+    // Test 6: deterministic
+    {
+        assertEquals(
+            encodePath("/api"),
+            encodePath("/api"),
+            "same input same output"
+        );
+        assertEquals(
+            encodePath("/a/b/c"),
+            encodePath("/a/b/c"),
+            "same input same output"
+        );
+        console.log("  PASS: encodePath is deterministic");
+        passed++;
+    }
+
+    // Test 7: many distinct paths never collide
+    {
+        const paths = [
+            "/",
+            "/api",
+            "/api/v1",
+            "/api/v2",
+            "/a/b",
+            "/a-b",
+            "/a.b",
+            "/a_b",
+            "/health",
+            "/health/check",
+            "/admin",
+            "/admin/users",
+            "/api/v1/users",
+            "/api/v1/posts",
+            "/app",
+            "/app/dashboard"
+        ];
+        const encoded = new Set(paths.map((p) => encodePath(p)));
+        assertEquals(
+            encoded.size,
+            paths.length,
+            `expected ${paths.length} unique encodings, got ${encoded.size}`
+        );
+        console.log("  PASS: 16 realistic paths all produce unique encodings");
+        passed++;
+    }
+
+    // ── Collision fix: the actual bug we're fixing ───────────────────
+
+    // Test 8: /a/b and /a-b now have different keys (THE BUG FIX)
+    {
+        const keyAB = newKeyComputation(1, "/a/b", "prefix", null, null);
+        const keyDash = newKeyComputation(1, "/a-b", "prefix", null, null);
+        assertEquals(
+            keyAB !== keyDash,
+            true,
+            "/a/b and /a-b MUST have different keys"
+        );
+        console.log("  PASS: collision fix — /a/b vs /a-b have different keys");
+        passed++;
+    }
+
+    // Test 9: demonstrate the old bug — old code maps /a/b and /a-b to same key
+    {
+        const oldKeyAB = oldKeyComputation(1, "/a/b", "prefix", null, null);
+        const oldKeyDash = oldKeyComputation(1, "/a-b", "prefix", null, null);
+        assertEquals(
+            oldKeyAB,
+            oldKeyDash,
+            "old code MUST have this collision (confirms the bug exists)"
+        );
+        console.log("  PASS: confirmed old code bug — /a/b and /a-b collided");
+        passed++;
+    }
+
+    // Test 10: /api/v1 and /api-v1 — old code collision, new code fixes it
+    {
+        const oldKey1 = oldKeyComputation(1, "/api/v1", "prefix", null, null);
+        const oldKey2 = oldKeyComputation(1, "/api-v1", "prefix", null, null);
+        assertEquals(
+            oldKey1,
+            oldKey2,
+            "old code collision for /api/v1 vs /api-v1"
+        );
+
+        const newKey1 = newKeyComputation(1, "/api/v1", "prefix", null, null);
+        const newKey2 = newKeyComputation(1, "/api-v1", "prefix", null, null);
+        assertEquals(
+            newKey1 !== newKey2,
+            true,
+            "new code must separate /api/v1 and /api-v1"
+        );
+        console.log("  PASS: collision fix — /api/v1 vs /api-v1");
+        passed++;
+    }
+
+    // Test 11: /app.v2 and /app/v2 and /app-v2 — three-way collision fixed
+    {
+        const a = newKeyComputation(1, "/app.v2", "prefix", null, null);
+        const b = newKeyComputation(1, "/app/v2", "prefix", null, null);
+        const c = newKeyComputation(1, "/app-v2", "prefix", null, null);
+        const keys = new Set([a, b, c]);
+        assertEquals(
+            keys.size,
+            3,
+            "three paths must produce three unique keys"
+        );
+        console.log(
+            "  PASS: collision fix — three-way /app.v2, /app/v2, /app-v2"
+        );
+        passed++;
+    }
+
+    // ── Edge cases ───────────────────────────────────────────────────
+
+    // Test 12: same path in different resources — always separate
+    {
+        const key1 = newKeyComputation(1, "/api", "prefix", null, null);
+        const key2 = newKeyComputation(2, "/api", "prefix", null, null);
+        assertEquals(
+            key1 !== key2,
+            true,
+            "different resources with same path must have different keys"
+        );
+        console.log("  PASS: edge case — same path, different resources");
+        passed++;
+    }
+
+    // Test 13: same resource, different pathMatchType — separate keys
+    {
+        const exact = newKeyComputation(1, "/api", "exact", null, null);
+        const prefix = newKeyComputation(1, "/api", "prefix", null, null);
+        assertEquals(
+            exact !== prefix,
+            true,
+            "exact vs prefix must have different keys"
+        );
+        console.log("  PASS: edge case — same path, different match types");
+        passed++;
+    }
+
+    // Test 14: same resource and path, different rewrite config — separate keys
+    {
+        const noRewrite = newKeyComputation(1, "/api", "prefix", null, null);
+        const withRewrite = newKeyComputation(
+            1,
+            "/api",
+            "prefix",
+            "/backend",
+            "prefix"
+        );
+        assertEquals(
+            noRewrite !== withRewrite,
+            true,
+            "with vs without rewrite must have different keys"
+        );
+        console.log("  PASS: edge case — same path, different rewrite config");
+        passed++;
+    }
+
+    // Test 15: paths with special URL characters
+    {
+        const paths = ["/api?foo", "/api#bar", "/api%20baz", "/api+qux"];
+        const keys = new Set(
+            paths.map((p) => newKeyComputation(1, p, "prefix", null, null))
+        );
+        assertEquals(
+            keys.size,
+            paths.length,
+            "special URL chars must produce unique keys"
+        );
+        console.log("  PASS: edge case — special URL characters in paths");
+        passed++;
+    }
+
+    console.log(`\nAll ${passed} tests passed!`);
+}
+
+try {
+    runTests();
+} catch (error) {
+    console.error("Test failed:", error);
+    process.exit(1);
+}
--- a/server/lib/traefik/utils.ts
+++ b/server/lib/traefik/utils.ts
@@ -13,6 +13,26 @@ export function sanitize(input: string | null | undefined): string | undefined {
        .replace(/^-|-$/g, "");
 }

+/**
+ * Encode a URL path into a collision-free alphanumeric string suitable for use
+ * in Traefik map keys.
+ *
+ * Unlike sanitize(), this preserves uniqueness by encoding each non-alphanumeric
+ * character as its hex code. Different paths always produce different outputs.
+ *
+ *   encodePath("/api")  => "2fapi"
+ *   encodePath("/a/b")  => "2fa2fb"
+ *   encodePath("/a-b")  => "2fa2db"   (different from /a/b)
+ *   encodePath("/")     => "2f"
+ *   encodePath(null)    => ""
+ */
+export function encodePath(path: string | null | undefined): string {
+    if (!path) return "";
+    return path.replace(/[^a-zA-Z0-9]/g, (ch) => {
+        return ch.charCodeAt(0).toString(16);
+    });
+}
+
 export function validatePathRewriteConfig(
    path: string | null,
    pathMatchType: string | null,
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -6,7 +6,7 @@ import {
    siteResources,
    sites,
    Transaction,
-    UserOrg,
+    userOrgRoles,
    userOrgs,
    userResources,
    userSiteResources,
@@ -19,9 +19,22 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
    org: Org,
    values: typeof userOrgs.$inferInsert,
+    roleIds: number[],
    trx: Transaction | typeof db = db
 ) {
+    const uniqueRoleIds = [...new Set(roleIds)];
+    if (uniqueRoleIds.length === 0) {
+        throw new Error("assignUserToOrg requires at least one roleId");
+    }
+
    const [userOrg] = await trx.insert(userOrgs).values(values).returning();
+    await trx.insert(userOrgRoles).values(
+        uniqueRoleIds.map((roleId) => ({
+            userId: userOrg.userId,
+            orgId: userOrg.orgId,
+            roleId
+        }))
+    );

    // calculate if the user is in any other of the orgs before we count it as an add to the billing org
    if (org.billingOrgId) {
@@ -58,6 +71,14 @@ export async function removeUserFromOrg(
    userId: string,
    trx: Transaction | typeof db = db
 ) {
+    await trx
+        .delete(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, org.orgId)
+            )
+        );
    await trx
        .delete(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));
--- a/server/lib/userOrgRoles.ts
+++ b/server/lib/userOrgRoles.ts
@@ -0,0 +1,36 @@
+import { db, roles, userOrgRoles } from "@server/db";
+import { and, eq } from "drizzle-orm";
+
+/**
+ * Get all role IDs a user has in an organization.
+ * Returns empty array if the user has no roles in the org (callers must treat as no access).
+ */
+export async function getUserOrgRoleIds(
+    userId: string,
+    orgId: string
+): Promise<number[]> {
+    const rows = await db
+        .select({ roleId: userOrgRoles.roleId })
+        .from(userOrgRoles)
+        .where(
+            and(
+                eq(userOrgRoles.userId, userId),
+                eq(userOrgRoles.orgId, orgId)
+            )
+        );
+    return rows.map((r) => r.roleId);
+}
+
+export async function getUserOrgRoles(
+    userId: string,
+    orgId: string
+): Promise<{ roleId: number; roleName: string }[]> {
+    const rows = await db
+        .select({ roleId: userOrgRoles.roleId, roleName: roles.name })
+        .from(userOrgRoles)
+        .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .where(
+            and(eq(userOrgRoles.userId, userId), eq(userOrgRoles.orgId, orgId))
+        );
+    return rows;
+}
--- a/server/middlewares/getUserOrgs.ts
+++ b/server/middlewares/getUserOrgs.ts
@@ -21,8 +21,7 @@ export async function getUserOrgs(
    try {
        const userOrganizations = await db
            .select({
-                orgId: userOrgs.orgId,
-                roleId: userOrgs.roleId
+                orgId: userOrgs.orgId
            })
            .from(userOrgs)
            .where(eq(userOrgs.userId, userId));
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -17,6 +17,7 @@ export * from "./verifyAccessTokenAccess";
 export * from "./requestTimeout";
 export * from "./verifyClientAccess";
 export * from "./verifyUserHasAction";
+export * from "./verifyUserCanSetUserOrgRoles";
 export * from "./verifyUserIsServerAdmin";
 export * from "./verifyIsLoggedInUser";
 export * from "./verifyIsLoggedInUser";
@@ -24,6 +25,7 @@ export * from "./verifyClientAccess";
 export * from "./integration";
 export * from "./verifyUserHasAction";
 export * from "./verifyApiKeyAccess";
+export * from "./verifySiteProvisioningKeyAccess";
 export * from "./verifyDomainAccess";
 export * from "./verifyUserIsOrgOwner";
 export * from "./verifySiteResourceAccess";
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -1,6 +1,7 @@
 export * from "./verifyApiKey";
 export * from "./verifyApiKeyOrgAccess";
 export * from "./verifyApiKeyHasAction";
+export * from "./verifyApiKeyCanSetUserOrgRoles";
 export * from "./verifyApiKeySiteAccess";
 export * from "./verifyApiKeyResourceAccess";
 export * from "./verifyApiKeyTargetAccess";
--- a/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
+++ b/server/middlewares/integration/verifyApiKeyCanSetUserOrgRoles.ts
@@ -0,0 +1,74 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import logger from "@server/logger";
+import { ActionsEnum } from "@server/auth/actions";
+import { db } from "@server/db";
+import { apiKeyActions } from "@server/db";
+import { and, eq } from "drizzle-orm";
+
+async function apiKeyHasAction(apiKeyId: string, actionId: ActionsEnum) {
+    const [row] = await db
+        .select()
+        .from(apiKeyActions)
+        .where(
+            and(
+                eq(apiKeyActions.apiKeyId, apiKeyId),
+                eq(apiKeyActions.actionId, actionId)
+            )
+        );
+    return !!row;
+}
+
+/**
+ * Allows setUserOrgRoles on the key, or both addUserRole and removeUserRole.
+ */
+export function verifyApiKeyCanSetUserOrgRoles() {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        try {
+            if (!req.apiKey) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "API Key not authenticated"
+                    )
+                );
+            }
+
+            const keyId = req.apiKey.apiKeyId;
+
+            if (await apiKeyHasAction(keyId, ActionsEnum.setUserOrgRoles)) {
+                return next();
+            }
+
+            const hasAdd = await apiKeyHasAction(keyId, ActionsEnum.addUserRole);
+            const hasRemove = await apiKeyHasAction(
+                keyId,
+                ActionsEnum.removeUserRole
+            );
+
+            if (hasAdd && hasRemove) {
+                return next();
+            }
+
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have permission perform this action"
+                )
+            );
+        } catch (error) {
+            logger.error("Error verifying API key set user org roles:", error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Error verifying key action access"
+                )
+            );
+        }
+    };
+}
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyAccessTokenAccess(
    req: Request,
@@ -93,7 +94,10 @@ export async function verifyAccessTokenAccess(
                )
            );
        } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
            req.userOrgId = resource[0].orgId!;
        }

@@ -118,7 +122,7 @@ export async function verifyAccessTokenAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
        });

        if (!resourceAllowed) {
--- a/server/middlewares/verifyAdmin.ts
+++ b/server/middlewares/verifyAdmin.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyAdmin(
    req: Request,
@@ -62,13 +63,29 @@ export async function verifyAdmin(
        }
    }

-    const userRole = await db
+    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
+
+    if (req.userOrgRoleIds.length === 0) {
+        return next(
+            createHttpError(
+                HttpCode.FORBIDDEN,
+                "User does not have Admin access"
+            )
+        );
+    }
+
+    const userAdminRoles = await db
        .select()
        .from(roles)
-        .where(eq(roles.roleId, req.userOrg.roleId))
+        .where(
+            and(
+                inArray(roles.roleId, req.userOrgRoleIds),
+                eq(roles.isAdmin, true)
+            )
+        )
        .limit(1);

-    if (userRole.length === 0 || !userRole[0].isAdmin) {
+    if (userAdminRoles.length === 0) {
        return next(
            createHttpError(
                HttpCode.FORBIDDEN,
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyApiKeyAccess(
    req: Request,
@@ -103,8 +104,10 @@ export async function verifyApiKeyAccess(
            }
        }

-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            orgId
+        );

        return next();
    } catch (error) {
--- a/server/middlewares/verifyClientAccess.ts
+++ b/server/middlewares/verifyClientAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyClientAccess(
    req: Request,
@@ -113,21 +114,30 @@ export async function verifyClientAccess(
            }
        }

-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            client.orgId
+        );
        req.userOrgId = client.orgId;

-        // Check role-based site access first
-        const [roleClientAccess] = await db
-            .select()
-            .from(roleClients)
-            .where(
-                and(
-                    eq(roleClients.clientId, client.clientId),
-                    eq(roleClients.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based client access (any of user's roles)
+        const roleClientAccessList =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleClients)
+                      .where(
+                          and(
+                              eq(roleClients.clientId, client.clientId),
+                              inArray(
+                                  roleClients.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];
+        const [roleClientAccess] = roleClientAccessList;

        if (roleClientAccess) {
            // User has access to the site through their role
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs, apiKeyOrg } from "@server/db";
+import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyDomainAccess(
    req: Request,
@@ -63,7 +64,7 @@ export async function verifyDomainAccess(
                .where(
                    and(
                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, apiKeyOrg.orgId)
+                        eq(userOrgs.orgId, orgId)
                    )
                )
                .limit(1);
@@ -97,8 +98,7 @@ export async function verifyDomainAccess(
            }
        }

-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);

        return next();
    } catch (error) {
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
-import { db, orgs } from "@server/db";
+import { db } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyOrgAccess(
    req: Request,
@@ -64,8 +65,8 @@ export async function verifyOrgAccess(
            }
        }

-        // User has access, attach the user's role to the request for potential future use
-        req.userOrgRoleId = req.userOrg.roleId;
+        // User has access, attach the user's role(s) to the request for potential future use
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
        req.userOrgId = orgId;

        return next();
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyResourceAccess(
    req: Request,
@@ -107,20 +108,28 @@ export async function verifyResourceAccess(
            }
        }

-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            resource.orgId
+        );
        req.userOrgId = resource.orgId;

-        const roleResourceAccess = await db
-            .select()
-            .from(roleResources)
-            .where(
-                and(
-                    eq(roleResources.resourceId, resource.resourceId),
-                    eq(roleResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleResources)
+                      .where(
+                          and(
+                              eq(roleResources.resourceId, resource.resourceId),
+                              inArray(
+                                  roleResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];

        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyRoleAccess(
    req: Request,
@@ -99,7 +100,6 @@ export async function verifyRoleAccess(
        }

        if (!req.userOrg) {
-            // get the userORg
            const userOrg = await db
                .select()
                .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                .limit(1);

            req.userOrg = userOrg[0];
-            req.userOrgRoleId = userOrg[0].roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
        }

        if (!req.userOrg) {
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifySiteAccess(
    req: Request,
@@ -112,21 +113,29 @@ export async function verifySiteAccess(
            }
        }

-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            site.orgId
+        );
        req.userOrgId = site.orgId;

-        // Check role-based site access first
-        const roleSiteAccess = await db
-            .select()
-            .from(roleSites)
-            .where(
-                and(
-                    eq(roleSites.siteId, site.siteId),
-                    eq(roleSites.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        // Check role-based site access first (any of user's roles)
+        const roleSiteAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSites)
+                      .where(
+                          and(
+                              eq(roleSites.siteId, site.siteId),
+                              inArray(
+                                  roleSites.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];

        if (roleSiteAccess.length > 0) {
            // User's role has access to the site
--- a/server/middlewares/verifySiteProvisioningKeyAccess.ts
+++ b/server/middlewares/verifySiteProvisioningKeyAccess.ts
@@ -0,0 +1,135 @@
+import { Request, Response, NextFunction } from "express";
+import { db, userOrgs, siteProvisioningKeys, siteProvisioningKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+
+export async function verifySiteProvisioningKeyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const userId = req.user!.userId;
+        const siteProvisioningKeyId = req.params.siteProvisioningKeyId;
+        const orgId = req.params.orgId;
+
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!siteProvisioningKeyId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid key ID")
+            );
+        }
+
+        const [row] = await db
+            .select()
+            .from(siteProvisioningKeys)
+            .innerJoin(
+                siteProvisioningKeyOrg,
+                and(
+                    eq(
+                        siteProvisioningKeys.siteProvisioningKeyId,
+                        siteProvisioningKeyOrg.siteProvisioningKeyId
+                    ),
+                    eq(siteProvisioningKeyOrg.orgId, orgId)
+                )
+            )
+            .where(
+                eq(
+                    siteProvisioningKeys.siteProvisioningKeyId,
+                    siteProvisioningKeyId
+                )
+            )
+            .limit(1);
+
+        if (!row?.siteProvisioningKeys) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} not found`
+                )
+            );
+        }
+
+        if (!row.siteProvisioningKeyOrg.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Site provisioning key with ID ${siteProvisioningKeyId} does not have an organization ID`
+                )
+            );
+        }
+
+        if (!req.userOrg) {
+            const userOrgRole = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(
+                            userOrgs.orgId,
+                            row.siteProvisioningKeyOrg.orgId
+                        )
+                    )
+                )
+                .limit(1);
+            req.userOrg = userOrgRole[0];
+        }
+
+        if (!req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            row.siteProvisioningKeyOrg.orgId
+        );
+        req.userOrgId = row.siteProvisioningKeyOrg.orgId;
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying site provisioning key access"
+            )
+        );
+    }
+}
--- a/server/middlewares/verifySiteResourceAccess.ts
+++ b/server/middlewares/verifySiteResourceAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifySiteResourceAccess(
    req: Request,
@@ -109,23 +110,34 @@ export async function verifySiteResourceAccess(
            }
        }

-        const userOrgRoleId = req.userOrg.roleId;
-        req.userOrgRoleId = userOrgRoleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            siteResource.orgId
+        );
        req.userOrgId = siteResource.orgId;

        // Attach the siteResource to the request for use in the next middleware/route
        req.siteResource = siteResource;

-        const roleResourceAccess = await db
-            .select()
-            .from(roleSiteResources)
-            .where(
-                and(
-                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
-                    eq(roleSiteResources.roleId, userOrgRoleId)
-                )
-            )
-            .limit(1);
+        const roleResourceAccess =
+            (req.userOrgRoleIds?.length ?? 0) > 0
+                ? await db
+                      .select()
+                      .from(roleSiteResources)
+                      .where(
+                          and(
+                              eq(
+                                  roleSiteResources.siteResourceId,
+                                  siteResourceIdNum
+                              ),
+                              inArray(
+                                  roleSiteResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];

        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyTargetAccess.ts
+++ b/server/middlewares/verifyTargetAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyTargetAccess(
    req: Request,
@@ -99,7 +100,10 @@ export async function verifyTargetAccess(
                )
            );
        } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
+                req.userOrg.userId,
+                resource[0].orgId!
+            );
            req.userOrgId = resource[0].orgId!;
        }

@@ -126,7 +130,7 @@ export async function verifyTargetAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
        });

        if (!resourceAllowed) {
--- a/server/middlewares/verifyUserCanSetUserOrgRoles.ts
+++ b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
@@ -0,0 +1,54 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import logger from "@server/logger";
+import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
+
+/**
+ * Allows the new setUserOrgRoles action, or legacy permission pair addUserRole + removeUserRole.
+ */
+export function verifyUserCanSetUserOrgRoles() {
+    return async function (
+        req: Request,
+        res: Response,
+        next: NextFunction
+    ): Promise<any> {
+        try {
+            const canSet = await checkUserActionPermission(
+                ActionsEnum.setUserOrgRoles,
+                req
+            );
+            if (canSet) {
+                return next();
+            }
+
+            const canAdd = await checkUserActionPermission(
+                ActionsEnum.addUserRole,
+                req
+            );
+            const canRemove = await checkUserActionPermission(
+                ActionsEnum.removeUserRole,
+                req
+            );
+
+            if (canAdd && canRemove) {
+                return next();
+            }
+
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have permission perform this action"
+                )
+            );
+        } catch (error) {
+            logger.error("Error verifying set user org roles access:", error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Error verifying role access"
+                )
+            );
+        }
+    };
+}
--- a/server/middlewares/verifyUserInRole.ts
+++ b/server/middlewares/verifyUserInRole.ts
@@ -12,7 +12,7 @@ export async function verifyUserInRole(
        const roleId = parseInt(
            req.params.roleId || req.body.roleId || req.query.roleId
        );
-        const userRoleId = req.userOrgRoleId;
+        const userOrgRoleIds = req.userOrgRoleIds ?? [];

        if (isNaN(roleId)) {
            return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
            );
        }

-        if (!userRoleId) {
+        if (userOrgRoleIds.length === 0) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
            );
        }

-        if (userRoleId !== roleId) {
+        if (!userOrgRoleIds.includes(roleId)) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -12,11 +12,21 @@
 */

 import { rateLimitService } from "#private/lib/rateLimit";
+import { logStreamingManager } from "#private/lib/logStreaming";
 import { cleanup as wsCleanup } from "#private/routers/ws";
+import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
+import { flushConnectionLogToDb } from "#private/routers/newt";
+import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
+import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";

 async function cleanup() {
+    await stopPingAccumulator();
+    await flushBandwidthToDb();
+    await flushConnectionLogToDb();
+    await flushSiteBandwidthToDb();
    await rateLimitService.cleanup();
    await wsCleanup();
+    await logStreamingManager.shutdown();

    process.exit(0);
 }
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -1,3 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
 import NodeCache from "node-cache";
 import logger from "@server/logger";
 import { redisManager } from "@server/private/lib/redis";
@@ -24,23 +37,31 @@ setInterval(() => {
 */
 class AdaptiveCache {
    private useRedis(): boolean {
-        return redisManager.isRedisEnabled() && redisManager.getHealthStatus().isHealthy;
+        return (
+            redisManager.isRedisEnabled() &&
+            redisManager.getHealthStatus().isHealthy
+        );
    }

    /**
     * Set a value in the cache
     * @param key - Cache key
     * @param value - Value to cache (will be JSON stringified for Redis)
-     * @param ttl - Time to live in seconds (0 = no expiration)
+     * @param ttl - Time to live in seconds (0 = no expiration; omit = 3600s for Redis)
     * @returns boolean indicating success
     */
    async set(key: string, value: any, ttl?: number): Promise<boolean> {
        const effectiveTtl = ttl === 0 ? undefined : ttl;
+        const redisTtl = ttl === 0 ? undefined : (ttl ?? 3600);

        if (this.useRedis()) {
            try {
                const serialized = JSON.stringify(value);
-                const success = await redisManager.set(key, serialized, effectiveTtl);
+                const success = await redisManager.set(
+                    key,
+                    serialized,
+                    redisTtl
+                );

                if (success) {
                    logger.debug(`Set key in Redis: ${key}`);
@@ -48,7 +69,9 @@ class AdaptiveCache {
                }

                // Redis failed, fall through to local cache
-                logger.debug(`Redis set failed for key ${key}, falling back to local cache`);
+                logger.debug(
+                    `Redis set failed for key ${key}, falling back to local cache`
+                );
            } catch (error) {
                logger.error(`Redis set error for key ${key}:`, error);
                // Fall through to local cache
@@ -120,9 +143,14 @@ class AdaptiveCache {
                }

                // Some Redis deletes failed, fall through to local cache
-                logger.debug(`Some Redis deletes failed, falling back to local cache`);
+                logger.debug(
+                    `Some Redis deletes failed, falling back to local cache`
+                );
            } catch (error) {
-                logger.error(`Redis del error for keys ${keys.join(", ")}:`, error);
+                logger.error(
+                    `Redis del error for keys ${keys.join(", ")}:`,
+                    error
+                );
                // Fall through to local cache
                deletedCount = 0;
            }
@@ -195,7 +223,9 @@ class AdaptiveCache {
     */
    async flushAll(): Promise<void> {
        if (this.useRedis()) {
-            logger.warn("Adaptive cache flushAll called - Redis flush not implemented, only local cache will be flushed");
+            logger.warn(
+                "Adaptive cache flushAll called - Redis flush not implemented, only local cache will be flushed"
+            );
        }

        localCache.flushAll();
@@ -239,7 +269,9 @@ class AdaptiveCache {
    getTtl(key: string): number {
        // Note: This only works for local cache, Redis TTL is not supported
        if (this.useRedis()) {
-            logger.warn(`getTtl called for key ${key} but Redis TTL lookup is not implemented`);
+            logger.warn(
+                `getTtl called for key ${key} but Redis TTL lookup is not implemented`
+            );
        }

        const ttl = localCache.getTtl(key);
@@ -255,7 +287,9 @@ class AdaptiveCache {
     */
    keys(): string[] {
        if (this.useRedis()) {
-            logger.warn("keys() called but Redis keys are not included, only local cache keys returned");
+            logger.warn(
+                "keys() called but Redis keys are not included, only local cache keys returned"
+            );
        }
        return localCache.keys();
    }
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -74,6 +74,7 @@ export async function logAccessAudit(data: {
    type: string;
    orgId: string;
    resourceId?: number;
+    siteResourceId?: number;
    user?: { username: string; userId: string };
    apiKey?: { name: string | null; apiKeyId: string };
    metadata?: any;
@@ -134,6 +135,7 @@ export async function logAccessAudit(data: {
            type: data.type,
            metadata,
            resourceId: data.resourceId,
+            siteResourceId: data.siteResourceId,
            userAgent: data.userAgent,
            ip: clientIp,
            location: countryCode
--- a/server/private/lib/logConnectionAudit.ts
+++ b/server/private/lib/logConnectionAudit.ts
@@ -0,0 +1,234 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { logsDb, connectionAuditLog } from "@server/db";
+import logger from "@server/logger";
+import { and, eq, lt } from "drizzle-orm";
+import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+
+// ---------------------------------------------------------------------------
+// Retry configuration for deadlock handling
+// ---------------------------------------------------------------------------
+
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+// ---------------------------------------------------------------------------
+// Buffer / flush configuration
+// ---------------------------------------------------------------------------
+
+/** How often to flush accumulated connection log data to the database. */
+const FLUSH_INTERVAL_MS = 30_000; // 30 seconds
+
+/** Maximum number of records to buffer before forcing a flush. */
+const MAX_BUFFERED_RECORDS = 500;
+
+/** Maximum number of records to insert in a single database batch. */
+const INSERT_BATCH_SIZE = 100;
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface ConnectionLogRecord {
+    sessionId: string;
+    siteResourceId: number;
+    orgId: string;
+    siteId: number;
+    clientId: number | null;
+    userId: string | null;
+    sourceAddr: string;
+    destAddr: string;
+    protocol: string;
+    startedAt: number; // epoch seconds
+    endedAt: number | null;
+    bytesTx: number | null;
+    bytesRx: number | null;
+}
+
+// ---------------------------------------------------------------------------
+// In-memory buffer
+// ---------------------------------------------------------------------------
+
+let buffer: ConnectionLogRecord[] = [];
+
+// ---------------------------------------------------------------------------
+// Deadlock helpers
+// ---------------------------------------------------------------------------
+
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Flush
+// ---------------------------------------------------------------------------
+
+/**
+ * Flush all buffered connection log records to the database.
+ *
+ * Swaps out the buffer before writing so that any records added during the
+ * flush are captured in the new buffer rather than being lost. Entries that
+ * fail to write are re-queued back into the buffer so they will be retried
+ * on the next flush.
+ *
+ * This function is exported so that the application's graceful-shutdown
+ * cleanup handler can call it before the process exits.
+ */
+export async function flushConnectionLogToDb(): Promise<void> {
+    if (buffer.length === 0) {
+        return;
+    }
+
+    // Atomically swap out the buffer so new data keeps flowing in
+    const snapshot = buffer;
+    buffer = [];
+
+    logger.debug(
+        `Flushing ${snapshot.length} connection log record(s) to the database`
+    );
+
+    for (let i = 0; i < snapshot.length; i += INSERT_BATCH_SIZE) {
+        const batch = snapshot.slice(i, i + INSERT_BATCH_SIZE);
+
+        try {
+            await withDeadlockRetry(async () => {
+                await logsDb.insert(connectionAuditLog).values(batch);
+            }, `flush connection log batch (${batch.length} records)`);
+        } catch (error) {
+            logger.error(
+                `Failed to flush connection log batch of ${batch.length} records:`,
+                error
+            );
+
+            // Re-queue the failed batch so it is retried on the next flush
+            buffer = [...batch, ...buffer];
+
+            // Cap buffer to prevent unbounded growth if the DB is unreachable
+            const hardLimit = MAX_BUFFERED_RECORDS * 5;
+            if (buffer.length > hardLimit) {
+                const dropped = buffer.length - hardLimit;
+                buffer = buffer.slice(0, hardLimit);
+                logger.warn(
+                    `Connection log buffer overflow, dropped ${dropped} oldest records`
+                );
+            }
+
+            // Stop processing further batches from this snapshot — they will
+            // be picked up via the re-queued records on the next flush.
+            const remaining = snapshot.slice(i + INSERT_BATCH_SIZE);
+            if (remaining.length > 0) {
+                buffer = [...remaining, ...buffer];
+            }
+            break;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Periodic flush timer
+// ---------------------------------------------------------------------------
+
+const flushTimer = setInterval(async () => {
+    try {
+        await flushConnectionLogToDb();
+    } catch (error) {
+        logger.error(
+            "Unexpected error during periodic connection log flush:",
+            error
+        );
+    }
+}, FLUSH_INTERVAL_MS);
+
+// Calling unref() means this timer will not keep the Node.js event loop alive
+// on its own — the process can still exit normally when there is no other work
+// left. The graceful-shutdown path will call flushConnectionLogToDb() explicitly
+// before process.exit(), so no data is lost.
+flushTimer.unref();
+
+// ---------------------------------------------------------------------------
+// Cleanup
+// ---------------------------------------------------------------------------
+
+export async function cleanUpOldLogs(
+    orgId: string,
+    retentionDays: number
+): Promise<void> {
+    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
+
+    try {
+        await logsDb
+            .delete(connectionAuditLog)
+            .where(
+                and(
+                    lt(connectionAuditLog.startedAt, cutoffTimestamp),
+                    eq(connectionAuditLog.orgId, orgId)
+                )
+            );
+    } catch (error) {
+        logger.error("Error cleaning up old connection audit logs:", error);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Public logging entry-point
+// ---------------------------------------------------------------------------
+
+/**
+ * Buffer a single connection log record for eventual persistence.
+ *
+ * Records are written to the database in batches either when the buffer
+ * reaches MAX_BUFFERED_RECORDS or when the periodic flush timer fires.
+ */
+export function logConnectionAudit(record: ConnectionLogRecord): void {
+    buffer.push(record);
+
+    if (buffer.length >= MAX_BUFFERED_RECORDS) {
+        // Fire and forget — errors are handled inside flushConnectionLogToDb
+        flushConnectionLogToDb().catch((error) => {
+            logger.error(
+                "Unexpected error during size-triggered connection log flush:",
+                error
+            );
+        });
+    }
+}
--- a/server/private/lib/logStreaming/LogStreamingManager.ts
+++ b/server/private/lib/logStreaming/LogStreamingManager.ts
@@ -0,0 +1,773 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    db,
+    logsDb,
+    eventStreamingDestinations,
+    eventStreamingCursors,
+    requestAuditLog,
+    actionAuditLog,
+    accessAuditLog,
+    connectionAuditLog
+} from "@server/db";
+import logger from "@server/logger";
+import { and, eq, gt, desc, max, sql } from "drizzle-orm";
+import {
+    LogType,
+    LOG_TYPES,
+    LogEvent,
+    DestinationFailureState,
+    HttpConfig
+} from "./types";
+import { LogDestinationProvider } from "./providers/LogDestinationProvider";
+import { HttpLogDestination } from "./providers/HttpLogDestination";
+import type { EventStreamingDestination } from "@server/db";
+
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+
+/**
+ * How often (ms) the manager polls all destinations for new log records.
+ * Destinations that were behind (full batch returned) will be re-polled
+ * immediately without waiting for this interval.
+ */
+const POLL_INTERVAL_MS = 30_000;
+
+/**
+ * Maximum number of log records fetched from the DB in a single query.
+ * This also controls the maximum size of one HTTP POST body.
+ */
+const BATCH_SIZE = 250;
+
+/**
+ * Minimum delay (ms) between consecutive HTTP requests to the same destination
+ * during a catch-up run.  Prevents bursting thousands of requests back-to-back
+ * when a destination has fallen behind.
+ */
+const INTER_BATCH_DELAY_MS = 100;
+
+/**
+ * Maximum number of consecutive back-to-back batches to process for a single
+ * destination per poll cycle.  After this limit the destination will wait for
+ * the next scheduled poll before continuing, giving other destinations a turn.
+ */
+const MAX_CATCHUP_BATCHES = 20;
+
+/**
+ * Back-off schedule (ms) indexed by consecutive failure count.
+ * After the last entry the max value is re-used.
+ */
+const BACKOFF_SCHEDULE_MS = [
+    60_000,       // 1 min   (failure 1)
+    2 * 60_000,   // 2 min   (failure 2)
+    5 * 60_000,   // 5 min   (failure 3)
+    10 * 60_000,  // 10 min  (failure 4)
+    30 * 60_000   // 30 min  (failure 5+)
+];
+
+/**
+ * If a destination has been continuously unreachable for this long, its
+ * cursors are advanced to the current max row id and the backlog is silently
+ * discarded.  This prevents unbounded queue growth when a webhook endpoint is
+ * down for an extended period.  A prominent warning is logged so operators are
+ * aware logs were dropped.
+ *
+ * Default: 24 hours.
+ */
+const MAX_BACKLOG_DURATION_MS = 24 * 60 * 60_000;
+
+// ---------------------------------------------------------------------------
+// LogStreamingManager
+// ---------------------------------------------------------------------------
+
+/**
+ * Orchestrates periodic polling of the four audit-log tables and forwards new
+ * records to every enabled event-streaming destination.
+ *
+ * ### Design
+ * - **Interval-based**: a timer fires every `POLL_INTERVAL_MS`.  On each tick
+ *   every enabled destination is processed in sequence.
+ * - **Cursor-based**: the last successfully forwarded row `id` is persisted in
+ *   the `eventStreamingCursors` table so state survives restarts.
+ * - **Catch-up**: if a full batch is returned the destination is immediately
+ *   re-queried (up to `MAX_CATCHUP_BATCHES` times) before yielding.
+ * - **Smoothing**: `INTER_BATCH_DELAY_MS` is inserted between consecutive
+ *   catch-up batches to avoid hammering the remote endpoint.
+ * - **Back-off**: consecutive send failures trigger exponential back-off
+ *   (tracked in-memory per destination).  Successful sends reset the counter.
+ * - **Backlog abandonment**: if a destination remains unreachable for longer
+ *   than `MAX_BACKLOG_DURATION_MS`, all cursors for that destination are
+ *   advanced to the current max id so the backlog is discarded and streaming
+ *   resumes from the present moment on recovery.
+ */
+export class LogStreamingManager {
+    private pollTimer: ReturnType<typeof setTimeout> | null = null;
+    private isRunning = false;
+    private isPolling = false;
+
+    /** In-memory back-off state keyed by destinationId. */
+    private readonly failures = new Map<number, DestinationFailureState>();
+
+    // -------------------------------------------------------------------------
+    // Lifecycle
+    // -------------------------------------------------------------------------
+
+    start(): void {
+        if (this.isRunning) return;
+        this.isRunning = true;
+        logger.info("LogStreamingManager: started");
+        this.schedulePoll(POLL_INTERVAL_MS);
+    }
+
+    // -------------------------------------------------------------------------
+    // Cursor initialisation (call this when a destination is first created)
+    // -------------------------------------------------------------------------
+
+    /**
+     * Eagerly seed cursors for every log type at the **current** max row id of
+     * each table, scoped to the destination's org.
+     *
+     * Call this immediately after inserting a new row into
+     * `eventStreamingDestinations` so the destination only receives events
+     * that were written *after* it was created.  If a cursor row already exists
+     * (e.g. the method is called twice) it is left untouched.
+     *
+     * The manager also has a lazy fallback inside `getOrCreateCursor` for
+     * destinations that existed before this method was introduced.
+     */
+    async initializeCursorsForDestination(
+        destinationId: number,
+        orgId: string
+    ): Promise<void> {
+        for (const logType of LOG_TYPES) {
+            const currentMaxId = await this.getCurrentMaxId(logType, orgId);
+            try {
+                await db
+                    .insert(eventStreamingCursors)
+                    .values({
+                        destinationId,
+                        logType,
+                        lastSentId: currentMaxId,
+                        lastSentAt: null
+                    })
+                    .onConflictDoNothing();
+            } catch (err) {
+                logger.warn(
+                    `LogStreamingManager: could not initialise cursor for ` +
+                        `destination ${destinationId} logType="${logType}"`,
+                    err
+                );
+            }
+        }
+
+        logger.debug(
+            `LogStreamingManager: cursors initialised for destination ${destinationId} ` +
+                `(org=${orgId})`
+        );
+    }
+
+    async shutdown(): Promise<void> {
+        this.isRunning = false;
+        if (this.pollTimer !== null) {
+            clearTimeout(this.pollTimer);
+            this.pollTimer = null;
+        }
+        // Wait for any in-progress poll to finish before returning so that
+        // callers (graceful-shutdown handlers) can safely exit afterward.
+        const deadline = Date.now() + 15_000;
+        while (this.isPolling && Date.now() < deadline) {
+            await sleep(100);
+        }
+        logger.info("LogStreamingManager: stopped");
+    }
+
+    // -------------------------------------------------------------------------
+    // Scheduling
+    // -------------------------------------------------------------------------
+
+    private schedulePoll(delayMs: number): void {
+        this.pollTimer = setTimeout(() => {
+            this.pollTimer = null;
+            this.runPoll()
+                .catch((err) =>
+                    logger.error("LogStreamingManager: unexpected poll error", err)
+                )
+                .finally(() => {
+                    if (this.isRunning) {
+                        this.schedulePoll(POLL_INTERVAL_MS);
+                    }
+                });
+        }, delayMs);
+
+        // Do not keep the event loop alive just for the poll timer – the
+        // graceful-shutdown path calls shutdown() explicitly.
+        this.pollTimer.unref?.();
+    }
+
+    // -------------------------------------------------------------------------
+    // Poll cycle
+    // -------------------------------------------------------------------------
+
+    private async runPoll(): Promise<void> {
+        if (this.isPolling) return; // previous poll still running – skip
+        this.isPolling = true;
+
+        try {
+            const destinations = await this.loadEnabledDestinations();
+            if (destinations.length === 0) return;
+
+            for (const dest of destinations) {
+                if (!this.isRunning) break;
+                await this.processDestination(dest).catch((err) => {
+                    // Individual destination errors must never abort the whole cycle
+                    logger.error(
+                        `LogStreamingManager: unhandled error for destination ${dest.destinationId}`,
+                        err
+                    );
+                });
+            }
+        } finally {
+            this.isPolling = false;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Per-destination processing
+    // -------------------------------------------------------------------------
+
+    private async processDestination(
+        dest: EventStreamingDestination
+    ): Promise<void> {
+        const failState = this.failures.get(dest.destinationId);
+
+        // Check whether this destination has been unreachable long enough that
+        // we should give up on the accumulated backlog.
+        if (failState) {
+            const failingForMs = Date.now() - failState.firstFailedAt;
+            if (failingForMs >= MAX_BACKLOG_DURATION_MS) {
+                await this.abandonBacklog(dest, failState);
+                this.failures.delete(dest.destinationId);
+                // Cursors now point to the current head – retry on next poll.
+                return;
+            }
+        }
+
+        // Check regular exponential back-off window
+        if (failState && Date.now() < failState.nextRetryAt) {
+            logger.debug(
+                `LogStreamingManager: destination ${dest.destinationId} in back-off, skipping`
+            );
+            return;
+        }
+
+        // Parse config – skip destination if config is unparseable
+        let config: HttpConfig;
+        try {
+            config = JSON.parse(dest.config) as HttpConfig;
+        } catch (err) {
+            logger.error(
+                `LogStreamingManager: destination ${dest.destinationId} has invalid JSON config`,
+                err
+            );
+            return;
+        }
+
+        const provider = this.createProvider(dest.type, config);
+        if (!provider) {
+            logger.warn(
+                `LogStreamingManager: unsupported destination type "${dest.type}" ` +
+                    `for destination ${dest.destinationId} – skipping`
+            );
+            return;
+        }
+
+        const enabledTypes: LogType[] = [];
+        if (dest.sendRequestLogs) enabledTypes.push("request");
+        if (dest.sendActionLogs) enabledTypes.push("action");
+        if (dest.sendAccessLogs) enabledTypes.push("access");
+        if (dest.sendConnectionLogs) enabledTypes.push("connection");
+
+        if (enabledTypes.length === 0) return;
+
+        let anyFailure = false;
+
+        for (const logType of enabledTypes) {
+            if (!this.isRunning) break;
+            try {
+                await this.processLogType(dest, provider, logType);
+            } catch (err) {
+                anyFailure = true;
+                logger.error(
+                    `LogStreamingManager: failed to process "${logType}" logs ` +
+                        `for destination ${dest.destinationId}`,
+                    err
+                );
+            }
+        }
+
+        if (anyFailure) {
+            this.recordFailure(dest.destinationId);
+        } else {
+            // Any success resets the failure/back-off state
+            if (this.failures.has(dest.destinationId)) {
+                this.failures.delete(dest.destinationId);
+                logger.info(
+                    `LogStreamingManager: destination ${dest.destinationId} recovered`
+                );
+            }
+        }
+    }
+
+    /**
+     * Advance every cursor for the destination to the current max row id,
+     * effectively discarding the accumulated backlog.  Called when the
+     * destination has been unreachable for longer than MAX_BACKLOG_DURATION_MS.
+     */
+    private async abandonBacklog(
+        dest: EventStreamingDestination,
+        failState: DestinationFailureState
+    ): Promise<void> {
+        const failingForHours = (
+            (Date.now() - failState.firstFailedAt) /
+            3_600_000
+        ).toFixed(1);
+
+        let totalDropped = 0;
+
+        for (const logType of LOG_TYPES) {
+            try {
+                const currentMaxId = await this.getCurrentMaxId(
+                    logType,
+                    dest.orgId
+                );
+
+                // Find out how many rows are being skipped for this type
+                const cursor = await db
+                    .select({ lastSentId: eventStreamingCursors.lastSentId })
+                    .from(eventStreamingCursors)
+                    .where(
+                        and(
+                            eq(eventStreamingCursors.destinationId, dest.destinationId),
+                            eq(eventStreamingCursors.logType, logType)
+                        )
+                    )
+                    .limit(1);
+
+                const prevId = cursor[0]?.lastSentId ?? currentMaxId;
+                totalDropped += Math.max(0, currentMaxId - prevId);
+
+                await this.updateCursor(
+                    dest.destinationId,
+                    logType,
+                    currentMaxId
+                );
+            } catch (err) {
+                logger.error(
+                    `LogStreamingManager: failed to advance cursor for ` +
+                        `destination ${dest.destinationId} logType="${logType}" ` +
+                        `during backlog abandonment`,
+                    err
+                );
+            }
+        }
+
+        logger.warn(
+            `LogStreamingManager: destination ${dest.destinationId} has been ` +
+                `unreachable for ${failingForHours}h ` +
+                `(${failState.consecutiveFailures} consecutive failures). ` +
+                `Discarding backlog of ~${totalDropped} log event(s) and ` +
+                `resuming from the current position. ` +
+                `Verify the destination URL and credentials.`
+        );
+    }
+
+    /**
+     * Forward all pending log records of a specific type for a destination.
+     *
+     * Fetches up to `BATCH_SIZE` records at a time.  If the batch is full
+     * (indicating more records may exist) it loops immediately, inserting a
+     * short delay between consecutive requests to the remote endpoint.
+     * The loop is capped at `MAX_CATCHUP_BATCHES` to keep the poll cycle
+     * bounded.
+     */
+    private async processLogType(
+        dest: EventStreamingDestination,
+        provider: LogDestinationProvider,
+        logType: LogType
+    ): Promise<void> {
+        // Ensure a cursor row exists (creates one pointing at the current max
+        // id so we do not replay historical logs on first run)
+        const cursor = await this.getOrCreateCursor(
+            dest.destinationId,
+            logType,
+            dest.orgId
+        );
+
+        let lastSentId = cursor.lastSentId;
+        let batchCount = 0;
+
+        while (batchCount < MAX_CATCHUP_BATCHES) {
+            const rows = await this.fetchLogs(
+                logType,
+                dest.orgId,
+                lastSentId,
+                BATCH_SIZE
+            );
+
+            if (rows.length === 0) break;
+
+            const events = rows.map((row) =>
+                this.rowToLogEvent(logType, row)
+            );
+
+            // Throws on failure – caught by the caller which applies back-off
+            await provider.send(events);
+
+            lastSentId = rows[rows.length - 1].id;
+            await this.updateCursor(dest.destinationId, logType, lastSentId);
+
+            batchCount++;
+
+            if (rows.length < BATCH_SIZE) {
+                // Partial batch means we have caught up
+                break;
+            }
+
+            // Full batch – there are likely more records; pause briefly before
+            // fetching the next batch to smooth out the HTTP request rate
+            if (batchCount < MAX_CATCHUP_BATCHES) {
+                await sleep(INTER_BATCH_DELAY_MS);
+            }
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Cursor management
+    // -------------------------------------------------------------------------
+
+    private async getOrCreateCursor(
+        destinationId: number,
+        logType: LogType,
+        orgId: string
+    ): Promise<{ lastSentId: number }> {
+        // Try to read an existing cursor
+        const existing = await db
+            .select({
+                lastSentId: eventStreamingCursors.lastSentId
+            })
+            .from(eventStreamingCursors)
+            .where(
+                and(
+                    eq(eventStreamingCursors.destinationId, destinationId),
+                    eq(eventStreamingCursors.logType, logType)
+                )
+            )
+            .limit(1);
+
+        if (existing.length > 0) {
+            return { lastSentId: existing[0].lastSentId };
+        }
+
+        // No cursor yet – this destination pre-dates the eager initialisation
+        // path (initializeCursorsForDestination).  Seed at the current max id
+        // so we do not replay historical logs.
+        const initialId = await this.getCurrentMaxId(logType, orgId);
+
+        // Use onConflictDoNothing in case of a rare race between two poll
+        // cycles both hitting this branch simultaneously.
+        await db
+            .insert(eventStreamingCursors)
+            .values({
+                destinationId,
+                logType,
+                lastSentId: initialId,
+                lastSentAt: null
+            })
+            .onConflictDoNothing();
+
+        logger.debug(
+            `LogStreamingManager: lazily initialised cursor for destination ${destinationId} ` +
+                `logType="${logType}" at id=${initialId} ` +
+                `(prefer initializeCursorsForDestination at creation time)`
+        );
+
+        return { lastSentId: initialId };
+    }
+
+    private async updateCursor(
+        destinationId: number,
+        logType: LogType,
+        lastSentId: number
+    ): Promise<void> {
+        await db
+            .update(eventStreamingCursors)
+            .set({
+                lastSentId,
+                lastSentAt: Date.now()
+            })
+            .where(
+                and(
+                    eq(eventStreamingCursors.destinationId, destinationId),
+                    eq(eventStreamingCursors.logType, logType)
+                )
+            );
+    }
+
+    /**
+     * Returns the current maximum `id` in the given log table for the org.
+     * Returns 0 when the table is empty.
+     */
+    private async getCurrentMaxId(
+        logType: LogType,
+        orgId: string
+    ): Promise<number> {
+        try {
+            switch (logType) {
+                case "request": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(requestAuditLog.id) })
+                        .from(requestAuditLog)
+                        .where(eq(requestAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "action": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(actionAuditLog.id) })
+                        .from(actionAuditLog)
+                        .where(eq(actionAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "access": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(accessAuditLog.id) })
+                        .from(accessAuditLog)
+                        .where(eq(accessAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+                case "connection": {
+                    const [row] = await logsDb
+                        .select({ maxId: max(connectionAuditLog.id) })
+                        .from(connectionAuditLog)
+                        .where(eq(connectionAuditLog.orgId, orgId));
+                    return row?.maxId ?? 0;
+                }
+            }
+        } catch (err) {
+            logger.warn(
+                `LogStreamingManager: could not determine current max id for ` +
+                    `logType="${logType}", defaulting to 0`,
+                err
+            );
+            return 0;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Log fetching
+    // -------------------------------------------------------------------------
+
+    /**
+     * Fetch up to `limit` log rows with `id > afterId`, ordered by id ASC,
+     * filtered to the given organisation.
+     */
+    private async fetchLogs(
+        logType: LogType,
+        orgId: string,
+        afterId: number,
+        limit: number
+    ): Promise<Array<Record<string, unknown> & { id: number }>> {
+        switch (logType) {
+            case "request":
+                return (await logsDb
+                    .select()
+                    .from(requestAuditLog)
+                    .where(
+                        and(
+                            eq(requestAuditLog.orgId, orgId),
+                            gt(requestAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(requestAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "action":
+                return (await logsDb
+                    .select()
+                    .from(actionAuditLog)
+                    .where(
+                        and(
+                            eq(actionAuditLog.orgId, orgId),
+                            gt(actionAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(actionAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "access":
+                return (await logsDb
+                    .select()
+                    .from(accessAuditLog)
+                    .where(
+                        and(
+                            eq(accessAuditLog.orgId, orgId),
+                            gt(accessAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(accessAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+
+            case "connection":
+                return (await logsDb
+                    .select()
+                    .from(connectionAuditLog)
+                    .where(
+                        and(
+                            eq(connectionAuditLog.orgId, orgId),
+                            gt(connectionAuditLog.id, afterId)
+                        )
+                    )
+                    .orderBy(connectionAuditLog.id)
+                    .limit(limit)) as Array<
+                    Record<string, unknown> & { id: number }
+                >;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Row → LogEvent conversion
+    // -------------------------------------------------------------------------
+
+    private rowToLogEvent(
+        logType: LogType,
+        row: Record<string, unknown> & { id: number }
+    ): LogEvent {
+        // Determine the epoch-seconds timestamp for this row type
+        let timestamp: number;
+        switch (logType) {
+            case "request":
+            case "action":
+            case "access":
+                timestamp =
+                    typeof row.timestamp === "number" ? row.timestamp : 0;
+                break;
+            case "connection":
+                timestamp =
+                    typeof row.startedAt === "number" ? row.startedAt : 0;
+                break;
+        }
+
+        const orgId =
+            typeof row.orgId === "string" ? row.orgId : "";
+
+        return {
+            id: row.id,
+            logType,
+            orgId,
+            timestamp,
+            data: row as Record<string, unknown>
+        };
+    }
+
+    // -------------------------------------------------------------------------
+    // Provider factory
+    // -------------------------------------------------------------------------
+
+    /**
+     * Instantiate the correct LogDestinationProvider for the given destination
+     * type string.  Returns `null` for unknown types.
+     *
+     * To add a new provider:
+     *  1. Implement `LogDestinationProvider` in a new file under `providers/`
+     *  2. Add a `case` here
+     */
+    private createProvider(
+        type: string,
+        config: unknown
+    ): LogDestinationProvider | null {
+        switch (type) {
+            case "http":
+                return new HttpLogDestination(config as HttpConfig);
+            // Future providers:
+            // case "datadog": return new DatadogLogDestination(config as DatadogConfig);
+            default:
+                return null;
+        }
+    }
+
+    // -------------------------------------------------------------------------
+    // Back-off tracking
+    // -------------------------------------------------------------------------
+
+    private recordFailure(destinationId: number): void {
+        const current = this.failures.get(destinationId) ?? {
+            consecutiveFailures: 0,
+            nextRetryAt: 0,
+            // Stamp the very first failure so we can measure total outage duration
+            firstFailedAt: Date.now()
+        };
+
+        current.consecutiveFailures += 1;
+
+        const scheduleIdx = Math.min(
+            current.consecutiveFailures - 1,
+            BACKOFF_SCHEDULE_MS.length - 1
+        );
+        const backoffMs = BACKOFF_SCHEDULE_MS[scheduleIdx];
+        current.nextRetryAt = Date.now() + backoffMs;
+
+        this.failures.set(destinationId, current);
+
+        logger.warn(
+            `LogStreamingManager: destination ${destinationId} failed ` +
+                `(consecutive #${current.consecutiveFailures}), ` +
+                `backing off for ${backoffMs / 1000}s`
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // DB helpers
+    // -------------------------------------------------------------------------
+
+    private async loadEnabledDestinations(): Promise<
+        EventStreamingDestination[]
+    > {
+        try {
+            return await db
+                .select()
+                .from(eventStreamingDestinations)
+                .where(eq(eventStreamingDestinations.enabled, true));
+        } catch (err) {
+            logger.error(
+                "LogStreamingManager: failed to load destinations",
+                err
+            );
+            return [];
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function sleep(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
--- a/server/private/lib/logStreaming/index.ts
+++ b/server/private/lib/logStreaming/index.ts
@@ -0,0 +1,34 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { build } from "@server/build";
+import { LogStreamingManager } from "./LogStreamingManager";
+
+/**
+ * Module-level singleton.  Importing this module is sufficient to start the
+ * streaming manager – no explicit init call required by the caller.
+ *
+ * The manager registers a non-blocking timer (unref'd) so it will not keep
+ * the Node.js event loop alive on its own.  Call `logStreamingManager.shutdown()`
+ * during graceful shutdown to drain any in-progress poll and release resources.
+ */
+export const logStreamingManager = new LogStreamingManager();
+
+if (build != "saas") { // this is handled separately in the saas build, so we don't want to start it here
+    logStreamingManager.start();
+}
+
+export { LogStreamingManager } from "./LogStreamingManager";
+export type { LogDestinationProvider } from "./providers/LogDestinationProvider";
+export { HttpLogDestination } from "./providers/HttpLogDestination";
+export * from "./types";
--- a/server/private/lib/logStreaming/providers/HttpLogDestination.ts
+++ b/server/private/lib/logStreaming/providers/HttpLogDestination.ts
@@ -0,0 +1,322 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import { LogEvent, HttpConfig, PayloadFormat } from "../types";
+import { LogDestinationProvider } from "./LogDestinationProvider";
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+/** Maximum time (ms) to wait for a single HTTP response. */
+const REQUEST_TIMEOUT_MS = 30_000;
+
+/** Default payload format when none is specified in the config. */
+const DEFAULT_FORMAT: PayloadFormat = "json_array";
+
+// ---------------------------------------------------------------------------
+// HttpLogDestination
+// ---------------------------------------------------------------------------
+
+/**
+ * Forwards a batch of log events to an arbitrary HTTP endpoint via a single
+ * POST request per batch.
+ *
+ * **Payload format**
+ *
+ * **Payload formats** (controlled by `config.format`):
+ *
+ * - `json_array` (default) — one POST per batch, body is a JSON array:
+ *   ```json
+ *   [
+ *     { "event": "request", "timestamp": "2024-01-01T00:00:00.000Z", "data": { … } },
+ *     …
+ *   ]
+ *   ```
+ *   `Content-Type: application/json`
+ *
+ * - `ndjson` — one POST per batch, body is newline-delimited JSON (one object
+ *   per line, no outer array).  Required by Splunk HEC, Elastic/OpenSearch,
+ *   and Grafana Loki:
+ *   ```
+ *   {"event":"request","timestamp":"…","data":{…}}
+ *   {"event":"action","timestamp":"…","data":{…}}
+ *   ```
+ *   `Content-Type: application/x-ndjson`
+ *
+ * - `json_single` — one POST **per event**, body is a plain JSON object.
+ *   Use only for endpoints that cannot handle batches at all.
+ *
+ * With a body template each event is rendered through the template before
+ * serialisation.  Template placeholders:
+ *   - `{{event}}`     → the LogType string ("request", "action", etc.)
+ *   - `{{timestamp}}` → ISO-8601 UTC datetime string
+ *   - `{{data}}`      → raw inline JSON object  (**no surrounding quotes**)
+ *
+ * Example template:
+ * ```
+ * { "event": "{{event}}", "ts": "{{timestamp}}", "payload": {{data}} }
+ * ```
+ */
+export class HttpLogDestination implements LogDestinationProvider {
+    readonly type = "http";
+
+    private readonly config: HttpConfig;
+
+    constructor(config: HttpConfig) {
+        this.config = config;
+    }
+
+    // -----------------------------------------------------------------------
+    // LogDestinationProvider implementation
+    // -----------------------------------------------------------------------
+
+    async send(events: LogEvent[]): Promise<void> {
+        if (events.length === 0) return;
+
+        const format = this.config.format ?? DEFAULT_FORMAT;
+
+        if (format === "json_single") {
+            // One HTTP POST per event – send sequentially so a failure on one
+            // event throws and lets the manager retry the whole batch from the
+            // same cursor position.
+            for (const event of events) {
+                await this.postRequest(
+                    this.buildSingleBody(event),
+                    "application/json"
+                );
+            }
+            return;
+        }
+
+        if (format === "ndjson") {
+            const body = this.buildNdjsonBody(events);
+            await this.postRequest(body, "application/x-ndjson");
+            return;
+        }
+
+        // json_array (default)
+        const body = JSON.stringify(this.buildArrayPayload(events));
+        await this.postRequest(body, "application/json");
+    }
+
+    // -----------------------------------------------------------------------
+    // Internal HTTP sender
+    // -----------------------------------------------------------------------
+
+    private async postRequest(
+        body: string,
+        contentType: string
+    ): Promise<void> {
+        const headers = this.buildHeaders(contentType);
+
+        const controller = new AbortController();
+        const timeoutHandle = setTimeout(
+            () => controller.abort(),
+            REQUEST_TIMEOUT_MS
+        );
+
+        let response: Response;
+        try {
+            response = await fetch(this.config.url, {
+                method: "POST",
+                headers,
+                body,
+                signal: controller.signal
+            });
+        } catch (err: unknown) {
+            const isAbort =
+                err instanceof Error && err.name === "AbortError";
+            if (isAbort) {
+                throw new Error(
+                    `HttpLogDestination: request to "${this.config.url}" timed out after ${REQUEST_TIMEOUT_MS} ms`
+                );
+            }
+            const msg = err instanceof Error ? err.message : String(err);
+            throw new Error(
+                `HttpLogDestination: request to "${this.config.url}" failed – ${msg}`
+            );
+        } finally {
+            clearTimeout(timeoutHandle);
+        }
+
+        if (!response.ok) {
+            // Try to include a snippet of the response body in the error so
+            // operators can diagnose auth or schema rejections.
+            let responseSnippet = "";
+            try {
+                const text = await response.text();
+                responseSnippet = text.slice(0, 300);
+            } catch {
+                // ignore – best effort
+            }
+
+            throw new Error(
+                `HttpLogDestination: server at "${this.config.url}" returned ` +
+                    `HTTP ${response.status} ${response.statusText}` +
+                    (responseSnippet ? ` – ${responseSnippet}` : "")
+            );
+        }
+    }
+
+    // -----------------------------------------------------------------------
+    // Header construction
+    // -----------------------------------------------------------------------
+
+    private buildHeaders(contentType: string): Record<string, string> {
+        const headers: Record<string, string> = {
+            "Content-Type": contentType
+        };
+
+        // Authentication
+        switch (this.config.authType) {
+            case "bearer": {
+                const token = this.config.bearerToken?.trim();
+                if (token) {
+                    headers["Authorization"] = `Bearer ${token}`;
+                }
+                break;
+            }
+            case "basic": {
+                const creds = this.config.basicCredentials?.trim();
+                if (creds) {
+                    const encoded = Buffer.from(creds).toString("base64");
+                    headers["Authorization"] = `Basic ${encoded}`;
+                }
+                break;
+            }
+            case "custom": {
+                const name = this.config.customHeaderName?.trim();
+                const value = this.config.customHeaderValue ?? "";
+                if (name) {
+                    headers[name] = value;
+                }
+                break;
+            }
+            case "none":
+            default:
+                // No Authorization header
+                break;
+        }
+
+        // Additional static headers (user-defined; may override Content-Type
+        // if the operator explicitly sets it, which is intentional).
+        for (const { key, value } of this.config.headers ?? []) {
+            const trimmedKey = key?.trim();
+            if (trimmedKey) {
+                headers[trimmedKey] = value ?? "";
+            }
+        }
+
+        return headers;
+    }
+
+    // -----------------------------------------------------------------------
+    // Payload construction
+    // -----------------------------------------------------------------------
+
+    /** Single default event object (no surrounding array). */
+    private buildEventObject(event: LogEvent): unknown {
+        if (this.config.useBodyTemplate && this.config.bodyTemplate?.trim()) {
+            return this.renderTemplate(this.config.bodyTemplate!, event);
+        }
+        return {
+            event: event.logType,
+            timestamp: epochSecondsToIso(event.timestamp),
+            data: event.data
+        };
+    }
+
+    /** JSON array payload – used for `json_array` format. */
+    private buildArrayPayload(events: LogEvent[]): unknown[] {
+        return events.map((e) => this.buildEventObject(e));
+    }
+
+    /**
+     * NDJSON payload – one JSON object per line, no outer array.
+     * Each line must be a complete, valid JSON object.
+     */
+    private buildNdjsonBody(events: LogEvent[]): string {
+        return events
+            .map((e) => JSON.stringify(this.buildEventObject(e)))
+            .join("\n");
+    }
+
+    /** Single-event body – used for `json_single` format. */
+    private buildSingleBody(event: LogEvent): string {
+        return JSON.stringify(this.buildEventObject(event));
+    }
+
+    /**
+     * Render a single event through the body template.
+     *
+     * The three placeholder tokens are replaced in a specific order to avoid
+     * accidental double-replacement:
+     *
+     *  1. `{{data}}`      → raw JSON (may contain `{{` characters in values)
+     *  2. `{{event}}`     → safe string
+     *  3. `{{timestamp}}` → safe ISO string
+     *
+     * If the rendered string is not valid JSON we fall back to returning it as
+     * a plain string so the batch still makes it out and the operator can
+     * inspect the template.
+     */
+    private renderTemplate(template: string, event: LogEvent): unknown {
+        const isoTimestamp = epochSecondsToIso(event.timestamp);
+        const dataJson = JSON.stringify(event.data);
+
+        // Replace {{data}} first because its JSON value might legitimately
+        // contain the substrings "{{event}}" or "{{timestamp}}" inside string
+        // fields – those should NOT be re-expanded.
+        const rendered = template
+            .replace(/\{\{data\}\}/g, dataJson)
+            .replace(/\{\{event\}\}/g, escapeJsonString(event.logType))
+            .replace(
+                /\{\{timestamp\}\}/g,
+                escapeJsonString(isoTimestamp)
+            );
+
+        try {
+            return JSON.parse(rendered);
+        } catch {
+            logger.warn(
+                `HttpLogDestination: body template produced invalid JSON for ` +
+                    `event type "${event.logType}" destined for "${this.config.url}". ` +
+                    `Sending rendered template as a raw string. ` +
+                    `Check your template syntax – specifically that {{data}} is ` +
+                    `NOT wrapped in quotes.`
+            );
+            return rendered;
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function epochSecondsToIso(epochSeconds: number): string {
+    return new Date(epochSeconds * 1000).toISOString();
+}
+
+/**
+ * Escape a string value so it can be safely substituted into the interior of
+ * a JSON string literal (i.e. between existing `"` quotes in the template).
+ * This prevents a crafted logType or timestamp from breaking out of its
+ * string context in the rendered template.
+ */
+function escapeJsonString(value: string): string {
+    // JSON.stringify produces `"<escaped>"` – strip the outer quotes.
+    return JSON.stringify(value).slice(1, -1);
+}
--- a/server/private/lib/logStreaming/providers/LogDestinationProvider.ts
+++ b/server/private/lib/logStreaming/providers/LogDestinationProvider.ts
@@ -0,0 +1,44 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { LogEvent } from "../types";
+
+/**
+ * Common interface that every log-forwarding backend must implement.
+ *
+ * Adding a new destination type (e.g. Datadog, Splunk, Kafka) is as simple as
+ * creating a class that satisfies this interface and registering it inside
+ * LogStreamingManager.createProvider().
+ */
+export interface LogDestinationProvider {
+    /**
+     * The string identifier that matches the `type` column in the
+     * `eventStreamingDestinations` table (e.g. "http", "datadog").
+     */
+    readonly type: string;
+
+    /**
+     * Forward a batch of log events to the destination.
+     *
+     * Implementations should:
+     *  - Treat the call as atomic: either all events are accepted or an error
+     *    is thrown so the caller can retry / back off.
+     *  - Respect the timeout contract expected by the manager (default 30 s).
+     *  - NOT swallow errors – the manager relies on thrown exceptions to track
+     *    failure state and apply exponential back-off.
+     *
+     * @param events  A non-empty array of normalised log events to forward.
+     * @throws        Any network, authentication, or serialisation error.
+     */
+    send(events: LogEvent[]): Promise<void>;
+}
--- a/server/private/lib/logStreaming/types.ts
+++ b/server/private/lib/logStreaming/types.ts
@@ -0,0 +1,134 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+// ---------------------------------------------------------------------------
+// Log type identifiers
+// ---------------------------------------------------------------------------
+
+export type LogType = "request" | "action" | "access" | "connection";
+
+export const LOG_TYPES: LogType[] = [
+    "request",
+    "action",
+    "access",
+    "connection"
+];
+
+// ---------------------------------------------------------------------------
+// A normalised event ready to be forwarded to a destination
+// ---------------------------------------------------------------------------
+
+export interface LogEvent {
+    /** The auto-increment primary key from the source table */
+    id: number;
+    /** Which log table this event came from */
+    logType: LogType;
+    /** The organisation that owns this event */
+    orgId: string;
+    /** Unix epoch seconds – taken from the record's own timestamp field */
+    timestamp: number;
+    /** Full row data from the source table, serialised as a plain object */
+    data: Record<string, unknown>;
+}
+
+// ---------------------------------------------------------------------------
+// A batch of events destined for a single streaming target
+// ---------------------------------------------------------------------------
+
+export interface LogBatch {
+    destinationId: number;
+    logType: LogType;
+    events: LogEvent[];
+}
+
+// ---------------------------------------------------------------------------
+// HTTP destination configuration (mirrors HttpConfig in the UI component)
+// ---------------------------------------------------------------------------
+
+export type AuthType = "none" | "bearer" | "basic" | "custom";
+
+/**
+ * Controls how the batch of events is serialised into the HTTP request body.
+ *
+ * - `json_array`   – `[{…}, {…}]`  — default; one POST per batch wrapped in a
+ *                    JSON array.  Works with most generic webhooks and Datadog.
+ * - `ndjson`       – `{…}\n{…}`    — newline-delimited JSON, one object per
+ *                    line.  Required by Splunk HEC, Elastic/OpenSearch, Loki.
+ * - `json_single`  – one HTTP POST per event, body is a plain JSON object.
+ *                    Use only for endpoints that cannot handle batches at all.
+ */
+export type PayloadFormat = "json_array" | "ndjson" | "json_single";
+
+export interface HttpConfig {
+    /** Human-readable label for the destination */
+    name: string;
+    /** Target URL that will receive POST requests */
+    url: string;
+    /** Authentication strategy to use */
+    authType: AuthType;
+    /** Used when authType === "bearer" */
+    bearerToken?: string;
+    /** Used when authType === "basic" – must be "username:password" */
+    basicCredentials?: string;
+    /** Used when authType === "custom" – header name */
+    customHeaderName?: string;
+    /** Used when authType === "custom" – header value */
+    customHeaderValue?: string;
+    /** Additional static headers appended to every request */
+    headers: Array<{ key: string; value: string }>;
+    /** Whether to render a custom body template instead of the default shape */
+    /**
+     * How events are serialised into the request body.
+     * Defaults to `"json_array"` when absent.
+     */
+    format?: PayloadFormat;
+    useBodyTemplate: boolean;
+    /**
+     * Handlebars-style template for the JSON body of each event.
+     *
+     * Supported placeholders:
+     *   {{event}}     – the LogType string ("request", "action", etc.)
+     *   {{timestamp}} – ISO-8601 UTC string derived from the event's timestamp
+     *   {{data}}      – raw JSON object (no surrounding quotes) of the full row
+     *
+     * Example:
+     *   { "event": "{{event}}", "ts": "{{timestamp}}", "payload": {{data}} }
+     */
+    bodyTemplate?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Per-destination per-log-type cursor (reflects the DB table)
+// ---------------------------------------------------------------------------
+
+export interface StreamingCursor {
+    destinationId: number;
+    logType: LogType;
+    /** The `id` of the last row that was successfully forwarded */
+    lastSentId: number;
+    /** Epoch milliseconds of the last successful send (or null if never sent) */
+    lastSentAt: number | null;
+}
+
+// ---------------------------------------------------------------------------
+// In-memory failure / back-off state tracked per destination
+// ---------------------------------------------------------------------------
+
+export interface DestinationFailureState {
+    /** How many consecutive send failures have occurred */
+    consecutiveFailures: number;
+    /** Date.now() value after which the destination may be retried */
+    nextRetryAt: number;
+    /** Date.now() value of the very first failure in the current streak */
+    firstFailedAt: number;
+}
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -38,10 +38,6 @@ export const privateConfigSchema = z.object({
                .string()
                .optional()
                .transform(getEnvOrYaml("SERVER_ENCRYPTION_KEY")),
-            resend_api_key: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("RESEND_API_KEY")),
            reo_client_id: z
                .string()
                .optional()
@@ -61,7 +57,10 @@ export const privateConfigSchema = z.object({
        .object({
            host: z.string(),
            port: portSchema,
-            password: z.string().optional(),
+            password: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("REDIS_PASSWORD")),
            db: z.int().nonnegative().optional().default(0),
            replicas: z
                .array(
--- a/server/private/lib/resend.ts
+++ b/server/private/lib/resend.ts
@@ -1,127 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import { Resend } from "resend";
-import privateConfig from "#private/lib/config";
-import logger from "@server/logger";
-
-export enum AudienceIds {
-    SignUps = "6c4e77b2-0851-4bd6-bac8-f51f91360f1a",
-    Subscribed = "870b43fd-387f-44de-8fc1-707335f30b20",
-    Churned = "f3ae92bd-2fdb-4d77-8746-2118afd62549",
-    Newsletter = "5500c431-191c-42f0-a5d4-8b6d445b4ea0"
-}
-
-const resend = new Resend(
-    privateConfig.getRawPrivateConfig().server.resend_api_key || "missing"
-);
-
-export default resend;
-
-export async function moveEmailToAudience(
-    email: string,
-    audienceId: AudienceIds
-) {
-    if (process.env.ENVIRONMENT !== "prod") {
-        logger.debug(
-            `Skipping moving email ${email} to audience ${audienceId} in non-prod environment`
-        );
-        return;
-    }
-    const { error, data } = await retryWithBackoff(async () => {
-        const { data, error } = await resend.contacts.create({
-            email,
-            unsubscribed: false,
-            audienceId
-        });
-        if (error) {
-            throw new Error(
-                `Error adding email ${email} to audience ${audienceId}: ${error}`
-            );
-        }
-        return { error, data };
-    });
-
-    if (error) {
-        logger.error(
-            `Error adding email ${email} to audience ${audienceId}: ${error}`
-        );
-        return;
-    }
-
-    if (data) {
-        logger.debug(
-            `Added email ${email} to audience ${audienceId} with contact ID ${data.id}`
-        );
-    }
-
-    const otherAudiences = Object.values(AudienceIds).filter(
-        (id) => id !== audienceId
-    );
-
-    for (const otherAudienceId of otherAudiences) {
-        const { error, data } = await retryWithBackoff(async () => {
-            const { data, error } = await resend.contacts.remove({
-                email,
-                audienceId: otherAudienceId
-            });
-            if (error) {
-                throw new Error(
-                    `Error removing email ${email} from audience ${otherAudienceId}: ${error}`
-                );
-            }
-            return { error, data };
-        });
-
-        if (error) {
-            logger.error(
-                `Error removing email ${email} from audience ${otherAudienceId}: ${error}`
-            );
-        }
-
-        if (data) {
-            logger.info(
-                `Removed email ${email} from audience ${otherAudienceId}`
-            );
-        }
-    }
-}
-
-type RetryOptions = {
-    retries?: number;
-    initialDelayMs?: number;
-    factor?: number;
-};
-
-export async function retryWithBackoff<T>(
-    fn: () => Promise<T>,
-    options: RetryOptions = {}
-): Promise<T> {
-    const { retries = 5, initialDelayMs = 500, factor = 2 } = options;
-
-    let attempt = 0;
-    let delay = initialDelayMs;
-
-    while (true) {
-        try {
-            return await fn();
-        } catch (err) {
-            attempt++;
-
-            if (attempt > retries) throw err;
-
-            await new Promise((resolve) => setTimeout(resolve, delay));
-            delay *= factor;
-        }
-    }
-}
--- a/Show More
+++ b/Show More