Send less data down

revert: telemetry comment
Add todo
2026-03-13 14:16:38 +00:00 · 2026-03-12 17:27:15 -07:00 · 2026-03-12 17:11:13 -07:00 · 2026-03-12 17:10:46 -07:00 · 2026-03-12 16:58:23 -07:00 · 2026-03-12 16:33:33 -07:00
38 changed files with 1466 additions and 471 deletions
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2343,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "End of following year",
    "actionLogsDescription": "View a history of actions performed in this organization",
    "accessLogsDescription": "View access auth requests for resources in this organization",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
    "certResolver": "Certificate Resolver",
    "certResolverDescription": "Select the certificate resolver to use for this resource.",
    "selectCertResolver": "Select Certificate Resolver",
@@ -2681,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "approvalsEmptyStateButtonText": "Manage Roles",
    "domainErrorTitle": "We are having trouble verifying your domain"
 }
--- a/package-lock.json
+++ b/package-lock.json
@@ -16773,7 +16773,8 @@
        "node_modules/postal-mime": {
            "version": "2.7.3",
            "resolved": "https://registry.npmjs.org/postal-mime/-/postal-mime-2.7.3.tgz",
-            "integrity": "sha512-MjhXadAJaWgYzevi46+3kLak8y6gbg0ku14O1gO/LNOuay8dO+1PtcSGvAdgDR0DoIsSaiIA8y/Ddw6MnrO0Tw=="
+            "integrity": "sha512-MjhXadAJaWgYzevi46+3kLak8y6gbg0ku14O1gO/LNOuay8dO+1PtcSGvAdgDR0DoIsSaiIA8y/Ddw6MnrO0Tw==",
            "license": "MIT-0"
        },
        "node_modules/postcss": {
            "version": "8.5.6",
@@ -17814,6 +17815,7 @@
            "version": "6.9.2",
            "resolved": "https://registry.npmjs.org/resend/-/resend-6.9.2.tgz",
            "integrity": "sha512-uIM6CQ08tS+hTCRuKBFbOBvHIGaEhqZe8s4FOgqsVXSbQLAhmNWpmUhG3UAtRnmcwTWFUqnHa/+Vux8YGPyDBA==",
            "license": "MIT",
            "dependencies": {
                "postal-mime": "2.7.3",
                "svix": "1.84.1"
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -22,7 +22,8 @@ export const domains = pgTable("domains", {
    tries: integer("tries").notNull().default(0),
    certResolver: varchar("certResolver"),
    customCertResolver: varchar("customCertResolver"),
-    preferWildcardCert: boolean("preferWildcardCert")
+    preferWildcardCert: boolean("preferWildcardCert"),
    errorMessage: text("errorMessage")
 });
 export const dnsRecords = pgTable("dnsRecords", {
@@ -720,6 +721,7 @@ export const clientSitesAssociationsCache = pgTable(
            .notNull(),
        siteId: integer("siteId").notNull(),
        isRelayed: boolean("isRelayed").notNull().default(false),
        isJitMode: boolean("isJitMode").notNull().default(false),
        endpoint: varchar("endpoint"),
        publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -13,7 +13,8 @@ export const domains = sqliteTable("domains", {
    failed: integer("failed", { mode: "boolean" }).notNull().default(false),
    tries: integer("tries").notNull().default(0),
    certResolver: text("certResolver"),
-    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" })
+    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" }),
    errorMessage: text("errorMessage")
 });
 export const dnsRecords = sqliteTable("dnsRecords", {
@@ -409,6 +410,9 @@ export const clientSitesAssociationsCache = sqliteTable(
        isRelayed: integer("isRelayed", { mode: "boolean" })
            .notNull()
            .default(false),
        isJitMode: integer("isJitMode", { mode: "boolean" })
            .notNull()
            .default(false),
        endpoint: text("endpoint"),
        publicKey: text("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -477,6 +477,7 @@ async function handleMessagesForSiteClients(
        }
        if (isAdd) {
            // TODO: if we are in jit mode here should we really be sending this?
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -571,7 +572,7 @@ export async function updateClientSiteDestinations(
                destinations: [
                    {
                        destinationIP: site.sites.subnet.split("/")[0],
-                        destinationPort: site.sites.listenPort || 0
+                        destinationPort: site.sites.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
                    }
                ]
            };
@@ -579,7 +580,7 @@ export async function updateClientSiteDestinations(
            // add to the existing destinations
            destinations.destinations.push({
                destinationIP: site.sites.subnet.split("/")[0],
-                destinationPort: site.sites.listenPort || 0
+                destinationPort: site.sites.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
            });
        }
@@ -1080,6 +1081,7 @@ async function handleMessagesForClientSites(
                continue;
            }
            // TODO: if we are in jit mode here should we really be sending this?
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
--- a/server/lib/resend.ts
+++ b/server/lib/resend.ts
@@ -1,16 +0,0 @@
 export enum AudienceIds {
    SignUps = "",
    Subscribed = "",
    Churned = "",
    Newsletter = ""
 }
 let resend;
 export default resend;
 export async function moveEmailToAudience(
    email: string,
    audienceId: AudienceIds
 ) {
    return;
 }
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -218,10 +218,11 @@ export class TraefikConfigManager {
            return true;
        }
        // Fetch if it's been more than 24 hours (for renewals)
        const dayInMs = 24 * 60 * 60 * 1000;
        const timeSinceLastFetch =
            Date.now() - this.lastCertificateFetch.getTime();
        // Fetch if it's been more than 24 hours (daily routine check)
        if (timeSinceLastFetch > dayInMs) {
            logger.info("Fetching certificates due to 24-hour renewal check");
            return true;
@@ -265,7 +266,7 @@ export class TraefikConfigManager {
            return true;
        }
-        // Check if any local certificates are missing or appear to be outdated
+        // Check if any local certificates are missing (needs immediate fetch)
        for (const domain of domainsNeedingCerts) {
            const localState = this.lastLocalCertificateState.get(domain);
            if (!localState || !localState.exists) {
@@ -274,13 +275,26 @@ export class TraefikConfigManager {
                );
                return true;
            }
        }
-            // Check if certificate is expiring soon (within 30 days)
+        // For expiry checks, throttle to every 6 hours to avoid querying the
-            if (localState.expiresAt) {
+        // API/DB on every monitor loop. The certificate-service renews certs
        // 45 days before expiry, so checking every 6 hours is plenty frequent
        // to pick up renewed certs promptly.
        const renewalCheckIntervalMs = 6 * 60 * 60 * 1000; // 6 hours
        if (timeSinceLastFetch > renewalCheckIntervalMs) {
            // Check non-wildcard certs for expiry (within 45 days to match
            // the server-side renewal window in certificate-service)
            for (const domain of domainsNeedingCerts) {
                const localState =
                    this.lastLocalCertificateState.get(domain);
                if (localState?.expiresAt) {
                    const nowInSeconds = Math.floor(Date.now() / 1000);
-                const secondsUntilExpiry = localState.expiresAt - nowInSeconds;
+                    const secondsUntilExpiry =
-                const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
+                        localState.expiresAt - nowInSeconds;
-                if (daysUntilExpiry < 30) {
+                    const daysUntilExpiry =
                        secondsUntilExpiry / (60 * 60 * 24);
                    if (daysUntilExpiry < 45) {
                        logger.info(
                            `Fetching certificates due to upcoming expiry for ${domain} (${Math.round(daysUntilExpiry)} days remaining)`
                        );
@@ -289,6 +303,31 @@ export class TraefikConfigManager {
                }
            }
            // Also check wildcard certificates for expiry. These are not
            // included in domainsNeedingCerts since their subdomains are
            // filtered out, so we must check them separately.
            for (const [certDomain, state] of this
                .lastLocalCertificateState) {
                if (
                    state.exists &&
                    state.wildcard &&
                    state.expiresAt
                ) {
                    const nowInSeconds = Math.floor(Date.now() / 1000);
                    const secondsUntilExpiry =
                        state.expiresAt - nowInSeconds;
                    const daysUntilExpiry =
                        secondsUntilExpiry / (60 * 60 * 24);
                    if (daysUntilExpiry < 45) {
                        logger.info(
                            `Fetching certificates due to upcoming expiry for wildcard cert ${certDomain} (${Math.round(daysUntilExpiry)} days remaining)`
                        );
                        return true;
                    }
                }
            }
        }
        return false;
    }
@@ -361,6 +400,32 @@ export class TraefikConfigManager {
                        }
                    }
                    // Also include wildcard cert base domains that are
                    // expiring or expired so they get re-fetched even though
                    // their subdomains were filtered out above.
                    for (const [certDomain, state] of this
                        .lastLocalCertificateState) {
                        if (
                            state.exists &&
                            state.wildcard &&
                            state.expiresAt
                        ) {
                            const nowInSeconds = Math.floor(
                                Date.now() / 1000
                            );
                            const secondsUntilExpiry =
                                state.expiresAt - nowInSeconds;
                            const daysUntilExpiry =
                                secondsUntilExpiry / (60 * 60 * 24);
                            if (daysUntilExpiry < 45) {
                                domainsToFetch.add(certDomain);
                                logger.info(
                                    `Including expiring wildcard cert domain ${certDomain} in fetch (${Math.round(daysUntilExpiry)} days remaining)`
                                );
                            }
                        }
                    }
                    if (domainsToFetch.size > 0) {
                        // Get valid certificates for domains not covered by wildcards
                        validCertificates =
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -14,7 +14,7 @@ import logger from "@server/logger";
 import config from "@server/lib/config";
 import { resources, sites, Target, targets } from "@server/db";
 import createPathRewriteMiddleware from "./middleware";
-import { sanitize, validatePathRewriteConfig } from "./utils";
+import { sanitize, encodePath, validatePathRewriteConfig } from "./utils";
 const redirectHttpsMiddlewareName = "redirect-to-https";
 const badgerMiddlewareName = "badger";
@@ -44,7 +44,7 @@ export async function getTraefikConfig(
    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
    allowRawResources = true,
-    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
+    allowMaintenancePage = true // UNUSED BUT USED IN PRIVATE
 ): Promise<any> {
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
@@ -127,7 +127,7 @@ export async function getTraefikConfig(
    resourcesWithTargetsAndSites.forEach((row) => {
        const resourceId = row.resourceId;
        const resourceName = sanitize(row.resourceName) || "";
-        const targetPath = sanitize(row.path) || ""; // Handle null/undefined paths
+        const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
        const pathMatchType = row.pathMatchType || "";
        const rewritePath = row.rewritePath || "";
        const rewritePathType = row.rewritePathType || "";
@@ -145,7 +145,7 @@ export async function getTraefikConfig(
        const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
        const key = sanitize(mapKey);
-        if (!resourcesMap.has(key)) {
+        if (!resourcesMap.has(mapKey)) {
            const validation = validatePathRewriteConfig(
                row.path,
                row.pathMatchType,
@@ -160,9 +160,10 @@ export async function getTraefikConfig(
                return;
            }
-            resourcesMap.set(key, {
+            resourcesMap.set(mapKey, {
                resourceId: row.resourceId,
                name: resourceName,
                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
                http: row.http,
@@ -190,7 +191,7 @@ export async function getTraefikConfig(
            });
        }
-        resourcesMap.get(key).targets.push({
+        resourcesMap.get(mapKey).targets.push({
            resourceId: row.resourceId,
            targetId: row.targetId,
            ip: row.ip,
@@ -227,8 +228,9 @@ export async function getTraefikConfig(
    };
    // get the key and the resource
-    for (const [key, resource] of resourcesMap.entries()) {
+    for (const [, resource] of resourcesMap.entries()) {
        const targets = resource.targets as TargetWithSite[];
        const key = resource.key;
        const routerName = `${key}-${resource.name}-router`;
        const serviceName = `${key}-${resource.name}-service`;
--- a/server/lib/traefik/pathEncoding.test.ts
+++ b/server/lib/traefik/pathEncoding.test.ts
@@ -0,0 +1,323 @@
 import { assertEquals } from "../../../test/assert";
 // ── Pure function copies (inlined to avoid pulling in server dependencies) ──
 function sanitize(input: string | null | undefined): string | undefined {
    if (!input) return undefined;
    if (input.length > 50) {
        input = input.substring(0, 50);
    }
    return input
        .replace(/[^a-zA-Z0-9-]/g, "-")
        .replace(/-+/g, "-")
        .replace(/^-|-$/g, "");
 }
 function encodePath(path: string | null | undefined): string {
    if (!path) return "";
    return path.replace(/[^a-zA-Z0-9]/g, (ch) => {
        return ch.charCodeAt(0).toString(16);
    });
 }
 // ── Helpers ──────────────────────────────────────────────────────────
 /**
 * Exact replica of the OLD key computation from upstream main.
 * Uses sanitize() for paths — this is what had the collision bug.
 */
 function oldKeyComputation(
    resourceId: number,
    path: string | null,
    pathMatchType: string | null,
    rewritePath: string | null,
    rewritePathType: string | null
 ): string {
    const targetPath = sanitize(path) || "";
    const pmt = pathMatchType || "";
    const rp = rewritePath || "";
    const rpt = rewritePathType || "";
    const pathKey = [targetPath, pmt, rp, rpt].filter(Boolean).join("-");
    const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
    return sanitize(mapKey) || "";
 }
 /**
 * Replica of the NEW key computation from our fix.
 * Uses encodePath() for paths — collision-free.
 */
 function newKeyComputation(
    resourceId: number,
    path: string | null,
    pathMatchType: string | null,
    rewritePath: string | null,
    rewritePathType: string | null
 ): string {
    const targetPath = encodePath(path);
    const pmt = pathMatchType || "";
    const rp = rewritePath || "";
    const rpt = rewritePathType || "";
    const pathKey = [targetPath, pmt, rp, rpt].filter(Boolean).join("-");
    const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
    return sanitize(mapKey) || "";
 }
 // ── Tests ────────────────────────────────────────────────────────────
 function runTests() {
    console.log("Running path encoding tests...\n");
    let passed = 0;
    // ── encodePath unit tests ────────────────────────────────────────
    // Test 1: null/undefined/empty
    {
        assertEquals(encodePath(null), "", "null should return empty");
        assertEquals(
            encodePath(undefined),
            "",
            "undefined should return empty"
        );
        assertEquals(encodePath(""), "", "empty string should return empty");
        console.log("  PASS: encodePath handles null/undefined/empty");
        passed++;
    }
    // Test 2: root path
    {
        assertEquals(encodePath("/"), "2f", "/ should encode to 2f");
        console.log("  PASS: encodePath encodes root path");
        passed++;
    }
    // Test 3: alphanumeric passthrough
    {
        assertEquals(encodePath("/api"), "2fapi", "/api encodes slash only");
        assertEquals(encodePath("/v1"), "2fv1", "/v1 encodes slash only");
        assertEquals(encodePath("abc"), "abc", "plain alpha passes through");
        console.log("  PASS: encodePath preserves alphanumeric chars");
        passed++;
    }
    // Test 4: all special chars produce unique hex
    {
        const paths = ["/a/b", "/a-b", "/a.b", "/a_b", "/a b"];
        const results = paths.map((p) => encodePath(p));
        const unique = new Set(results);
        assertEquals(
            unique.size,
            paths.length,
            "all special-char paths must produce unique encodings"
        );
        console.log(
            "  PASS: encodePath produces unique output for different special chars"
        );
        passed++;
    }
    // Test 5: output is always alphanumeric (safe for Traefik names)
    {
        const paths = [
            "/",
            "/api",
            "/a/b",
            "/a-b",
            "/a.b",
            "/complex/path/here"
        ];
        for (const p of paths) {
            const e = encodePath(p);
            assertEquals(
                /^[a-zA-Z0-9]+$/.test(e),
                true,
                `encodePath("${p}") = "${e}" must be alphanumeric`
            );
        }
        console.log("  PASS: encodePath output is always alphanumeric");
        passed++;
    }
    // Test 6: deterministic
    {
        assertEquals(
            encodePath("/api"),
            encodePath("/api"),
            "same input same output"
        );
        assertEquals(
            encodePath("/a/b/c"),
            encodePath("/a/b/c"),
            "same input same output"
        );
        console.log("  PASS: encodePath is deterministic");
        passed++;
    }
    // Test 7: many distinct paths never collide
    {
        const paths = [
            "/",
            "/api",
            "/api/v1",
            "/api/v2",
            "/a/b",
            "/a-b",
            "/a.b",
            "/a_b",
            "/health",
            "/health/check",
            "/admin",
            "/admin/users",
            "/api/v1/users",
            "/api/v1/posts",
            "/app",
            "/app/dashboard"
        ];
        const encoded = new Set(paths.map((p) => encodePath(p)));
        assertEquals(
            encoded.size,
            paths.length,
            `expected ${paths.length} unique encodings, got ${encoded.size}`
        );
        console.log("  PASS: 16 realistic paths all produce unique encodings");
        passed++;
    }
    // ── Collision fix: the actual bug we're fixing ───────────────────
    // Test 8: /a/b and /a-b now have different keys (THE BUG FIX)
    {
        const keyAB = newKeyComputation(1, "/a/b", "prefix", null, null);
        const keyDash = newKeyComputation(1, "/a-b", "prefix", null, null);
        assertEquals(
            keyAB !== keyDash,
            true,
            "/a/b and /a-b MUST have different keys"
        );
        console.log("  PASS: collision fix — /a/b vs /a-b have different keys");
        passed++;
    }
    // Test 9: demonstrate the old bug — old code maps /a/b and /a-b to same key
    {
        const oldKeyAB = oldKeyComputation(1, "/a/b", "prefix", null, null);
        const oldKeyDash = oldKeyComputation(1, "/a-b", "prefix", null, null);
        assertEquals(
            oldKeyAB,
            oldKeyDash,
            "old code MUST have this collision (confirms the bug exists)"
        );
        console.log("  PASS: confirmed old code bug — /a/b and /a-b collided");
        passed++;
    }
    // Test 10: /api/v1 and /api-v1 — old code collision, new code fixes it
    {
        const oldKey1 = oldKeyComputation(1, "/api/v1", "prefix", null, null);
        const oldKey2 = oldKeyComputation(1, "/api-v1", "prefix", null, null);
        assertEquals(
            oldKey1,
            oldKey2,
            "old code collision for /api/v1 vs /api-v1"
        );
        const newKey1 = newKeyComputation(1, "/api/v1", "prefix", null, null);
        const newKey2 = newKeyComputation(1, "/api-v1", "prefix", null, null);
        assertEquals(
            newKey1 !== newKey2,
            true,
            "new code must separate /api/v1 and /api-v1"
        );
        console.log("  PASS: collision fix — /api/v1 vs /api-v1");
        passed++;
    }
    // Test 11: /app.v2 and /app/v2 and /app-v2 — three-way collision fixed
    {
        const a = newKeyComputation(1, "/app.v2", "prefix", null, null);
        const b = newKeyComputation(1, "/app/v2", "prefix", null, null);
        const c = newKeyComputation(1, "/app-v2", "prefix", null, null);
        const keys = new Set([a, b, c]);
        assertEquals(
            keys.size,
            3,
            "three paths must produce three unique keys"
        );
        console.log(
            "  PASS: collision fix — three-way /app.v2, /app/v2, /app-v2"
        );
        passed++;
    }
    // ── Edge cases ───────────────────────────────────────────────────
    // Test 12: same path in different resources — always separate
    {
        const key1 = newKeyComputation(1, "/api", "prefix", null, null);
        const key2 = newKeyComputation(2, "/api", "prefix", null, null);
        assertEquals(
            key1 !== key2,
            true,
            "different resources with same path must have different keys"
        );
        console.log("  PASS: edge case — same path, different resources");
        passed++;
    }
    // Test 13: same resource, different pathMatchType — separate keys
    {
        const exact = newKeyComputation(1, "/api", "exact", null, null);
        const prefix = newKeyComputation(1, "/api", "prefix", null, null);
        assertEquals(
            exact !== prefix,
            true,
            "exact vs prefix must have different keys"
        );
        console.log("  PASS: edge case — same path, different match types");
        passed++;
    }
    // Test 14: same resource and path, different rewrite config — separate keys
    {
        const noRewrite = newKeyComputation(1, "/api", "prefix", null, null);
        const withRewrite = newKeyComputation(
            1,
            "/api",
            "prefix",
            "/backend",
            "prefix"
        );
        assertEquals(
            noRewrite !== withRewrite,
            true,
            "with vs without rewrite must have different keys"
        );
        console.log("  PASS: edge case — same path, different rewrite config");
        passed++;
    }
    // Test 15: paths with special URL characters
    {
        const paths = ["/api?foo", "/api#bar", "/api%20baz", "/api+qux"];
        const keys = new Set(
            paths.map((p) => newKeyComputation(1, p, "prefix", null, null))
        );
        assertEquals(
            keys.size,
            paths.length,
            "special URL chars must produce unique keys"
        );
        console.log("  PASS: edge case — special URL characters in paths");
        passed++;
    }
    console.log(`\nAll ${passed} tests passed!`);
 }
 try {
    runTests();
 } catch (error) {
    console.error("Test failed:", error);
    process.exit(1);
 }
--- a/server/lib/traefik/utils.ts
+++ b/server/lib/traefik/utils.ts
@@ -13,6 +13,26 @@ export function sanitize(input: string | null | undefined): string | undefined {
        .replace(/^-|-$/g, "");
 }
 /**
 * Encode a URL path into a collision-free alphanumeric string suitable for use
 * in Traefik map keys.
 *
 * Unlike sanitize(), this preserves uniqueness by encoding each non-alphanumeric
 * character as its hex code. Different paths always produce different outputs.
 *
 *   encodePath("/api")  => "2fapi"
 *   encodePath("/a/b")  => "2fa2fb"
 *   encodePath("/a-b")  => "2fa2db"   (different from /a/b)
 *   encodePath("/")     => "2f"
 *   encodePath(null)    => ""
 */
 export function encodePath(path: string | null | undefined): string {
    if (!path) return "";
    return path.replace(/[^a-zA-Z0-9]/g, (ch) => {
        return ch.charCodeAt(0).toString(16);
    });
 }
 export function validatePathRewriteConfig(
    path: string | null,
    pathMatchType: string | null,
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -38,10 +38,6 @@ export const privateConfigSchema = z.object({
                .string()
                .optional()
                .transform(getEnvOrYaml("SERVER_ENCRYPTION_KEY")),
            resend_api_key: z
                .string()
                .optional()
                .transform(getEnvOrYaml("RESEND_API_KEY")),
            reo_client_id: z
                .string()
                .optional()
--- a/server/private/lib/resend.ts
+++ b/server/private/lib/resend.ts
@@ -1,127 +0,0 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { Resend } from "resend";
 import privateConfig from "#private/lib/config";
 import logger from "@server/logger";
 export enum AudienceIds {
    SignUps = "6c4e77b2-0851-4bd6-bac8-f51f91360f1a",
    Subscribed = "870b43fd-387f-44de-8fc1-707335f30b20",
    Churned = "f3ae92bd-2fdb-4d77-8746-2118afd62549",
    Newsletter = "5500c431-191c-42f0-a5d4-8b6d445b4ea0"
 }
 const resend = new Resend(
    privateConfig.getRawPrivateConfig().server.resend_api_key || "missing"
 );
 export default resend;
 export async function moveEmailToAudience(
    email: string,
    audienceId: AudienceIds
 ) {
    if (process.env.ENVIRONMENT !== "prod") {
        logger.debug(
            `Skipping moving email ${email} to audience ${audienceId} in non-prod environment`
        );
        return;
    }
    const { error, data } = await retryWithBackoff(async () => {
        const { data, error } = await resend.contacts.create({
            email,
            unsubscribed: false,
            audienceId
        });
        if (error) {
            throw new Error(
                `Error adding email ${email} to audience ${audienceId}: ${error}`
            );
        }
        return { error, data };
    });
    if (error) {
        logger.error(
            `Error adding email ${email} to audience ${audienceId}: ${error}`
        );
        return;
    }
    if (data) {
        logger.debug(
            `Added email ${email} to audience ${audienceId} with contact ID ${data.id}`
        );
    }
    const otherAudiences = Object.values(AudienceIds).filter(
        (id) => id !== audienceId
    );
    for (const otherAudienceId of otherAudiences) {
        const { error, data } = await retryWithBackoff(async () => {
            const { data, error } = await resend.contacts.remove({
                email,
                audienceId: otherAudienceId
            });
            if (error) {
                throw new Error(
                    `Error removing email ${email} from audience ${otherAudienceId}: ${error}`
                );
            }
            return { error, data };
        });
        if (error) {
            logger.error(
                `Error removing email ${email} from audience ${otherAudienceId}: ${error}`
            );
        }
        if (data) {
            logger.info(
                `Removed email ${email} from audience ${otherAudienceId}`
            );
        }
    }
 }
 type RetryOptions = {
    retries?: number;
    initialDelayMs?: number;
    factor?: number;
 };
 export async function retryWithBackoff<T>(
    fn: () => Promise<T>,
    options: RetryOptions = {}
 ): Promise<T> {
    const { retries = 5, initialDelayMs = 500, factor = 2 } = options;
    let attempt = 0;
    let delay = initialDelayMs;
    while (true) {
        try {
            return await fn();
        } catch (err) {
            attempt++;
            if (attempt > retries) throw err;
            await new Promise((resolve) => setTimeout(resolve, delay));
            delay *= factor;
        }
    }
 }
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -34,7 +34,11 @@ import {
 import logger from "@server/logger";
 import config from "@server/lib/config";
 import { orgs, resources, sites, Target, targets } from "@server/db";
-import { sanitize, validatePathRewriteConfig } from "@server/lib/traefik/utils";
+import {
    sanitize,
    encodePath,
    validatePathRewriteConfig
 } from "@server/lib/traefik/utils";
 import privateConfig from "#private/lib/config";
 import createPathRewriteMiddleware from "@server/lib/traefik/middleware";
 import {
@@ -170,7 +174,7 @@ export async function getTraefikConfig(
    resourcesWithTargetsAndSites.forEach((row) => {
        const resourceId = row.resourceId;
        const resourceName = sanitize(row.resourceName) || "";
-        const targetPath = sanitize(row.path) || ""; // Handle null/undefined paths
+        const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
        const pathMatchType = row.pathMatchType || "";
        const rewritePath = row.rewritePath || "";
        const rewritePathType = row.rewritePathType || "";
@@ -192,7 +196,7 @@ export async function getTraefikConfig(
        const mapKey = [resourceId, pathKey].filter(Boolean).join("-");
        const key = sanitize(mapKey);
-        if (!resourcesMap.has(key)) {
+        if (!resourcesMap.has(mapKey)) {
            const validation = validatePathRewriteConfig(
                row.path,
                row.pathMatchType,
@@ -207,9 +211,10 @@ export async function getTraefikConfig(
                return;
            }
-            resourcesMap.set(key, {
+            resourcesMap.set(mapKey, {
                resourceId: row.resourceId,
                name: resourceName,
                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
                http: row.http,
@@ -243,7 +248,7 @@ export async function getTraefikConfig(
        }
        // Add target with its associated site data
-        resourcesMap.get(key).targets.push({
+        resourcesMap.get(mapKey).targets.push({
            resourceId: row.resourceId,
            targetId: row.targetId,
            ip: row.ip,
@@ -296,8 +301,9 @@ export async function getTraefikConfig(
    };
    // get the key and the resource
-    for (const [key, resource] of resourcesMap.entries()) {
+    for (const [, resource] of resourcesMap.entries()) {
        const targets = resource.targets as TargetWithSite[];
        const key = resource.key;
        const routerName = `${key}-${resource.name}-router`;
        const serviceName = `${key}-${resource.name}-service`;
--- a/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
@@ -24,7 +24,6 @@ import { eq, and } from "drizzle-orm";
 import logger from "@server/logger";
 import stripe from "#private/lib/stripe";
 import { handleSubscriptionLifesycle } from "../subscriptionLifecycle";
 import { AudienceIds, moveEmailToAudience } from "#private/lib/resend";
 import { getSubType } from "./getSubType";
 import privateConfig from "#private/lib/config";
 import { getLicensePriceSet, LicenseId } from "@server/lib/billing/licenses";
@@ -172,7 +171,7 @@ export async function handleSubscriptionCreated(
                const email = orgUserRes.user.email;
                if (email) {
-                    moveEmailToAudience(email, AudienceIds.Subscribed);
+                    // TODO: update user in Sendy
                }
            }
        } else if (type === "license") {
--- a/server/private/routers/billing/hooks/handleSubscriptionDeleted.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionDeleted.ts
@@ -23,7 +23,6 @@ import {
 import { eq, and } from "drizzle-orm";
 import logger from "@server/logger";
 import { handleSubscriptionLifesycle } from "../subscriptionLifecycle";
 import { AudienceIds, moveEmailToAudience } from "#private/lib/resend";
 import { getSubType } from "./getSubType";
 import stripe from "#private/lib/stripe";
 import privateConfig from "#private/lib/config";
@@ -109,7 +108,7 @@ export async function handleSubscriptionDeleted(
                const email = orgUserRes.user.email;
                if (email) {
-                    moveEmailToAudience(email, AudienceIds.Churned);
+                    // TODO: update user in Sendy
                }
            }
        } else if (type === "license") {
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -29,7 +29,6 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { eq, or, and } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "@server/lib/sshCA";
@@ -64,6 +63,7 @@ export type SignSshKeyResponse = {
    sshUsername: string;
    sshHost: string;
    resourceId: number;
    siteId: number;
    keyId: string;
    validPrincipals: string[];
    validAfter: string;
@@ -453,6 +453,7 @@ export async function signSshKey(
                sshUsername: usernameToUse,
                sshHost: sshHost,
                resourceId: resource.siteResourceId,
                siteId: resource.siteId,
                keyId: cert.keyId,
                validPrincipals: cert.validPrincipals,
                validAfter: cert.validAfter.toISOString(),
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -76,7 +76,7 @@ const processMessage = async (
            clientId,
            message.type, // Pass message type for granular limiting
            100, // max requests per window
-            20, // max requests per message type per window
+            100, // max requests per message type per window
            60 * 1000 // window in milliseconds
        );
        if (rateLimitResult.isLimited) {
--- a/server/routers/auth/signup.ts
+++ b/server/routers/auth/signup.ts
@@ -22,7 +22,6 @@ import { checkValidInvite } from "@server/auth/checkValidInvite";
 import { passwordSchema } from "@server/auth/passwordSchema";
 import { UserType } from "@server/types/UserTypes";
 import { build } from "@server/build";
 import resend, { AudienceIds, moveEmailToAudience } from "#dynamic/lib/resend";
 export const signupBodySchema = z.object({
    email: z.email().toLowerCase(),
@@ -237,7 +236,7 @@ export async function signup(
            logger.debug(
                `User ${email} opted in to marketing emails during signup.`
            );
-            moveEmailToAudience(email, AudienceIds.SignUps);
+            // TODO: update user in Sendy
        }
        if (config.getRawConfig().flags?.require_email_verification) {
--- a/server/routers/domain/listDomains.ts
+++ b/server/routers/domain/listDomains.ts
@@ -40,7 +40,8 @@ async function queryDomains(orgId: string, limit: number, offset: number) {
            tries: domains.tries,
            configManaged: domains.configManaged,
            certResolver: domains.certResolver,
-            preferWildcardCert: domains.preferWildcardCert
+            preferWildcardCert: domains.preferWildcardCert,
            errorMessage: domains.errorMessage
        })
        .from(orgDomains)
        .where(eq(orgDomains.orgId, orgId))
--- a/server/routers/gerbil/getAllRelays.ts
+++ b/server/routers/gerbil/getAllRelays.ts
@@ -125,7 +125,7 @@ export async function generateRelayMappings(exitNode: ExitNode) {
            // Add site as a destination for this client
            const destination: PeerDestination = {
                destinationIP: site.subnet.split("/")[0],
-                destinationPort: site.listenPort
+                destinationPort: site.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
            };
            // Check if this destination is already in the array to avoid duplicates
@@ -165,7 +165,7 @@ export async function generateRelayMappings(exitNode: ExitNode) {
                const destination: PeerDestination = {
                    destinationIP: peer.subnet.split("/")[0],
-                    destinationPort: peer.listenPort
+                    destinationPort: peer.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
                };
                // Check for duplicates
--- a/server/routers/gerbil/updateHolePunch.ts
+++ b/server/routers/gerbil/updateHolePunch.ts
@@ -112,7 +112,7 @@ export async function updateHolePunch(
            destinations: destinations
        });
    } catch (error) {
-        // logger.error(error); // FIX THIS
+        logger.error(error);
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
@@ -262,7 +262,7 @@ export async function updateAndGenerateEndpointDestinations(
            if (site.subnet && site.listenPort) {
                destinations.push({
                    destinationIP: site.subnet.split("/")[0],
-                    destinationPort: site.listenPort
+                    destinationPort: site.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
                });
            }
        }
@@ -339,10 +339,10 @@ export async function updateAndGenerateEndpointDestinations(
            handleSiteEndpointChange(newt.siteId, updatedSite.endpoint!);
        }
-        if (!updatedSite || !updatedSite.subnet) {
+        // if (!updatedSite || !updatedSite.subnet) {
-            logger.warn(`Site not found: ${newt.siteId}`);
+        //     logger.warn(`Site not found: ${newt.siteId}`);
-            throw new Error("Site not found");
+        //     throw new Error("Site not found");
-        }
+        // }
        // Find all clients that connect to this site
        // const sitesClientPairs = await db
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -1,4 +1,15 @@
-import { clients, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, ExitNode, resources, Site, siteResources, targetHealthCheck, targets } from "@server/db";
+import {
    clients,
    clientSiteResourcesAssociationsCache,
    clientSitesAssociationsCache,
    db,
    ExitNode,
    resources,
    Site,
    siteResources,
    targetHealthCheck,
    targets
 } from "@server/db";
 import logger from "@server/logger";
 import { initPeerAddHandshake, updatePeer } from "../olm/peers";
 import { eq, and } from "drizzle-orm";
@@ -69,6 +80,7 @@ export async function buildClientConfigurationForNewtClient(
                    //         )
                    //     );
                    if (!client.clientSitesAssociationsCache.isJitMode) { // if we are adding sites through jit then dont add the site to the olm
                        // update the peer info on the olm
                        // if the peer has not been added yet this will be a no-op
                        await updatePeer(client.clients.clientId, {
@@ -103,6 +115,7 @@ export async function buildClientConfigurationForNewtClient(
                                }
                            }
                        );
                    }
                    return {
                        publicKey: client.clients.pubKey!,
@@ -188,7 +201,8 @@ export async function buildTargetConfigurationForNewtClient(siteId: number) {
            hcTimeout: targetHealthCheck.hcTimeout,
            hcHeaders: targetHealthCheck.hcHeaders,
            hcMethod: targetHealthCheck.hcMethod,
-            hcTlsServerName: targetHealthCheck.hcTlsServerName
+            hcTlsServerName: targetHealthCheck.hcTlsServerName,
            hcStatus: targetHealthCheck.hcStatus
        })
        .from(targets)
        .innerJoin(resources, eq(targets.resourceId, resources.resourceId))
@@ -261,7 +275,8 @@ export async function buildTargetConfigurationForNewtClient(siteId: number) {
            hcTimeout: target.hcTimeout, // in seconds
            hcHeaders: hcHeadersSend,
            hcMethod: target.hcMethod,
-            hcTlsServerName: target.hcTlsServerName
+            hcTlsServerName: target.hcTlsServerName,
            hcStatus: target.hcStatus
        };
    });
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -104,11 +104,11 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
            const payload = {
                oldDestination: {
                    destinationIP: existingSite.subnet?.split("/")[0],
-                    destinationPort: existingSite.listenPort
+                    destinationPort: existingSite.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
                },
                newDestination: {
                    destinationIP: site.subnet?.split("/")[0],
-                    destinationPort: site.listenPort
+                    destinationPort: site.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
                }
            };
--- a/server/routers/olm/buildConfiguration.ts
+++ b/server/routers/olm/buildConfiguration.ts
@@ -1,5 +1,17 @@
-import { Client, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, exitNodes, siteResources, sites } from "@server/db";
+import {
-import { generateAliasConfig, generateRemoteSubnets } from "@server/lib/ip";
+    Client,
    clientSiteResourcesAssociationsCache,
    clientSitesAssociationsCache,
    db,
    exitNodes,
    siteResources,
    sites
 } from "@server/db";
 import {
    Alias,
    generateAliasConfig,
    generateRemoteSubnets
 } from "@server/lib/ip";
 import logger from "@server/logger";
 import { and, eq } from "drizzle-orm";
 import { addPeer, deletePeer } from "../newt/peers";
@@ -8,9 +20,19 @@ import config from "@server/lib/config";
 export async function buildSiteConfigurationForOlmClient(
    client: Client,
    publicKey: string | null,
-    relay: boolean
+    relay: boolean,
    jitMode: boolean = false
 ) {
-    const siteConfigurations = [];
+    const siteConfigurations: {
        siteId: number;
        name?: string
        endpoint?: string
        publicKey?: string
        serverIP?: string | null
        serverPort?: number | null
        remoteSubnets?: string[];
        aliases: Alias[];
    }[] = [];
    // Get all sites data
    const sitesData = await db
@@ -27,6 +49,40 @@ export async function buildSiteConfigurationForOlmClient(
        sites: site,
        clientSitesAssociationsCache: association
    } of sitesData) {
        const allSiteResources = await db // only get the site resources that this client has access to
            .select()
            .from(siteResources)
            .innerJoin(
                clientSiteResourcesAssociationsCache,
                eq(
                    siteResources.siteResourceId,
                    clientSiteResourcesAssociationsCache.siteResourceId
                )
            )
            .where(
                and(
                    eq(siteResources.siteId, site.siteId),
                    eq(
                        clientSiteResourcesAssociationsCache.clientId,
                        client.clientId
                    )
                )
            );
        if (jitMode) {
            // Add site configuration to the array
            siteConfigurations.push({
                siteId: site.siteId,
                // remoteSubnets: generateRemoteSubnets(
                //     allSiteResources.map(({ siteResources }) => siteResources)
                // ),
                aliases: generateAliasConfig(
                    allSiteResources.map(({ siteResources }) => siteResources)
                )
            });
            continue;
        }
        if (!site.exitNodeId) {
            logger.warn(
                `Site ${site.siteId} does not have exit node, skipping`
@@ -42,6 +98,13 @@ export async function buildSiteConfigurationForOlmClient(
            continue;
        }
        if (!site.publicKey || site.publicKey == "") { // the site is not ready to accept new peers
            logger.warn(
                `Site ${site.siteId} has no public key, skipping`
            );
            continue;
        }
        // if (site.lastHolePunch && now - site.lastHolePunch > 6 && relay) {
        //     logger.warn(
        //         `Site ${site.siteId} last hole punch is too old, skipping`
@@ -103,26 +166,6 @@ export async function buildSiteConfigurationForOlmClient(
            relayEndpoint = `${exitNode.endpoint}:${config.getRawConfig().gerbil.clients_start_port}`;
        }
        const allSiteResources = await db // only get the site resources that this client has access to
            .select()
            .from(siteResources)
            .innerJoin(
                clientSiteResourcesAssociationsCache,
                eq(
                    siteResources.siteResourceId,
                    clientSiteResourcesAssociationsCache.siteResourceId
                )
            )
            .where(
                and(
                    eq(siteResources.siteId, site.siteId),
                    eq(
                        clientSiteResourcesAssociationsCache.clientId,
                        client.clientId
                    )
                )
            );
        // Add site configuration to the array
        siteConfigurations.push({
            siteId: site.siteId,
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -17,6 +17,8 @@ import { getUserDeviceName } from "@server/db/names";
 import { buildSiteConfigurationForOlmClient } from "./buildConfiguration";
 import { OlmErrorCodes, sendOlmError } from "./error";
 import { handleFingerprintInsertion } from "./fingerprintingUtils";
 import { Alias } from "@server/lib/ip";
 import { build } from "@server/build";
 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    logger.info("Handling register olm message!");
@@ -207,6 +209,32 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        }
    }
    // Get all sites data
    const sitesCountResult = await db
        .select({ count: count() })
        .from(sites)
        .innerJoin(
            clientSitesAssociationsCache,
            eq(sites.siteId, clientSitesAssociationsCache.siteId)
        )
        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
    // Extract the count value from the result array
    const sitesCount =
        sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;
    // Prepare an array to store site configurations
    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
    let jitMode = true;
    if (sitesCount > 250 && build == "saas") {
        // THIS IS THE MAX ON THE BUSINESS TIER
        // we have too many sites
        // If we have too many sites we need to drop into fully JIT mode by not sending any of the sites
        logger.info("Too many sites (%d), dropping into JIT mode", sitesCount);
        jitMode = true;
    }
    logger.debug(
        `Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`
    );
@@ -233,28 +261,12 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        await db
            .update(clientSitesAssociationsCache)
            .set({
-                isRelayed: relay == true
+                isRelayed: relay == true,
                isJitMode: jitMode
            })
            .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
    }
    // Get all sites data
    const sitesCountResult = await db
        .select({ count: count() })
        .from(sites)
        .innerJoin(
            clientSitesAssociationsCache,
            eq(sites.siteId, clientSitesAssociationsCache.siteId)
        )
        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
    // Extract the count value from the result array
    const sitesCount =
        sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;
    // Prepare an array to store site configurations
    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
    // this prevents us from accepting a register from an olm that has not hole punched yet.
    // the olm will pump the register so we can keep checking
    // TODO: I still think there is a better way to do this rather than locking it out here but ???
@@ -269,15 +281,10 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    const siteConfigurations = await buildSiteConfigurationForOlmClient(
        client,
        publicKey,
-        relay
+        relay,
        jitMode
    );
    // REMOVED THIS SO IT CREATES THE INTERFACE AND JUST WAITS FOR THE SITES
    // if (siteConfigurations.length === 0) {
    //     logger.warn("No valid site configurations found");
    //     return;
    // }
    // Return connect message with all site configurations
    return {
        message: {
--- a/server/routers/olm/handleOlmRelayMessage.ts
+++ b/server/routers/olm/handleOlmRelayMessage.ts
@@ -18,7 +18,7 @@ export const handleOlmRelayMessage: MessageHandler = async (context) => {
    }
    if (!olm.clientId) {
-        logger.warn("Olm has no site!"); // TODO: Maybe we create the site here?
+        logger.warn("Olm has no client!");
        return;
    }
@@ -41,7 +41,7 @@ export const handleOlmRelayMessage: MessageHandler = async (context) => {
        return;
    }
-    const { siteId } = message.data;
+    const { siteId, chainId } = message.data;
    // Get the site
    const [site] = await db
@@ -90,7 +90,8 @@ export const handleOlmRelayMessage: MessageHandler = async (context) => {
            data: {
                siteId: siteId,
                relayEndpoint: exitNode.endpoint,
-                relayPort: config.getRawConfig().gerbil.clients_start_port
+                relayPort: config.getRawConfig().gerbil.clients_start_port,
                chainId
            }
        },
        broadcast: false,
--- a/server/routers/olm/handleOlmServerInitAddPeerHandshake.ts
+++ b/server/routers/olm/handleOlmServerInitAddPeerHandshake.ts
@@ -0,0 +1,241 @@
 import {
    clientSiteResourcesAssociationsCache,
    clientSitesAssociationsCache,
    db,
    exitNodes,
    Site,
    siteResources
 } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { clients, Olm, sites } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { initPeerAddHandshake } from "./peers";
 export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
    context
 ) => {
    logger.info("Handling register olm message!");
    const { message, client: c, sendToClient } = context;
    const olm = c as Olm;
    if (!olm) {
        logger.warn("Olm not found");
        return;
    }
    if (!olm.clientId) {
        logger.warn("Olm has no client!"); // TODO: Maybe we create the site here?
        return;
    }
    const clientId = olm.clientId;
    const [client] = await db
        .select()
        .from(clients)
        .where(eq(clients.clientId, clientId))
        .limit(1);
    if (!client) {
        logger.warn("Client not found");
        return;
    }
    const { siteId, resourceId, chainId } = message.data;
    let site: Site | null = null;
    if (siteId) {
        // get the site
        const [siteRes] = await db
            .select()
            .from(sites)
            .where(eq(sites.siteId, siteId))
            .limit(1);
        if (siteRes) {
            site = siteRes;
        }
    }
    if (resourceId && !site) {
        const resources = await db
            .select()
            .from(siteResources)
            .where(
                and(
                    or(
                        eq(siteResources.niceId, resourceId),
                        eq(siteResources.alias, resourceId)
                    ),
                    eq(siteResources.orgId, client.orgId)
                )
            );
        if (!resources || resources.length === 0) {
            logger.error(`handleOlmServerPeerAddMessage: Resource not found`);
            // cancel the request from the olm side to not keep doing this
            await sendToClient(
                olm.olmId,
                {
                    type: "olm/wg/peer/chain/cancel",
                    data: {
                        chainId
                    }
                },
                { incrementConfigVersion: false }
            ).catch((error) => {
                logger.warn(`Error sending message:`, error);
            });
            return;
        }
        if (resources.length > 1) {
            // error but this should not happen because the nice id cant contain a dot and the alias has to have a dot and both have to be unique within the org so there should never be multiple matches
            logger.error(
                `handleOlmServerPeerAddMessage: Multiple resources found matching the criteria`
            );
            return;
        }
        const resource = resources[0];
        const currentResourceAssociationCaches = await db
            .select()
            .from(clientSiteResourcesAssociationsCache)
            .where(
                and(
                    eq(
                        clientSiteResourcesAssociationsCache.siteResourceId,
                        resource.siteResourceId
                    ),
                    eq(
                        clientSiteResourcesAssociationsCache.clientId,
                        client.clientId
                    )
                )
            );
        if (currentResourceAssociationCaches.length === 0) {
            logger.error(
                `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to resource ${resource.siteResourceId}`
            );
            // cancel the request from the olm side to not keep doing this
            await sendToClient(
                olm.olmId,
                {
                    type: "olm/wg/peer/chain/cancel",
                    data: {
                        chainId
                    }
                },
                { incrementConfigVersion: false }
            ).catch((error) => {
                logger.warn(`Error sending message:`, error);
            });
            return;
        }
        const siteIdFromResource = resource.siteId;
        // get the site
        const [siteRes] = await db
            .select()
            .from(sites)
            .where(eq(sites.siteId, siteIdFromResource));
        if (!siteRes) {
            logger.error(
                `handleOlmServerPeerAddMessage: Site with ID ${site} not found`
            );
            return;
        }
        site = siteRes;
    }
    if (!site) {
        logger.error(`handleOlmServerPeerAddMessage: Site not found`);
        return;
    }
    // check if the client can access this site using the cache
    const currentSiteAssociationCaches = await db
        .select()
        .from(clientSitesAssociationsCache)
        .where(
            and(
                eq(clientSitesAssociationsCache.clientId, client.clientId),
                eq(clientSitesAssociationsCache.siteId, site.siteId)
            )
        );
    if (currentSiteAssociationCaches.length === 0) {
        logger.error(
            `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to site ${site.siteId}`
        );
        // cancel the request from the olm side to not keep doing this
        await sendToClient(
            olm.olmId,
            {
                type: "olm/wg/peer/chain/cancel",
                data: {
                    chainId
                }
            },
            { incrementConfigVersion: false }
        ).catch((error) => {
            logger.warn(`Error sending message:`, error);
        });
        return;
    }
    if (!site.exitNodeId) {
        logger.error(
            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
        );
        // cancel the request from the olm side to not keep doing this
        await sendToClient(
            olm.olmId,
            {
                type: "olm/wg/peer/chain/cancel",
                data: {
                    chainId
                }
            },
            { incrementConfigVersion: false }
        ).catch((error) => {
            logger.warn(`Error sending message:`, error);
        });
        return;
    }
    // get the exit node from the side
    const [exitNode] = await db
        .select()
        .from(exitNodes)
        .where(eq(exitNodes.exitNodeId, site.exitNodeId));
    if (!exitNode) {
        logger.error(
            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
        );
        return;
    }
    // also trigger the peer add handshake in case the peer was not already added to the olm and we need to hole punch
    // if it has already been added this will be a no-op
    await initPeerAddHandshake(
        // this will kick off the add peer process for the client
        client.clientId,
        {
            siteId: site.siteId,
            exitNode: {
                publicKey: exitNode.publicKey,
                endpoint: exitNode.endpoint
            }
        },
        olm.olmId,
        chainId
    );
    return;
 };
--- a/server/routers/olm/handleOlmServerPeerAddMessage.ts
+++ b/server/routers/olm/handleOlmServerPeerAddMessage.ts
@@ -54,7 +54,7 @@ export const handleOlmServerPeerAddMessage: MessageHandler = async (
        return;
    }
-    const { siteId } = message.data;
+    const { siteId, chainId } = message.data;
    // get the site
    const [site] = await db
@@ -179,7 +179,8 @@ export const handleOlmServerPeerAddMessage: MessageHandler = async (
                ),
                aliases: generateAliasConfig(
                    allSiteResources.map(({ siteResources }) => siteResources)
-                )
+                ),
                chainId: chainId,
            }
        },
        broadcast: false,
--- a/server/routers/olm/handleOlmUnRelayMessage.ts
+++ b/server/routers/olm/handleOlmUnRelayMessage.ts
@@ -17,7 +17,7 @@ export const handleOlmUnRelayMessage: MessageHandler = async (context) => {
    }
    if (!olm.clientId) {
-        logger.warn("Olm has no site!"); // TODO: Maybe we create the site here?
+        logger.warn("Olm has no client!");
        return;
    }
@@ -40,7 +40,7 @@ export const handleOlmUnRelayMessage: MessageHandler = async (context) => {
        return;
    }
-    const { siteId } = message.data;
+    const { siteId, chainId } = message.data;
    // Get the site
    const [site] = await db
@@ -87,7 +87,8 @@ export const handleOlmUnRelayMessage: MessageHandler = async (context) => {
            type: "olm/wg/peer/unrelay",
            data: {
                siteId: siteId,
-                endpoint: site.endpoint
+                endpoint: site.endpoint,
                chainId
            }
        },
        broadcast: false,
--- a/server/routers/olm/index.ts
+++ b/server/routers/olm/index.ts
@@ -11,3 +11,4 @@ export * from "./handleOlmServerPeerAddMessage";
 export * from "./handleOlmUnRelayMessage";
 export * from "./recoverOlmWithFingerprint";
 export * from "./handleOlmDisconnectingMessage";
 export * from "./handleOlmServerInitAddPeerHandshake";
--- a/server/routers/olm/peers.ts
+++ b/server/routers/olm/peers.ts
@@ -1,8 +1,8 @@
 import { sendToClient } from "#dynamic/routers/ws";
-import { db, olms } from "@server/db";
+import { clientSitesAssociationsCache, db, olms } from "@server/db";
 import config from "@server/lib/config";
 import logger from "@server/logger";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { Alias } from "yaml";
 export async function addPeer(
@@ -149,7 +149,8 @@ export async function initPeerAddHandshake(
            endpoint: string;
        };
    },
-    olmId?: string
+    olmId?: string,
    chainId?: string
 ) {
    if (!olmId) {
        const [olm] = await db
@@ -173,7 +174,8 @@ export async function initPeerAddHandshake(
                    publicKey: peer.exitNode.publicKey,
                    relayPort: config.getRawConfig().gerbil.clients_start_port,
                    endpoint: peer.exitNode.endpoint
-                }
+                },
                chainId
            }
        },
        { incrementConfigVersion: true }
@@ -181,6 +183,17 @@ export async function initPeerAddHandshake(
        logger.warn(`Error sending message:`, error);
    });
    // update the clientSiteAssociationsCache to make the isJitMode flag false so that JIT mode is disabled for this site if it restarts or something after the connection
    await db
        .update(clientSitesAssociationsCache)
        .set({ isJitMode: false })
        .where(
            and(
                eq(clientSitesAssociationsCache.clientId, clientId),
                eq(clientSitesAssociationsCache.siteId, peer.siteId)
            )
        );
    logger.info(
        `Initiated peer add handshake for site ${peer.siteId} to olm ${olmId}`
    );
--- a/server/routers/ws/messageHandlers.ts
+++ b/server/routers/ws/messageHandlers.ts
@@ -15,7 +15,8 @@ import {
    startOlmOfflineChecker,
    handleOlmServerPeerAddMessage,
    handleOlmUnRelayMessage,
-    handleOlmDisconnecingMessage
+    handleOlmDisconnecingMessage,
    handleOlmServerInitAddPeerHandshake
 } from "../olm";
 import { handleHealthcheckStatusMessage } from "../target";
 import { handleRoundTripMessage } from "./handleRoundTripMessage";
@@ -23,6 +24,7 @@ import { MessageHandler } from "./types";
 export const messageHandlers: Record<string, MessageHandler> = {
    "olm/wg/server/peer/add": handleOlmServerPeerAddMessage,
    "olm/wg/server/peer/init": handleOlmServerInitAddPeerHandshake,
    "olm/wg/register": handleOlmRegisterMessage,
    "olm/wg/relay": handleOlmRelayMessage,
    "olm/wg/unrelay": handleOlmUnRelayMessage,
--- a/src/app/[orgId]/settings/(private)/billing/page.tsx
+++ b/src/app/[orgId]/settings/(private)/billing/page.tsx
@@ -35,11 +35,7 @@ import {
 } from "@app/components/Credenza";
 import { cn } from "@app/lib/cn";
 import { CreditCard, ExternalLink, Check, AlertTriangle } from "lucide-react";
-import {
+import { Alert, AlertTitle, AlertDescription } from "@app/components/ui/alert";
    Alert,
    AlertTitle,
    AlertDescription
 } from "@app/components/ui/alert";
 import {
    Tooltip,
    TooltipTrigger,
@@ -69,6 +65,7 @@ type PlanOption = {
    price: string;
    priceDetail?: string;
    tierType: Tier | null;
    features: string[];
 };
 const planOptions: PlanOption[] = [
@@ -76,41 +73,87 @@ const planOptions: PlanOption[] = [
        id: "basic",
        name: "Basic",
        price: "Free",
-        tierType: null
+        tierType: null,
        features: [
            "Basic Pangolin features",
            "Free provided domains",
            "Web-based proxy resources",
            "Private resources and clients",
            "Peer-to-peer connections"
        ]
    },
    {
        id: "home",
        name: "Home",
        price: "$12.50",
        priceDetail: "/ month",
-        tierType: "tier1"
+        tierType: "tier1",
        features: [
            "Everything in Basic",
            "OAuth2/OIDC, Google, & Azure SSO",
            "Bring your own identity provider",
            "Pangolin SSH",
            "Custom branding",
            "Device admin approvals"
        ]
    },
    {
        id: "team",
        name: "Team",
        price: "$4",
        priceDetail: "per user / month",
-        tierType: "tier2"
+        tierType: "tier2",
        features: [
            "Everything in Basic",
            "Custom domains",
            "OAuth2/OIDC, Google, & Azure SSO",
            "Access and action audit logs",
            "Device posture information"
        ]
    },
    {
        id: "business",
        name: "Business",
        price: "$9",
        priceDetail: "per user / month",
-        tierType: "tier3"
+        tierType: "tier3",
        features: [
            "Everything in Team",
            "Multiple organizations (multi-tenancy)",
            "Auto-provisioning via IdP",
            "Pangolin SSH",
            "Device approvals",
            "Custom branding",
            "Business support"
        ]
    },
    {
        id: "enterprise",
        name: "Enterprise",
        price: "Custom",
-        tierType: null
+        tierType: null,
        features: [
            "Everything in Business",
            "Custom limits",
            "Priority support and SLA",
            "Log push and export",
            "Private and Gov-Cloud deployment options",
            "Dedicated, premium relay/exit nodes",
            "Pay by invoice "
        ]
    }
 ];
 // Tier limits mapping derived from limit sets
 const tierLimits: Record<
    Tier | "basic",
-    { users: number; sites: number; domains: number; remoteNodes: number; organizations: number }
+    {
        users: number;
        sites: number;
        domains: number;
        remoteNodes: number;
        organizations: number;
    }
 > = {
    basic: {
        users: freeLimitSet[FeatureId.USERS]?.value ?? 0,
@@ -463,7 +506,10 @@ export default function BillingPage() {
    const isProblematicState = hasProblematicSubscription();
    // Get user-friendly subscription status message
-    const getSubscriptionStatusMessage = (): { title: string; description: string } | null => {
+    const getSubscriptionStatusMessage = (): {
        title: string;
        description: string;
    } | null => {
        if (!tierSubscription?.subscription || !isProblematicState) return null;
        const status = tierSubscription.subscription.status;
@@ -472,22 +518,31 @@ export default function BillingPage() {
            case "past_due":
                return {
                    title: t("billingPastDueTitle") || "Payment Past Due",
-                    description: t("billingPastDueDescription") || "Your payment is past due. Please update your payment method to continue using your current plan features. If not resolved, your subscription will be canceled and you'll be reverted to the free tier."
+                    description:
                        t("billingPastDueDescription") ||
                        "Your payment is past due. Please update your payment method to continue using your current plan features. If not resolved, your subscription will be canceled and you'll be reverted to the free tier."
                };
            case "unpaid":
                return {
                    title: t("billingUnpaidTitle") || "Subscription Unpaid",
-                    description: t("billingUnpaidDescription") || "Your subscription is unpaid and you have been reverted to the free tier. Please update your payment method to restore your subscription."
+                    description:
                        t("billingUnpaidDescription") ||
                        "Your subscription is unpaid and you have been reverted to the free tier. Please update your payment method to restore your subscription."
                };
            case "incomplete":
                return {
                    title: t("billingIncompleteTitle") || "Payment Incomplete",
-                    description: t("billingIncompleteDescription") || "Your payment is incomplete. Please complete the payment process to activate your subscription."
+                    description:
                        t("billingIncompleteDescription") ||
                        "Your payment is incomplete. Please complete the payment process to activate your subscription."
                };
            case "incomplete_expired":
                return {
-                    title: t("billingIncompleteExpiredTitle") || "Payment Expired",
+                    title:
-                    description: t("billingIncompleteExpiredDescription") || "Your payment was never completed and has expired. You have been reverted to the free tier. Please subscribe again to restore access to paid features."
+                        t("billingIncompleteExpiredTitle") || "Payment Expired",
                    description:
                        t("billingIncompleteExpiredDescription") ||
                        "Your payment was never completed and has expired. You have been reverted to the free tier. Please subscribe again to restore access to paid features."
                };
            default:
                return null;
@@ -509,7 +564,11 @@ export default function BillingPage() {
        if (plan.id === currentPlanId) {
            // If it's the basic plan (basic with no subscription), show as current but disabled
-            if (plan.id === "basic" && !hasSubscription && !isProblematicState) {
+            if (
                plan.id === "basic" &&
                !hasSubscription &&
                !isProblematicState
            ) {
                return {
                    label: "Current Plan",
                    action: () => {},
@@ -632,7 +691,9 @@ export default function BillingPage() {
    };
    // Check if downgrading to a tier would violate current usage limits
-    const checkLimitViolations = (targetTier: Tier | "basic"): Array<{
+    const checkLimitViolations = (
        targetTier: Tier | "basic"
    ): Array<{
        feature: string;
        currentUsage: number;
        newLimit: number;
@@ -687,7 +748,10 @@ export default function BillingPage() {
        // Check organizations
        const organizationsUsage = getUsageValue(ORGINIZATIONS);
-        if (limits.organizations > 0 && organizationsUsage > limits.organizations) {
+        if (
            limits.organizations > 0 &&
            organizationsUsage > limits.organizations
        ) {
            violations.push({
                feature: "Organizations",
                currentUsage: organizationsUsage,
@@ -712,17 +776,15 @@ export default function BillingPage() {
            {isProblematicState && statusMessage && (
                <Alert variant="destructive" className="mb-6">
                    <AlertTriangle className="h-4 w-4" />
-                    <AlertTitle>
+                    <AlertTitle>{statusMessage.title}</AlertTitle>
                        {statusMessage.title}
                    </AlertTitle>
                    <AlertDescription>
-                        {statusMessage.description}
+                        {statusMessage.description}{" "}
                        {" "}
                        <button
                            onClick={handleModifySubscription}
                            className="underline font-semibold hover:no-underline"
                        >
-                            {t("billingManageSubscription") || "Manage your subscription"}
+                            {t("billingManageSubscription") ||
                                "Manage your subscription"}
                        </button>
                    </AlertDescription>
                </Alert>
@@ -772,7 +834,10 @@ export default function BillingPage() {
                                        </div>
                                    </div>
                                    <div className="mt-4">
-                                        {isProblematicState && planAction.disabled && !isCurrentPlan && plan.id !== "enterprise" ? (
+                                        {isProblematicState &&
                                        planAction.disabled &&
                                        !isCurrentPlan &&
                                        plan.id !== "enterprise" ? (
                                            <Tooltip>
                                                <TooltipTrigger asChild>
                                                    <div>
@@ -784,18 +849,29 @@ export default function BillingPage() {
                                                            }
                                                            size="sm"
                                                            className="w-full"
-                                                            onClick={planAction.action}
+                                                            onClick={
-                                                            disabled={
+                                                                planAction.action
-                                                                isLoading || planAction.disabled
+                                                            }
                                                            disabled={
                                                                isLoading ||
                                                                planAction.disabled
                                                            }
                                                            loading={
                                                                isLoading &&
                                                                isCurrentPlan
                                                            }
                                                            loading={isLoading && isCurrentPlan}
                                                        >
                                                            {planAction.label}
                                                        </Button>
                                                    </div>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingResolvePaymentIssue") || "Please resolve your payment issue before upgrading or downgrading"}</p>
+                                                    <p>
                                                        {t(
                                                            "billingResolvePaymentIssue"
                                                        ) ||
                                                            "Please resolve your payment issue before upgrading or downgrading"}
                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -809,9 +885,12 @@ export default function BillingPage() {
                                                className="w-full"
                                                onClick={planAction.action}
                                                disabled={
-                                                    isLoading || planAction.disabled
+                                                    isLoading ||
                                                    planAction.disabled
                                                }
                                                loading={
                                                    isLoading && isCurrentPlan
                                                }
                                                loading={isLoading && isCurrentPlan}
                                            >
                                                {planAction.label}
                                            </Button>
@@ -886,18 +965,38 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
+                                                        )}
                                                    >
                                                        {getLimitValue(USERS) ??
-                                                            t("billingUnlimited") ??
+                                                            t(
                                                                "billingUnlimited"
                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(USERS) !== null &&
+                                                        {getLimitValue(
-                                                            "users"}
+                                                            USERS
                                                        ) !== null && "users"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(USERS), limit: getLimitValue(USERS) ?? 0 }) || `Current usage (${getUsageValue(USERS)}) exceeds limit (${getLimitValue(USERS)})`}</p>
+                                                    <p>
                                                        {t(
                                                            "billingUsageExceedsLimit",
                                                            {
                                                                current:
                                                                    getUsageValue(
                                                                        USERS
                                                                    ),
                                                                limit:
                                                                    getLimitValue(
                                                                        USERS
                                                                    ) ?? 0
                                                            }
                                                        ) ||
                                                            `Current usage (${getUsageValue(USERS)}) exceeds limit (${getLimitValue(USERS)})`}
                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -905,8 +1004,8 @@ export default function BillingPage() {
                                                {getLimitValue(USERS) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(USERS) !== null &&
+                                                {getLimitValue(USERS) !==
-                                                    "users"}
+                                                    null && "users"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -920,18 +1019,38 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
+                                                        )}
                                                    >
                                                        {getLimitValue(SITES) ??
-                                                            t("billingUnlimited") ??
+                                                            t(
                                                                "billingUnlimited"
                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(SITES) !== null &&
+                                                        {getLimitValue(
-                                                            "sites"}
+                                                            SITES
                                                        ) !== null && "sites"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(SITES), limit: getLimitValue(SITES) ?? 0 }) || `Current usage (${getUsageValue(SITES)}) exceeds limit (${getLimitValue(SITES)})`}</p>
+                                                    <p>
                                                        {t(
                                                            "billingUsageExceedsLimit",
                                                            {
                                                                current:
                                                                    getUsageValue(
                                                                        SITES
                                                                    ),
                                                                limit:
                                                                    getLimitValue(
                                                                        SITES
                                                                    ) ?? 0
                                                            }
                                                        ) ||
                                                            `Current usage (${getUsageValue(SITES)}) exceeds limit (${getLimitValue(SITES)})`}
                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -939,8 +1058,8 @@ export default function BillingPage() {
                                                {getLimitValue(SITES) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(SITES) !== null &&
+                                                {getLimitValue(SITES) !==
-                                                    "sites"}
+                                                    null && "sites"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -954,18 +1073,40 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
+                                                        )}
-                                                        {getLimitValue(DOMAINS) ??
+                                                    >
-                                                            t("billingUnlimited") ??
+                                                        {getLimitValue(
                                                            DOMAINS
                                                        ) ??
                                                            t(
                                                                "billingUnlimited"
                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(DOMAINS) !== null &&
+                                                        {getLimitValue(
-                                                            "domains"}
+                                                            DOMAINS
                                                        ) !== null && "domains"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(DOMAINS), limit: getLimitValue(DOMAINS) ?? 0 }) || `Current usage (${getUsageValue(DOMAINS)}) exceeds limit (${getLimitValue(DOMAINS)})`}</p>
+                                                    <p>
                                                        {t(
                                                            "billingUsageExceedsLimit",
                                                            {
                                                                current:
                                                                    getUsageValue(
                                                                        DOMAINS
                                                                    ),
                                                                limit:
                                                                    getLimitValue(
                                                                        DOMAINS
                                                                    ) ?? 0
                                                            }
                                                        ) ||
                                                            `Current usage (${getUsageValue(DOMAINS)}) exceeds limit (${getLimitValue(DOMAINS)})`}
                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -973,8 +1114,8 @@ export default function BillingPage() {
                                                {getLimitValue(DOMAINS) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(DOMAINS) !== null &&
+                                                {getLimitValue(DOMAINS) !==
-                                                    "domains"}
+                                                    null && "domains"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -989,18 +1130,40 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
+                                                        )}
-                                                        {getLimitValue(ORGINIZATIONS) ??
+                                                    >
-                                                            t("billingUnlimited") ??
+                                                        {getLimitValue(
                                                            ORGINIZATIONS
                                                        ) ??
                                                            t(
                                                                "billingUnlimited"
                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(ORGINIZATIONS) !==
+                                                        {getLimitValue(
-                                                            null && "orgs"}
+                                                            ORGINIZATIONS
                                                        ) !== null && "orgs"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(ORGINIZATIONS), limit: getLimitValue(ORGINIZATIONS) ?? 0 }) || `Current usage (${getUsageValue(ORGINIZATIONS)}) exceeds limit (${getLimitValue(ORGINIZATIONS)})`}</p>
+                                                    <p>
                                                        {t(
                                                            "billingUsageExceedsLimit",
                                                            {
                                                                current:
                                                                    getUsageValue(
                                                                        ORGINIZATIONS
                                                                    ),
                                                                limit:
                                                                    getLimitValue(
                                                                        ORGINIZATIONS
                                                                    ) ?? 0
                                                            }
                                                        ) ||
                                                            `Current usage (${getUsageValue(ORGINIZATIONS)}) exceeds limit (${getLimitValue(ORGINIZATIONS)})`}
                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
@@ -1008,8 +1171,9 @@ export default function BillingPage() {
                                                {getLimitValue(ORGINIZATIONS) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(ORGINIZATIONS) !==
+                                                {getLimitValue(
-                                                    null && "orgs"}
+                                                    ORGINIZATIONS
                                                ) !== null && "orgs"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -1024,27 +1188,52 @@ export default function BillingPage() {
                                            <Tooltip>
                                                <TooltipTrigger className="flex items-center gap-1">
                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
-                                                    <span className={cn(
+                                                    <span
                                                        className={cn(
                                                            "text-orange-600 dark:text-orange-400 font-medium"
-                                                    )}>
+                                                        )}
-                                                        {getLimitValue(REMOTE_EXIT_NODES) ??
+                                                    >
-                                                            t("billingUnlimited") ??
+                                                        {getLimitValue(
                                                            REMOTE_EXIT_NODES
                                                        ) ??
                                                            t(
                                                                "billingUnlimited"
                                                            ) ??
                                                            "∞"}{" "}
-                                                        {getLimitValue(REMOTE_EXIT_NODES) !==
+                                                        {getLimitValue(
-                                                            null && "nodes"}
+                                                            REMOTE_EXIT_NODES
                                                        ) !== null && "nodes"}
                                                    </span>
                                                </TooltipTrigger>
                                                <TooltipContent>
-                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(REMOTE_EXIT_NODES), limit: getLimitValue(REMOTE_EXIT_NODES) ?? 0 }) || `Current usage (${getUsageValue(REMOTE_EXIT_NODES)}) exceeds limit (${getLimitValue(REMOTE_EXIT_NODES)})`}</p>
+                                                    <p>
                                                        {t(
                                                            "billingUsageExceedsLimit",
                                                            {
                                                                current:
                                                                    getUsageValue(
                                                                        REMOTE_EXIT_NODES
                                                                    ),
                                                                limit:
                                                                    getLimitValue(
                                                                        REMOTE_EXIT_NODES
                                                                    ) ?? 0
                                                            }
                                                        ) ||
                                                            `Current usage (${getUsageValue(REMOTE_EXIT_NODES)}) exceeds limit (${getLimitValue(REMOTE_EXIT_NODES)})`}
                                                    </p>
                                                </TooltipContent>
                                            </Tooltip>
                                        ) : (
                                            <>
-                                                {getLimitValue(REMOTE_EXIT_NODES) ??
+                                                {getLimitValue(
                                                    REMOTE_EXIT_NODES
                                                ) ??
                                                    t("billingUnlimited") ??
                                                    "∞"}{" "}
-                                                {getLimitValue(REMOTE_EXIT_NODES) !==
+                                                {getLimitValue(
-                                                    null && "nodes"}
+                                                    REMOTE_EXIT_NODES
                                                ) !== null && "nodes"}
                                            </>
                                        )}
                                    </InfoSectionContent>
@@ -1072,7 +1261,8 @@ export default function BillingPage() {
                            <div className="flex flex-col md:flex-row items-start md:items-center justify-between gap-4 border rounded-lg p-4">
                                <div>
                                    <div className="text-sm text-muted-foreground mb-1">
-                                        {t("billingCurrentKeys") || "Current Keys"}
+                                        {t("billingCurrentKeys") ||
                                            "Current Keys"}
                                    </div>
                                    <div className="flex items-baseline gap-2">
                                        <span className="text-3xl font-bold">
@@ -1137,61 +1327,101 @@ export default function BillingPage() {
                                    </div>
                                </div>
                                {/* Features with check marks */}
                                {(() => {
                                    const plan = planOptions.find(
                                        (p) =>
                                            p.tierType === pendingTier.tier ||
                                            (pendingTier.tier === "basic" &&
                                                p.id === "basic")
                                    );
                                    return plan?.features?.length ? (
                                        <div>
                                            <h4 className="font-semibold mb-3">
                                                {"What's included:"}
                                            </h4>
                                            <div className="space-y-2">
                                                {plan.features.map(
                                                    (feature, i) => (
                                                        <div
                                                            key={i}
                                                            className="flex items-center gap-2"
                                                        >
                                                            <Check className="h-4 w-4 text-green-600 shrink-0" />
                                                            <span>
                                                                {feature}
                                                            </span>
                                                        </div>
                                                    )
                                                )}
                                            </div>
                                        </div>
                                    ) : null;
                                })()}
                                {/* Limits without check marks */}
                                {tierLimits[pendingTier.tier] && (
                                    <div>
                                        <h4 className="font-semibold mb-3">
-                                            {t("billingPlanIncludes") ||
+                                            {"Up to:"}
                                                "Plan Includes:"}
                                        </h4>
-                                        <div className="space-y-2">
+                                        <div className="space-y-2 text-sm text-muted-foreground">
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
+                                                        tierLimits[
-                                                            .users
+                                                            pendingTier.tier
                                                        ].users
                                                    }{" "}
-                                                    {t("billingUsers") || "Users"}
+                                                    {t("billingUsers") ||
                                                        "Users"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
+                                                        tierLimits[
-                                                            .sites
+                                                            pendingTier.tier
                                                        ].sites
                                                    }{" "}
-                                                    {t("billingSites") || "Sites"}
+                                                    {t("billingSites") ||
                                                        "Sites"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
+                                                        tierLimits[
-                                                            .domains
+                                                            pendingTier.tier
                                                        ].domains
                                                    }{" "}
                                                    {t("billingDomains") ||
                                                        "Domains"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
+                                                        tierLimits[
-                                                            .organizations
+                                                            pendingTier.tier
                                                        ].organizations
                                                    }{" "}
-                                                    {t("billingOrganizations") ||
+                                                    {t(
-                                                        "Organizations"}
+                                                        "billingOrganizations"
                                                    ) || "Organizations"}
                                                </span>
                                            </div>
                                            <div className="flex items-center gap-2">
-                                                <Check className="h-4 w-4 text-green-600" />
+                                                <span className="w-1.5 h-1.5 rounded-full bg-muted-foreground/50 shrink-0" />
                                                <span>
                                                    {
-                                                        tierLimits[pendingTier.tier]
+                                                        tierLimits[
-                                                            .remoteNodes
+                                                            pendingTier.tier
                                                        ].remoteNodes
                                                    }{" "}
                                                    {t("billingRemoteNodes") ||
                                                        "Remote Nodes"}
@@ -1202,26 +1432,63 @@ export default function BillingPage() {
                                )}
                                {/* Warning for limit violations when downgrading */}
-                                {pendingTier.action === "downgrade" && (() => {
+                                {pendingTier.action === "downgrade" &&
-                                    const violations = checkLimitViolations(pendingTier.tier);
+                                    (() => {
                                        const violations = checkLimitViolations(
                                            pendingTier.tier
                                        );
                                        if (violations.length > 0) {
                                            return (
                                                <Alert variant="destructive">
                                                    <AlertTriangle className="h-4 w-4" />
                                                    <AlertTitle>
-                                                    {t("billingLimitViolationWarning") || "Usage Exceeds New Plan Limits"}
+                                                        {t(
                                                            "billingLimitViolationWarning"
                                                        ) ||
                                                            "Usage Exceeds New Plan Limits"}
                                                    </AlertTitle>
                                                    <AlertDescription>
                                                        <p className="mb-3">
-                                                        {t("billingLimitViolationDescription") || "Your current usage exceeds the limits of this plan. The following features will be disabled until you reduce usage:"}
+                                                            {t(
                                                                "billingLimitViolationDescription"
                                                            ) ||
                                                                "Your current usage exceeds the limits of this plan. The following features will be disabled until you reduce usage:"}
                                                        </p>
                                                        <ul className="space-y-2">
-                                                        {violations.map((violation, index) => (
+                                                            {violations.map(
-                                                            <li key={index} className="flex items-center gap-2">
+                                                                (
-                                                                <span className="font-medium">{violation.feature}:</span>
+                                                                    violation,
-                                                                <span>Currently using {violation.currentUsage}, new limit is {violation.newLimit}</span>
+                                                                    index
                                                                ) => (
                                                                    <li
                                                                        key={
                                                                            index
                                                                        }
                                                                        className="flex items-center gap-2"
                                                                    >
                                                                        <span className="font-medium">
                                                                            {
                                                                                violation.feature
                                                                            }
                                                                            :
                                                                        </span>
                                                                        <span>
                                                                            Currently
                                                                            using{" "}
                                                                            {
                                                                                violation.currentUsage
                                                                            }
                                                                            ,
                                                                            new
                                                                            limit
                                                                            is{" "}
                                                                            {
                                                                                violation.newLimit
                                                                            }
                                                                        </span>
                                                                    </li>
-                                                        ))}
+                                                                )
                                                            )}
                                                        </ul>
                                                    </AlertDescription>
                                                </Alert>
@@ -1235,10 +1502,14 @@ export default function BillingPage() {
                                    <Alert variant="warning">
                                        <AlertTriangle className="h-4 w-4" />
                                        <AlertTitle>
-                                            {t("billingFeatureLossWarning") || "Feature Availability Notice"}
+                                            {t("billingFeatureLossWarning") ||
                                                "Feature Availability Notice"}
                                        </AlertTitle>
                                        <AlertDescription>
-                                            {t("billingFeatureLossDescription") || "By downgrading, features not available in the new plan will be automatically disabled. Some settings and configurations may be lost. Please review the pricing matrix to understand which features will no longer be available."}
+                                            {t(
                                                "billingFeatureLossDescription"
                                            ) ||
                                                "By downgrading, features not available in the new plan will be automatically disabled. Some settings and configurations may be lost. Please review the pricing matrix to understand which features will no longer be available."}
                                        </AlertDescription>
                                    </Alert>
                                )}
--- a/src/app/[orgId]/settings/domains/[domainId]/page.tsx
+++ b/src/app/[orgId]/settings/domains/[domainId]/page.tsx
@@ -69,6 +69,7 @@ export default async function DomainSettingsPage({
                    failed={domain.failed}
                    verified={domain.verified}
                    type={domain.type}
                    errorMessage={domain.errorMessage}
                />
                <DNSRecordsTable records={dnsRecords} type={domain.type} />
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -54,6 +54,7 @@ import {
    TooltipProvider,
    TooltipTrigger
 } from "@app/components/ui/tooltip";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
@@ -65,6 +66,7 @@ import { build } from "@server/build";
 import { Resource } from "@server/db";
 import { isTargetValid } from "@server/lib/validators";
 import { ListTargetsResponse } from "@server/routers/target";
 import { ListRemoteExitNodesResponse } from "@server/routers/remoteExitNode/types";
 import { ArrayElement } from "@server/types/ArrayElement";
 import { useQuery } from "@tanstack/react-query";
 import {
@@ -81,6 +83,7 @@ import {
    CircleCheck,
    CircleX,
    Info,
    InfoIcon,
    Plus,
    Settings,
    SquareArrowOutUpRight
@@ -210,6 +213,13 @@ export default function Page() {
        orgQueries.sites({ orgId: orgId as string })
    );
    const [remoteExitNodes, setRemoteExitNodes] = useState<
        ListRemoteExitNodesResponse["remoteExitNodes"]
    >([]);
    const [loadingExitNodes, setLoadingExitNodes] = useState(
        build === "saas"
    );
    const [createLoading, setCreateLoading] = useState(false);
    const [showSnippets, setShowSnippets] = useState(false);
    const [niceId, setNiceId] = useState<string>("");
@@ -224,6 +234,27 @@ export default function Page() {
        useState<LocalTarget | null>(null);
    const [healthCheckDialogOpen, setHealthCheckDialogOpen] = useState(false);
    useEffect(() => {
        if (build !== "saas") return;
        const fetchExitNodes = async () => {
            try {
                const res = await api.get<
                    AxiosResponse<ListRemoteExitNodesResponse>
                >(`/org/${orgId}/remote-exit-nodes`);
                if (res && res.status === 200) {
                    setRemoteExitNodes(res.data.data.remoteExitNodes);
                }
            } catch (e) {
                console.error("Failed to fetch remote exit nodes:", e);
            } finally {
                setLoadingExitNodes(false);
            }
        };
        fetchExitNodes();
    }, [orgId]);
    const [isAdvancedMode, setIsAdvancedMode] = useState(() => {
        if (typeof window !== "undefined") {
            const saved = localStorage.getItem("create-advanced-mode");
@@ -288,16 +319,26 @@ export default function Page() {
            description: t("resourceHTTPDescription")
        },
        ...(!env.flags.allowRawResources
            ? []
            : build === "saas" && remoteExitNodes.length === 0
              ? []
              : [
                    {
                        id: "raw" as ResourceType,
                        title: t("resourceRaw"),
-                      description: build == "saas" ? t("resourceRawDescriptionCloud") : t("resourceRawDescription")
+                        description:
                            build == "saas"
                                ? t("resourceRawDescriptionCloud")
                                : t("resourceRawDescription")
                    }
                ])
    ];
    // In saas mode with no exit nodes, force HTTP
    const showTypeSelector =
        build !== "saas" ||
        (!loadingExitNodes && remoteExitNodes.length > 0);
    const baseForm = useForm({
        resolver: zodResolver(baseResourceFormSchema),
        defaultValues: {
@@ -984,7 +1025,8 @@ export default function Page() {
                                    </SettingsSectionTitle>
                                </SettingsSectionHeader>
                                <SettingsSectionBody>
-                                    {resourceTypes.length > 1 && (
+                                    {showTypeSelector &&
                                        resourceTypes.length > 1 && (
                                            <>
                                                <div className="mb-2">
                                                    <span className="text-sm font-medium">
--- a/src/components/DomainInfoCard.tsx
+++ b/src/components/DomainInfoCard.tsx
@@ -10,17 +10,20 @@ import {
 import { useTranslations } from "next-intl";
 import { Badge } from "./ui/badge";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { AlertTriangle } from "lucide-react";
 type DomainInfoCardProps = {
    failed: boolean;
    verified: boolean;
    type: string | null;
    errorMessage?: string | null;
 };
 export default function DomainInfoCard({
    failed,
    verified,
-    type
+    type,
    errorMessage
 }: DomainInfoCardProps) {
    const t = useTranslations();
    const env = useEnvContext();
@@ -39,6 +42,7 @@ export default function DomainInfoCard({
    };
    return (
        <div className="space-y-3">
        <Alert>
            <AlertDescription>
                <InfoSections cols={3}>
@@ -79,5 +83,19 @@ export default function DomainInfoCard({
                </InfoSections>
            </AlertDescription>
        </Alert>
        {errorMessage && (failed || !verified) && (
            <Alert variant={failed ? "destructive" : "warning"}>
                <AlertTriangle className="h-4 w-4" />
                <AlertTitle>
                    {failed
                        ? t("domainErrorTitle", { fallback: "Domain Error" })
                        : t("domainPendingErrorTitle", { fallback: "Verification Issue" })}
                </AlertTitle>
                <AlertDescription className="font-mono text-xs break-all">
                    {errorMessage}
                </AlertDescription>
            </Alert>
        )}
        </div>
    );
 }
--- a/src/components/DomainsTable.tsx
+++ b/src/components/DomainsTable.tsx
@@ -27,6 +27,12 @@ import {
    DropdownMenuItem,
    DropdownMenuTrigger
 } from "./ui/dropdown-menu";
 import {
    Tooltip,
    TooltipContent,
    TooltipProvider,
    TooltipTrigger
 } from "./ui/tooltip";
 import Link from "next/link";
 export type DomainRow = {
@@ -39,6 +45,7 @@ export type DomainRow = {
    configManaged: boolean;
    certResolver: string;
    preferWildcardCert: boolean;
    errorMessage?: string | null;
 };
 type Props = {
@@ -175,7 +182,7 @@ export default function DomainsTable({ domains, orgId }: Props) {
            );
        },
        cell: ({ row }) => {
-            const { verified, failed, type } = row.original;
+            const { verified, failed, type, errorMessage } = row.original;
            if (verified) {
                return type == "wildcard" ? (
                    <Badge variant="outlinePrimary">{t("manual")}</Badge>
@@ -183,12 +190,44 @@ export default function DomainsTable({ domains, orgId }: Props) {
                    <Badge variant="green">{t("verified")}</Badge>
                );
            } else if (failed) {
                if (errorMessage) {
                    return (
                        <TooltipProvider>
                            <Tooltip>
                                <TooltipTrigger asChild>
                                    <Badge variant="red" className="cursor-help">
                                        {t("failed", { fallback: "Failed" })}
                                    </Badge>
                                </TooltipTrigger>
                                <TooltipContent className="max-w-xs">
                                    <p className="break-words">{errorMessage}</p>
                                </TooltipContent>
                            </Tooltip>
                        </TooltipProvider>
                    );
                }
                return (
                    <Badge variant="red">
                        {t("failed", { fallback: "Failed" })}
                    </Badge>
                );
            } else {
                if (errorMessage) {
                    return (
                        <TooltipProvider>
                            <Tooltip>
                                <TooltipTrigger asChild>
                                    <Badge variant="yellow" className="cursor-help">
                                        {t("pending")}
                                    </Badge>
                                </TooltipTrigger>
                                <TooltipContent className="max-w-xs">
                                    <p className="break-words">{errorMessage}</p>
                                </TooltipContent>
                            </Tooltip>
                        </TooltipProvider>
                    );
                }
                return <Badge variant="yellow">{t("pending")}</Badge>;
            }
        }
--- a/src/components/PaidFeaturesAlert.tsx
+++ b/src/components/PaidFeaturesAlert.tsx
@@ -51,6 +51,7 @@ const docsLinkClassName =
 const PANGOLIN_CLOUD_SIGNUP_URL = "https://app.pangolin.net/auth/signup/";
 const ENTERPRISE_DOCS_URL =
    "https://docs.pangolin.net/self-host/enterprise-edition";
 const BOOK_A_DEMO_URL = "https://click.fossorial.io/ep922";
 function getTierLinkRenderer(billingHref: string) {
    return function tierLinkRenderer(chunks: React.ReactNode) {
@@ -78,6 +79,22 @@ function getPangolinCloudLinkRenderer() {
    };
 }
 function getBookADemoLinkRenderer() {
    return function bookADemoLinkRenderer(chunks: React.ReactNode) {
        return (
            <Link
                href={BOOK_A_DEMO_URL}
                target="_blank"
                rel="noopener noreferrer"
                className={docsLinkClassName}
            >
                {chunks}
                <ExternalLink className="size-3.5 shrink-0" />
            </Link>
        );
    };
 }
 function getDocsLinkRenderer(href: string) {
    return function docsLinkRenderer(chunks: React.ReactNode) {
        return (
@@ -116,6 +133,7 @@ export function PaidFeaturesAlert({ tiers }: Props) {
    const tierLinkRenderer = getTierLinkRenderer(billingHref);
    const pangolinCloudLinkRenderer = getPangolinCloudLinkRenderer();
    const enterpriseDocsLinkRenderer = getDocsLinkRenderer(ENTERPRISE_DOCS_URL);
    const bookADemoLinkRenderer = getBookADemoLinkRenderer();
    if (env.flags.disableEnterpriseFeatures) {
        return null;
@@ -157,7 +175,8 @@ export function PaidFeaturesAlert({ tiers }: Props) {
                                {t.rich("licenseRequiredToUse", {
                                    enterpriseLicenseLink:
                                        enterpriseDocsLinkRenderer,
-                                    pangolinCloudLink: pangolinCloudLinkRenderer
+                                    pangolinCloudLink: pangolinCloudLinkRenderer,
                                    bookADemoLink: bookADemoLinkRenderer
                                })}
                            </span>
                        </div>
@@ -174,7 +193,8 @@ export function PaidFeaturesAlert({ tiers }: Props) {
                                {t.rich("ossEnterpriseEditionRequired", {
                                    enterpriseEditionLink:
                                        enterpriseDocsLinkRenderer,
-                                    pangolinCloudLink: pangolinCloudLinkRenderer
+                                    pangolinCloudLink: pangolinCloudLinkRenderer,
                                    bookADemoLink: bookADemoLinkRenderer
                                })}
                            </span>
                        </div>
Author	SHA1	Message	Date
Owen	63fd63c65c	Send less data down	2026-03-12 17:27:15 -07:00
Owen	beee1d692d	revert: telemetry comment	2026-03-12 17:11:13 -07:00
Owen	fde786ca84	Add todo	2026-03-12 17:10:46 -07:00
Owen	3086fdd064	Merge branch 'dev' into jit	2026-03-12 16:58:23 -07:00
Owen	6c30f6db31	Dont send site if it missing public key	2026-03-12 16:33:33 -07:00
Owen	f021b73458	Add alert about domain error	2026-03-11 18:00:23 -07:00
Owen	74f4751bcc	Dont show raw resource option unless remote node	2026-03-11 17:47:15 -07:00
Owen	e5bce4e180	Merge branch 'main' into dev	2026-03-11 15:55:59 -07:00
Owen	9b0e7b381c	Fix error to gerbil	2026-03-11 15:49:03 -07:00
Owen	90afe5a7ac	Log errors	2026-03-11 15:42:40 -07:00
Owen	b24de85157	Handle gerbil rejecting 0 Closes #2605	2026-03-11 15:06:26 -07:00
Owen	eda43dffe1	Fix not pulling wildcard cert updates	2026-03-11 15:06:26 -07:00
Owen	82c9a1eb70	Add demo link	2026-03-11 15:06:26 -07:00
Owen	a3d4553d14	Merge branch 'main' into dev	2026-03-11 14:53:55 -07:00
Owen	072c89e704	Bump dompurify	2026-03-10 16:43:40 -07:00
Owen	dbdff6812d	Bump esbuild	2026-03-10 16:31:19 -07:00
Owen	cc841d5640	Add some logging to debug	2026-03-10 14:24:57 -07:00
Owen	dec358c4cd	Use native drizzle count	2026-03-10 10:03:49 -07:00
Owen	e98f873f81	Clean up	2026-03-09 21:16:37 -07:00
Owen	e9a2a7e752	Reorder delete	2026-03-09 20:46:27 -07:00
Owen	06015d5191	Handle gerbil rejecting 0 Closes #2605	2026-03-09 17:35:25 -07:00
Owen	af688d2a23	Add demo link	2026-03-09 17:35:04 -07:00
Owen	7d0b3ec6b5	Fix not pulling wildcard cert updates	2026-03-09 17:34:48 -07:00
Owen	cf5fb8dc33	Working on jit	2026-03-09 16:36:13 -07:00
Owen Schwartz	9a0a255445	Merge pull request #2524 from shreyaspapi/fix/2294-path-based-routing fix: path-based routing broken due to key collisions in sanitize()	2026-03-07 21:18:59 -08:00
Owen Schwartz	d5a37436c0	Merge pull request #2616 from LaurenceJJones/fix/issue-240-hcStatus-missing fix(newt): missing hcStatus in hc config on reconnect	2026-03-07 21:14:27 -08:00
Laurence	be609b5000	Fix missing hcStatus field in health check config on reconnect The buildTargetConfigurationForNewtClient function was not including the hcStatus field when building health check targets for the newt/wg/connect message. This caused custom expected response codes (e.g., 409) to revert to the default 2xx range check after Pangolin server restart. Added hcStatus to both the database select query and the returned health check target object, matching the behavior in targets.ts addTargets.	2026-03-07 06:28:10 +00:00
Owen	0503c6e66e	Handle JIT for ssh	2026-03-06 15:49:17 -08:00
Owen	9405b0b70a	Force jit above site limit	2026-03-06 14:09:57 -08:00
Owen	a26ee4ac1a	Adjust billing upgrade language	2026-03-06 12:17:26 -08:00
Owen	2a5c9465e9	Add chainId field passthrough	2026-03-04 22:17:58 -08:00
Owen	f36b66e397	Merge branch 'dev' into jit	2026-03-04 17:58:50 -08:00
Owen	8c6d44677d	Update lock	2026-03-04 17:48:58 -08:00
Owen	1bfff630bf	Jit working for sites	2026-03-04 17:46:58 -08:00
miloschwartz	ebcef28b05	remove resend from config	2026-03-04 17:45:48 -08:00
miloschwartz	e87e12898c	remove resend	2026-03-04 17:45:22 -08:00
miloschwartz	d60ab281cf	remove resend from package.json	2026-03-04 17:42:25 -08:00
Owen	c73a39f797	Allow JIT based on site or resource	2026-03-04 15:44:27 -08:00
Shreyas Papinwar	75a909784a	fix: simplify path encoding per review — inline utils, use single key scheme Address PR review comments: - Remove pathUtils.ts and move sanitize/encodePath directly into utils.ts - Simplify dual-key approach to single key using encodePath for map keys - Remove backward-compat logic (not needed per reviewer) - Update tests to match simplified approach	2026-03-01 15:48:26 +05:30
Shreyas	244f497a9c	test: add comprehensive backward compatibility tests for path routing fix	2026-03-01 15:48:26 +05:30
Shreyas	e58f0c9f07	fix: preserve backward-compatible router names while fixing path collisions Use encodePath only for internal map key grouping (collision-free) and sanitize for Traefik-facing router/service names (unchanged for existing users). Extract pure functions into pathUtils.ts so tests can run without DB dependencies.	2026-03-01 15:48:26 +05:30
Shreyas	5f18c06e03	fix: use collision-free path encoding for Traefik router key generation	2026-03-01 15:48:26 +05:30