first pass

2026-03-03 17:26:38 +00:00 · 2026-02-24 17:58:11 -08:00
149 changed files with 2044 additions and 3094 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -28,9 +28,9 @@ LICENSE
 CONTRIBUTING.md
 dist
 .git
-server/migrations/
+migrations/
 config/
 build.ts
 tsconfig.json
 Dockerfile*
-drizzle.config.ts
+migrations/
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -29,7 +29,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
@@ -62,7 +62,7 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
            - name: Monitor storage space
              run: |
@@ -77,7 +77,7 @@ jobs:
                  fi
            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -134,7 +134,7 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
            - name: Monitor storage space
              run: |
@@ -149,7 +149,7 @@ jobs:
                  fi
            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -201,10 +201,10 @@ jobs:
        timeout-minutes: 30
        steps:
            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -256,7 +256,7 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
            - name: Extract tag name
              id: get-tag
@@ -289,14 +289,22 @@ jobs:
                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
              shell: bash
            - name: Update install/main.go
              run: |
                  PANGOLIN_VERSION=${{ env.TAG }}
                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
                  cat install/main.go
              shell: bash
            - name: Build installer
              working-directory: install
              run: |
-                  make go-build-release \
+                  make go-build-release
                    PANGOLIN_VERSION=${{ env.TAG }} \
                    GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }} \
                    BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
              shell: bash
            - name: Upload artifacts from /install/bin
              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -407,7 +415,7 @@ jobs:
              shell: bash
            - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
@@ -570,7 +578,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -21,7 +21,7 @@ jobs:
        runs-on: ubuntu-latest
        steps:
            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
            - name: Set up Node.js
              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
--- a/.github/workflows/restart-runners.yml
+++ b/.github/workflows/restart-runners.yml
@@ -14,7 +14,7 @@ jobs:
    permissions: write-all
    steps:
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
          role-duration-seconds: 3600
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -23,7 +23,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
@@ -54,7 +54,7 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
            - name: Download MaxMind GeoLite2 databases
              env:
@@ -104,7 +104,7 @@ jobs:
                  fi
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
@@ -145,7 +145,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -14,7 +14,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
          days-before-stale: 14
          days-before-close: 14
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Install Node
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
@@ -62,7 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Build Docker image sqlite
        run: make dev-build-sqlite
@@ -71,7 +71,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Build Docker image pg
        run: make dev-build-pg
--- a/20
+++ b/20
@@ -1,9 +1,8 @@
-# FROM node:24-slim AS base
+FROM node:24-alpine AS base
 FROM public.ecr.aws/docker/library/node:24-slim AS base
 WORKDIR /app
-RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache python3 make g++
 COPY package*.json ./
@@ -24,20 +23,15 @@ RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi && \
    npm run build:cli && \
    test -f dist/server.mjs
 # Create placeholder files for MaxMind databases to avoid COPY errors
 # Real files should be present for saas builds, placeholders for oss builds
 RUN touch /app/GeoLite2-Country.mmdb /app/GeoLite2-ASN.mmdb
 FROM base AS builder
 RUN npm ci --omit=dev
-# FROM node:24-slim AS runner
+FROM node:24-alpine AS runner
 FROM public.ecr.aws/docker/library/node:24-slim AS runner
 WORKDIR /app
-RUN apt-get update && apt-get install -y curl tzdata && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache curl tzdata
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/package.json ./package.json
@@ -57,16 +51,12 @@ COPY public ./public
 # Copy MaxMind databases for SaaS builds
 ARG BUILD=oss
 RUN mkdir -p ./maxmind
-# Copy MaxMind databases (placeholders exist for oss builds, real files for saas)
+# This is only for saas
 COPY --from=builder-dev /app/GeoLite2-Country.mmdb ./maxmind/GeoLite2-Country.mmdb
 COPY --from=builder-dev /app/GeoLite2-ASN.mmdb ./maxmind/GeoLite2-ASN.mmdb
 # Remove MaxMind databases for non-saas builds (keep only for saas)
 RUN if [ "$BUILD" != "saas" ]; then rm -rf ./maxmind; fi
 # OCI Image Labels - Build Args for dynamic values
 ARG VERSION="dev"
 ARG REVISION=""
--- a/cli/commands/generateOrgCaKeys.ts
+++ b/cli/commands/generateOrgCaKeys.ts
@@ -3,7 +3,7 @@ import { db, orgs } from "@server/db";
 import { eq } from "drizzle-orm";
 import { encrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
-import { generateCA } from "@server/lib/sshCA";
+import { generateCA } from "@server/private/lib/sshCA";
 import fs from "fs";
 import yaml from "js-yaml";
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -4,12 +4,6 @@ services:
    image: fosrl/pangolin:latest
    container_name: pangolin
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 1g
        reservations:
          memory: 256m
    volumes:
      - ./config:/app/config
    healthcheck:
--- a/install/Makefile
+++ b/install/Makefile
@@ -1,24 +1,41 @@
-all: go-build-release
+all: update-versions go-build-release put-back
-
+dev-all: dev-update-versions dev-build dev-clean
 # Build with version injection via ldflags
 # Versions can be passed via: make go-build-release PANGOLIN_VERSION=x.x.x GERBIL_VERSION=x.x.x BADGER_VERSION=x.x.x
 # Or fetched automatically if not provided (requires curl and jq)
 PANGOLIN_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name')
 GERBIL_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
 BADGER_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
 LDFLAGS = -X main.pangolinVersion=$(PANGOLIN_VERSION) \
          -X main.gerbilVersion=$(GERBIL_VERSION) \
          -X main.badgerVersion=$(BADGER_VERSION)
 go-build-release:
-	@echo "Building with versions - Pangolin: $(PANGOLIN_VERSION), Gerbil: $(GERBIL_VERSION), Badger: $(BADGER_VERSION)"
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/installer_linux_amd64
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/installer_linux_amd64
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/installer_linux_arm64
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/installer_linux_arm64
 clean:
 	rm -f bin/installer_linux_amd64
 	rm -f bin/installer_linux_arm64
-.PHONY: all go-build-release clean
+update-versions:
 	@echo "Fetching latest versions..."
 	cp main.go main.go.bak && \
 	$(MAKE) dev-update-versions
 put-back:
 	mv main.go.bak main.go
 dev-update-versions:
 	if [ -z "$(tag)" ]; then \
 		PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name'); \
 	else \
 		PANGOLIN_VERSION=$(tag); \
 	fi && \
 	GERBIL_VERSION=$$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') && \
 	BADGER_VERSION=$$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') && \
 	echo "Latest versions - Pangolin: $$PANGOLIN_VERSION, Gerbil: $$GERBIL_VERSION, Badger: $$BADGER_VERSION" && \
 	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$$PANGOLIN_VERSION\"/" main.go && \
 	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$$GERBIL_VERSION\"/" main.go && \
 	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$$BADGER_VERSION\"/" main.go && \
 	echo "Updated main.go with latest versions"
 dev-build: go-build-release
 dev-clean:
 	@echo "Restoring version values ..."
 	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"replaceme\"/" main.go && \
 	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"replaceme\"/" main.go && \
 	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"replaceme\"/" main.go
 	@echo "Restored version strings in main.go"
--- a/install/config.go
+++ b/install/config.go
@@ -118,19 +118,19 @@ func copyDockerService(sourceFile, destFile, serviceName string) error {
 	}
 	// Parse source Docker Compose YAML
-	var sourceCompose map[string]any
+	var sourceCompose map[string]interface{}
 	if err := yaml.Unmarshal(sourceData, &sourceCompose); err != nil {
 		return fmt.Errorf("error parsing source Docker Compose file: %w", err)
 	}
 	// Parse destination Docker Compose YAML
-	var destCompose map[string]any
+	var destCompose map[string]interface{}
 	if err := yaml.Unmarshal(destData, &destCompose); err != nil {
 		return fmt.Errorf("error parsing destination Docker Compose file: %w", err)
 	}
 	// Get services section from source
-	sourceServices, ok := sourceCompose["services"].(map[string]any)
+	sourceServices, ok := sourceCompose["services"].(map[string]interface{})
 	if !ok {
 		return fmt.Errorf("services section not found in source file or has invalid format")
 	}
@@ -142,10 +142,10 @@ func copyDockerService(sourceFile, destFile, serviceName string) error {
 	}
 	// Get or create services section in destination
-	destServices, ok := destCompose["services"].(map[string]any)
+	destServices, ok := destCompose["services"].(map[string]interface{})
 	if !ok {
 		// If services section doesn't exist, create it
-		destServices = make(map[string]any)
+		destServices = make(map[string]interface{})
 		destCompose["services"] = destServices
 	}
@@ -187,12 +187,13 @@ func backupConfig() error {
 	return nil
 }
-func MarshalYAMLWithIndent(data any, indent int) ([]byte, error) {
+func MarshalYAMLWithIndent(data interface{}, indent int) ([]byte, error) {
 	buffer := new(bytes.Buffer)
 	encoder := yaml.NewEncoder(buffer)
 	encoder.SetIndent(indent)
-	if err := encoder.Encode(data); err != nil {
+	err := encoder.Encode(data)
 	if err != nil {
 		return nil, err
 	}
@@ -208,7 +209,7 @@ func replaceInFile(filepath, oldStr, newStr string) error {
 	}
 	// Replace the string
-	newContent := strings.ReplaceAll(string(content), oldStr, newStr)
+	newContent := strings.Replace(string(content), oldStr, newStr, -1)
 	// Write the modified content back to the file
 	err = os.WriteFile(filepath, []byte(newContent), 0644)
@@ -227,28 +228,28 @@ func CheckAndAddTraefikLogVolume(composePath string) error {
 	}
 	// Parse YAML into a generic map
-	var compose map[string]any
+	var compose map[string]interface{}
 	if err := yaml.Unmarshal(data, &compose); err != nil {
 		return fmt.Errorf("error parsing compose file: %w", err)
 	}
 	// Get services section
-	services, ok := compose["services"].(map[string]any)
+	services, ok := compose["services"].(map[string]interface{})
 	if !ok {
 		return fmt.Errorf("services section not found or invalid")
 	}
 	// Get traefik service
-	traefik, ok := services["traefik"].(map[string]any)
+	traefik, ok := services["traefik"].(map[string]interface{})
 	if !ok {
 		return fmt.Errorf("traefik service not found or invalid")
 	}
 	// Check volumes
 	logVolume := "./config/traefik/logs:/var/log/traefik"
-	var volumes []any
+	var volumes []interface{}
-	if existingVolumes, ok := traefik["volumes"].([]any); ok {
+	if existingVolumes, ok := traefik["volumes"].([]interface{}); ok {
 		// Check if volume already exists
 		for _, v := range existingVolumes {
 			if v.(string) == logVolume {
@@ -294,13 +295,13 @@ func MergeYAML(baseFile, overlayFile string) error {
 	}
 	// Parse base YAML into a map
-	var baseMap map[string]any
+	var baseMap map[string]interface{}
 	if err := yaml.Unmarshal(baseContent, &baseMap); err != nil {
 		return fmt.Errorf("error parsing base YAML: %v", err)
 	}
 	// Parse overlay YAML into a map
-	var overlayMap map[string]any
+	var overlayMap map[string]interface{}
 	if err := yaml.Unmarshal(overlayContent, &overlayMap); err != nil {
 		return fmt.Errorf("error parsing overlay YAML: %v", err)
 	}
@@ -323,8 +324,8 @@ func MergeYAML(baseFile, overlayFile string) error {
 }
 // mergeMap recursively merges two maps
-func mergeMap(base, overlay map[string]any) map[string]any {
+func mergeMap(base, overlay map[string]interface{}) map[string]interface{} {
-	result := make(map[string]any)
+	result := make(map[string]interface{})
 	// Copy all key-values from base map
 	for k, v := range base {
@@ -335,8 +336,8 @@ func mergeMap(base, overlay map[string]any) map[string]any {
 	for k, v := range overlay {
 		// If both maps have the same key and both values are maps, merge recursively
 		if baseVal, ok := base[k]; ok {
-			if baseMap, isBaseMap := baseVal.(map[string]any); isBaseMap {
+			if baseMap, isBaseMap := baseVal.(map[string]interface{}); isBaseMap {
-				if overlayMap, isOverlayMap := v.(map[string]any); isOverlayMap {
+				if overlayMap, isOverlayMap := v.(map[string]interface{}); isOverlayMap {
 					result[k] = mergeMap(baseMap, overlayMap)
 					continue
 				}
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -4,12 +4,6 @@ services:
    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
    container_name: pangolin
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 1g
        reservations:
          memory: 256m
    volumes:
      - ./config:/app/config
    healthcheck:
@@ -44,7 +38,9 @@ services:
    image: docker.io/traefik:v3.6
    container_name: traefik
    restart: unless-stopped
-{{if .InstallGerbil}}    network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
+{{if .InstallGerbil}}
    network_mode: service:gerbil # Ports appear on the gerbil service
 {{end}}{{if not .InstallGerbil}}
    ports:
      - 443:443
      - 80:80
--- a/install/containers.go
+++ b/install/containers.go
@@ -144,13 +144,12 @@ func installDocker() error {
 }
 func startDockerService() error {
-	switch runtime.GOOS {
+	if runtime.GOOS == "linux" {
 	case "linux":
 		cmd := exec.Command("systemctl", "enable", "--now", "docker")
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		return cmd.Run()
-	case "darwin":
+	} else if runtime.GOOS == "darwin" {
 		// On macOS, Docker is usually started via the Docker Desktop application
 		fmt.Println("Please start Docker Desktop manually on macOS.")
 		return nil
@@ -303,7 +302,7 @@ func pullContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("unsupported container type: %s", containerType)
+	return fmt.Errorf("Unsupported container type: %s", containerType)
 }
 // startContainers starts the containers using the appropriate command.
@@ -326,7 +325,7 @@ func startContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("unsupported container type: %s", containerType)
+	return fmt.Errorf("Unsupported container type: %s", containerType)
 }
 // stopContainers stops the containers using the appropriate command.
@@ -348,7 +347,7 @@ func stopContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("unsupported container type: %s", containerType)
+	return fmt.Errorf("Unsupported container type: %s", containerType)
 }
 // restartContainer restarts a specific container using the appropriate command.
@@ -370,5 +369,5 @@ func restartContainer(container string, containerType SupportedContainer) error
 		return nil
 	}
-	return fmt.Errorf("unsupported container type: %s", containerType)
+	return fmt.Errorf("Unsupported container type: %s", containerType)
 }
--- a/install/crowdsec.go
+++ b/install/crowdsec.go
@@ -27,18 +27,9 @@ func installCrowdsec(config Config) error {
 		os.Exit(1)
 	}
-	if err := os.MkdirAll("config/crowdsec/db", 0755); err != nil {
+	os.MkdirAll("config/crowdsec/db", 0755)
-		fmt.Printf("Error creating config files: %v\n", err)
+	os.MkdirAll("config/crowdsec/acquis.d", 0755)
-		os.Exit(1)
+	os.MkdirAll("config/traefik/logs", 0755)
 	}
 	if err := os.MkdirAll("config/crowdsec/acquis.d", 0755); err != nil {
 		fmt.Printf("Error creating config files: %v\n", err)
 		os.Exit(1)
 	}
 	if err := os.MkdirAll("config/traefik/logs", 0755); err != nil {
 		fmt.Printf("Error creating config files: %v\n", err)
 		os.Exit(1)
 	}
 	if err := copyDockerService("config/crowdsec/docker-compose.yml", "docker-compose.yml", "crowdsec"); err != nil {
 		fmt.Printf("Error copying docker service: %v\n", err)
@@ -162,34 +153,34 @@ func CheckAndAddCrowdsecDependency(composePath string) error {
 	}
 	// Parse YAML into a generic map
-	var compose map[string]any
+	var compose map[string]interface{}
 	if err := yaml.Unmarshal(data, &compose); err != nil {
 		return fmt.Errorf("error parsing compose file: %w", err)
 	}
 	// Get services section
-	services, ok := compose["services"].(map[string]any)
+	services, ok := compose["services"].(map[string]interface{})
 	if !ok {
 		return fmt.Errorf("services section not found or invalid")
 	}
 	// Get traefik service
-	traefik, ok := services["traefik"].(map[string]any)
+	traefik, ok := services["traefik"].(map[string]interface{})
 	if !ok {
 		return fmt.Errorf("traefik service not found or invalid")
 	}
 	// Get dependencies
-	dependsOn, ok := traefik["depends_on"].(map[string]any)
+	dependsOn, ok := traefik["depends_on"].(map[string]interface{})
 	if ok {
 		// Append the new block for crowdsec
-		dependsOn["crowdsec"] = map[string]any{
+		dependsOn["crowdsec"] = map[string]interface{}{
 			"condition": "service_healthy",
 		}
 	} else {
 		// No dependencies exist, create it
-		traefik["depends_on"] = map[string]any{
+		traefik["depends_on"] = map[string]interface{}{
-			"crowdsec": map[string]any{
+			"crowdsec": map[string]interface{}{
 				"condition": "service_healthy",
 			},
 		}
--- a/install/go.mod
+++ b/install/go.mod
@@ -3,36 +3,8 @@ module installer
 go 1.24.0
 require (
-	github.com/charmbracelet/huh v0.8.0
+	golang.org/x/term v0.39.0
 	github.com/charmbracelet/lipgloss v1.1.0
 	golang.org/x/term v0.40.0
 	gopkg.in/yaml.v3 v3.0.1
 )
-require (
+require golang.org/x/sys v0.40.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/catppuccin/go v0.3.0 // indirect
 	github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
 	github.com/charmbracelet/bubbletea v1.3.6 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/x/ansi v0.9.3 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -1,80 +1,7 @@
-github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
 github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E=
 github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY=
 github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 h1:JFgG/xnwFfbezlUnFMJy0nusZvytYysV4SCS2cYbvws=
 github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7/go.mod h1:ISC1gtLcVilLOf23wvTfoQuYbW2q0JevFxPfUzZ9Ybw=
 github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
 github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
 github.com/charmbracelet/huh v0.8.0 h1:Xz/Pm2h64cXQZn/Jvele4J3r7DDiqFCNIVteYukxDvY=
 github.com/charmbracelet/huh v0.8.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=
 github.com/charmbracelet/x/ansi v0.9.3/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
 github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/conpty v0.1.0 h1:4zc8KaIcbiL4mghEON8D72agYtSeIgq8FSThSPQIb+U=
 github.com/charmbracelet/x/conpty v0.1.0/go.mod h1:rMFsDJoDwVmiYM10aD4bH2XiRgwI7NYJtQgl5yskjEQ=
 github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86 h1:JSt3B+U9iqk37QUU2Rvb6DSBYRLtWqFqfxf8l5hOZUA=
 github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86/go.mod h1:2P0UgXMEa6TsToMSuFqKFQR+fZTO9CNGUNokkPatT/0=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 h1:qko3AQ4gK1MTS/de7F5hPGx6/k1u0w4TeYmBFwzYVP4=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0/go.mod h1:pBhA0ybfXv6hDjQUZ7hk1lVxBiUbupdw5R31yPUViVQ=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY=
 github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo=
 github.com/charmbracelet/x/xpty v0.1.2 h1:Pqmu4TEJ8KeA9uSkISKMU3f+C1F6OGBn8ABuGlqCbtI=
 github.com/charmbracelet/x/xpty v0.1.2/go.mod h1:XK2Z0id5rtLWcpeNiMYBccNNBrP2IJnzHI0Lq13Xzq4=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
 golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/install/input.go
+++ b/install/input.go
@@ -1,235 +1,92 @@
 package main
 import (
-	"errors"
+	"bufio"
 	"fmt"
-	"os"
+	"strings"
-	"strconv"
+	"syscall"
 	"github.com/charmbracelet/huh"
 	"golang.org/x/term"
 )
-// pangolinTheme is the custom theme using brand colors
+func readString(reader *bufio.Reader, prompt string, defaultValue string) string {
 var pangolinTheme = ThemePangolin()
 // isAccessibleMode checks if we should use accessible mode (simple prompts)
 // This is true for: non-TTY, TERM=dumb, or ACCESSIBLE env var set
 func isAccessibleMode() bool {
 	// Check if stdin is not a terminal (piped input, CI, etc.)
 	if !term.IsTerminal(int(os.Stdin.Fd())) {
 		return true
 	}
 	// Check for dumb terminal
 	if os.Getenv("TERM") == "dumb" {
 		return true
 	}
 	// Check for explicit accessible mode request
 	if os.Getenv("ACCESSIBLE") != "" {
 		return true
 	}
 	return false
 }
 // handleAbort checks if the error is a user abort (Ctrl+C) and exits if so
 func handleAbort(err error) {
 	if err != nil && errors.Is(err, huh.ErrUserAborted) {
 		fmt.Println("\nInstallation cancelled.")
 		os.Exit(0)
 	}
 }
 // runField runs a single field with the Pangolin theme, handling accessible mode
 func runField(field huh.Field) error {
 	if isAccessibleMode() {
 		return field.RunAccessible(os.Stdout, os.Stdin)
 	}
 	form := huh.NewForm(huh.NewGroup(field)).WithTheme(pangolinTheme)
 	return form.Run()
 }
 func readString(prompt string, defaultValue string) string {
 	var value string
 	title := prompt
 	if defaultValue != "" {
-		title = fmt.Sprintf("%s (default: %s)", prompt, defaultValue)
+		fmt.Printf("%s (default: %s): ", prompt, defaultValue)
 	} else {
 		fmt.Print(prompt + ": ")
 	}
-
+	input, _ := reader.ReadString('\n')
-	input := huh.NewInput().
+	input = strings.TrimSpace(input)
-		Title(title).
+	if input == "" {
 		Value(&value)
 	// If no default value, this field is required
 	if defaultValue == "" {
 		input = input.Validate(func(s string) error {
 			if s == "" {
 				return fmt.Errorf("this field is required")
 			}
 			return nil
 		})
 	}
 	err := runField(input)
 	handleAbort(err)
 	if value == "" {
 		value = defaultValue
 	}
 	// Print the answer so it remains visible in terminal history (skip in accessible mode as it already shows)
 	if !isAccessibleMode() {
 		fmt.Printf("%s: %s\n", prompt, value)
 	}
 	return value
 }
 func readStringNoDefault(prompt string) string {
 	var value string
 	for {
 		input := huh.NewInput().
 			Title(prompt).
 			Value(&value).
 			Validate(func(s string) error {
 				if s == "" {
 					return fmt.Errorf("this field is required")
 				}
 				return nil
 			})
 		err := runField(input)
 		handleAbort(err)
 		if value != "" {
 			// Print the answer so it remains visible in terminal history
 			if !isAccessibleMode() {
 				fmt.Printf("%s: %s\n", prompt, value)
 			}
 			return value
 		}
 	}
 }
 func readPassword(prompt string) string {
 	var value string
 	for {
 		input := huh.NewInput().
 			Title(prompt).
 			Value(&value).
 			EchoMode(huh.EchoModePassword).
 			Validate(func(s string) error {
 				if s == "" {
 					return fmt.Errorf("password is required")
 				}
 				return nil
 			})
 		err := runField(input)
 		handleAbort(err)
 		if value != "" {
 			// Print confirmation without revealing the password
 			if !isAccessibleMode() {
 				fmt.Printf("%s: %s\n", prompt, "********")
 			}
 			return value
 		}
 	}
 }
 func readBool(prompt string, defaultValue bool) bool {
 	var value = defaultValue
 	confirm := huh.NewConfirm().
 		Title(prompt).
 		Value(&value).
 		Affirmative("Yes").
 		Negative("No")
 	err := runField(confirm)
 	handleAbort(err)
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		answer := "No"
 		if value {
 			answer = "Yes"
 		}
 		fmt.Printf("%s: %s\n", prompt, answer)
 	}
 	return value
 }
 func readBoolNoDefault(prompt string) bool {
 	var value bool
 	confirm := huh.NewConfirm().
 		Title(prompt).
 		Value(&value).
 		Affirmative("Yes").
 		Negative("No")
 	err := runField(confirm)
 	handleAbort(err)
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		answer := "No"
 		if value {
 			answer = "Yes"
 		}
 		fmt.Printf("%s: %s\n", prompt, answer)
 	}
 	return value
 }
 func readInt(prompt string, defaultValue int) int {
 	var value string
 	title := fmt.Sprintf("%s (default: %d)", prompt, defaultValue)
 	input := huh.NewInput().
 		Title(title).
 		Value(&value).
 		Validate(func(s string) error {
 			if s == "" {
 				return nil
 			}
 			_, err := strconv.Atoi(s)
 			if err != nil {
 				return fmt.Errorf("please enter a valid number")
 			}
 			return nil
 		})
 	err := runField(input)
 	handleAbort(err)
 	if value == "" {
 		// Print the answer so it remains visible in terminal history
 		if !isAccessibleMode() {
 			fmt.Printf("%s: %d\n", prompt, defaultValue)
 		}
 		return defaultValue
 	}
 	return input
 }
-	result, err := strconv.Atoi(value)
+func readStringNoDefault(reader *bufio.Reader, prompt string) string {
-	if err != nil {
+	fmt.Print(prompt + ": ")
-		if !isAccessibleMode() {
+	input, _ := reader.ReadString('\n')
-			fmt.Printf("%s: %d\n", prompt, defaultValue)
+	return strings.TrimSpace(input)
 }
 func readPassword(prompt string, reader *bufio.Reader) string {
 	if term.IsTerminal(int(syscall.Stdin)) {
 		fmt.Print(prompt + ": ")
 		// Read password without echo if we're in a terminal
 		password, err := term.ReadPassword(int(syscall.Stdin))
 		fmt.Println() // Add a newline since ReadPassword doesn't add one
 		if err != nil {
 			return ""
 		}
 		input := strings.TrimSpace(string(password))
 		if input == "" {
 			return readPassword(prompt, reader)
 		}
 		return input
 	} else {
 		// Fallback to reading from stdin if not in a terminal
 		return readString(reader, prompt, "")
 	}
 }
 func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
 	defaultStr := "no"
 	if defaultValue {
 		defaultStr = "yes"
 	}
 	for {
 		input := readString(reader, prompt+" (yes/no)", defaultStr)
 		lower := strings.ToLower(input)
 		if lower == "yes" {
 			return true
 		} else if lower == "no" {
 			return false
 		} else {
 			fmt.Println("Please enter 'yes' or 'no'.")
 		}
 	}
 }
 func readBoolNoDefault(reader *bufio.Reader, prompt string) bool {
 	for {
 		input := readStringNoDefault(reader, prompt+" (yes/no)")
 		lower := strings.ToLower(input)
 		if lower == "yes" {
 			return true
 		} else if lower == "no" {
 			return false
 		} else {
 			fmt.Println("Please enter 'yes' or 'no'.")
 		}
 	}
 }
 func readInt(reader *bufio.Reader, prompt string, defaultValue int) int {
 	input := readString(reader, prompt, fmt.Sprintf("%d", defaultValue))
 	if input == "" {
 		return defaultValue
 	}
-
+	value := defaultValue
-	// Print the answer so it remains visible in terminal history
+	fmt.Sscanf(input, "%d", &value)
-	if !isAccessibleMode() {
+	return value
 		fmt.Printf("%s: %d\n", prompt, result)
 	}
 	return result
 }
--- a/install/main.go
+++ b/install/main.go
@@ -1,12 +1,13 @@
 package main
 import (
-	"crypto/rand"
+	"bufio"
 	"embed"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"io/fs"
 	"crypto/rand"
 	"encoding/base64"
 	"net"
 	"net/http"
 	"net/url"
@@ -19,17 +20,11 @@ import (
 	"time"
 )
-// Version variables injected at build time via -ldflags
+// DO NOT EDIT THIS FUNCTION; IT MATCHED BY REGEX IN CICD
 var (
 	pangolinVersion string
 	gerbilVersion   string
 	badgerVersion   string
 )
 func loadVersions(config *Config) {
-	config.PangolinVersion = pangolinVersion
+	config.PangolinVersion = "replaceme"
-	config.GerbilVersion = gerbilVersion
+	config.GerbilVersion = "replaceme"
-	config.BadgerVersion = badgerVersion
+	config.BadgerVersion = "replaceme"
 }
 //go:embed config/*
@@ -87,12 +82,14 @@ func main() {
 		}
 	}
 	reader := bufio.NewReader(os.Stdin)
 	var config Config
 	var alreadyInstalled = false
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
-		config = collectUserInput()
+		config = collectUserInput(reader)
 		loadVersions(&config)
 		config.DoCrowdsecInstall = false
@@ -105,10 +102,7 @@ func main() {
 			os.Exit(1)
 		}
-		if err := moveFile("config/docker-compose.yml", "docker-compose.yml"); err != nil {
+		moveFile("config/docker-compose.yml", "docker-compose.yml")
 			fmt.Printf("Error moving docker-compose.yml: %v\n", err)
 			os.Exit(1)
 		}
 		fmt.Println("\nConfiguration files created successfully!")
@@ -123,17 +117,13 @@ func main() {
 		fmt.Println("\n=== Starting installation ===")
-		if readBool("Would you like to install and start the containers?", true) {
+		if readBool(reader, "Would you like to install and start the containers?", true) {
-			config.InstallationContainerType = podmanOrDocker()
+			config.InstallationContainerType = podmanOrDocker(reader)
 			if !isDockerInstalled() && runtime.GOOS == "linux" && config.InstallationContainerType == Docker {
-				if readBool("Docker is not installed. Would you like to install it?", true) {
+				if readBool(reader, "Docker is not installed. Would you like to install it?", true) {
-					if err := installDocker(); err != nil {
+					installDocker()
 						fmt.Printf("Error installing Docker: %v\n", err)
 						return
 					}
 					// try to start docker service but ignore errors
 					if err := startDockerService(); err != nil {
 						fmt.Println("Error starting Docker service:", err)
@@ -142,7 +132,7 @@ func main() {
 					}
 					// wait 10 seconds for docker to start checking if docker is running every 2 seconds
 					fmt.Println("Waiting for Docker to start...")
-					for range 5 {
+					for i := 0; i < 5; i++ {
 						if isDockerRunning() {
 							fmt.Println("Docker is running!")
 							break
@@ -177,7 +167,7 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
+			if readBool(reader, "Would you like to update the MaxMind database to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
@@ -185,7 +175,7 @@ func main() {
 			}
 		} else {
 			fmt.Println("MaxMind GeoLite2 Country database not found.")
-			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+			if readBool(reader, "Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
@@ -202,11 +192,11 @@ func main() {
 	if !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
-		if readBool("Would you like to install CrowdSec?", false) {
+		if readBool(reader, "Would you like to install CrowdSec?", false) {
 			fmt.Println("This installer constitutes a minimal viable CrowdSec deployment. CrowdSec will add extra complexity to your Pangolin installation and may not work to the best of its abilities out of the box. Users are expected to implement configuration adjustments on their own to achieve the best security posture. Consult the CrowdSec documentation for detailed configuration instructions.")
 			// BUG: crowdsec installation will be skipped if the user chooses to install on the first installation.
-			if readBool("Are you willing to manage CrowdSec?", false) {
+			if readBool(reader, "Are you willing to manage CrowdSec?", false) {
 				if config.DashboardDomain == "" {
 					traefikConfig, err := ReadTraefikConfig("config/traefik/traefik_config.yml")
 					if err != nil {
@@ -235,8 +225,8 @@ func main() {
 					fmt.Printf("Let's Encrypt Email: %s\n", config.LetsEncryptEmail)
 					fmt.Printf("Badger Version: %s\n", config.BadgerVersion)
-					if !readBool("Are these values correct?", true) {
+					if !readBool(reader, "Are these values correct?", true) {
-						config = collectUserInput()
+						config = collectUserInput(reader)
 					}
 				}
@@ -245,7 +235,7 @@ func main() {
 				if detectedType == Undefined {
 					// If detection fails, prompt the user
 					fmt.Println("Unable to detect container type from existing installation.")
-					config.InstallationContainerType = podmanOrDocker()
+					config.InstallationContainerType = podmanOrDocker(reader)
 				} else {
 					config.InstallationContainerType = detectedType
 					fmt.Printf("Detected container type: %s\n", config.InstallationContainerType)
@@ -287,8 +277,8 @@ func main() {
 	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
-func podmanOrDocker() SupportedContainer {
+func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
-	inputContainer := readString("Would you like to run Pangolin as Docker or Podman containers?", "docker")
+	inputContainer := readString(reader, "Would you like to run Pangolin as Docker or Podman containers?", "docker")
 	chosenContainer := Docker
 	if strings.EqualFold(inputContainer, "docker") {
@@ -300,8 +290,7 @@ func podmanOrDocker() SupportedContainer {
 		os.Exit(1)
 	}
-	switch chosenContainer {
+	if chosenContainer == Podman {
 	case Podman:
 		if !isPodmanInstalled() {
 			fmt.Println("Podman or podman-compose is not installed. Please install both manually. Automated installation will be available in a later release.")
 			os.Exit(1)
@@ -310,7 +299,7 @@ func podmanOrDocker() SupportedContainer {
 		if err := exec.Command("bash", "-c", "cat /etc/sysctl.d/99-podman.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start=' || cat /etc/sysctl.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
 			fmt.Println("Would you like to configure ports >= 80 as unprivileged ports? This enables podman containers to listen on low-range ports.")
 			fmt.Println("Pangolin will experience startup issues if this is not configured, because it needs to listen on port 80/443 by default.")
-			approved := readBool("The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system\". Approve?", true)
+			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system\". Approve?", true)
 			if approved {
 				if os.Geteuid() != 0 {
 					fmt.Println("You need to run the installer as root for such a configuration.")
@@ -322,7 +311,7 @@ func podmanOrDocker() SupportedContainer {
 				// Linux only.
 				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system"); err != nil {
-					fmt.Printf("Error configuring unprivileged ports: %v\n", err)
+				    fmt.Printf("Error configuring unprivileged ports: %v\n", err)
 					os.Exit(1)
 				}
 			} else {
@@ -332,7 +321,7 @@ func podmanOrDocker() SupportedContainer {
 			fmt.Println("Unprivileged ports have been configured.")
 		}
-	case Docker:
+	} else if chosenContainer == Docker {
 		// check if docker is not installed and the user is root
 		if !isDockerInstalled() {
 			if os.Geteuid() != 0 {
@@ -347,7 +336,7 @@ func podmanOrDocker() SupportedContainer {
 			fmt.Println("The installer will not be able to run docker commands without running it as root.")
 			os.Exit(1)
 		}
-	default:
+	} else {
 		// This shouldn't happen unless there's a third container runtime.
 		os.Exit(1)
 	}
@@ -355,35 +344,35 @@ func podmanOrDocker() SupportedContainer {
 	return chosenContainer
 }
-func collectUserInput() Config {
+func collectUserInput(reader *bufio.Reader) Config {
 	config := Config{}
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
-	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
+	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
-	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")
+	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
 	// Set default dashboard domain after base domain is collected
 	defaultDashboardDomain := ""
 	if config.BaseDomain != "" {
 		defaultDashboardDomain = "pangolin." + config.BaseDomain
 	}
-	config.DashboardDomain = readString("Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
+	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
-	config.LetsEncryptEmail = readString("Enter email for Let's Encrypt certificates", "")
+	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
-	config.InstallGerbil = readBool("Do you want to use Gerbil to allow tunneled connections", true)
+	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
 	// Email configuration
 	fmt.Println("\n=== Email Configuration ===")
-	config.EnableEmail = readBool("Enable email functionality (SMTP)", false)
+	config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
 	if config.EnableEmail {
-		config.EmailSMTPHost = readString("Enter SMTP host", "")
+		config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
-		config.EmailSMTPPort = readInt("Enter SMTP port (default 587)", 587)
+		config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
-		config.EmailSMTPUser = readString("Enter SMTP username", "")
+		config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
-		config.EmailSMTPPass = readPassword("Enter SMTP password")
+		config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
-		config.EmailNoReply = readString("Enter no-reply email address (often the same as SMTP username)", "")
+		config.EmailNoReply = readString(reader, "Enter no-reply email address (often the same as SMTP username)", "")
 	}
 	// Validate required fields
@@ -404,8 +393,8 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")
-	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
+	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
+	config.EnableGeoblocking = readBool(reader, "Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -416,18 +405,10 @@ func collectUserInput() Config {
 }
 func createConfigFiles(config Config) error {
-	if err := os.MkdirAll("config", 0755); err != nil {
+	os.MkdirAll("config", 0755)
-		return fmt.Errorf("failed to create config directory: %v", err)
+	os.MkdirAll("config/letsencrypt", 0755)
-	}
+	os.MkdirAll("config/db", 0755)
-	if err := os.MkdirAll("config/letsencrypt", 0755); err != nil {
+	os.MkdirAll("config/logs", 0755)
 		return fmt.Errorf("failed to create letsencrypt directory: %v", err)
 	}
 	if err := os.MkdirAll("config/db", 0755); err != nil {
 		return fmt.Errorf("failed to create db directory: %v", err)
 	}
 	if err := os.MkdirAll("config/logs", 0755); err != nil {
 		return fmt.Errorf("failed to create logs directory: %v", err)
 	}
 	// Walk through all embedded files
 	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, err error) error {
@@ -581,24 +562,22 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 	fmt.Println("To get your setup token, you need to:")
 	fmt.Println("")
 	fmt.Println("1. Start the containers")
-	switch containerType {
+	if containerType == Docker {
 	case Docker:
 		fmt.Println("   docker compose up -d")
-	case Podman:
+	} else if containerType == Podman {
 		fmt.Println("   podman-compose up -d")
 	} else {
 	}
 	fmt.Println("")
 	fmt.Println("2. Wait for the Pangolin container to start and generate the token")
 	fmt.Println("")
 	fmt.Println("3. Check the container logs for the setup token")
-	switch containerType {
+	if containerType == Docker {
 	case Docker:
 		fmt.Println("   docker logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
-	case Podman:
+	} else if containerType == Podman {
 		fmt.Println("   podman logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
 	} else {
 	}
 	fmt.Println("")
 	fmt.Println("4. Look for output like")
 	fmt.Println("   === SETUP TOKEN GENERATED ===")
@@ -660,7 +639,10 @@ func checkPortsAvailable(port int) error {
 	addr := fmt.Sprintf(":%d", port)
 	ln, err := net.Listen("tcp", addr)
 	if err != nil {
-		return fmt.Errorf("ERROR: port %d is occupied or cannot be bound: %w", port, err)
+		return fmt.Errorf(
 			"ERROR: port %d is occupied or cannot be bound: %w\n\n",
 			port, err,
 		)
 	}
 	if closeErr := ln.Close(); closeErr != nil {
 		fmt.Fprintf(os.Stderr,
--- a/install/theme.go
+++ b/install/theme.go
@@ -1,51 +0,0 @@
 package main
 import (
 	"github.com/charmbracelet/huh"
 	"github.com/charmbracelet/lipgloss"
 )
 // Pangolin brand colors (converted from oklch to hex)
 var (
 	// Primary orange/amber - oklch(0.6717 0.1946 41.93)
 	primaryColor = lipgloss.AdaptiveColor{Light: "#D97706", Dark: "#F59E0B"}
 	// Muted foreground
 	mutedColor = lipgloss.AdaptiveColor{Light: "#737373", Dark: "#A3A3A3"}
 	// Success green
 	successColor = lipgloss.AdaptiveColor{Light: "#16A34A", Dark: "#22C55E"}
 	// Error red - oklch(0.577 0.245 27.325)
 	errorColor = lipgloss.AdaptiveColor{Light: "#DC2626", Dark: "#EF4444"}
 	// Normal text
 	normalFg = lipgloss.AdaptiveColor{Light: "#171717", Dark: "#FAFAFA"}
 )
 // ThemePangolin returns a huh theme using Pangolin brand colors
 func ThemePangolin() *huh.Theme {
 	t := huh.ThemeBase()
 	// Focused state styles
 	t.Focused.Base = t.Focused.Base.BorderForeground(primaryColor)
 	t.Focused.Title = t.Focused.Title.Foreground(primaryColor).Bold(true)
 	t.Focused.Description = t.Focused.Description.Foreground(mutedColor)
 	t.Focused.ErrorIndicator = t.Focused.ErrorIndicator.Foreground(errorColor)
 	t.Focused.ErrorMessage = t.Focused.ErrorMessage.Foreground(errorColor)
 	t.Focused.SelectSelector = t.Focused.SelectSelector.Foreground(primaryColor)
 	t.Focused.NextIndicator = t.Focused.NextIndicator.Foreground(primaryColor)
 	t.Focused.PrevIndicator = t.Focused.PrevIndicator.Foreground(primaryColor)
 	t.Focused.Option = t.Focused.Option.Foreground(normalFg)
 	t.Focused.SelectedOption = t.Focused.SelectedOption.Foreground(primaryColor)
 	t.Focused.SelectedPrefix = lipgloss.NewStyle().Foreground(successColor).SetString("✓ ")
 	t.Focused.UnselectedPrefix = lipgloss.NewStyle().Foreground(mutedColor).SetString("  ")
 	t.Focused.FocusedButton = t.Focused.FocusedButton.Foreground(lipgloss.Color("#FFFFFF")).Background(primaryColor)
 	t.Focused.BlurredButton = t.Focused.BlurredButton.Foreground(normalFg).Background(lipgloss.AdaptiveColor{Light: "#E5E5E5", Dark: "#404040"})
 	t.Focused.TextInput.Cursor = t.Focused.TextInput.Cursor.Foreground(primaryColor)
 	t.Focused.TextInput.Prompt = t.Focused.TextInput.Prompt.Foreground(primaryColor)
 	// Blurred state inherits from focused but with hidden border
 	t.Blurred = t.Focused
 	t.Blurred.Base = t.Focused.Base.BorderStyle(lipgloss.HiddenBorder())
 	t.Blurred.Title = t.Blurred.Title.Foreground(mutedColor).Bold(false)
 	t.Blurred.TextInput.Prompt = t.Blurred.TextInput.Prompt.Foreground(mutedColor)
 	return t
 }
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Неуспешно превключване на ресурса",
    "resourcesErrorUpdateDescription": "Възникна грешка при актуализиране на ресурса",
    "access": "Достъп",
    "accessControl": "Контрол на достъпа",
    "shareLink": "{resource} Сподели връзка",
    "resourceSelect": "Изберете ресурс",
    "shareLinks": "Споделени връзки",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "О, не! Страницата, която търсите, не съществува.",
    "overview": "Общ преглед",
    "home": "Начало",
    "accessControl": "Контрол на достъпа",
    "settings": "Настройки",
    "usersAll": "Всички потребители",
    "license": "Лиценз",
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Nepodařilo se přepnout zdroj",
    "resourcesErrorUpdateDescription": "Došlo k chybě při aktualizaci zdroje",
    "access": "Přístup",
    "accessControl": "Kontrola přístupu",
    "shareLink": "{resource} Sdílet odkaz",
    "resourceSelect": "Vyberte zdroj",
    "shareLinks": "Sdílet odkazy",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Jejda! Stránka, kterou hledáte, neexistuje.",
    "overview": "Přehled",
    "home": "Domů",
    "accessControl": "Kontrola přístupu",
    "settings": "Nastavení",
    "usersAll": "Všichni uživatelé",
    "license": "Licence",
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Fehler beim Umschalten der Ressource",
    "resourcesErrorUpdateDescription": "Beim Aktualisieren der Ressource ist ein Fehler aufgetreten",
    "access": "Zugriff",
    "accessControl": "Zugriffskontrolle",
    "shareLink": "{resource} Freigabe-Link",
    "resourceSelect": "Ressource auswählen",
    "shareLinks": "Freigabe-Links",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Hoppla! Die gesuchte Seite existiert nicht.",
    "overview": "Übersicht",
    "home": "Startseite",
    "accessControl": "Zugriffskontrolle",
    "settings": "Einstellungen",
    "usersAll": "Alle Benutzer",
    "license": "Lizenz",
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -649,8 +649,7 @@
    "resourcesUsersRolesAccess": "User and role-based access control",
    "resourcesErrorUpdate": "Failed to toggle resource",
    "resourcesErrorUpdateDescription": "An error occurred while updating the resource",
-    "access": "Access",
+    "access": "Access Control",
    "accessControl": "Access Control",
    "shareLink": "{resource} Share Link",
    "resourceSelect": "Select resource",
    "shareLinks": "Share Links",
@@ -1670,10 +1669,10 @@
    "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
    "sshSudo": "Allow sudo",
    "sshSudoCommands": "Sudo Commands",
-    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo.",
    "sshCreateHomeDir": "Create Home Directory",
    "sshUnixGroups": "Unix Groups",
-    "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host.",
    "retryAttempts": "Retry Attempts",
    "expectedResponseCodes": "Expected Response Codes",
    "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -2543,7 +2542,7 @@
    "internalResourceAuthDaemonSite": "On Site",
    "internalResourceAuthDaemonSiteDescription": "Auth daemon runs on the site (Newt).",
    "internalResourceAuthDaemonRemote": "Remote Host",
-    "internalResourceAuthDaemonRemoteDescription": "Auth daemon runs on this resource's destination - not the site.",
+    "internalResourceAuthDaemonRemoteDescription": "Auth daemon runs on a host that is not the site.",
    "internalResourceAuthDaemonPort": "Daemon Port (optional)",
    "orgAuthWhatsThis": "Where can I find my organization ID?",
    "learnMore": "Learn more",
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Error al cambiar el recurso",
    "resourcesErrorUpdateDescription": "Se ha producido un error al actualizar el recurso",
    "access": "Acceder",
    "accessControl": "Control de acceso",
    "shareLink": "{resource} Compartir Enlace",
    "resourceSelect": "Seleccionar recurso",
    "shareLinks": "Compartir enlaces",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "¡Vaya! La página que estás buscando no existe.",
    "overview": "Resumen",
    "home": "Inicio",
    "accessControl": "Control de acceso",
    "settings": "Ajustes",
    "usersAll": "Todos los usuarios",
    "license": "Licencia",
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Échec de la bascule de la ressource",
    "resourcesErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour de la ressource",
    "access": "Accès",
    "accessControl": "Contrôle d'accès",
    "shareLink": "Lien de partage {resource}",
    "resourceSelect": "Sélectionner une ressource",
    "shareLinks": "Liens de partage",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Oups! La page que vous recherchez n'existe pas.",
    "overview": "Vue d'ensemble",
    "home": "Accueil",
    "accessControl": "Contrôle d'accès",
    "settings": "Paramètres",
    "usersAll": "Tous les utilisateurs",
    "license": "Licence",
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Impossibile attivare/disattivare la risorsa",
    "resourcesErrorUpdateDescription": "Si è verificato un errore durante l'aggiornamento della risorsa",
    "access": "Accesso",
    "accessControl": "Controllo Accessi",
    "shareLink": "Link di Condivisione {resource}",
    "resourceSelect": "Seleziona risorsa",
    "shareLinks": "Link di Condivisione",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Oops! La pagina che stai cercando non esiste.",
    "overview": "Panoramica",
    "home": "Home",
    "accessControl": "Controllo Accessi",
    "settings": "Impostazioni",
    "usersAll": "Tutti Gli Utenti",
    "license": "Licenza",
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "리소스를 전환하는 데 실패했습니다.",
    "resourcesErrorUpdateDescription": "리소스를 업데이트하는 동안 오류가 발생했습니다.",
    "access": "접속",
    "accessControl": "액세스 제어",
    "shareLink": "{resource} 공유 링크",
    "resourceSelect": "리소스 선택",
    "shareLinks": "공유 링크",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "앗! 찾고 있는 페이지가 존재하지 않습니다.",
    "overview": "개요",
    "home": "홈",
    "accessControl": "액세스 제어",
    "settings": "설정",
    "usersAll": "모든 사용자",
    "license": "라이선스",
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Feilet å slå av/på ressurs",
    "resourcesErrorUpdateDescription": "En feil oppstod under oppdatering av ressursen",
    "access": "Tilgang",
    "accessControl": "Tilgangskontroll",
    "shareLink": "{resource} Del Lenke",
    "resourceSelect": "Velg ressurs",
    "shareLinks": "Del lenker",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Oops! Siden du leter etter finnes ikke.",
    "overview": "Oversikt",
    "home": "Hjem",
    "accessControl": "Tilgangskontroll",
    "settings": "Innstillinger",
    "usersAll": "Alle brukere",
    "license": "Lisens",
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Bron wisselen mislukt",
    "resourcesErrorUpdateDescription": "Er is een fout opgetreden tijdens het bijwerken van het document",
    "access": "Toegangsrechten",
    "accessControl": "Toegangs controle",
    "shareLink": "{resource} Share link",
    "resourceSelect": "Selecteer resource",
    "shareLinks": "Links delen",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Oeps! De pagina die je zoekt bestaat niet.",
    "overview": "Overzicht.",
    "home": "Startpagina",
    "accessControl": "Toegangs controle",
    "settings": "Instellingen",
    "usersAll": "Alle gebruikers",
    "license": "Licentie",
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Nie udało się przełączyć zasobu",
    "resourcesErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji zasobu",
    "access": "Dostęp",
    "accessControl": "Kontrola dostępu",
    "shareLink": "Link udostępniania {resource}",
    "resourceSelect": "Wybierz zasób",
    "shareLinks": "Linki udostępniania",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Ups! Strona, której szukasz, nie istnieje.",
    "overview": "Przegląd",
    "home": "Strona główna",
    "accessControl": "Kontrola dostępu",
    "settings": "Ustawienia",
    "usersAll": "Wszyscy użytkownicy",
    "license": "Licencja",
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Falha ao alternar recurso",
    "resourcesErrorUpdateDescription": "Ocorreu um erro ao atualizar o recurso",
    "access": "Acesso",
    "accessControl": "Controle de Acesso",
    "shareLink": "Link de Compartilhamento {resource}",
    "resourceSelect": "Selecionar recurso",
    "shareLinks": "Links de Compartilhamento",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Ops! A página que você está procurando não existe.",
    "overview": "Visão Geral",
    "home": "Início",
    "accessControl": "Controle de Acesso",
    "settings": "Configurações",
    "usersAll": "Todos os Utilizadores",
    "license": "Licença",
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Не удалось переключить ресурс",
    "resourcesErrorUpdateDescription": "Произошла ошибка при обновлении ресурса",
    "access": "Доступ",
    "accessControl": "Контроль доступа",
    "shareLink": "Общая ссылка {resource}",
    "resourceSelect": "Выберите ресурс",
    "shareLinks": "Общие ссылки",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Упс! Страница, которую вы ищете, не существует.",
    "overview": "Обзор",
    "home": "Главная",
    "accessControl": "Контроль доступа",
    "settings": "Настройки",
    "usersAll": "Все пользователи",
    "license": "Лицензия",
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "Kaynak değiştirilemedi",
    "resourcesErrorUpdateDescription": "Kaynak güncellenirken bir hata oluştu",
    "access": "Erişim",
    "accessControl": "Erişim Kontrolü",
    "shareLink": "{resource} Paylaşım Bağlantısı",
    "resourceSelect": "Kaynak seçin",
    "shareLinks": "Paylaşım Bağlantıları",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "Oops! Aradığınız sayfa mevcut değil.",
    "overview": "Genel Bakış",
    "home": "Ana Sayfa",
    "accessControl": "Erişim Kontrolü",
    "settings": "Ayarlar",
    "usersAll": "Tüm Kullanıcılar",
    "license": "Lisans",
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -650,7 +650,6 @@
    "resourcesErrorUpdate": "切换资源失败",
    "resourcesErrorUpdateDescription": "更新资源时出错",
    "access": "访问权限",
    "accessControl": "访问控制",
    "shareLink": "{resource} 的分享链接",
    "resourceSelect": "选择资源",
    "shareLinks": "分享链接",
@@ -1039,6 +1038,7 @@
    "pageNotFoundDescription": "哎呀！您正在查找的页面不存在。",
    "overview": "概览",
    "home": "首页",
    "accessControl": "访问控制",
    "settings": "设置",
    "usersAll": "所有用户",
    "license": "许可协议",
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.4.1",
+        "@asteasolutions/zod-to-openapi": "8.4.0",
        "@aws-sdk/client-s3": "3.989.0",
        "@faker-js/faker": "10.3.0",
        "@headlessui/react": "2.2.9",
@@ -59,11 +59,11 @@
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
        "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.8",
+        "@react-email/components": "1.0.7",
        "@react-email/render": "2.0.4",
-        "@react-email/tailwind": "2.0.5",
+        "@react-email/tailwind": "2.0.4",
        "@simplewebauthn/browser": "13.2.2",
-        "@simplewebauthn/server": "13.2.3",
+        "@simplewebauthn/server": "13.2.2",
        "@tailwindcss/forms": "0.5.11",
        "@tanstack/react-query": "5.90.21",
        "@tanstack/react-table": "8.21.3",
@@ -81,7 +81,7 @@
        "drizzle-orm": "0.45.1",
        "express": "5.2.1",
        "express-rate-limit": "8.2.1",
-        "glob": "13.0.6",
+        "glob": "13.0.3",
        "helmet": "8.1.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
@@ -93,20 +93,20 @@
        "maxmind": "5.0.5",
        "moment": "2.30.1",
        "next": "15.5.12",
-        "next-intl": "4.8.3",
+        "next-intl": "4.8.2",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
        "nodemailer": "8.0.1",
        "oslo": "1.2.1",
-        "pg": "8.19.0",
+        "pg": "8.18.0",
-        "posthog-node": "5.26.0",
+        "posthog-node": "5.24.15",
        "qrcode.react": "4.2.0",
        "react": "19.2.4",
        "react-day-picker": "9.13.2",
        "react-dom": "19.2.4",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.71.2",
+        "react-hook-form": "7.71.1",
        "react-icons": "5.5.0",
        "recharts": "2.15.4",
        "reodotdev": "1.0.0",
@@ -115,7 +115,7 @@
        "sshpk": "^1.18.0",
        "stripe": "20.3.1",
        "swagger-ui-express": "5.0.1",
-        "tailwind-merge": "3.5.0",
+        "tailwind-merge": "3.4.0",
        "topojson-client": "3.1.0",
        "tw-animate-css": "1.4.0",
        "use-debounce": "^10.1.0",
@@ -147,7 +147,7 @@
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
        "@types/node": "25.2.3",
-        "@types/nodemailer": "7.0.11",
+        "@types/nodemailer": "7.0.9",
        "@types/nprogress": "0.2.3",
        "@types/pg": "8.16.0",
        "@types/react": "19.2.14",
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -1,7 +1,7 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db";
+import { userActions, roleActions } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
@@ -52,6 +52,7 @@ export enum ActionsEnum {
    listRoleResources = "listRoleResources",
    // listRoleActions = "listRoleActions",
    addUserRole = "addUserRole",
    removeUserRole = "removeUserRole",
    // addUserSite = "addUserSite",
    // addUserAction = "addUserAction",
    // removeUserAction = "removeUserAction",
@@ -153,29 +154,19 @@ export async function checkUserActionPermission(
    }
    try {
-        let userOrgRoleId = req.userOrgRoleId;
+        let userOrgRoleIds = req.userOrgRoleIds;
-        // If userOrgRoleId is not available on the request, fetch it
+        if (userOrgRoleIds === undefined) {
-        if (userOrgRoleId === undefined) {
+            const { getUserOrgRoleIds } = await import(
-            const userOrgRole = await db
+                "@server/lib/userOrgRoles"
-                .select()
+            );
-                .from(userOrgs)
+            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
-                .where(
+            if (userOrgRoleIds.length === 0) {
                    and(
                        eq(userOrgs.userId, userId),
                        eq(userOrgs.orgId, req.userOrgId!)
                    )
                )
                .limit(1);
            if (userOrgRole.length === 0) {
                throw createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                );
            }
            userOrgRoleId = userOrgRole[0].roleId;
        }
        // Check if the user has direct permission for the action in the current org
@@ -186,7 +177,7 @@ export async function checkUserActionPermission(
                and(
                    eq(userActions.userId, userId),
                    eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
+                    eq(userActions.orgId, req.userOrgId!)
                )
            )
            .limit(1);
@@ -195,14 +186,14 @@ export async function checkUserActionPermission(
            return true;
        }
-        // If no direct permission, check role-based permission
+        // If no direct permission, check role-based permission (any of user's roles)
        const roleActionPermission = await db
            .select()
            .from(roleActions)
            .where(
                and(
                    eq(roleActions.actionId, actionId),
-                    eq(roleActions.roleId, userOrgRoleId!),
+                    inArray(roleActions.roleId, userOrgRoleIds),
                    eq(roleActions.orgId, req.userOrgId!)
                )
            )
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";
 export async function canUserAccessResource({
    userId,
    resourceId,
-    roleId
+    roleIds
 }: {
    userId: string;
    resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
+    const roleResourceAccess =
-        .select()
+        roleIds.length > 0
-        .from(roleResources)
+            ? await db
-        .where(
+                  .select()
-            and(
+                  .from(roleResources)
-                eq(roleResources.resourceId, resourceId),
+                  .where(
-                eq(roleResources.roleId, roleId)
+                      and(
-            )
+                          eq(roleResources.resourceId, resourceId),
-        )
+                          inArray(roleResources.roleId, roleIds)
-        .limit(1);
+                      )
                  )
                  .limit(1)
            : [];
    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 export async function canUserAccessSiteResource({
    userId,
    resourceId,
-    roleId
+    roleIds
 }: {
    userId: string;
    resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
+    const roleResourceAccess =
-        .select()
+        roleIds.length > 0
-        .from(roleSiteResources)
+            ? await db
-        .where(
+                  .select()
-            and(
+                  .from(roleSiteResources)
-                eq(roleSiteResources.siteResourceId, resourceId),
+                  .where(
-                eq(roleSiteResources.roleId, roleId)
+                      and(
-            )
+                          eq(roleSiteResources.siteResourceId, resourceId),
-        )
+                          inArray(roleSiteResources.roleId, roleIds)
-        .limit(1);
+                      )
                  )
                  .limit(1)
            : [];
    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -87,7 +87,7 @@ export async function validateResourceSessionToken(
    if (Date.now() >= resourceSession.expiresAt) {
        await db
            .delete(resourceSessions)
-            .where(eq(resourceSessions.sessionId, sessionId));
+            .where(eq(resourceSessions.sessionId, resourceSessions.sessionId));
        return { resourceSession: null };
    } else if (
        Date.now() >=
@@ -181,7 +181,7 @@ export function serializeResourceSessionCookie(
        return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Secure; Domain=${domain}`;
    } else {
        if (expiresAt === undefined) {
-            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=${domain}`;
+            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=$domain}`;
        }
        return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Domain=${domain}`;
    }
--- a/server/db/pg/index.ts
+++ b/server/db/pg/index.ts
@@ -1,5 +1,4 @@
 export * from "./driver";
 export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,87 +0,0 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
 function createLogsDb() {
    // Only use separate logs database in SaaS builds
    if (build !== "saas") {
        return mainDb;
    }
    const config = readConfigFile();
    // Merge configs, prioritizing private config
    const logsConfig = config.postgres_logs;
    // Check environment variable first
    let connectionString = process.env.POSTGRES_LOGS_CONNECTION_STRING;
    let replicaConnections: Array<{ connection_string: string }> = [];
    if (!connectionString && logsConfig) {
        connectionString = logsConfig.connection_string;
        replicaConnections = logsConfig.replicas || [];
    }
    // If POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS is set, use it
    if (process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS) {
        replicaConnections =
            process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS.split(",").map(
                (conn) => ({
                    connection_string: conn.trim()
                })
            );
    }
    // If no logs database is configured, fall back to main database
    if (!connectionString) {
        return mainDb;
    }
    // Create separate connection pool for logs database
    const poolConfig = logsConfig?.pool || config.postgres?.pool;
    const primaryPool = new Pool({
        connectionString,
        max: poolConfig?.max_connections || 20,
        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
    });
    const replicas = [];
    if (!replicaConnections.length) {
        replicas.push(
            DrizzlePostgres(primaryPool, {
                logger: process.env.QUERY_LOGGING == "true"
            })
        );
    } else {
        for (const conn of replicaConnections) {
            const replicaPool = new Pool({
                connectionString: conn.connection_string,
                max: poolConfig?.max_replica_connections || 20,
                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
                connectionTimeoutMillis:
                    poolConfig?.connection_timeout_ms || 5000
            });
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
                })
            );
        }
    }
    return withReplicas(
        DrizzlePostgres(primaryPool, {
            logger: process.env.QUERY_LOGGING == "true"
        }),
        replicas as any
    );
 }
 export const logsDb = createLogsDb();
 export default logsDb;
 export const primaryLogsDb = logsDb.$primary;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -9,6 +9,7 @@ import {
    real,
    serial,
    text,
    unique,
    varchar
 } from "drizzle-orm/pg-core";
@@ -332,9 +333,6 @@ export const userOrgs = pgTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId),
    isOwner: boolean("isOwner").notNull().default(false),
    autoProvisioned: boolean("autoProvisioned").default(false),
    pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -383,6 +381,22 @@ export const roles = pgTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 export const userOrgRoles = pgTable(
    "userOrgRoles",
    {
        userId: varchar("userId")
            .notNull()
            .references(() => users.userId, { onDelete: "cascade" }),
        orgId: varchar("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
 );
 export const roleActions = pgTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -1031,6 +1045,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -12,6 +12,7 @@ import {
    resources,
    roleResources,
    sessions,
    userOrgRoles,
    userOrgs,
    userResources,
    users,
@@ -104,24 +105,57 @@ export async function getUserSessionWithUser(
 }
 /**
- * Get user organization role
+ * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
 * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
 */
 export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrgRole = await db
+    const userOrg = await db
        .select({
            userId: userOrgs.userId,
            orgId: userOrgs.orgId,
            roleId: userOrgs.roleId,
            isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned,
+            autoProvisioned: userOrgs.autoProvisioned
            roleName: roles.name
        })
        .from(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .limit(1);
-    return userOrgRole.length > 0 ? userOrgRole[0] : null;
+    if (userOrg.length === 0) return null;
    const [firstRole] = await db
        .select({
            roleId: userOrgRoles.roleId,
            roleName: roles.name
        })
        .from(userOrgRoles)
        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
        .where(
            and(
                eq(userOrgRoles.userId, userId),
                eq(userOrgRoles.orgId, orgId)
            )
        )
        .limit(1);
    return firstRole
        ? {
              ...userOrg[0],
              roleId: firstRole.roleId,
              roleName: firstRole.roleName
          }
        : { ...userOrg[0], roleId: null, roleName: null };
 }
 /**
 * Get role name by role ID (for display).
 */
 export async function getRoleName(roleId: number): Promise<string | null> {
    const [row] = await db
        .select({ name: roles.name })
        .from(roles)
        .where(eq(roles.roleId, roleId))
        .limit(1);
    return row?.name ?? null;
 }
 /**
--- a/server/db/sqlite/index.ts
+++ b/server/db/sqlite/index.ts
@@ -1,5 +1,4 @@
 export * from "./driver";
 export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
--- a/server/db/sqlite/logsDriver.ts
+++ b/server/db/sqlite/logsDriver.ts
@@ -1,7 +0,0 @@
 import { db as mainDb } from "./driver";
 // SQLite doesn't support separate databases for logs in the same way as Postgres
 // Always use the main database connection for SQLite
 export const logsDb = mainDb;
 export default logsDb;
 export const primaryLogsDb = logsDb;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,6 +1,12 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+import {
    index,
    integer,
    sqliteTable,
    text,
    unique
 } from "drizzle-orm/sqlite-core";
 export const domains = sqliteTable("domains", {
    domainId: text("domainId").primaryKey(),
@@ -635,9 +641,6 @@ export const userOrgs = sqliteTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId),
    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
    autoProvisioned: integer("autoProvisioned", {
        mode: "boolean"
@@ -692,6 +695,22 @@ export const roles = sqliteTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 export const userOrgRoles = sqliteTable(
    "userOrgRoles",
    {
        userId: text("userId")
            .notNull()
            .references(() => users.userId, { onDelete: "cascade" }),
        orgId: text("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
 );
 export const roleActions = sqliteTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -1126,6 +1145,7 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/index.ts
+++ b/server/index.ts
@@ -74,7 +74,7 @@ declare global {
            session: Session;
            userOrg?: UserOrg;
            apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleId?: number;
+            userOrgRoleIds?: number[];
            userOrgId?: string;
            userOrgIds?: string[];
            remoteExitNode?: RemoteExitNode;
--- a/server/internalServer.ts
+++ b/server/internalServer.ts
@@ -16,11 +16,6 @@ const internalPort = config.getRawConfig().server.internal_port;
 export function createInternalServer() {
    const internalServer = express();
    const trustProxy = config.getRawConfig().server.trust_proxy;
    if (trustProxy) {
        internalServer.set("trust proxy", trustProxy);
    }
    internalServer.use(helmet());
    internalServer.use(cors());
    internalServer.use(stripDuplicateSesions);
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -48,5 +48,5 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
        "enterprise"
    ],
    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.SshPam]: ["enterprise"]
 };
--- a/server/lib/billing/usageService.ts
+++ b/server/lib/billing/usageService.ts
@@ -12,7 +12,7 @@ import {
 import { FeatureId, getFeatureMeterId } from "./features";
 import logger from "@server/logger";
 import { build } from "@server/build";
-import cache from "#dynamic/lib/cache";
+import cache from "@server/lib/cache";
 export function noop() {
    if (build !== "saas") {
@@ -230,7 +230,7 @@ export class UsageService {
        const orgIdToUse = await this.getBillingOrg(orgId);
        const cacheKey = `customer_${orgIdToUse}_${featureId}`;
-        const cached = await cache.get<string>(cacheKey);
+        const cached = cache.get<string>(cacheKey);
        if (cached) {
            return cached;
@@ -253,7 +253,7 @@ export class UsageService {
            const customerId = customer.customerId;
            // Cache the result
-            await cache.set(cacheKey, customerId, 300); // 5 minute TTL
+            cache.set(cacheKey, customerId, 300); // 5 minute TTL
            return customerId;
        } catch (error) {
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -11,7 +11,7 @@ import {
    userSiteResources
 } from "@server/db";
 import { sites } from "@server/db";
-import { eq, and, ne, inArray, or } from "drizzle-orm";
+import { eq, and, ne, inArray } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
 import { getNextAvailableAliasAddress } from "../ip";
@@ -142,10 +142,7 @@ export async function updateClientResources(
                    .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
                    .where(
                        and(
-                            or(
+                            inArray(users.username, resourceData.users),
                                inArray(users.username, resourceData.users),
                                inArray(users.email, resourceData.users)
                            ),
                            eq(userOrgs.orgId, orgId)
                        )
                    );
@@ -279,10 +276,7 @@ export async function updateClientResources(
                    .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
                    .where(
                        and(
-                            or(
+                            inArray(users.username, resourceData.users),
                                inArray(users.username, resourceData.users),
                                inArray(users.email, resourceData.users)
                            ),
                            eq(userOrgs.orgId, orgId)
                        )
                    );
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -212,10 +212,7 @@ export async function updateProxyResources(
            } else {
                // Update existing resource
-                const isLicensed = await isLicensedOrSubscribed(
+                const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
                    orgId,
                    tierMatrix.maintencePage
                );
                if (!isLicensed) {
                    resourceData.maintenance = undefined;
                }
@@ -593,10 +590,7 @@ export async function updateProxyResources(
                        existingRule.action !== getRuleAction(rule.action) ||
                        existingRule.match !== rule.match.toUpperCase() ||
                        existingRule.value !==
-                            getRuleValue(
+                        getRuleValue(rule.match.toUpperCase(), rule.value) ||
                                rule.match.toUpperCase(),
                                rule.value
                            ) ||
                        existingRule.priority !== intendedPriority
                    ) {
                        validateRule(rule);
@@ -654,10 +648,7 @@ export async function updateProxyResources(
                );
            }
-            const isLicensed = await isLicensedOrSubscribed(
+            const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
                orgId,
                tierMatrix.maintencePage
            );
            if (!isLicensed) {
                resourceData.maintenance = undefined;
            }
@@ -944,12 +935,7 @@ async function syncUserResources(
            .select()
            .from(users)
            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(
+            .where(and(eq(users.username, username), eq(userOrgs.orgId, orgId)))
                and(
                    or(eq(users.username, username), eq(users.email, username)),
                    eq(userOrgs.orgId, orgId)
                )
            )
            .limit(1);
        if (!user) {
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -69,7 +69,7 @@ export const AuthSchema = z.object({
        .refine((roles) => !roles.includes("Admin"), {
            error: "Admin role cannot be included in sso-roles"
        }),
-    "sso-users": z.array(z.string()).optional().default([]),
+    "sso-users": z.array(z.email()).optional().default([]),
    "whitelist-users": z.array(z.email()).optional().default([]),
    "auto-login-idp": z.int().positive().optional()
 });
@@ -335,7 +335,7 @@ export const ClientResourceSchema = z
            .refine((roles) => !roles.includes("Admin"), {
                error: "Admin role cannot be included in roles"
            }),
-        users: z.array(z.string()).optional().default([]),
+        users: z.array(z.email()).optional().default([]),
        machines: z.array(z.string()).optional().default([])
    })
    .refine(
--- a/server/lib/cache.ts
+++ b/server/lib/cache.ts
@@ -1,9 +1,9 @@
 import NodeCache from "node-cache";
 import logger from "@server/logger";
-// Create local cache with maxKeys limit to prevent memory leaks
+// Create cache with maxKeys limit to prevent memory leaks
 // With ~10k requests/day and 5min TTL, 10k keys should be more than sufficient
-export const localCache = new NodeCache({
+export const cache = new NodeCache({
    stdTTL: 3600,
    checkperiod: 120,
    maxKeys: 10000
@@ -11,151 +11,10 @@ export const localCache = new NodeCache({
 // Log cache statistics periodically for monitoring
 setInterval(() => {
-    const stats = localCache.getStats();
+    const stats = cache.getStats();
    logger.debug(
-        `Local cache stats - Keys: ${stats.keys}, Hits: ${stats.hits}, Misses: ${stats.misses}, Hit rate: ${stats.hits > 0 ? ((stats.hits / (stats.hits + stats.misses)) * 100).toFixed(2) : 0}%`
+        `Cache stats - Keys: ${stats.keys}, Hits: ${stats.hits}, Misses: ${stats.misses}, Hit rate: ${stats.hits > 0 ? ((stats.hits / (stats.hits + stats.misses)) * 100).toFixed(2) : 0}%`
    );
 }, 300000); // Every 5 minutes
 /**
 * Adaptive cache that uses Redis when available in multi-node environments,
 * otherwise falls back to local memory cache for single-node deployments.
 */
 class AdaptiveCache {
    /**
     * Set a value in the cache
     * @param key - Cache key
     * @param value - Value to cache (will be JSON stringified for Redis)
     * @param ttl - Time to live in seconds (0 = no expiration)
     * @returns boolean indicating success
     */
    async set(key: string, value: any, ttl?: number): Promise<boolean> {
        const effectiveTtl = ttl === 0 ? undefined : ttl;
        // Use local cache as fallback or primary
        const success = localCache.set(key, value, effectiveTtl || 0);
        if (success) {
            logger.debug(`Set key in local cache: ${key}`);
        }
        return success;
    }
    /**
     * Get a value from the cache
     * @param key - Cache key
     * @returns The cached value or undefined if not found
     */
    async get<T = any>(key: string): Promise<T | undefined> {
        // Use local cache as fallback or primary
        const value = localCache.get<T>(key);
        if (value !== undefined) {
            logger.debug(`Cache hit in local cache: ${key}`);
        } else {
            logger.debug(`Cache miss in local cache: ${key}`);
        }
        return value;
    }
    /**
     * Delete a value from the cache
     * @param key - Cache key or array of keys
     * @returns Number of deleted entries
     */
    async del(key: string | string[]): Promise<number> {
        const keys = Array.isArray(key) ? key : [key];
        let deletedCount = 0;
        // Use local cache as fallback or primary
        for (const k of keys) {
            const success = localCache.del(k);
            if (success > 0) {
                deletedCount++;
                logger.debug(`Deleted key from local cache: ${k}`);
            }
        }
        return deletedCount;
    }
    /**
     * Check if a key exists in the cache
     * @param key - Cache key
     * @returns boolean indicating if key exists
     */
    async has(key: string): Promise<boolean> {
        // Use local cache as fallback or primary
        return localCache.has(key);
    }
    /**
     * Get multiple values from the cache
     * @param keys - Array of cache keys
     * @returns Array of values (undefined for missing keys)
     */
    async mget<T = any>(keys: string[]): Promise<(T | undefined)[]> {
        // Use local cache as fallback or primary
        return keys.map((key) => localCache.get<T>(key));
    }
    /**
     * Flush all keys from the cache
     */
    async flushAll(): Promise<void> {
        localCache.flushAll();
        logger.debug("Flushed local cache");
    }
    /**
     * Get cache statistics
     * Note: Only returns local cache stats, Redis stats are not included
     */
    getStats() {
        return localCache.getStats();
    }
    /**
     * Get the current cache backend being used
     * @returns "redis" if Redis is available and healthy, "local" otherwise
     */
    getCurrentBackend(): "redis" | "local" {
        return "local";
    }
    /**
     * Take a key from the cache and delete it
     * @param key - Cache key
     * @returns The value or undefined if not found
     */
    async take<T = any>(key: string): Promise<T | undefined> {
        const value = await this.get<T>(key);
        if (value !== undefined) {
            await this.del(key);
        }
        return value;
    }
    /**
     * Get TTL (time to live) for a key
     * @param key - Cache key
     * @returns TTL in seconds, 0 if no expiration, -1 if key doesn't exist
     */
    getTtl(key: string): number {
        const ttl = localCache.getTtl(key);
        if (ttl === undefined) {
            return -1;
        }
        return Math.max(0, Math.floor((ttl - Date.now()) / 1000));
    }
    /**
     * Get all keys from the cache
     * Note: Only returns local cache keys, Redis keys are not included
     */
    keys(): string[] {
        return localCache.keys();
    }
 }
 // Export singleton instance
 export const cache = new AdaptiveCache();
 export default cache;
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -10,6 +10,7 @@ import {
    roles,
    Transaction,
    userClients,
    userOrgRoles,
    userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -39,20 +40,36 @@ export async function calculateUserClientsForOrgs(
            return;
        }
-        // Get all user orgs
+        // Get all user orgs with all roles (for org list and role-based logic)
-        const allUserOrgs = await transaction
+        const userOrgRoleRows = await transaction
            .select()
            .from(userOrgs)
-            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
+            .innerJoin(
                userOrgRoles,
                and(
                    eq(userOrgs.userId, userOrgRoles.userId),
                    eq(userOrgs.orgId, userOrgRoles.orgId)
                )
            )
            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
            .where(eq(userOrgs.userId, userId));
-        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
+        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
        const orgIdToRoleRows = new Map<
            string,
            (typeof userOrgRoleRows)[0][]
        >();
        for (const r of userOrgRoleRows) {
            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
            list.push(r);
            orgIdToRoleRows.set(r.userOrgs.orgId, list);
        }
        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
-            for (const userRoleOrg of allUserOrgs) {
+            for (const orgId of orgIdToRoleRows.keys()) {
-                const { userOrgs: userOrg, roles: role } = userRoleOrg;
+                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
-                const orgId = userOrg.orgId;
+                const userOrg = roleRowsForOrg[0].userOrgs;
                const [org] = await transaction
                    .select()
@@ -196,7 +213,7 @@ export async function calculateUserClientsForOrgs(
                const requireApproval =
                    build !== "oss" &&
                    isOrgLicensed &&
-                    role.requireDeviceApproval;
+                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
                const newClientData: InferInsertModel<typeof clients> = {
                    userId,
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";
 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.16.0";
+export const APP_VERSION = "1.15.4";
 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -189,46 +189,6 @@ export const configSchema = z
                    .prefault({})
            })
            .optional(),
        postgres_logs: z
            .object({
                connection_string: z
                    .string()
                    .optional()
                    .transform(getEnvOrYaml("POSTGRES_LOGS_CONNECTION_STRING")),
                replicas: z
                    .array(
                        z.object({
                            connection_string: z.string()
                        })
                    )
                    .optional(),
                pool: z
                    .object({
                        max_connections: z
                            .number()
                            .positive()
                            .optional()
                            .default(20),
                        max_replica_connections: z
                            .number()
                            .positive()
                            .optional()
                            .default(10),
                        idle_timeout_ms: z
                            .number()
                            .positive()
                            .optional()
                            .default(30000),
                        connection_timeout_ms: z
                            .number()
                            .positive()
                            .optional()
                            .default(5000)
                    })
                    .optional()
                    .prefault({})
            })
            .optional(),
        traefik: z
            .object({
                http_entrypoint: z.string().optional().default("web"),
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -14,6 +14,7 @@ import {
    siteResources,
    sites,
    Transaction,
    userOrgRoles,
    userOrgs,
    userSiteResources
 } from "@server/db";
@@ -77,10 +78,10 @@ export async function getClientSiteResourceAccess(
    // get all of the users in these roles
    const userIdsFromRoles = await trx
        .select({
-            userId: userOrgs.userId
+            userId: userOrgRoles.userId
        })
-        .from(userOrgs)
+        .from(userOrgRoles)
-        .where(inArray(userOrgs.roleId, roleIds))
+        .where(inArray(userOrgRoles.roleId, roleIds))
        .then((rows) => rows.map((row) => row.userId));
    const newAllUserIds = Array.from(
@@ -811,12 +812,12 @@ export async function rebuildClientAssociationsFromClient(
        // Role-based access
        const roleIds = await trx
-            .select({ roleId: userOrgs.roleId })
+            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgs)
+            .from(userOrgRoles)
            .where(
                and(
-                    eq(userOrgs.userId, client.userId),
+                    eq(userOrgRoles.userId, client.userId),
-                    eq(userOrgs.orgId, client.orgId)
+                    eq(userOrgRoles.orgId, client.orgId)
                )
            ) // this needs to be locked onto this org or else cross-org access could happen
            .then((rows) => rows.map((row) => row.roleId));
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -6,7 +6,7 @@ import {
    siteResources,
    sites,
    Transaction,
-    UserOrg,
+    userOrgRoles,
    userOrgs,
    userResources,
    userSiteResources,
@@ -19,9 +19,15 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
    org: Org,
    values: typeof userOrgs.$inferInsert,
    roleId: number,
    trx: Transaction | typeof db = db
 ) {
    const [userOrg] = await trx.insert(userOrgs).values(values).returning();
    await trx.insert(userOrgRoles).values({
        userId: userOrg.userId,
        orgId: userOrg.orgId,
        roleId
    });
    // calculate if the user is in any other of the orgs before we count it as an add to the billing org
    if (org.billingOrgId) {
@@ -58,6 +64,14 @@ export async function removeUserFromOrg(
    userId: string,
    trx: Transaction | typeof db = db
 ) {
    await trx
        .delete(userOrgRoles)
        .where(
            and(
                eq(userOrgRoles.userId, userId),
                eq(userOrgRoles.orgId, org.orgId)
            )
        );
    await trx
        .delete(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));
--- a/server/lib/userOrgRoles.ts
+++ b/server/lib/userOrgRoles.ts
@@ -0,0 +1,22 @@
 import { db, userOrgRoles } from "@server/db";
 import { and, eq } from "drizzle-orm";
 /**
 * Get all role IDs a user has in an organization.
 * Returns empty array if the user has no roles in the org (callers must treat as no access).
 */
 export async function getUserOrgRoleIds(
    userId: string,
    orgId: string
 ): Promise<number[]> {
    const rows = await db
        .select({ roleId: userOrgRoles.roleId })
        .from(userOrgRoles)
        .where(
            and(
                eq(userOrgRoles.userId, userId),
                eq(userOrgRoles.orgId, orgId)
            )
        );
    return rows.map((r) => r.roleId);
 }
--- a/server/middlewares/getUserOrgs.ts
+++ b/server/middlewares/getUserOrgs.ts
@@ -21,8 +21,7 @@ export async function getUserOrgs(
    try {
        const userOrganizations = await db
            .select({
-                orgId: userOrgs.orgId,
+                orgId: userOrgs.orgId
                roleId: userOrgs.roleId
            })
            .from(userOrgs)
            .where(eq(userOrgs.userId, userId));
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyAccessTokenAccess(
    req: Request,
@@ -93,7 +94,10 @@ export async function verifyAccessTokenAccess(
                )
            );
        } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
                req.userOrg.userId,
                resource[0].orgId!
            );
            req.userOrgId = resource[0].orgId!;
        }
@@ -118,7 +122,7 @@ export async function verifyAccessTokenAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
        });
        if (!resourceAllowed) {
--- a/server/middlewares/verifyAdmin.ts
+++ b/server/middlewares/verifyAdmin.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyAdmin(
    req: Request,
@@ -62,13 +63,29 @@ export async function verifyAdmin(
        }
    }
-    const userRole = await db
+    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
    if (req.userOrgRoleIds.length === 0) {
        return next(
            createHttpError(
                HttpCode.FORBIDDEN,
                "User does not have Admin access"
            )
        );
    }
    const userAdminRoles = await db
        .select()
        .from(roles)
-        .where(eq(roles.roleId, req.userOrg.roleId))
+        .where(
            and(
                inArray(roles.roleId, req.userOrgRoleIds),
                eq(roles.isAdmin, true)
            )
        )
        .limit(1);
-    if (userRole.length === 0 || !userRole[0].isAdmin) {
+    if (userAdminRoles.length === 0) {
        return next(
            createHttpError(
                HttpCode.FORBIDDEN,
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyApiKeyAccess(
    req: Request,
@@ -103,8 +104,10 @@ export async function verifyApiKeyAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            orgId
        );
        return next();
    } catch (error) {
--- a/server/middlewares/verifyClientAccess.ts
+++ b/server/middlewares/verifyClientAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyClientAccess(
    req: Request,
@@ -113,21 +114,30 @@ export async function verifyClientAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            client.orgId
        );
        req.userOrgId = client.orgId;
-        // Check role-based site access first
+        // Check role-based client access (any of user's roles)
-        const [roleClientAccess] = await db
+        const roleClientAccessList =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleClients)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleClients)
-                    eq(roleClients.clientId, client.clientId),
+                      .where(
-                    eq(roleClients.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(roleClients.clientId, client.clientId),
-            )
+                              inArray(
-            .limit(1);
+                                  roleClients.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        const [roleClientAccess] = roleClientAccessList;
        if (roleClientAccess) {
            // User has access to the site through their role
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs, apiKeyOrg } from "@server/db";
+import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyDomainAccess(
    req: Request,
@@ -63,7 +64,7 @@ export async function verifyDomainAccess(
                .where(
                    and(
                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, apiKeyOrg.orgId)
+                        eq(userOrgs.orgId, orgId)
                    )
                )
                .limit(1);
@@ -97,8 +98,7 @@ export async function verifyDomainAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
        req.userOrgRoleId = userOrgRoleId;
        return next();
    } catch (error) {
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
-import { db, orgs } from "@server/db";
+import { db } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyOrgAccess(
    req: Request,
@@ -64,8 +65,8 @@ export async function verifyOrgAccess(
            }
        }
-        // User has access, attach the user's role to the request for potential future use
+        // User has access, attach the user's role(s) to the request for potential future use
-        req.userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
        req.userOrgId = orgId;
        return next();
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyResourceAccess(
    req: Request,
@@ -107,20 +108,28 @@ export async function verifyResourceAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            resource.orgId
        );
        req.userOrgId = resource.orgId;
-        const roleResourceAccess = await db
+        const roleResourceAccess =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleResources)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleResources)
-                    eq(roleResources.resourceId, resource.resourceId),
+                      .where(
-                    eq(roleResources.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(roleResources.resourceId, resource.resourceId),
-            )
+                              inArray(
-            .limit(1);
+                                  roleResources.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyRoleAccess(
    req: Request,
@@ -99,7 +100,6 @@ export async function verifyRoleAccess(
        }
        if (!req.userOrg) {
            // get the userORg
            const userOrg = await db
                .select()
                .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                .limit(1);
            req.userOrg = userOrg[0];
-            req.userOrgRoleId = userOrg[0].roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
        }
        if (!req.userOrg) {
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -1,10 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifySiteAccess(
    req: Request,
@@ -112,21 +113,29 @@ export async function verifySiteAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            site.orgId
        );
        req.userOrgId = site.orgId;
-        // Check role-based site access first
+        // Check role-based site access first (any of user's roles)
-        const roleSiteAccess = await db
+        const roleSiteAccess =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleSites)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleSites)
-                    eq(roleSites.siteId, site.siteId),
+                      .where(
-                    eq(roleSites.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(roleSites.siteId, site.siteId),
-            )
+                              inArray(
-            .limit(1);
+                                  roleSites.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        if (roleSiteAccess.length > 0) {
            // User's role has access to the site
--- a/server/middlewares/verifySiteResourceAccess.ts
+++ b/server/middlewares/verifySiteResourceAccess.ts
@@ -1,11 +1,12 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and } from "drizzle-orm";
+import { eq, and, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifySiteResourceAccess(
    req: Request,
@@ -109,23 +110,34 @@ export async function verifySiteResourceAccess(
            }
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            siteResource.orgId
        );
        req.userOrgId = siteResource.orgId;
        // Attach the siteResource to the request for use in the next middleware/route
        req.siteResource = siteResource;
-        const roleResourceAccess = await db
+        const roleResourceAccess =
-            .select()
+            (req.userOrgRoleIds?.length ?? 0) > 0
-            .from(roleSiteResources)
+                ? await db
-            .where(
+                      .select()
-                and(
+                      .from(roleSiteResources)
-                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
+                      .where(
-                    eq(roleSiteResources.roleId, userOrgRoleId)
+                          and(
-                )
+                              eq(
-            )
+                                  roleSiteResources.siteResourceId,
-            .limit(1);
+                                  siteResourceIdNum
                              ),
                              inArray(
                                  roleSiteResources.roleId,
                                  req.userOrgRoleIds!
                              )
                          )
                      )
                      .limit(1)
                : [];
        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyTargetAccess.ts
+++ b/server/middlewares/verifyTargetAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyTargetAccess(
    req: Request,
@@ -99,7 +100,10 @@ export async function verifyTargetAccess(
                )
            );
        } else {
-            req.userOrgRoleId = req.userOrg.roleId;
+            req.userOrgRoleIds = await getUserOrgRoleIds(
                req.userOrg.userId,
                resource[0].orgId!
            );
            req.userOrgId = resource[0].orgId!;
        }
@@ -126,7 +130,7 @@ export async function verifyTargetAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleId: req.userOrgRoleId!
+            roleIds: req.userOrgRoleIds ?? []
        });
        if (!resourceAllowed) {
--- a/server/middlewares/verifyUserInRole.ts
+++ b/server/middlewares/verifyUserInRole.ts
@@ -12,7 +12,7 @@ export async function verifyUserInRole(
        const roleId = parseInt(
            req.params.roleId || req.body.roleId || req.query.roleId
        );
-        const userRoleId = req.userOrgRoleId;
+        const userOrgRoleIds = req.userOrgRoleIds ?? [];
        if (isNaN(roleId)) {
            return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
            );
        }
-        if (!userRoleId) {
+        if (userOrgRoleIds.length === 0) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
            );
        }
-        if (userRoleId !== roleId) {
+        if (!userOrgRoleIds.includes(roleId)) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -1,266 +0,0 @@
 import NodeCache from "node-cache";
 import logger from "@server/logger";
 import { redisManager } from "@server/private/lib/redis";
 // Create local cache with maxKeys limit to prevent memory leaks
 // With ~10k requests/day and 5min TTL, 10k keys should be more than sufficient
 export const localCache = new NodeCache({
    stdTTL: 3600,
    checkperiod: 120,
    maxKeys: 10000
 });
 // Log cache statistics periodically for monitoring
 setInterval(() => {
    const stats = localCache.getStats();
    logger.debug(
        `Local cache stats - Keys: ${stats.keys}, Hits: ${stats.hits}, Misses: ${stats.misses}, Hit rate: ${stats.hits > 0 ? ((stats.hits / (stats.hits + stats.misses)) * 100).toFixed(2) : 0}%`
    );
 }, 300000); // Every 5 minutes
 /**
 * Adaptive cache that uses Redis when available in multi-node environments,
 * otherwise falls back to local memory cache for single-node deployments.
 */
 class AdaptiveCache {
    private useRedis(): boolean {
        return redisManager.isRedisEnabled() && redisManager.getHealthStatus().isHealthy;
    }
    /**
     * Set a value in the cache
     * @param key - Cache key
     * @param value - Value to cache (will be JSON stringified for Redis)
     * @param ttl - Time to live in seconds (0 = no expiration)
     * @returns boolean indicating success
     */
    async set(key: string, value: any, ttl?: number): Promise<boolean> {
        const effectiveTtl = ttl === 0 ? undefined : ttl;
        if (this.useRedis()) {
            try {
                const serialized = JSON.stringify(value);
                const success = await redisManager.set(key, serialized, effectiveTtl);
                if (success) {
                    logger.debug(`Set key in Redis: ${key}`);
                    return true;
                }
                // Redis failed, fall through to local cache
                logger.debug(`Redis set failed for key ${key}, falling back to local cache`);
            } catch (error) {
                logger.error(`Redis set error for key ${key}:`, error);
                // Fall through to local cache
            }
        }
        // Use local cache as fallback or primary
        const success = localCache.set(key, value, effectiveTtl || 0);
        if (success) {
            logger.debug(`Set key in local cache: ${key}`);
        }
        return success;
    }
    /**
     * Get a value from the cache
     * @param key - Cache key
     * @returns The cached value or undefined if not found
     */
    async get<T = any>(key: string): Promise<T | undefined> {
        if (this.useRedis()) {
            try {
                const value = await redisManager.get(key);
                if (value !== null) {
                    logger.debug(`Cache hit in Redis: ${key}`);
                    return JSON.parse(value) as T;
                }
                logger.debug(`Cache miss in Redis: ${key}`);
                return undefined;
            } catch (error) {
                logger.error(`Redis get error for key ${key}:`, error);
                // Fall through to local cache
            }
        }
        // Use local cache as fallback or primary
        const value = localCache.get<T>(key);
        if (value !== undefined) {
            logger.debug(`Cache hit in local cache: ${key}`);
        } else {
            logger.debug(`Cache miss in local cache: ${key}`);
        }
        return value;
    }
    /**
     * Delete a value from the cache
     * @param key - Cache key or array of keys
     * @returns Number of deleted entries
     */
    async del(key: string | string[]): Promise<number> {
        const keys = Array.isArray(key) ? key : [key];
        let deletedCount = 0;
        if (this.useRedis()) {
            try {
                for (const k of keys) {
                    const success = await redisManager.del(k);
                    if (success) {
                        deletedCount++;
                        logger.debug(`Deleted key from Redis: ${k}`);
                    }
                }
                if (deletedCount === keys.length) {
                    return deletedCount;
                }
                // Some Redis deletes failed, fall through to local cache
                logger.debug(`Some Redis deletes failed, falling back to local cache`);
            } catch (error) {
                logger.error(`Redis del error for keys ${keys.join(", ")}:`, error);
                // Fall through to local cache
                deletedCount = 0;
            }
        }
        // Use local cache as fallback or primary
        for (const k of keys) {
            const success = localCache.del(k);
            if (success > 0) {
                deletedCount++;
                logger.debug(`Deleted key from local cache: ${k}`);
            }
        }
        return deletedCount;
    }
    /**
     * Check if a key exists in the cache
     * @param key - Cache key
     * @returns boolean indicating if key exists
     */
    async has(key: string): Promise<boolean> {
        if (this.useRedis()) {
            try {
                const value = await redisManager.get(key);
                return value !== null;
            } catch (error) {
                logger.error(`Redis has error for key ${key}:`, error);
                // Fall through to local cache
            }
        }
        // Use local cache as fallback or primary
        return localCache.has(key);
    }
    /**
     * Get multiple values from the cache
     * @param keys - Array of cache keys
     * @returns Array of values (undefined for missing keys)
     */
    async mget<T = any>(keys: string[]): Promise<(T | undefined)[]> {
        if (this.useRedis()) {
            try {
                const results: (T | undefined)[] = [];
                for (const key of keys) {
                    const value = await redisManager.get(key);
                    if (value !== null) {
                        results.push(JSON.parse(value) as T);
                    } else {
                        results.push(undefined);
                    }
                }
                return results;
            } catch (error) {
                logger.error(`Redis mget error:`, error);
                // Fall through to local cache
            }
        }
        // Use local cache as fallback or primary
        return keys.map((key) => localCache.get<T>(key));
    }
    /**
     * Flush all keys from the cache
     */
    async flushAll(): Promise<void> {
        if (this.useRedis()) {
            logger.warn("Adaptive cache flushAll called - Redis flush not implemented, only local cache will be flushed");
        }
        localCache.flushAll();
        logger.debug("Flushed local cache");
    }
    /**
     * Get cache statistics
     * Note: Only returns local cache stats, Redis stats are not included
     */
    getStats() {
        return localCache.getStats();
    }
    /**
     * Get the current cache backend being used
     * @returns "redis" if Redis is available and healthy, "local" otherwise
     */
    getCurrentBackend(): "redis" | "local" {
        return this.useRedis() ? "redis" : "local";
    }
    /**
     * Take a key from the cache and delete it
     * @param key - Cache key
     * @returns The value or undefined if not found
     */
    async take<T = any>(key: string): Promise<T | undefined> {
        const value = await this.get<T>(key);
        if (value !== undefined) {
            await this.del(key);
        }
        return value;
    }
    /**
     * Get TTL (time to live) for a key
     * @param key - Cache key
     * @returns TTL in seconds, 0 if no expiration, -1 if key doesn't exist
     */
    getTtl(key: string): number {
        // Note: This only works for local cache, Redis TTL is not supported
        if (this.useRedis()) {
            logger.warn(`getTtl called for key ${key} but Redis TTL lookup is not implemented`);
        }
        const ttl = localCache.getTtl(key);
        if (ttl === undefined) {
            return -1;
        }
        return Math.max(0, Math.floor((ttl - Date.now()) / 1000));
    }
    /**
     * Get all keys from the cache
     * Note: Only returns local cache keys, Redis keys are not included
     */
    keys(): string[] {
        if (this.useRedis()) {
            logger.warn("keys() called but Redis keys are not included, only local cache keys returned");
        }
        return localCache.keys();
    }
 }
 // Export singleton instance
 export const cache = new AdaptiveCache();
 export default cache;
--- a/server/private/lib/certificates.ts
+++ b/server/private/lib/certificates.ts
@@ -15,8 +15,9 @@ import config from "./config";
 import { certificates, db } from "@server/db";
 import { and, eq, isNotNull, or, inArray, sql } from "drizzle-orm";
 import { decryptData } from "@server/lib/encryption";
 import * as fs from "fs";
 import logger from "@server/logger";
-import cache from "#private/lib/cache";
+import cache from "@server/lib/cache";
 let encryptionKeyHex = "";
 let encryptionKey: Buffer;
@@ -54,7 +55,7 @@ export async function getValidCertificatesForDomains(
    if (useCache) {
        for (const domain of domains) {
            const cacheKey = `cert:${domain}`;
-            const cachedCert = await cache.get<CertificateResult>(cacheKey);
+            const cachedCert = cache.get<CertificateResult>(cacheKey);
            if (cachedCert) {
                finalResults.push(cachedCert); // Valid cache hit
            } else {
@@ -168,7 +169,7 @@ export async function getValidCertificatesForDomains(
            // Add to cache for future requests, using the *requested domain* as the key
            if (useCache) {
                const cacheKey = `cert:${domain}`;
-                await cache.set(cacheKey, resultCert, 180);
+                cache.set(cacheKey, resultCert, 180);
            }
        }
    }
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -11,17 +11,17 @@
 * This file is not licensed under the AGPLv3.
 */
-import { accessAuditLog, logsDb, db, orgs } from "@server/db";
+import { accessAuditLog, db, orgs } from "@server/db";
 import { getCountryCodeForIp } from "@server/lib/geoip";
 import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
-import cache from "#private/lib/cache";
+import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 import { stripPortFromHost } from "@server/lib/ip";
 async function getAccessDays(orgId: string): Promise<number> {
    // check cache first
-    const cached = await cache.get<number>(`org_${orgId}_accessDays`);
+    const cached = cache.get<number>(`org_${orgId}_accessDays`);
    if (cached !== undefined) {
        return cached;
    }
@@ -39,7 +39,7 @@ async function getAccessDays(orgId: string): Promise<number> {
    }
    // store the result in cache
-    await cache.set(
+    cache.set(
        `org_${orgId}_accessDays`,
        org.settingsLogRetentionDaysAction,
        300
@@ -52,7 +52,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
    try {
-        await logsDb
+        await db
            .delete(accessAuditLog)
            .where(
                and(
@@ -124,7 +124,7 @@ export async function logAccessAudit(data: {
            ? await getCountryCodeFromIp(data.requestIp)
            : undefined;
-        await logsDb.insert(accessAuditLog).values({
+        await db.insert(accessAuditLog).values({
            timestamp: timestamp,
            orgId: data.orgId,
            actorType,
@@ -146,14 +146,14 @@ export async function logAccessAudit(data: {
 async function getCountryCodeFromIp(ip: string): Promise<string | undefined> {
    const geoIpCacheKey = `geoip_access:${ip}`;
-    let cachedCountryCode: string | undefined = await cache.get(geoIpCacheKey);
+    let cachedCountryCode: string | undefined = cache.get(geoIpCacheKey);
    if (!cachedCountryCode) {
        cachedCountryCode = await getCountryCodeForIp(ip); // do it locally
        // Only cache successful lookups to avoid filling cache with undefined values
        if (cachedCountryCode) {
            // Cache for longer since IP geolocation doesn't change frequently
-            await cache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
+            cache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
        }
    }
--- a/server/private/lib/sshCA.ts
+++ b/server/private/lib/sshCA.ts
@@ -1,3 +1,16 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import * as crypto from "crypto";
 /**
--- a/server/private/middlewares/logActionAudit.ts
+++ b/server/private/middlewares/logActionAudit.ts
@@ -12,18 +12,18 @@
 */
 import { ActionsEnum } from "@server/auth/actions";
-import { actionAuditLog, logsDb, db, orgs } from "@server/db";
+import { actionAuditLog, db, orgs } from "@server/db";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
 import { Request, Response, NextFunction } from "express";
 import createHttpError from "http-errors";
 import { and, eq, lt } from "drizzle-orm";
-import cache from "#private/lib/cache";
+import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 async function getActionDays(orgId: string): Promise<number> {
    // check cache first
-    const cached = await cache.get<number>(`org_${orgId}_actionDays`);
+    const cached = cache.get<number>(`org_${orgId}_actionDays`);
    if (cached !== undefined) {
        return cached;
    }
@@ -41,7 +41,7 @@ async function getActionDays(orgId: string): Promise<number> {
    }
    // store the result in cache
-    await cache.set(
+    cache.set(
        `org_${orgId}_actionDays`,
        org.settingsLogRetentionDaysAction,
        300
@@ -54,7 +54,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
    try {
-        await logsDb
+        await db
            .delete(actionAuditLog)
            .where(
                and(
@@ -123,7 +123,7 @@ export function logActionAudit(action: ActionsEnum) {
                metadata = JSON.stringify(req.params);
            }
-            await logsDb.insert(actionAuditLog).values({
+            await db.insert(actionAuditLog).values({
                timestamp,
                orgId,
                actorType,
--- a/server/private/middlewares/verifyIdpAccess.ts
+++ b/server/private/middlewares/verifyIdpAccess.ts
@@ -13,9 +13,10 @@
 import { Request, Response, NextFunction } from "express";
 import { userOrgs, db, idp, idpOrg } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyIdpAccess(
    req: Request,
@@ -84,8 +85,10 @@ export async function verifyIdpAccess(
            );
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            idpRes.idpOrg.orgId
        );
        return next();
    } catch (error) {
--- a/server/private/middlewares/verifyRemoteExitNodeAccess.ts
+++ b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
@@ -12,11 +12,12 @@
 */
 import { Request, Response, NextFunction } from "express";
-import { db, exitNodeOrgs, exitNodes, remoteExitNodes } from "@server/db";
+import { db, exitNodeOrgs, remoteExitNodes } from "@server/db";
-import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
+import { userOrgs } from "@server/db";
-import { and, eq, or } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export async function verifyRemoteExitNodeAccess(
    req: Request,
@@ -103,8 +104,10 @@ export async function verifyRemoteExitNodeAccess(
            );
        }
-        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
-        req.userOrgRoleId = userOrgRoleId;
+            req.userOrg.userId,
            exitNodeOrg.orgId
        );
        return next();
    } catch (error) {
--- a/server/private/routers/auditLogs/queryAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/queryAccessAuditLog.ts
@@ -11,11 +11,11 @@
 * This file is not licensed under the AGPLv3.
 */
-import { accessAuditLog, logsDb, resources, db, primaryDb } from "@server/db";
+import { accessAuditLog, db, resources } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -115,13 +115,15 @@ function getWhere(data: Q) {
 }
 export function queryAccess(data: Q) {
-    return logsDb
+    return db
        .select({
            orgId: accessAuditLog.orgId,
            action: accessAuditLog.action,
            actorType: accessAuditLog.actorType,
            actorId: accessAuditLog.actorId,
            resourceId: accessAuditLog.resourceId,
            resourceName: resources.name,
            resourceNiceId: resources.niceId,
            ip: accessAuditLog.ip,
            location: accessAuditLog.location,
            userAgent: accessAuditLog.userAgent,
@@ -131,46 +133,16 @@ export function queryAccess(data: Q) {
            actor: accessAuditLog.actor
        })
        .from(accessAuditLog)
        .leftJoin(
            resources,
            eq(accessAuditLog.resourceId, resources.resourceId)
        )
        .where(getWhere(data))
        .orderBy(desc(accessAuditLog.timestamp), desc(accessAuditLog.id));
 }
 async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
    // If logs database is the same as main database, we can do a join
    // Otherwise, we need to fetch resource details separately
    const resourceIds = logs
        .map(log => log.resourceId)
        .filter((id): id is number => id !== null && id !== undefined);
    if (resourceIds.length === 0) {
        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
    }
    // Fetch resource details from main database
    const resourceDetails = await primaryDb
        .select({
            resourceId: resources.resourceId,
            name: resources.name,
            niceId: resources.niceId
        })
        .from(resources)
        .where(inArray(resources.resourceId, resourceIds));
    // Create a map for quick lookup
    const resourceMap = new Map(
        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
    );
    // Enrich logs with resource details
    return logs.map(log => ({
        ...log,
        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
    }));
 }
 export function countAccessQuery(data: Q) {
-    const countQuery = logsDb
+    const countQuery = db
        .select({ count: count() })
        .from(accessAuditLog)
        .where(getWhere(data));
@@ -189,7 +161,7 @@ async function queryUniqueFilterAttributes(
    );
    // Get unique actors
-    const uniqueActors = await logsDb
+    const uniqueActors = await db
        .selectDistinct({
            actor: accessAuditLog.actor
        })
@@ -197,7 +169,7 @@ async function queryUniqueFilterAttributes(
        .where(baseConditions);
    // Get unique locations
-    const uniqueLocations = await logsDb
+    const uniqueLocations = await db
        .selectDistinct({
            locations: accessAuditLog.location
        })
@@ -205,40 +177,25 @@ async function queryUniqueFilterAttributes(
        .where(baseConditions);
    // Get unique resources with names
-    const uniqueResources = await logsDb
+    const uniqueResources = await db
        .selectDistinct({
-            id: accessAuditLog.resourceId
+            id: accessAuditLog.resourceId,
            name: resources.name
        })
        .from(accessAuditLog)
        .leftJoin(
            resources,
            eq(accessAuditLog.resourceId, resources.resourceId)
        )
        .where(baseConditions);
    // Fetch resource names from main database for the unique resource IDs
    const resourceIds = uniqueResources
        .map(row => row.id)
        .filter((id): id is number => id !== null);
    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
    if (resourceIds.length > 0) {
        const resourceDetails = await primaryDb
            .select({
                resourceId: resources.resourceId,
                name: resources.name
            })
            .from(resources)
            .where(inArray(resources.resourceId, resourceIds));
        resourcesWithNames = resourceDetails.map(r => ({
            id: r.resourceId,
            name: r.name
        }));
    }
    return {
        actors: uniqueActors
            .map((row) => row.actor)
            .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: uniqueResources.filter(
            (row): row is { id: number; name: string | null } => row.id !== null
        ),
        locations: uniqueLocations
            .map((row) => row.locations)
            .filter((location): location is string => location !== null)
@@ -286,10 +243,7 @@ export async function queryAccessAuditLogs(
        const baseQuery = queryAccess(data);
-        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
+        const log = await baseQuery.limit(data.limit).offset(data.offset);
        // Enrich with resource details (handles cross-database scenario)
        const log = await enrichWithResourceDetails(logsRaw);
        const totalCountResult = await countAccessQuery(data);
        const totalCount = totalCountResult[0].count;
--- a/server/private/routers/auditLogs/queryActionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryActionAuditLog.ts
@@ -11,7 +11,7 @@
 * This file is not licensed under the AGPLv3.
 */
-import { actionAuditLog, logsDb } from "@server/db";
+import { actionAuditLog, db } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -97,7 +97,7 @@ function getWhere(data: Q) {
 }
 export function queryAction(data: Q) {
-    return logsDb
+    return db
        .select({
            orgId: actionAuditLog.orgId,
            action: actionAuditLog.action,
@@ -113,7 +113,7 @@ export function queryAction(data: Q) {
 }
 export function countActionQuery(data: Q) {
-    const countQuery = logsDb
+    const countQuery = db
        .select({ count: count() })
        .from(actionAuditLog)
        .where(getWhere(data));
@@ -132,14 +132,14 @@ async function queryUniqueFilterAttributes(
    );
    // Get unique actors
-    const uniqueActors = await logsDb
+    const uniqueActors = await db
        .selectDistinct({
            actor: actionAuditLog.actor
        })
        .from(actionAuditLog)
        .where(baseConditions);
-    const uniqueActions = await logsDb
+    const uniqueActions = await db
        .selectDistinct({
            action: actionAuditLog.action
        })
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -480,9 +480,9 @@ authenticated.get(
 authenticated.post(
    "/re-key/:clientId/regenerate-client-secret",
    verifyClientAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.rotateCredentials),
    verifyClientAccess, // this is first to set the org id
    verifyLimits,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateClientSecret
@@ -490,9 +490,9 @@ authenticated.post(
 authenticated.post(
    "/re-key/:siteId/regenerate-site-secret",
    verifySiteAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.rotateCredentials),
    verifySiteAccess, // this is first to set the org id
    verifyLimits,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateSiteSecret
--- a/server/private/routers/org/sendUsageNotifications.ts
+++ b/server/private/routers/org/sendUsageNotifications.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userOrgs, users, roles, orgs } from "@server/db";
+import { userOrgs, userOrgRoles, users, roles, orgs } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -95,7 +95,14 @@ async function getOrgAdmins(orgId: string) {
        })
        .from(userOrgs)
        .innerJoin(users, eq(userOrgs.userId, users.userId))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
+        .leftJoin(
            userOrgRoles,
            and(
                eq(userOrgs.userId, userOrgRoles.userId),
                eq(userOrgs.orgId, userOrgRoles.orgId)
            )
        )
        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
        .where(
            and(
                eq(userOrgs.orgId, orgId),
@@ -103,8 +110,11 @@ async function getOrgAdmins(orgId: string) {
            )
        );
-    // Filter to only include users with verified emails
+    // Dedupe by userId (user may have multiple roles)
-    const orgAdmins = admins.filter(
+    const byUserId = new Map(
        admins.map((a) => [a.userId, a])
    );
    const orgAdmins = Array.from(byUserId.values()).filter(
        (admin) => admin.email && admin.email.length > 0
    );
--- a/server/private/routers/remoteExitNode/createRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
@@ -79,7 +79,7 @@ export async function createRemoteExitNode(
        const { remoteExitNodeId, secret } = parsedBody.data;
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -30,9 +30,9 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq, or, and } from "drizzle-orm";
+import { and, eq, inArray, or } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
-import { signPublicKey, getOrgCAKeys } from "@server/lib/sshCA";
+import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
 import config from "@server/lib/config";
 import { sendToClient } from "#private/routers/ws";
@@ -122,7 +122,7 @@ export async function signSshKey(
            resource: resourceQueryString
        } = parsedBody.data;
        const userId = req.user?.userId;
-        const roleId = req.userOrgRoleId!;
+        const roleIds = req.userOrgRoleIds ?? [];
        if (!userId) {
            return next(
@@ -130,6 +130,15 @@ export async function signSshKey(
            );
        }
        if (roleIds.length === 0) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User has no role in organization"
                )
            );
        }
        const [userOrg] = await db
            .select()
            .from(userOrgs)
@@ -176,7 +185,7 @@ export async function signSshKey(
            } else if (req.user?.username) {
                usernameToUse = req.user.username;
                // We need to clean out any spaces or special characters from the username to ensure it's valid for SSH certificates
-                usernameToUse = usernameToUse.replace(/[^a-zA-Z0-9_-]/g, "-");
+                usernameToUse = usernameToUse.replace(/[^a-zA-Z0-9_-]/g, "");
                if (!usernameToUse) {
                    return next(
                        createHttpError(
@@ -194,9 +203,6 @@ export async function signSshKey(
                );
            }
            // prefix with p-
            usernameToUse = `p-${usernameToUse}`;
            // check if we have a existing user in this org with the same
            const [existingUserWithSameName] = await db
                .select()
@@ -242,16 +248,6 @@ export async function signSshKey(
                    );
                }
            }
            await db
                .update(userOrgs)
                .set({ pamUsername: usernameToUse })
                .where(
                    and(
                        eq(userOrgs.orgId, orgId),
                        eq(userOrgs.userId, userId)
                    )
                );
        } else {
            usernameToUse = userOrg.pamUsername;
        }
@@ -323,20 +319,11 @@ export async function signSshKey(
            );
        }
-        if (resource.mode == "cidr") {
+        // Check if the user has access to the resource (any of their roles)
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "SSHing is not supported for CIDR resources"
                )
            );
        }
        // Check if the user has access to the resource
        const hasAccess = await canUserAccessSiteResource({
            userId: userId,
            resourceId: resource.siteResourceId,
-            roleId: roleId
+            roleIds
        });
        if (!hasAccess) {
@@ -348,28 +335,39 @@ export async function signSshKey(
            );
        }
-        const [roleRow] = await db
+        const roleRows = await db
            .select()
            .from(roles)
-            .where(eq(roles.roleId, roleId))
+            .where(inArray(roles.roleId, roleIds));
            .limit(1);
-        let parsedSudoCommands: string[] = [];
+        const parsedSudoCommands: string[] = [];
-        let parsedGroups: string[] = [];
+        const parsedGroupsSet = new Set<string>();
-        try {
+        let homedir: boolean | null = null;
-            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
-            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
+        let sudoMode: "none" | "commands" | "all" = "none";
-        } catch {
+        for (const roleRow of roleRows) {
-            parsedSudoCommands = [];
+            try {
                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
            } catch {
                // skip
            }
            try {
                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
            } catch {
                // skip
            }
            if (roleRow?.sshCreateHomeDir === true) homedir = true;
            const m = roleRow?.sshSudoMode ?? "none";
            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
                sudoMode = m as "none" | "commands" | "all";
            }
        }
-        try {
+        const parsedGroups = Array.from(parsedGroupsSet);
-            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+        if (homedir === null && roleRows.length > 0) {
-            if (!Array.isArray(parsedGroups)) parsedGroups = [];
+            homedir = roleRows[0].sshCreateHomeDir ?? null;
        } catch {
            parsedGroups = [];
        }
        const homedir = roleRow?.sshCreateHomeDir ?? null;
        const sudoMode = roleRow?.sshSudoMode ?? "none";
        // get the site
        const [newt] = await db
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@@ -208,7 +208,7 @@ export async function listAccessTokens(
                .where(
                    or(
                        eq(userResources.userId, req.user!.userId),
-                        eq(roleResources.roleId, req.userOrgRoleId!)
+                        inArray(roleResources.roleId, req.userOrgRoleIds!)
                    )
                );
        } else {
--- a/server/routers/auditLogs/queryRequestAnalytics.ts
+++ b/server/routers/auditLogs/queryRequestAnalytics.ts
@@ -1,4 +1,4 @@
-import { logsDb, requestAuditLog, driver, primaryLogsDb } from "@server/db";
+import { db, requestAuditLog, driver, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -74,12 +74,12 @@ async function query(query: Q) {
        );
    }
-    const [all] = await primaryLogsDb
+    const [all] = await primaryDb
        .select({ total: count() })
        .from(requestAuditLog)
        .where(baseConditions);
-    const [blocked] = await primaryLogsDb
+    const [blocked] = await primaryDb
        .select({ total: count() })
        .from(requestAuditLog)
        .where(and(baseConditions, eq(requestAuditLog.action, false)));
@@ -90,7 +90,7 @@ async function query(query: Q) {
    const DISTINCT_LIMIT = 500;
-    const requestsPerCountry = await primaryLogsDb
+    const requestsPerCountry = await primaryDb
        .selectDistinct({
            code: requestAuditLog.location,
            count: totalQ
@@ -118,7 +118,7 @@ async function query(query: Q) {
    const booleanTrue = driver === "pg" ? sql`true` : sql`1`;
    const booleanFalse = driver === "pg" ? sql`false` : sql`0`;
-    const requestsPerDay = await primaryLogsDb
+    const requestsPerDay = await primaryDb
        .select({
            day: groupByDayFunction.as("day"),
            allowedCount:
--- a/server/routers/auditLogs/queryRequestAuditLog.ts
+++ b/server/routers/auditLogs/queryRequestAuditLog.ts
@@ -1,8 +1,8 @@
-import { logsDb, primaryLogsDb, requestAuditLog, resources, db, primaryDb } from "@server/db";
+import { db, primaryDb, requestAuditLog, resources } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -107,7 +107,7 @@ function getWhere(data: Q) {
 }
 export function queryRequest(data: Q) {
-    return primaryLogsDb
+    return primaryDb
        .select({
            id: requestAuditLog.id,
            timestamp: requestAuditLog.timestamp,
@@ -129,49 +129,21 @@ export function queryRequest(data: Q) {
            host: requestAuditLog.host,
            path: requestAuditLog.path,
            method: requestAuditLog.method,
-            tls: requestAuditLog.tls
+            tls: requestAuditLog.tls,
            resourceName: resources.name,
            resourceNiceId: resources.niceId
        })
        .from(requestAuditLog)
        .leftJoin(
            resources,
            eq(requestAuditLog.resourceId, resources.resourceId)
        ) // TODO: Is this efficient?
        .where(getWhere(data))
        .orderBy(desc(requestAuditLog.timestamp));
 }
 async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRequest>>) {
    // If logs database is the same as main database, we can do a join
    // Otherwise, we need to fetch resource details separately
    const resourceIds = logs
        .map(log => log.resourceId)
        .filter((id): id is number => id !== null && id !== undefined);
    if (resourceIds.length === 0) {
        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
    }
    // Fetch resource details from main database
    const resourceDetails = await primaryDb
        .select({
            resourceId: resources.resourceId,
            name: resources.name,
            niceId: resources.niceId
        })
        .from(resources)
        .where(inArray(resources.resourceId, resourceIds));
    // Create a map for quick lookup
    const resourceMap = new Map(
        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
    );
    // Enrich logs with resource details
    return logs.map(log => ({
        ...log,
        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
    }));
 }
 export function countRequestQuery(data: Q) {
-    const countQuery = primaryLogsDb
+    const countQuery = primaryDb
        .select({ count: count() })
        .from(requestAuditLog)
        .where(getWhere(data));
@@ -213,31 +185,36 @@ async function queryUniqueFilterAttributes(
        uniquePaths,
        uniqueResources
    ] = await Promise.all([
-        primaryLogsDb
+        primaryDb
            .selectDistinct({ actor: requestAuditLog.actor })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
            .selectDistinct({ locations: requestAuditLog.location })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
            .selectDistinct({ hosts: requestAuditLog.host })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
            .selectDistinct({ paths: requestAuditLog.path })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        primaryDb
            .selectDistinct({
-                id: requestAuditLog.resourceId
+                id: requestAuditLog.resourceId,
                name: resources.name
            })
            .from(requestAuditLog)
            .leftJoin(
                resources,
                eq(requestAuditLog.resourceId, resources.resourceId)
            )
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1)
    ]);
@@ -254,33 +231,13 @@ async function queryUniqueFilterAttributes(
    //     throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
    // }
    // Fetch resource names from main database for the unique resource IDs
    const resourceIds = uniqueResources
        .map(row => row.id)
        .filter((id): id is number => id !== null);
    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
    if (resourceIds.length > 0) {
        const resourceDetails = await primaryDb
            .select({
                resourceId: resources.resourceId,
                name: resources.name
            })
            .from(resources)
            .where(inArray(resources.resourceId, resourceIds));
        resourcesWithNames = resourceDetails.map(r => ({
            id: r.resourceId,
            name: r.name
        }));
    }
    return {
        actors: uniqueActors
            .map((row) => row.actor)
            .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: uniqueResources.filter(
            (row): row is { id: number; name: string | null } => row.id !== null
        ),
        locations: uniqueLocations
            .map((row) => row.locations)
            .filter((location): location is string => location !== null),
@@ -323,10 +280,7 @@ export async function queryRequestAuditLogs(
        const baseQuery = queryRequest(data);
-        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
+        const log = await baseQuery.limit(data.limit).offset(data.offset);
        // Enrich with resource details (handles cross-database scenario)
        const log = await enrichWithResourceDetails(logsRaw);
        const totalCountResult = await countRequestQuery(data);
        const totalCount = totalCountResult[0].count;
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -1,7 +1,7 @@
-import { logsDb, primaryLogsDb, db, orgs, requestAuditLog } from "@server/db";
+import { db, orgs, requestAuditLog } from "@server/db";
 import logger from "@server/logger";
 import { and, eq, lt, sql } from "drizzle-orm";
-import cache from "#dynamic/lib/cache";
+import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 import { stripPortFromHost } from "@server/lib/ip";
@@ -69,7 +69,7 @@ async function flushAuditLogs() {
    try {
        // Use a transaction to ensure all inserts succeed or fail together
        // This prevents index corruption from partial writes
-        await logsDb.transaction(async (tx) => {
+        await db.transaction(async (tx) => {
            // Batch insert logs in groups of 25 to avoid overwhelming the database
            const BATCH_DB_SIZE = 25;
            for (let i = 0; i < logsToWrite.length; i += BATCH_DB_SIZE) {
@@ -130,7 +130,7 @@ export async function shutdownAuditLogger() {
 async function getRetentionDays(orgId: string): Promise<number> {
    // check cache first
-    const cached = await cache.get<number>(`org_${orgId}_retentionDays`);
+    const cached = cache.get<number>(`org_${orgId}_retentionDays`);
    if (cached !== undefined) {
        return cached;
    }
@@ -149,7 +149,7 @@ async function getRetentionDays(orgId: string): Promise<number> {
    }
    // store the result in cache
-    await cache.set(
+    cache.set(
        `org_${orgId}_retentionDays`,
        org.settingsLogRetentionDaysRequest,
        300
@@ -162,7 +162,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);
    try {
-        await logsDb
+        await db
            .delete(requestAuditLog)
            .where(
                and(
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -3,12 +3,13 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
    getResourceByDomain,
    getResourceRules,
    getRoleName,
    getRoleResourceAccess,
    getUserOrgRole,
    getUserResourceAccess,
    getOrgLoginPage,
    getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 import {
    LoginPage,
    Org,
@@ -37,7 +38,7 @@ import {
    enforceResourceSessionLength
 } from "#dynamic/lib/checkOrgAccessPolicy";
 import { logRequestAudit } from "./logRequestAudit";
-import { localCache } from "#dynamic/lib/cache";
+import cache from "@server/lib/cache";
 import { APP_VERSION } from "@server/lib/consts";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
@@ -137,7 +138,7 @@ export async function verifyResourceSession(
                  headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
                  org: Org;
              }
-            | undefined = localCache.get(resourceCacheKey);
+            | undefined = cache.get(resourceCacheKey);
        if (!resourceData) {
            const result = await getResourceByDomain(cleanHost);
@@ -161,7 +162,7 @@ export async function verifyResourceSession(
            }
            resourceData = result;
-            localCache.set(resourceCacheKey, resourceData, 5);
+            cache.set(resourceCacheKey, resourceData, 5);
        }
        const {
@@ -405,7 +406,7 @@ export async function verifyResourceSession(
        // check for HTTP Basic Auth header
        const clientHeaderAuthKey = `headerAuth:${clientHeaderAuth}`;
        if (headerAuth && clientHeaderAuth) {
-            if (localCache.get(clientHeaderAuthKey)) {
+            if (cache.get(clientHeaderAuthKey)) {
                logger.debug(
                    "Resource allowed because header auth is valid (cached)"
                );
@@ -428,7 +429,7 @@ export async function verifyResourceSession(
                    headerAuth.headerAuthHash
                )
            ) {
-                localCache.set(clientHeaderAuthKey, clientHeaderAuth, 5);
+                cache.set(clientHeaderAuthKey, clientHeaderAuth, 5);
                logger.debug("Resource allowed because header auth is valid");
                logRequestAudit(
@@ -520,7 +521,7 @@ export async function verifyResourceSession(
        if (resourceSessionToken) {
            const sessionCacheKey = `session:${resourceSessionToken}`;
-            let resourceSession: any = localCache.get(sessionCacheKey);
+            let resourceSession: any = cache.get(sessionCacheKey);
            if (!resourceSession) {
                const result = await validateResourceSessionToken(
@@ -529,7 +530,7 @@ export async function verifyResourceSession(
                );
                resourceSession = result?.resourceSession;
-                localCache.set(sessionCacheKey, resourceSession, 5);
+                cache.set(sessionCacheKey, resourceSession, 5);
            }
            if (resourceSession?.isRequestToken) {
@@ -662,7 +663,7 @@ export async function verifyResourceSession(
                    }:${resource.resourceId}`;
                    let allowedUserData: BasicUserData | null | undefined =
-                        localCache.get(userAccessCacheKey);
+                        cache.get(userAccessCacheKey);
                    if (allowedUserData === undefined) {
                        allowedUserData = await isUserAllowedToAccessResource(
@@ -671,7 +672,7 @@ export async function verifyResourceSession(
                            resourceData.org
                        );
-                        localCache.set(userAccessCacheKey, allowedUserData, 5);
+                        cache.set(userAccessCacheKey, allowedUserData, 5);
                    }
                    if (
@@ -916,9 +917,9 @@ async function isUserAllowedToAccessResource(
        return null;
    }
-    const userOrgRole = await getUserOrgRole(user.userId, resource.orgId);
+    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
-    if (!userOrgRole) {
+    if (!userOrgRoleIds.length) {
        return null;
    }
@@ -934,17 +935,23 @@ async function isUserAllowedToAccessResource(
        return null;
    }
-    const roleResourceAccess = await getRoleResourceAccess(
+    const roleNames: string[] = [];
-        resource.resourceId,
+    for (const roleId of userOrgRoleIds) {
-        userOrgRole.roleId
+        const roleResourceAccess = await getRoleResourceAccess(
-    );
+            resource.resourceId,
-
+            roleId
-    if (roleResourceAccess) {
+        );
        if (roleResourceAccess) {
            const roleName = await getRoleName(roleId);
            if (roleName) roleNames.push(roleName);
        }
    }
    if (roleNames.length > 0) {
        return {
            username: user.username,
            email: user.email,
            name: user.name,
-            role: userOrgRole.roleName
+            role: roleNames.join(", ")
        };
    }
@@ -954,11 +961,15 @@ async function isUserAllowedToAccessResource(
    );
    if (userResourceAccess) {
        const names = await Promise.all(
            userOrgRoleIds.map((id) => getRoleName(id))
        );
        const role = names.filter(Boolean).join(", ") || "";
        return {
            username: user.username,
            email: user.email,
            name: user.name,
-            role: userOrgRole.roleName
+            role
        };
    }
@@ -974,11 +985,11 @@ async function checkRules(
 ): Promise<"ACCEPT" | "DROP" | "PASS" | undefined> {
    const ruleCacheKey = `rules:${resourceId}`;
-    let rules: ResourceRule[] | undefined = localCache.get(ruleCacheKey);
+    let rules: ResourceRule[] | undefined = cache.get(ruleCacheKey);
    if (!rules) {
        rules = await getResourceRules(resourceId);
-        localCache.set(ruleCacheKey, rules, 5);
+        cache.set(ruleCacheKey, rules, 5);
    }
    if (rules.length === 0) {
@@ -1208,13 +1219,13 @@ async function isIpInAsn(
 async function getAsnFromIp(ip: string): Promise<number | undefined> {
    const asnCacheKey = `asn:${ip}`;
-    let cachedAsn: number | undefined = localCache.get(asnCacheKey);
+    let cachedAsn: number | undefined = cache.get(asnCacheKey);
    if (!cachedAsn) {
        cachedAsn = await getAsnForIp(ip); // do it locally
        // Cache for longer since IP ASN doesn't change frequently
        if (cachedAsn) {
-            localCache.set(asnCacheKey, cachedAsn, 300); // 5 minutes
+            cache.set(asnCacheKey, cachedAsn, 300); // 5 minutes
        }
    }
@@ -1224,14 +1235,14 @@ async function getAsnFromIp(ip: string): Promise<number | undefined> {
 async function getCountryCodeFromIp(ip: string): Promise<string | undefined> {
    const geoIpCacheKey = `geoip:${ip}`;
-    let cachedCountryCode: string | undefined = localCache.get(geoIpCacheKey);
+    let cachedCountryCode: string | undefined = cache.get(geoIpCacheKey);
    if (!cachedCountryCode) {
        cachedCountryCode = await getCountryCodeForIp(ip); // do it locally
        // Only cache successful lookups to avoid filling cache with undefined values
        if (cachedCountryCode) {
            // Cache for longer since IP geolocation doesn't change frequently
-            localCache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
+            cache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
        }
    }
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -92,7 +92,7 @@ export async function createClient(
        const { orgId } = parsedParams.data;
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
@@ -234,7 +234,7 @@ export async function createClient(
                clientId: newClient.clientId
            });
-            if (req.user && req.userOrgRoleId != adminRole.roleId) {
+            if (req.user && !req.userOrgRoleIds?.includes(adminRole.roleId)) {
                // make sure the user can access the client
                trx.insert(userClients).values({
                    userId: req.user.userId,
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -119,12 +119,12 @@ const listClientsSchema = z.object({
        }),
    query: z.string().optional(),
    sort_by: z
-        .enum(["name", "megabytesIn", "megabytesOut"])
+        .enum(["megabytesIn", "megabytesOut"])
        .optional()
        .catch(undefined)
        .openapi({
            type: "string",
-            enum: ["name", "megabytesIn", "megabytesOut"],
+            enum: ["megabytesIn", "megabytesOut"],
            description: "Field to sort by"
        }),
    order: z
@@ -297,7 +297,7 @@ export async function listClients(
                .where(
                    or(
                        eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                    )
                );
        } else {
@@ -363,14 +363,14 @@ export async function listClients(
        const countQuery = db.$count(baseQuery.as("filtered_clients"));
        const listMachinesQuery = baseQuery
-            .limit(pageSize)
+            .limit(page)
            .offset(pageSize * (page - 1))
            .orderBy(
                sort_by
                    ? order === "asc"
                        ? asc(clients[sort_by])
                        : desc(clients[sort_by])
-                    : asc(clients.name)
+                    : asc(clients.clientId)
            );
        const [clientsList, totalCount] = await Promise.all([
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -316,7 +316,7 @@ export async function listUserDevices(
                .where(
                    or(
                        eq(userClients.userId, req.user!.userId),
-                        eq(roleClients.roleId, req.userOrgRoleId!)
+                        inArray(roleClients.roleId, req.userOrgRoleIds!)
                    )
                );
        } else {
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -654,6 +654,16 @@ authenticated.post(
    user.addUserRole
 );
 authenticated.delete(
    "/role/:roleId/remove/:userId",
    verifyRoleAccess,
    verifyUserAccess,
    verifyLimits,
    verifyUserHasAction(ActionsEnum.removeUserRole),
    logActionAudit(ActionsEnum.removeUserRole),
    user.removeUserRole
 );
 authenticated.post(
    "/resource/:resourceId/roles",
    verifyResourceAccess,
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -13,6 +13,7 @@ import {
    orgs,
    Role,
    roles,
    userOrgRoles,
    userOrgs,
    users
 } from "@server/db";
@@ -570,32 +571,28 @@ export async function validateOidcCallback(
                    }
                }
-                // Update roles for existing auto-provisioned orgs where the role has changed
+                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
-                const orgsToUpdate = autoProvisionedOrgs.filter(
+                const userRolesInOrgs = await trx
-                    (currentOrg) => {
+                    .select()
-                        const newOrg = userOrgInfo.find(
+                    .from(userOrgRoles)
-                            (newOrg) => newOrg.orgId === currentOrg.orgId
+                    .where(eq(userOrgRoles.userId, userId!));
-                        );
+                for (const currentOrg of autoProvisionedOrgs) {
-                        return newOrg && newOrg.roleId !== currentOrg.roleId;
+                    const newRole = userOrgInfo.find(
-                    }
+                        (newOrg) => newOrg.orgId === currentOrg.orgId
-                );
+                    );
-
+                    if (!newRole) continue;
-                if (orgsToUpdate.length > 0) {
+                    const currentRolesInOrg = userRolesInOrgs.filter(
-                    for (const org of orgsToUpdate) {
+                        (r) => r.orgId === currentOrg.orgId
-                        const newRole = userOrgInfo.find(
+                    );
-                            (newOrg) => newOrg.orgId === org.orgId
+                    const hasIdpRole = currentRolesInOrg.some(
-                        );
+                        (r) => r.roleId === newRole.roleId
-                        if (newRole) {
+                    );
-                            await trx
+                    if (!hasIdpRole) {
-                                .update(userOrgs)
+                        await trx.insert(userOrgRoles).values({
-                                .set({ roleId: newRole.roleId })
+                            userId: userId!,
-                                .where(
+                            orgId: currentOrg.orgId,
-                                    and(
+                            roleId: newRole.roleId
-                                        eq(userOrgs.userId, userId!),
+                        });
                                        eq(userOrgs.orgId, org.orgId)
                                    )
                                );
                        }
                    }
                }
@@ -619,9 +616,9 @@ export async function validateOidcCallback(
                                {
                                    orgId: org.orgId,
                                    userId: userId!,
                                    roleId: org.roleId,
                                    autoProvisioned: true,
                                },
                                org.roleId,
                                trx
                            );
                        }
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -532,6 +532,16 @@ authenticated.post(
    user.addUserRole
 );
 authenticated.delete(
    "/role/:roleId/remove/:userId",
    verifyApiKeyRoleAccess,
    verifyApiKeyUserAccess,
    verifyLimits,
    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
    logActionAudit(ActionsEnum.removeUserRole),
    user.removeUserRole
 );
 authenticated.post(
    "/resource/:resourceId/roles",
    verifyApiKeyResourceAccess,
@@ -689,13 +699,6 @@ authenticated.get(
    user.getOrgUser
 );
 authenticated.get(
    "/org/:orgId/user-by-username",
    verifyApiKeyOrgAccess,
    verifyApiKeyHasAction(ActionsEnum.getOrgUser),
    user.getOrgUserByUsername
 );
 authenticated.post(
    "/user/:userId/2fa",
    verifyApiKeyIsRoot,
--- a/server/routers/newt/createNewt.ts
+++ b/server/routers/newt/createNewt.ts
@@ -46,7 +46,7 @@ export async function createNewt(
        const { newtId, secret } = parsedBody.data;
-        if (req.user && !req.userOrgRoleId) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
--- a/Show More
+++ b/Show More