If not exists on trial table

Merge branch 'dev' of github.com:fosrl/pangolin into dev
Remove explicit call
2026-05-07 08:49:53 +00:00 · 2026-05-06 20:00:23 -07:00 · 2026-05-06 16:58:39 -07:00 · 2026-05-06 16:58:28 -07:00 · 2026-05-06 16:21:45 -07:00 · 2026-05-06 16:17:46 -07:00
144 changed files with 6302 additions and 3127 deletions
--- a/cli/commands/clearCertificates.ts
+++ b/cli/commands/clearCertificates.ts
@@ -0,0 +1,28 @@
+import { CommandModule } from "yargs";
+import { db, certificates } from "@server/db";
+
+type ClearCertificatesArgs = {};
+
+export const clearCertificates: CommandModule<{}, ClearCertificatesArgs> = {
+    command: "clear-certificates",
+    describe: "Delete all entries from the certificates table",
+    builder: (yargs) => {
+        return yargs;
+    },
+    handler: async (argv: {}) => {
+        try {
+            console.log("Clearing all certificates from the database...");
+
+            const deleted = await db.delete(certificates).returning();
+
+            console.log(
+                `Deleted ${deleted.length} certificate(s) from the database`
+            );
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/commands/rotateServerSecret.ts
+++ b/cli/commands/rotateServerSecret.ts
@@ -1,5 +1,5 @@
 import { CommandModule } from "yargs";
-import { db, idpOidcConfig, licenseKey } from "@server/db";
+import { db, idpOidcConfig, licenseKey, certificates, eventStreamingDestinations, alertWebhookActions } from "@server/db";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
 import { eq } from "drizzle-orm";
@@ -129,9 +129,15 @@ export const rotateServerSecret: CommandModule<
            console.log("\nReading encrypted data from database...");
            const idpConfigs = await db.select().from(idpOidcConfig);
            const licenseKeys = await db.select().from(licenseKey);
+            const certs = await db.select().from(certificates);
+            const streamingDestinations = await db.select().from(eventStreamingDestinations);
+            const webhookActions = await db.select().from(alertWebhookActions);

            console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
            console.log(`Found ${licenseKeys.length} license key(s)`);
+            console.log(`Found ${certs.length} certificate(s)`);
+            console.log(`Found ${streamingDestinations.length} event streaming destination(s)`);
+            console.log(`Found ${webhookActions.length} alert webhook action(s)`);

            // Prepare all decrypted and re-encrypted values
            console.log("\nDecrypting and re-encrypting values...");
@@ -149,8 +155,27 @@ export const rotateServerSecret: CommandModule<
                encryptedInstanceId: string;
            };

+            type CertUpdate = {
+                certId: number;
+                encryptedCertFile: string | null;
+                encryptedKeyFile: string | null;
+            };
+
+            type StreamingDestinationUpdate = {
+                destinationId: number;
+                encryptedConfig: string;
+            };
+
+            type WebhookActionUpdate = {
+                webhookActionId: number;
+                encryptedConfig: string;
+            };
+
            const idpUpdates: IdpUpdate[] = [];
            const licenseKeyUpdates: LicenseKeyUpdate[] = [];
+            const certUpdates: CertUpdate[] = [];
+            const streamingDestinationUpdates: StreamingDestinationUpdate[] = [];
+            const webhookActionUpdates: WebhookActionUpdate[] = [];

            // Process idpOidcConfig entries
            for (const idpConfig of idpConfigs) {
@@ -217,6 +242,70 @@ export const rotateServerSecret: CommandModule<
                }
            }

+            // Process certificate entries
+            for (const cert of certs) {
+                try {
+                    const encryptedCertFile = cert.certFile
+                        ? encrypt(decrypt(cert.certFile, oldSecret), newSecret)
+                        : null;
+                    const encryptedKeyFile = cert.keyFile
+                        ? encrypt(decrypt(cert.keyFile, oldSecret), newSecret)
+                        : null;
+
+                    certUpdates.push({
+                        certId: cert.certId,
+                        encryptedCertFile,
+                        encryptedKeyFile
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing certificate ${cert.certId} (${cert.domain}):`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
+            // Process eventStreamingDestinations entries
+            for (const dest of streamingDestinations) {
+                try {
+                    const decryptedConfig = decrypt(dest.config, oldSecret);
+                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
+
+                    streamingDestinationUpdates.push({
+                        destinationId: dest.destinationId,
+                        encryptedConfig
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing event streaming destination ${dest.destinationId}:`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
+            // Process alertWebhookActions entries
+            for (const webhook of webhookActions) {
+                try {
+                    if (webhook.config == null) continue;
+
+                    const decryptedConfig = decrypt(webhook.config, oldSecret);
+                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
+
+                    webhookActionUpdates.push({
+                        webhookActionId: webhook.webhookActionId,
+                        encryptedConfig
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing alert webhook action ${webhook.webhookActionId}:`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
            // Perform all database updates in a single transaction
            console.log("\nUpdating database in transaction...");
            await db.transaction(async (trx) => {
@@ -250,10 +339,50 @@ export const rotateServerSecret: CommandModule<
                        instanceId: update.encryptedInstanceId
                    });
                }
+
+                // Update certificate entries
+                for (const update of certUpdates) {
+                    await trx
+                        .update(certificates)
+                        .set({
+                            certFile: update.encryptedCertFile,
+                            keyFile: update.encryptedKeyFile
+                        })
+                        .where(eq(certificates.certId, update.certId));
+                }
+
+                // Update event streaming destination entries
+                for (const update of streamingDestinationUpdates) {
+                    await trx
+                        .update(eventStreamingDestinations)
+                        .set({ config: update.encryptedConfig })
+                        .where(
+                            eq(
+                                eventStreamingDestinations.destinationId,
+                                update.destinationId
+                            )
+                        );
+                }
+
+                // Update alert webhook action entries
+                for (const update of webhookActionUpdates) {
+                    await trx
+                        .update(alertWebhookActions)
+                        .set({ config: update.encryptedConfig })
+                        .where(
+                            eq(
+                                alertWebhookActions.webhookActionId,
+                                update.webhookActionId
+                            )
+                        );
+                }
            });

            console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
            console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
+            console.log(`Rotated ${certUpdates.length} certificate(s)`);
+            console.log(`Rotated ${streamingDestinationUpdates.length} event streaming destination(s)`);
+            console.log(`Rotated ${webhookActionUpdates.length} alert webhook action(s)`);

            // Update config file with new secret
            console.log("\nUpdating config file...");
@@ -270,6 +399,9 @@ export const rotateServerSecret: CommandModule<
            console.log(`\nSummary:`);
            console.log(`  - OIDC IdP configurations: ${idpUpdates.length}`);
            console.log(`  - License keys: ${licenseKeyUpdates.length}`);
+            console.log(`  - Certificates: ${certUpdates.length}`);
+            console.log(`  - Event streaming destinations: ${streamingDestinationUpdates.length}`);
+            console.log(`  - Alert webhook actions: ${webhookActionUpdates.length}`);
            console.log(
                `\n  IMPORTANT: Restart the server for the new secret to take effect.`
            );
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -9,6 +9,7 @@ import { rotateServerSecret } from "./commands/rotateServerSecret";
 import { clearLicenseKeys } from "./commands/clearLicenseKeys";
 import { deleteClient } from "./commands/deleteClient";
 import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
+import { clearCertificates } from "./commands/clearCertificates";

 yargs(hideBin(process.argv))
    .scriptName("pangctl")
@@ -19,5 +20,6 @@ yargs(hideBin(process.argv))
    .command(clearLicenseKeys)
    .command(deleteClient)
    .command(generateOrgCaKeys)
+    .command(clearCertificates)
    .demandCommand()
    .help().argv;
--- a/docker-compose.mailpit.yml
+++ b/docker-compose.mailpit.yml
@@ -0,0 +1,12 @@
+services:
+  mailer:
+    image: axllent/mailpit
+    ports:
+      - 8025:8025
+      - 1025:1025
+    volumes:
+      - mailpit-storage:/data
+    environment:
+      - MP_DATABASE=/data/mailpit.db
+volumes:
+  mailpit-storage:
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Превишихте ограничението на текущия си план. Коригирайте проблема, като премахнете сайтове, потребители или други ресурси, за да оставате в рамките на плана си.",
    "trialBannerMessage": "Пробният Ви период изтича след {countdown}. Актуализирайте за запазване на достъпа.",
    "trialBannerExpired": "Пробният Ви период е изтекъл. Актуализирайте сега, за да възстановите достъпа.",
+    "billingTrialBannerTitle": "Пробният период е активен",
+    "billingTrialBannerDescription": "В момента сте в пробен период на бизнес ниво. След края на пробния период, вашият акаунт автоматично ще бъде върнат към функциите и ограниченията на основното ниво. Надградете по всяко време, за да запазите достъпа до текущите функции на плана.",
+    "billingTrialBannerUpgrade": "Надградете сега",
+    "billingTrialBadge": "Пробен период",
    "trialActive": "Активен пробен период",
    "trialExpired": "Пробният период е изтекъл",
    "trialHasEnded": "Пробният Ви период е приключил.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Крайна точка",
    "newtId": "Идентификационен номер",
    "newtSecretKey": "Секретен ключ",
+    "newtVersion": "Версия",
    "architecture": "Архитектура",
    "sites": "Сайтове",
    "siteWgAnyClients": "Използвайте клиент на WireGuard, за да се свържете. Ще трябва да използвате вътрешните ресурси чрез IP адреса на връстника.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Преглед на бележките за изданието",
    "newtUpdateAvailable": "Ново обновление",
    "newtUpdateAvailableInfo": "Нова версия на Newt е налична. Моля, обновете до последната версия за най-добро изживяване.",
+    "pangolinNodeUpdateAvailableInfo": "Налична е нова версия на Pangolin Node. Моля, актуализирайте до последната версия за най-добро изживяване.",
    "domainPickerEnterDomain": "Домейн",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Въведете пълния домейн на ресурса, за да видите наличните опции.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Изберете своя доставчик на идентичност, за да продължите",
    "orgAuthNoIdpConfigured": "Тази организация няма конфигурирани доставчици на идентичност. Можете да влезете с вашата Pangolin идентичност.",
    "orgAuthSignInWithPangolin": "Впишете се с Pangolin",
-    "orgAuthSignInToOrg": "Влезте в организация",
+    "orgAuthSignInToOrg": "Идентификационен доставчик на организация (SSO)",
    "orgAuthSelectOrgTitle": "Вход в организация.",
    "orgAuthSelectOrgDescription": "Въведете идентификатора на вашата организация, за да продължите.",
    "orgAuthOrgIdPlaceholder": "вашата-организация",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "Няма валидни методи за удостоверение",
    "ip": "IP",
    "reason": "Причина",
-    "requestLogs": "Заявка за логове",
+    "requestLogs": "Логове за HTTP заявки",
    "requestAnalytics": "Анализи На Заявки",
    "host": "Хост",
    "location": "Местоположение",
    "actionLogs": "Дневници на действията",
-    "sidebarLogsRequest": "Заявка за логове",
+    "sidebarLogsRequest": "Логове за HTTP заявки",
    "sidebarLogsAccess": "Достъп до логове",
    "sidebarLogsAction": "Дневници на действията",
    "logRetention": "Задържане на логове",
    "logRetentionDescription": "Управлявайте времето за задържане на различни видове логове за тази организация или ги деактивирайте",
    "requestLogsDescription": "Прегледайте подробни логове на заявки за ресурси в тази организация",
    "requestAnalyticsDescription": "Вижте подробни анализи на заявки за ресурсите в тази организация",
-    "logRetentionRequestLabel": "Задържане на логове на заявки",
+    "logRetentionRequestLabel": "Задържане на логове за HTTP заявки",
    "logRetentionRequestDescription": "Колко дълго да се задържат логовете на заявките",
    "logRetentionAccessLabel": "Задържане на логове за достъп",
    "logRetentionAccessDescription": "Колко дълго да се задържат логовете за достъп",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Административни действия, извършени от потребители в организацията.",
    "httpDestConnectionLogsTitle": "Логове на връзката",
    "httpDestConnectionLogsDescription": "Събития на свързване и прекъсване на сайта и тунела, включително свръзки и прекъсвания.",
-    "httpDestRequestLogsTitle": "Заявки за логове",
+    "httpDestRequestLogsTitle": "Логове за HTTP заявки",
    "httpDestRequestLogsDescription": "Регистри за HTTP заявките към проксирани ресурси, включително метод, път и код на отговор.",
    "httpDestSaveChanges": "Запази промените",
    "httpDestCreateDestination": "Създаване на дестинация",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Уайлдкард подсайтове не са позволени.",
    "domainPickerWildcardCertWarning": "Ресурсите с уайлдкард може да изискват допълнителна конфигурация за правилна работа.",
    "domainPickerWildcardCertWarningLink": "Научете повече",
-    "health": "Здраве"
+    "health": "Здраве",
+    "domainPendingErrorTitle": "Проблем при проверка",
+    "memberPortalTitle": "Ресурси",
+    "memberPortalDescription": "Ресурси, до които имате достъп в тази организация",
+    "memberPortalSortBy": "Сортиране по...",
+    "memberPortalSortNameAsc": "Име А-Я",
+    "memberPortalSortNameDesc": "Име Я-А",
+    "memberPortalSortDomainAsc": "Домен А-Я",
+    "memberPortalSortDomainDesc": "Домен Я-А",
+    "memberPortalSortEnabledFirst": "Активирани Първи",
+    "memberPortalSortDisabledFirst": "Деактивирани Първи",
+    "memberPortalRefresh": "Обнови",
+    "memberPortalRefreshResources": "Обнови ресурсите",
+    "memberPortalFailedToLoad": "Грешка при зареждане на ресурсите",
+    "memberPortalFailedToLoadDescription": "Грешка при зареждане на ресурсите. Моля, проверете връзката си и опитайте отново.",
+    "memberPortalUnableToLoad": "Неуспешно зареждане на ресурси",
+    "memberPortalTryAgain": "Опитай отново",
+    "memberPortalNoResourcesFound": "Няма намерени ресурси",
+    "memberPortalNoResourcesAvailable": "Няма налични ресурси",
+    "memberPortalNoResourcesMatchSearch": "Няма ресурси, съвпадащи с \"{query}\". Опитайте да промените търсените условия или нулирайте търсенето, за да видите всички ресурси.",
+    "memberPortalNoResourcesAccess": "Още нямате достъп до ресурси. Свържете се с вашия администратор, за да получите достъп до нужните ресурси.",
+    "memberPortalClearSearch": "Изчисти търсенето",
+    "memberPortalPublicResources": "Публични ресурси",
+    "memberPortalPublicResourcesDescription": "Уеб приложения и услуги, достъпни през браузър",
+    "memberPortalCopiedToClipboard": "Копирано в клипборда",
+    "memberPortalCopiedUrlDescription": "URL адресът на ресурса е копиран в клипборда.",
+    "memberPortalOpenResource": "Отвори ресурса",
+    "memberPortalPrivateResources": "Частни ресурси",
+    "memberPortalPrivateResourcesDescription": "Ресурси на вътрешната мрежа, достъпни чрез клиент",
+    "memberPortalResourceDetails": "Детайли за ресурса",
+    "memberPortalMode": "Режим",
+    "memberPortalDestination": "Дестинация",
+    "memberPortalAlias": "Алиас",
+    "memberPortalCopiedAliasDescription": "Алиасът на ресурса е копиран в клипборда.",
+    "memberPortalCopiedDestinationDescription": "Дестинацията на ресурса е копирана в клипборда.",
+    "memberPortalRequiresClientConnection": "Изисква връзка с клиента",
+    "memberPortalAuthMethods": "Методи на удостоверяване",
+    "memberPortalSso": "Единно вход (SSO)",
+    "memberPortalPasswordProtected": "Защитено с парола",
+    "memberPortalPinCode": "ПИН код",
+    "memberPortalEmailWhitelist": "Бял списък на имейли",
+    "memberPortalResourceDisabled": "Ресурсът е деактивиран",
+    "memberPortalShowingResources": "Показва {start}-{end} от {total} ресурси",
+    "memberPortalPrevious": "Предишен",
+    "memberPortalNext": "Следващ"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Jste za hranicemi vašeho aktuálního plánu. Opravte problém odstraněním webů, uživatelů nebo jiných zdrojů, abyste zůstali ve vašem tarifu.",
    "trialBannerMessage": "Vaše zkušební verze vyprší za {countdown}. Pro udržení přístupu upgraduje.",
    "trialBannerExpired": "Vaše zkušební verze vypršela. Upgradujte nyní pro obnovu přístupu.",
+    "billingTrialBannerTitle": "Aktivní zkušební verze",
+    "billingTrialBannerDescription": "Právě používáte zkušební verzi na úrovni business. Po skončení zkušební verze se váš účet automaticky vrátí k funkcím a limitům úrovně Basic. Upgradujte kdykoli pro zachování přístupu k funkcím vašeho aktuálního plánu.",
+    "billingTrialBannerUpgrade": "Upgradovat nyní",
+    "billingTrialBadge": "Zkušební verze",
    "trialActive": "Zkušební verze je aktivní",
    "trialExpired": "Zkušební verze vypršela",
    "trialHasEnded": "Vaše zkušební verze skončila.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Tajný klíč",
+    "newtVersion": "Verze",
    "architecture": "Architektura",
    "sites": "Stránky",
    "siteWgAnyClients": "K připojení použijte jakéhokoli klienta WireGuard. Budete muset řešit interní zdroje pomocí klientské IP adresy.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Zobrazit poznámky k vydání",
    "newtUpdateAvailable": "Dostupná aktualizace",
    "newtUpdateAvailableInfo": "Je k dispozici nová verze Newt. Pro nejlepší zážitek prosím aktualizujte na nejnovější verzi.",
+    "pangolinNodeUpdateAvailableInfo": "Je k dispozici nová verze uzlu Pangolin. Pro nejlepší zážitek aktualizujte na nejnovější verzi.",
    "domainPickerEnterDomain": "Doména",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Zadejte úplnou doménu zdroje pro zobrazení dostupných možností.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Chcete-li pokračovat, vyberte svého poskytovatele identity",
    "orgAuthNoIdpConfigured": "Tato organizace nemá nakonfigurovány žádné poskytovatele identity. Místo toho se můžete přihlásit s vaší Pangolinovou identitou.",
    "orgAuthSignInWithPangolin": "Přihlásit se pomocí Pangolinu",
-    "orgAuthSignInToOrg": "Přihlásit se do organizace",
+    "orgAuthSignInToOrg": "Poskytovatel identity organizace (SSO)",
    "orgAuthSelectOrgTitle": "Přihlášení do organizace",
    "orgAuthSelectOrgDescription": "Zadejte ID vaší organizace pro pokračování",
    "orgAuthOrgIdPlaceholder": "vaše-organizace",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP adresa",
    "reason": "Důvod",
-    "requestLogs": "Záznamy požadavků",
+    "requestLogs": "Záznamy HTTP požadavků",
    "requestAnalytics": "Vyžádat analýzu",
    "host": "Hostitel",
    "location": "Poloha",
    "actionLogs": "Záznamy akcí",
-    "sidebarLogsRequest": "Záznamy požadavků",
+    "sidebarLogsRequest": "Záznamy HTTP požadavků",
    "sidebarLogsAccess": "Protokoly přístupu",
    "sidebarLogsAction": "Záznamy akcí",
    "logRetention": "Zaznamenávání záznamu",
    "logRetentionDescription": "Spravovat, jak dlouho jsou různé typy logů uloženy pro tuto organizaci nebo je zakázat",
    "requestLogsDescription": "Zobrazit podrobné protokoly požadavků pro zdroje v této organizaci",
    "requestAnalyticsDescription": "Zobrazit podrobnou analýzu požadavků pro zdroje v této organizaci",
-    "logRetentionRequestLabel": "Zachování logu žádosti",
+    "logRetentionRequestLabel": "Zachování logu HTTP požadavků",
    "logRetentionRequestDescription": "Jak dlouho uchovávat záznamy požadavků",
    "logRetentionAccessLabel": "Zachování záznamu přístupu",
    "logRetentionAccessDescription": "Jak dlouho uchovávat přístupové záznamy",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Správní opatření prováděná uživateli v rámci organizace.",
    "httpDestConnectionLogsTitle": "Protokoly připojení",
    "httpDestConnectionLogsDescription": "Události týkající se připojení lokality a tunelu, včetně připojení a odpojení.",
-    "httpDestRequestLogsTitle": "Záznamy požadavků",
+    "httpDestRequestLogsTitle": "Záznamy HTTP požadavků",
    "httpDestRequestLogsDescription": "HTTP záznamy požadavků pro proxy zdroje, včetně metod, cesty a kódu odpovědi.",
    "httpDestSaveChanges": "Uložit změny",
    "httpDestCreateDestination": "Vytvořit cíl",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Zástupné poddomény nejsou povoleny.",
    "domainPickerWildcardCertWarning": "Zástupné zdroje mohou vyžadovat dodatečnou konfiguraci pro správnou funkci.",
    "domainPickerWildcardCertWarningLink": "Zjistit více",
-    "health": "Zdraví"
+    "health": "Zdraví",
+    "domainPendingErrorTitle": "Problém s ověřením",
+    "memberPortalTitle": "Zdroje",
+    "memberPortalDescription": "Zdroje, ke kterým máte v této organizaci přístup",
+    "memberPortalSortBy": "Řadit podle...",
+    "memberPortalSortNameAsc": "Názvu A-Z",
+    "memberPortalSortNameDesc": "Názvu Z-A",
+    "memberPortalSortDomainAsc": "Domény A-Z",
+    "memberPortalSortDomainDesc": "Domény Z-A",
+    "memberPortalSortEnabledFirst": "Nejprve povoleno",
+    "memberPortalSortDisabledFirst": "Nejprve zakázáno",
+    "memberPortalRefresh": "Aktualizovat",
+    "memberPortalRefreshResources": "Aktualizovat zdroje",
+    "memberPortalFailedToLoad": "Nepodařilo se načíst zdroje",
+    "memberPortalFailedToLoadDescription": "Nepodařilo se načíst zdroje. Zkontrolujte prosím své připojení a zkuste to znovu.",
+    "memberPortalUnableToLoad": "Nelze načíst zdroje",
+    "memberPortalTryAgain": "Zkusit znovu",
+    "memberPortalNoResourcesFound": "Žádné zdroje nebyly nalezeny",
+    "memberPortalNoResourcesAvailable": "Žádné zdroje nejsou k dispozici",
+    "memberPortalNoResourcesMatchSearch": "Žádné zdroje neodpovídají \"{query}\". Zkuste přizpůsobit své vyhledávací termíny nebo vyčistit hledání, abyste viděli všechny zdroje.",
+    "memberPortalNoResourcesAccess": "Zatím nemáte přístup k žádným zdrojům. Kontaktujte svého správce, aby vám poskytl přístup k potřebným zdrojům.",
+    "memberPortalClearSearch": "Vymazat hledání",
+    "memberPortalPublicResources": "Veřejné zdroje",
+    "memberPortalPublicResourcesDescription": "Webové aplikace a služby přístupné přes prohlížeč",
+    "memberPortalCopiedToClipboard": "Zkopírováno do schránky",
+    "memberPortalCopiedUrlDescription": "URL zdroje byla zkopírována do vaší schránky.",
+    "memberPortalOpenResource": "Otevřít zdroj",
+    "memberPortalPrivateResources": "Soukromé zdroje",
+    "memberPortalPrivateResourcesDescription": "Interní síťové zdroje přístupné přes klienta",
+    "memberPortalResourceDetails": "Podrobnosti o zdroji",
+    "memberPortalMode": "Režim",
+    "memberPortalDestination": "Cíl",
+    "memberPortalAlias": "Přezdívka",
+    "memberPortalCopiedAliasDescription": "Alias zdroje byl zkopírován do vaší schránky.",
+    "memberPortalCopiedDestinationDescription": "Cíl zdroje byl zkopírován do vaší schránky.",
+    "memberPortalRequiresClientConnection": "Vyžaduje klientské připojení",
+    "memberPortalAuthMethods": "Metody ověřování",
+    "memberPortalSso": "Jedno přihlášení (SSO)",
+    "memberPortalPasswordProtected": "Heslo chráněno",
+    "memberPortalPinCode": "PIN kód",
+    "memberPortalEmailWhitelist": "Seznam povolených emailů",
+    "memberPortalResourceDisabled": "Zdroj je zakázán",
+    "memberPortalShowingResources": "Zobrazeny {start}-{end} z {total} zdrojů",
+    "memberPortalPrevious": "Předchozí",
+    "memberPortalNext": "Následující"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Sie überschreiten Ihre Grenzen für Ihr aktuelles Paket. Korrigieren Sie das Problem, indem Sie Webseiten, Benutzer oder andere Ressourcen entfernen, um in Ihrem Paket zu bleiben.",
    "trialBannerMessage": "Ihre Testversion läuft in {countdown} ab. Upgraden, um den Zugriff zu behalten.",
    "trialBannerExpired": "Ihre Testversion ist abgelaufen. Jetzt upgraden, um den Zugriff wiederherzustellen.",
+    "billingTrialBannerTitle": "Kostenlose Testversion aktiv",
+    "billingTrialBannerDescription": "Sie nutzen derzeit eine kostenlose Testversion auf der Geschäftsstufe. Wenn die Testversion endet, wird Ihr Konto automatisch auf die Funktionen und Beschränkungen der Basisstufe zurückgesetzt. Upgraden Sie jederzeit, um weiterhin Zugriff auf die Funktionen Ihres aktuellen Plans zu behalten.",
+    "billingTrialBannerUpgrade": "Jetzt upgraden",
+    "billingTrialBadge": "Kostenlose Testversion",
    "trialActive": "Kostenlose Testversion aktiv",
    "trialExpired": "Testversion abgelaufen",
    "trialHasEnded": "Ihre Testversion ist beendet.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpunkt",
    "newtId": "ID",
    "newtSecretKey": "Geheimnis",
+    "newtVersion": "Version",
    "architecture": "Architektur",
    "sites": "Standorte",
    "siteWgAnyClients": "Verwenden Sie jeden WireGuard-Client um sich zu verbinden. Sie müssen interne Ressourcen über die Peer-IP ansprechen.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Versionshinweise anzeigen",
    "newtUpdateAvailable": "Update verfügbar",
    "newtUpdateAvailableInfo": "Eine neue Version von Newt ist verfügbar. Bitte aktualisieren Sie auf die neueste Version für das beste Erlebnis.",
+    "pangolinNodeUpdateAvailableInfo": "Eine neue Version von Pangolin Node ist verfügbar. Bitte aktualisieren Sie auf die neueste Version für das beste Erlebnis.",
    "domainPickerEnterDomain": "Domäne",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Geben Sie die vollständige Domain der Ressource ein, um verfügbare Optionen zu sehen.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Wähle deinen Identitätsanbieter um fortzufahren",
    "orgAuthNoIdpConfigured": "Diese Organisation hat keine Identitätsanbieter konfiguriert. Sie können sich stattdessen mit Ihrer Pangolin-Identität anmelden.",
    "orgAuthSignInWithPangolin": "Mit Pangolin anmelden",
-    "orgAuthSignInToOrg": "Bei einer Organisation anmelden",
+    "orgAuthSignInToOrg": "Organisations-Identitätsanbieter (SSO)",
    "orgAuthSelectOrgTitle": "Organisations-Anmeldung",
    "orgAuthSelectOrgDescription": "Geben Sie Ihre Organisations-ID ein, um fortzufahren",
    "orgAuthOrgIdPlaceholder": "Ihre Organisation",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "Keine gültige Authentifizierungsmethode verfügbar",
    "ip": "IP",
    "reason": "Grund",
-    "requestLogs": "Logs anfordern",
+    "requestLogs": "HTTP Anforderungsprotokolle",
    "requestAnalytics": "Anfrage-Analyse anzeigen",
    "host": "Host",
    "location": "Standort",
    "actionLogs": "Aktionsprotokolle",
-    "sidebarLogsRequest": "Logs anfordern",
+    "sidebarLogsRequest": "HTTP Anforderungsprotokolle",
    "sidebarLogsAccess": "Zugriffsprotokolle",
    "sidebarLogsAction": "Aktionsprotokolle",
    "logRetention": "Log-Speicherung",
    "logRetentionDescription": "Verwalten, wie lange verschiedene Logs für diese Organisation gespeichert werden oder deaktivieren",
    "requestLogsDescription": "Detaillierte Request-Logs für Ressourcen in dieser Organisation anzeigen",
    "requestAnalyticsDescription": "Detaillierte Anfrage-Analyse für Ressourcen in dieser Organisation anzeigen",
-    "logRetentionRequestLabel": "Log-Speicherung anfordern",
+    "logRetentionRequestLabel": "HTTP Anforderungsprotokoll Aufbewahrung",
    "logRetentionRequestDescription": "Wie lange sollen Request-Logs gespeichert werden",
    "logRetentionAccessLabel": "Zugriffsprotokoll-Speicherung",
    "logRetentionAccessDescription": "Wie lange Zugriffsprotokolle beibehalten werden sollen",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administrative Maßnahmen, die von Benutzern innerhalb der Organisation durchgeführt werden.",
    "httpDestConnectionLogsTitle": "Verbindungsprotokolle",
    "httpDestConnectionLogsDescription": "Site- und Tunnelverbindungen, einschließlich Verbindungen und Trennungen.",
-    "httpDestRequestLogsTitle": "Logs anfordern",
+    "httpDestRequestLogsTitle": "HTTP Anforderungsprotokolle",
    "httpDestRequestLogsDescription": "HTTP-Request-Protokolle für proxiierte Ressourcen, einschließlich Methode, Pfad und Antwort-Code.",
    "httpDestSaveChanges": "Änderungen speichern",
    "httpDestCreateDestination": "Ziel erstellen",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard-Subdomains sind nicht erlaubt.",
    "domainPickerWildcardCertWarning": "Wildcard-Ressourcen erfordern möglicherweise zusätzliche Konfigurationen, um ordnungsgemäß zu funktionieren.",
    "domainPickerWildcardCertWarningLink": "Mehr erfahren",
-    "health": "Gesundheit"
+    "health": "Gesundheit",
+    "domainPendingErrorTitle": "Verifizierungsproblem",
+    "memberPortalTitle": "Ressourcen",
+    "memberPortalDescription": "Ressourcen, auf die Sie in dieser Organisation Zugriff haben",
+    "memberPortalSortBy": "Sortieren nach...",
+    "memberPortalSortNameAsc": "Name A-Z",
+    "memberPortalSortNameDesc": "Name Z-A",
+    "memberPortalSortDomainAsc": "Domain A-Z",
+    "memberPortalSortDomainDesc": "Domain Z-A",
+    "memberPortalSortEnabledFirst": "Zuerst aktiviert",
+    "memberPortalSortDisabledFirst": "Zuerst deaktiviert",
+    "memberPortalRefresh": "Aktualisieren",
+    "memberPortalRefreshResources": "Ressourcen aktualisieren",
+    "memberPortalFailedToLoad": "Fehler beim Laden der Ressourcen",
+    "memberPortalFailedToLoadDescription": "Fehler beim Laden der Ressourcen. Bitte überprüfen Sie Ihre Verbindung und versuchen Sie es erneut.",
+    "memberPortalUnableToLoad": "Ressourcen konnten nicht geladen werden",
+    "memberPortalTryAgain": "Nochmal versuchen",
+    "memberPortalNoResourcesFound": "Keine Ressourcen gefunden",
+    "memberPortalNoResourcesAvailable": "Keine Ressourcen verfügbar",
+    "memberPortalNoResourcesMatchSearch": "Keine Ressourcen passen zu \"{query}\". Versuchen Sie, Ihre Suchbegriffe anzupassen oder die Suche zu löschen, um alle Ressourcen anzuzeigen.",
+    "memberPortalNoResourcesAccess": "Sie haben noch keinen Zugriff auf Ressourcen. Wenden Sie sich an Ihren Administrator, um Zugriff auf die benötigten Ressourcen zu erhalten.",
+    "memberPortalClearSearch": "Suchverlauf löschen",
+    "memberPortalPublicResources": "Öffentliche Ressourcen",
+    "memberPortalPublicResourcesDescription": "Webanwendungen und Dienste, die über den Browser zugänglich sind",
+    "memberPortalCopiedToClipboard": "In die Zwischenablage kopiert",
+    "memberPortalCopiedUrlDescription": "Ressourcen-URL wurde in Ihre Zwischenablage kopiert.",
+    "memberPortalOpenResource": "Ressource öffnen",
+    "memberPortalPrivateResources": "Private Ressourcen",
+    "memberPortalPrivateResourcesDescription": "Interne Netzwerkressourcen, die über den Client zugänglich sind",
+    "memberPortalResourceDetails": "Ressourcendetails",
+    "memberPortalMode": "Modus",
+    "memberPortalDestination": "Ziel",
+    "memberPortalAlias": "Alias",
+    "memberPortalCopiedAliasDescription": "Ressourcenalias wurde in Ihre Zwischenablage kopiert.",
+    "memberPortalCopiedDestinationDescription": "Ressourcenziel wurde in Ihre Zwischenablage kopiert.",
+    "memberPortalRequiresClientConnection": "Erfordert Client-Verbindung",
+    "memberPortalAuthMethods": "Authentifizierungsmethoden",
+    "memberPortalSso": "Single Sign-On (SSO)",
+    "memberPortalPasswordProtected": "Passwortgeschützt",
+    "memberPortalPinCode": "PIN-Code",
+    "memberPortalEmailWhitelist": "E-Mail-Whitelist",
+    "memberPortalResourceDisabled": "Ressource deaktiviert",
+    "memberPortalShowingResources": "Zeige {start}-{end} von {total} Ressourcen",
+    "memberPortalPrevious": "Vorherige",
+    "memberPortalNext": "Nächste"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "You're beyond your limits for your current plan. Correct the problem by removing sites, users, or other resources to stay within your plan.",
    "trialBannerMessage": "Your trial expires in {countdown}. Upgrade to keep access.",
    "trialBannerExpired": "Your trial has expired. Upgrade now to restore access.",
+    "billingTrialBannerTitle": "Free Trial Active",
+    "billingTrialBannerDescription": "You're currently on a free trial on the business tier. When the trial ends, your account will automatically revert to the Basic tier features and limits. Upgrade anytime to keep access to your current plan's features.",
+    "billingTrialBannerUpgrade": "Upgrade Now",
+    "billingTrialBadge": "Free Trial",
    "trialActive": "Free Trial Active",
    "trialExpired": "Trial Expired",
    "trialHasEnded": "Your trial has ended.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secret",
+    "newtVersion": "Version",
    "architecture": "Architecture",
    "sites": "Sites",
    "siteWgAnyClients": "Use any WireGuard client to connect. You will have to address internal resources using the peer IP.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "View Release Notes",
    "newtUpdateAvailable": "Update Available",
    "newtUpdateAvailableInfo": "A new version of Newt is available. Please update to the latest version for the best experience.",
+    "pangolinNodeUpdateAvailableInfo": "A new version of Pangolin Node is available. Please update to the latest version for the best experience.",
    "domainPickerEnterDomain": "Domain",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Enter the full domain of the resource to see available options.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Choose your identity provider to continue",
    "orgAuthNoIdpConfigured": "This organization doesn't have any identity providers configured. You can log in with your Pangolin identity instead.",
    "orgAuthSignInWithPangolin": "Sign in with Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Organization Identity Provider (SSO)",
    "orgAuthSelectOrgTitle": "Organization Sign In",
    "orgAuthSelectOrgDescription": "Enter your organization ID to continue",
    "orgAuthOrgIdPlaceholder": "your-organization",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Reason",
-    "requestLogs": "HTTPS Request Logs",
+    "requestLogs": "HTTP Request Logs",
    "requestAnalytics": "Request Analytics",
    "host": "Host",
    "location": "Location",
    "actionLogs": "Admin Action Logs",
-    "sidebarLogsRequest": "HTTPS Request Logs",
+    "sidebarLogsRequest": "HTTP Request Logs",
    "sidebarLogsAccess": "Authentication Logs",
    "sidebarLogsAction": "Admin Action Logs",
    "logRetention": "Log Retention",
    "logRetentionDescription": "Manage how long different types of logs are retained for this organization or disable them",
    "requestLogsDescription": "View detailed request logs for HTTPS resources in this organization",
    "requestAnalyticsDescription": "View detailed request analytics for resources in this organization",
-    "logRetentionRequestLabel": "HTTPS Request Log Retention",
+    "logRetentionRequestLabel": "HTTP Request Log Retention",
    "logRetentionRequestDescription": "How long to retain request logs",
    "logRetentionAccessLabel": "Authentication Log Retention",
    "logRetentionAccessDescription": "How long to retain access logs",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administrative actions performed by users within the organization.",
    "httpDestConnectionLogsTitle": "Network Logs",
    "httpDestConnectionLogsDescription": "Site and tunnel connection events, including connects and disconnects.",
-    "httpDestRequestLogsTitle": "HTTPS Request Logs",
+    "httpDestRequestLogsTitle": "HTTP Request Logs",
    "httpDestRequestLogsDescription": "HTTP request logs for proxied resources, including method, path, and response code.",
    "httpDestSaveChanges": "Save Changes",
    "httpDestCreateDestination": "Create Destination",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard subdomains are not allowed.",
    "domainPickerWildcardCertWarning": "Wildcard resources may require additional configuration to work properly.",
    "domainPickerWildcardCertWarningLink": "Learn more",
-    "health": "Health"
+    "health": "Health",
+    "domainPendingErrorTitle": "Verification Issue",
+    "memberPortalTitle": "Resources",
+    "memberPortalDescription": "Resources you have access to in this organization",
+    "memberPortalSortBy": "Sort by...",
+    "memberPortalSortNameAsc": "Name A-Z",
+    "memberPortalSortNameDesc": "Name Z-A",
+    "memberPortalSortDomainAsc": "Domain A-Z",
+    "memberPortalSortDomainDesc": "Domain Z-A",
+    "memberPortalSortEnabledFirst": "Enabled First",
+    "memberPortalSortDisabledFirst": "Disabled First",
+    "memberPortalRefresh": "Refresh",
+    "memberPortalRefreshResources": "Refresh Resources",
+    "memberPortalFailedToLoad": "Failed to load resources",
+    "memberPortalFailedToLoadDescription": "Failed to load resources. Please check your connection and try again.",
+    "memberPortalUnableToLoad": "Unable to Load Resources",
+    "memberPortalTryAgain": "Try Again",
+    "memberPortalNoResourcesFound": "No Resources Found",
+    "memberPortalNoResourcesAvailable": "No Resources Available",
+    "memberPortalNoResourcesMatchSearch": "No resources match \"{query}\". Try adjusting your search terms or clearing the search to see all resources.",
+    "memberPortalNoResourcesAccess": "You don't have access to any resources yet. Contact your administrator to get access to resources you need.",
+    "memberPortalClearSearch": "Clear Search",
+    "memberPortalPublicResources": "Public Resources",
+    "memberPortalPublicResourcesDescription": "Web applications and services accessible via browser",
+    "memberPortalCopiedToClipboard": "Copied to clipboard",
+    "memberPortalCopiedUrlDescription": "Resource URL has been copied to your clipboard.",
+    "memberPortalOpenResource": "Open Resource",
+    "memberPortalPrivateResources": "Private Resources",
+    "memberPortalPrivateResourcesDescription": "Internal network resources accessible via client",
+    "memberPortalResourceDetails": "Resource Details",
+    "memberPortalMode": "Mode",
+    "memberPortalDestination": "Destination",
+    "memberPortalAlias": "Alias",
+    "memberPortalCopiedAliasDescription": "Resource alias has been copied to your clipboard.",
+    "memberPortalCopiedDestinationDescription": "Resource destination has been copied to your clipboard.",
+    "memberPortalRequiresClientConnection": "Requires Client Connection",
+    "memberPortalAuthMethods": "Authentication Methods",
+    "memberPortalSso": "Single Sign-On (SSO)",
+    "memberPortalPasswordProtected": "Password Protected",
+    "memberPortalPinCode": "PIN Code",
+    "memberPortalEmailWhitelist": "Email Whitelist",
+    "memberPortalResourceDisabled": "Resource Disabled",
+    "memberPortalShowingResources": "Showing {start}-{end} of {total} resources",
+    "memberPortalPrevious": "Previous",
+    "memberPortalNext": "Next"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Estás más allá de tus límites para tu plan actual. Corrija el problema eliminando sitios, usuarios u otros recursos para permanecer dentro de tu plan.",
    "trialBannerMessage": "Su prueba expira en {countdown}. Actualice para mantener el acceso.",
    "trialBannerExpired": "Su prueba ha expirado. Actualice ahora para restaurar el acceso.",
+    "billingTrialBannerTitle": "Prueba gratuita activada",
+    "billingTrialBannerDescription": "Actualmente estás en una prueba gratuita en el nivel empresarial. Cuando finalice la prueba, tu cuenta volverá automáticamente a las características y límites del nivel Básico. Mejora en cualquier momento para mantener el acceso a las características de tu plan actual.",
+    "billingTrialBannerUpgrade": "Actualizar ahora",
+    "billingTrialBadge": "Prueba Gratuita",
    "trialActive": "Prueba gratuita activa",
    "trialExpired": "Prueba expirada",
    "trialHasEnded": "Su prueba ha terminado.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secreto",
+    "newtVersion": "Versión",
    "architecture": "Arquitectura",
    "sites": "Sitios",
    "siteWgAnyClients": "Usa cualquier cliente de Wirex para conectarte. Tendrás que dirigirte a los recursos internos usando la IP de compañeros.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Ver notas de lanzamiento",
    "newtUpdateAvailable": "Nueva actualización disponible",
    "newtUpdateAvailableInfo": "Hay una nueva versión de Newt disponible. Actualice a la última versión para la mejor experiencia.",
+    "pangolinNodeUpdateAvailableInfo": "Hay una nueva versión de Pangolin Node disponible. Actualice a la última versión para la mejor experiencia.",
    "domainPickerEnterDomain": "Dominio",
    "domainPickerPlaceholder": "miapp.ejemplo.com",
    "domainPickerDescription": "Ingresa el dominio completo del recurso para ver las opciones disponibles.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Elige tu proveedor de identidad para continuar",
    "orgAuthNoIdpConfigured": "Esta organización no tiene ningún proveedor de identidad configurado. En su lugar puedes iniciar sesión con tu identidad de Pangolin.",
    "orgAuthSignInWithPangolin": "Iniciar sesión con Pangolin",
-    "orgAuthSignInToOrg": "Iniciar sesión en una organización",
+    "orgAuthSignInToOrg": "Proveedor de identidad de la organización (SSO)",
    "orgAuthSelectOrgTitle": "Inicio de sesión de organización",
    "orgAuthSelectOrgDescription": "Ingrese el ID de su organización para continuar",
    "orgAuthOrgIdPlaceholder": "tu-organización",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Razón",
-    "requestLogs": "Registros de Solicitud",
+    "requestLogs": "Registros de Solicitud HTTP",
    "requestAnalytics": "Analítica de Solicitud",
    "host": "Anfitrión",
    "location": "Ubicación",
    "actionLogs": "Registros de acción",
-    "sidebarLogsRequest": "Registros de Solicitud",
+    "sidebarLogsRequest": "Registros de Solicitud HTTP",
    "sidebarLogsAccess": "Registros de acceso",
    "sidebarLogsAction": "Registros de acción",
    "logRetention": "Retención de Log",
    "logRetentionDescription": "Administrar cuánto tiempo se conservan los diferentes tipos de registros para esta organización o desactivarlos",
    "requestLogsDescription": "Ver registros de solicitudes detallados para los recursos de esta organización",
    "requestAnalyticsDescription": "Ver análisis de solicitudes detalladas de recursos en esta organización",
-    "logRetentionRequestLabel": "Retención de Registro de Solicitud",
+    "logRetentionRequestLabel": "Retención de Registro de Solicitud HTTP",
    "logRetentionRequestDescription": "Cuánto tiempo conservar los registros de solicitudes",
    "logRetentionAccessLabel": "Retención de Log de Acceso",
    "logRetentionAccessDescription": "Cuánto tiempo retener los registros de acceso",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Acciones administrativas realizadas por los usuarios dentro de la organización.",
    "httpDestConnectionLogsTitle": "Registros de conexión",
    "httpDestConnectionLogsDescription": "Eventos de conexión de sitios y túneles, incluyendo conexiones y desconexiones.",
-    "httpDestRequestLogsTitle": "Registros de Solicitud",
+    "httpDestRequestLogsTitle": "Registros de Solicitud HTTP",
    "httpDestRequestLogsDescription": "Registros de peticiones HTTP para recursos proxyficados, incluyendo método, ruta y código de respuesta.",
    "httpDestSaveChanges": "Guardar Cambios",
    "httpDestCreateDestination": "Crear destino",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "No se permiten subdominios comodín.",
    "domainPickerWildcardCertWarning": "Los recursos comodín pueden requerir configuración adicional para funcionar correctamente.",
    "domainPickerWildcardCertWarningLink": "Más información",
-    "health": "Salud"
+    "health": "Salud",
+    "domainPendingErrorTitle": "Problema de verificación",
+    "memberPortalTitle": "Recursos",
+    "memberPortalDescription": "Recursos a los que tiene acceso en esta organización",
+    "memberPortalSortBy": "Ordenar por...",
+    "memberPortalSortNameAsc": "Nombre A-Z",
+    "memberPortalSortNameDesc": "Nombre Z-A",
+    "memberPortalSortDomainAsc": "Dominio A-Z",
+    "memberPortalSortDomainDesc": "Dominio Z-A",
+    "memberPortalSortEnabledFirst": "Habilitado Primero",
+    "memberPortalSortDisabledFirst": "Deshabilitado Primero",
+    "memberPortalRefresh": "Actualizar",
+    "memberPortalRefreshResources": "Actualizar Recursos",
+    "memberPortalFailedToLoad": "No se pudieron cargar los recursos",
+    "memberPortalFailedToLoadDescription": "No se pudieron cargar los recursos. Por favor, revise su conexión e intente de nuevo.",
+    "memberPortalUnableToLoad": "No se pudieron cargar los recursos",
+    "memberPortalTryAgain": "Intentar de Nuevo",
+    "memberPortalNoResourcesFound": "No se encontraron Recursos",
+    "memberPortalNoResourcesAvailable": "No Hay Recursos Disponibles",
+    "memberPortalNoResourcesMatchSearch": "No hay recursos que coincidan con \"{query}\". Intenta ajustar tus términos de búsqueda o limpiar la búsqueda para ver todos los recursos.",
+    "memberPortalNoResourcesAccess": "Aún no tiene acceso a ningún recurso. Comuníquese con su administrador para obtener acceso a los recursos que necesita.",
+    "memberPortalClearSearch": "Limpiar Búsqueda",
+    "memberPortalPublicResources": "Recursos Públicos",
+    "memberPortalPublicResourcesDescription": "Aplicaciones web y servicios accesibles vía navegador",
+    "memberPortalCopiedToClipboard": "Copiado al portapapeles",
+    "memberPortalCopiedUrlDescription": "La URL del recurso ha sido copiada a su portapapeles.",
+    "memberPortalOpenResource": "Abrir Recurso",
+    "memberPortalPrivateResources": "Recursos Privados",
+    "memberPortalPrivateResourcesDescription": "Recursos de red interna accesibles vía cliente",
+    "memberPortalResourceDetails": "Detalles del Recurso",
+    "memberPortalMode": "Modo",
+    "memberPortalDestination": "Destino",
+    "memberPortalAlias": "Alias",
+    "memberPortalCopiedAliasDescription": "El alias del recurso ha sido copiado a su portapapeles.",
+    "memberPortalCopiedDestinationDescription": "El destino del recurso ha sido copiado a su portapapeles.",
+    "memberPortalRequiresClientConnection": "Requiere Conexión de Cliente",
+    "memberPortalAuthMethods": "Métodos de Autenticación",
+    "memberPortalSso": "Inicio de Sesión Único (SSO)",
+    "memberPortalPasswordProtected": "Protegido por Contraseña",
+    "memberPortalPinCode": "Código PIN",
+    "memberPortalEmailWhitelist": "Lista Blanca de Correo",
+    "memberPortalResourceDisabled": "Recurso Deshabilitado",
+    "memberPortalShowingResources": "Mostrando {start}-{end} de {total} recursos",
+    "memberPortalPrevious": "Anterior",
+    "memberPortalNext": "Siguiente"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Vous dépassez vos limites pour votre forfait actuel. Corrigez le problème en supprimant des sites, des utilisateurs ou d'autres ressources pour rester dans votre forfait.",
    "trialBannerMessage": "Votre essai expire dans {countdown}. Passez à l'abonnement pour garder l'accès.",
    "trialBannerExpired": "Votre essai a expiré. Passez à l'abonnement maintenant pour restaurer l'accès.",
+    "billingTrialBannerTitle": "Essai gratuit actif",
+    "billingTrialBannerDescription": "Vous êtes actuellement en essai gratuit sur le niveau business. À la fin de l'essai, votre compte basculera automatiquement aux fonctionnalités et limites du niveau Basique. Mettez à jour à tout moment pour conserver l'accès aux fonctionnalités de votre plan actuel.",
+    "billingTrialBannerUpgrade": "Passer à la version supérieure maintenant",
+    "billingTrialBadge": "Essai gratuit",
    "trialActive": "Essai gratuit actif",
    "trialExpired": "Essai expiré",
    "trialHasEnded": "Votre essai est terminé.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secrète",
+    "newtVersion": "Version",
    "architecture": "Architecture",
    "sites": "Nœuds",
    "siteWgAnyClients": "Utilisez n'importe quel client WireGuard pour vous connecter. Vous devrez adresser des ressources internes en utilisant l'adresse IP du pair.",
@@ -1351,7 +1356,7 @@
    "sidebarSites": "Nœuds",
    "sidebarApprovals": "Demandes d'approbation",
    "sidebarResources": "Ressource",
-    "sidebarProxyResources": "Publique",
+    "sidebarProxyResources": "Publiques",
    "sidebarClientResources": "Privé",
    "sidebarAccessControl": "Contrôle d'accès",
    "sidebarLogsAndAnalytics": "Journaux & Analytiques",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Voir les notes de publication",
    "newtUpdateAvailable": "Mise à jour disponible",
    "newtUpdateAvailableInfo": "Une nouvelle version de Newt est disponible. Veuillez mettre à jour vers la dernière version pour une meilleure expérience.",
+    "pangolinNodeUpdateAvailableInfo": "Une nouvelle version de Pangolin Node est disponible. Veuillez mettre à jour vers la dernière version pour une meilleure expérience.",
    "domainPickerEnterDomain": "Domaine",
    "domainPickerPlaceholder": "monapp.exemple.com",
    "domainPickerDescription": "Entrez le domaine complet de la ressource pour voir les options disponibles.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Choisissez votre fournisseur d'identité pour continuer",
    "orgAuthNoIdpConfigured": "Cette organisation n'a aucun fournisseur d'identité configuré. Vous pouvez vous connecter avec votre identité Pangolin à la place.",
    "orgAuthSignInWithPangolin": "Se connecter avec Pangolin",
-    "orgAuthSignInToOrg": "Se connecter à une organisation",
+    "orgAuthSignInToOrg": "Fournisseur d'identité d'organisation (SSO)",
    "orgAuthSelectOrgTitle": "Connexion à l'organisation",
    "orgAuthSelectOrgDescription": "Entrez votre identifiant d'organisation pour continuer",
    "orgAuthOrgIdPlaceholder": "votre-organisation",
@@ -2452,8 +2458,8 @@
    "manageUserDevicesDescription": "Voir et gérer les appareils que les utilisateurs utilisent pour se connecter en privé aux ressources",
    "downloadClientBannerTitle": "Télécharger le client Pangolin",
    "downloadClientBannerDescription": "Téléchargez le client Pangolin pour votre système afin de vous connecter au réseau Pangolin et accéder aux ressources de manière privée.",
-    "manageMachineClients": "Gérer les clients de la machine",
-    "manageMachineClientsDescription": "Créer et gérer des clients que les serveurs et les systèmes utilisent pour se connecter en privé aux ressources",
+    "manageMachineClients": "Gérer les machines",
+    "manageMachineClientsDescription": "Créer et gérer les clients que les serveurs et systèmes utilisent pour se connecter en privé aux ressources",
    "machineClientsBannerTitle": "Serveurs & Systèmes automatisés",
    "machineClientsBannerDescription": "Les clients de machine sont conçus pour les serveurs et les systèmes automatisés qui ne sont pas associés à un utilisateur spécifique. Ils s'authentifient avec un identifiant et une clé secrète, et peuvent être exécutés avec Pangolin CLI, Olm CLI ou Olm en tant que conteneur.",
    "machineClientsBannerPangolinCLI": "Pangolin CLI",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Raison",
-    "requestLogs": "Journal des requêtes",
+    "requestLogs": "Journal des Requêtes HTTP",
    "requestAnalytics": "Demander des analyses",
    "host": "Hôte",
    "location": "Localisation",
    "actionLogs": "Journaux des actions",
-    "sidebarLogsRequest": "Journal des requêtes",
+    "sidebarLogsRequest": "Journal des Requêtes HTTP",
    "sidebarLogsAccess": "Journaux d'accès",
    "sidebarLogsAction": "Journaux des actions",
    "logRetention": "Journaliser la rétention",
    "logRetentionDescription": "Gérer la durée de conservation des différents types de logs pour cette organisation ou les désactiver",
    "requestLogsDescription": "Voir les journaux détaillés des requêtes pour les ressources de cette organisation",
    "requestAnalyticsDescription": "Voir les analyses détaillées des demandes pour les ressources de cette organisation",
-    "logRetentionRequestLabel": "Demander la rétention des journaux",
+    "logRetentionRequestLabel": "Rétention des Journaux de Requêtes HTTP",
    "logRetentionRequestDescription": "Durée de conservation des journaux de requêtes",
    "logRetentionAccessLabel": "Rétention du journal d'accès",
    "logRetentionAccessDescription": "Durée de conservation des journaux d'accès",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Actions administratives effectuées par les utilisateurs au sein de l'organisation.",
    "httpDestConnectionLogsTitle": "Journaux de connexion",
    "httpDestConnectionLogsDescription": "Événements de connexion du site et du tunnel, y compris les connexions et les déconnexions.",
-    "httpDestRequestLogsTitle": "Journal des requêtes",
+    "httpDestRequestLogsTitle": "Journal des Requêtes HTTP",
    "httpDestRequestLogsDescription": "Journaux des requêtes HTTP pour les ressources proxiées, y compris la méthode, le chemin et le code de réponse.",
    "httpDestSaveChanges": "Enregistrer les modifications",
    "httpDestCreateDestination": "Créer une destination",
@@ -3148,6 +3154,7 @@
    "healthCheckTabAdvanced": "Avancé",
    "healthCheckStrategyNotAvailable": "Cette stratégie n'est pas disponible. Veuillez contacter le service commercial pour activer cette fonctionnalité.",
    "uptime30d": "Disponibilité (30j)",
+    "uptimeNoData": "Aucune donnée",
    "idpAddActionCreateNew": "Créer un nouveau fournisseur d'identité",
    "idpAddActionImportFromOrg": "Importer d'une autre organisation",
    "idpImportDialogTitle": "Importer le fournisseur d'identité",
@@ -3201,5 +3208,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Les sous-domaines Joker ne sont pas autorisés.",
    "domainPickerWildcardCertWarning": "Les ressources Joker peuvent nécessiter une configuration supplémentaire pour fonctionner correctement.",
    "domainPickerWildcardCertWarningLink": "En savoir plus",
-    "health": "Santé"
+    "health": "Santé",
+    "domainPendingErrorTitle": "Problème de vérification",
+    "memberPortalTitle": "Ressources",
+    "memberPortalDescription": "Ressources auxquelles vous avez accès dans cette organisation",
+    "memberPortalSortBy": "Trier par...",
+    "memberPortalSortNameAsc": "Nom A-Z",
+    "memberPortalSortNameDesc": "Nom Z-A",
+    "memberPortalSortDomainAsc": "Domaine A-Z",
+    "memberPortalSortDomainDesc": "Domaine Z-A",
+    "memberPortalSortEnabledFirst": "Activé en premier",
+    "memberPortalSortDisabledFirst": "Désactivé en premier",
+    "memberPortalRefresh": "Actualiser",
+    "memberPortalRefreshResources": "Actualiser les ressources",
+    "memberPortalFailedToLoad": "Échec du chargement des ressources",
+    "memberPortalFailedToLoadDescription": "Échec du chargement des ressources. Veuillez vérifier votre connexion et réessayer.",
+    "memberPortalUnableToLoad": "Impossible de charger les ressources",
+    "memberPortalTryAgain": "Réessayer",
+    "memberPortalNoResourcesFound": "Aucune ressource trouvée",
+    "memberPortalNoResourcesAvailable": "Aucune ressource disponible",
+    "memberPortalNoResourcesMatchSearch": "Aucune ressource ne correspond à \"{query}\". Essayez d'ajuster vos termes de recherche ou de vider la recherche pour voir toutes les ressources.",
+    "memberPortalNoResourcesAccess": "Vous n'avez encore accès à aucune ressource. Contactez votre administrateur pour obtenir l'accès aux ressources dont vous avez besoin.",
+    "memberPortalClearSearch": "Effacer la recherche",
+    "memberPortalPublicResources": "Ressources publiques",
+    "memberPortalPublicResourcesDescription": "Applications et services web accessibles via un navigateur",
+    "memberPortalCopiedToClipboard": "Copié dans le presse-papiers",
+    "memberPortalCopiedUrlDescription": "L'URL de la ressource a été copiée dans votre presse-papiers.",
+    "memberPortalOpenResource": "Ouvrir la ressource",
+    "memberPortalPrivateResources": "Ressources privées",
+    "memberPortalPrivateResourcesDescription": "Ressources réseau internes accessibles via un client",
+    "memberPortalResourceDetails": "Détails de la ressource",
+    "memberPortalMode": "Mode",
+    "memberPortalDestination": "Destination",
+    "memberPortalAlias": "Alias",
+    "memberPortalCopiedAliasDescription": "L'alias de la ressource a été copié dans votre presse-papiers.",
+    "memberPortalCopiedDestinationDescription": "La destination de la ressource a été copiée dans votre presse-papiers.",
+    "memberPortalRequiresClientConnection": "Nécessite une connexion client",
+    "memberPortalAuthMethods": "Méthodes d'authentification",
+    "memberPortalSso": "Authentification unique (SSO)",
+    "memberPortalPasswordProtected": "Protégé par un mot de passe",
+    "memberPortalPinCode": "Code PIN",
+    "memberPortalEmailWhitelist": "Liste blanche des e-mails",
+    "memberPortalResourceDisabled": "Ressource désactivée",
+    "memberPortalShowingResources": "Affichage de {start}-{end} sur {total} ressources",
+    "memberPortalPrevious": "Précédent",
+    "memberPortalNext": "Suivant"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Hai superato i tuoi limiti per il tuo piano attuale. Correggi il problema rimuovendo siti, utenti o altre risorse per rimanere all'interno del tuo piano.",
    "trialBannerMessage": "Il tuo periodo di prova scade tra {countdown}. Aggiorna per mantenere l'accesso.",
    "trialBannerExpired": "Il tuo periodo di prova è scaduto. Aggiorna ora per ripristinare l'accesso.",
+    "billingTrialBannerTitle": "Prova Gratuita Attiva",
+    "billingTrialBannerDescription": "Attualmente sei in una prova gratuita sul livello business. Quando la prova terminerà, il tuo account tornerà automaticamente alle funzionalità e ai limiti del piano Basic. Effettua l'upgrade in qualsiasi momento per mantenere l'accesso alle funzionalità del tuo piano attuale.",
+    "billingTrialBannerUpgrade": "Effettua l'Upgrade Ora",
+    "billingTrialBadge": "Prova Gratuita",
    "trialActive": "Prova Gratuita Attiva",
    "trialExpired": "Prova scaduta",
    "trialHasEnded": "La tua prova è terminata.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Segreto",
+    "newtVersion": "Versione",
    "architecture": "Architettura",
    "sites": "Siti",
    "siteWgAnyClients": "Usa qualsiasi client WireGuard per connetterti. Dovrai indirizzare le risorse interne utilizzando l'IP del peer.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Visualizza Note Di Rilascio",
    "newtUpdateAvailable": "Aggiornamento Disponibile",
    "newtUpdateAvailableInfo": "È disponibile una nuova versione di Newt. Si prega di aggiornare all'ultima versione per la migliore esperienza.",
+    "pangolinNodeUpdateAvailableInfo": "È disponibile una nuova versione di Pangolin Node. Si prega di aggiornare all'ultima versione per la migliore esperienza.",
    "domainPickerEnterDomain": "Dominio",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Inserisci il dominio completo della risorsa per vedere le opzioni disponibili.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Scegli il tuo provider di identità per continuare",
    "orgAuthNoIdpConfigured": "Questa organizzazione non ha nessun provider di identità configurato. Puoi accedere con la tua identità Pangolin.",
    "orgAuthSignInWithPangolin": "Accedi con Pangolino",
-    "orgAuthSignInToOrg": "Accedi a un'organizzazione",
+    "orgAuthSignInToOrg": "Provider di identità dell'organizzazione (SSO)",
    "orgAuthSelectOrgTitle": "Accesso Organizzazione",
    "orgAuthSelectOrgDescription": "Inserisci l'ID dell'organizzazione per continuare",
    "orgAuthOrgIdPlaceholder": "la-tua-organizzazione",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Motivo",
-    "requestLogs": "Log Richiesta",
+    "requestLogs": "Log Richieste HTTP",
    "requestAnalytics": "Richiedi Analisi",
    "host": "Host",
    "location": "Posizione",
    "actionLogs": "Log Azioni",
-    "sidebarLogsRequest": "Log Richiesta",
+    "sidebarLogsRequest": "Log Richieste HTTP",
    "sidebarLogsAccess": "Log Accesso",
    "sidebarLogsAction": "Log Azioni",
    "logRetention": "Ritenzione Registro",
    "logRetentionDescription": "Gestisci per quanto tempo i diversi tipi di log sono mantenuti per questa organizzazione o disabilitali",
    "requestLogsDescription": "Visualizza i registri di richiesta dettagliati per le risorse in questa organizzazione",
    "requestAnalyticsDescription": "Visualizza le analisi dettagliate della richiesta per le risorse in questa organizzazione",
-    "logRetentionRequestLabel": "Richiedi Ritenzione Log",
+    "logRetentionRequestLabel": "Conservazione Log Richieste HTTP",
    "logRetentionRequestDescription": "Per quanto tempo conservare i log delle richieste",
    "logRetentionAccessLabel": "Ritenzione Registro Accesso",
    "logRetentionAccessDescription": "Per quanto tempo conservare i log di accesso",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Azioni amministrative eseguite dagli utenti all'interno dell'organizzazione.",
    "httpDestConnectionLogsTitle": "Log Di Connessione",
    "httpDestConnectionLogsDescription": "Eventi di connessione al sito e al tunnel, inclusi collegamenti e disconnessioni.",
-    "httpDestRequestLogsTitle": "Log Richiesta",
+    "httpDestRequestLogsTitle": "Log Richieste HTTP",
    "httpDestRequestLogsDescription": "Registri di richiesta HTTP per le risorse proxy, inclusi metodo, percorso e codice di risposta.",
    "httpDestSaveChanges": "Salva Modifiche",
    "httpDestCreateDestination": "Crea Destinazione",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "I sottodomini wildcard non sono permessi.",
    "domainPickerWildcardCertWarning": "Le risorse wildcard potrebbero richiedere configurazioni aggiuntive per funzionare correttamente.",
    "domainPickerWildcardCertWarningLink": "Scopri di più",
-    "health": "Salute"
+    "health": "Salute",
+    "domainPendingErrorTitle": "Problema di Verifica",
+    "memberPortalTitle": "Risorse",
+    "memberPortalDescription": "Risorse a cui hai accesso in questa organizzazione",
+    "memberPortalSortBy": "Ordina per...",
+    "memberPortalSortNameAsc": "Nome A-Z",
+    "memberPortalSortNameDesc": "Nome Z-A",
+    "memberPortalSortDomainAsc": "Dominio A-Z",
+    "memberPortalSortDomainDesc": "Dominio Z-A",
+    "memberPortalSortEnabledFirst": "Abilitati per primi",
+    "memberPortalSortDisabledFirst": "Disabilitati per primi",
+    "memberPortalRefresh": "Aggiorna",
+    "memberPortalRefreshResources": "Aggiorna Risorse",
+    "memberPortalFailedToLoad": "Caricamento delle risorse non riuscito",
+    "memberPortalFailedToLoadDescription": "Caricamento delle risorse non riuscito. Controlla la tua connessione e riprova.",
+    "memberPortalUnableToLoad": "Impossibile caricare le risorse",
+    "memberPortalTryAgain": "Riprova",
+    "memberPortalNoResourcesFound": "Nessuna risorsa trovata",
+    "memberPortalNoResourcesAvailable": "Nessuna risorsa disponibile",
+    "memberPortalNoResourcesMatchSearch": "Nessuna risorsa corrisponde a \"{query}\". Prova ad aggiustare i termini di ricerca o a cancellare la ricerca per vedere tutte le risorse.",
+    "memberPortalNoResourcesAccess": "Non hai ancora accesso a nessuna risorsa. Contatta il tuo amministratore per ottenere l'accesso alle risorse di cui hai bisogno.",
+    "memberPortalClearSearch": "Cancella Ricerca",
+    "memberPortalPublicResources": "Risorse Pubbliche",
+    "memberPortalPublicResourcesDescription": "Applicazioni web e servizi accessibili tramite browser",
+    "memberPortalCopiedToClipboard": "Copiato negli appunti",
+    "memberPortalCopiedUrlDescription": "L'URL della risorsa è stato copiato negli appunti.",
+    "memberPortalOpenResource": "Apri Risorsa",
+    "memberPortalPrivateResources": "Risorse Private",
+    "memberPortalPrivateResourcesDescription": "Risorse di rete interne accessibili tramite client",
+    "memberPortalResourceDetails": "Dettagli della Risorsa",
+    "memberPortalMode": "Modalità",
+    "memberPortalDestination": "Destinazione",
+    "memberPortalAlias": "Alias",
+    "memberPortalCopiedAliasDescription": "L'alias della risorsa è stato copiato negli appunti.",
+    "memberPortalCopiedDestinationDescription": "La destinazione della risorsa è stata copiata negli appunti.",
+    "memberPortalRequiresClientConnection": "Richiede Connessione Client",
+    "memberPortalAuthMethods": "Metodi di Autenticazione",
+    "memberPortalSso": "Accesso unico (Single Sign-On, SSO)",
+    "memberPortalPasswordProtected": "Protetto da password",
+    "memberPortalPinCode": "Codice PIN",
+    "memberPortalEmailWhitelist": "Lista Autorizzazioni Email",
+    "memberPortalResourceDisabled": "Risorsa Disabilitata",
+    "memberPortalShowingResources": "Mostrando {start}-{end} di {total} risorse",
+    "memberPortalPrevious": "Precedente",
+    "memberPortalNext": "Successivo"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "현재 계획의 한계를 초과했습니다. 사이트, 사용자 또는 기타 리소스를 제거하여 계획 내에 머물도록 해결하세요.",
    "trialBannerMessage": "시험 사용 기간이 {countdown} 안에 만료됩니다. 업그레이드하여 액세스를 유지하세요.",
    "trialBannerExpired": "시험 사용 기간이 만료되었습니다. 지금 업그레이드하여 액세스를 복구하세요.",
+    "billingTrialBannerTitle": "무료 평가판 활성화",
+    "billingTrialBannerDescription": "현재 비즈니스 티어의 무료 평가판을 사용 중입니다. 평가판이 종료되면 계정은 자동으로 기본 티어 기능 및 제한으로 돌아갑니다. 현재 계획의 기능을 유지하려면 언제든지 업그레이드 하세요.",
+    "billingTrialBannerUpgrade": "지금 업그레이드",
+    "billingTrialBadge": "무료 평가판",
    "trialActive": "무료 체험 활성화됨",
    "trialExpired": "체험 만료됨",
    "trialHasEnded": "시험 사용 기간이 종료되었습니다.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "엔드포인트",
    "newtId": "ID",
    "newtSecretKey": "비밀",
+    "newtVersion": "버전",
    "architecture": "아키텍처",
    "sites": "사이트",
    "siteWgAnyClients": "WireGuard 클라이언트를 사용하여 연결하십시오. 피어 IP를 사용하여 내부 리소스에 접근해야 합니다.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "릴리스 노트 보기",
    "newtUpdateAvailable": "업데이트 가능",
    "newtUpdateAvailableInfo": "뉴트의 새 버전이 출시되었습니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
+    "pangolinNodeUpdateAvailableInfo": "Pangolin Node의 새 버전이 출시되었습니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
    "domainPickerEnterDomain": "도메인",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "리소스의 전체 도메인을 입력하여 사용 가능한 옵션을 확인하십시오.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "계속하려면 신원 공급자를 선택하세요.",
    "orgAuthNoIdpConfigured": "이 조직은 구성된 신원 공급자가 없습니다. 대신 Pangolin 아이덴티티로 로그인할 수 있습니다.",
    "orgAuthSignInWithPangolin": "Pangolin으로 로그인",
-    "orgAuthSignInToOrg": "조직에 로그인",
+    "orgAuthSignInToOrg": "조직 아이덴티티 제공자 (SSO)",
    "orgAuthSelectOrgTitle": "조직 로그인",
    "orgAuthSelectOrgDescription": "계속하려면 조직 ID를 입력하십시오.",
    "orgAuthOrgIdPlaceholder": "your-organization",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "유효한 인증 없음",
    "ip": "IP",
    "reason": "이유",
-    "requestLogs": "요청 로그",
+    "requestLogs": "HTTP 요청 로그",
    "requestAnalytics": "요청 분석",
    "host": "호스트",
    "location": "위치",
    "actionLogs": "작업 로그",
-    "sidebarLogsRequest": "요청 로그",
+    "sidebarLogsRequest": "HTTP 요청 로그",
    "sidebarLogsAccess": "접근 로그",
    "sidebarLogsAction": "작업 로그",
    "logRetention": "로그 보관",
    "logRetentionDescription": "다양한 유형의 로그를 이 조직에 대해 얼마나 오래 보관할지 관리하거나 비활성화합니다",
    "requestLogsDescription": "이 조직의 자원에 대한 상세한 요청 로그를 봅니다",
    "requestAnalyticsDescription": "이 조직의 리소스에 대한 자세한 요청 분석 보기",
-    "logRetentionRequestLabel": "요청 로그 보관",
+    "logRetentionRequestLabel": "HTTP 요청 로그 보관",
    "logRetentionRequestDescription": "요청 로그를 얼마나 오래 보관할지",
    "logRetentionAccessLabel": "접근 로그 보관",
    "logRetentionAccessDescription": "접근 로그를 얼마나 오래 보관할지",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "조직 내에서 사용자가 수행한 관리 작업.",
    "httpDestConnectionLogsTitle": "연결 로그",
    "httpDestConnectionLogsDescription": "사이트 및 터널 연결 이벤트, 연결 및 연결 끊기를 포함합니다.",
-    "httpDestRequestLogsTitle": "요청 로그",
+    "httpDestRequestLogsTitle": "HTTP 요청 로그",
    "httpDestRequestLogsDescription": "프록시된 리소스에 대한 HTTP 요청 로그, 메서드, 경로 및 응답 코드를 포함합니다.",
    "httpDestSaveChanges": "변경 사항 저장",
    "httpDestCreateDestination": "대상지 생성",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "와일드카드 서브도메인은 허용되지 않습니다.",
    "domainPickerWildcardCertWarning": "와일드카드 리소스는 올바르게 작동하려면 추가 구성이 필요할 수 있습니다.",
    "domainPickerWildcardCertWarningLink": "자세히 알아보기",
-    "health": "건강"
+    "health": "건강",
+    "domainPendingErrorTitle": "확인 문제",
+    "memberPortalTitle": "리소스",
+    "memberPortalDescription": "이 조직에서 접근할 수 있는 리소스",
+    "memberPortalSortBy": "정렬 기준...",
+    "memberPortalSortNameAsc": "이름 A-Z",
+    "memberPortalSortNameDesc": "이름 Z-A",
+    "memberPortalSortDomainAsc": "도메인 A-Z",
+    "memberPortalSortDomainDesc": "도메인 Z-A",
+    "memberPortalSortEnabledFirst": "사용 활성화 우선",
+    "memberPortalSortDisabledFirst": "사용 비활성화 우선",
+    "memberPortalRefresh": "새로 고침",
+    "memberPortalRefreshResources": "리소스 새로 고침",
+    "memberPortalFailedToLoad": "리소스를 불러오는 데 실패했습니다",
+    "memberPortalFailedToLoadDescription": "리소스를 불러오는 데 실패했습니다. 연결을 확인하고 다시 시도해 주십시오.",
+    "memberPortalUnableToLoad": "리소스를 가져오는 데 실패했습니다",
+    "memberPortalTryAgain": "다시 시도",
+    "memberPortalNoResourcesFound": "리소스를 발견하지 못했습니다",
+    "memberPortalNoResourcesAvailable": "사용 가능한 리소스가 없습니다",
+    "memberPortalNoResourcesMatchSearch": "\"{query}\"와 일치하는 리소스가 없습니다. 검색어를 수정하거나 검색을 초기화하여 모든 리소스를 확인하십시오.",
+    "memberPortalNoResourcesAccess": "아직 접근할 수 있는 리소스가 없습니다. 필요한 리소스 접근을 위해 관리자에게 문의하세요.",
+    "memberPortalClearSearch": "검색 초기화",
+    "memberPortalPublicResources": "공공 리소스",
+    "memberPortalPublicResourcesDescription": "브라우저를 통해 접근 가능한 웹 애플리케이션 및 서비스",
+    "memberPortalCopiedToClipboard": "클립보드에 복사됨",
+    "memberPortalCopiedUrlDescription": "리소스 URL이 클립보드에 복사되었습니다.",
+    "memberPortalOpenResource": "리소스 열기",
+    "memberPortalPrivateResources": "비공개 리소스",
+    "memberPortalPrivateResourcesDescription": "클라이언트를 통해 접근 가능한 내부 네트워크 리소스",
+    "memberPortalResourceDetails": "리소스 세부 정보",
+    "memberPortalMode": "모드",
+    "memberPortalDestination": "대상지",
+    "memberPortalAlias": "별칭",
+    "memberPortalCopiedAliasDescription": "리소스 별칭이 클립보드에 복사되었습니다.",
+    "memberPortalCopiedDestinationDescription": "리소스 대상지가 클립보드에 복사되었습니다.",
+    "memberPortalRequiresClientConnection": "클라이언트 연결 필요",
+    "memberPortalAuthMethods": "인증 방법",
+    "memberPortalSso": "싱글 사인온 (SSO)",
+    "memberPortalPasswordProtected": "비밀번호 보호",
+    "memberPortalPinCode": "PIN 코드",
+    "memberPortalEmailWhitelist": "이메일 화이트리스트",
+    "memberPortalResourceDisabled": "리소스 비활성화됨",
+    "memberPortalShowingResources": "{start}-{end} 중 {total}개의 리소스를 표시 중",
+    "memberPortalPrevious": "이전",
+    "memberPortalNext": "다음"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Du er utenfor grensen for gjeldende plan. Rett problemet ved å fjerne nettsteder, brukere eller andre ressurser for å bli innenfor planen din.",
    "trialBannerMessage": "Din prøveperiode utløper om {countdown}. Oppgrader for å beholde tilgangen.",
    "trialBannerExpired": "Prøveperioden din har utløpt. Oppgrader nå for å gjenopprette tilgangen.",
+    "billingTrialBannerTitle": "Prøveversjon Aktiv",
+    "billingTrialBannerDescription": "Du har for øyeblikket en gratis prøveversjon på forretningsnivået. Når prøven avsluttes, vil kontoen din automatisk gå tilbake til funksjoner og begrensninger på Basis-nivået. Oppgrader når som helst for å beholde tilgang til de nåværende planens funksjoner.",
+    "billingTrialBannerUpgrade": "Oppgrader nå",
+    "billingTrialBadge": "Prøveversjon",
    "trialActive": "Gratis prøveversjon aktiv",
    "trialExpired": "Prøveperioden er utløpt",
    "trialHasEnded": "Din prøveperiode har avsluttet.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Sikkerhetsnøkkel",
+    "newtVersion": "Versjon",
    "architecture": "Arkitektur",
    "sites": "Områder",
    "siteWgAnyClients": "Bruk hvilken som helst WireGuard klient til å koble til. Du må adressere interne ressurser ved hjelp av peer IP.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Se utgivelsesnotater",
    "newtUpdateAvailable": "Oppdatering tilgjengelig",
    "newtUpdateAvailableInfo": "En ny versjon av Newt er tilgjengelig. Vennligst oppdater til den nyeste versjonen for den beste opplevelsen.",
+    "pangolinNodeUpdateAvailableInfo": "En ny versjon av Pangolin Node er tilgjengelig. Vennligst oppdater til den nyeste versjonen for den beste opplevelsen.",
    "domainPickerEnterDomain": "Domene",
    "domainPickerPlaceholder": "minapp.eksempel.no",
    "domainPickerDescription": "Skriv inn hele domenet til ressursen for å se tilgjengelige alternativer.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Velg din identitet leverandør for å fortsette",
    "orgAuthNoIdpConfigured": "Denne organisasjonen har ikke noen identitetstjeneste konfigurert. Du kan i stedet logge inn med Pangolin identiteten din.",
    "orgAuthSignInWithPangolin": "Logg inn med Pangolin",
-    "orgAuthSignInToOrg": "Logg inn på en organisasjon",
+    "orgAuthSignInToOrg": "Organisasjonens identitetsleverandør (SSO)",
    "orgAuthSelectOrgTitle": "Organisasjonsinnlogging",
    "orgAuthSelectOrgDescription": "Skriv inn organisasjons-ID-en din for å fortsette",
    "orgAuthOrgIdPlaceholder": "din-organisasjon",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Grunn",
-    "requestLogs": "Forespørselslogger (Automatic Translation)",
+    "requestLogs": "HTTP-forespørselslogger",
    "requestAnalytics": "Be om analyser",
    "host": "Vert",
    "location": "Sted",
    "actionLogs": "Handlingslogger",
-    "sidebarLogsRequest": "Forespørselslogger (Automatic Translation)",
+    "sidebarLogsRequest": "HTTP-forespørselslogger",
    "sidebarLogsAccess": "Tilgangslogger (Automatic Translation)",
    "sidebarLogsAction": "Handlingslogger",
    "logRetention": "Logg tilbaketrekning",
    "logRetentionDescription": "Håndter hvor lenge ulike typer logger beholdes for denne organisasjonen, eller deaktiver dem",
    "requestLogsDescription": "Se detaljerte forespørselslogger for ressurser i denne organisasjonen",
    "requestAnalyticsDescription": "Se detaljert rekvisisjonsanalyse for ressurser i denne organisasjonen",
-    "logRetentionRequestLabel": "Be om loggoverføring",
+    "logRetentionRequestLabel": "Be om loggbevaring",
    "logRetentionRequestDescription": "Hvor lenge du vil beholde forespørselslogger",
    "logRetentionAccessLabel": "Få tilgang til loggoverføring",
    "logRetentionAccessDescription": "Hvor lenge du vil beholde adgangslogger",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administrative tiltak som utføres av brukere innenfor organisasjonen.",
    "httpDestConnectionLogsTitle": "Loggfiler for tilkobling",
    "httpDestConnectionLogsDescription": "Utstyrs- og tunneltilkoblingshendelser, inkludert forbindelser og frakobling.",
-    "httpDestRequestLogsTitle": "Forespørselslogger (Automatic Translation)",
+    "httpDestRequestLogsTitle": "HTTP-forespørselslogger",
    "httpDestRequestLogsDescription": "HTTP-forespørsel logger for bekreftede ressurser, inkludert metode, bane og responskode.",
    "httpDestSaveChanges": "Lagre endringer",
    "httpDestCreateDestination": "Opprett mål",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Jokertegnsubdomener er ikke tillatt.",
    "domainPickerWildcardCertWarning": "Jokertegnressurser kan kreve ekstra konfigurasjon for å fungere skikkelig.",
    "domainPickerWildcardCertWarningLink": "Lær mer",
-    "health": "Helse"
+    "health": "Helse",
+    "domainPendingErrorTitle": "Verifiseringsproblem",
+    "memberPortalTitle": "Ressurser",
+    "memberPortalDescription": "Ressurser du har tilgang til i denne organisasjonen",
+    "memberPortalSortBy": "Sorter etter...",
+    "memberPortalSortNameAsc": "Navn A-Å",
+    "memberPortalSortNameDesc": "Navn Å-A",
+    "memberPortalSortDomainAsc": "Domene A-Å",
+    "memberPortalSortDomainDesc": "Domene Å-A",
+    "memberPortalSortEnabledFirst": "Aktivert først",
+    "memberPortalSortDisabledFirst": "Deaktivert først",
+    "memberPortalRefresh": "Oppdater",
+    "memberPortalRefreshResources": "Oppdater ressurser",
+    "memberPortalFailedToLoad": "Kunne ikke laste inn ressurser",
+    "memberPortalFailedToLoadDescription": "Kunne ikke laste inn ressurser. Vennligst sjekk tilkoblingen din og prøv igjen.",
+    "memberPortalUnableToLoad": "Kan ikke laste inn ressurser",
+    "memberPortalTryAgain": "Prøv igjen",
+    "memberPortalNoResourcesFound": "Ingen ressurser funnet",
+    "memberPortalNoResourcesAvailable": "Ingen ressurser tilgjengelig",
+    "memberPortalNoResourcesMatchSearch": "Ingen ressurser samsvarer med \"{query}\". Prøv å justere søkeordene dine eller fjern søket for å se alle ressurser.",
+    "memberPortalNoResourcesAccess": "Du har ennå ikke tilgang til noen ressurser. Kontakt administratoren din for å få tilgang til de ressursene du trenger.",
+    "memberPortalClearSearch": "Fjern søk",
+    "memberPortalPublicResources": "Offentlige ressurser",
+    "memberPortalPublicResourcesDescription": "Webapplikasjoner og -tjenester tilgjengelige via nettleser",
+    "memberPortalCopiedToClipboard": "Kopiert til utklippstavlen",
+    "memberPortalCopiedUrlDescription": "Ressurs-URL er kopiert til utklippstavlen din.",
+    "memberPortalOpenResource": "Åpne ressurs",
+    "memberPortalPrivateResources": "Private ressurser",
+    "memberPortalPrivateResourcesDescription": "Interne nettverksressurser tilgjengelige via klient",
+    "memberPortalResourceDetails": "Ressursdetaljer",
+    "memberPortalMode": "Modus",
+    "memberPortalDestination": "Destinasjon",
+    "memberPortalAlias": "Navn",
+    "memberPortalCopiedAliasDescription": "Ressursalias er kopiert til utklippstavlen din.",
+    "memberPortalCopiedDestinationDescription": "Ressursdestinasjon er kopiert til utklippstavlen din.",
+    "memberPortalRequiresClientConnection": "Krever klienttilkobling",
+    "memberPortalAuthMethods": "Autentiseringsmetoder",
+    "memberPortalSso": "Enkeltpålogging (SSO)",
+    "memberPortalPasswordProtected": "Passordbeskyttet",
+    "memberPortalPinCode": "PIN-kode",
+    "memberPortalEmailWhitelist": "E-post-hviteliste",
+    "memberPortalResourceDisabled": "Ressurs deaktivert",
+    "memberPortalShowingResources": "Viser {start}-{end} av {total} ressurser",
+    "memberPortalPrevious": "Forrige",
+    "memberPortalNext": "Neste"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "U overschrijdt uw huidige abonnement. Corrigeer het probleem door sites, gebruikers of andere bronnen te verwijderen om binnen uw plan te blijven.",
    "trialBannerMessage": "Uw proefversie verloopt over {countdown}. Upgrade om toegang te behouden.",
    "trialBannerExpired": "Uw proefperiode is verlopen. Upgrade nu om toegang te herstellen.",
+    "billingTrialBannerTitle": "Proefperiode Actief",
+    "billingTrialBannerDescription": "Je bent momenteel bezig met een gratis proefperiode op het zakelijke niveau. Wanneer de proefperiode eindigt, wordt je account automatisch teruggezet naar de functies en limieten van het Basic-niveau. Upgrade op elk moment om toegang te houden tot de functies van je huidige plan.",
+    "billingTrialBannerUpgrade": "Nu Upgraden",
+    "billingTrialBadge": "Gratis Proefversie",
    "trialActive": "Gratis proefversie actief",
    "trialExpired": "Proefversie verlopen",
    "trialHasEnded": "Uw proefperiode is geëindigd.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Geheim",
+    "newtVersion": "Versie",
    "architecture": "Architectuur",
    "sites": "Sites",
    "siteWgAnyClients": "Gebruik een willekeurige WireGuard client om verbinding te maken. Je zult interne bronnen moeten aanspreken met behulp van de peer IP.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Uitgaveopmerkingen bekijken",
    "newtUpdateAvailable": "Update beschikbaar",
    "newtUpdateAvailableInfo": "Er is een nieuwe versie van Newt beschikbaar. Update naar de nieuwste versie voor de beste ervaring.",
+    "pangolinNodeUpdateAvailableInfo": "Er is een nieuwe versie van Pangolin Node beschikbaar. Update naar de nieuwste versie voor de beste ervaring.",
    "domainPickerEnterDomain": "Domein",
    "domainPickerPlaceholder": "mijnapp.voorbeeld.nl",
    "domainPickerDescription": "Voer de volledige domein van de bron in om beschikbare opties te zien.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Kies uw identiteitsprovider om door te gaan",
    "orgAuthNoIdpConfigured": "Deze organisatie heeft geen identiteitsproviders geconfigureerd. Je kunt in plaats daarvan inloggen met je Pangolin-identiteit.",
    "orgAuthSignInWithPangolin": "Log in met Pangolin",
-    "orgAuthSignInToOrg": "Log in bij een organisatie",
+    "orgAuthSignInToOrg": "Organisatie Identiteitsprovider (SSO)",
    "orgAuthSelectOrgTitle": "Organisatie Inloggen",
    "orgAuthSelectOrgDescription": "Voer je organisatie-ID in om verder te gaan",
    "orgAuthOrgIdPlaceholder": "jouw-organisatie",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP-adres",
    "reason": "Reden",
-    "requestLogs": "Logboeken aanvragen",
+    "requestLogs": "HTTP-aanvraaglogboeken",
    "requestAnalytics": "Analytics opvragen",
    "host": "Hostnaam",
    "location": "Locatie",
    "actionLogs": "Actie logs",
-    "sidebarLogsRequest": "Logboeken aanvragen",
+    "sidebarLogsRequest": "HTTP-aanvraaglogboeken",
    "sidebarLogsAccess": "Toegang tot logboek",
    "sidebarLogsAction": "Actie logs",
    "logRetention": "Log bewaring",
    "logRetentionDescription": "Beheren hoe lang verschillende soorten logs bewaard worden voor deze organisatie of schakel ze uit",
    "requestLogsDescription": "Bekijk gedetailleerde verzoeklogboeken voor resources in deze organisatie",
    "requestAnalyticsDescription": "Bekijk gedetailleerde request analytics voor resources in deze organisatie",
-    "logRetentionRequestLabel": "Logboekbewaring aanvragen",
+    "logRetentionRequestLabel": "Bewaring van HTTP-aanvraaglogboeken",
    "logRetentionRequestDescription": "Hoe lang de aanvraaglogboeken te behouden",
    "logRetentionAccessLabel": "Toegang logboek bewaring",
    "logRetentionAccessDescription": "Hoe lang de toegangslogboeken behouden blijven",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administratieve acties uitgevoerd door gebruikers binnen de organisatie.",
    "httpDestConnectionLogsTitle": "Connectie Logs",
    "httpDestConnectionLogsDescription": "Verbinding met de Site en tunnel maken verbroken, inclusief verbindingen en verbindingen.",
-    "httpDestRequestLogsTitle": "Logboeken aanvragen",
+    "httpDestRequestLogsTitle": "HTTP-aanvraaglogboeken",
    "httpDestRequestLogsDescription": "HTTP request logs voor proxied hulpmiddelen, waaronder methode, pad en response code.",
    "httpDestSaveChanges": "Wijzigingen opslaan",
    "httpDestCreateDestination": "Maak bestemming aan",
@@ -3168,7 +3174,7 @@
    "publicIpEndpoint": "Eindpunt",
    "lastTriggeredAt": "Laatste Trigger",
    "reject": "Afwijzen",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "{count} dagen geleden",
    "uptimeToday": "Vandaag",
    "uptimeNoDataAvailable": "Geen gegevens beschikbaar",
    "uptimeSuffix": "werktijd",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard-subdomeinen zijn niet toegestaan.",
    "domainPickerWildcardCertWarning": "Wildcard-bronnen hebben mogelijk extra configuratie nodig om correct te werken.",
    "domainPickerWildcardCertWarningLink": "Meer informatie",
-    "health": "Gezondheid"
+    "health": "Gezondheid",
+    "domainPendingErrorTitle": "Verificatieprobleem",
+    "memberPortalTitle": "Bronnen",
+    "memberPortalDescription": "Bronnen waartoe je toegang hebt binnen deze organisatie",
+    "memberPortalSortBy": "Sorteren op...",
+    "memberPortalSortNameAsc": "Naam A-Z",
+    "memberPortalSortNameDesc": "Naam Z-A",
+    "memberPortalSortDomainAsc": "Domein A-Z",
+    "memberPortalSortDomainDesc": "Domein Z-A",
+    "memberPortalSortEnabledFirst": "Ingeschakeld Eerst",
+    "memberPortalSortDisabledFirst": "Uitgeschakeld Eerst",
+    "memberPortalRefresh": "Vernieuwen",
+    "memberPortalRefreshResources": "Bronnen Vernieuwen",
+    "memberPortalFailedToLoad": "Fout bij het laden van bronnen",
+    "memberPortalFailedToLoadDescription": "Fout bij het laden van bronnen. Controleer uw verbinding en probeer het opnieuw.",
+    "memberPortalUnableToLoad": "Niet in staat om bronnen te laden",
+    "memberPortalTryAgain": "Probeer Opnieuw",
+    "memberPortalNoResourcesFound": "Geen Bronnen Gevonden",
+    "memberPortalNoResourcesAvailable": "Geen Bronnen Beschikbaar",
+    "memberPortalNoResourcesMatchSearch": "Geen bronnen komen overeen met \"{query}\". Probeer uw zoektermen aan te passen of wis de zoekopdracht om alle bronnen te zien.",
+    "memberPortalNoResourcesAccess": "Je hebt nog geen toegang tot bronnen. Neem contact op met je beheerder om toegang te krijgen tot de benodigde bronnen.",
+    "memberPortalClearSearch": "Zoekopdracht Wissen",
+    "memberPortalPublicResources": "Publieke Bronnen",
+    "memberPortalPublicResourcesDescription": "Webapplicaties en services toegankelijk via browser",
+    "memberPortalCopiedToClipboard": "Gekopieerd naar klembord",
+    "memberPortalCopiedUrlDescription": "Bron URL is naar uw klembord gekopieerd.",
+    "memberPortalOpenResource": "Bron Openen",
+    "memberPortalPrivateResources": "Privé Bronnen",
+    "memberPortalPrivateResourcesDescription": "Interne netwerkbronnen toegankelijk via client",
+    "memberPortalResourceDetails": "Bron Details",
+    "memberPortalMode": "Modus",
+    "memberPortalDestination": "Bestemming",
+    "memberPortalAlias": "Alias",
+    "memberPortalCopiedAliasDescription": "Bron alias is naar uw klembord gekopieerd.",
+    "memberPortalCopiedDestinationDescription": "Bron bestemming is naar uw klembord gekopieerd.",
+    "memberPortalRequiresClientConnection": "Clientverbinding Vereist",
+    "memberPortalAuthMethods": "Authenticatiemethoden",
+    "memberPortalSso": "Single Sign-On (SSO)",
+    "memberPortalPasswordProtected": "Wachtwoord Beveiligd",
+    "memberPortalPinCode": "Pincode",
+    "memberPortalEmailWhitelist": "E-mail whitelist",
+    "memberPortalResourceDisabled": "Bron Uitgeschakeld",
+    "memberPortalShowingResources": "Toont {start}-{end} van {total} bronnen",
+    "memberPortalPrevious": "Vorige",
+    "memberPortalNext": "Volgende"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Nie masz ograniczeń dla aktualnego planu. Popraw problem poprzez usunięcie stron, użytkowników lub innych zasobów, aby pozostać w swoim planie.",
    "trialBannerMessage": "Twój okres próbny wygasa za {countdown}. Uaktualnij, aby zachować dostęp.",
    "trialBannerExpired": "Twój okres próbny wygasł. Uaktualnij teraz, aby przywrócić dostęp.",
+    "billingTrialBannerTitle": "Bezpłatna wersja próbna aktywna",
+    "billingTrialBannerDescription": "Obecnie korzystasz z bezpłatnej wersji próbnej na poziomie biznesowym. Po zakończeniu wersji próbnej, Twoje konto automatycznie powróci do funkcji i limitów poziomu Podstawowego. Możesz dokonać uaktualnienia w każdej chwili, aby zachować dostęp do funkcji obecnego planu.",
+    "billingTrialBannerUpgrade": "Uaktualnij teraz",
+    "billingTrialBadge": "Bezpłatna wersja próbna",
    "trialActive": "Okres próbny aktywny",
    "trialExpired": "Okres próbny wygasł",
    "trialHasEnded": "Twój okres próbny dobiegł końca.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Sekret",
+    "newtVersion": "Wersja",
    "architecture": "Architektura",
    "sites": "Witryny",
    "siteWgAnyClients": "Użyj dowolnego klienta WireGuard, aby się połączyć. Będziesz musiał przekierować wewnętrzne zasoby za pomocą adresu IP.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Zobacz informacje o wydaniu",
    "newtUpdateAvailable": "Dostępna aktualizacja",
    "newtUpdateAvailableInfo": "Nowa wersja Newt jest dostępna. Prosimy o aktualizację do najnowszej wersji dla najlepszej pracy.",
+    "pangolinNodeUpdateAvailableInfo": "Nowa wersja Pangolin Node jest dostępna. Prosimy o aktualizację do najnowszej wersji dla najlepszej pracy.",
    "domainPickerEnterDomain": "Domena",
    "domainPickerPlaceholder": "mojapp.example.com",
    "domainPickerDescription": "Wpisz pełną domenę zasobu, aby zobaczyć dostępne opcje.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Wybierz swojego dostawcę tożsamości, aby kontynuować",
    "orgAuthNoIdpConfigured": "Ta organizacja nie ma skonfigurowanych żadnych dostawców tożsamości. Zamiast tego możesz zalogować się za pomocą swojej tożsamości Pangolin.",
    "orgAuthSignInWithPangolin": "Zaloguj się używając Pangolin",
-    "orgAuthSignInToOrg": "Zaloguj się do organizacji",
+    "orgAuthSignInToOrg": "Dostawca tożsamości organizacji (SSO)",
    "orgAuthSelectOrgTitle": "Logowanie do organizacji",
    "orgAuthSelectOrgDescription": "Wprowadź identyfikator organizacji, aby kontynuować",
    "orgAuthOrgIdPlaceholder": "twoja-organizacja",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Powód",
-    "requestLogs": "Dzienniki żądań",
+    "requestLogs": "Dzienniki żądań HTTP",
    "requestAnalytics": "Żądanie Analityki",
    "host": "Host",
    "location": "Lokalizacja",
    "actionLogs": "Dzienniki działań",
-    "sidebarLogsRequest": "Dzienniki żądań",
+    "sidebarLogsRequest": "Dzienniki żądań HTTP",
    "sidebarLogsAccess": "Logi dostępu",
    "sidebarLogsAction": "Dzienniki działań",
    "logRetention": "Zachowanie dziennika",
    "logRetentionDescription": "Zarządzaj jak długo różne typy logów są zachowane dla tej organizacji lub wyłącz je",
    "requestLogsDescription": "Zobacz szczegółowe dzienniki żądań zasobów w tej organizacji",
    "requestAnalyticsDescription": "Zobacz szczegółowe analizy żądań dla zasobów w tej organizacji",
-    "logRetentionRequestLabel": "Zachowanie dziennika żądań",
+    "logRetentionRequestLabel": "Przechowywanie dzienników żądań HTTP",
    "logRetentionRequestDescription": "Jak długo zachować dzienniki żądań",
    "logRetentionAccessLabel": "Zachowanie dziennika dostępu",
    "logRetentionAccessDescription": "Jak długo zachować dzienniki dostępu",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Działania administracyjne wykonywane przez użytkowników w organizacji.",
    "httpDestConnectionLogsTitle": "Dzienniki połączeń",
    "httpDestConnectionLogsDescription": "Zdarzenia związane z miejscem i tunelem, w tym połączenia i rozłączenia.",
-    "httpDestRequestLogsTitle": "Dzienniki żądań",
+    "httpDestRequestLogsTitle": "Dzienniki żądań HTTP",
    "httpDestRequestLogsDescription": "Logi żądań HTTP dla zasobów proxy, w tym metody, ścieżki i kodu odpowiedzi.",
    "httpDestSaveChanges": "Zapisz zmiany",
    "httpDestCreateDestination": "Utwórz cel",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Uniwersalne subdomeny nie są dozwolone.",
    "domainPickerWildcardCertWarning": "Uniwersalne zasoby mogą wymagać dodatkowej konfiguracji, aby działać poprawnie.",
    "domainPickerWildcardCertWarningLink": "Dowiedz się więcej",
-    "health": "Zdrowie"
+    "health": "Zdrowie",
+    "domainPendingErrorTitle": "Problem z weryfikacją",
+    "memberPortalTitle": "Zasoby",
+    "memberPortalDescription": "Zasoby, do których masz dostęp w tej organizacji",
+    "memberPortalSortBy": "Sortuj według...",
+    "memberPortalSortNameAsc": "Nazwa A-Z",
+    "memberPortalSortNameDesc": "Nazwa Z-A",
+    "memberPortalSortDomainAsc": "Domena A-Z",
+    "memberPortalSortDomainDesc": "Domena Z-A",
+    "memberPortalSortEnabledFirst": "Włączone najpierw",
+    "memberPortalSortDisabledFirst": "Wyłączone najpierw",
+    "memberPortalRefresh": "Odśwież",
+    "memberPortalRefreshResources": "Odśwież zasoby",
+    "memberPortalFailedToLoad": "Nie udało się załadować zasobów",
+    "memberPortalFailedToLoadDescription": "Nie udało się załadować zasobów. Sprawdź połączenie i spróbuj ponownie.",
+    "memberPortalUnableToLoad": "Nie można załadować zasobów",
+    "memberPortalTryAgain": "Spróbuj ponownie",
+    "memberPortalNoResourcesFound": "Nie znaleziono zasobów",
+    "memberPortalNoResourcesAvailable": "Brak dostępnych zasobów",
+    "memberPortalNoResourcesMatchSearch": "Żadne zasoby nie pasują do „{query}”. Spróbuj dostosować swoje warunki wyszukiwania lub wyczyść wyszukiwanie, aby zobaczyć wszystkie zasoby.",
+    "memberPortalNoResourcesAccess": "Nie masz jeszcze dostępu do żadnych zasobów. Skontaktuj się z administratorem, aby uzyskać dostęp do potrzebnych zasobów.",
+    "memberPortalClearSearch": "Wyczyść wyszukiwanie",
+    "memberPortalPublicResources": "Publiczne zasoby",
+    "memberPortalPublicResourcesDescription": "Aplikacje i usługi internetowe dostępne za pośrednictwem przeglądarki",
+    "memberPortalCopiedToClipboard": "Skopiowano do schowka",
+    "memberPortalCopiedUrlDescription": "URL zasobu został skopiowany do schowka.",
+    "memberPortalOpenResource": "Otwórz zasób",
+    "memberPortalPrivateResources": "Prywatne zasoby",
+    "memberPortalPrivateResourcesDescription": "Zasoby sieci wewnętrznej dostępne za pośrednictwem klienta",
+    "memberPortalResourceDetails": "Szczegóły zasobu",
+    "memberPortalMode": "Tryb",
+    "memberPortalDestination": "Miejsce docelowe",
+    "memberPortalAlias": "Pseudonim",
+    "memberPortalCopiedAliasDescription": "Alias zasobu został skopiowany do schowka.",
+    "memberPortalCopiedDestinationDescription": "Miejsce docelowe zasobu zostało skopiowane do schowka.",
+    "memberPortalRequiresClientConnection": "Wymaga połączenia z klientem",
+    "memberPortalAuthMethods": "Metody uwierzytelniania",
+    "memberPortalSso": "Jednorazowe logowanie (SSO)",
+    "memberPortalPasswordProtected": "Chronione hasłem",
+    "memberPortalPinCode": "Kod PIN",
+    "memberPortalEmailWhitelist": "Biała lista e-mail",
+    "memberPortalResourceDisabled": "Zasób wyłączony",
+    "memberPortalShowingResources": "Wyświetlanie zasobów od {start} do {end} z {total}",
+    "memberPortalPrevious": "Poprzedni",
+    "memberPortalNext": "Następny"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Você está além dos seus limites para o seu plano atual. Corrija o problema removendo sites, usuários, ou outros recursos para ficar em seu plano.",
    "trialBannerMessage": "Sua avaliação termina em {countdown}. Faça o upgrade para manter o acesso.",
    "trialBannerExpired": "Sua avaliação expirou. Faça o upgrade agora para restaurar o acesso.",
+    "billingTrialBannerTitle": "Teste Gratuito Ativo",
+    "billingTrialBannerDescription": "Atualmente, você está em um teste gratuito no nível empresarial. Quando o teste terminar, sua conta reverterá automaticamente para os recursos e limites do nível Básico. Atualize a qualquer momento para manter o acesso aos recursos do seu plano atual.",
+    "billingTrialBannerUpgrade": "Atualize Agora",
+    "billingTrialBadge": "Teste Gratuito",
    "trialActive": "Avaliação Gratuita Ativa",
    "trialExpired": "Avaliação Expirada",
    "trialHasEnded": "Sua avaliação terminou.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Chave Secreta",
+    "newtVersion": "Versão",
    "architecture": "Arquitetura",
    "sites": "sites",
    "siteWgAnyClients": "Use qualquer cliente do WireGuard para se conectar. Você terá que endereçar recursos internos usando o IP de pares.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Ver notas de versão",
    "newtUpdateAvailable": "Nova Atualização Disponível",
    "newtUpdateAvailableInfo": "Uma nova versão do Newt está disponível. Atualize para a versão mais recente para uma melhor experiência.",
+    "pangolinNodeUpdateAvailableInfo": "Uma nova versão do Pangolin Node está disponível. Atualize para a versão mais recente para uma melhor experiência.",
    "domainPickerEnterDomain": "Domínio",
    "domainPickerPlaceholder": "myapp.exemplo.com",
    "domainPickerDescription": "Insira o domínio completo do recurso para ver as opções disponíveis.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Escolha o seu provedor de identidade para continuar",
    "orgAuthNoIdpConfigured": "Esta organização não tem nenhum provedor de identidade configurado. Você pode entrar com a identidade do seu Pangolin.",
    "orgAuthSignInWithPangolin": "Entrar com o Pangolin",
-    "orgAuthSignInToOrg": "Fazer login em uma organização",
+    "orgAuthSignInToOrg": "Provedor de Identidade da Organização (SSO)",
    "orgAuthSelectOrgTitle": "Entrada da Organização",
    "orgAuthSelectOrgDescription": "Digite seu ID da organização para continuar",
    "orgAuthOrgIdPlaceholder": "sua-organização",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "PI",
    "reason": "Motivo",
-    "requestLogs": "Registro de pedidos",
+    "requestLogs": "Registros de Pedidos HTTP",
    "requestAnalytics": "Solicitar análise",
    "host": "Servidor",
    "location": "Local:",
    "actionLogs": "Logs de Ações",
-    "sidebarLogsRequest": "Registro de pedidos",
+    "sidebarLogsRequest": "Registros de Pedidos HTTP",
    "sidebarLogsAccess": "Logs de Acesso",
    "sidebarLogsAction": "Logs de Ações",
    "logRetention": "Retenção de Log",
    "logRetentionDescription": "Gerenciar quanto tempo os diferentes tipos de logs são mantidos para esta organização ou desativá-los",
    "requestLogsDescription": "Ver registros de pedidos detalhados de recursos nesta organização",
    "requestAnalyticsDescription": "Exibir análise detalhada de pedidos para recursos nesta organização",
-    "logRetentionRequestLabel": "Solicitar retenção de registro",
+    "logRetentionRequestLabel": "Retenção de Registro de Pedido HTTP",
    "logRetentionRequestDescription": "Por quanto tempo manter os registros de pedidos",
    "logRetentionAccessLabel": "Retenção de Log de Acesso",
    "logRetentionAccessDescription": "Por quanto tempo manter os registros de acesso",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Ações administrativas realizadas por usuários dentro da organização.",
    "httpDestConnectionLogsTitle": "Logs da conexão",
    "httpDestConnectionLogsDescription": "Eventos de conexão de site e túnel, incluindo conexões e desconexões.",
-    "httpDestRequestLogsTitle": "Registro de pedidos",
+    "httpDestRequestLogsTitle": "Registros de Pedidos HTTP",
    "httpDestRequestLogsDescription": "Logs de solicitação HTTP para recursos proxy incluindo o método, o caminho e o código de resposta.",
    "httpDestSaveChanges": "Salvar as alterações",
    "httpDestCreateDestination": "Criar destino",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Subdomínios curinga não são permitidos.",
    "domainPickerWildcardCertWarning": "Recursos curinga podem exigir configurações adicionais para funcionarem corretamente.",
    "domainPickerWildcardCertWarningLink": "Saiba mais",
-    "health": "Saúde"
+    "health": "Saúde",
+    "domainPendingErrorTitle": "Problema de Verificação",
+    "memberPortalTitle": "Recursos",
+    "memberPortalDescription": "Recursos aos quais você tem acesso nesta organização",
+    "memberPortalSortBy": "Ordenar por...",
+    "memberPortalSortNameAsc": "Nome A-Z",
+    "memberPortalSortNameDesc": "Nome Z-A",
+    "memberPortalSortDomainAsc": "Domínio A-Z",
+    "memberPortalSortDomainDesc": "Domínio Z-A",
+    "memberPortalSortEnabledFirst": "Habilitados Primeiro",
+    "memberPortalSortDisabledFirst": "Desabilitados Primeiro",
+    "memberPortalRefresh": "Atualizar",
+    "memberPortalRefreshResources": "Atualizar Recursos",
+    "memberPortalFailedToLoad": "Falha ao carregar recursos",
+    "memberPortalFailedToLoadDescription": "Falha ao carregar recursos. Por favor, verifique sua conexão e tente novamente.",
+    "memberPortalUnableToLoad": "Incapaz de Carregar Recursos",
+    "memberPortalTryAgain": "Tentar Novamente",
+    "memberPortalNoResourcesFound": "Nenhum Recurso Encontrado",
+    "memberPortalNoResourcesAvailable": "Nenhum Recurso Disponível",
+    "memberPortalNoResourcesMatchSearch": "Nenhum recurso corresponde a \"{query}\". Tente ajustar seus termos de pesquisa ou limpe a pesquisa para ver todos os recursos.",
+    "memberPortalNoResourcesAccess": "Você ainda não tem acesso a nenhum recurso. Entre em contato com seu administrador para obter acesso aos recursos que precisa.",
+    "memberPortalClearSearch": "Limpar Pesquisa",
+    "memberPortalPublicResources": "Recursos Públicos",
+    "memberPortalPublicResourcesDescription": "Aplicações e serviços web acessíveis via navegador",
+    "memberPortalCopiedToClipboard": "Copiado para a área de transferência",
+    "memberPortalCopiedUrlDescription": "A URL do recurso foi copiada para sua área de transferência.",
+    "memberPortalOpenResource": "Abrir Recurso",
+    "memberPortalPrivateResources": "Recursos Privados",
+    "memberPortalPrivateResourcesDescription": "Recursos da rede interna acessíveis via cliente",
+    "memberPortalResourceDetails": "Detalhes do Recurso",
+    "memberPortalMode": "Modo",
+    "memberPortalDestination": "Destino",
+    "memberPortalAlias": "Apelido",
+    "memberPortalCopiedAliasDescription": "O apelido do recurso foi copiado para sua área de transferência.",
+    "memberPortalCopiedDestinationDescription": "O destino do recurso foi copiado para sua área de transferência.",
+    "memberPortalRequiresClientConnection": "Requer Conexão de Cliente",
+    "memberPortalAuthMethods": "Métodos de Autenticação",
+    "memberPortalSso": "Logon Único (SSO)",
+    "memberPortalPasswordProtected": "Protegido por Senha",
+    "memberPortalPinCode": "Código PIN",
+    "memberPortalEmailWhitelist": "Lista de E-mails Permitidos",
+    "memberPortalResourceDisabled": "Recurso Desativado",
+    "memberPortalShowingResources": "Mostrando {start}-{end} de {total} recursos",
+    "memberPortalPrevious": "Anterior",
+    "memberPortalNext": "Próximo"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Вы превысили лимиты для вашего текущего плана. Исправьте проблему, удалив сайты, пользователей или другие ресурсы, чтобы остаться в пределах вашего плана.",
    "trialBannerMessage": "Ваш пробный период истекает через {countdown}. Обновите, чтобы сохранить доступ.",
    "trialBannerExpired": "Ваш пробный период истек. Обновите сейчас, чтобы восстановить доступ.",
+    "billingTrialBannerTitle": "Бесплатная версия активна",
+    "billingTrialBannerDescription": "Вы в настоящее время находитесь на бесплатном пробном периоде бизнес-уровня. Когда пробный период закончится, ваш аккаунт автоматически вернётся к функциям и лимитам базового уровня. Обновите в любое время, чтобы сохранить доступ к функциям текущего плана.",
+    "billingTrialBannerUpgrade": "Обновить сейчас",
+    "billingTrialBadge": "Бесплатная версия",
    "trialActive": "Бесплатный пробный период активен",
    "trialExpired": "Пробный период истек",
    "trialHasEnded": "Ваш пробный период окончен.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Секретный ключ",
+    "newtVersion": "Версия",
    "architecture": "Архитектура",
    "sites": "Сайты",
    "siteWgAnyClients": "Для подключения используйте любой клиент WireGuard. Вы должны будете адресовать внутренние ресурсы, используя IP адрес пира.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Просмотреть примечания к выпуску",
    "newtUpdateAvailable": "Доступно обновление",
    "newtUpdateAvailableInfo": "Доступна новая версия Newt. Пожалуйста, обновитесь до последней версии для лучшего опыта.",
+    "pangolinNodeUpdateAvailableInfo": "Доступна новая версия Pangolin Node. Пожалуйста, обновитесь до последней версии для лучшего опыта.",
    "domainPickerEnterDomain": "Домен",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Введите полный домен ресурса, чтобы увидеть доступные опции.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Выберите своего поставщика удостоверений личности для продолжения",
    "orgAuthNoIdpConfigured": "Эта организация не имеет настроенных поставщиков идентификационных данных. Вместо этого вы можете войти в свой Pangolin.",
    "orgAuthSignInWithPangolin": "Войти через Pangolin",
-    "orgAuthSignInToOrg": "Войти в организацию",
+    "orgAuthSignInToOrg": "Поставщик удостоверений организации (SSO)",
    "orgAuthSelectOrgTitle": "Вход в организацию",
    "orgAuthSelectOrgDescription": "Введите ID вашей организации, чтобы продолжить",
    "orgAuthOrgIdPlaceholder": "ваша-организация",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Причина",
-    "requestLogs": "Запросить журналы",
+    "requestLogs": "HTTP Запросы Логи",
    "requestAnalytics": "Аналитика запроса",
    "host": "Хост",
    "location": "Местоположение",
    "actionLogs": "Журнал действий",
-    "sidebarLogsRequest": "Запросить журналы",
+    "sidebarLogsRequest": "HTTP Запросы Логи",
    "sidebarLogsAccess": "Журналы доступа",
    "sidebarLogsAction": "Журнал действий",
    "logRetention": "Сохранение журнала",
    "logRetentionDescription": "Управление сохранением различных типов журналов для этой организации или отключение их",
    "requestLogsDescription": "Просмотреть подробные журналы запроса ресурсов в этой организации",
    "requestAnalyticsDescription": "Просмотреть подробную аналитику запроса для ресурсов в этой организации",
-    "logRetentionRequestLabel": "Запросить сохранение журнала",
+    "logRetentionRequestLabel": "Сохранение HTTP Запросов Лога",
    "logRetentionRequestDescription": "Как долго сохранять журналы запросов",
    "logRetentionAccessLabel": "Хранение журнала доступа",
    "logRetentionAccessDescription": "Как долго сохранять журналы доступа",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Административные меры, осуществляемые пользователями в рамках организации.",
    "httpDestConnectionLogsTitle": "Журнал подключений",
    "httpDestConnectionLogsDescription": "События связи с сайтами и туннелями, включая соединения и отключения.",
-    "httpDestRequestLogsTitle": "Запросить журналы",
+    "httpDestRequestLogsTitle": "HTTP Запросы Логи",
    "httpDestRequestLogsDescription": "Журналы запросов HTTP для проксируемых ресурсов, включая метод, путь и код ответа.",
    "httpDestSaveChanges": "Сохранить изменения",
    "httpDestCreateDestination": "Создать адрес назначения",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard поддомены не допускаются.",
    "domainPickerWildcardCertWarning": "Wildcard ресурсы могут потребовать дополнительной настройки для правильной работы.",
    "domainPickerWildcardCertWarningLink": "Узнать больше",
-    "health": "Состояние"
+    "health": "Состояние",
+    "domainPendingErrorTitle": "Проблема с подтверждением",
+    "memberPortalTitle": "Ресурсы",
+    "memberPortalDescription": "Ресурсы, к которым у вас есть доступ в этой организации",
+    "memberPortalSortBy": "Сортировать по...",
+    "memberPortalSortNameAsc": "Имя A-Я",
+    "memberPortalSortNameDesc": "Имя Я-A",
+    "memberPortalSortDomainAsc": "Домен A-Я",
+    "memberPortalSortDomainDesc": "Домен Я-A",
+    "memberPortalSortEnabledFirst": "Включённые сначала",
+    "memberPortalSortDisabledFirst": "Отключённые сначала",
+    "memberPortalRefresh": "Обновить",
+    "memberPortalRefreshResources": "Обновить ресурсы",
+    "memberPortalFailedToLoad": "Не удалось загрузить ресурсы",
+    "memberPortalFailedToLoadDescription": "Не удалось загрузить ресурсы. Пожалуйста, проверьте подключение и попробуйте снова.",
+    "memberPortalUnableToLoad": "Не удалось загрузить ресурсы",
+    "memberPortalTryAgain": "Попробуйте снова",
+    "memberPortalNoResourcesFound": "Ресурсы не найдены",
+    "memberPortalNoResourcesAvailable": "Нет доступных ресурсов",
+    "memberPortalNoResourcesMatchSearch": "Нет ресурсов, соответствующих \"{query}\". Попробуйте изменить условия поиска или очистить поиск, чтобы увидеть все ресурсы.",
+    "memberPortalNoResourcesAccess": "У вас пока нет доступа к ресурсам. Свяжитесь с администратором, чтобы получить доступ к нужным вам ресурсам.",
+    "memberPortalClearSearch": "Очистить поиск",
+    "memberPortalPublicResources": "Публичные ресурсы",
+    "memberPortalPublicResourcesDescription": "Веб-приложения и сервисы, доступные через браузер",
+    "memberPortalCopiedToClipboard": "Скопировано в буфер обмена",
+    "memberPortalCopiedUrlDescription": "URL ресурса был скопирован в ваш буфер обмена.",
+    "memberPortalOpenResource": "Открыть ресурс",
+    "memberPortalPrivateResources": "Приватные ресурсы",
+    "memberPortalPrivateResourcesDescription": "Ресурсы внутренней сети, доступные через клиент",
+    "memberPortalResourceDetails": "Детали ресурса",
+    "memberPortalMode": "Режим",
+    "memberPortalDestination": "Назначение",
+    "memberPortalAlias": "Псевдоним",
+    "memberPortalCopiedAliasDescription": "Псевдоним ресурса был скопирован в ваш буфер обмена.",
+    "memberPortalCopiedDestinationDescription": "Назначение ресурса было скопировано в ваш буфер обмена.",
+    "memberPortalRequiresClientConnection": "Требуется подключение клиента",
+    "memberPortalAuthMethods": "Методы аутентификации",
+    "memberPortalSso": "Единый вход (SSO)",
+    "memberPortalPasswordProtected": "Защищено паролем",
+    "memberPortalPinCode": "PIN-код",
+    "memberPortalEmailWhitelist": "Белый список email",
+    "memberPortalResourceDisabled": "Ресурс отключён",
+    "memberPortalShowingResources": "Показаны {start}-{end} из {total} ресурсов",
+    "memberPortalPrevious": "Предыдущий",
+    "memberPortalNext": "Следующий"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Geçerli planınız için limitlerinizi aştınız. Planınız dahilinde kalmak için siteleri, kullanıcıları veya diğer kaynakları kaldırarak sorunu düzeltin.",
    "trialBannerMessage": "Deneme süreniz {countdown} içinde sona eriyor. Erişimi sürdürmek için yükseltin.",
    "trialBannerExpired": "Deneme süreniz sona erdi. Erişimi geri yüklemek için şimdi yükseltin.",
+    "billingTrialBannerTitle": "Ücretsiz Deneme Aktif",
+    "billingTrialBannerDescription": "Şu anda iş seviyesi için ücretsiz deneme sürümündesiniz. Deneme süresi sona erdiğinde, hesabınız otomatik olarak Temel seviye özelliklerine ve limitlerine geri dönecektir. Mevcut planınızın özelliklerine erişimi sürdürmek için istediğiniz zaman yükseltin.",
+    "billingTrialBannerUpgrade": "Şimdi Yükselt",
+    "billingTrialBadge": "Ücretsiz Deneme",
    "trialActive": "Ücretsiz Deneme Aktif",
    "trialExpired": "Deneme Süresi Doldu",
    "trialHasEnded": "Deneme süreniz sona erdi.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Uç Nokta",
    "newtId": "Kimlik",
    "newtSecretKey": "Gizli",
+    "newtVersion": "Sürüm",
    "architecture": "Mimari",
    "sites": "Siteler",
    "siteWgAnyClients": "Herhangi bir WireGuard istemcisi kullanarak bağlanın. Dahili kaynaklara eş IP adresini kullanarak erişmeniz gerekecek.",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Yayın Notlarını Görüntüle",
    "newtUpdateAvailable": "Güncelleme Mevcut",
    "newtUpdateAvailableInfo": "Newt'in yeni bir versiyonu mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
+    "pangolinNodeUpdateAvailableInfo": "Pangolin Node'un yeni bir sürümü mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
    "domainPickerEnterDomain": "Alan Adı",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Mevcut seçenekleri görmek için kaynağın tam etki alanını girin.",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Devam etmek için kimlik sağlayıcınızı seçin",
    "orgAuthNoIdpConfigured": "Bu kuruluşta yapılandırılmış kimlik sağlayıcı yok. Bunun yerine Pangolin kimliğinizle giriş yapabilirsiniz.",
    "orgAuthSignInWithPangolin": "Pangolin ile Giriş Yap",
-    "orgAuthSignInToOrg": "Bir kuruluşa giriş yapın",
+    "orgAuthSignInToOrg": "Kuruluş Kimlik Sağlayıcısı (SSO)",
    "orgAuthSelectOrgTitle": "Kuruluş Giriş",
    "orgAuthSelectOrgDescription": "Devam etmek için kuruluş kimliğinizi girin",
    "orgAuthOrgIdPlaceholder": "kuruluşunuz",
@@ -2654,19 +2660,19 @@
    "noMoreAuthMethods": "Daha Fazla Kimlik Doğrulama Yöntemi Yok",
    "ip": "IP",
    "reason": "Sebep",
-    "requestLogs": "İstek Günlükleri",
+    "requestLogs": "HTTP İstek Günlükleri",
    "requestAnalytics": "İstek Analizi",
    "host": "Sunucu",
    "location": "Konum",
    "actionLogs": "Eylem Günlükleri",
-    "sidebarLogsRequest": "İstek Günlükleri",
+    "sidebarLogsRequest": "HTTP İstek Günlükleri",
    "sidebarLogsAccess": "Erişim Günlükleri",
    "sidebarLogsAction": "Eylem Günlükleri",
    "logRetention": "Kayıt Saklama",
    "logRetentionDescription": "Bu organizasyon için farklı türdeki günlüklerin ne kadar süre saklanacağını yönetin veya devre dışı bırakın",
    "requestLogsDescription": "Bu organizasyondaki kaynaklar için ayrıntılı istek günlüklerini görüntüleyin",
    "requestAnalyticsDescription": "Bu organizasyondaki kaynaklar için ayrıntılı istek analizlerini görüntüleyin.",
-    "logRetentionRequestLabel": "İstek Günlüğü Saklama",
+    "logRetentionRequestLabel": "HTTP İstek Günlüğü Saklama",
    "logRetentionRequestDescription": "İstek günlüklerini ne kadar süre tutacağını belirle",
    "logRetentionAccessLabel": "Erişim Günlüğü Saklama",
    "logRetentionAccessDescription": "Erişim günlüklerini ne kadar süre tutacağını belirle",
@@ -3128,7 +3134,7 @@
    "httpDestActionLogsDescription": "Kullanıcılar tarafından organizasyon içerisinde yapılan yönetici eylemleri.",
    "httpDestConnectionLogsTitle": "Bağlantı Kayıtları",
    "httpDestConnectionLogsDescription": "Site ve tünel bağlantı olayları, bağlantılar ve bağlantı kesilmeleri dahil.",
-    "httpDestRequestLogsTitle": "İstek Kayıtları",
+    "httpDestRequestLogsTitle": "HTTP İstek Günlükleri",
    "httpDestRequestLogsDescription": "Yönlendirilmiş kaynaklar için HTTP istek kayıtları, yöntem, yol ve yanıt kodu dahil.",
    "httpDestSaveChanges": "Değişiklikleri Kaydet",
    "httpDestCreateDestination": "Hedef Oluştur",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Genel alt alanlara izin verilmiyor.",
    "domainPickerWildcardCertWarning": "Genel kaynaklar düzgün çalışmak için ek yapılandırma gerektirebilir.",
    "domainPickerWildcardCertWarningLink": "Daha fazla bilgi",
-    "health": "Sağlık"
+    "health": "Sağlık",
+    "domainPendingErrorTitle": "Doğrulama Sorunu",
+    "memberPortalTitle": "Kaynaklar",
+    "memberPortalDescription": "Bu organizasyondaki erişiminiz olan kaynaklar",
+    "memberPortalSortBy": "Şuna göre sırala...",
+    "memberPortalSortNameAsc": "İsim A-Z",
+    "memberPortalSortNameDesc": "İsim Z-A",
+    "memberPortalSortDomainAsc": "Alan A-Z",
+    "memberPortalSortDomainDesc": "Alan Z-A",
+    "memberPortalSortEnabledFirst": "İlk Etkinleştirilenler",
+    "memberPortalSortDisabledFirst": "İlk Devre Dışı Bırakılanlar",
+    "memberPortalRefresh": "Yenile",
+    "memberPortalRefreshResources": "Kaynakları Yenile",
+    "memberPortalFailedToLoad": "Kaynaklar yüklenemedi",
+    "memberPortalFailedToLoadDescription": "Kaynaklar yüklenemedi. Lütfen bağlantınızı kontrol edin ve tekrar deneyin.",
+    "memberPortalUnableToLoad": "Kaynaklar Yüklenemiyor",
+    "memberPortalTryAgain": "Tekrar Dene",
+    "memberPortalNoResourcesFound": "Hiçbir Kaynak Bulunamadı",
+    "memberPortalNoResourcesAvailable": "Uygun Kaynak Yok",
+    "memberPortalNoResourcesMatchSearch": "Hiçbir kaynak \"{query}\" ile eşleşmiyor. Arama terimlerinizi değiştirerek veya tüm kaynakları görmek için aramayı temizleyerek deneyin.",
+    "memberPortalNoResourcesAccess": "Henüz herhangi bir kaynağa erişiminiz yok. İhtiyacınız olan kaynaklara erişim sağlamak için yöneticinizle iletişime geçin.",
+    "memberPortalClearSearch": "Aramayı Temizle",
+    "memberPortalPublicResources": "Genel Kaynaklar",
+    "memberPortalPublicResourcesDescription": "Tarayıcı üzerinden erişilebilen web uygulamaları ve hizmetler",
+    "memberPortalCopiedToClipboard": "Panoya kopyalandı",
+    "memberPortalCopiedUrlDescription": "Kaynak URL'si panonuza kopyalandı.",
+    "memberPortalOpenResource": "Kaynağı Aç",
+    "memberPortalPrivateResources": "Özel Kaynaklar",
+    "memberPortalPrivateResourcesDescription": "İstemci üzerinden erişilebilen dahili ağ kaynakları",
+    "memberPortalResourceDetails": "Kaynak Detayları",
+    "memberPortalMode": "Mod",
+    "memberPortalDestination": "Hedef",
+    "memberPortalAlias": "Takma İsim",
+    "memberPortalCopiedAliasDescription": "Kaynak takma adı panonuza kopyalandı.",
+    "memberPortalCopiedDestinationDescription": "Kaynak hedefi panonuza kopyalandı.",
+    "memberPortalRequiresClientConnection": "İstemci Bağlantısı Gerektirir",
+    "memberPortalAuthMethods": "Kimlik Doğrulama Yöntemleri",
+    "memberPortalSso": "Tek Oturum Açma (SSO)",
+    "memberPortalPasswordProtected": "Parola ile Korunan",
+    "memberPortalPinCode": "PIN Kodu",
+    "memberPortalEmailWhitelist": "E-posta Beyaz Listesi",
+    "memberPortalResourceDisabled": "Kaynak Devre Dışı",
+    "memberPortalShowingResources": "{total} kaynaktan {start}-{end} gösteriliyor",
+    "memberPortalPrevious": "Önceki",
+    "memberPortalNext": "Sonraki"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "您的当前计划超出了您的限制。通过移除站点、用户或其他资源以保持在您的计划范围内来纠正问题。",
    "trialBannerMessage": "您的试用将在 {countdown} 到期。升级以保持访问。",
    "trialBannerExpired": "您的试用已到期。立即升级以恢复访问。",
+    "billingTrialBannerTitle": "免费试用激活中",
+    "billingTrialBannerDescription": "您目前正在商用层进行免费试用。试用结束后，您的账户将自动回到基础层功能和限制。可随时升级以保持当前计划的功能访问。",
+    "billingTrialBannerUpgrade": "立即升级",
+    "billingTrialBadge": "免费试用",
    "trialActive": "免费试用中",
    "trialExpired": "试用到期",
    "trialHasEnded": "您的试用已结束。",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "密钥",
+    "newtVersion": "版本",
    "architecture": "架构",
    "sites": "站点",
    "siteWgAnyClients": "使用任何 WireGuard 客户端连接。您必须使用对等IP解决内部资源问题。",
@@ -1666,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "查看发布说明",
    "newtUpdateAvailable": "更新可用",
    "newtUpdateAvailableInfo": "新版本的 Newt 已可用。请更新到最新版本以获得最佳体验。",
+    "pangolinNodeUpdateAvailableInfo": "新版本的 Pangolin Node 已可用。请更新到最新版本以获得最佳体验。",
    "domainPickerEnterDomain": "域名",
    "domainPickerPlaceholder": "example.com",
    "domainPickerDescription": "输入资源的完整域名以查看可用选项。",
@@ -2353,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "选择您的身份提供商以继续",
    "orgAuthNoIdpConfigured": "此机构没有配置任何身份提供者。您可以使用您的 Pangolin 身份登录。",
    "orgAuthSignInWithPangolin": "使用 Pangolin 登录",
-    "orgAuthSignInToOrg": "登录到组织",
+    "orgAuthSignInToOrg": "组织身份提供商 (SSO)",
    "orgAuthSelectOrgTitle": "组织登录",
    "orgAuthSelectOrgDescription": "输入您的组织ID以继续",
    "orgAuthOrgIdPlaceholder": "您的组织",
@@ -2666,7 +2672,7 @@
    "logRetentionDescription": "管理不同类型的日志为这个机构保留多长时间或禁用这些日志",
    "requestLogsDescription": "查看此机构资源的详细请求日志",
    "requestAnalyticsDescription": "查看此机构资源的详细请求分析",
-    "logRetentionRequestLabel": "请求日志保留",
+    "logRetentionRequestLabel": "HTTP 请求日志保留",
    "logRetentionRequestDescription": "保留请求日志的时间",
    "logRetentionAccessLabel": "访问日志保留",
    "logRetentionAccessDescription": "保留访问日志的时间",
@@ -3201,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "不允许使用通配符子域。",
    "domainPickerWildcardCertWarning": "通配符资源可能需要额外配置才能正常工作。",
    "domainPickerWildcardCertWarningLink": "了解更多",
-    "health": "健康"
+    "health": "健康",
+    "domainPendingErrorTitle": "验证问题",
+    "memberPortalTitle": "资源",
+    "memberPortalDescription": "您在此组织中可以访问的资源",
+    "memberPortalSortBy": "排序依据……",
+    "memberPortalSortNameAsc": "名称 A-Z",
+    "memberPortalSortNameDesc": "名称 Z-A",
+    "memberPortalSortDomainAsc": "域名 A-Z",
+    "memberPortalSortDomainDesc": "域名 Z-A",
+    "memberPortalSortEnabledFirst": "启用优先",
+    "memberPortalSortDisabledFirst": "禁用优先",
+    "memberPortalRefresh": "刷新",
+    "memberPortalRefreshResources": "刷新资源",
+    "memberPortalFailedToLoad": "加载资源失败",
+    "memberPortalFailedToLoadDescription": "加载资源失败。请检查您的连接并再试一次。",
+    "memberPortalUnableToLoad": "无法加载资源",
+    "memberPortalTryAgain": "再试一次",
+    "memberPortalNoResourcesFound": "找不到资源",
+    "memberPortalNoResourcesAvailable": "无可用资源",
+    "memberPortalNoResourcesMatchSearch": "没有与\"{query}\"匹配的资源。尝试调整您的搜索词或清除搜索以查看所有资源。",
+    "memberPortalNoResourcesAccess": "您尚无访问任何资源的权限。请联系您的管理员获取所需资源的访问权限。",
+    "memberPortalClearSearch": "清除搜索",
+    "memberPortalPublicResources": "公共资源",
+    "memberPortalPublicResourcesDescription": "通过浏览器可访问的网络应用和服务",
+    "memberPortalCopiedToClipboard": "已复制到剪贴板",
+    "memberPortalCopiedUrlDescription": "资源 URL 已复制到您的剪贴板。",
+    "memberPortalOpenResource": "打开资源",
+    "memberPortalPrivateResources": "私有资源",
+    "memberPortalPrivateResourcesDescription": "通过客户端可访问的内部网络资源",
+    "memberPortalResourceDetails": "资源详情",
+    "memberPortalMode": "模式",
+    "memberPortalDestination": "目标",
+    "memberPortalAlias": "别名",
+    "memberPortalCopiedAliasDescription": "资源别名已复制到您的剪贴板。",
+    "memberPortalCopiedDestinationDescription": "资源目的地已复制到您的剪贴板。",
+    "memberPortalRequiresClientConnection": "需要客户端连接",
+    "memberPortalAuthMethods": "身份验证方法",
+    "memberPortalSso": "单一登录 (SSO)",
+    "memberPortalPasswordProtected": "密码保护",
+    "memberPortalPinCode": "PIN 码",
+    "memberPortalEmailWhitelist": "电子邮件白名单",
+    "memberPortalResourceDisabled": "资源已禁用",
+    "memberPortalShowingResources": "显示 {start}-{end} 共 {total} 个资源",
+    "memberPortalPrevious": "上一页",
+    "memberPortalNext": "下一页"
 }
--- a/public/screenshots/hero.png
+++ b/public/screenshots/hero.png
--- a/public/screenshots/private-resources.png
+++ b/public/screenshots/private-resources.png
--- a/public/screenshots/public-resources.png
+++ b/public/screenshots/public-resources.png
--- a/public/screenshots/sites.png
+++ b/public/screenshots/sites.png
--- a/public/screenshots/user-devices.png
+++ b/public/screenshots/user-devices.png
--- a/public/screenshots/users.png
+++ b/public/screenshots/users.png
--- a/server/db/mac_models.json
+++ b/server/db/mac_models.json
@@ -1,94 +1,53 @@
 {
-  "PowerMac4,4": "eMac",
-  "PowerMac6,4": "eMac",
-  "PowerBook2,1": "iBook",
-  "PowerBook2,2": "iBook",
-  "PowerBook4,1": "iBook",
-  "PowerBook4,2": "iBook",
-  "PowerBook4,3": "iBook",
-  "PowerBook6,3": "iBook",
-  "PowerBook6,5": "iBook",
-  "PowerBook6,7": "iBook",
-  "iMac,1": "iMac",
-  "PowerMac2,1": "iMac",
-  "PowerMac2,2": "iMac",
-  "PowerMac4,1": "iMac",
-  "PowerMac4,2": "iMac",
-  "PowerMac4,5": "iMac",
-  "PowerMac6,1": "iMac",
-  "PowerMac6,3*": "iMac",
-  "PowerMac6,3": "iMac",
-  "PowerMac8,1": "iMac",
-  "PowerMac8,2": "iMac",
-  "PowerMac12,1": "iMac",
-  "iMac4,1": "iMac",
-  "iMac4,2": "iMac",
-  "iMac5,2": "iMac",
-  "iMac5,1": "iMac",
-  "iMac6,1": "iMac",
-  "iMac7,1": "iMac",
-  "iMac8,1": "iMac",
-  "iMac9,1": "iMac",
-  "iMac10,1": "iMac",
-  "iMac11,1": "iMac",
-  "iMac11,2": "iMac",
-  "iMac11,3": "iMac",
-  "iMac12,1": "iMac",
-  "iMac12,2": "iMac",
-  "iMac13,1": "iMac",
-  "iMac13,2": "iMac",
-  "iMac14,1": "iMac",
-  "iMac14,3": "iMac",
-  "iMac14,2": "iMac",
-  "iMac14,4": "iMac",
-  "iMac15,1": "iMac",
-  "iMac16,1": "iMac",
-  "iMac16,2": "iMac",
-  "iMac17,1": "iMac",
-  "iMac18,1": "iMac",
-  "iMac18,2": "iMac",
-  "iMac18,3": "iMac",
-  "iMac19,2": "iMac",
-  "iMac19,1": "iMac",
-  "iMac20,1": "iMac",
-  "iMac20,2": "iMac",
-  "iMac21,2": "iMac",
-  "iMac21,1": "iMac",
-  "iMacPro1,1": "iMac Pro",
-  "PowerMac10,1": "Mac mini",
-  "PowerMac10,2": "Mac mini",
-  "Macmini1,1": "Mac mini",
-  "Macmini2,1": "Mac mini",
-  "Macmini3,1": "Mac mini",
-  "Macmini4,1": "Mac mini",
-  "Macmini5,1": "Mac mini",
-  "Macmini5,2": "Mac mini",
-  "Macmini5,3": "Mac mini",
-  "Macmini6,1": "Mac mini",
-  "Macmini6,2": "Mac mini",
-  "Macmini7,1": "Mac mini",
-  "Macmini8,1": "Mac mini",
  "ADP3,2": "Mac mini",
-  "Macmini9,1": "Mac mini",
-  "Mac14,3": "Mac mini",
-  "Mac14,12": "Mac mini",
-  "MacPro1,1*": "Mac Pro",
-  "MacPro2,1": "Mac Pro",
-  "MacPro3,1": "Mac Pro",
-  "MacPro4,1": "Mac Pro",
-  "MacPro5,1": "Mac Pro",
-  "MacPro6,1": "Mac Pro",
-  "MacPro7,1": "Mac Pro",
-  "N/A*": "Power Macintosh",
-  "PowerMac1,1": "Power Macintosh",
-  "PowerMac3,1": "Power Macintosh",
-  "PowerMac3,3": "Power Macintosh",
-  "PowerMac3,4": "Power Macintosh",
-  "PowerMac3,5": "Power Macintosh",
-  "PowerMac3,6": "Power Macintosh",
  "Mac13,1": "Mac Studio",
  "Mac13,2": "Mac Studio",
+  "Mac14,10": "MacBook Pro",
+  "Mac14,12": "Mac mini",
+  "Mac14,13": "Mac Studio",
+  "Mac14,14": "Mac Studio",
+  "Mac14,15": "MacBook Air",
+  "Mac14,2": "MacBook Air",
+  "Mac14,3": "Mac mini",
+  "Mac14,5": "MacBook Pro",
+  "Mac14,6": "MacBook Pro",
+  "Mac14,7": "MacBook Pro",
+  "Mac14,8": "Mac Pro",
+  "Mac14,9": "MacBook Pro",
+  "Mac15,10": "MacBook Pro",
+  "Mac15,11": "MacBook Pro",
+  "Mac15,12": "MacBook Air",
+  "Mac15,13": "MacBook Air",
+  "Mac15,14": "Mac Studio",
+  "Mac15,3": "MacBook Pro",
+  "Mac15,4": "iMac",
+  "Mac15,5": "iMac",
+  "Mac15,6": "MacBook Pro",
+  "Mac15,7": "MacBook Pro",
+  "Mac15,8": "MacBook Pro",
+  "Mac15,9": "MacBook Pro",
+  "Mac16,1": "MacBook Pro",
+  "Mac16,10": "Mac mini",
+  "Mac16,11": "Mac mini",
+  "Mac16,12": "MacBook Air",
+  "Mac16,13": "MacBook Air",
+  "Mac16,2": "iMac",
+  "Mac16,3": "iMac",
+  "Mac16,5": "MacBook Pro",
+  "Mac16,6": "MacBook Pro",
+  "Mac16,7": "MacBook Pro",
+  "Mac16,8": "MacBook Pro",
+  "Mac16,9": "Mac Studio",
+  "Mac17,2": "MacBook Pro",
+  "Mac17,3": "MacBook Air",
+  "Mac17,4": "MacBook Air",
+  "Mac17,5": "MacBook Neo",
+  "Mac17,6": "MacBook Pro",
+  "Mac17,7": "MacBook Pro",
+  "Mac17,8": "MacBook Pro",
+  "Mac17,9": "MacBook Pro",
  "MacBook1,1": "MacBook",
+  "MacBook10,1": "MacBook",
  "MacBook2,1": "MacBook",
  "MacBook3,1": "MacBook",
  "MacBook4,1": "MacBook",
@@ -98,8 +57,8 @@
  "MacBook7,1": "MacBook",
  "MacBook8,1": "MacBook",
  "MacBook9,1": "MacBook",
-  "MacBook10,1": "MacBook",
  "MacBookAir1,1": "MacBook Air",
+  "MacBookAir10,1": "MacBook Air",
  "MacBookAir2,1": "MacBook Air",
  "MacBookAir3,1": "MacBook Air",
  "MacBookAir3,2": "MacBook Air",
@@ -114,88 +73,163 @@
  "MacBookAir8,1": "MacBook Air",
  "MacBookAir8,2": "MacBook Air",
  "MacBookAir9,1": "MacBook Air",
-  "MacBookAir10,1": "MacBook Air",
-  "Mac14,2": "MacBook Air",
  "MacBookPro1,1": "MacBook Pro",
  "MacBookPro1,2": "MacBook Pro",
-  "MacBookPro2,2": "MacBook Pro",
-  "MacBookPro2,1": "MacBook Pro",
-  "MacBookPro3,1": "MacBook Pro",
-  "MacBookPro4,1": "MacBook Pro",
-  "MacBookPro5,1": "MacBook Pro",
-  "MacBookPro5,2": "MacBook Pro",
-  "MacBookPro5,5": "MacBook Pro",
-  "MacBookPro5,4": "MacBook Pro",
-  "MacBookPro5,3": "MacBook Pro",
-  "MacBookPro7,1": "MacBook Pro",
-  "MacBookPro6,2": "MacBook Pro",
-  "MacBookPro6,1": "MacBook Pro",
-  "MacBookPro8,1": "MacBook Pro",
-  "MacBookPro8,2": "MacBook Pro",
-  "MacBookPro8,3": "MacBook Pro",
-  "MacBookPro9,2": "MacBook Pro",
-  "MacBookPro9,1": "MacBook Pro",
  "MacBookPro10,1": "MacBook Pro",
  "MacBookPro10,2": "MacBook Pro",
  "MacBookPro11,1": "MacBook Pro",
  "MacBookPro11,2": "MacBook Pro",
  "MacBookPro11,3": "MacBook Pro",
-  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro11,4": "MacBook Pro",
  "MacBookPro11,5": "MacBook Pro",
+  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro13,1": "MacBook Pro",
  "MacBookPro13,2": "MacBook Pro",
  "MacBookPro13,3": "MacBook Pro",
  "MacBookPro14,1": "MacBook Pro",
  "MacBookPro14,2": "MacBook Pro",
  "MacBookPro14,3": "MacBook Pro",
-  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,1": "MacBook Pro",
+  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,3": "MacBook Pro",
  "MacBookPro15,4": "MacBook Pro",
  "MacBookPro16,1": "MacBook Pro",
-  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,2": "MacBook Pro",
+  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,4": "MacBook Pro",
  "MacBookPro17,1": "MacBook Pro",
-  "MacBookPro18,3": "MacBook Pro",
-  "MacBookPro18,4": "MacBook Pro",
  "MacBookPro18,1": "MacBook Pro",
  "MacBookPro18,2": "MacBook Pro",
-  "Mac14,7": "MacBook Pro",
-  "Mac14,9": "MacBook Pro",
-  "Mac14,5": "MacBook Pro",
-  "Mac14,10": "MacBook Pro",
-  "Mac14,6": "MacBook Pro",
-  "PowerMac1,2": "Power Macintosh",
-  "PowerMac5,1": "Power Macintosh",
-  "PowerMac7,2": "Power Macintosh",
-  "PowerMac7,3": "Power Macintosh",
-  "PowerMac9,1": "Power Macintosh",
-  "PowerMac11,2": "Power Macintosh",
+  "MacBookPro18,3": "MacBook Pro",
+  "MacBookPro18,4": "MacBook Pro",
+  "MacBookPro2,1": "MacBook Pro",
+  "MacBookPro2,2": "MacBook Pro",
+  "MacBookPro3,1": "MacBook Pro",
+  "MacBookPro4,1": "MacBook Pro",
+  "MacBookPro5,1": "MacBook Pro",
+  "MacBookPro5,2": "MacBook Pro",
+  "MacBookPro5,3": "MacBook Pro",
+  "MacBookPro5,4": "MacBook Pro",
+  "MacBookPro5,5": "MacBook Pro",
+  "MacBookPro6,1": "MacBook Pro",
+  "MacBookPro6,2": "MacBook Pro",
+  "MacBookPro7,1": "MacBook Pro",
+  "MacBookPro8,1": "MacBook Pro",
+  "MacBookPro8,2": "MacBook Pro",
+  "MacBookPro8,3": "MacBook Pro",
+  "MacBookPro9,1": "MacBook Pro",
+  "MacBookPro9,2": "MacBook Pro",
+  "MacPro1,1": "Mac Pro",
+  "MacPro2,1": "Mac Pro",
+  "MacPro3,1": "Mac Pro",
+  "MacPro4,1": "Mac Pro",
+  "MacPro5,1": "Mac Pro",
+  "MacPro6,1": "Mac Pro",
+  "MacPro7,1": "Mac Pro",
+  "Macmini1,1": "Mac mini",
+  "Macmini2,1": "Mac mini",
+  "Macmini3,1": "Mac mini",
+  "Macmini4,1": "Mac mini",
+  "Macmini5,1": "Mac mini",
+  "Macmini5,2": "Mac mini",
+  "Macmini5,3": "Mac mini",
+  "Macmini6,1": "Mac mini",
+  "Macmini6,2": "Mac mini",
+  "Macmini7,1": "Mac mini",
+  "Macmini8,1": "Mac mini",
+  "Macmini9,1": "Mac mini",
  "PowerBook1,1": "PowerBook",
+  "PowerBook2,1": "iBook",
+  "PowerBook2,2": "iBook",
  "PowerBook3,1": "PowerBook",
  "PowerBook3,2": "PowerBook",
  "PowerBook3,3": "PowerBook",
  "PowerBook3,4": "PowerBook",
  "PowerBook3,5": "PowerBook",
-  "PowerBook6,1": "PowerBook",
+  "PowerBook4,1": "iBook",
+  "PowerBook4,2": "iBook",
+  "PowerBook4,3": "iBook",
  "PowerBook5,1": "PowerBook",
-  "PowerBook6,2": "PowerBook",
  "PowerBook5,2": "PowerBook",
  "PowerBook5,3": "PowerBook",
-  "PowerBook6,4": "PowerBook",
  "PowerBook5,4": "PowerBook",
  "PowerBook5,5": "PowerBook",
-  "PowerBook6,8": "PowerBook",
  "PowerBook5,6": "PowerBook",
  "PowerBook5,7": "PowerBook",
  "PowerBook5,8": "PowerBook",
  "PowerBook5,9": "PowerBook",
+  "PowerBook6,1": "PowerBook",
+  "PowerBook6,2": "PowerBook",
+  "PowerBook6,3": "iBook",
+  "PowerBook6,4": "PowerBook",
+  "PowerBook6,5": "iBook",
+  "PowerBook6,7": "iBook",
+  "PowerBook6,8": "PowerBook",
+  "PowerMac1,1": "Power Macintosh",
+  "PowerMac1,2": "Power Macintosh",
+  "PowerMac10,1": "Mac mini",
+  "PowerMac10,2": "Mac mini",
+  "PowerMac11,2": "Power Macintosh",
+  "PowerMac12,1": "iMac",
+  "PowerMac2,1": "iMac",
+  "PowerMac2,2": "iMac",
+  "PowerMac3,1": "Mac Server",
+  "PowerMac3,3": "Power Macintosh",
+  "PowerMac3,4": "Power Macintosh",
+  "PowerMac3,5": "Power Macintosh",
+  "PowerMac3,6": "Power Macintosh",
+  "PowerMac4,1": "iMac",
+  "PowerMac4,2": "iMac",
+  "PowerMac4,4": "eMac",
+  "PowerMac4,5": "iMac",
+  "PowerMac5,1": "Power Macintosh",
+  "PowerMac6,1": "iMac",
+  "PowerMac6,3": "iMac",
+  "PowerMac6,4": "eMac",
+  "PowerMac7,2": "Power Macintosh",
+  "PowerMac7,3": "Power Macintosh",
+  "PowerMac8,1": "iMac",
+  "PowerMac8,2": "iMac",
+  "PowerMac9,1": "Power Macintosh",
  "RackMac1,1": "Xserve",
  "RackMac1,2": "Xserve",
  "RackMac3,1": "Xserve",
  "Xserve1,1": "Xserve",
  "Xserve2,1": "Xserve",
-  "Xserve3,1": "Xserve"
-}
+  "Xserve3,1": "Xserve",
+  "iMac,1": "iMac",
+  "iMac10,1": "iMac",
+  "iMac11,1": "iMac",
+  "iMac11,2": "iMac",
+  "iMac11,3": "iMac",
+  "iMac12,1": "iMac",
+  "iMac12,2": "iMac",
+  "iMac13,1": "iMac",
+  "iMac13,2": "iMac",
+  "iMac14,1": "iMac",
+  "iMac14,2": "iMac",
+  "iMac14,3": "iMac",
+  "iMac14,4": "iMac",
+  "iMac15,1": "iMac",
+  "iMac16,1": "iMac",
+  "iMac16,2": "iMac",
+  "iMac17,1": "iMac",
+  "iMac18,1": "iMac",
+  "iMac18,2": "iMac",
+  "iMac18,3": "iMac",
+  "iMac19,1": "iMac",
+  "iMac19,2": "iMac",
+  "iMac20,1": "iMac",
+  "iMac20,2": "iMac",
+  "iMac21,1": "iMac",
+  "iMac21,2": "iMac",
+  "iMac4,1": "iMac",
+  "iMac4,2": "iMac",
+  "iMac5,1": "iMac",
+  "iMac5,2": "iMac",
+  "iMac6,1": "iMac",
+  "iMac7,1": "iMac",
+  "iMac8,1": "iMac",
+  "iMac9,1": "iMac",
+  "iMacPro1,1": "iMac Pro"
+}
--- a/server/db/sqlite/driver.ts
+++ b/server/db/sqlite/driver.ts
@@ -1,5 +1,6 @@
 import { drizzle as DrizzleSqlite } from "drizzle-orm/better-sqlite3";
 import Database from "better-sqlite3";
+import type BetterSqlite3 from "better-sqlite3";
 import * as schema from "./schema/schema";
 import path from "path";
 import fs from "fs";
@@ -11,8 +12,69 @@ export const exists = checkFileExists(location);

 bootstrapVolume();

+/**
+ * Wraps better-sqlite3 Statement to call `finalize()` immediately after
+ * execution, freeing native sqlite3_stmt memory deterministically instead
+ * of waiting for GC. Fixes steady off-heap growth under load (#2120).
+ * WARNING: Finalizes after first execution — incompatible with drizzle's
+ * reusable .prepare() builders. No such usage exists in this codebase.
+ */
+function autoFinalizeStatement(
+    stmt: BetterSqlite3.Statement
+): BetterSqlite3.Statement {
+    const wrapExec = <T extends (...args: any[]) => any>(fn: T): T => {
+        return function (this: any, ...args: any[]) {
+            try {
+                return fn.apply(this, args);
+            } finally {
+                try {
+                    // finalize() exists on the native Statement at runtime but
+                    // is missing from @types/better-sqlite3.
+                    (stmt as any).finalize();
+                } catch {
+                    // Already finalized — harmless
+                }
+            }
+        } as unknown as T;
+    };
+
+    stmt.run = wrapExec(stmt.run);
+    stmt.get = wrapExec(stmt.get);
+    stmt.all = wrapExec(stmt.all);
+
+    return stmt;
+}
+
 function createDb() {
    const sqlite = new Database(location);
+
+    if (process.env.ENABLE_SQLITE_WAL_MODE == "true") {
+        // Enable WAL mode — allows concurrent readers + single writer, preventing
+        // contention across subsystems (verifySession, Traefik, audit, ping).
+        sqlite.pragma("journal_mode = WAL");
+        // NORMAL sync mode: safe with WAL, reduces write lock hold time.
+        sqlite.pragma("synchronous = NORMAL");
+    }
+
+    // Wait up to 5s on SQLITE_BUSY instead of failing — prevents audit log
+    // retry loops that accumulate memory.
+    sqlite.pragma("busy_timeout = 5000");
+
+    // 64 MB page cache (default 2 MB) — reduces I/O round-trips on large
+    // TraefikConfigManager JOINs that block the event loop.
+    sqlite.pragma("cache_size = -65536");
+
+    // 256 MB memory-mapped I/O — OS serves reads from page cache directly,
+    // reducing event-loop blocking.
+    sqlite.pragma("mmap_size = 268435456");
+
+    // Wrap prepare() so every drizzle-orm statement is auto-finalized after
+    // first use, preventing sqlite3_stmt accumulation between GC cycles.
+    const originalPrepare = sqlite.prepare.bind(sqlite);
+    (sqlite as any).prepare = function autoFinalizePrepare(source: string) {
+        return autoFinalizeStatement(originalPrepare(source));
+    };
+
    return DrizzleSqlite(sqlite, {
        schema
    });
@@ -23,7 +85,7 @@ export default db;
 export const primaryDb = db;
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
-    >[0];
+>[0];
 export const DB_TYPE: "pg" | "sqlite" = "sqlite";

 function checkFileExists(filePath: string): boolean {
--- a/server/emails/templates/NotifyTrialExpiring.tsx
+++ b/server/emails/templates/NotifyTrialExpiring.tsx
@@ -64,7 +64,7 @@ export const NotifyTrialExpiring = ({

                                <EmailText>
                                    Some features and resources may now be
-                                    restricted or disconnected. To restore full
+                                    restricted. To restore full
                                    access and continue using all the features
                                    you had during your trial, please upgrade to
                                    a paid plan.
@@ -85,7 +85,7 @@ export const NotifyTrialExpiring = ({
                                    <strong>{orgName}</strong> will end on{" "}
                                    <strong>{trialEndsAt}</strong>
                                    {isLastDay
-                                        ? " — that's tomorrow!"
+                                        ? " - that's tomorrow!"
                                        : `, in ${daysRemaining} days`}
                                    .
                                </EmailText>
@@ -93,8 +93,7 @@ export const NotifyTrialExpiring = ({
                                <EmailText>
                                    After your trial ends, your account will be
                                    moved to the free plan and some
-                                    functionality may be restricted or your
-                                    sites may disconnect.
+                                    functionality may be restricted.
                                </EmailText>

                                <EmailText>
--- a/server/lib/alerts/events/healthCheckEvents.ts
+++ b/server/lib/alerts/events/healthCheckEvents.ts
@@ -1,27 +1,153 @@
-// stub
+import logger from "@server/logger";
+import { processAlerts } from "#dynamic/lib/alerts";
+import {
+    db,
+    statusHistory,
+    targetHealthCheck,
+    targets,
+    resources,
+    Transaction,
+    logsDb
+} from "@server/db";
+import { eq } from "drizzle-orm";
+import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
+import {
+    fireResourceDegradedAlert,
+    fireResourceHealthyAlert,
+    fireResourceUnhealthyAlert,
+    fireResourceUnknownAlert
+} from "./resourceEvents";

+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Fire a `health_check_healthy` alert for the given health check.
+ *
+ * Call this after a previously-failing health check has recovered so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId         - Organisation that owns the health check.
+ * @param healthCheckId - Numeric primary key of the health check.
+ * @param healthCheckName - Human-readable name shown in notifications (optional).
+ * @param extra         - Any additional key/value pairs to include in the payload.
+ */
 export async function fireHealthCheckHealthyAlert(
    orgId: string,
    healthCheckId: number,
-    healthCheckName?: string,
+    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "health_check",
+            entityId: healthCheckId,
+            orgId: orgId,
+            status: "healthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("health_check", healthCheckId);
+
+        await handleResource(orgId, healthCheckTargetId, send, trx);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "health_check_healthy",
+            orgId,
+            healthCheckId,
+            data: {
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "health_check_toggle",
+            orgId,
+            healthCheckId,
+            data: {
+                healthCheckId,
+                status: "healthy",
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireHealthCheckHealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
+            err
+        );
+    }
 }

+/**
+ * Fire a `health_check_unhealthy` alert for the given health check.
+ *
+ * Call this after a health check has been detected as failing so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId         - Organisation that owns the health check.
+ * @param healthCheckId - Numeric primary key of the health check.
+ * @param healthCheckName - Human-readable name shown in notifications (optional).
+ * @param extra         - Any additional key/value pairs to include in the payload.
+ */
 export async function fireHealthCheckUnhealthyAlert(
    orgId: string,
    healthCheckId: number,
-    healthCheckName?: string,
+    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "health_check",
+            entityId: healthCheckId,
+            orgId: orgId,
+            status: "unhealthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("health_check", healthCheckId);
+
+        await handleResource(orgId, healthCheckTargetId, send, trx);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "health_check_unhealthy",
+            orgId,
+            healthCheckId,
+            data: {
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "health_check_toggle",
+            orgId,
+            healthCheckId,
+            data: {
+                healthCheckId,
+                status: "unhealthy",
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireHealthCheckUnhealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
+            err
+        );
+    }
 }

 export async function fireHealthCheckUnknownAlert(
@@ -31,7 +157,137 @@ export async function fireHealthCheckUnknownAlert(
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "health_check",
+            entityId: healthCheckId,
+            orgId: orgId,
+            status: "unknown",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("health_check", healthCheckId);
+
+        await handleResource(orgId, healthCheckTargetId, send, trx);
+
+        if (!send) {
+            return;
+        }
+    } catch (err) {
+        logger.error(
+            `fireHealthCheckUnknownAlert: unexpected error for healthCheckId ${healthCheckId}`,
+            err
+        );
+    }
+}
+
+async function handleResource(
+    orgId: string,
+    healthCheckTargetId?: number | null,
+    send: boolean = true,
+    trx: Transaction | typeof db = db
+) {
+    if (!healthCheckTargetId) {
+        return;
+    }
+    // we have targets lets get them
+    const [target] = await trx
+        .select()
+        .from(targets)
+        .where(eq(targets.targetId, healthCheckTargetId))
+        .limit(1);
+
+    if (!target) {
+        return;
+    }
+
+    const [resource] = await trx
+        .select()
+        .from(resources)
+        .where(eq(resources.resourceId, target.resourceId))
+        .limit(1);
+
+    if (!resource) {
+        return;
+    }
+
+    const otherTargets = await trx
+        .select({ hcHealth: targetHealthCheck.hcHealth })
+        .from(targets)
+        .innerJoin(
+            targetHealthCheck,
+            eq(targetHealthCheck.targetId, targets.targetId)
+        )
+        .where(eq(targets.resourceId, resource.resourceId));
+
+    let health = "healthy";
+    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
+    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
+    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
+
+    if (allUnknown) {
+        logger.debug(
+            `Marking resource ${resource.resourceId} as unknown because all health checks are disabled`
+        );
+        health = "unknown";
+    } else if (allHealthy) {
+        health = "healthy";
+    } else if (allUnhealthy) {
+        logger.debug(
+            `Marking resource ${resource.resourceId} as unhealthy because all targets are unhealthy`
+        );
+        health = "unhealthy";
+    } else {
+        logger.debug(
+            `Marking resource ${resource.resourceId} as degraded because some targets are unhealthy`
+        );
+        health = "degraded";
+    }
+
+    if (health != resource.health) {
+        // it changed
+        await trx
+            .update(resources)
+            .set({ health })
+            .where(eq(resources.resourceId, resource.resourceId));
+
+        if (health === "unknown") {
+            await fireResourceUnknownAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        } else if (health === "unhealthy") {
+            await fireResourceUnhealthyAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        } else if (health === "healthy") {
+            await fireResourceHealthyAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        } else if (health === "degraded") {
+            await fireResourceDegradedAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        }
+    }
 }
--- a/server/lib/alerts/events/resourceEvents.ts
+++ b/server/lib/alerts/events/resourceEvents.ts
@@ -1,26 +1,243 @@
+import logger from "@server/logger";
+import { processAlerts } from "#dynamic/lib/alerts";
+import { db, logsDb, statusHistory, Transaction } from "@server/db";
+import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Fire a `resource_healthy` alert for the given resource.
+ *
+ * Call this after a previously-unhealthy resource has recovered so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
 export async function fireResourceHealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
-): Promise<void> {}
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "healthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);

+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_healthy",
+            orgId,
+            resourceId,
+            data: {
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "healthy",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceHealthyAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
+
+/**
+ * Fire a `resource_unhealthy` alert for the given resource.
+ *
+ * Call this after a resource has been detected as unhealthy so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
 export async function fireResourceUnhealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
-): Promise<void> {}
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "unhealthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);

-export async function fireResourceToggleAlert(
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_unhealthy",
+            orgId,
+            resourceId,
+            data: {
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "unhealthy",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceUnhealthyAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
+
+/**
+ * Fire a `resource_degraded` alert for the given resource.
+ *
+ * Call this after a resource has been detected as degraded so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
+export async function fireResourceDegradedAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
-): Promise<void> {}
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "degraded",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_degraded",
+            orgId,
+            resourceId,
+            data: {
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "degraded",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceDegradedAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
+
+/**
+ * Fire a `resource_unknown` alert for the given resource.
+ *
+ * Call this when all health checks on a resource are disabled so that the
+ * resource status transitions to unknown.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
+export async function fireResourceUnknownAlert(
+    orgId: string,
+    resourceId: number,
+    resourceName?: string | null,
+    extra?: Record<string, unknown>,
+    send: boolean = true,
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "unknown",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "unknown",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceUnknownAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
--- a/server/lib/alerts/events/siteEvents.ts
+++ b/server/lib/alerts/events/siteEvents.ts
@@ -1,21 +1,156 @@
-// stub
+import logger from "@server/logger";
+import { processAlerts } from "#dynamic/lib/alerts";
+import {
+    db,
+    logsDb,
+    statusHistory,
+    targetHealthCheck,
+    Transaction
+} from "@server/db";
+import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
+import { and, eq, inArray } from "drizzle-orm";
+import { fireHealthCheckUnhealthyAlert } from "./healthCheckEvents";

+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Fire a `site_online` alert for the given site.
+ *
+ * Call this after the site has been confirmed reachable / connected so that
+ * any matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId    - Organisation that owns the site.
+ * @param siteId   - Numeric primary key of the site.
+ * @param siteName - Human-readable name shown in notifications (optional).
+ * @param extra    - Any additional key/value pairs to include in the payload.
+ */
 export async function fireSiteOnlineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "site",
+            entityId: siteId,
+            orgId: orgId,
+            status: "online",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("site", siteId);
+
+        await processAlerts({
+            eventType: "site_online",
+            orgId,
+            siteId,
+            data: {
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "site_toggle",
+            orgId,
+            siteId,
+            data: {
+                siteId,
+                status: "online",
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireSiteOnlineAlert: unexpected error for siteId ${siteId}`,
+            err
+        );
+    }
 }

+/**
+ * Fire a `site_offline` alert for the given site.
+ *
+ * Call this after the site has been detected as unreachable / disconnected so
+ * that any matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId    - Organisation that owns the site.
+ * @param siteId   - Numeric primary key of the site.
+ * @param siteName - Human-readable name shown in notifications (optional).
+ * @param extra    - Any additional key/value pairs to include in the payload.
+ */
 export async function fireSiteOfflineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
-}
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "site",
+            entityId: siteId,
+            orgId: orgId,
+            status: "offline",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("site", siteId);
+
+        const unhealthyHealthChecks = await trx
+            .update(targetHealthCheck)
+            .set({ hcHealth: "unhealthy" })
+            .where(
+                and(
+                    eq(targetHealthCheck.orgId, orgId),
+                    eq(targetHealthCheck.siteId, siteId),
+                    eq(targetHealthCheck.hcEnabled, true) // only effect the ones that are enabled
+                )
+            )
+            .returning();
+
+        for (const healthCheck of unhealthyHealthChecks) {
+            logger.info(
+                `Marking health check ${healthCheck.targetHealthCheckId} unhealthy due to site ${siteId} being marked offline`
+            );
+
+            await fireHealthCheckUnhealthyAlert(
+                healthCheck.orgId,
+                healthCheck.targetHealthCheckId,
+                healthCheck.name,
+                healthCheck.targetId, // for the resource if we have one
+                undefined,
+                true,
+                trx
+            );
+        }
+
+        await processAlerts({
+            eventType: "site_offline",
+            orgId,
+            siteId,
+            data: {
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "site_toggle",
+            orgId,
+            siteId,
+            data: {
+                siteId,
+                status: "offline",
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireSiteOfflineAlert: unexpected error for siteId ${siteId}`,
+            err
+        );
+    }
+}
--- a/server/lib/alerts/index.ts
+++ b/server/lib/alerts/index.ts
@@ -1,3 +1,4 @@
 export * from "./events/siteEvents";
 export * from "./events/healthCheckEvents";
 export * from "./events/resourceEvents";
+export * from "./processAlerts";
--- a/server/lib/alerts/processAlerts.ts
+++ b/server/lib/alerts/processAlerts.ts
@@ -0,0 +1,5 @@
+import { AlertContext } from "@server/routers/alertRule/types";
+
+export async function processAlerts(context: AlertContext): Promise<void> {
+    return;
+}
--- a/server/lib/billing/getOrgTierData.ts
+++ b/server/lib/billing/getOrgTierData.ts
@@ -1,8 +1,9 @@
 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: string | null; active: boolean }> {
+): Promise<{ tier: string | null; active: boolean; isTrial: boolean }> {
    const tier = null;
    const active = false;
+    const isTrial = false;

-    return { tier, active };
+    return { tier, active, isTrial };
 }
--- a/server/lib/billing/limitSet.ts
+++ b/server/lib/billing/limitSet.ts
@@ -25,7 +25,7 @@ export const tier1LimitSet: LimitSet = {

 export const tier2LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 100,
+        value: 50,
        description: "Team limit"
    },
    [FeatureId.SITES]: {
@@ -48,7 +48,7 @@ export const tier2LimitSet: LimitSet = {

 export const tier3LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 500,
+        value: 250,
        description: "Business limit"
    },
    [FeatureId.SITES]: {
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -131,41 +131,22 @@ export async function updateClientResources(
            : [];

        const allSites: { siteId: number }[] = [];
+
        if (resourceData.site) {
-            let siteSingle;
-            const resourceSiteId = resourceData.site;
-
-            if (resourceSiteId) {
-                // Look up site by niceId
-                [siteSingle] = await trx
-                    .select({ siteId: sites.siteId })
-                    .from(sites)
-                    .where(
-                        and(
-                            eq(sites.niceId, resourceSiteId),
-                            eq(sites.orgId, orgId)
-                        )
+            // Look up site by niceId
+            const [siteSingle] = await trx
+                .select({ siteId: sites.siteId })
+                .from(sites)
+                .where(
+                    and(
+                        eq(sites.niceId, resourceData.site),
+                        eq(sites.orgId, orgId)
                    )
-                    .limit(1);
-            } else if (siteId) {
-                // Use the provided siteId directly, but verify it belongs to the org
-                [siteSingle] = await trx
-                    .select({ siteId: sites.siteId })
-                    .from(sites)
-                    .where(
-                        and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
-                    )
-                    .limit(1);
-            } else {
-                throw new Error(`Target site is required`);
+                )
+                .limit(1);
+            if (siteSingle) {
+                allSites.push(siteSingle);
            }
-
-            if (!siteSingle) {
-                throw new Error(
-                    `Site not found: ${resourceSiteId} in org ${orgId}`
-                );
-            }
-            allSites.push(siteSingle);
        }

        if (resourceData.sites) {
@@ -180,15 +161,31 @@ export async function updateClientResources(
                        )
                    )
                    .limit(1);
-                if (!site) {
-                    throw new Error(
-                        `Site not found: ${siteId} in org ${orgId}`
-                    );
+                if (site) {
+                    allSites.push(site);
                }
-                allSites.push(site);
            }
        }

+        if (siteId && allSites.length === 0) {
+            // only add if there are not provided sites
+            // Use the provided siteId directly, but verify it belongs to the org
+            const [siteSingle] = await trx
+                .select({ siteId: sites.siteId })
+                .from(sites)
+                .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
+                .limit(1);
+            if (siteSingle) {
+                allSites.push(siteSingle);
+            }
+        }
+
+        if (allSites.length === 0) {
+            throw new Error(
+                `No valid sites found for private private resource ${resourceNiceId} in org ${orgId}`
+            );
+        }
+
        if (existingResource) {
            let domainInfo:
                | { subdomain: string | null; domainId: string }
@@ -364,7 +361,7 @@ export async function updateClientResources(
        } else {
            let aliasAddress: string | null = null;
            if (resourceData.mode === "host" || resourceData.mode === "http") {
-                aliasAddress = await getNextAvailableAliasAddress(orgId);
+                aliasAddress = await getNextAvailableAliasAddress(orgId, trx);
            }

            let domainInfo:
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -34,7 +34,7 @@ import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
 import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { fireHealthCheckUnknownAlert } from "#dynamic/lib/alerts";
+import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
 import { tierMatrix } from "../billing/tierMatrix";

 export type ProxyResourcesResults = {
@@ -165,7 +165,8 @@ export async function updateProxyResources(
                    hcStatus: healthcheckData?.status,
                    hcHealth: "unknown",
                    hcHealthyThreshold: healthcheckData?.["healthy-threshold"],
-                    hcUnhealthyThreshold: healthcheckData?.["unhealthy-threshold"]
+                    hcUnhealthyThreshold:
+                        healthcheckData?.["unhealthy-threshold"]
                })
                .returning();

@@ -544,8 +545,10 @@ export async function updateProxyResources(
                                healthcheckData?.["follow-redirects"],
                            hcMethod: healthcheckData?.method,
                            hcStatus: healthcheckData?.status,
-                            hcHealthyThreshold: healthcheckData?.["healthy-threshold"],
-                            hcUnhealthyThreshold: healthcheckData?.["unhealthy-threshold"]
+                            hcHealthyThreshold:
+                                healthcheckData?.["healthy-threshold"],
+                            hcUnhealthyThreshold:
+                                healthcheckData?.["unhealthy-threshold"]
                        })
                        .where(
                            eq(
@@ -1120,8 +1123,10 @@ function checkIfHealthcheckChanged(
        JSON.stringify(incoming.hcHeaders)
    )
        return true;
-    if (existing.hcHealthyThreshold !== incoming.hcHealthyThreshold) return true;
-    if (existing.hcUnhealthyThreshold !== incoming.hcUnhealthyThreshold) return true;
+    if (existing.hcHealthyThreshold !== incoming.hcHealthyThreshold)
+        return true;
+    if (existing.hcUnhealthyThreshold !== incoming.hcUnhealthyThreshold)
+        return true;

    return false;
 }
@@ -1184,7 +1189,11 @@ async function getDomainId(
    orgId: string,
    fullDomain: string,
    trx: Transaction
-): Promise<{ subdomain: string | null; domainId: string; wildcard: boolean } | null> {
+): Promise<{
+    subdomain: string | null;
+    domainId: string;
+    wildcard: boolean;
+} | null> {
    const isWildcardFullDomain = fullDomain.startsWith("*.");

    const possibleDomains = await trx
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -28,6 +28,159 @@ export async function calculateUserClientsForOrgs(
    trx?: Transaction
 ): Promise<void> {
    const execute = async (transaction: Transaction) => {
+        const orgCache = new Map<string, typeof orgs.$inferSelect | null>();
+        const adminRoleCache = new Map<
+            string,
+            typeof roles.$inferSelect | null
+        >();
+        const exitNodesCache = new Map<
+            string,
+            Awaited<ReturnType<typeof listExitNodes>>
+        >();
+        const isOrgLicensedCache = new Map<string, boolean>();
+        const existingClientCache = new Map<
+            string,
+            typeof clients.$inferSelect | null
+        >();
+        const roleClientAccessCache = new Map<string, boolean>();
+        const userClientAccessCache = new Map<string, boolean>();
+
+        const getOrgOlmKey = (orgId: string, olmId: string) =>
+            `${orgId}:${olmId}`;
+        const getRoleClientKey = (roleId: number, clientId: number) =>
+            `${roleId}:${clientId}`;
+        const getUserClientKey = (cachedUserId: string, clientId: number) =>
+            `${cachedUserId}:${clientId}`;
+
+        const getOrg = async (orgId: string) => {
+            if (orgCache.has(orgId)) {
+                return orgCache.get(orgId) ?? null;
+            }
+
+            const [org] = await transaction
+                .select()
+                .from(orgs)
+                .where(eq(orgs.orgId, orgId));
+            orgCache.set(orgId, org ?? null);
+
+            return org ?? null;
+        };
+
+        const getAdminRole = async (orgId: string) => {
+            if (adminRoleCache.has(orgId)) {
+                return adminRoleCache.get(orgId) ?? null;
+            }
+
+            const [adminRole] = await transaction
+                .select()
+                .from(roles)
+                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+                .limit(1);
+            adminRoleCache.set(orgId, adminRole ?? null);
+
+            return adminRole ?? null;
+        };
+
+        const getExitNodes = async (orgId: string) => {
+            if (exitNodesCache.has(orgId)) {
+                return exitNodesCache.get(orgId)!;
+            }
+
+            const exitNodes = await listExitNodes(orgId);
+            exitNodesCache.set(orgId, exitNodes);
+
+            return exitNodes;
+        };
+
+        const getIsOrgLicensed = async (orgId: string) => {
+            if (isOrgLicensedCache.has(orgId)) {
+                return isOrgLicensedCache.get(orgId)!;
+            }
+
+            const isOrgLicensed = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.deviceApprovals
+            );
+            isOrgLicensedCache.set(orgId, isOrgLicensed);
+
+            return isOrgLicensed;
+        };
+
+        const getExistingClient = async (orgId: string, olmId: string) => {
+            const key = getOrgOlmKey(orgId, olmId);
+            if (existingClientCache.has(key)) {
+                return existingClientCache.get(key) ?? null;
+            }
+
+            const [existingClient] = await transaction
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.userId, userId),
+                        eq(clients.orgId, orgId),
+                        eq(clients.olmId, olmId)
+                    )
+                )
+                .limit(1);
+
+            existingClientCache.set(key, existingClient ?? null);
+
+            return existingClient ?? null;
+        };
+
+        const hasRoleClientAccess = async (
+            roleId: number,
+            clientId: number
+        ) => {
+            const key = getRoleClientKey(roleId, clientId);
+            if (roleClientAccessCache.has(key)) {
+                return roleClientAccessCache.get(key)!;
+            }
+
+            const [existingRoleClient] = await transaction
+                .select()
+                .from(roleClients)
+                .where(
+                    and(
+                        eq(roleClients.roleId, roleId),
+                        eq(roleClients.clientId, clientId)
+                    )
+                )
+                .limit(1);
+
+            const hasAccess = Boolean(existingRoleClient);
+            roleClientAccessCache.set(key, hasAccess);
+
+            return hasAccess;
+        };
+
+        const hasUserClientAccess = async (
+            cachedUserId: string,
+            clientId: number
+        ) => {
+            const key = getUserClientKey(cachedUserId, clientId);
+            if (userClientAccessCache.has(key)) {
+                return userClientAccessCache.get(key)!;
+            }
+
+            const [existingUserClient] = await transaction
+                .select()
+                .from(userClients)
+                .where(
+                    and(
+                        eq(userClients.userId, cachedUserId),
+                        eq(userClients.clientId, clientId)
+                    )
+                )
+                .limit(1);
+
+            const hasAccess = Boolean(existingUserClient);
+            userClientAccessCache.set(key, hasAccess);
+
+            return hasAccess;
+        };
+
        // Get all OLMs for this user
        const userOlms = await transaction
            .select()
@@ -54,7 +207,9 @@ export async function calculateUserClientsForOrgs(
            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
            .where(eq(userOrgs.userId, userId));

-        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
+        const userOrgIds = [
+            ...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))
+        ];
        const orgIdToRoleRows = new Map<
            string,
            (typeof userOrgRoleRows)[0][]
@@ -64,6 +219,13 @@ export async function calculateUserClientsForOrgs(
            list.push(r);
            orgIdToRoleRows.set(r.userOrgs.orgId, list);
        }
+        const orgRequiresDeviceApprovalRole = new Map<string, boolean>();
+        for (const [orgId, roleRowsForOrg] of orgIdToRoleRows.entries()) {
+            orgRequiresDeviceApprovalRole.set(
+                orgId,
+                roleRowsForOrg.some((r) => r.roles.requireDeviceApproval)
+            );
+        }

        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
@@ -71,10 +233,7 @@ export async function calculateUserClientsForOrgs(
                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
                const userOrg = roleRowsForOrg[0].userOrgs;

-                const [org] = await transaction
-                    .select()
-                    .from(orgs)
-                    .where(eq(orgs.orgId, orgId));
+                const org = await getOrg(orgId);

                if (!org) {
                    logger.warn(
@@ -91,11 +250,7 @@ export async function calculateUserClientsForOrgs(
                }

                // Get admin role for this org (needed for access grants)
-                const [adminRole] = await transaction
-                    .select()
-                    .from(roles)
-                    .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
-                    .limit(1);
+                const adminRole = await getAdminRole(orgId);

                if (!adminRole) {
                    logger.warn(
@@ -105,64 +260,50 @@ export async function calculateUserClientsForOrgs(
                }

                // Check if a client already exists for this OLM+user+org combination
-                const [existingClient] = await transaction
-                    .select()
-                    .from(clients)
-                    .where(
-                        and(
-                            eq(clients.userId, userId),
-                            eq(clients.orgId, orgId),
-                            eq(clients.olmId, olm.olmId)
-                        )
-                    )
-                    .limit(1);
+                const existingClient = await getExistingClient(
+                    orgId,
+                    olm.olmId
+                );

                if (existingClient) {
                    // Ensure admin role has access to the client
-                    const [existingRoleClient] = await transaction
-                        .select()
-                        .from(roleClients)
-                        .where(
-                            and(
-                                eq(roleClients.roleId, adminRole.roleId),
-                                eq(
-                                    roleClients.clientId,
-                                    existingClient.clientId
-                                )
-                            )
-                        )
-                        .limit(1);
+                    const hasRoleAccess = await hasRoleClientAccess(
+                        adminRole.roleId,
+                        existingClient.clientId
+                    );

-                    if (!existingRoleClient) {
+                    if (!hasRoleAccess) {
                        await transaction.insert(roleClients).values({
                            roleId: adminRole.roleId,
                            clientId: existingClient.clientId
                        });
+                        roleClientAccessCache.set(
+                            getRoleClientKey(
+                                adminRole.roleId,
+                                existingClient.clientId
+                            ),
+                            true
+                        );
                        logger.debug(
                            `Granted admin role access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
                        );
                    }

                    // Ensure user has access to the client
-                    const [existingUserClient] = await transaction
-                        .select()
-                        .from(userClients)
-                        .where(
-                            and(
-                                eq(userClients.userId, userId),
-                                eq(
-                                    userClients.clientId,
-                                    existingClient.clientId
-                                )
-                            )
-                        )
-                        .limit(1);
+                    const hasUserAccess = await hasUserClientAccess(
+                        userId,
+                        existingClient.clientId
+                    );

-                    if (!existingUserClient) {
+                    if (!hasUserAccess) {
                        await transaction.insert(userClients).values({
                            userId,
                            clientId: existingClient.clientId
                        });
+                        userClientAccessCache.set(
+                            getUserClientKey(userId, existingClient.clientId),
+                            true
+                        );
                        logger.debug(
                            `Granted user access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
                        );
@@ -175,7 +316,7 @@ export async function calculateUserClientsForOrgs(
                }

                // Get exit nodes for this org
-                const exitNodesList = await listExitNodes(orgId);
+                const exitNodesList = await getExitNodes(orgId);

                if (exitNodesList.length === 0) {
                    logger.warn(
@@ -206,14 +347,11 @@ export async function calculateUserClientsForOrgs(

                const niceId = await getUniqueClientName(orgId);

-                const isOrgLicensed = await isLicensedOrSubscribed(
-                    userOrg.orgId,
-                    tierMatrix.deviceApprovals
-                );
+                const isOrgLicensed = await getIsOrgLicensed(userOrg.orgId);
                const requireApproval =
                    build !== "oss" &&
                    isOrgLicensed &&
-                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
+                    orgRequiresDeviceApprovalRole.get(orgId) === true;

                const newClientData: InferInsertModel<typeof clients> = {
                    userId,
@@ -232,6 +370,10 @@ export async function calculateUserClientsForOrgs(
                    .insert(clients)
                    .values(newClientData)
                    .returning();
+                existingClientCache.set(
+                    getOrgOlmKey(orgId, olm.olmId),
+                    newClient
+                );

                // create approval request
                if (requireApproval) {
@@ -257,12 +399,20 @@ export async function calculateUserClientsForOrgs(
                    roleId: adminRole.roleId,
                    clientId: newClient.clientId
                });
+                roleClientAccessCache.set(
+                    getRoleClientKey(adminRole.roleId, newClient.clientId),
+                    true
+                );

                // Grant user access to the client
                await transaction.insert(userClients).values({
                    userId,
                    clientId: newClient.clientId
                });
+                userClientAccessCache.set(
+                    getUserClientKey(userId, newClient.clientId),
+                    true
+                );

                logger.debug(
                    `Created client for OLM ${olm.olmId} in org ${orgId} (user ${userId}) with access granted to admin role and user`
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.18.0";
+export const APP_VERSION = "1.18.3";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -6,6 +6,7 @@ import z from "zod";
 import logger from "@server/logger";
 import semver from "semver";
 import { getValidCertificatesForDomains } from "#dynamic/lib/certificates";
+import { lockManager } from "#dynamic/lib/lock";

 interface IPRange {
    start: bigint;
@@ -327,120 +328,146 @@ export async function getNextAvailableClientSubnet(
    orgId: string,
    transaction: Transaction | typeof db = db
 ): Promise<string> {
-    const [org] = await transaction
-        .select()
-        .from(orgs)
-        .where(eq(orgs.orgId, orgId));
+    return await lockManager.withLock(
+        `client-subnet-allocation:${orgId}`,
+        async () => {
+            const [org] = await transaction
+                .select()
+                .from(orgs)
+                .where(eq(orgs.orgId, orgId));

-    if (!org) {
-        throw new Error(`Organization with ID ${orgId} not found`);
-    }
+            if (!org) {
+                throw new Error(`Organization with ID ${orgId} not found`);
+            }

-    if (!org.subnet) {
-        throw new Error(`Organization with ID ${orgId} has no subnet defined`);
-    }
+            if (!org.subnet) {
+                throw new Error(
+                    `Organization with ID ${orgId} has no subnet defined`
+                );
+            }

-    const existingAddressesSites = await transaction
-        .select({
-            address: sites.address
-        })
-        .from(sites)
-        .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));
+            const existingAddressesSites = await transaction
+                .select({
+                    address: sites.address
+                })
+                .from(sites)
+                .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));

-    const existingAddressesClients = await transaction
-        .select({
-            address: clients.subnet
-        })
-        .from(clients)
-        .where(and(isNotNull(clients.subnet), eq(clients.orgId, orgId)));
+            const existingAddressesClients = await transaction
+                .select({
+                    address: clients.subnet
+                })
+                .from(clients)
+                .where(
+                    and(isNotNull(clients.subnet), eq(clients.orgId, orgId))
+                );

-    const addresses = [
-        ...existingAddressesSites.map(
-            (site) => `${site.address?.split("/")[0]}/32`
-        ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
-        ...existingAddressesClients.map(
-            (client) => `${client.address.split("/")}/32`
-        )
-    ].filter((address) => address !== null) as string[];
+            const addresses = [
+                ...existingAddressesSites.map(
+                    (site) => `${site.address?.split("/")[0]}/32`
+                ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
+                ...existingAddressesClients.map(
+                    (client) => `${client.address.split("/")}/32`
+                )
+            ].filter((address) => address !== null) as string[];

-    const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
-    if (!subnet) {
-        throw new Error("No available subnets remaining in space");
-    }
+            const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
+            if (!subnet) {
+                throw new Error("No available subnets remaining in space");
+            }

-    return subnet;
+            return subnet;
+        }
+    );
 }

 export async function getNextAvailableAliasAddress(
-    orgId: string
+    orgId: string,
+    trx: Transaction | typeof db = db
 ): Promise<string> {
-    const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
+    return await lockManager.withLock(
+        `alias-address-allocation:${orgId}`,
+        async () => {
+            const [org] = await trx
+                .select()
+                .from(orgs)
+                .where(eq(orgs.orgId, orgId));

-    if (!org) {
-        throw new Error(`Organization with ID ${orgId} not found`);
-    }
+            if (!org) {
+                throw new Error(`Organization with ID ${orgId} not found`);
+            }

-    if (!org.subnet) {
-        throw new Error(`Organization with ID ${orgId} has no subnet defined`);
-    }
+            if (!org.subnet) {
+                throw new Error(
+                    `Organization with ID ${orgId} has no subnet defined`
+                );
+            }

-    if (!org.utilitySubnet) {
-        throw new Error(
-            `Organization with ID ${orgId} has no utility subnet defined`
-        );
-    }
+            if (!org.utilitySubnet) {
+                throw new Error(
+                    `Organization with ID ${orgId} has no utility subnet defined`
+                );
+            }

-    const existingAddresses = await db
-        .select({
-            aliasAddress: siteResources.aliasAddress
-        })
-        .from(siteResources)
-        .where(
-            and(
-                isNotNull(siteResources.aliasAddress),
-                eq(siteResources.orgId, orgId)
-            )
-        );
+            const existingAddresses = await trx
+                .select({
+                    aliasAddress: siteResources.aliasAddress
+                })
+                .from(siteResources)
+                .where(
+                    and(
+                        isNotNull(siteResources.aliasAddress),
+                        eq(siteResources.orgId, orgId)
+                    )
+                );

-    const addresses = [
-        ...existingAddresses.map(
-            (site) => `${site.aliasAddress?.split("/")[0]}/32`
-        ),
-        // reserve a /29 for the dns server and other stuff
-        `${org.utilitySubnet.split("/")[0]}/29`
-    ].filter((address) => address !== null) as string[];
+            const addresses = [
+                ...existingAddresses.map(
+                    (site) => `${site.aliasAddress?.split("/")[0]}/32`
+                ),
+                // reserve a /29 for the dns server and other stuff
+                `${org.utilitySubnet.split("/")[0]}/29`
+            ].filter((address) => address !== null) as string[];

-    let subnet = findNextAvailableCidr(addresses, 32, org.utilitySubnet);
-    if (!subnet) {
-        throw new Error("No available subnets remaining in space");
-    }
+            let subnet = findNextAvailableCidr(
+                addresses,
+                32,
+                org.utilitySubnet
+            );
+            if (!subnet) {
+                throw new Error("No available subnets remaining in space");
+            }

-    // remove the cidr
-    subnet = subnet.split("/")[0];
+            // remove the cidr
+            subnet = subnet.split("/")[0];

-    return subnet;
+            return subnet;
+        }
+    );
 }

 export async function getNextAvailableOrgSubnet(): Promise<string> {
-    const existingAddresses = await db
-        .select({
-            subnet: orgs.subnet
-        })
-        .from(orgs)
-        .where(isNotNull(orgs.subnet));
+    return await lockManager.withLock("org-subnet-allocation", async () => {
+        const existingAddresses = await db
+            .select({
+                subnet: orgs.subnet
+            })
+            .from(orgs)
+            .where(isNotNull(orgs.subnet));

-    const addresses = existingAddresses.map((org) => org.subnet!);
+        const addresses = existingAddresses.map((org) => org.subnet!);

-    const subnet = findNextAvailableCidr(
-        addresses,
-        config.getRawConfig().orgs.block_size,
-        config.getRawConfig().orgs.subnet_group
-    );
-    if (!subnet) {
-        throw new Error("No available subnets remaining in space");
-    }
+        const subnet = findNextAvailableCidr(
+            addresses,
+            config.getRawConfig().orgs.block_size,
+            config.getRawConfig().orgs.subnet_group
+        );
+        if (!subnet) {
+            throw new Error("No available subnets remaining in space");
+        }

-    return subnet;
+        return subnet;
+    });
 }

 export function generateRemoteSubnets(
@@ -478,7 +505,12 @@ export type Alias = { alias: string | null; aliasAddress: string | null };

 export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
    return allSiteResources
-        .filter((sr) => sr.aliasAddress && ((sr.alias && sr.mode == "host") || (sr.fullDomain && sr.mode == "http")))
+        .filter(
+            (sr) =>
+                sr.aliasAddress &&
+                ((sr.alias && sr.mode == "host") ||
+                    (sr.fullDomain && sr.mode == "http"))
+        )
        .map((sr) => ({
            alias: sr.alias || sr.fullDomain,
            aliasAddress: sr.aliasAddress
--- a/server/lib/statusHistory.ts
+++ b/server/lib/statusHistory.ts
@@ -24,8 +24,11 @@ export async function getCachedStatusHistory(
        return cached;
    }

-    const nowSec = Math.floor(Date.now() / 1000);
-    const startSec = nowSec - days * 86400;
+    // Anchor to UTC midnight so the query window aligns with stable calendar days
+    const utcToday = new Date();
+    utcToday.setUTCHours(0, 0, 0, 0);
+    const todayMidnightSec = Math.floor(utcToday.getTime() / 1000);
+    const startSec = todayMidnightSec - days * 86400;

    const events = await logsDb
        .select()
@@ -110,11 +113,18 @@ export function computeBuckets(
    days: number
 ): { buckets: StatusHistoryDayBucket[]; totalDowntime: number } {
    const nowSec = Math.floor(Date.now() / 1000);
+
+    // Anchor bucket boundaries to UTC midnight so dates are stable calendar days
+    // and don't drift as the cache expires and is recomputed
+    const utcToday = new Date();
+    utcToday.setUTCHours(0, 0, 0, 0);
+    const todayMidnightSec = Math.floor(utcToday.getTime() / 1000);
+
    const buckets: StatusHistoryDayBucket[] = [];
    let totalDowntime = 0;

    for (let d = 0; d < days; d++) {
-        const dayStartSec = nowSec - (days - d) * 86400;
+        const dayStartSec = todayMidnightSec - (days - d) * 86400;
        const dayEndSec = dayStartSec + 86400;

        const dayEvents = events.filter(
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -535,6 +535,24 @@ export class TraefikConfigManager {
                        if (match && match[1]) {
                            domains.add(match[1]);
                        }
+                        // Match HostRegexp(`^[^.]+\.parent.domain$`) generated for wildcard resources
+                        const hostRegexpMatch = router.rule.match(
+                            /HostRegexp\(`([^`]+)`\)/
+                        );
+                        if (hostRegexpMatch && hostRegexpMatch[1]) {
+                            const innerRegex = hostRegexpMatch[1];
+                            // Pattern is always ^[^.]+\.PARENT_DOMAIN$ where dots are escaped as \.
+                            const domainMatch = innerRegex.match(
+                                /^\^\[\^\.\]\+\\\.(.+)\$$/
+                            );
+                            if (domainMatch && domainMatch[1]) {
+                                const parentDomain = domainMatch[1].replace(
+                                    /\\\./g,
+                                    "."
+                                );
+                                domains.add(`*.${parentDomain}`);
+                            }
+                        }
                    }
                }
            }
--- a/server/private/lib/acmeCertSync.ts
+++ b/server/private/lib/acmeCertSync.ts
@@ -12,6 +12,7 @@
 */

 import fs from "fs";
+import path from "path";
 import crypto from "crypto";
 import {
    certificates,
@@ -274,12 +275,267 @@ function detectWildcard(
    return { wildcard: false, wildcardSan: null };
 }

+interface HttpCert {
+    wildcard: boolean;
+    altName: string;
+    certName: string;
+    commonName: string;
+    certFile: string;
+    keyFile: string;
+}
+
+async function syncAcmeCertsFromHttp(endpoint: string): Promise<void> {
+    let response: Response;
+    try {
+        response = await fetch(endpoint);
+    } catch (err) {
+        logger.debug(
+            `acmeCertSync: could not reach HTTP endpoint ${endpoint}: ${err}`
+        );
+        return;
+    }
+
+    if (!response.ok) {
+        logger.debug(
+            `acmeCertSync: HTTP endpoint returned status ${response.status}`
+        );
+        return;
+    }
+
+    let httpCerts: HttpCert[];
+    try {
+        httpCerts = await response.json();
+    } catch (err) {
+        logger.debug(
+            `acmeCertSync: could not parse JSON from HTTP endpoint: ${err}`
+        );
+        return;
+    }
+
+    if (!Array.isArray(httpCerts) || httpCerts.length === 0) {
+        logger.debug(
+            `acmeCertSync: no certificates returned from HTTP endpoint`
+        );
+        return;
+    }
+
+    for (const cert of httpCerts) {
+        const domain = cert?.certName;
+
+        if (!domain || typeof domain !== "string") {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert with missing certName`
+            );
+            continue;
+        }
+
+        const certPem = cert.certFile;
+        const keyPem = cert.keyFile;
+
+        if (!certPem?.trim() || !keyPem?.trim()) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - empty certFile or keyFile`
+            );
+            continue;
+        }
+
+        const firstCertPemForValidation = extractFirstCert(certPem);
+        if (!firstCertPemForValidation) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - no PEM certificate block found`
+            );
+            continue;
+        }
+
+        let validatedX509: crypto.X509Certificate;
+        try {
+            validatedX509 = new crypto.X509Certificate(
+                firstCertPemForValidation
+            );
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - invalid X.509 certificate: ${err}`
+            );
+            continue;
+        }
+
+        try {
+            crypto.createPrivateKey(keyPem);
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - invalid private key: ${err}`
+            );
+            continue;
+        }
+
+        const wildcard = cert.wildcard ?? false;
+
+        const existing = await db
+            .select()
+            .from(certificates)
+            .where(eq(certificates.domain, domain))
+            .limit(1);
+
+        let oldCertPem: string | null = null;
+        let oldKeyPem: string | null = null;
+
+        if (existing.length > 0 && existing[0].certFile) {
+            try {
+                const storedCertPem = decrypt(
+                    existing[0].certFile,
+                    config.getRawConfig().server.secret!
+                );
+                const wildcardUnchanged = existing[0].wildcard === wildcard;
+                if (storedCertPem === certPem && wildcardUnchanged) {
+                    continue;
+                }
+                oldCertPem = storedCertPem;
+                if (existing[0].keyFile) {
+                    try {
+                        oldKeyPem = decrypt(
+                            existing[0].keyFile,
+                            config.getRawConfig().server.secret!
+                        );
+                    } catch (keyErr) {
+                        logger.debug(
+                            `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
+                        );
+                    }
+                }
+            } catch (err) {
+                logger.debug(
+                    `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
+                );
+            }
+        }
+
+        let expiresAt: number | null = null;
+        try {
+            expiresAt = Math.floor(
+                new Date(validatedX509.validTo).getTime() / 1000
+            );
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
+            );
+        }
+
+        const encryptedCert = encrypt(
+            certPem,
+            config.getRawConfig().server.secret!
+        );
+        const encryptedKey = encrypt(
+            keyPem,
+            config.getRawConfig().server.secret!
+        );
+        const now = Math.floor(Date.now() / 1000);
+
+        const domainId = await findDomainId(domain);
+        if (domainId) {
+            logger.debug(
+                `acmeCertSync: resolved domainId "${domainId}" for HTTP cert domain "${domain}"`
+            );
+        } else {
+            logger.debug(
+                `acmeCertSync: no matching domain record found for HTTP cert domain "${domain}"`
+            );
+        }
+
+        if (existing.length > 0) {
+            logger.debug(
+                `acmeCertSync: updating existing certificate (HTTP) for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+            await db
+                .update(certificates)
+                .set({
+                    certFile: encryptedCert,
+                    keyFile: encryptedKey,
+                    status: "valid",
+                    expiresAt,
+                    updatedAt: now,
+                    wildcard,
+                    ...(domainId !== null && { domainId })
+                })
+                .where(eq(certificates.domain, domain));
+
+            await pushCertUpdateToAffectedNewts(
+                domain,
+                domainId,
+                oldCertPem,
+                oldKeyPem
+            );
+        } else {
+            logger.debug(
+                `acmeCertSync: inserting new certificate (HTTP) for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+            await db.insert(certificates).values({
+                domain,
+                domainId,
+                certFile: encryptedCert,
+                keyFile: encryptedKey,
+                status: "valid",
+                expiresAt,
+                createdAt: now,
+                updatedAt: now,
+                wildcard
+            });
+
+            await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
+        }
+    }
+}
+
+function findAcmeJsonFiles(dirPath: string): string[] {
+    const results: string[] = [];
+    let entries: fs.Dirent[];
+    try {
+        entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    } catch (err) {
+        logger.warn(
+            `acmeCertSync: could not read directory "${dirPath}": ${err}`
+        );
+        return results;
+    }
+    for (const entry of entries) {
+        const fullPath = path.join(dirPath, entry.name);
+        if (entry.isDirectory()) {
+            results.push(...findAcmeJsonFiles(fullPath));
+        } else if (entry.isFile()) {
+            // check if it is a json file
+            if (entry.name.endsWith(".json")) {
+                let raw: string;
+                try {
+                    raw = fs.readFileSync(fullPath, "utf8");
+                } catch (err) {
+                    logger.warn(
+                        `acmeCertSync: could not read file "${fullPath}": ${err}`
+                    );
+                    continue;
+                }
+
+                let parsed: any;
+                try {
+                    parsed = JSON.parse(raw);
+                } catch (err) {
+                    logger.warn(
+                        `acmeCertSync: could not parse "${fullPath}" as JSON: ${err}`
+                    );
+                    continue;
+                }
+            }
+
+            results.push(fullPath);
+        }
+    }
+    return results;
+}
+
 async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
    let raw: string;
    try {
        raw = fs.readFileSync(acmeJsonPath, "utf8");
    } catch (err) {
-        logger.debug(`acmeCertSync: could not read ${acmeJsonPath}: ${err}`);
+        logger.warn(`acmeCertSync: could not read "${acmeJsonPath}": ${err}`);
        return;
    }

@@ -287,7 +543,9 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
    try {
        acmeJson = JSON.parse(raw);
    } catch (err) {
-        logger.debug(`acmeCertSync: could not parse acme.json: ${err}`);
+        logger.warn(
+            `acmeCertSync: could not parse "${acmeJsonPath}" as JSON: ${err}`
+        );
        return;
    }

@@ -389,11 +647,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
        const existing = await db
            .select()
            .from(certificates)
-            .where(
-                and(
-                    eq(certificates.domain, domain)
-                )
-            )
+            .where(and(eq(certificates.domain, domain)))
            .limit(1);

        let oldCertPem: string | null = null;
@@ -408,7 +662,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
                const wildcardUnchanged = existing[0].wildcard === wildcard;
                if (storedCertPem === certPem && wildcardUnchanged) {
                    // logger.debug(
-                        // `acmeCertSync: cert for ${domain} is unchanged, skipping`
+                    // `acmeCertSync: cert for ${domain} is unchanged, skipping`
                    // );
                    continue;
                }
@@ -547,19 +801,62 @@ export function initAcmeCertSync(): void {
        privateConfigData.acme?.acme_json_path ??
        "config/letsencrypt/acme.json";
    const intervalMs = privateConfigData.acme?.sync_interval_ms ?? 5000;
+    const httpEndpoint = privateConfigData.acme?.acme_http_endpoint;

    logger.debug(
        `acmeCertSync: starting ACME cert sync from "${acmeJsonPath}" across all resolvers every ${intervalMs}ms`
    );
+    if (httpEndpoint) {
+        logger.debug(
+            `acmeCertSync: also syncing from HTTP endpoint "${httpEndpoint}" every ${intervalMs}ms`
+        );
+    }
+
+    const runSync = () => {
+        if (httpEndpoint) {
+            syncAcmeCertsFromHttp(httpEndpoint).catch((err) => {
+                logger.error(`acmeCertSync: error during HTTP sync: ${err}`);
+            });
+        } else {
+            // only run the file-based sync if the HTTP endpoint is not configured, to avoid doubling up
+            let stat: fs.Stats | null = null;
+            try {
+                stat = fs.statSync(acmeJsonPath);
+            } catch (err) {
+                logger.warn(
+                    `acmeCertSync: cannot stat path "${acmeJsonPath}": ${err}`
+                );
+                return;
+            }
+
+            if (stat.isDirectory()) {
+                const files = findAcmeJsonFiles(acmeJsonPath);
+                if (files.length === 0) {
+                    logger.debug(
+                        `acmeCertSync: no acme.json files found in directory "${acmeJsonPath}"`
+                    );
+                    return;
+                }
+                logger.debug(
+                    `acmeCertSync: found ${files.length} acme.json file(s) in directory "${acmeJsonPath}"`
+                );
+                for (const file of files) {
+                    syncAcmeCerts(file).catch((err) => {
+                        logger.error(
+                            `acmeCertSync: error during sync of "${file}": ${err}`
+                        );
+                    });
+                }
+            } else {
+                syncAcmeCerts(acmeJsonPath).catch((err) => {
+                    logger.error(`acmeCertSync: error during sync: ${err}`);
+                });
+            }
+        }
+    };

    // Run immediately on init, then on the configured interval
-    syncAcmeCerts(acmeJsonPath).catch((err) => {
-        logger.error(`acmeCertSync: error during initial sync: ${err}`);
-    });
+    runSync();

-    setInterval(() => {
-        syncAcmeCerts(acmeJsonPath).catch((err) => {
-            logger.error(`acmeCertSync: error during sync: ${err}`);
-        });
-    }, intervalMs);
+    setInterval(runSync, intervalMs);
 }
--- a/server/private/lib/alerts/events/healthCheckEvents.ts
+++ b/server/private/lib/alerts/events/healthCheckEvents.ts
@@ -1,306 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import logger from "@server/logger";
-import { processAlerts } from "../processAlerts";
-import {
-    db,
-    statusHistory,
-    targetHealthCheck,
-    targets,
-    resources,
-    Transaction,
-    logsDb
-} from "@server/db";
-import { eq } from "drizzle-orm";
-import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
-import {
-    fireResourceDegradedAlert,
-    fireResourceHealthyAlert,
-    fireResourceUnhealthyAlert,
-    fireResourceUnknownAlert
-} from "./resourceEvents";
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Fire a `health_check_healthy` alert for the given health check.
- *
- * Call this after a previously-failing health check has recovered so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId         - Organisation that owns the health check.
- * @param healthCheckId - Numeric primary key of the health check.
- * @param healthCheckName - Human-readable name shown in notifications (optional).
- * @param extra         - Any additional key/value pairs to include in the payload.
- */
-export async function fireHealthCheckHealthyAlert(
-    orgId: string,
-    healthCheckId: number,
-    healthCheckName?: string | null,
-    healthCheckTargetId?: number | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "health_check",
-            entityId: healthCheckId,
-            orgId: orgId,
-            status: "healthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("health_check", healthCheckId);
-
-        await handleResource(orgId, healthCheckTargetId, send, trx);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "health_check_healthy",
-            orgId,
-            healthCheckId,
-            data: {
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "health_check_toggle",
-            orgId,
-            healthCheckId,
-            data: {
-                healthCheckId,
-                status: "healthy",
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireHealthCheckHealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `health_check_unhealthy` alert for the given health check.
- *
- * Call this after a health check has been detected as failing so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId         - Organisation that owns the health check.
- * @param healthCheckId - Numeric primary key of the health check.
- * @param healthCheckName - Human-readable name shown in notifications (optional).
- * @param extra         - Any additional key/value pairs to include in the payload.
- */
-export async function fireHealthCheckUnhealthyAlert(
-    orgId: string,
-    healthCheckId: number,
-    healthCheckName?: string | null,
-    healthCheckTargetId?: number | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "health_check",
-            entityId: healthCheckId,
-            orgId: orgId,
-            status: "unhealthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("health_check", healthCheckId);
-
-        await handleResource(orgId, healthCheckTargetId, send, trx);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "health_check_unhealthy",
-            orgId,
-            healthCheckId,
-            data: {
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "health_check_toggle",
-            orgId,
-            healthCheckId,
-            data: {
-                healthCheckId,
-                status: "unhealthy",
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireHealthCheckUnhealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
-            err
-        );
-    }
-}
-
-export async function fireHealthCheckUnknownAlert(
-    orgId: string,
-    healthCheckId: number,
-    healthCheckName?: string | null,
-    healthCheckTargetId?: number | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "health_check",
-            entityId: healthCheckId,
-            orgId: orgId,
-            status: "unknown",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("health_check", healthCheckId);
-
-        await handleResource(orgId, healthCheckTargetId, send, trx);
-
-        if (!send) {
-            return;
-        }
-    } catch (err) {
-        logger.error(
-            `fireHealthCheckUnknownAlert: unexpected error for healthCheckId ${healthCheckId}`,
-            err
-        );
-    }
-}
-
-async function handleResource(
-    orgId: string,
-    healthCheckTargetId?: number | null,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-) {
-    if (!healthCheckTargetId) {
-        return;
-    }
-    // we have targets lets get them
-    const [target] = await trx
-        .select()
-        .from(targets)
-        .where(eq(targets.targetId, healthCheckTargetId))
-        .limit(1);
-
-    if (!target) {
-        return;
-    }
-
-    const [resource] = await trx
-        .select()
-        .from(resources)
-        .where(eq(resources.resourceId, target.resourceId))
-        .limit(1);
-
-    if (!resource) {
-        return;
-    }
-
-    const otherTargets = await trx
-        .select({ hcHealth: targetHealthCheck.hcHealth })
-        .from(targets)
-        .innerJoin(
-            targetHealthCheck,
-            eq(targetHealthCheck.targetId, targets.targetId)
-        )
-        .where(eq(targets.resourceId, resource.resourceId));
-
-    let health = "healthy";
-    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
-    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
-    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
-
-    if (allUnknown) {
-        logger.debug(
-            `Marking resource ${resource.resourceId} as unknown because all health checks are disabled`
-        );
-        health = "unknown";
-    } else if (allHealthy) {
-        health = "healthy";
-    } else if (allUnhealthy) {
-        logger.debug(
-            `Marking resource ${resource.resourceId} as unhealthy because all targets are unhealthy`
-        );
-        health = "unhealthy";
-    } else {
-        logger.debug(
-            `Marking resource ${resource.resourceId} as degraded because some targets are unhealthy`
-        );
-        health = "degraded";
-    }
-
-    if (health != resource.health) {
-        // it changed
-        await trx
-            .update(resources)
-            .set({ health })
-            .where(eq(resources.resourceId, resource.resourceId));
-
-        if (health === "unknown") {
-            await fireResourceUnknownAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        } else if (health === "unhealthy") {
-            await fireResourceUnhealthyAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        } else if (health === "healthy") {
-            await fireResourceHealthyAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        } else if (health === "degraded") {
-            await fireResourceDegradedAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        }
-    }
-}
--- a/server/private/lib/alerts/events/resourceEvents.ts
+++ b/server/private/lib/alerts/events/resourceEvents.ts
@@ -1,256 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import logger from "@server/logger";
-import { processAlerts } from "../processAlerts";
-import { db, logsDb, statusHistory, Transaction } from "@server/db";
-import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Fire a `resource_healthy` alert for the given resource.
- *
- * Call this after a previously-unhealthy resource has recovered so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceHealthyAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "healthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_healthy",
-            orgId,
-            resourceId,
-            data: {
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "healthy",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceHealthyAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `resource_unhealthy` alert for the given resource.
- *
- * Call this after a resource has been detected as unhealthy so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceUnhealthyAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "unhealthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_unhealthy",
-            orgId,
-            resourceId,
-            data: {
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "unhealthy",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceUnhealthyAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `resource_degraded` alert for the given resource.
- *
- * Call this after a resource has been detected as degraded so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceDegradedAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "degraded",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_degraded",
-            orgId,
-            resourceId,
-            data: {
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "degraded",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceDegradedAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `resource_unknown` alert for the given resource.
- *
- * Call this when all health checks on a resource are disabled so that the
- * resource status transitions to unknown.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceUnknownAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "unknown",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "unknown",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceUnknownAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
--- a/server/private/lib/alerts/events/siteEvents.ts
+++ b/server/private/lib/alerts/events/siteEvents.ts
@@ -1,169 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import logger from "@server/logger";
-import { processAlerts } from "../processAlerts";
-import {
-    db,
-    logsDb,
-    statusHistory,
-    targetHealthCheck,
-    Transaction
-} from "@server/db";
-import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
-import { and, eq, inArray } from "drizzle-orm";
-import { fireHealthCheckUnhealthyAlert } from "./healthCheckEvents";
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Fire a `site_online` alert for the given site.
- *
- * Call this after the site has been confirmed reachable / connected so that
- * any matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId    - Organisation that owns the site.
- * @param siteId   - Numeric primary key of the site.
- * @param siteName - Human-readable name shown in notifications (optional).
- * @param extra    - Any additional key/value pairs to include in the payload.
- */
-export async function fireSiteOnlineAlert(
-    orgId: string,
-    siteId: number,
-    siteName?: string,
-    extra?: Record<string, unknown>,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "site",
-            entityId: siteId,
-            orgId: orgId,
-            status: "online",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("site", siteId);
-
-        await processAlerts({
-            eventType: "site_online",
-            orgId,
-            siteId,
-            data: {
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "site_toggle",
-            orgId,
-            siteId,
-            data: {
-                siteId,
-                status: "online",
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireSiteOnlineAlert: unexpected error for siteId ${siteId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `site_offline` alert for the given site.
- *
- * Call this after the site has been detected as unreachable / disconnected so
- * that any matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId    - Organisation that owns the site.
- * @param siteId   - Numeric primary key of the site.
- * @param siteName - Human-readable name shown in notifications (optional).
- * @param extra    - Any additional key/value pairs to include in the payload.
- */
-export async function fireSiteOfflineAlert(
-    orgId: string,
-    siteId: number,
-    siteName?: string,
-    extra?: Record<string, unknown>,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "site",
-            entityId: siteId,
-            orgId: orgId,
-            status: "offline",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("site", siteId);
-
-        const unhealthyHealthChecks = await trx
-            .update(targetHealthCheck)
-            .set({ hcHealth: "unhealthy" })
-            .where(
-                and(
-                    eq(targetHealthCheck.orgId, orgId),
-                    eq(targetHealthCheck.siteId, siteId),
-                    eq(targetHealthCheck.hcEnabled, true) // only effect the ones that are enabled
-                )
-            )
-            .returning();
-
-        for (const healthCheck of unhealthyHealthChecks) {
-            logger.info(
-                `Marking health check ${healthCheck.targetHealthCheckId} unhealthy due to site ${siteId} being marked offline`
-            );
-
-            await fireHealthCheckUnhealthyAlert(
-                healthCheck.orgId,
-                healthCheck.targetHealthCheckId,
-                healthCheck.name,
-                healthCheck.targetId, // for the resource if we have one
-                undefined,
-                true,
-                trx
-            );
-        }
-
-        await processAlerts({
-            eventType: "site_offline",
-            orgId,
-            siteId,
-            data: {
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "site_toggle",
-            orgId,
-            siteId,
-            data: {
-                siteId,
-                status: "offline",
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireSiteOfflineAlert: unexpected error for siteId ${siteId}`,
-            err
-        );
-    }
-}
--- a/server/private/lib/alerts/index.ts
+++ b/server/private/lib/alerts/index.ts
@@ -14,6 +14,3 @@
 export * from "./processAlerts";
 export * from "./sendAlertWebhook";
 export * from "./sendAlertEmail";
-export * from "./events/siteEvents";
-export * from "./events/healthCheckEvents";
-export * from "./events/resourceEvents";
--- a/server/private/lib/alerts/processAlerts.ts
+++ b/server/private/lib/alerts/processAlerts.ts
@@ -29,7 +29,10 @@ import { decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
 import { sendAlertWebhook } from "./sendAlertWebhook";
 import { sendAlertEmail } from "./sendAlertEmail";
-import { AlertContext, WebhookAlertConfig } from "@server/routers/alertRule/types";
+import {
+    AlertContext,
+    WebhookAlertConfig
+} from "@server/routers/alertRule/types";

 /**
 * Core alert processing pipeline.
@@ -99,7 +102,10 @@ export async function processAlerts(context: AlertContext): Promise<void> {
                    baseConditions,
                    or(
                        eq(alertRules.allHealthChecks, true),
-                        eq(alertHealthChecks.healthCheckId, context.healthCheckId)
+                        eq(
+                            alertHealthChecks.healthCheckId,
+                            context.healthCheckId
+                        )
                    )
                )
            );
@@ -208,14 +214,19 @@ async function processRule(

    for (const action of emailActions) {
        try {
-            const recipients = await resolveEmailRecipients(action.emailActionId);
+            const recipients = await resolveEmailRecipients(
+                action.emailActionId
+            );
            if (recipients.length > 0) {
                await sendAlertEmail(recipients, context);
                await db
                    .update(alertEmailActions)
                    .set({ lastSentAt: now })
                    .where(
-                        eq(alertEmailActions.emailActionId, action.emailActionId)
+                        eq(
+                            alertEmailActions.emailActionId,
+                            action.emailActionId
+                        )
                    );
            }
        } catch (err) {
@@ -269,7 +280,7 @@ async function processRule(
                    )
                );
        } catch (err) {
-            logger.error(
+            logger.warn(
                `processAlerts: failed to send alert webhook for action ${action.webhookActionId}`,
                err
            );
@@ -289,7 +300,9 @@ async function processRule(
 * - All users in a role (by `roleId`, resolved via `userOrgRoles`)
 * - Direct external email addresses
 */
-async function resolveEmailRecipients(emailActionId: number): Promise<string[]> {
+async function resolveEmailRecipients(
+    emailActionId: number
+): Promise<string[]> {
    const rows = await db
        .select()
        .from(alertEmailRecipients)
--- a/server/private/lib/alerts/sendAlertWebhook.ts
+++ b/server/private/lib/alerts/sendAlertWebhook.ts
@@ -42,17 +42,23 @@ export async function sendAlertWebhook(
    webhookConfig: WebhookAlertConfig,
    context: AlertContext
 ): Promise<void> {
-    const payload = {
-        event: context.eventType,
-        timestamp: new Date().toISOString(),
-        status: deriveStatus(context.eventType, context.data),
-        data: {
-            orgId: context.orgId,
-            ...context.data
-        }
-    };
+    const eventType = context.eventType;
+    const timestamp = new Date().toISOString();
+    const status = deriveStatus(eventType, context.data);
+    const data = { orgId: context.orgId, ...context.data };
+
+    let body: string;
+    if (webhookConfig.useBodyTemplate && webhookConfig.bodyTemplate?.trim()) {
+        body = renderTemplate(webhookConfig.bodyTemplate, {
+            event: eventType,
+            timestamp,
+            status,
+            data
+        });
+    } else {
+        body = JSON.stringify({ event: eventType, timestamp, status, data });
+    }

-    const body = JSON.stringify(payload);
    const headers = buildHeaders(webhookConfig);

    let lastError: Error | undefined;
@@ -217,3 +223,80 @@ function buildHeaders(

    return headers;
 }
+
+// ---------------------------------------------------------------------------
+// Body template rendering
+// ---------------------------------------------------------------------------
+
+interface TemplateContext {
+    event: string;
+    timestamp: string;
+    status: string;
+    data: Record<string, unknown>;
+}
+
+/**
+ * Render a body template with {{event}}, {{timestamp}}, {{status}}, {{data}},
+ * and individual data-field placeholders (e.g. {{orgId}}, {{siteId}}, …).
+ *
+ * Replacement order:
+ *   1. {{data}} → raw JSON of the full data object (prevents re-expansion of
+ *      nested values that might look like placeholders).
+ *   2. Top-level scalar fields from data (string values are JSON-escaped;
+ *      numbers and booleans are rendered as-is). Unknown placeholders are
+ *      left untouched.
+ *   3. The fixed top-level keys: event, timestamp, status.
+ */
+function renderTemplate(template: string, ctx: TemplateContext): string {
+    // Step 1 – expand {{data}} first so its contents are already serialised
+    // and won't be touched by later passes.
+    let rendered = template.replace(/\{\{data\}\}/g, JSON.stringify(ctx.data));
+
+    // Step 2 – expand individual data fields. Only replace placeholders whose
+    // key actually exists in ctx.data; leave everything else as-is.
+    for (const [key, value] of Object.entries(ctx.data)) {
+        if (value === null || value === undefined) continue;
+        const placeholder = new RegExp(
+            `\\{\\{${key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\}\\}`,
+            "g"
+        );
+        let serialised: string;
+        if (typeof value === "string") {
+            serialised = escapeJsonString(value);
+        } else if (typeof value === "number" || typeof value === "boolean") {
+            serialised = String(value);
+        } else {
+            serialised = escapeJsonString(JSON.stringify(value));
+        }
+        rendered = rendered.replace(placeholder, serialised);
+    }
+
+    // Step 3 – expand the fixed top-level keys.
+    rendered = rendered
+        .replace(/\{\{event\}\}/g, escapeJsonString(ctx.event))
+        .replace(/\{\{timestamp\}\}/g, escapeJsonString(ctx.timestamp))
+        .replace(/\{\{status\}\}/g, escapeJsonString(ctx.status));
+
+    // Validate the rendered result is valid JSON; if not, log a warning and
+    // fall back to the default payload so the webhook still fires.
+    try {
+        JSON.parse(rendered);
+        return rendered;
+    } catch {
+        logger.warn(
+            `sendAlertWebhook: body template produced invalid JSON for event ` +
+                `"${ctx.event}" destined for a webhook. Falling back to default ` +
+                `payload. Check that {{data}} is NOT wrapped in quotes in your template.`
+        );
+        return JSON.stringify({
+            event: ctx.event,
+            timestamp: ctx.timestamp,
+            status: ctx.status,
+            data: ctx.data
+        });
+    }
+}
+
+function escapeJsonString(value: string): string {
+    return JSON.stringify(value).slice(1, -1);
+}
--- a/server/private/lib/alerts/types.ts
+++ b/server/private/lib/alerts/types.ts
@@ -45,6 +45,10 @@ export interface WebhookAlertConfig {
    headers?: Array<{ key: string; value: string }>;
    /** HTTP method (default POST) */
    method?: string;
+    /** Whether to use a custom body template */
+    useBodyTemplate?: boolean;
+    /** Mustache-style body template with {{event}}, {{timestamp}}, {{status}}, {{data}} placeholders */
+    bodyTemplate?: string;
 }

 // ---------------------------------------------------------------------------
@@ -60,4 +64,4 @@ export interface AlertContext {
    healthCheckId?: number;
    /** Human-readable context data included in emails and webhook payloads */
    data: Record<string, unknown>;
-}
+}
--- a/server/private/lib/billing/getOrgTierData.ts
+++ b/server/private/lib/billing/getOrgTierData.ts
@@ -19,12 +19,13 @@ import { eq, and, ne } from "drizzle-orm";

 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: Tier | null; active: boolean }> {
+): Promise<{ tier: Tier | null; active: boolean; isTrial: boolean }> {
    let tier: Tier | null = null;
    let active = false;
+    let isTrial = false;

    if (build !== "saas") {
-        return { tier, active };
+        return { tier, active, isTrial };
    }

    try {
@@ -35,7 +36,7 @@ export async function getOrgTierData(
            .limit(1);

        if (!org) {
-            return { tier, active };
+            return { tier, active, isTrial };
        }

        let orgIdToUse = org.orgId;
@@ -44,7 +45,7 @@ export async function getOrgTierData(
                logger.warn(
                    `Org ${orgId} is not a billing org and does not have a billingOrgId`
                );
-                return { tier, active };
+                return { tier, active, isTrial };
            }
            orgIdToUse = org.billingOrgId;
        }
@@ -57,7 +58,7 @@ export async function getOrgTierData(
            .limit(1);

        if (!customer) {
-            return { tier, active };
+            return { tier, active, isTrial };
        }

        // Query for active subscriptions that are not license type
@@ -84,11 +85,13 @@ export async function getOrgTierData(
                tier = subscription.type;
                active = true;
            }
+
+            isTrial = subscription.trial ?? false;
        }
    } catch (error) {
        // If org not found or error occurs, return null tier and inactive
        // This is acceptable behavior as per the function signature
    }

-    return { tier, active };
+    return { tier, active, isTrial };
 }
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -21,173 +21,172 @@ import { getEnvOrYaml } from "@server/lib/getEnvOrYaml";

 const portSchema = z.number().positive().gt(0).lte(65535);

-export const privateConfigSchema = z.object({
-    app: z
-        .object({
-            region: z.string().optional().default("default"),
-            base_domain: z.string().optional(),
-            identity_provider_mode: z.enum(["global", "org"]).optional()
-        })
-        .optional()
-        .default({
-            region: "default"
-        }),
-    server: z
-        .object({
-            reo_client_id: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("REO_CLIENT_ID")),
-            fossorial_api: z
-                .string()
-                .optional()
-                .default("https://api.fossorial.io"),
-            fossorial_api_key: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("FOSSORIAL_API_KEY"))
-        })
-        .optional()
-        .prefault({}),
-    redis: z
-        .object({
-            host: z.string(),
-            port: portSchema,
-            password: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("REDIS_PASSWORD")),
-            db: z.int().nonnegative().optional().default(0),
-            replicas: z
-                .array(
-                    z.object({
-                        host: z.string(),
-                        port: portSchema,
-                        password: z.string().optional(),
-                        db: z.int().nonnegative().optional().default(0)
+export const privateConfigSchema = z
+    .object({
+        app: z
+            .object({
+                region: z.string().optional().default("default"),
+                base_domain: z.string().optional(),
+                identity_provider_mode: z.enum(["global", "org"]).optional()
+            })
+            .optional()
+            .default({
+                region: "default"
+            }),
+        server: z
+            .object({
+                reo_client_id: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("REO_CLIENT_ID")),
+                fossorial_api: z
+                    .string()
+                    .optional()
+                    .default("https://api.fossorial.io"),
+                fossorial_api_key: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("FOSSORIAL_API_KEY"))
+            })
+            .optional()
+            .prefault({}),
+        redis: z
+            .object({
+                host: z.string(),
+                port: portSchema,
+                password: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("REDIS_PASSWORD")),
+                db: z.int().nonnegative().optional().default(0),
+                replicas: z
+                    .array(
+                        z.object({
+                            host: z.string(),
+                            port: portSchema,
+                            password: z.string().optional(),
+                            db: z.int().nonnegative().optional().default(0)
+                        })
+                    )
+                    .optional(),
+                tls: z
+                    .object({
+                        rejectUnauthorized: z.boolean().optional().default(true)
                    })
-                )
-                .optional(),
-            tls: z
-                .object({
-                    rejectUnauthorized: z
-                        .boolean()
-                        .optional()
-                        .default(true)
-                })
-                .optional()
-        })
-        .optional(),
-    gerbil: z
-        .object({
-            local_exit_node_reachable_at: z
-                .string()
-                .optional()
-                .default("http://gerbil:3004")
-        })
-        .optional()
-        .prefault({}),
-    flags: z
-        .object({
-            enable_redis: z.boolean().optional().default(false),
-            use_pangolin_dns: z.boolean().optional().default(false),
-            use_org_only_idp: z.boolean().optional(),
-            enable_acme_cert_sync: z.boolean().optional().default(true)
-        })
-        .optional()
-        .prefault({}),
-    acme: z
-        .object({
-            acme_json_path: z
-                .string()
-                .optional()
-                .default("config/letsencrypt/acme.json"),
-            sync_interval_ms: z.number().optional().default(5000)
-        })
-        .optional(),
-    branding: z
-        .object({
-            app_name: z.string().optional(),
-            background_image_path: z.string().optional(),
-            colors: z
-                .object({
-                    light: colorsSchema.optional(),
-                    dark: colorsSchema.optional()
-                })
-                .optional(),
-            logo: z
-                .object({
-                    light_path: z.string().optional(),
-                    dark_path: z.string().optional(),
-                    auth_page: z
-                        .object({
-                            width: z.number().optional(),
-                            height: z.number().optional()
-                        })
-                        .optional(),
-                    navbar: z
-                        .object({
-                            width: z.number().optional(),
-                            height: z.number().optional()
-                        })
-                        .optional()
-                })
-                .optional(),
-            footer: z
-                .array(
-                    z.object({
-                        text: z.string(),
-                        href: z.string().optional()
+                    .optional()
+            })
+            .optional(),
+        gerbil: z
+            .object({
+                local_exit_node_reachable_at: z
+                    .string()
+                    .optional()
+                    .default("http://gerbil:3004")
+            })
+            .optional()
+            .prefault({}),
+        flags: z
+            .object({
+                enable_redis: z.boolean().optional().default(false),
+                use_pangolin_dns: z.boolean().optional().default(false),
+                use_org_only_idp: z.boolean().optional(),
+                enable_acme_cert_sync: z.boolean().optional().default(true)
+            })
+            .optional()
+            .prefault({}),
+        acme: z
+            .object({
+                acme_json_path: z
+                    .string()
+                    .optional()
+                    .default("config/letsencrypt/acme.json"),
+                acme_http_endpoint: z.string().optional(),
+                sync_interval_ms: z.number().optional().default(5000)
+            })
+            .optional(),
+        branding: z
+            .object({
+                app_name: z.string().optional(),
+                background_image_path: z.string().optional(),
+                colors: z
+                    .object({
+                        light: colorsSchema.optional(),
+                        dark: colorsSchema.optional()
                    })
-                )
-                .optional(),
-            hide_auth_layout_footer: z.boolean().optional().default(false),
-            login_page: z
-                .object({
-                    subtitle_text: z.string().optional()
-                })
-                .optional(),
-            signup_page: z
-                .object({
-                    subtitle_text: z.string().optional()
-                })
-                .optional(),
-            resource_auth_page: z
-                .object({
-                    show_logo: z.boolean().optional(),
-                    hide_powered_by: z.boolean().optional(),
-                    title_text: z.string().optional(),
-                    subtitle_text: z.string().optional()
-                })
-                .optional(),
-            emails: z
-                .object({
-                    signature: z.string().optional(),
-                    colors: z
-                        .object({
-                            primary: z.string().optional()
+                    .optional(),
+                logo: z
+                    .object({
+                        light_path: z.string().optional(),
+                        dark_path: z.string().optional(),
+                        auth_page: z
+                            .object({
+                                width: z.number().optional(),
+                                height: z.number().optional()
+                            })
+                            .optional(),
+                        navbar: z
+                            .object({
+                                width: z.number().optional(),
+                                height: z.number().optional()
+                            })
+                            .optional()
+                    })
+                    .optional(),
+                footer: z
+                    .array(
+                        z.object({
+                            text: z.string(),
+                            href: z.string().optional()
                        })
-                        .optional()
-                })
-                .optional()
-        })
-        .optional(),
-    stripe: z
-        .object({
-            secret_key: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("STRIPE_SECRET_KEY")),
-            webhook_secret: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET")),
-            // s3Bucket: z.string(),
-            // s3Region: z.string().default("us-east-1"),
-            // localFilePath: z.string().optional()
-        })
-        .optional()
-})
+                    )
+                    .optional(),
+                hide_auth_layout_footer: z.boolean().optional().default(false),
+                login_page: z
+                    .object({
+                        subtitle_text: z.string().optional()
+                    })
+                    .optional(),
+                signup_page: z
+                    .object({
+                        subtitle_text: z.string().optional()
+                    })
+                    .optional(),
+                resource_auth_page: z
+                    .object({
+                        show_logo: z.boolean().optional(),
+                        hide_powered_by: z.boolean().optional(),
+                        title_text: z.string().optional(),
+                        subtitle_text: z.string().optional()
+                    })
+                    .optional(),
+                emails: z
+                    .object({
+                        signature: z.string().optional(),
+                        colors: z
+                            .object({
+                                primary: z.string().optional()
+                            })
+                            .optional()
+                    })
+                    .optional()
+            })
+            .optional(),
+        stripe: z
+            .object({
+                secret_key: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("STRIPE_SECRET_KEY")),
+                webhook_secret: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET"))
+                // s3Bucket: z.string(),
+                // s3Region: z.string().default("us-east-1"),
+                // localFilePath: z.string().optional()
+            })
+            .optional()
+    })
    .transform((data) => {
        // this to maintain backwards compatibility with the old config file
        const identityProviderMode = data.app?.identity_provider_mode;
--- a/server/private/routers/alertEvents/triggerHealthCheckAlert.ts
+++ b/server/private/routers/alertEvents/triggerHealthCheckAlert.ts
@@ -24,7 +24,7 @@ import { eq, and } from "drizzle-orm";
 import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert
-} from "#private/lib/alerts/events/healthCheckEvents";
+} from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
@@ -73,10 +73,7 @@ export async function triggerHealthCheckAlert(
            .from(targetHealthCheck)
            .where(
                and(
-                    eq(
-                        targetHealthCheck.targetHealthCheckId,
-                        healthCheckId
-                    ),
+                    eq(targetHealthCheck.targetHealthCheckId, healthCheckId),
                    eq(targetHealthCheck.orgId, orgId)
                )
            )
--- a/server/private/routers/alertEvents/triggerResourceAlert.ts
+++ b/server/private/routers/alertEvents/triggerResourceAlert.ts
@@ -25,7 +25,7 @@ import {
    fireResourceHealthyAlert,
    fireResourceUnhealthyAlert,
    fireResourceDegradedAlert
-} from "#private/lib/alerts/events/resourceEvents";
+} from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
--- a/server/private/routers/alertEvents/triggerSiteAlert.ts
+++ b/server/private/routers/alertEvents/triggerSiteAlert.ts
@@ -21,10 +21,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq, and } from "drizzle-orm";
-import {
-    fireSiteOnlineAlert,
-    fireSiteOfflineAlert
-} from "#private/lib/alerts/events/siteEvents";
+import { fireSiteOnlineAlert, fireSiteOfflineAlert } from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
--- a/server/private/routers/billing/hooks/handleCustomerCreated.ts
+++ b/server/private/routers/billing/hooks/handleCustomerCreated.ts
@@ -16,6 +16,7 @@ import { customers, db, subscriptions } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
 import { generateId } from "@server/auth/sessions/app";
+import { handleSubscriptionLifesycle } from "../subscriptionLifecycle";

 export async function handleCustomerCreated(
    customer: Stripe.Customer
@@ -62,6 +63,13 @@ export async function handleCustomerCreated(
                expiresAt: trialExpiresAt,
                trial: true
            });
+
+            // update to the business limits for the trial
+            await handleSubscriptionLifesycle(
+                customer.metadata.orgId,
+                "active",
+                "tier3"
+            );
        });

        logger.info(`Customer with ID ${customer.id} created successfully.`);
--- a/server/private/routers/billing/subscriptionLifecycle.ts
+++ b/server/private/routers/billing/subscriptionLifecycle.ts
@@ -44,7 +44,7 @@ function getLimitSetForSubscriptionType(
 export async function handleSubscriptionLifesycle(
    orgId: string,
    status: string,
-    subType: SubscriptionType | null
+    subType: SubscriptionType | null = null
 ) {
    switch (status) {
        case "active":
--- a/server/private/routers/certificates/createCertificate.ts
+++ b/server/private/routers/certificates/createCertificate.ts
@@ -79,7 +79,7 @@ export async function createCertificate(

    let domainToWrite = domain;
    if (
-        domainRecord.type == "wildcard" &&
+        domainRecord.type == "wildcard" && // this is to fix the wildcard certs for traefik in self hosted NOT ON THE CLOUD
        domainRecord.preferWildcardCert &&
        !domain.startsWith("*.")
    ) {
@@ -89,6 +89,15 @@ export async function createCertificate(
            domainToWrite = parts.slice(1).join(".");
            domainToWrite = `*.${domainToWrite}`;
        }
+    } else if (domainRecord.type == "ns") {
+        if (domain == domainRecord.baseDomain) {
+            domainToWrite = domainRecord.baseDomain;
+        } else {
+            const parts = domain.split(".");
+            if (parts.length > 2) {
+                domainToWrite = parts.slice(1).join(".");
+            }
+        }
    }

    // No cert found, create a new one in pending state
--- a/server/private/routers/healthChecks/createHealthCheck.ts
+++ b/server/private/routers/healthChecks/createHealthCheck.ts
@@ -22,7 +22,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { addStandaloneHealthCheck } from "@server/routers/newt/targets";
-import { fireHealthCheckUnhealthyAlert } from "#private/lib/alerts";
+import { fireHealthCheckUnhealthyAlert } from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
--- a/server/private/routers/healthChecks/updateHealthCheck.ts
+++ b/server/private/routers/healthChecks/updateHealthCheck.ts
@@ -22,7 +22,11 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq, isNull } from "drizzle-orm";
 import { addStandaloneHealthCheck } from "@server/routers/newt/targets";
-import { fireHealthCheckUnhealthyAlert, fireHealthCheckUnknownAlert, fireHealthCheckHealthyAlert } from "#private/lib/alerts";
+import {
+    fireHealthCheckUnhealthyAlert,
+    fireHealthCheckUnknownAlert,
+    fireHealthCheckHealthyAlert
+} from "@server/lib/alerts";

 const paramsSchema = z
    .object({
@@ -234,7 +238,10 @@ export async function updateHealthCheck(
            )
            .returning();

-        if (updated.hcHealth === "unhealthy" && existingHealthCheck.hcHealth !== "unhealthy") {
+        if (
+            updated.hcHealth === "unhealthy" &&
+            existingHealthCheck.hcHealth !== "unhealthy"
+        ) {
            await fireHealthCheckUnhealthyAlert(
                updated.orgId,
                updated.targetHealthCheckId,
@@ -243,7 +250,10 @@ export async function updateHealthCheck(
                undefined,
                false // dont send the alert because we just want to create the alert, not notify users yet
            );
-        } else if (updated.hcHealth === "unknown" && existingHealthCheck.hcHealth !== "unknown") {
+        } else if (
+            updated.hcHealth === "unknown" &&
+            existingHealthCheck.hcHealth !== "unknown"
+        ) {
            // if the health is unknown, we want to fire an alert to notify users to enable health checks
            await fireHealthCheckUnknownAlert(
                updated.orgId,
@@ -253,7 +263,10 @@ export async function updateHealthCheck(
                undefined,
                false // dont send the alert because we just want to create the alert, not notify users yet
            );
-        } else if (updated.hcHealth === "healthy" && existingHealthCheck.hcHealth !== "healthy") {
+        } else if (
+            updated.hcHealth === "healthy" &&
+            existingHealthCheck.hcHealth !== "healthy"
+        ) {
            await fireHealthCheckHealthyAlert(
                updated.orgId,
                updated.targetHealthCheckId,
@@ -264,7 +277,6 @@ export async function updateHealthCheck(
            );
        }

-
        // Push updated health check to newt if the site is a newt site
        const [newt] = await db
            .select()
--- a/server/private/routers/org/sendTrialNotification.ts
+++ b/server/private/routers/org/sendTrialNotification.ts
@@ -24,13 +24,18 @@ import { fromError } from "zod-validation-error";
 import { sendEmail } from "@server/emails";
 import NotifyTrialExpiring from "@server/emails/templates/NotifyTrialExpiring";
 import config from "@server/lib/config";
+import { handleSubscriptionLifesycle } from "../billing/subscriptionLifecycle";

 const sendTrialNotificationParamsSchema = z.object({
    orgId: z.string()
 });

 const sendTrialNotificationBodySchema = z.object({
-    notificationType: z.enum(["trial_ending_5d", "trial_ending_24h", "trial_ended"]),
+    notificationType: z.enum([
+        "trial_ending_5d",
+        "trial_ending_24h",
+        "trial_ended"
+    ]),
    orgName: z.string(),
    trialEndsAt: z.number(),
    billingLink: z.string().optional()
@@ -69,9 +74,7 @@ async function getOrgAdmins(orgId: string) {
            )
        );

-    const byUserId = new Map(
-        admins.map((a) => [a.userId, a])
-    );
+    const byUserId = new Map(admins.map((a) => [a.userId, a]));
    const orgAdmins = Array.from(byUserId.values()).filter(
        (admin) => admin.email && admin.email.length > 0
    );
@@ -108,8 +111,12 @@ export async function sendTrialNotification(
        }

        const { orgId } = parsedParams.data;
-        const { notificationType, orgName, trialEndsAt, billingLink: bodyBillingLink } =
-            parsedBody.data;
+        const {
+            notificationType,
+            orgName,
+            trialEndsAt,
+            billingLink: bodyBillingLink
+        } = parsedBody.data;

        // Verify organization exists
        const org = await db
@@ -146,13 +153,17 @@ export async function sendTrialNotification(
            bodyBillingLink ??
            `${config.getRawConfig().app.dashboard_url}/${orgId}/settings/billing`;

-        const trialEndsAtFormatted = new Date(trialEndsAt * 1000).toLocaleDateString(
-            "en-US",
-            { year: "numeric", month: "long", day: "numeric" }
-        );
+        const trialEndsAtFormatted = new Date(
+            trialEndsAt * 1000
+        ).toLocaleDateString("en-US", {
+            year: "numeric",
+            month: "long",
+            day: "numeric"
+        });

        let daysRemaining: number | null;
        let subject: string;
+        let resetLimits = false;

        if (notificationType === "trial_ending_5d") {
            daysRemaining = 5;
@@ -163,6 +174,7 @@ export async function sendTrialNotification(
        } else {
            daysRemaining = null;
            subject = "Your trial has ended";
+            resetLimits = true;
        }

        let emailsSent = 0;
@@ -201,6 +213,14 @@ export async function sendTrialNotification(
            }
        }

+        if (resetLimits) {
+            // this will only fire if they have not upgraded yet because when upgrading we delete the trial
+            await handleSubscriptionLifesycle(orgId, "cancled");
+            logger.debug(
+                `Trial ended for org ${orgId}, limits reset to free tier`
+            );
+        }
+
        return response<SendTrialNotificationResponse>(res, {
            data: {
                success: true,
@@ -221,4 +241,4 @@ export async function sendTrialNotification(
            )
        );
    }
-}
+}
--- a/server/private/routers/remoteExitNode/listRemoteExitNodes.ts
+++ b/server/private/routers/remoteExitNode/listRemoteExitNodes.ts
@@ -22,6 +22,91 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { ListRemoteExitNodesResponse } from "@server/routers/remoteExitNode/types";
+import cache from "#private/lib/cache";
+import semver from "semver";
+
+let stalePangolinNodeVersion: string | null = null;
+
+async function getLatestPangolinNodeVersion(): Promise<string | null> {
+    try {
+        const cachedVersion = await cache.get<string>(
+            "cache:latestPangolinNodeVersion"
+        );
+        if (cachedVersion) {
+            return cachedVersion;
+        }
+
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), 1500);
+
+        const res = await fetch(
+            "https://api.github.com/repos/fosrl/pangolin-node/tags",
+            { signal: controller.signal }
+        );
+
+        clearTimeout(timeoutId);
+
+        if (!res.ok) {
+            logger.warn(
+                `Failed to fetch latest pangolin-node version from GitHub: ${res.status} ${res.statusText}`
+            );
+            return stalePangolinNodeVersion;
+        }
+
+        let tags = await res.json();
+        if (!Array.isArray(tags) || tags.length === 0) {
+            logger.warn("No tags found for pangolin-node repository");
+            return stalePangolinNodeVersion;
+        }
+
+        tags = tags.filter((tag: any) => !tag.name.includes("rc"));
+        tags.sort((a: any, b: any) => {
+            const va = semver.coerce(a.name);
+            const vb = semver.coerce(b.name);
+            if (!va && !vb) return 0;
+            if (!va) return 1;
+            if (!vb) return -1;
+            return semver.rcompare(va, vb);
+        });
+
+        const seen = new Set<string>();
+        tags = tags.filter((tag: any) => {
+            const normalised = semver.coerce(tag.name)?.version;
+            if (!normalised || seen.has(normalised)) return false;
+            seen.add(normalised);
+            return true;
+        });
+
+        if (tags.length === 0) {
+            logger.warn(
+                "No valid semver tags found for pangolin-node repository"
+            );
+            return stalePangolinNodeVersion;
+        }
+
+        const latestVersion = tags[0].name;
+        stalePangolinNodeVersion = latestVersion;
+        await cache.set("cache:latestPangolinNodeVersion", latestVersion, 3600);
+
+        return latestVersion;
+    } catch (error: any) {
+        if (error.name === "AbortError") {
+            logger.warn(
+                "Request to fetch latest pangolin-node version timed out (1.5s)"
+            );
+        } else if (error.cause?.code === "UND_ERR_CONNECT_TIMEOUT") {
+            logger.warn(
+                "Connection timeout while fetching latest pangolin-node version"
+            );
+        } else {
+            logger.warn(
+                "Error fetching latest pangolin-node version:",
+                error.message || error
+            );
+        }
+        return stalePangolinNodeVersion;
+    }
+}

 const listRemoteExitNodesParamsSchema = z.strictObject({
    orgId: z.string()
@@ -118,9 +203,41 @@ export async function listRemoteExitNodes(
        const totalCountResult = await countQuery;
        const totalCount = totalCountResult[0].count;

+        const latestPangolinNodeVersionPromise = getLatestPangolinNodeVersion();
+
+        const nodesWithUpdates = remoteExitNodesList.map((node) => ({
+            ...node,
+            updateAvailable: false
+        }));
+
+        try {
+            const latestPangolinNodeVersion =
+                await latestPangolinNodeVersionPromise;
+
+            if (latestPangolinNodeVersion) {
+                nodesWithUpdates.forEach((node) => {
+                    if (node.version) {
+                        try {
+                            node.updateAvailable = semver.lt(
+                                node.version,
+                                latestPangolinNodeVersion
+                            );
+                        } catch {
+                            node.updateAvailable = false;
+                        }
+                    }
+                });
+            }
+        } catch (error) {
+            logger.warn(
+                "Failed to check for pangolin-node updates, continuing without update info:",
+                error
+            );
+        }
+
        return response<ListRemoteExitNodesResponse>(res, {
            data: {
-                remoteExitNodes: remoteExitNodesList,
+                remoteExitNodes: nodesWithUpdates,
                pagination: {
                    total: totalCount,
                    limit,
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -22,7 +22,7 @@ import {
    Olm,
    olms,
    RemoteExitNode,
-    remoteExitNodes,
+    remoteExitNodes
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
@@ -194,8 +194,6 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();

-
-
 // Recovery tracking
 let isRedisRecoveryInProgress = false;

@@ -406,6 +404,9 @@ const removeClient = async (
    const updatedClients = existingClients.filter((client) => client !== ws);
    if (updatedClients.length === 0) {
        connectedClients.delete(mapKey);
+        // Remove clientId from clientConfigVersions on disconnect — prevents
+        // unbounded memory growth from stale entries.
+        clientConfigVersions.delete(clientId);

        if (redisManager.isRedisEnabled()) {
            try {
@@ -1097,6 +1098,11 @@ const disconnectClient = async (clientId: string): Promise<boolean> => {
        }
    });

+    // Eagerly remove client — close event may not fire if socket is already
+    // CLOSING, leaving zombie entries.
+    connectedClients.delete(mapKey);
+    clientConfigVersions.delete(clientId);
+
    return true;
 };

--- a/server/routers/alertRule/types.ts
+++ b/server/routers/alertRule/types.ts
@@ -80,6 +80,10 @@ export interface WebhookAlertConfig {
    headers?: Array<{ key: string; value: string }>;
    /** HTTP method (default POST) */
    method?: string;
+    /** Whether to use a custom body template */
+    useBodyTemplate?: boolean;
+    /** Mustache-style body template with {{event}}, {{timestamp}}, {{status}}, {{data}} placeholders */
+    bodyTemplate?: string;
 }

 // ---------------------------------------------------------------------------
--- a/server/routers/auth/deleteMyAccount.ts
+++ b/server/routers/auth/deleteMyAccount.ts
@@ -104,8 +104,9 @@ export async function deleteMyAccount(
                (r) => r.isBillingOrg && r.isOwner
            )?.orgId;
            if (primaryOrgId) {
-                const { tier, active } = await getOrgTierData(primaryOrgId);
-                if (active && tier) {
+                const { tier, active, isTrial } =
+                    await getOrgTierData(primaryOrgId);
+                if (active && tier && !isTrial) {
                    return next(
                        createHttpError(
                            HttpCode.BAD_REQUEST,
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -1003,7 +1003,11 @@ async function checkRules(
            isIpInCidr(clientIp, rule.value)
        ) {
            return rule.action as any;
-        } else if (clientIp && rule.match == "IP" && clientIp == rule.value) {
+        } else if (
+            clientIp &&
+            rule.match == "IP" &&
+            clientIp == rule.value
+        ) {
            return rule.action as any;
        } else if (
            path &&
@@ -1013,16 +1017,35 @@ async function checkRules(
            return rule.action as any;
        } else if (
            clientIp &&
-            rule.match == "COUNTRY" &&
-            (await isIpInGeoIP(ipCC, rule.value))
+            rule.match == "COUNTRY"
        ) {
-            return rule.action as any;
+            // COUNTRY=ALL should not affect local/private/CGNAT addresses.
+            if (
+                rule.value.toUpperCase() === "ALL" &&
+                isLocalOrCarrierGradeNatIp(clientIp)
+            ) {
+                continue;
+            }
+
+            if (await isIpInGeoIP(ipCC, rule.value)) {
+                return rule.action as any;
+            }
        } else if (
            clientIp &&
-            rule.match == "ASN" &&
-            (await isIpInAsn(ipAsn, rule.value))
+            rule.match == "ASN"
        ) {
-            return rule.action as any;
+            // ASN=ALL/AS0 should not affect local/private/CGNAT addresses.
+            if (
+                (rule.value.toUpperCase() === "ALL" ||
+                    rule.value.toUpperCase() === "AS0") &&
+                isLocalOrCarrierGradeNatIp(clientIp)
+            ) {
+                continue;
+            }
+
+            if (await isIpInAsn(ipAsn, rule.value)) {
+                return rule.action as any;
+            }
        } else if (
            clientIp &&
            rule.match == "REGION" &&
@@ -1184,6 +1207,26 @@ async function isIpInGeoIP(
    return ipCountryCode?.toUpperCase() === checkCountryCode.toUpperCase();
 }

+function isLocalOrCarrierGradeNatIp(ip: string): boolean {
+    const localAndCgnatCidrs = [
+        "10.0.0.0/8",
+        "172.16.0.0/12",
+        "192.168.0.0/16",
+        "100.64.0.0/10",
+        "127.0.0.0/8",
+        "169.254.0.0/16",
+        "::1/128",
+        "fc00::/7",
+        "fe80::/10"
+    ];
+
+    try {
+        return localAndCgnatCidrs.some((cidr) => isIpInCidr(ip, cidr));
+    } catch {
+        return false;
+    }
+}
+
 async function isIpInAsn(
    ipAsn: number | undefined,
    checkAsn: string
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -38,10 +38,7 @@ import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsFor
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import {
-    assignUserToOrg,
-    removeUserFromOrg
-} from "@server/lib/userOrg";
+import { assignUserToOrg, removeUserFromOrg } from "@server/lib/userOrg";
 import { unwrapRoleMapping } from "@app/lib/idpRoleMapping";

 const ensureTrailingSlash = (url: string): string => {
@@ -336,31 +333,15 @@ export async function validateOidcCallback(
                    .innerJoin(orgs, eq(orgs.orgId, idpOrg.orgId));
                allOrgs = idpOrgs.map((o) => o.orgs);

-                // TODO: when there are multiple orgs we need to do this better!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1
-                if (allOrgs.length > 1) {
-                    // for some reason there is more than one org
-                    logger.error(
-                        "More than one organization linked to this IdP. This should not happen with auto-provisioning enabled."
-                    );
-                    return next(
-                        createHttpError(
-                            HttpCode.INTERNAL_SERVER_ERROR,
-                            "Multiple organizations linked to this IdP. Please contact support."
-                        )
-                    );
-                }
-
-                const subscribed = await isSubscribed(
-                    allOrgs[0].orgId,
-                    tierMatrix.autoProvisioning
-                );
-                if (!subscribed) {
-                    return next(
-                        createHttpError(
-                            HttpCode.FORBIDDEN,
-                            "This organization's current plan does not support this feature."
-                        )
+                for (const org of allOrgs) {
+                    const subscribed = await isSubscribed(
+                        org.orgId,
+                        tierMatrix.autoProvisioning
                    );
+                    if (!subscribed) {
+                        // filter out the org
+                        allOrgs = allOrgs.filter((o) => o.orgId !== org.orgId);
+                    }
                }
            } else {
                allOrgs = await db.select().from(orgs);
@@ -405,16 +386,14 @@ export async function validateOidcCallback(
                    idpOrgRes?.roleMapping || defaultRoleMapping;
                if (roleMapping) {
                    logger.debug("Role Mapping", { roleMapping });
-                    const roleMappingJmes = unwrapRoleMapping(
-                        roleMapping
-                    ).evaluationExpression;
+                    const roleMappingJmes =
+                        unwrapRoleMapping(roleMapping).evaluationExpression;
                    const roleMappingResult = jmespath.search(
                        claims,
                        roleMappingJmes
                    );
-                    const roleNames = normalizeRoleMappingResult(
-                        roleMappingResult
-                    );
+                    const roleNames =
+                        normalizeRoleMappingResult(roleMappingResult);

                    const supportsMultiRole = await isLicensedOrSubscribed(
                        org.orgId,
@@ -504,7 +483,14 @@ export async function validateOidcCallback(
                            }
                        }

-                        await calculateUserClientsForOrgs(existingUser.userId);
+                        calculateUserClientsForOrgs(existingUser.userId).catch(
+                            (err) => {
+                                logger.error(
+                                    "Error calculating user clients after removing all orgs for user with no valid IdP mappings",
+                                    { error: err }
+                                );
+                            }
+                        );

                        return next(
                            createHttpError(
@@ -524,12 +510,11 @@ export async function validateOidcCallback(
                }
            }

-                const orgUserCounts: { orgId: string; userCount: number }[] = [];
+            const orgUserCounts: { orgId: string; userCount: number }[] = [];

+            let userId = existingUser?.userId;
            // sync the user with the orgs and roles
            await db.transaction(async (trx) => {
-                let userId = existingUser?.userId;
-
                // create user if not exists
                if (!existingUser) {
                    userId = generateId(15);
@@ -637,7 +622,7 @@ export async function validateOidcCallback(
                                {
                                    orgId: org.orgId,
                                    userId: userId!,
-                                    autoProvisioned: true,
+                                    autoProvisioned: true
                                },
                                org.roleIds,
                                trx
@@ -659,8 +644,15 @@ export async function validateOidcCallback(
                        userCount: userCount.length
                    });
                }
+            });

+            db.transaction(async (trx) => {
                await calculateUserClientsForOrgs(userId!, trx);
+            }).catch((err) => {
+                logger.error(
+                    "Error calculating user clients after syncing orgs and roles for OIDC user",
+                    { error: err }
+                );
            });

            for (const orgCount of orgUserCounts) {
@@ -767,9 +759,7 @@ function hydrateOrgMapping(
    return orgMapping.split("{{orgId}}").join(orgId);
 }

-function normalizeRoleMappingResult(
-    result: unknown
-): string[] {
+function normalizeRoleMappingResult(result: unknown): string[] {
    if (typeof result === "string") {
        const role = result.trim();
        return role ? [role] : [];
@@ -779,7 +769,9 @@ function normalizeRoleMappingResult(
        return [
            ...new Set(
                result
-                    .filter((value): value is string => typeof value === "string")
+                    .filter(
+                        (value): value is string => typeof value === "string"
+                    )
                    .map((value) => value.trim())
                    .filter(Boolean)
            )
--- a/server/routers/newt/handleNewtDisconnectingMessage.ts
+++ b/server/routers/newt/handleNewtDisconnectingMessage.ts
@@ -1,12 +1,8 @@
 import { MessageHandler } from "@server/routers/ws";
-import {
-    db,
-    Newt,
-    sites
-} from "@server/db";
+import { db, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOfflineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOfflineAlert } from "@server/lib/alerts";

 /**
 * Handles disconnecting messages from sites to show disconnected in the ui
@@ -38,7 +34,13 @@ export const handleNewtDisconnectingMessage: MessageHandler = async (
                .where(eq(sites.siteId, newt.siteId!))
                .returning();

-            await fireSiteOfflineAlert(site.orgId, site.siteId, site.name, undefined, trx);
+            await fireSiteOfflineAlert(
+                site.orgId,
+                site.siteId,
+                site.name,
+                undefined,
+                trx
+            );
        });
    } catch (error) {
        logger.error("Error handling disconnecting message", { error });
--- a/server/routers/newt/offlineChecker.ts
+++ b/server/routers/newt/offlineChecker.ts
@@ -1,12 +1,8 @@
-import {
-    db,
-    newts,
-    sites
-} from "@server/db";
+import { db, newts, sites } from "@server/db";
 import { hasActiveConnections } from "#dynamic/routers/ws";
 import { eq, lt, isNull, and, or, ne, not, inArray } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOfflineAlert, fireSiteOnlineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOfflineAlert, fireSiteOnlineAlert } from "@server/lib/alerts";

 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
--- a/server/routers/newt/pingAccumulator.ts
+++ b/server/routers/newt/pingAccumulator.ts
@@ -2,7 +2,7 @@ import { db } from "@server/db";
 import { sites, clients, olms } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOnlineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOnlineAlert } from "@server/lib/alerts";

 /**
 * Ping Accumulator
@@ -127,7 +127,11 @@ async function flushSitePingsToDb(): Promise<void> {
                            eq(sites.online, false)
                        )
                    )
-                    .returning({ siteId: sites.siteId, orgId: sites.orgId, name: sites.name });
+                    .returning({
+                        siteId: sites.siteId,
+                        orgId: sites.orgId,
+                        name: sites.name
+                    });

                // Update lastPing for sites that were already online.
                // After the update above, the newly-online sites now have
@@ -148,7 +152,13 @@ async function flushSitePingsToDb(): Promise<void> {

            for (const site of newlyOnlineSites) {
                await db.transaction(async (trx) => {
-                    await fireSiteOnlineAlert(site.orgId, site.siteId, site.name, undefined, trx);
+                    await fireSiteOnlineAlert(
+                        site.orgId,
+                        site.siteId,
+                        site.name,
+                        undefined,
+                        trx
+                    );
                });
            }
        } catch (error) {
--- a/server/routers/remoteExitNode/types.ts
+++ b/server/routers/remoteExitNode/types.ts
@@ -21,6 +21,7 @@ export type ListRemoteExitNodesResponse = {
        remoteExitNodeId: string;
        dateCreated: string;
        version: string | null;
+        updateAvailable?: boolean;
        exitNodeId: number | null;
        name: string;
        address: string;
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -151,6 +151,8 @@ export async function getUserResources(
            destination: string;
            mode: string;
            scheme: string | null;
+            ssl: boolean;
+            fullDomain: string | null;
            enabled: boolean;
            alias: string | null;
            aliasAddress: string | null;
@@ -164,6 +166,8 @@ export async function getUserResources(
                    destination: siteResources.destination,
                    mode: siteResources.mode,
                    scheme: siteResources.scheme,
+                    ssl: siteResources.ssl,
+                    fullDomain: siteResources.fullDomain,
                    enabled: siteResources.enabled,
                    alias: siteResources.alias,
                    aliasAddress: siteResources.aliasAddress
@@ -251,6 +255,8 @@ export async function getUserResources(
                destination: siteResource.destination,
                mode: siteResource.mode,
                protocol: siteResource.scheme,
+                ssl: siteResource.ssl,
+                fullDomain: siteResource.fullDomain,
                enabled: siteResource.enabled,
                alias: siteResource.alias,
                aliasAddress: siteResource.aliasAddress,
@@ -296,6 +302,8 @@ export type GetUserResourcesResponse = {
            destination: string;
            mode: string;
            protocol: string | null;
+            ssl: boolean;
+            fullDomain: string | null;
            enabled: boolean;
            alias: string | null;
            aliasAddress: string | null;
--- a/server/routers/site/getSite.ts
+++ b/server/routers/site/getSite.ts
@@ -42,9 +42,12 @@ async function query(siteId?: number, niceId?: string, orgId?: string) {
    }
 }

-export type GetSiteResponse = NonNullable<
-    Awaited<ReturnType<typeof query>>
->["sites"] & { newtId: string | null };
+type SiteQueryRow = NonNullable<Awaited<ReturnType<typeof query>>>;
+
+export type GetSiteResponse = SiteQueryRow["sites"] & {
+    newtId: string | null;
+    newtVersion: string | null;
+};

 registry.registerPath({
    method: "get",
@@ -100,7 +103,8 @@ export async function getSite(

        const data: GetSiteResponse = {
            ...site.sites,
-            newtId: site.newt ? site.newt.newtId : null
+            newtId: site.newt ? site.newt.newtId : null,
+            newtVersion: site.newt?.version ?? null
        };

        return response<GetSiteResponse>(res, {
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -74,16 +74,14 @@ const createSiteResourceSchema = z
    .refine(
        (data) => {
            if (data.mode === "host") {
-                if (data.mode == "host") {
-                    // Check if it's a valid IP address using zod (v4 or v6)
-                    const isValidIP = z
-                        // .union([z.ipv4(), z.ipv6()])
-                        .union([z.ipv4()]) // for now lets just do ipv4 until we verify ipv6 works everywhere
-                        .safeParse(data.destination).success;
+                // Check if it's a valid IP address using zod (v4 or v6)
+                const isValidIP = z
+                    // .union([z.ipv4(), z.ipv6()])
+                    .union([z.ipv4()]) // for now lets just do ipv4 until we verify ipv6 works everywhere
+                    .safeParse(data.destination).success;

-                    if (isValidIP) {
-                        return true;
-                    }
+                if (isValidIP) {
+                    return true;
                }

                // Check if it's a valid domain (hostname pattern, TLD not required)
@@ -96,17 +94,12 @@ const createSiteResourceSchema = z
                    data.alias.trim() !== "";

                return isValidDomain && isValidAlias; // require the alias to be set in the case of domain
-            }
-            return true;
-        },
-        {
-            message:
-                "Destination must be a valid IPV4 address or valid domain AND alias is required"
-        }
-    )
-    .refine(
-        (data) => {
-            if (data.mode === "cidr") {
+            } else if (data.mode === "http") {
+                // we have to have a domainId defined
+                if (!data.domainId) {
+                    return false;
+                }
+            } else if (data.mode === "cidr") {
                // Check if it's a valid CIDR (v4 or v6)
                const isValidCIDR = z
                    .union([z.cidrv4(), z.cidrv6()])
@@ -116,7 +109,8 @@ const createSiteResourceSchema = z
            return true;
        },
        {
-            message: "Destination must be a valid CIDR notation for cidr mode"
+            message:
+                "Destination must be a valid IPV4 address or valid domain AND alias is required"
        }
    )
    .refine(
@@ -496,11 +490,6 @@ export async function createSiteResource(
                    );
                }
            }
-
-            await rebuildClientAssociationsFromSiteResource(
-                newSiteResource,
-                trx
-            ); // we need to call this because we added to the admin role
        });

        if (!newSiteResource) {
@@ -526,6 +515,22 @@ export async function createSiteResource(
            await createCertificate(domainId, fullDomain, db);
        }

+        // Run in the background after the response is sent. Wrapped in its
+        // own transaction so it always executes on the primary — avoiding any
+        // replica-lag issues while still allowing the HTTP response to return
+        // early.
+        db.transaction(async (trx) => {
+            await rebuildClientAssociationsFromSiteResource(
+                newSiteResource!,
+                trx
+            );
+        }).catch((err) => {
+            logger.error(
+                `Error rebuilding client associations for site resource ${newSiteResource!.siteResourceId}:`,
+                err
+            );
+        });
+
        return response(res, {
            data: newSiteResource,
            success: true,
--- a/server/routers/siteResource/deleteSiteResource.ts
+++ b/server/routers/siteResource/deleteSiteResource.ts
@@ -63,17 +63,26 @@ export async function deleteSiteResource(
            );
        }

-        await db.transaction(async (trx) => {
-            // Delete the site resource
-            const [removedSiteResource] = await trx
-                .delete(siteResources)
-                .where(eq(siteResources.siteResourceId, siteResourceId))
-                .returning();
+        // Delete the site resource
+        const [removedSiteResource] = await db
+            .delete(siteResources)
+            .where(eq(siteResources.siteResourceId, siteResourceId))
+            .returning();

+        // Run in the background after the response is sent. Wrapped in its
+        // own transaction so it always executes on the primary — avoiding any
+        // replica-lag issues while still allowing the HTTP response to return
+        // early.
+        db.transaction(async (trx) => {
            await rebuildClientAssociationsFromSiteResource(
                removedSiteResource,
                trx
            );
+        }).catch((err) => {
+            logger.error(
+                `Error rebuilding client associations for site resource ${removedSiteResource!.siteResourceId}:`,
+                err
+            );
        });

        logger.info(`Deleted site resource ${siteResourceId}`);
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -104,6 +104,17 @@ const updateSiteResourceSchema = z
                    data.alias.trim() !== "";

                return isValidDomain && isValidAlias; // require the alias to be set in the case of domain
+            } else if (data.mode === "cidr" && data.destination) {
+                // Check if it's a valid CIDR (v4 or v6)
+                const isValidCIDR = z
+                    .union([z.cidrv4(), z.cidrv6()])
+                    .safeParse(data.destination).success;
+                return isValidCIDR;
+            } else if (data.mode === "http") {
+                // we have to have a domainId defined
+                if (!data.domainId) {
+                    return false;
+                }
            }
            return true;
        },
@@ -112,21 +123,6 @@ const updateSiteResourceSchema = z
                "Destination must be a valid IP address or valid domain AND alias is required"
        }
    )
-    .refine(
-        (data) => {
-            if (data.mode === "cidr" && data.destination) {
-                // Check if it's a valid CIDR (v4 or v6)
-                const isValidCIDR = z
-                    .union([z.cidrv4(), z.cidrv6()])
-                    .safeParse(data.destination).success;
-                return isValidCIDR;
-            }
-            return true;
-        },
-        {
-            message: "Destination must be a valid CIDR notation for cidr mode"
-        }
-    )
    .refine(
        (data) => {
            if (data.mode !== "http") return true;
@@ -431,9 +427,6 @@ export async function updateSiteResource(
                    })
                    .returning();

-                // wait some time to allow for messages to be handled
-                await new Promise((resolve) => setTimeout(resolve, 750));
-
                const sshPamSet =
                    isLicensedSshPam &&
                    (authDaemonPort !== undefined ||
@@ -556,11 +549,6 @@ export async function updateSiteResource(
                        }))
                    );
                }
-
-                await rebuildClientAssociationsFromSiteResource(
-                    updatedSiteResource,
-                    trx
-                );
            } else {
                // Update the site resource
                const sshPamSet =
@@ -690,7 +678,24 @@ export async function updateSiteResource(
                }

                logger.info(`Updated site resource ${siteResourceId}`);
+            }
+        });

+        // Background: wait for removal messages to propagate, then rebuild
+        // associations for the re-created resource. Own transaction ensures
+        // execution on the primary against fully committed state.
+        (async () => {
+            await db.transaction(async (trx) => {
+                if (!updatedSiteResource) {
+                    throw new Error("No updated resource found after update");
+                }
+                if (sitesChanged) {
+                    await new Promise((resolve) => setTimeout(resolve, 750));
+                    await rebuildClientAssociationsFromSiteResource(
+                        updatedSiteResource,
+                        trx
+                    );
+                }
                await handleMessagingForUpdatedSiteResource(
                    existingSiteResource,
                    updatedSiteResource,
@@ -700,7 +705,12 @@ export async function updateSiteResource(
                    })),
                    trx
                );
-            }
+            });
+        })().catch((err) => {
+            logger.error(
+                `Error rebuilding client associations for site resource ${updatedSiteResource?.siteResourceId}:`,
+                err
+            );
        });

        return response(res, {
--- a/server/routers/target/createTarget.ts
+++ b/server/routers/target/createTarget.ts
@@ -23,7 +23,7 @@ import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert,
    fireHealthCheckUnknownAlert
-} from "#dynamic/lib/alerts";
+} from "@server/lib/alerts";

 const createTargetParamsSchema = z.strictObject({
    resourceId: z.string().transform(Number).pipe(z.int().positive())
--- a/server/routers/target/handleHealthcheckStatusMessage.ts
+++ b/server/routers/target/handleHealthcheckStatusMessage.ts
@@ -6,7 +6,7 @@ import logger from "@server/logger";
 import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert
-} from "#dynamic/lib/alerts";
+} from "@server/lib/alerts";

 interface TargetHealthStatus {
    status: string;
--- a/server/routers/target/listTargets.ts
+++ b/server/routers/target/listTargets.ts
@@ -56,6 +56,8 @@ function queryTargets(resourceId: number) {
            hcStatus: targetHealthCheck.hcStatus,
            hcHealth: targetHealthCheck.hcHealth,
            hcTlsServerName: targetHealthCheck.hcTlsServerName,
+            hcHealthyThreshold: targetHealthCheck.hcHealthyThreshold,
+            hcUnhealthyThreshold: targetHealthCheck.hcUnhealthyThreshold,
            path: targets.path,
            pathMatchType: targets.pathMatchType,
            rewritePath: targets.rewritePath,
--- a/server/routers/target/updateTarget.ts
+++ b/server/routers/target/updateTarget.ts
@@ -10,7 +10,11 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { addPeer } from "../gerbil/peers";
 import { addTargets } from "../newt/targets";
-import { fireHealthCheckHealthyAlert, fireHealthCheckUnknownAlert, fireHealthCheckUnhealthyAlert } from "#dynamic/lib/alerts";
+import {
+    fireHealthCheckHealthyAlert,
+    fireHealthCheckUnknownAlert,
+    fireHealthCheckUnhealthyAlert
+} from "@server/lib/alerts";
 import { pickPort } from "./helpers";
 import { isTargetValid } from "@server/lib/validators";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -169,7 +173,7 @@ export async function updateTarget(
        let updatedTarget: any;
        let updatedHc: any;
        await db.transaction(async (trx) => {
-             [updatedTarget] = await trx
+            [updatedTarget] = await trx
                .update(targets)
                .set({
                    siteId: parsedBody.data.siteId,
@@ -181,8 +185,12 @@ export async function updateTarget(
                    path: parsedBody.data.path,
                    pathMatchType: parsedBody.data.pathMatchType,
                    priority: parsedBody.data.priority,
-                    rewritePath: pathMatchTypeRemoved ? null : parsedBody.data.rewritePath,
-                    rewritePathType: pathMatchTypeRemoved ? null : parsedBody.data.rewritePathType
+                    rewritePath: pathMatchTypeRemoved
+                        ? null
+                        : parsedBody.data.rewritePath,
+                    rewritePathType: pathMatchTypeRemoved
+                        ? null
+                        : parsedBody.data.rewritePathType
                })
                .where(eq(targets.targetId, targetId))
                .returning();
@@ -213,7 +221,8 @@ export async function updateTarget(
            // If hcEnabled is being turned on (was false, now true), set to "unhealthy"
            // so the target must pass a health check before being considered healthy.
            const hcEnabledTurnedOn =
-                parsedBody.data.hcEnabled === true && existingHc.hcEnabled === false;
+                parsedBody.data.hcEnabled === true &&
+                existingHc.hcEnabled === false;

            let hcHealthValue: "unknown" | "healthy" | "unhealthy" | undefined;
            if (
@@ -253,7 +262,10 @@ export async function updateTarget(
                .where(eq(targetHealthCheck.targetId, targetId))
                .returning();

-            if (updatedHc.hcHealth === "unhealthy" && existingHc.hcHealth !== "unhealthy") {
+            if (
+                updatedHc.hcHealth === "unhealthy" &&
+                existingHc.hcHealth !== "unhealthy"
+            ) {
                logger.debug(
                    `Health check ${updatedHc.targetHealthCheckId} for target ${targetId} is now unhealthy, firing alert`
                );
@@ -266,7 +278,10 @@ export async function updateTarget(
                    false, // dont send the alert because we just want to create the alert, not notify users yet
                    trx
                );
-            } else if (updatedHc.hcHealth === "unknown" && existingHc.hcHealth !== "unknown") {
+            } else if (
+                updatedHc.hcHealth === "unknown" &&
+                existingHc.hcHealth !== "unknown"
+            ) {
                logger.debug(
                    `Health check ${updatedHc.targetHealthCheckId} for target ${targetId} is now unknown, firing alert`
                );
@@ -280,7 +295,10 @@ export async function updateTarget(
                    false, // dont send the alert because we just want to create the alert, not notify users yet
                    trx
                );
-            } else if (updatedHc.hcHealth === "healthy" && existingHc.hcHealth !== "healthy") {
+            } else if (
+                updatedHc.hcHealth === "healthy" &&
+                existingHc.hcHealth !== "healthy"
+            ) {
                logger.debug(
                    `Health check ${updatedHc.targetHealthCheckId} for target ${targetId} is now healthy, firing alert`
                );
--- a/server/routers/ws/ws.ts
+++ b/server/routers/ws/ws.ts
@@ -3,7 +3,15 @@ import zlib from "zlib";
 import { Server as HttpServer } from "http";
 import { WebSocket, WebSocketServer } from "ws";
 import { Socket } from "net";
-import { Newt, newts, NewtSession, olms, Olm, OlmSession, sites } from "@server/db";
+import {
+    Newt,
+    newts,
+    NewtSession,
+    olms,
+    Olm,
+    OlmSession,
+    sites
+} from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
 import { recordPing } from "@server/routers/newt/pingAccumulator";
@@ -80,6 +88,9 @@ const removeClient = async (
    const updatedClients = existingClients.filter((client) => client !== ws);
    if (updatedClients.length === 0) {
        connectedClients.delete(mapKey);
+        // Remove clientId from clientConfigVersions — prevents unbounded growth
+        // from stale entries.
+        clientConfigVersions.delete(clientId);

        logger.info(
            `All connections removed for ${clientType.toUpperCase()} ID: ${clientId}`
@@ -218,9 +229,13 @@ const hasActiveConnections = async (clientId: string): Promise<boolean> => {
 };

 // Get the current config version for a client
-const getClientConfigVersion = async (clientId: string): Promise<number | undefined> => {
+const getClientConfigVersion = async (
+    clientId: string
+): Promise<number | undefined> => {
    const version = clientConfigVersions.get(clientId);
-    logger.debug(`getClientConfigVersion called for clientId: ${clientId}, returning: ${version} (type: ${typeof version})`);
+    logger.debug(
+        `getClientConfigVersion called for clientId: ${clientId}, returning: ${version} (type: ${typeof version})`
+    );
    return version;
 };

@@ -507,6 +522,11 @@ const disconnectClient = async (clientId: string): Promise<boolean> => {
        }
    });

+    // Eagerly remove client — close event may not fire if socket already
+    // CLOSING, leaving zombie entries.
+    connectedClients.delete(mapKey);
+    clientConfigVersions.delete(clientId);
+
    return true;
 };

--- a/server/setup/migrationsPg.ts
+++ b/server/setup/migrationsPg.ts
@@ -23,6 +23,7 @@ import m14 from "./scriptsPg/1.15.4";
 import m15 from "./scriptsPg/1.16.0";
 import m16 from "./scriptsPg/1.17.0";
 import m17 from "./scriptsPg/1.18.0";
+import m18 from "./scriptsPg/1.18.3";

 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -45,7 +46,8 @@ const migrations = [
    { version: "1.15.4", run: m14 },
    { version: "1.16.0", run: m15 },
    { version: "1.17.0", run: m16 },
-    { version: "1.18.0", run: m17 }
+    { version: "1.18.0", run: m17 },
+    { version: "1.18.3", run: m18 }
    // Add new migrations here as they are created
 ] as {
    version: string;
--- a/server/setup/migrationsSqlite.ts
+++ b/server/setup/migrationsSqlite.ts
@@ -41,6 +41,7 @@ import m35 from "./scriptsSqlite/1.15.4";
 import m36 from "./scriptsSqlite/1.16.0";
 import m37 from "./scriptsSqlite/1.17.0";
 import m38 from "./scriptsSqlite/1.18.0";
+import m39 from "./scriptsSqlite/1.18.3";

 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
@@ -79,7 +80,8 @@ const migrations = [
    { version: "1.15.4", run: m35 },
    { version: "1.16.0", run: m36 },
    { version: "1.17.0", run: m37 },
-    { version: "1.18.0", run: m38 }
+    { version: "1.18.0", run: m38 },
+    { version: "1.18.3", run: m39 }
    // Add new migrations here as they are created
 ] as const;

--- a/server/setup/scriptsPg/1.18.0.ts
+++ b/server/setup/scriptsPg/1.18.0.ts
@@ -16,6 +16,9 @@ export default async function migration() {
                thc."targetId",
                t."siteId",
                s."orgId",
+                r."name" AS "resourceName",
+                t."ip",
+                t."port",
                thc."hcEnabled",
                thc."hcPath",
                thc."hcScheme",
@@ -33,13 +36,17 @@ export default async function migration() {
                thc."hcTlsServerName"
            FROM "targetHealthCheck" thc
            JOIN "targets" t ON thc."targetId" = t."targetId"
-            JOIN "sites" s ON t."siteId" = s."siteId"`
+            JOIN "sites" s ON t."siteId" = s."siteId"
+            JOIN "resources" r ON t."resourceId" = r."resourceId"`
    );
    const existingHealthChecks = healthChecksQuery.rows as {
        targetHealthCheckId: number;
        targetId: number;
        siteId: number;
        orgId: string;
+        resourceName: string;
+        ip: string;
+        port: number;
        hcEnabled: boolean;
        hcPath: string | null;
        hcScheme: string | null;
@@ -385,6 +392,7 @@ export default async function migration() {
                        "targetId",
                        "orgId",
                        "siteId",
+                        "name",
                        "hcEnabled",
                        "hcPath",
                        "hcScheme",
@@ -405,6 +413,7 @@ export default async function migration() {
                        ${hc.targetId},
                        ${hc.orgId},
                        ${hc.siteId},
+                        ${`Resource ${hc.resourceName} - ${hc.ip}:${hc.port}`},
                        ${hc.hcEnabled},
                        ${hc.hcPath},
                        ${hc.hcScheme},
--- a/server/setup/scriptsPg/1.18.3.ts
+++ b/server/setup/scriptsPg/1.18.3.ts
@@ -0,0 +1,169 @@
+import { db } from "@server/db/pg/driver";
+import { sql } from "drizzle-orm";
+
+const version = "1.18.3";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    // Query existing targetHealthCheck data with joined siteId and orgId before
+    // the transaction adds the new columns (which start NULL for existing rows).
+    // We will delete all rows and reinsert them with targetHealthCheckId = targetId
+    // so the two IDs form a stable 1:1 mapping.
+    const healthChecksQuery = await db.execute(
+        sql`SELECT
+                thc."targetHealthCheckId",
+                thc."targetId",
+                t."siteId",
+                s."orgId",
+                r."name" AS "resourceName",
+                t."ip",
+                t."port"
+            FROM "targetHealthCheck" thc
+            JOIN "targets" t ON thc."targetId" = t."targetId"
+            JOIN "sites" s ON t."siteId" = s."siteId"
+            JOIN "resources" r ON t."resourceId" = r."resourceId"
+            WHERE thc."name" IS NULL OR thc."name" = ''`
+    );
+
+    const existingHealthChecks = healthChecksQuery.rows as {
+        targetHealthCheckId: number;
+        targetId: number;
+        siteId: number;
+        orgId: string;
+        resourceName: string;
+        ip: string;
+        port: number;
+    }[];
+
+    console.log(
+        `Found ${existingHealthChecks.length} existing targetHealthCheck row(s) to migrate`
+    );
+
+    try {
+        await db.execute(sql`BEGIN`);
+
+        await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS "trialNotifications" (
+               	"notificationId" serial PRIMARY KEY NOT NULL,
+               	"subscriptionId" varchar(255) NOT NULL,
+               	"notificationType" varchar(50) NOT NULL,
+               	"sentAt" bigint NOT NULL
+            );
+        `);
+
+        await db.execute(sql`COMMIT`);
+        console.log("Migrated database");
+    } catch (e) {
+        await db.execute(sql`ROLLBACK`);
+        console.log("Unable to migrate database");
+        console.log(e);
+        throw e;
+    }
+
+    if (existingHealthChecks.length > 0) {
+        // fix the name column
+        try {
+            for (const hc of existingHealthChecks) {
+                await db.execute(sql`
+                    UPDATE "targetHealthCheck"
+                    SET "name" = ${`Resource ${hc.resourceName} - ${hc.ip}:${hc.port}`}
+                    WHERE "targetHealthCheckId" = ${hc.targetHealthCheckId}
+                `);
+            }
+
+            console.log(
+                `Updated names for ${existingHealthChecks.length} existing targetHealthCheck row(s)`
+            );
+        } catch (e) {
+            console.error("Error while migrating targetHealthCheck rows:", e);
+            throw e;
+        }
+    }
+
+    // Recompute resource health by aggregating across the resource's targets'
+    // target health checks, then update the resources.health column to match.
+    try {
+        const resourceTargetHealthQuery = await db.execute(
+            sql`SELECT
+                    r."resourceId" AS "resourceId",
+                    r."orgId" AS "orgId",
+                    r."health" AS "currentHealth",
+                    thc."hcHealth" AS "hcHealth"
+                FROM "resources" r
+                LEFT JOIN "targets" t ON t."resourceId" = r."resourceId"
+                LEFT JOIN "targetHealthCheck" thc ON thc."targetId" = t."targetId"`
+        );
+        const resourceTargetHealthRows = resourceTargetHealthQuery.rows as {
+            resourceId: number;
+            orgId: string;
+            currentHealth: string | null;
+            hcHealth: string | null;
+        }[];
+
+        const resourceHealthMap = new Map<
+            number,
+            {
+                hasHealthy: boolean;
+                hasUnhealthy: boolean;
+                hasUnknown: boolean;
+                orgId: string;
+                currentHealth: string | null;
+            }
+        >();
+        for (const row of resourceTargetHealthRows) {
+            const entry = resourceHealthMap.get(row.resourceId) ?? {
+                hasHealthy: false,
+                hasUnhealthy: false,
+                hasUnknown: false,
+                orgId: row.orgId,
+                currentHealth: row.currentHealth
+            };
+            const status = row.hcHealth ?? "unknown";
+            if (status === "healthy") entry.hasHealthy = true;
+            else if (status === "unhealthy") entry.hasUnhealthy = true;
+            else entry.hasUnknown = true;
+            resourceHealthMap.set(row.resourceId, entry);
+        }
+
+        const now = Math.floor(Date.now() / 1000);
+        let updatedResourceCount = 0;
+        for (const [resourceId, entry] of resourceHealthMap.entries()) {
+            let aggregated: "healthy" | "unhealthy" | "degraded" | "unknown";
+            if (entry.hasHealthy && entry.hasUnhealthy) {
+                aggregated = "degraded";
+            } else if (entry.hasHealthy) {
+                aggregated = "healthy";
+            } else if (entry.hasUnhealthy) {
+                aggregated = "unhealthy";
+            } else {
+                aggregated = "unknown";
+            }
+
+            if (entry.currentHealth !== aggregated) {
+                await db.execute(sql`
+                    UPDATE "resources"
+                    SET "health" = ${aggregated}
+                    WHERE "resourceId" = ${resourceId}
+                `);
+                await db.execute(sql`
+                    INSERT INTO "statusHistory" ("entityType", "entityId", "orgId", "status", "timestamp")
+                    VALUES ('resource', ${resourceId}, ${entry.orgId}, ${aggregated}, ${now})
+                `);
+                updatedResourceCount++;
+            }
+        }
+
+        console.log(
+            `Recomputed health for ${updatedResourceCount} resource(s) based on target health checks`
+        );
+    } catch (e) {
+        console.error(
+            "Error while recomputing resource health from target health checks:",
+            e
+        );
+        throw e;
+    }
+
+    console.log(`${version} migration complete`);
+}
--- a/server/setup/scriptsSqlite/1.18.0.ts
+++ b/server/setup/scriptsSqlite/1.18.0.ts
@@ -22,6 +22,9 @@ export default async function migration() {
                    thc."targetId",
                    t."siteId",
                    s."orgId",
+                    r."name" AS "resourceName",
+                    t."ip",
+                    t."port",
                    thc."hcEnabled",
                    thc."hcPath",
                    thc."hcScheme",
@@ -39,13 +42,17 @@ export default async function migration() {
                    thc."hcTlsServerName"
                FROM 'targetHealthCheck' thc
                JOIN 'targets' t ON thc."targetId" = t."targetId"
-                JOIN 'sites' s ON t."siteId" = s."siteId"`
+                JOIN 'sites' s ON t."siteId" = s."siteId"
+                JOIN 'resources' r ON t."resourceId" = r."resourceId"`
            )
            .all() as {
            targetHealthCheckId: number;
            targetId: number;
            siteId: number;
            orgId: string;
+            resourceName: string;
+            ip: string;
+            port: number;
            hcEnabled: number;
            hcPath: string | null;
            hcScheme: string | null;
@@ -392,6 +399,7 @@ export default async function migration() {
                    "targetId",
                    "orgId",
                    "siteId",
+                    "name",
                    "hcEnabled",
                    "hcPath",
                    "hcScheme",
@@ -407,7 +415,7 @@ export default async function migration() {
                    "hcStatus",
                    "hcHealth",
                    "hcTlsServerName"
-                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
            );

            const insertAll = db.transaction(() => {
@@ -417,6 +425,7 @@ export default async function migration() {
                        hc.targetId,
                        hc.orgId,
                        hc.siteId,
+                        `Resource ${hc.resourceName} - ${hc.ip}:${hc.port}`,
                        hc.hcEnabled,
                        hc.hcPath,
                        hc.hcScheme,
--- a/server/setup/scriptsSqlite/1.18.3.ts
+++ b/server/setup/scriptsSqlite/1.18.3.ts
@@ -0,0 +1,172 @@
+import { APP_PATH } from "@server/lib/consts";
+import Database from "better-sqlite3";
+import path from "path";
+
+const version = "1.18.3";
+
+export default async function migration() {
+    console.log(`Running setup script ${version}...`);
+
+    const location = path.join(APP_PATH, "db", "db.sqlite");
+    const db = new Database(location);
+
+    try {
+        db.pragma("foreign_keys = OFF");
+
+        db.transaction(() => {
+            db.prepare(
+                `
+                    CREATE TABLE IF NOT EXISTS 'trialNotifications' (
+                       	'notificationId' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+                       	'subscriptionId' text NOT NULL,
+                       	'notificationType' text NOT NULL,
+                       	'sentAt' integer NOT NULL,
+                       	FOREIGN KEY ('subscriptionId') REFERENCES 'subscriptions'('subscriptionId') ON UPDATE no action ON DELETE cascade
+                    );
+            `
+            ).run();
+        })();
+
+        db.pragma("foreign_keys = ON");
+
+        console.log("Migrated database");
+
+        // Fix names for health checks that don't have one
+        const healthChecksWithoutName = db
+            .prepare(
+                `SELECT
+                    thc."targetHealthCheckId",
+                    r."name" AS "resourceName",
+                    t."ip",
+                    t."port"
+                FROM 'targetHealthCheck' thc
+                JOIN 'targets' t ON thc."targetId" = t."targetId"
+                JOIN 'resources' r ON t."resourceId" = r."resourceId"
+                WHERE thc."name" IS NULL OR thc."name" = ''`
+            )
+            .all() as {
+            targetHealthCheckId: number;
+            resourceName: string;
+            ip: string;
+            port: number;
+        }[];
+
+        console.log(
+            `Found ${healthChecksWithoutName.length} targetHealthCheck row(s) with missing names`
+        );
+
+        if (healthChecksWithoutName.length > 0) {
+            const updateName = db.prepare(
+                `UPDATE 'targetHealthCheck' SET "name" = ? WHERE "targetHealthCheckId" = ?`
+            );
+            const updateAllNames = db.transaction(() => {
+                for (const hc of healthChecksWithoutName) {
+                    updateName.run(
+                        `Resource ${hc.resourceName} - ${hc.ip}:${hc.port}`,
+                        hc.targetHealthCheckId
+                    );
+                }
+            });
+            updateAllNames();
+            console.log(
+                `Updated names for ${healthChecksWithoutName.length} targetHealthCheck row(s)`
+            );
+        }
+
+        // Recompute resource health by aggregating across the resource's
+        // targets' target health checks, then update resources.health and
+        // insert a statusHistory entry for any resource whose health changed.
+        const resourceTargetHealthRows = db
+            .prepare(
+                `SELECT
+                    r."resourceId" AS "resourceId",
+                    r."orgId" AS "orgId",
+                    r."health" AS "currentHealth",
+                    thc."hcHealth" AS "hcHealth"
+                 FROM 'resources' r
+                 LEFT JOIN 'targets' t ON t."resourceId" = r."resourceId"
+                 LEFT JOIN 'targetHealthCheck' thc ON thc."targetId" = t."targetId"`
+            )
+            .all() as {
+            resourceId: number;
+            orgId: string;
+            currentHealth: string | null;
+            hcHealth: string | null;
+        }[];
+
+        const resourceHealthMap = new Map<
+            number,
+            {
+                hasHealthy: boolean;
+                hasUnhealthy: boolean;
+                hasUnknown: boolean;
+                orgId: string;
+                currentHealth: string | null;
+            }
+        >();
+        for (const row of resourceTargetHealthRows) {
+            const entry = resourceHealthMap.get(row.resourceId) ?? {
+                hasHealthy: false,
+                hasUnhealthy: false,
+                hasUnknown: false,
+                orgId: row.orgId,
+                currentHealth: row.currentHealth
+            };
+            const status = row.hcHealth ?? "unknown";
+            if (status === "healthy") entry.hasHealthy = true;
+            else if (status === "unhealthy") entry.hasUnhealthy = true;
+            else entry.hasUnknown = true;
+            resourceHealthMap.set(row.resourceId, entry);
+        }
+
+        const updateResourceHealth = db.prepare(
+            `UPDATE 'resources' SET "health" = ? WHERE "resourceId" = ?`
+        );
+        const insertResourceHistory = db.prepare(
+            `INSERT INTO 'statusHistory' ("entityType", "entityId", "orgId", "status", "timestamp") VALUES (?, ?, ?, ?, ?)`
+        );
+
+        const now = Math.floor(Date.now() / 1000);
+        let updatedResourceCount = 0;
+
+        const recomputeAll = db.transaction(() => {
+            for (const [resourceId, entry] of resourceHealthMap.entries()) {
+                let aggregated:
+                    | "healthy"
+                    | "unhealthy"
+                    | "degraded"
+                    | "unknown";
+                if (entry.hasHealthy && entry.hasUnhealthy) {
+                    aggregated = "degraded";
+                } else if (entry.hasHealthy) {
+                    aggregated = "healthy";
+                } else if (entry.hasUnhealthy) {
+                    aggregated = "unhealthy";
+                } else {
+                    aggregated = "unknown";
+                }
+
+                if (entry.currentHealth !== aggregated) {
+                    updateResourceHealth.run(aggregated, resourceId);
+                    insertResourceHistory.run(
+                        "resource",
+                        resourceId,
+                        entry.orgId,
+                        aggregated,
+                        now
+                    );
+                    updatedResourceCount++;
+                }
+            }
+        });
+        recomputeAll();
+        console.log(
+            `Recomputed health for ${updatedResourceCount} resource(s) based on target health checks`
+        );
+    } catch (e) {
+        console.log("Failed to migrate db:", e);
+        throw e;
+    }
+
+    console.log(`${version} migration complete`);
+}
--- a/src/app/[orgId]/settings/(private)/billing/page.tsx
+++ b/src/app/[orgId]/settings/(private)/billing/page.tsx
@@ -35,6 +35,7 @@ import {
 } from "@app/components/Credenza";
 import { cn } from "@app/lib/cn";
 import { CreditCard, ExternalLink, Check, AlertTriangle } from "lucide-react";
+import { Badge } from "@app/components/ui/badge";
 import { Alert, AlertTitle, AlertDescription } from "@app/components/ui/alert";
 import {
    Tooltip,
@@ -55,6 +56,7 @@ import {
    tier3LimitSet
 } from "@server/lib/billing/limitSet";
 import { FeatureId } from "@server/lib/billing/features";
+import TrialBillingBanner from "@app/components/TrialBillingBanner";

 // Plan tier definitions matching the mockup
 type PlanId = "basic" | "home" | "team" | "business" | "enterprise";
@@ -805,6 +807,20 @@ export default function BillingPage() {

    return (
        <SettingsContainer>
+            {/* Trial Banner */}
+            {isTrial && (
+                <TrialBillingBanner
+                    onUpgrade={() => {
+                        const currentPlan = planOptions.find(
+                            (p) => p.id === currentPlanId
+                        );
+                        if (currentPlan?.tierType) {
+                            handleStartSubscription(currentPlan.tierType);
+                        }
+                    }}
+                />
+            )}
+
            {/* Subscription Status Alert */}
            {isProblematicState && statusMessage && (
                <Alert variant="destructive" className="mb-6">
@@ -859,8 +875,19 @@ export default function BillingPage() {
                                    )}
                                >
                                    <div className="flex-1">
-                                        <div className="text-2xl">
-                                            {plan.name}
+                                        <div className="flex items-center gap-2 flex-wrap">
+                                            <span className="text-2xl">
+                                                {plan.name}
+                                            </span>
+                                            {isCurrentPlan && isTrial && (
+                                                <Badge
+                                                    variant="outlinePrimary"
+                                                    className="text-xs"
+                                                >
+                                                    {t("billingTrialBadge") ||
+                                                        "Free Trial"}
+                                                </Badge>
+                                            )}
                                        </div>
                                        <div className="mt-1">
                                            <span className="text-xl">
--- a/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx
@@ -175,26 +175,6 @@ export default function GeneralPage() {
    }, [variant]);

    useEffect(() => {
-        async function fetchRoles() {
-            const res = await api
-                .get<AxiosResponse<ListRolesResponse>>(`/org/${orgId}/roles`)
-                .catch((e) => {
-                    console.error(e);
-                    toast({
-                        variant: "destructive",
-                        title: t("accessRoleErrorFetch"),
-                        description: formatAxiosError(
-                            e,
-                            t("accessRoleErrorFetchDescription")
-                        )
-                    });
-                });
-
-            if (res?.status === 200) {
-                setRoles(res.data.data.roles);
-            }
-        }
-
        const loadIdp = async (
            availableRoles: { roleId: number; name: string }[]
        ) => {
@@ -520,6 +500,7 @@ export default function GeneralPage() {
                                    onAutoProvisionChange={(checked) => {
                                        form.setValue("autoProvision", checked);
                                    }}
+                                    orgId={orgId as string}
                                    roleMappingMode={roleMappingMode}
                                    onRoleMappingModeChange={(data) => {
                                        setRoleMappingMode(data);
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
--- a/src/app/[orgId]/settings/(private)/remote-exit-nodes/page.tsx
+++ b/src/app/[orgId]/settings/(private)/remote-exit-nodes/page.tsx
@@ -45,6 +45,7 @@ export default async function RemoteExitNodesPage(
                type: node.type,
                dateCreated: node.dateCreated,
                version: node.version || undefined,
+                updateAvailable: node.updateAvailable,
                orgId: params.orgId
            };
        }
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -1,44 +1,40 @@
 "use client";

+import IdpTypeBadge from "@app/components/IdpTypeBadge";
+import OrgRolesTagField from "@app/components/OrgRolesTagField";
+import {
+    SettingsContainer,
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionFooter,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+import { Button } from "@app/components/ui/button";
+import { Checkbox } from "@app/components/ui/checkbox";
 import {
    Form,
    FormControl,
    FormField,
    FormItem,
-    FormLabel,
-    FormMessage
+    FormLabel
 } from "@app/components/ui/form";
-import { Checkbox } from "@app/components/ui/checkbox";
-import OrgRolesTagField from "@app/components/OrgRolesTagField";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { userOrgUserContext } from "@app/hooks/useOrgUserContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { AxiosResponse } from "axios";
-import { useEffect, useState } from "react";
+import { build } from "@server/build";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { UserType } from "@server/types/UserTypes";
+import { useTranslations } from "next-intl";
+import { useParams } from "next/navigation";
+import { useActionState, useEffect } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
-import { ListRolesResponse } from "@server/routers/role";
-import { userOrgUserContext } from "@app/hooks/useOrgUserContext";
-import { useParams } from "next/navigation";
-import { Button } from "@app/components/ui/button";
-import {
-    SettingsContainer,
-    SettingsSection,
-    SettingsSectionHeader,
-    SettingsSectionTitle,
-    SettingsSectionDescription,
-    SettingsSectionBody,
-    SettingsSectionForm,
-    SettingsSectionFooter
-} from "@app/components/Settings";
-import { formatAxiosError } from "@app/lib/api";
-import { createApiClient } from "@app/lib/api";
-import { useEnvContext } from "@app/hooks/useEnvContext";
-import { useTranslations } from "next-intl";
-import IdpTypeBadge from "@app/components/IdpTypeBadge";
-import { UserType } from "@server/types/UserTypes";
-import { usePaidStatus } from "@app/hooks/usePaidStatus";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { build } from "@server/build";

 const accessControlsFormSchema = z.object({
    username: z.string(),
@@ -59,12 +55,6 @@ export default function AccessControlsPage() {

    const { orgId } = useParams();

-    const [loading, setLoading] = useState(false);
-    const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [activeRoleTagIndex, setActiveRoleTagIndex] = useState<number | null>(
-        null
-    );
-
    const t = useTranslations();
    const { isPaidUser } = usePaidStatus();
    const isPaid = isPaidUser(tierMatrix.fullRbac);
@@ -97,44 +87,21 @@ export default function AccessControlsPage() {
                text: r.name
            }))
        );
-    }, [user.userId, currentRoleIds.join(",")]);
-
-    useEffect(() => {
-        async function fetchRoles() {
-            const res = await api
-                .get<AxiosResponse<ListRolesResponse>>(`/org/${orgId}/roles`)
-                .catch((e) => {
-                    console.error(e);
-                    toast({
-                        variant: "destructive",
-                        title: t("accessRoleErrorFetch"),
-                        description: formatAxiosError(
-                            e,
-                            t("accessRoleErrorFetchDescription")
-                        )
-                    });
-                });
-
-            if (res?.status === 200) {
-                setRoles(res.data.data.roles);
-            }
-        }
-
-        fetchRoles();
        form.setValue("autoProvisioned", user.autoProvisioned || false);
-    }, []);
-
-    const allRoleOptions = roles.map((role) => ({
-        id: role.roleId.toString(),
-        text: role.name
-    }));
+    }, [user.userId, user.autoProvisioned, currentRoleIds.join(",")]);

    const paywallMessage =
        build === "saas"
            ? t("singleRolePerUserPlanNotice")
            : t("singleRolePerUserEditionNotice");

-    async function onSubmit(values: z.infer<typeof accessControlsFormSchema>) {
+    const [, action, isSubmitting] = useActionState(onSubmit, null);
+    async function onSubmit() {
+        const isValid = await form.trigger();
+        if (!isValid) return;
+
+        const values = form.getValues();
+
        if (values.roles.length === 0) {
            toast({
                variant: "destructive",
@@ -144,7 +111,6 @@ export default function AccessControlsPage() {
            return;
        }

-        setLoading(true);
        try {
            const roleIds = values.roles.map((r) => parseInt(r.id, 10));
            const updateRoleRequest = supportsMultipleRolesPerUser
@@ -184,7 +150,6 @@ export default function AccessControlsPage() {
                )
            });
        }
-        setLoading(false);
    }

    return (
@@ -203,7 +168,7 @@ export default function AccessControlsPage() {
                    <SettingsSectionForm>
                        <Form {...form}>
                            <form
-                                onSubmit={form.handleSubmit(onSubmit)}
+                                action={action}
                                className="space-y-4"
                                id="access-controls-form"
                            >
@@ -226,9 +191,7 @@ export default function AccessControlsPage() {
                                <OrgRolesTagField
                                    form={form}
                                    name="roles"
-                                    label={t("roles")}
-                                    placeholder={t("accessRoleSelect2")}
-                                    allRoleOptions={allRoleOptions}
+                                    orgId={orgId as string}
                                    supportsMultipleRolesPerUser={
                                        supportsMultipleRolesPerUser
                                    }
@@ -236,9 +199,6 @@ export default function AccessControlsPage() {
                                        showMultiRolePaywallMessage
                                    }
                                    paywallMessage={paywallMessage}
-                                    loading={loading}
-                                    activeTagIndex={activeRoleTagIndex}
-                                    setActiveTagIndex={setActiveRoleTagIndex}
                                />

                                {user.idpAutoProvision && (
@@ -277,8 +237,8 @@ export default function AccessControlsPage() {
                <SettingsSectionFooter>
                    <Button
                        type="submit"
-                        loading={loading}
-                        disabled={loading}
+                        loading={isSubmitting}
+                        disabled={isSubmitting}
                        form="access-controls-form"
                    >
                        {t("accessControlsSubmit")}
--- a/src/app/[orgId]/settings/access/users/create/page.tsx
+++ b/src/app/[orgId]/settings/access/users/create/page.tsx
@@ -13,7 +13,7 @@ import { StrategyOption, StrategySelect } from "@app/components/StrategySelect";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
 import { Button } from "@app/components/ui/button";
 import { useParams, useRouter } from "next/navigation";
-import { useState } from "react";
+import { useActionState, useState } from "react";
 import {
    Form,
    FormControl,
@@ -91,7 +91,7 @@ export default function Page() {
        "internal"
    );
    const [inviteLink, setInviteLink] = useState<string | null>(null);
-    const [loading, setLoading] = useState(false);
+
    const [expiresInDays, setExpiresInDays] = useState(1);
    const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
    const [idps, setIdps] = useState<IdpOption[]>([]);
@@ -311,10 +311,29 @@ export default function Page() {
        setUserOptions(options);
    }, [idps, t]);

-    async function onSubmitInternal(
-        values: z.infer<typeof internalFormSchema>
-    ) {
-        setLoading(true);
+    const [, submitInternalAction, isSubmittingInternal] = useActionState(
+        onSubmitInternal,
+        null
+    );
+    const [, submitGoogleAzureAction, isSubmittingGoogleAzure] = useActionState(
+        onSubmitGoogleAzure,
+        null
+    );
+    const [, submitGenericOidcAction, isSubmittingGenericOidc] = useActionState(
+        onSubmitGenericOidc,
+        null
+    );
+
+    const loading =
+        isSubmittingInternal ||
+        isSubmittingGoogleAzure ||
+        isSubmittingGenericOidc;
+
+    async function onSubmitInternal() {
+        const isValid = await internalForm.trigger();
+        if (!isValid) return;
+
+        const values = internalForm.getValues();

        const roleIds = values.roles.map((r) => parseInt(r.id, 10));

@@ -357,25 +376,24 @@ export default function Page() {

            setExpiresInDays(parseInt(values.validForHours) / 24);
        }
-
-        setLoading(false);
    }

-    async function onSubmitGoogleAzure(
-        values: z.infer<typeof googleAzureFormSchema>
-    ) {
+    async function onSubmitGoogleAzure() {
+        const isValid = await googleAzureForm.trigger();
+        if (!isValid) return;
+
+        const values = googleAzureForm.getValues();
+
        const selectedUserOption = userOptions.find(
            (opt) => opt.id === selectedOption
        );
        if (!selectedUserOption?.idpId) return;

-        setLoading(true);
-
        const roleIds = values.roles.map((r) => parseInt(r.id, 10));

        const res = await api
            .put(`/org/${orgId}/user`, {
-                username: values.email, // Use email as username for Google/Azure
+                username: values.email,
                email: values.email || undefined,
                name: values.name,
                type: "oidc",
@@ -401,20 +419,19 @@ export default function Page() {
            });
            router.push(`/${orgId}/settings/access/users`);
        }
-
-        setLoading(false);
    }

-    async function onSubmitGenericOidc(
-        values: z.infer<typeof genericOidcFormSchema>
-    ) {
+    async function onSubmitGenericOidc() {
+        const isValid = await genericOidcForm.trigger();
+        if (!isValid) return;
+
+        const values = genericOidcForm.getValues();
+
        const selectedUserOption = userOptions.find(
            (opt) => opt.id === selectedOption
        );
        if (!selectedUserOption?.idpId) return;

-        setLoading(true);
-
        const roleIds = values.roles.map((r) => parseInt(r.id, 10));

        const res = await api
@@ -445,8 +462,6 @@ export default function Page() {
            });
            router.push(`/${orgId}/settings/access/users`);
        }
-
-        setLoading(false);
    }

    return (
@@ -513,9 +528,9 @@ export default function Page() {
                                        <SettingsSectionForm>
                                            <Form {...internalForm}>
                                                <form
-                                                    onSubmit={internalForm.handleSubmit(
-                                                        onSubmitInternal
-                                                    )}
+                                                    action={
+                                                        submitInternalAction
+                                                    }
                                                    className="space-y-4"
                                                    id="create-user-form"
                                                >
@@ -595,13 +610,7 @@ export default function Page() {
                                                    <OrgRolesTagField
                                                        form={internalForm}
                                                        name="roles"
-                                                        label={t("roles")}
-                                                        placeholder={t(
-                                                            "accessRoleSelect2"
-                                                        )}
-                                                        allRoleOptions={
-                                                            allRoleOptions
-                                                        }
+                                                        orgId={orgId as string}
                                                        supportsMultipleRolesPerUser={
                                                            supportsMultipleRolesPerUser
                                                        }
@@ -611,13 +620,6 @@ export default function Page() {
                                                        paywallMessage={
                                                            invitePaywallMessage
                                                        }
-                                                        loading={loading}
-                                                        activeTagIndex={
-                                                            activeInviteRoleTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveInviteRoleTagIndex
-                                                        }
                                                    />

                                                    {env.email.emailEnabled && (
@@ -712,9 +714,9 @@ export default function Page() {
                                        })() && (
                                            <Form {...googleAzureForm}>
                                                <form
-                                                    onSubmit={googleAzureForm.handleSubmit(
-                                                        onSubmitGoogleAzure
-                                                    )}
+                                                    action={
+                                                        submitGoogleAzureAction
+                                                    }
                                                    className="space-y-4"
                                                    id="create-user-form"
                                                >
@@ -763,13 +765,7 @@ export default function Page() {
                                                    <OrgRolesTagField
                                                        form={googleAzureForm}
                                                        name="roles"
-                                                        label={t("roles")}
-                                                        placeholder={t(
-                                                            "accessRoleSelect2"
-                                                        )}
-                                                        allRoleOptions={
-                                                            allRoleOptions
-                                                        }
+                                                        orgId={orgId as string}
                                                        supportsMultipleRolesPerUser={
                                                            supportsMultipleRolesPerUser
                                                        }
@@ -779,13 +775,6 @@ export default function Page() {
                                                        paywallMessage={
                                                            invitePaywallMessage
                                                        }
-                                                        loading={loading}
-                                                        activeTagIndex={
-                                                            activeOidcRoleTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveOidcRoleTagIndex
-                                                        }
                                                    />
                                                </form>
                                            </Form>
@@ -808,9 +797,9 @@ export default function Page() {
                                        })() && (
                                            <Form {...genericOidcForm}>
                                                <form
-                                                    onSubmit={genericOidcForm.handleSubmit(
-                                                        onSubmitGenericOidc
-                                                    )}
+                                                    action={
+                                                        submitGenericOidcAction
+                                                    }
                                                    className="space-y-4"
                                                    id="create-user-form"
                                                >
@@ -888,13 +877,7 @@ export default function Page() {
                                                    <OrgRolesTagField
                                                        form={genericOidcForm}
                                                        name="roles"
-                                                        label={t("roles")}
-                                                        placeholder={t(
-                                                            "accessRoleSelect2"
-                                                        )}
-                                                        allRoleOptions={
-                                                            allRoleOptions
-                                                        }
+                                                        orgId={orgId as string}
                                                        supportsMultipleRolesPerUser={
                                                            supportsMultipleRolesPerUser
                                                        }
@@ -904,13 +887,6 @@ export default function Page() {
                                                        paywallMessage={
                                                            invitePaywallMessage
                                                        }
-                                                        loading={loading}
-                                                        activeTagIndex={
-                                                            activeOidcRoleTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveOidcRoleTagIndex
-                                                        }
                                                    />
                                                </form>
                                            </Form>
--- a/src/app/[orgId]/settings/alerting/create/page.tsx
+++ b/src/app/[orgId]/settings/alerting/create/page.tsx
@@ -3,10 +3,12 @@
 import AlertRuleGraphEditor from "@app/components/alert-rule-editor/AlertRuleGraphEditor";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
 import { defaultFormValues } from "@app/lib/alertRuleForm";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { useParams } from "next/navigation";
+import { useParams, useRouter } from "next/navigation";
 import { useTranslations } from "next-intl";
+import { useEffect } from "react";

 export default function NewAlertRulePage() {
    const params = useParams();
@@ -14,6 +16,19 @@ export default function NewAlertRulePage() {
    const t = useTranslations();
    const { isPaidUser } = usePaidStatus();
    const isPaid = isPaidUser(tierMatrix.alertingRules);
+    const { env } = useEnvContext();
+    const router = useRouter();
+    const disableEnterpriseFeatures = env.flags.disableEnterpriseFeatures;
+
+    useEffect(() => {
+        if (disableEnterpriseFeatures) {
+            router.replace(`/${orgId}/settings/alerting/rules`);
+        }
+    }, [disableEnterpriseFeatures, orgId, router]);
+
+    if (disableEnterpriseFeatures) {
+        return null;
+    }

    return (
        <>
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
@@ -1,5 +1,6 @@
 "use client";

+import { RolesSelector } from "@app/components/roles-selector";
 import SetResourceHeaderAuthForm from "@app/components/SetResourceHeaderAuthForm";
 import SetResourcePincodeForm from "@app/components/SetResourcePincodeForm";
 import {
@@ -33,6 +34,7 @@ import {
    SelectTrigger,
    SelectValue
 } from "@app/components/ui/select";
+import { UsersSelector } from "@app/components/users-selector";
 import type { ResourceContextType } from "@app/contexts/resourceContext";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useOrgContext } from "@app/hooks/useOrgContext";
@@ -180,13 +182,6 @@ export default function ResourceAuthenticationPage() {
        return [];
    }, [orgIdps]);

-    const [activeRolesTagIndex, setActiveRolesTagIndex] = useState<
-        number | null
-    >(null);
-    const [activeUsersTagIndex, setActiveUsersTagIndex] = useState<
-        number | null
-    >(null);
-
    const [ssoEnabled, setSsoEnabled] = useState(resource.sso ?? false);

    useEffect(() => {
@@ -497,46 +492,27 @@ export default function ResourceAuthenticationPage() {
                                                            {t("roles")}
                                                        </FormLabel>
                                                        <FormControl>
-                                                            <TagInput
-                                                                {...field}
-                                                                activeTagIndex={
-                                                                    activeRolesTagIndex
+                                                            <RolesSelector
+                                                                selectedRoles={
+                                                                    field.value ??
+                                                                    []
                                                                }
-                                                                setActiveTagIndex={
-                                                                    setActiveRolesTagIndex
+                                                                restrictAdminRole
+                                                                orgId={
+                                                                    org.org
+                                                                        .orgId
                                                                }
-                                                                placeholder={t(
-                                                                    "accessRoleSelect2"
-                                                                )}
-                                                                size="sm"
-                                                                tags={
-                                                                    usersRolesForm.getValues()
-                                                                        .roles
-                                                                }
-                                                                setTags={(
-                                                                    newRoles
+                                                                onSelectRoles={(
+                                                                    newUsers
                                                                ) => {
                                                                    usersRolesForm.setValue(
                                                                        "roles",
-                                                                        newRoles as [
+                                                                        newUsers as [
                                                                            Tag,
                                                                            ...Tag[]
                                                                        ]
                                                                    );
                                                                }}
-                                                                enableAutocomplete={
-                                                                    true
-                                                                }
-                                                                autocompleteOptions={
-                                                                    allRoles
-                                                                }
-                                                                allowDuplicates={
-                                                                    false
-                                                                }
-                                                                restrictTagsToAutocompleteOptions={
-                                                                    true
-                                                                }
-                                                                sortTags={true}
                                                            />
                                                        </FormControl>
                                                        <FormMessage />
@@ -557,23 +533,16 @@ export default function ResourceAuthenticationPage() {
                                                            {t("users")}
                                                        </FormLabel>
                                                        <FormControl>
-                                                            <TagInput
-                                                                {...field}
-                                                                activeTagIndex={
-                                                                    activeUsersTagIndex
+                                                            <UsersSelector
+                                                                selectedUsers={
+                                                                    field.value ??
+                                                                    []
                                                                }
-                                                                setActiveTagIndex={
-                                                                    setActiveUsersTagIndex
+                                                                orgId={
+                                                                    org.org
+                                                                        .orgId
                                                                }
-                                                                placeholder={t(
-                                                                    "accessUserSelect"
-                                                                )}
-                                                                tags={
-                                                                    usersRolesForm.getValues()
-                                                                        .users
-                                                                }
-                                                                size="sm"
-                                                                setTags={(
+                                                                onSelectUsers={(
                                                                    newUsers
                                                                ) => {
                                                                    usersRolesForm.setValue(
@@ -584,19 +553,6 @@ export default function ResourceAuthenticationPage() {
                                                                        ]
                                                                    );
                                                                }}
-                                                                enableAutocomplete={
-                                                                    true
-                                                                }
-                                                                autocompleteOptions={
-                                                                    allUsers
-                                                                }
-                                                                allowDuplicates={
-                                                                    false
-                                                                }
-                                                                restrictTagsToAutocompleteOptions={
-                                                                    true
-                                                                }
-                                                                sortTags={true}
                                                            />
                                                        </FormControl>
                                                        <FormMessage />
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -652,6 +652,8 @@ function ProxyResourceTargetsForm({
            hcMode: null,
            hcUnhealthyInterval: null,
            hcTlsServerName: null,
+            hcHealthyThreshold: null,
+            hcUnhealthyThreshold: null,
            siteType: sites.length > 0 ? sites[0].type : null,
            new: true,
            updated: false
@@ -761,7 +763,9 @@ function ProxyResourceTargetsForm({
                    hcStatus: target.hcStatus || null,
                    hcUnhealthyInterval: target.hcUnhealthyInterval || null,
                    hcMode: target.hcMode || null,
-                    hcTlsServerName: target.hcTlsServerName
+                    hcTlsServerName: target.hcTlsServerName,
+                    hcHealthyThreshold: target.hcHealthyThreshold || null,
+                    hcUnhealthyThreshold: target.hcUnhealthyThreshold || null
                };

                // Only include path-related fields for HTTP resources
@@ -1018,7 +1022,13 @@ function ProxyResourceTargetsForm({
                            30,
                        hcTlsServerName:
                            selectedTargetForHealthCheck.hcTlsServerName ||
-                            undefined
+                            undefined,
+                        hcHealthyThreshold:
+                            selectedTargetForHealthCheck.hcHealthyThreshold ||
+                            1,
+                        hcUnhealthyThreshold:
+                            selectedTargetForHealthCheck.hcUnhealthyThreshold ||
+                            1
                    }}
                    onChanges={async (config) => {
                        if (selectedTargetForHealthCheck) {
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -303,6 +303,8 @@ export default function Page() {
            hcMode: null,
            hcUnhealthyInterval: null,
            hcTlsServerName: null,
+            hcHealthyThreshold: null,
+            hcUnhealthyThreshold: null,
            siteType: sites.length > 0 ? sites[0].type : null,
            new: true,
            updated: false
@@ -552,7 +554,11 @@ export default function Page() {
                                hcUnhealthyInterval:
                                    target.hcUnhealthyInterval || null,
                                hcMode: target.hcMode || null,
-                                hcTlsServerName: target.hcTlsServerName
+                                hcTlsServerName: target.hcTlsServerName,
+                                hcHealthyThreshold:
+                                    target.hcHealthyThreshold || null,
+                                hcUnhealthyThreshold:
+                                    target.hcUnhealthyThreshold || null
                            };

                            // Only include path-related fields for HTTP resources
@@ -1520,7 +1526,13 @@ export default function Page() {
                                            30,
                                        hcTlsServerName:
                                            selectedTargetForHealthCheck.hcTlsServerName ||
-                                            undefined
+                                            undefined,
+                                        hcHealthyThreshold:
+                                            selectedTargetForHealthCheck.hcHealthyThreshold ||
+                                            1,
+                                        hcUnhealthyThreshold:
+                                            selectedTargetForHealthCheck.hcUnhealthyThreshold ||
+                                            1
                                    }}
                                    onChanges={async (config) => {
                                        if (selectedTargetForHealthCheck) {
--- a/src/app/admin/idp/[idpId]/policies/page.tsx
+++ b/src/app/admin/idp/[idpId]/policies/page.tsx
@@ -681,6 +681,9 @@ export default function PoliciesPage() {
                                        control: form.control,
                                        name: "orgMapping"
                                    }}
+                                    orgId={
+                                        editingPolicy?.orgId || policyFormOrgId
+                                    }
                                    roleMappingFieldIdPrefix="admin-idp-policy-role"
                                    roleMappingMode={policyRoleMappingMode}
                                    onRoleMappingModeChange={
--- a/src/app/auth/login/page.tsx
+++ b/src/app/auth/login/page.tsx
@@ -160,6 +160,18 @@ export default async function Page(props: {
                                redirect={redirectUrl}
                                forceLogin={forceLogin}
                                defaultUser={defaultUser}
+                                orgSignIn={
+                                    !isInvite &&
+                                    (build === "saas" ||
+                                        env.app.identityProviderMode === "org")
+                                        ? {
+                                              href: `/auth/org${buildQueryString(searchParams)}`,
+                                              linkText: t("orgAuthSignInToOrg"),
+                                              descriptionText:
+                                                  t("needToSignInToOrg")
+                                          }
+                                        : undefined
+                                }
                            />
                        </CardContent>
                    </Card>
@@ -195,7 +207,8 @@ export default async function Page(props: {
                </p>
            )}

-            {!isInvite &&
+            {!useSmartLogin &&
+            !isInvite &&
            (build === "saas" || env.app.identityProviderMode === "org") ? (
                <OrgSignInLink
                    href={`/auth/org${buildQueryString(searchParams)}`}
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -212,16 +212,22 @@ export const orgNavSections = (
                title: "sidebarManagement",
                icon: <Building2 className="size-4 flex-none" />,
                items: [
-                    {
-                        title: "sidebarAlerting",
-                        href: "/{orgId}/settings/alerting",
-                        icon: <BellRing className="size-4 flex-none" />
-                    },
-                    {
-                        title: "sidebarProvisioning",
-                        href: "/{orgId}/settings/provisioning",
-                        icon: <Boxes className="size-4 flex-none" />
-                    },
+                    ...(!env?.flags.disableEnterpriseFeatures
+                        ? [
+                              {
+                                  title: "sidebarAlerting",
+                                  href: "/{orgId}/settings/alerting",
+                                  icon: (
+                                      <BellRing className="size-4 flex-none" />
+                                  )
+                              },
+                              {
+                                  title: "sidebarProvisioning",
+                                  href: "/{orgId}/settings/provisioning",
+                                  icon: <Boxes className="size-4 flex-none" />
+                              }
+                          ]
+                        : []),
                    {
                        title: "sidebarBluePrints",
                        href: "/{orgId}/settings/blueprints",
--- a/Show More
+++ b/Show More