Update UI to support additions on the resource

feat: roles & users selector

.gitignore

@@ -17,9 +17,9 @@ yarn-error.log*
 *.tsbuildinfo
 next-env.d.ts
 *.db
-*.sqlite
+*.sqlite*
 !Dockerfile.sqlite
-*.sqlite3
+*.sqlite3*
 *.log
 .machinelogs*.json
 *-audit.json
@@ -54,3 +54,4 @@ hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
 server/setup/migrations.ts
+solo.yml

docker-compose.mailpit.yml

@@ -0,0 +1,12 @@
+services:
+  mailer:
+    image: axllent/mailpit
+    ports:
+      - 8025:8025
+      - 1025:1025
+    volumes:
+      - mailpit-storage:/data
+    environment:
+      - MP_DATABASE=/data/mailpit.db
+volumes:
+  mailpit-storage:

messages/en-US.json

@@ -204,11 +204,33 @@
     "resourcesSearch": "Search resources...",
     "resourceAdd": "Add Resource",
     "resourceErrorDelte": "Error deleting resource",
+    "resourcePoliciesTitle": "Manage Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Attached resources",
+    "resourcePoliciesAttachedResources": "{count} resource(s)",
+    "resourcePoliciesAttachedResourcesEmpty": "no resources",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your resources",
+    "resourcePoliciesSearch": "Search policies...",
+    "resourcePoliciesAdd": "Add Policy",
+    "resourcePoliciesDefaultBadgeText": "Default policy",
+    "resourcePoliciesCreate": "Create Resource Policy",
+    "resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
+    "resourcePolicyName": "Policy Name",
+    "resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
+    "resourcePolicyNamePlaceholder": "e.g. Internal Access Policy",
+    "resourcePoliciesSeeAll": "See All Policies",
+    "resourcePolicyAuthMethodAdd": "Add Authentication Method",
+    "resourcePolicyOtpEmailAdd": "Add OTP emails",
+    "resourcePolicyRulesAdd": "Add Rules",
+    "resourcePolicyAuthMethodsDescription": "Allow access to resources via additional auth methods",
+    "resourcePolicyUsersRolesDescription": "Configure which users and roles can visit associated resources",
+    "rulesResourcePolicyDescription": "Configure rules to control access resources associated to this policy",
     "authentication": "Authentication",
     "protected": "Protected",
     "notProtected": "Not Protected",
     "resourceMessageRemove": "Once removed, the resource will no longer be accessible. All targets associated with the resource will also be removed.",
     "resourceQuestionRemove": "Are you sure you want to remove the resource from the organization?",
+    "resourcePolicyMessageRemove": "Once removed, the resource policy will no longer be accessible. All resources associated with the resource will be unlinked and left without authentication.",
+    "resourcePolicyQuestionRemove": "Are you sure you want to remove the resource policy from the organization?",
     "resourceHTTP": "HTTPS Resource",
     "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
     "resourceRaw": "Raw TCP/UDP Resource",
@@ -249,6 +271,8 @@
     "resourceLearnRaw": "Learn how to configure TCP/UDP resources",
     "resourceBack": "Back to Resources",
     "resourceGoTo": "Go to Resource",
+    "resourcePolicyDelete": "Delete Resource Policy",
+    "resourcePolicyDeleteConfirm": "Confirm Delete Resource Policy",
     "resourceDelete": "Delete Resource",
     "resourceDeleteConfirm": "Confirm Delete Resource",
     "visibility": "Visibility",
@@ -261,6 +285,8 @@
     "rules": "Rules",
     "resourceSettingDescription": "Configure the settings on the resource",
     "resourceSetting": "{resourceName} Settings",
+    "resourcePolicySettingDescription": "Configure the settings on the resource policy",
+    "resourcePolicySetting": "{policyName} Settings",
     "alwaysAllow": "Bypass Auth",
     "alwaysDeny": "Block Access",
     "passToAuth": "Pass to Auth",
@@ -731,6 +757,16 @@
     "rulesNoOne": "No rules. Add a rule using the form.",
     "rulesOrder": "Rules are evaluated by priority in ascending order.",
     "rulesSubmit": "Save Rules",
+    "policyErrorCreate": "Error creating policy",
+    "policyErrorCreateDescription": "An error occurred when creating the policy",
+    "policyErrorCreateMessageDescription": "An unexpected error occurred",
+    "policyErrorUpdate": "Error updating policy",
+    "policyErrorUpdateDescription": "An error occurred when updating the policy",
+    "policyErrorUpdateMessageDescription": "An unexpected error occurred",
+    "policyCreatedSuccess": "Resource policy succesfully created",
+    "policyUpdatedSuccess": "Resource policy succesfully updated",
+    "authMethodsSave": "Save auth methods",
+    "rulesSave": "Save Rules",
     "resourceErrorCreate": "Error creating resource",
     "resourceErrorCreateDescription": "An error occurred when creating the resource",
     "resourceErrorCreateMessage": "Error creating resource:",
@@ -794,6 +830,16 @@
     "pincodeAdd": "Add PIN Code",
     "pincodeRemove": "Remove PIN Code",
     "resourceAuthMethods": "Authentication Methods",
+    "resourcePolicyAuthMethodsEmpty": "No authentication method",
+    "resourcePolicyOtpEmpty": "No one time password",
+    "resourcePolicyReadOnly": "This policy is Read only",
+    "resourcePolicyReadOnlyDescription": "This resource policy is shared accross multiple resources, you cannot edit it on this page.",
+    "resourcePolicyTypeSave": "Save Resource type",
+    "resourcePolicySelect": "Select resource policy",
+    "resourcePolicySelectError": "Select a resource policy",
+    "resourcePolicyNotFound": "Policy not found",
+    "resourcePolicySearch": "Search policies",
+    "resourcePolicyRulesEmpty": "No authentication rules",
     "resourceAuthMethodsDescriptions": "Allow access to the resource via additional auth methods",
     "resourceAuthSettingsSave": "Saved successfully",
     "resourceAuthSettingsSaveDescription": "Authentication settings have been saved",
@@ -829,6 +875,12 @@
     "resourcePincodeSetupTitle": "Set Pincode",
     "resourcePincodeSetupTitleDescription": "Set a pincode to protect this resource",
     "resourceRoleDescription": "Admins can always access this resource.",
+    "resourcePolicySelectTitle": "Resource Access Policy",
+    "resourcePolicySelectDescription": "Select the resource policy type for authentication",
+    "resourcePolicyInline": "Inline Resource Policy",
+    "resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
+    "resourcePolicyShared": "Shared Resource Policy",
+    "resourcePolicySharedDescription": "Access Policy shared accross multiple resources",
     "resourceUsersRoles": "Access Controls",
     "resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
     "resourceUsersRolesSubmit": "Save Access Controls",
@@ -1358,6 +1410,8 @@
     "sidebarResources": "Resources",
     "sidebarProxyResources": "Public",
     "sidebarClientResources": "Private",
+    "sidebarPolicies": "Policies",
+    "sidebarResourcePolicies": "Resources",
     "sidebarAccessControl": "Access Control",
     "sidebarLogsAndAnalytics": "Logs & Analytics",
     "sidebarTeam": "Team",

messages/fr-FR.json

@@ -1356,7 +1356,7 @@
     "sidebarSites": "Nœuds",
     "sidebarApprovals": "Demandes d'approbation",
     "sidebarResources": "Ressource",
-    "sidebarProxyResources": "Publique",
+    "sidebarProxyResources": "Publiques",
     "sidebarClientResources": "Privé",
     "sidebarAccessControl": "Contrôle d'accès",
     "sidebarLogsAndAnalytics": "Journaux & Analytiques",
@@ -2458,8 +2458,8 @@
     "manageUserDevicesDescription": "Voir et gérer les appareils que les utilisateurs utilisent pour se connecter en privé aux ressources",
     "downloadClientBannerTitle": "Télécharger le client Pangolin",
     "downloadClientBannerDescription": "Téléchargez le client Pangolin pour votre système afin de vous connecter au réseau Pangolin et accéder aux ressources de manière privée.",
-    "manageMachineClients": "Gérer les clients de la machine",
-    "manageMachineClientsDescription": "Créer et gérer des clients que les serveurs et les systèmes utilisent pour se connecter en privé aux ressources",
+    "manageMachineClients": "Gérer les machines",
+    "manageMachineClientsDescription": "Créer et gérer les clients que les serveurs et systèmes utilisent pour se connecter en privé aux ressources",
     "machineClientsBannerTitle": "Serveurs & Systèmes automatisés",
     "machineClientsBannerDescription": "Les clients de machine sont conçus pour les serveurs et les systèmes automatisés qui ne sont pas associés à un utilisateur spécifique. Ils s'authentifient avec un identifiant et une clé secrète, et peuvent être exécutés avec Pangolin CLI, Olm CLI ou Olm en tant que conteneur.",
     "machineClientsBannerPangolinCLI": "Pangolin CLI",
@@ -3154,6 +3154,7 @@
     "healthCheckTabAdvanced": "Avancé",
     "healthCheckStrategyNotAvailable": "Cette stratégie n'est pas disponible. Veuillez contacter le service commercial pour activer cette fonctionnalité.",
     "uptime30d": "Disponibilité (30j)",
+    "uptimeNoData": "Aucune donnée",
     "idpAddActionCreateNew": "Créer un nouveau fournisseur d'identité",
     "idpAddActionImportFromOrg": "Importer d'une autre organisation",
     "idpImportDialogTitle": "Importer le fournisseur d'identité",

server/auth/actions.ts

@@ -5,6 +5,7 @@ import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import logger from "@server/logger";
 
 export enum ActionsEnum {
     createOrgUser = "createOrgUser",
@@ -152,7 +153,21 @@ export enum ActionsEnum {
     createHealthCheck = "createHealthCheck",
     updateHealthCheck = "updateHealthCheck",
     deleteHealthCheck = "deleteHealthCheck",
-    listHealthChecks = "listHealthChecks"
+    listHealthChecks = "listHealthChecks",
+    listResourcePolicies = "listResourcePolicies",
+    getResourcePolicy = "getResourcePolicy",
+    createResourcePolicy = "createResourcePolicy",
+    updateResourcePolicy = "updateResourcePolicy",
+    deleteResourcePolicy = "deleteResourcePolicy",
+    listResourcePolicyRoles = "listResourcePolicyRoles",
+    setResourcePolicyRoles = "setResourcePolicyRoles",
+    listResourcePolicyUsers = "listResourcePolicyUsers",
+    setResourcePolicyUsers = "setResourcePolicyUsers",
+    setResourcePolicyPassword = "setResourcePolicyPassword",
+    setResourcePolicyPincode = "setResourcePolicyPincode",
+    setResourcePolicyHeaderAuth = "setResourcePolicyHeaderAuth",
+    setResourcePolicyWhitelist = "setResourcePolicyWhitelist",
+    setResourcePolicyRules = "setResourcePolicyRules"
 }
 
 export async function checkUserActionPermission(
@@ -185,6 +200,23 @@ export async function checkUserActionPermission(
             }
         }
 
+        // If no direct permission, check role-based permission (any of user's roles)
+        const roleActionPermission = await db
+            .select()
+            .from(roleActions)
+            .where(
+                and(
+                    eq(roleActions.actionId, actionId),
+                    inArray(roleActions.roleId, userOrgRoleIds),
+                    eq(roleActions.orgId, req.userOrgId!)
+                )
+            )
+            .limit(1);
+
+        if (roleActionPermission.length > 0) {
+            return true;
+        }
+
         // Check if the user has direct permission for the action in the current org
         const userActionPermission = await db
             .select()
@@ -202,20 +234,7 @@ export async function checkUserActionPermission(
             return true;
         }
 
-        // If no direct permission, check role-based permission (any of user's roles)
-        const roleActionPermission = await db
-            .select()
-            .from(roleActions)
-            .where(
-                and(
-                    eq(roleActions.actionId, actionId),
-                    inArray(roleActions.roleId, userOrgRoleIds),
-                    eq(roleActions.orgId, req.userOrgId!)
-                )
-            )
-            .limit(1);
-
-        return roleActionPermission.length > 0;
+        return false;
     } catch (error) {
         console.error("Error checking user action permission:", error);
         throw createHttpError(

server/db/names.ts

@@ -1,6 +1,12 @@
 import { join } from "path";
 import { readFileSync } from "fs";
-import { clients, db, resources, siteResources } from "@server/db";
+import {
+    clients,
+    db,
+    resourcePolicies,
+    resources,
+    siteResources
+} from "@server/db";
 import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -107,6 +113,35 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
     }
 }
 
+export async function getUniqueResourcePolicyName(
+    orgId: string
+): Promise<string> {
+    let loops = 0;
+    while (true) {
+        if (loops > 100) {
+            throw new Error("Could not generate a unique name");
+        }
+
+        const name = generateName();
+        const policyCount = await db
+            .select({
+                niceId: resourcePolicies.niceId,
+                orgId: resourcePolicies.orgId
+            })
+            .from(resourcePolicies)
+            .where(
+                and(
+                    eq(resourcePolicies.niceId, name),
+                    eq(resourcePolicies.orgId, orgId)
+                )
+            );
+        if (policyCount.length === 0) {
+            return name;
+        }
+        loops++;
+    }
+}
+
 export async function getUniqueSiteResourceName(
     orgId: string
 ): Promise<string> {

server/db/pg/schema/schema.ts

@@ -110,6 +110,16 @@ export const sites = pgTable("sites", {
 
 export const resources = pgTable("resources", {
     resourceId: serial("resourceId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
     resourceGuid: varchar("resourceGuid", { length: 36 })
         .unique()
         .notNull()
@@ -196,9 +206,11 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
             onDelete: "cascade"
         })
         .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
     name: varchar("name"),
     hcEnabled: boolean("hcEnabled").notNull().default(false),
     hcPath: varchar("hcPath"),
@@ -521,6 +533,38 @@ export const userResources = pgTable("userResources", {
         .references(() => resources.resourceId, { onDelete: "cascade" })
 });
 
+export const rolePolicies = pgTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = pgTable("userPolicies", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = pgTable("resourcePolicyWhitelist", {
+    whitelistId: serial("id").primaryKey(),
+    email: varchar("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const userInvites = pgTable("userInvites", {
     inviteId: varchar("inviteId").primaryKey(),
     orgId: varchar("orgId")
@@ -586,6 +630,40 @@ export const resourceHeaderAuthExtendedCompatibility = pgTable(
     }
 );
 
+export const resourcePolicyPincode = pgTable("resourcePolicyPincode", {
+    pincodeId: serial("pincodeId").primaryKey(),
+    pincodeHash: varchar("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = pgTable("resourcePolicyPassword", {
+    passwordId: serial("passwordId").primaryKey(),
+    passwordHash: varchar("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = pgTable("resourcePolicyHeaderAuth", {
+    headerAuthId: serial("headerAuthId").primaryKey(),
+    headerAuthHash: varchar("headerAuthHash").notNull(),
+    extendedCompatibility: boolean("extendedCompatibility")
+        .notNull()
+        .default(true),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const resourceAccessToken = pgTable("resourceAccessToken", {
     accessTokenId: varchar("accessTokenId").primaryKey(),
     orgId: varchar("orgId")
@@ -679,6 +757,43 @@ export const resourceRules = pgTable("resourceRules", {
     value: varchar("value").notNull()
 });
 
+export const resourcePolicyRules = pgTable("resourcePolicyRules", {
+    ruleId: serial("ruleId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: boolean("enabled").notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: varchar("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    value: varchar("value").notNull()
+});
+
+export const resourcePolicies = pgTable("resourcePolicies", {
+    resourcePolicyId: serial("resourcePolicyId").primaryKey(),
+    sso: boolean("sso").notNull().default(true),
+    applyRules: boolean("applyRules").notNull().default(false),
+    scope: varchar("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
+        .notNull()
+        .default(false),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    niceId: text("niceId").notNull(),
+    name: varchar("name").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = pgTable("supporterKey", {
     keyId: serial("keyId").primaryKey(),
     key: varchar("key").notNull(),
@@ -1097,19 +1212,30 @@ export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
     complete: boolean("complete").notNull().default(false)
 });
 
-export const statusHistory = pgTable("statusHistory", {
-    id: serial("id").primaryKey(),
-    entityType: varchar("entityType").notNull(),
-    entityId: integer("entityId").notNull(),
-    orgId: varchar("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: varchar("status").notNull(),
-    timestamp: integer("timestamp").notNull(),
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = pgTable(
+    "statusHistory",
+    {
+        id: serial("id").primaryKey(),
+        entityType: varchar("entityType").notNull(),
+        entityId: integer("entityId").notNull(),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: varchar("status").notNull(),
+        timestamp: integer("timestamp").notNull()
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);
 
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1179,3 +1305,6 @@ export type RoundTripMessageTracker = InferSelectModel<
 >;
 export type Network = InferSelectModel<typeof networks>;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;

server/db/queries/verifySessionQueries.ts

@@ -17,10 +17,13 @@ import {
     resourceHeaderAuth,
     ResourceHeaderAuth,
     resourceRules,
+    resourcePolicyRules,
     resources,
     roleResources,
+    rolePolicies,
     sessions,
     userResources,
+    userPolicies,
     users,
     ResourceHeaderAuthExtendedCompatibility,
     resourceHeaderAuthExtendedCompatibility
@@ -154,58 +157,126 @@ export async function getRoleName(roleId: number): Promise<string | null> {
 }
 
 /**
- * Check if role has access to resource
+ * Check if role has access to resource (direct or via resource policy)
  */
 export async function getRoleResourceAccess(
     resourceId: number,
     roleIds: number[]
 ) {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                inArray(roleResources.roleId, roleIds)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(roleResources)
+            .where(
+                and(
+                    eq(roleResources.resourceId, resourceId),
+                    inArray(roleResources.roleId, roleIds)
+                )
+            ),
+        db
+            .select({
+                roleId: rolePolicies.roleId,
+                resourcePolicyId: rolePolicies.resourcePolicyId
+            })
+            .from(rolePolicies)
+            .innerJoin(
+                resources,
+                eq(resources.resourcePolicyId, rolePolicies.resourcePolicyId)
             )
-        );
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    inArray(rolePolicies.roleId, roleIds)
+                )
+            )
+    ]);
 
-    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
+    const combined = [...direct, ...viaPolicies];
+    return combined.length > 0 ? combined : null;
 }
 
 /**
- * Check if user has direct access to resource
+ * Check if user has access to resource (direct or via resource policy)
  */
 export async function getUserResourceAccess(
     userId: string,
     resourceId: number
 ) {
-    const userResourceAccess = await db
-        .select()
-        .from(userResources)
-        .where(
-            and(
-                eq(userResources.userId, userId),
-                eq(userResources.resourceId, resourceId)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(userResources)
+            .where(
+                and(
+                    eq(userResources.userId, userId),
+                    eq(userResources.resourceId, resourceId)
+                )
             )
-        )
-        .limit(1);
+            .limit(1),
+        db
+            .select({
+                userId: userPolicies.userId,
+                resourcePolicyId: userPolicies.resourcePolicyId
+            })
+            .from(userPolicies)
+            .innerJoin(
+                resources,
+                eq(resources.resourcePolicyId, userPolicies.resourcePolicyId)
+            )
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(userPolicies.userId, userId)
+                )
+            )
+            .limit(1)
+    ]);
 
-    return userResourceAccess.length > 0 ? userResourceAccess[0] : null;
+    return direct[0] ?? viaPolicies[0] ?? null;
 }
 
 /**
- * Get resource rules for a given resource
+ * Get resource rules for a given resource (direct and via resource policy)
  */
 export async function getResourceRules(
     resourceId: number
 ): Promise<ResourceRule[]> {
-    const rules = await db
-        .select()
-        .from(resourceRules)
-        .where(eq(resourceRules.resourceId, resourceId));
+    const [directRules, policyRules] = await Promise.all([
+        db
+            .select()
+            .from(resourceRules)
+            .where(eq(resourceRules.resourceId, resourceId)),
+        db
+            .select({
+                ruleId: resourcePolicyRules.ruleId,
+                resourceId: sql<number>`${resourceId}`,
+                enabled: resourcePolicyRules.enabled,
+                priority: resourcePolicyRules.priority,
+                action: resourcePolicyRules.action,
+                match: resourcePolicyRules.match,
+                value: resourcePolicyRules.value
+            })
+            .from(resourcePolicyRules)
+            .innerJoin(
+                resources,
+                eq(
+                    resources.resourcePolicyId,
+                    resourcePolicyRules.resourcePolicyId
+                )
+            )
+            .where(eq(resources.resourceId, resourceId))
+    ]);
 
-    return rules;
+    const maxDirectPriority = directRules.reduce(
+        (max, r) => Math.max(max, r.priority),
+        0
+    );
+    const offsetPolicyRules = policyRules.map((r) => ({
+        ...r,
+        priority: maxDirectPriority + r.priority
+    }));
+
+    return [...directRules, ...offsetPolicyRules] as ResourceRule[];
 }
 
 /**

server/db/sqlite/driver.ts

@@ -1,5 +1,6 @@
 import { drizzle as DrizzleSqlite } from "drizzle-orm/better-sqlite3";
 import Database from "better-sqlite3";
+import type BetterSqlite3 from "better-sqlite3";
 import * as schema from "./schema/schema";
 import path from "path";
 import fs from "fs";
@@ -11,8 +12,69 @@ export const exists = checkFileExists(location);
 
 bootstrapVolume();
 
+/**
+ * Wraps better-sqlite3 Statement to call `finalize()` immediately after
+ * execution, freeing native sqlite3_stmt memory deterministically instead
+ * of waiting for GC. Fixes steady off-heap growth under load (#2120).
+ * WARNING: Finalizes after first execution — incompatible with drizzle's
+ * reusable .prepare() builders. No such usage exists in this codebase.
+ */
+function autoFinalizeStatement(
+    stmt: BetterSqlite3.Statement
+): BetterSqlite3.Statement {
+    const wrapExec = <T extends (...args: any[]) => any>(fn: T): T => {
+        return function (this: any, ...args: any[]) {
+            try {
+                return fn.apply(this, args);
+            } finally {
+                try {
+                    // finalize() exists on the native Statement at runtime but
+                    // is missing from @types/better-sqlite3.
+                    (stmt as any).finalize();
+                } catch {
+                    // Already finalized — harmless
+                }
+            }
+        } as unknown as T;
+    };
+
+    stmt.run = wrapExec(stmt.run);
+    stmt.get = wrapExec(stmt.get);
+    stmt.all = wrapExec(stmt.all);
+
+    return stmt;
+}
+
 function createDb() {
     const sqlite = new Database(location);
+
+    if (process.env.ENABLE_SQLITE_WAL_MODE == "true") {
+        // Enable WAL mode — allows concurrent readers + single writer, preventing
+        // contention across subsystems (verifySession, Traefik, audit, ping).
+        sqlite.pragma("journal_mode = WAL");
+        // NORMAL sync mode: safe with WAL, reduces write lock hold time.
+        sqlite.pragma("synchronous = NORMAL");
+    }
+
+    // Wait up to 5s on SQLITE_BUSY instead of failing — prevents audit log
+    // retry loops that accumulate memory.
+    sqlite.pragma("busy_timeout = 5000");
+
+    // 64 MB page cache (default 2 MB) — reduces I/O round-trips on large
+    // TraefikConfigManager JOINs that block the event loop.
+    sqlite.pragma("cache_size = -65536");
+
+    // 256 MB memory-mapped I/O — OS serves reads from page cache directly,
+    // reducing event-loop blocking.
+    sqlite.pragma("mmap_size = 268435456");
+
+    // Wrap prepare() so every drizzle-orm statement is auto-finalized after
+    // first use, preventing sqlite3_stmt accumulation between GC cycles.
+    const originalPrepare = sqlite.prepare.bind(sqlite);
+    (sqlite as any).prepare = function autoFinalizePrepare(source: string) {
+        return autoFinalizeStatement(originalPrepare(source));
+    };
+
     return DrizzleSqlite(sqlite, {
         schema
     });
@@ -23,7 +85,7 @@ export default db;
 export const primaryDb = db;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
-    >[0];
+>[0];
 export const DB_TYPE: "pg" | "sqlite" = "sqlite";
 
 function checkFileExists(filePath: string): boolean {

server/db/sqlite/schema/schema.ts

@@ -121,6 +121,16 @@ export const sites = sqliteTable("sites", {
 
 export const resources = sqliteTable("resources", {
     resourceId: integer("resourceId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
     resourceGuid: text("resourceGuid", { length: 36 })
         .unique()
         .notNull()
@@ -219,9 +229,11 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
             onDelete: "cascade"
         })
         .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
     name: text("name"),
     hcEnabled: integer("hcEnabled", { mode: "boolean" })
         .notNull()
@@ -909,6 +921,47 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
     headerAuthHash: text("headerAuthHash").notNull()
 });
 
+export const resourcePolicyPincode = sqliteTable("resourcePolicyPincode", {
+    pincodeId: integer("pincodeId").primaryKey({ autoIncrement: true }),
+    pincodeHash: text("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = sqliteTable("resourcePolicyPassword", {
+    passwordId: integer("passwordId").primaryKey({ autoIncrement: true }),
+    passwordHash: text("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = sqliteTable(
+    "resourcePolicyHeaderAuth",
+    {
+        headerAuthId: integer("headerAuthId").primaryKey({
+            autoIncrement: true
+        }),
+        headerAuthHash: text("headerAuthHash").notNull(),
+        extendedCompatibility: integer("extendedCompatibility", {
+            mode: "boolean"
+        })
+            .notNull()
+            .default(true),
+        resourcePolicyId: integer("resourcePolicyId")
+            .notNull()
+            .references(() => resourcePolicies.resourcePolicyId, {
+                onDelete: "cascade"
+            })
+    }
+);
+
 export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
     "resourceHeaderAuthExtendedCompatibility",
     {
@@ -1023,6 +1076,77 @@ export const resourceRules = sqliteTable("resourceRules", {
     value: text("value").notNull()
 });
 
+export const rolePolicies = sqliteTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = sqliteTable("userPolicies", {
+    userId: text("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = sqliteTable("resourcePolicyWhitelist", {
+    whitelistId: integer("id").primaryKey({ autoIncrement: true }),
+    email: text("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
+    ruleId: integer("ruleId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: text("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    value: text("value").notNull()
+});
+
+export const resourcePolicies = sqliteTable("resourcePolicies", {
+    resourcePolicyId: integer("resourcePolicyId").primaryKey(),
+    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
+    applyRules: integer("applyRules", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    scope: text("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    niceId: text("niceId").notNull(),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    name: text("name").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = sqliteTable("supporterKey", {
     keyId: integer("keyId").primaryKey({ autoIncrement: true }),
     key: text("key").notNull(),
@@ -1196,19 +1320,30 @@ export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
     complete: integer("complete", { mode: "boolean" }).notNull().default(false)
 });
 
-export const statusHistory = sqliteTable("statusHistory", {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    entityType: text("entityType").notNull(), // "site" | "healthCheck"
-    entityId: integer("entityId").notNull(),  // siteId or targetHealthCheckId
-    orgId: text("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
-    timestamp: integer("timestamp").notNull(), // unix epoch seconds
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = sqliteTable(
+    "statusHistory",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        entityType: text("entityType").notNull(), // "site" | "healthCheck"
+        entityId: integer("entityId").notNull(), // siteId or targetHealthCheckId
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
+        timestamp: integer("timestamp").notNull() // unix epoch seconds
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);
 
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1278,3 +1413,6 @@ export type RoundTripMessageTracker = InferSelectModel<
     typeof roundTripMessageTracker
 >;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;

server/lib/billing/tierMatrix.ts

@@ -24,7 +24,8 @@ export enum TierFeature {
     DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
     StandaloneHealthChecks = "standaloneHealthChecks",
     AlertingRules = "alertingRules",
-    WildcardSubdomain = "wildcardSubdomain"
+    WildcardSubdomain = "wildcardSubdomain",
+    ResourcePolicies = "resourcePolicies"
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -66,5 +67,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
     [TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
     [TierFeature.AlertingRules]: ["tier3", "enterprise"],
-    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"]
+    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.ResourcePolicies]: ["tier3", "enterprise"]
 };

server/lib/blueprints/types.ts

@@ -162,9 +162,10 @@ export const HeaderSchema = z.object({
 });
 
 // Schema for individual resource
-export const ResourceSchema = z
+export const PublicResourceSchema = z
     .object({
         name: z.string().optional(),
+        policy: z.string().optional(),
         protocol: z.enum(["http", "tcp", "udp"]).optional(),
         ssl: z.boolean().optional(),
         scheme: z.enum(["http", "https"]).optional(),
@@ -340,7 +341,8 @@ export const ResourceSchema = z
             if (parts.includes("*", 1)) return false; // no further wildcards
             if (parts.length < 3) return false; // need at least *.label.tld
 
-            const labelRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
+            const labelRegex =
+                /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
             return parts.slice(1).every((label) => labelRegex.test(label));
         },
         {
@@ -354,7 +356,7 @@ export function isTargetsOnlyResource(resource: any): boolean {
     return Object.keys(resource).length === 1 && resource.targets;
 }
 
-export const ClientResourceSchema = z
+export const PrivateResourceSchema = z
     .object({
         name: z.string().min(1).max(255),
         mode: z.enum(["host", "cidr", "http"]),
@@ -435,19 +437,19 @@ export const ClientResourceSchema = z
 export const ConfigSchema = z
     .object({
         "proxy-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
             .optional()
             .prefault({}),
         "public-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
             .optional()
             .prefault({}),
         "client-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
             .optional()
             .prefault({}),
         "private-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
             .optional()
             .prefault({}),
         sites: z.record(z.string(), SiteSchema).optional().prefault({})
@@ -472,10 +474,13 @@ export const ConfigSchema = z
         }
 
         return data as {
-            "proxy-resources": Record<string, z.infer<typeof ResourceSchema>>;
+            "proxy-resources": Record<
+                string,
+                z.infer<typeof PublicResourceSchema>
+            >;
             "client-resources": Record<
                 string,
-                z.infer<typeof ClientResourceSchema>
+                z.infer<typeof PrivateResourceSchema>
             >;
             sites: Record<string, z.infer<typeof SiteSchema>>;
         };
@@ -614,5 +619,5 @@ export const ConfigSchema = z
 // Type inference from the schema
 export type Site = z.infer<typeof SiteSchema>;
 export type Target = z.infer<typeof TargetSchema>;
-export type Resource = z.infer<typeof ResourceSchema>;
+export type Resource = z.infer<typeof PublicResourceSchema>;
 export type Config = z.infer<typeof ConfigSchema>;

server/lib/calculateUserClientsForOrgs.ts

@@ -28,6 +28,159 @@ export async function calculateUserClientsForOrgs(
     trx?: Transaction
 ): Promise<void> {
     const execute = async (transaction: Transaction) => {
+        const orgCache = new Map<string, typeof orgs.$inferSelect | null>();
+        const adminRoleCache = new Map<
+            string,
+            typeof roles.$inferSelect | null
+        >();
+        const exitNodesCache = new Map<
+            string,
+            Awaited<ReturnType<typeof listExitNodes>>
+        >();
+        const isOrgLicensedCache = new Map<string, boolean>();
+        const existingClientCache = new Map<
+            string,
+            typeof clients.$inferSelect | null
+        >();
+        const roleClientAccessCache = new Map<string, boolean>();
+        const userClientAccessCache = new Map<string, boolean>();
+
+        const getOrgOlmKey = (orgId: string, olmId: string) =>
+            `${orgId}:${olmId}`;
+        const getRoleClientKey = (roleId: number, clientId: number) =>
+            `${roleId}:${clientId}`;
+        const getUserClientKey = (cachedUserId: string, clientId: number) =>
+            `${cachedUserId}:${clientId}`;
+
+        const getOrg = async (orgId: string) => {
+            if (orgCache.has(orgId)) {
+                return orgCache.get(orgId) ?? null;
+            }
+
+            const [org] = await transaction
+                .select()
+                .from(orgs)
+                .where(eq(orgs.orgId, orgId));
+            orgCache.set(orgId, org ?? null);
+
+            return org ?? null;
+        };
+
+        const getAdminRole = async (orgId: string) => {
+            if (adminRoleCache.has(orgId)) {
+                return adminRoleCache.get(orgId) ?? null;
+            }
+
+            const [adminRole] = await transaction
+                .select()
+                .from(roles)
+                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+                .limit(1);
+            adminRoleCache.set(orgId, adminRole ?? null);
+
+            return adminRole ?? null;
+        };
+
+        const getExitNodes = async (orgId: string) => {
+            if (exitNodesCache.has(orgId)) {
+                return exitNodesCache.get(orgId)!;
+            }
+
+            const exitNodes = await listExitNodes(orgId);
+            exitNodesCache.set(orgId, exitNodes);
+
+            return exitNodes;
+        };
+
+        const getIsOrgLicensed = async (orgId: string) => {
+            if (isOrgLicensedCache.has(orgId)) {
+                return isOrgLicensedCache.get(orgId)!;
+            }
+
+            const isOrgLicensed = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.deviceApprovals
+            );
+            isOrgLicensedCache.set(orgId, isOrgLicensed);
+
+            return isOrgLicensed;
+        };
+
+        const getExistingClient = async (orgId: string, olmId: string) => {
+            const key = getOrgOlmKey(orgId, olmId);
+            if (existingClientCache.has(key)) {
+                return existingClientCache.get(key) ?? null;
+            }
+
+            const [existingClient] = await transaction
+                .select()
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.userId, userId),
+                        eq(clients.orgId, orgId),
+                        eq(clients.olmId, olmId)
+                    )
+                )
+                .limit(1);
+
+            existingClientCache.set(key, existingClient ?? null);
+
+            return existingClient ?? null;
+        };
+
+        const hasRoleClientAccess = async (
+            roleId: number,
+            clientId: number
+        ) => {
+            const key = getRoleClientKey(roleId, clientId);
+            if (roleClientAccessCache.has(key)) {
+                return roleClientAccessCache.get(key)!;
+            }
+
+            const [existingRoleClient] = await transaction
+                .select()
+                .from(roleClients)
+                .where(
+                    and(
+                        eq(roleClients.roleId, roleId),
+                        eq(roleClients.clientId, clientId)
+                    )
+                )
+                .limit(1);
+
+            const hasAccess = Boolean(existingRoleClient);
+            roleClientAccessCache.set(key, hasAccess);
+
+            return hasAccess;
+        };
+
+        const hasUserClientAccess = async (
+            cachedUserId: string,
+            clientId: number
+        ) => {
+            const key = getUserClientKey(cachedUserId, clientId);
+            if (userClientAccessCache.has(key)) {
+                return userClientAccessCache.get(key)!;
+            }
+
+            const [existingUserClient] = await transaction
+                .select()
+                .from(userClients)
+                .where(
+                    and(
+                        eq(userClients.userId, cachedUserId),
+                        eq(userClients.clientId, clientId)
+                    )
+                )
+                .limit(1);
+
+            const hasAccess = Boolean(existingUserClient);
+            userClientAccessCache.set(key, hasAccess);
+
+            return hasAccess;
+        };
+
         // Get all OLMs for this user
         const userOlms = await transaction
             .select()
@@ -54,7 +207,9 @@ export async function calculateUserClientsForOrgs(
             .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
             .where(eq(userOrgs.userId, userId));
 
-        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
+        const userOrgIds = [
+            ...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))
+        ];
         const orgIdToRoleRows = new Map<
             string,
             (typeof userOrgRoleRows)[0][]
@@ -64,6 +219,13 @@ export async function calculateUserClientsForOrgs(
             list.push(r);
             orgIdToRoleRows.set(r.userOrgs.orgId, list);
         }
+        const orgRequiresDeviceApprovalRole = new Map<string, boolean>();
+        for (const [orgId, roleRowsForOrg] of orgIdToRoleRows.entries()) {
+            orgRequiresDeviceApprovalRole.set(
+                orgId,
+                roleRowsForOrg.some((r) => r.roles.requireDeviceApproval)
+            );
+        }
 
         // For each OLM, ensure there's a client in each org the user is in
         for (const olm of userOlms) {
@@ -71,10 +233,7 @@ export async function calculateUserClientsForOrgs(
                 const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
                 const userOrg = roleRowsForOrg[0].userOrgs;
 
-                const [org] = await transaction
-                    .select()
-                    .from(orgs)
-                    .where(eq(orgs.orgId, orgId));
+                const org = await getOrg(orgId);
 
                 if (!org) {
                     logger.warn(
@@ -91,11 +250,7 @@ export async function calculateUserClientsForOrgs(
                 }
 
                 // Get admin role for this org (needed for access grants)
-                const [adminRole] = await transaction
-                    .select()
-                    .from(roles)
-                    .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
-                    .limit(1);
+                const adminRole = await getAdminRole(orgId);
 
                 if (!adminRole) {
                     logger.warn(
@@ -105,64 +260,50 @@ export async function calculateUserClientsForOrgs(
                 }
 
                 // Check if a client already exists for this OLM+user+org combination
-                const [existingClient] = await transaction
-                    .select()
-                    .from(clients)
-                    .where(
-                        and(
-                            eq(clients.userId, userId),
-                            eq(clients.orgId, orgId),
-                            eq(clients.olmId, olm.olmId)
-                        )
-                    )
-                    .limit(1);
+                const existingClient = await getExistingClient(
+                    orgId,
+                    olm.olmId
+                );
 
                 if (existingClient) {
                     // Ensure admin role has access to the client
-                    const [existingRoleClient] = await transaction
-                        .select()
-                        .from(roleClients)
-                        .where(
-                            and(
-                                eq(roleClients.roleId, adminRole.roleId),
-                                eq(
-                                    roleClients.clientId,
-                                    existingClient.clientId
-                                )
-                            )
-                        )
-                        .limit(1);
+                    const hasRoleAccess = await hasRoleClientAccess(
+                        adminRole.roleId,
+                        existingClient.clientId
+                    );
 
-                    if (!existingRoleClient) {
+                    if (!hasRoleAccess) {
                         await transaction.insert(roleClients).values({
                             roleId: adminRole.roleId,
                             clientId: existingClient.clientId
                         });
+                        roleClientAccessCache.set(
+                            getRoleClientKey(
+                                adminRole.roleId,
+                                existingClient.clientId
+                            ),
+                            true
+                        );
                         logger.debug(
                             `Granted admin role access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
                         );
                     }
 
                     // Ensure user has access to the client
-                    const [existingUserClient] = await transaction
-                        .select()
-                        .from(userClients)
-                        .where(
-                            and(
-                                eq(userClients.userId, userId),
-                                eq(
-                                    userClients.clientId,
-                                    existingClient.clientId
-                                )
-                            )
-                        )
-                        .limit(1);
+                    const hasUserAccess = await hasUserClientAccess(
+                        userId,
+                        existingClient.clientId
+                    );
 
-                    if (!existingUserClient) {
+                    if (!hasUserAccess) {
                         await transaction.insert(userClients).values({
                             userId,
                             clientId: existingClient.clientId
                         });
+                        userClientAccessCache.set(
+                            getUserClientKey(userId, existingClient.clientId),
+                            true
+                        );
                         logger.debug(
                             `Granted user access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
                         );
@@ -175,7 +316,7 @@ export async function calculateUserClientsForOrgs(
                 }
 
                 // Get exit nodes for this org
-                const exitNodesList = await listExitNodes(orgId);
+                const exitNodesList = await getExitNodes(orgId);
 
                 if (exitNodesList.length === 0) {
                     logger.warn(
@@ -206,14 +347,11 @@ export async function calculateUserClientsForOrgs(
 
                 const niceId = await getUniqueClientName(orgId);
 
-                const isOrgLicensed = await isLicensedOrSubscribed(
-                    userOrg.orgId,
-                    tierMatrix.deviceApprovals
-                );
+                const isOrgLicensed = await getIsOrgLicensed(userOrg.orgId);
                 const requireApproval =
                     build !== "oss" &&
                     isOrgLicensed &&
-                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
+                    orgRequiresDeviceApprovalRole.get(orgId) === true;
 
                 const newClientData: InferInsertModel<typeof clients> = {
                     userId,
@@ -232,6 +370,10 @@ export async function calculateUserClientsForOrgs(
                     .insert(clients)
                     .values(newClientData)
                     .returning();
+                existingClientCache.set(
+                    getOrgOlmKey(orgId, olm.olmId),
+                    newClient
+                );
 
                 // create approval request
                 if (requireApproval) {
@@ -257,12 +399,20 @@ export async function calculateUserClientsForOrgs(
                     roleId: adminRole.roleId,
                     clientId: newClient.clientId
                 });
+                roleClientAccessCache.set(
+                    getRoleClientKey(adminRole.roleId, newClient.clientId),
+                    true
+                );
 
                 // Grant user access to the client
                 await transaction.insert(userClients).values({
                     userId,
                     clientId: newClient.clientId
                 });
+                userClientAccessCache.set(
+                    getUserClientKey(userId, newClient.clientId),
+                    true
+                );
 
                 logger.debug(
                     `Created client for OLM ${olm.olmId} in org ${orgId} (user ${userId}) with access granted to admin role and user`

server/middlewares/index.ts

@@ -32,3 +32,4 @@ export * from "./verifySiteResourceAccess";
 export * from "./logActionAudit";
 export * from "./verifyOlmAccess";
 export * from "./verifyLimits";
+export * from "./verifyResourcePolicyAccess";

server/middlewares/integration/index.ts

@@ -16,3 +16,4 @@ export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
 export * from "./verifyApiKeyIdpAccess";
 export * from "./verifyApiKeyDomainAccess";
+export * from "./verifyApiKeyResourcePolicyAccess";

server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts

@@ -0,0 +1,92 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, apiKeyOrg } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const apiKey = req.apiKey;
+    const resourcePolicyId =
+        req.params.resourcePolicyId ||
+        req.body.resourcePolicyId ||
+        req.query.resourcePolicyId;
+
+    if (!apiKey) {
+        return next(
+            createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+        );
+    }
+
+    try {
+        // Retrieve the resource policy
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .limit(1);
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyId} not found`
+                )
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any resource policy in any org
+            return next();
+        }
+
+        if (!policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Resource policy with ID ${resourcePolicyId} does not have an organization ID`
+                )
+            );
+        }
+
+        // Verify that the API key is linked to the resource policy's organization
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgResult = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+
+            if (apiKeyOrgResult.length > 0) {
+                req.apiKeyOrg = apiKeyOrgResult[0];
+            }
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}

server/middlewares/verifyResourcePolicyAccess.ts

@@ -0,0 +1,127 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+
+export async function verifyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const userId = req.user!.userId;
+    const resourcePolicyIdStr =
+        req.params?.resourcePolicyId ||
+        req.body?.resourcePolicyId ||
+        req.query?.resourcePolicyId;
+    const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
+    const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
+
+    try {
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
+            );
+        }
+
+        let policy: typeof resourcePolicies.$inferSelect | null = null;
+
+        if (orgId && niceId) {
+            const [policyRes] = await db
+                .select()
+                .from(resourcePolicies)
+                .where(
+                    and(
+                        eq(resourcePolicies.niceId, niceId),
+                        eq(resourcePolicies.orgId, orgId)
+                    )
+                )
+                .limit(1);
+            policy = policyRes ?? null;
+        } else {
+            const resourcePolicyId = parseInt(resourcePolicyIdStr);
+            if (isNaN(resourcePolicyId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid resource policy ID"
+                    )
+                );
+            }
+            const [policyRes] = await db
+                .select()
+                .from(resourcePolicies)
+                .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+                .limit(1);
+            policy = policyRes ?? null;
+        }
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyIdStr ?? niceId} not found`
+                )
+            );
+        }
+
+        if (!req.userOrg) {
+            const userOrgRes = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(userOrgs.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+            req.userOrg = userOrgRes[0];
+        }
+
+        if (!req.userOrg || req.userOrg.orgId !== policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            policy.orgId
+        );
+        req.userOrgId = policy.orgId;
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}

server/middlewares/verifyUserCanSetUserOrgRoles.ts

@@ -38,7 +38,7 @@ export function verifyUserCanSetUserOrgRoles() {
             return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
-                    "User does not have permission perform this action"
+                    "User does not have permission to set user organization roles"
                 )
             );
         } catch (error) {

server/openApi.ts

@@ -7,6 +7,7 @@ export enum OpenAPITags {
     Org = "Organization",
     PublicResource = "Public Resource",
     PrivateResource = "Private Resource",
+    Policy = "Policy",
     Role = "Role",
     User = "User",
     Invitation = "User Invitation",

server/private/lib/acmeCertSync.ts

@@ -500,7 +500,30 @@ function findAcmeJsonFiles(dirPath: string): string[] {
         const fullPath = path.join(dirPath, entry.name);
         if (entry.isDirectory()) {
             results.push(...findAcmeJsonFiles(fullPath));
-        } else if (entry.isFile() && entry.name === "acme.json") {
+        } else if (entry.isFile()) {
+            // check if it is a json file
+            if (entry.name.endsWith(".json")) {
+                let raw: string;
+                try {
+                    raw = fs.readFileSync(fullPath, "utf8");
+                } catch (err) {
+                    logger.warn(
+                        `acmeCertSync: could not read file "${fullPath}": ${err}`
+                    );
+                    continue;
+                }
+
+                let parsed: any;
+                try {
+                    parsed = JSON.parse(raw);
+                } catch (err) {
+                    logger.warn(
+                        `acmeCertSync: could not parse "${fullPath}" as JSON: ${err}`
+                    );
+                    continue;
+                }
+            }
+
             results.push(fullPath);
         }
     }

server/private/routers/external.ts

@@ -31,6 +31,8 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
 import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 import * as alertRule from "#private/routers/alertRule";
 import * as healthChecks from "#private/routers/healthChecks";
+import * as resource from "#private/routers/resource";
+import * as policy from "#private/routers/policy";
 
 import {
     verifyOrgAccess,
@@ -44,7 +46,8 @@ import {
     verifyUserCanSetUserOrgRoles,
     verifySiteProvisioningKeyAccess,
     verifyIsLoggedInUser,
-    verifyAdmin
+    verifyAdmin,
+    verifyResourcePolicyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -382,6 +385,39 @@ authenticated.get(
     approval.countApprovals
 );
 
+authenticated.delete(
+    "/resource-policy/:resourcePolicyId",
+    verifyResourcePolicyAccess,
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.resourcePolicies),
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.deleteResourcePolicy),
+    logActionAudit(ActionsEnum.deleteResourcePolicy),
+    policy.deleteResourcePolicy
+);
+
+authenticated.get(
+    "/org/:orgId/resource-policies",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.resourcePolicies),
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.listResourcePolicies),
+    logActionAudit(ActionsEnum.listResourcePolicies),
+    policy.listResourcePolicies
+);
+
+authenticated.post(
+    "/org/:orgId/resource-policy",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.resourcePolicies),
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createResourcePolicy),
+    logActionAudit(ActionsEnum.createResourcePolicy),
+    policy.createResourcePolicy
+);
+
 authenticated.put(
     "/org/:orgId/approvals/:approvalId",
     verifyValidLicense,

server/private/routers/hybrid.ts

@@ -45,8 +45,11 @@ import {
     users,
     userOrgs,
     roleResources,
+    rolePolicies,
     userResources,
+    userPolicies,
     resourceRules,
+    resourcePolicyRules,
     userOrgRoles,
     roles
 } from "@server/db";
@@ -430,7 +433,10 @@ hybridRouter.get(
                 );
 
                 // Decrypt and save key file
-                const decryptedKey = decrypt(cert.keyFile!, config.getRawConfig().server.secret!);
+                const decryptedKey = decrypt(
+                    cert.keyFile!,
+                    config.getRawConfig().server.secret!
+                );
 
                 // Return only the certificate data without org information
                 return {
@@ -531,7 +537,10 @@ hybridRouter.get(
                         wildcardCandidates.length > 0
                             ? and(
                                   eq(resources.wildcard, true),
-                                  inArray(resources.fullDomain, wildcardCandidates)
+                                  inArray(
+                                      resources.fullDomain,
+                                      wildcardCandidates
+                                  )
                               )
                             : sql`false`
                     )
@@ -545,10 +554,10 @@ hybridRouter.get(
 
             if (
                 result &&
-                await checkExitNodeOrg(
+                (await checkExitNodeOrg(
                     remoteExitNode.exitNodeId,
                     result.resources.orgId
-                )
+                ))
             ) {
                 // If the exit node is not allowed for the org, return an error
                 return next(
@@ -1132,22 +1141,43 @@ hybridRouter.get(
                 );
             }
 
-            const roleResourceAccess = await db
-                .select()
-                .from(roleResources)
-                .where(
-                    and(
-                        eq(roleResources.resourceId, resourceId),
-                        eq(roleResources.roleId, roleId)
+            const [direct, viaPolicies] = await Promise.all([
+                db
+                    .select()
+                    .from(roleResources)
+                    .where(
+                        and(
+                            eq(roleResources.resourceId, resourceId),
+                            eq(roleResources.roleId, roleId)
+                        )
                     )
-                )
-                .limit(1);
+                    .limit(1),
+                db
+                    .select({
+                        roleId: rolePolicies.roleId,
+                        resourcePolicyId: rolePolicies.resourcePolicyId
+                    })
+                    .from(rolePolicies)
+                    .innerJoin(
+                        resources,
+                        eq(
+                            resources.resourcePolicyId,
+                            rolePolicies.resourcePolicyId
+                        )
+                    )
+                    .where(
+                        and(
+                            eq(resources.resourceId, resourceId),
+                            eq(rolePolicies.roleId, roleId)
+                        )
+                    )
+                    .limit(1)
+            ]);
 
-            const result =
-                roleResourceAccess.length > 0 ? roleResourceAccess[0] : null;
+            const result = direct[0] ?? viaPolicies[0] ?? null;
 
             return response<typeof roleResources.$inferSelect | null>(res, {
-                data: result,
+                data: result as any,
                 success: true,
                 error: false,
                 message: result
@@ -1222,21 +1252,44 @@ hybridRouter.get(
                 );
             }
 
-            const roleResourceAccess = await db
-                .select({
-                    resourceId: roleResources.resourceId,
-                    roleId: roleResources.roleId
-                })
-                .from(roleResources)
-                .where(
-                    and(
-                        eq(roleResources.resourceId, resourceId),
-                        inArray(roleResources.roleId, roleIds)
-                    )
-                );
+            const [direct, viaPolicies] = await Promise.all([
+                db
+                    .select({
+                        resourceId: roleResources.resourceId,
+                        roleId: roleResources.roleId
+                    })
+                    .from(roleResources)
+                    .where(
+                        and(
+                            eq(roleResources.resourceId, resourceId),
+                            inArray(roleResources.roleId, roleIds)
+                        )
+                    ),
+                roleIds.length > 0
+                    ? db
+                          .select({
+                              resourceId: sql<number>`${resourceId}`,
+                              roleId: rolePolicies.roleId
+                          })
+                          .from(rolePolicies)
+                          .innerJoin(
+                              resources,
+                              eq(
+                                  resources.resourcePolicyId,
+                                  rolePolicies.resourcePolicyId
+                              )
+                          )
+                          .where(
+                              and(
+                                  eq(resources.resourceId, resourceId),
+                                  inArray(rolePolicies.roleId, roleIds)
+                              )
+                          )
+                    : Promise.resolve([])
+            ]);
 
-            const result =
-                roleResourceAccess.length > 0 ? roleResourceAccess : null;
+            const combined = [...direct, ...viaPolicies];
+            const result = combined.length > 0 ? combined : null;
 
             return response<{ resourceId: number; roleId: number }[] | null>(
                 res,
@@ -1397,10 +1450,45 @@ hybridRouter.get(
                 );
             }
 
-            const rules = await db
-                .select()
-                .from(resourceRules)
-                .where(eq(resourceRules.resourceId, resourceId));
+            const [directRules, policyRules] = await Promise.all([
+                db
+                    .select()
+                    .from(resourceRules)
+                    .where(eq(resourceRules.resourceId, resourceId)),
+                db
+                    .select({
+                        ruleId: resourcePolicyRules.ruleId,
+                        resourceId: sql<number>`${resourceId}`,
+                        enabled: resourcePolicyRules.enabled,
+                        priority: resourcePolicyRules.priority,
+                        action: resourcePolicyRules.action,
+                        match: resourcePolicyRules.match,
+                        value: resourcePolicyRules.value
+                    })
+                    .from(resourcePolicyRules)
+                    .innerJoin(
+                        resources,
+                        eq(
+                            resources.resourcePolicyId,
+                            resourcePolicyRules.resourcePolicyId
+                        )
+                    )
+                    .where(eq(resources.resourceId, resourceId))
+            ]);
+
+            const maxDirectPriority = directRules.reduce(
+                (max, r) => Math.max(max, r.priority),
+                0
+            );
+            const offsetPolicyRules = policyRules.map((r) => ({
+                ...r,
+                priority: maxDirectPriority + r.priority
+            }));
+
+            const rules = [
+                ...directRules,
+                ...offsetPolicyRules
+            ] as (typeof resourceRules.$inferSelect)[];
 
             // backward compatibility: COUNTRY -> GEOIP
             // TODO: remove this after a few versions once all exit nodes are updated

server/private/routers/policy/createResourcePolicy.ts

@@ -0,0 +1,417 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { hashPassword } from "@server/auth/password";
+import {
+    db,
+    idp,
+    idpOrg,
+    orgs,
+    resourcePolicies,
+    resourcePolicyHeaderAuth,
+    resourcePolicyPassword,
+    resourcePolicyPincode,
+    resourcePolicyRules,
+    resourcePolicyWhiteList,
+    rolePolicies,
+    roles,
+    userOrgs,
+    userPolicies,
+    users,
+    type ResourcePolicy
+} from "@server/db";
+import { getUniqueResourcePolicyName } from "@server/db/names";
+import response from "@server/lib/response";
+import {
+    isValidCIDR,
+    isValidIP,
+    isValidUrlGlobPattern
+} from "@server/lib/validators";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq, inArray, type InferInsertModel } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import z from "zod";
+import { fromError } from "zod-validation-error";
+
+const createResourcePolicyParamsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const ruleSchema = z.strictObject({
+    action: z.enum(["ACCEPT", "DROP", "PASS"]).openapi({
+        type: "string",
+        enum: ["ACCEPT", "DROP", "PASS"],
+        description: "rule action"
+    }),
+    match: z.enum(["CIDR", "IP", "PATH"]).openapi({
+        type: "string",
+        enum: ["CIDR", "IP", "PATH"],
+        description: "rule match"
+    }),
+    value: z.string().min(1),
+    priority: z.int().openapi({
+        type: "integer",
+        description: "Rule priority"
+    }),
+    enabled: z.boolean().optional()
+});
+
+const createResourcePolicyBodySchema = z.strictObject({
+    name: z.string().min(1).max(255),
+    // Access control
+    sso: z.boolean().default(true),
+    skipToIdpId: z
+        .int()
+        .positive()
+        .optional()
+        .nullable()
+        .openapi({ type: "integer" }),
+    roleIds: z
+        .array(z.string().transform(Number).pipe(z.int().positive()))
+        .optional()
+        .default([]),
+    userIds: z.array(z.string()).optional().default([]),
+    // auth methods
+    password: z.string().min(4).max(100).nullable().optional(),
+    pincode: z
+        .string()
+        .regex(/^\d{6}$/)
+        .or(z.null())
+        .optional(),
+    headerAuth: z
+        .object({
+            user: z.string().min(4).max(100),
+            password: z.string().min(4).max(100),
+            extendedCompatibility: z.boolean()
+        })
+        .nullable()
+        .optional(),
+    // email OTP
+    emailWhitelistEnabled: z.boolean().optional().default(false),
+    emails: z
+        .array(
+            z.email().or(
+                z.string().regex(/^\*@[\w.-]+\.[a-zA-Z]{2,}$/, {
+                    error: "Invalid email address. Wildcard (*) must be the entire local part."
+                })
+            )
+        )
+        .max(50)
+        .transform((v) => v.map((e) => e.toLowerCase()))
+        .optional()
+        .default([]),
+    // rules
+    applyRules: z.boolean().default(false),
+    rules: z.array(ruleSchema).optional().default([])
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/resource-policy",
+    description: "Create a resource policy.",
+    tags: [OpenAPITags.Org, OpenAPITags.Policy],
+    request: {
+        params: createResourcePolicyParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: createResourcePolicyBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function createResourcePolicy(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        // Validate request params
+        const parsedParams = createResourcePolicyParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+        const { orgId } = parsedParams.data;
+
+        if (req.user && req.userOrgRoleIds?.length === 0) {
+            return next(
+                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
+            );
+        }
+
+        // get the org
+        const org = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId))
+            .limit(1);
+
+        if (org.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Organization with ID ${orgId} not found`
+                )
+            );
+        }
+
+        const parsedBody = createResourcePolicyBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const {
+            name,
+            sso,
+            userIds,
+            roleIds,
+            skipToIdpId,
+            applyRules,
+            emailWhitelistEnabled,
+            password,
+            pincode,
+            headerAuth,
+            emails,
+            rules
+        } = parsedBody.data;
+
+        // Check if Identity provider in `skipToIdpId` exists
+        if (skipToIdpId) {
+            const [provider] = await db
+                .select()
+                .from(idp)
+                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
+                .where(and(eq(idp.idpId, skipToIdpId), eq(idpOrg.orgId, orgId)))
+                .limit(1);
+
+            if (!provider) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Identity provider not found in this organization"
+                    )
+                );
+            }
+        }
+
+        const adminRole = await db
+            .select()
+            .from(roles)
+            .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (adminRole.length === 0) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, `Admin role not found`)
+            );
+        }
+
+        const existingRoles = await db
+            .select()
+            .from(roles)
+            .where(and(inArray(roles.roleId, roleIds)));
+
+        const hasAdminRole = existingRoles.some((role) => role.isAdmin);
+
+        if (hasAdminRole) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Admin role cannot be assigned to resource policy"
+                )
+            );
+        }
+
+        const existingUsers = await db
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(userOrgs.userId, users.userId))
+            .where(
+                and(eq(userOrgs.orgId, orgId), inArray(users.userId, userIds))
+            );
+
+        const niceId = await getUniqueResourcePolicyName(orgId);
+
+        for (const rule of rules) {
+            if (rule.match === "CIDR" && !isValidCIDR(rule.value)) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid CIDR provided"
+                    )
+                );
+            } else if (rule.match === "IP" && !isValidIP(rule.value)) {
+                return next(
+                    createHttpError(HttpCode.BAD_REQUEST, "Invalid IP provided")
+                );
+            } else if (
+                rule.match === "PATH" &&
+                !isValidUrlGlobPattern(rule.value)
+            ) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid URL glob pattern provided"
+                    )
+                );
+            }
+        }
+
+        const policy = await db.transaction(async (trx) => {
+            const [newPolicy] = await trx
+                .insert(resourcePolicies)
+                .values({
+                    niceId,
+                    orgId,
+                    name,
+                    sso,
+                    idpId: skipToIdpId,
+                    applyRules,
+                    emailWhitelistEnabled
+                })
+                .returning();
+
+            const rolesToAdd = [
+                {
+                    roleId: adminRole[0].roleId,
+                    resourcePolicyId: newPolicy.resourcePolicyId
+                }
+            ] satisfies InferInsertModel<typeof rolePolicies>[];
+
+            rolesToAdd.push(
+                ...existingRoles.map((role) => ({
+                    roleId: role.roleId,
+                    resourcePolicyId: newPolicy.resourcePolicyId
+                }))
+            );
+
+            await trx.insert(rolePolicies).values(rolesToAdd);
+
+            const usersToAdd: InferInsertModel<typeof userPolicies>[] = [];
+
+            if (
+                req.user &&
+                !req.userOrgRoleIds?.includes(adminRole[0].roleId)
+            ) {
+                // make sure the user can access the policy
+                usersToAdd.push({
+                    userId: req.user?.userId!,
+                    resourcePolicyId: newPolicy.resourcePolicyId
+                });
+            }
+
+            usersToAdd.push(
+                ...existingUsers.map(({ user }) => ({
+                    userId: user.userId,
+                    resourcePolicyId: newPolicy.resourcePolicyId
+                }))
+            );
+
+            if (usersToAdd.length > 0) {
+                await trx.insert(userPolicies).values(usersToAdd);
+            }
+
+            if (password) {
+                const passwordHash = await hashPassword(password);
+
+                await trx.insert(resourcePolicyPassword).values({
+                    resourcePolicyId: newPolicy.resourcePolicyId,
+                    passwordHash
+                });
+            }
+
+            if (pincode) {
+                const pincodeHash = await hashPassword(pincode);
+
+                await trx.insert(resourcePolicyPincode).values({
+                    resourcePolicyId: newPolicy.resourcePolicyId,
+                    pincodeHash,
+                    digitLength: 6
+                });
+            }
+
+            if (headerAuth) {
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(
+                        `${headerAuth.user}:${headerAuth.password}`
+                    ).toString("base64")
+                );
+
+                await trx.insert(resourcePolicyHeaderAuth).values({
+                    resourcePolicyId: newPolicy.resourcePolicyId,
+                    headerAuthHash,
+                    extendedCompatibility: headerAuth.extendedCompatibility
+                });
+            }
+
+            if (emailWhitelistEnabled && emails.length > 0) {
+                await trx.insert(resourcePolicyWhiteList).values(
+                    emails.map((email) => ({
+                        email,
+                        resourcePolicyId: newPolicy.resourcePolicyId
+                    }))
+                );
+            }
+
+            if (rules.length > 0) {
+                await trx.insert(resourcePolicyRules).values(
+                    rules.map((rule) => ({
+                        resourcePolicyId: newPolicy.resourcePolicyId,
+                        ...rule
+                    }))
+                );
+            }
+
+            return newPolicy;
+        });
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to create policy"
+                )
+            );
+        }
+        return response<ResourcePolicy>(res, {
+            data: policy,
+            success: true,
+            error: false,
+            message: "resource policy created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/policy/deleteResourcePolicy.ts

@@ -0,0 +1,107 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { db, resourcePolicies, resources } from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { eq } from "drizzle-orm";
+import type { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import z from "zod";
+import { fromError } from "zod-validation-error";
+
+// Define Zod schema for request parameters validation
+const deleteResourcePolicySchema = z.strictObject({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/resource-policy/{resourcePolicyId}",
+    description: "Delete a resource policy.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: deleteResourcePolicySchema
+    },
+    responses: {}
+});
+
+export async function deleteResourcePolicy(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = deleteResourcePolicySchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+
+        const [existingResource] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId));
+
+        if (!existingResource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource Policy with ID ${resourcePolicyId} not found`
+                )
+            );
+        }
+
+        const totalAffectedResources = await db.$count(
+            db
+                .select()
+                .from(resources)
+                .where(eq(resources.resourcePolicyId, resourcePolicyId))
+        );
+
+        if (totalAffectedResources > 0) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    `Cannot delete Policy '${existingResource.name}' as it's being used by at least one resource`
+                )
+            );
+        }
+
+        // delete policy
+        await db
+            .delete(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Resource Policy deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/policy/index.ts

@@ -0,0 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createResourcePolicy";
+export * from "./listResourcePolicies";
+export * from "./deleteResourcePolicy";

server/private/routers/policy/listResourcePolicies.ts

@@ -0,0 +1,271 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    db,
+    resourcePolicies,
+    resources,
+    rolePolicies,
+    userPolicies
+} from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import type {
+    ListResourcePoliciesResponse,
+    ResourcePolicyWithResources
+} from "@server/routers/resource/types";
+import HttpCode from "@server/types/HttpCode";
+import { and, asc, eq, inArray, like, or, sql } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromZodError } from "zod-validation-error";
+
+const listResourcePoliciesParamsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const listResourcePoliciesSchema = z.object({
+    pageSize: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
+        .optional()
+        .catch(20)
+        .default(20)
+        .openapi({
+            type: "integer",
+            default: 20,
+            description: "Number of items per page"
+        }),
+    page: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .min(0)
+        .optional()
+        .catch(1)
+        .default(1)
+        .openapi({
+            type: "integer",
+            default: 1,
+            description: "Page number to retrieve"
+        }),
+    query: z.string().optional()
+});
+
+function queryResourcePoliciesBase() {
+    return db
+        .select({
+            resourcePolicyId: resourcePolicies.resourcePolicyId,
+            name: resourcePolicies.name,
+            niceId: resourcePolicies.niceId,
+            orgId: resourcePolicies.orgId
+        })
+        .from(resourcePolicies);
+}
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/resource-policies",
+    description: "List resource policies for an organization.",
+    tags: [OpenAPITags.Org, OpenAPITags.Policy],
+    request: {
+        params: z.object({
+            orgId: z.string()
+        }),
+        query: listResourcePoliciesSchema
+    },
+    responses: {}
+});
+
+export async function listResourcePolicies(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = listResourcePoliciesSchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromZodError(parsedQuery.error)
+                )
+            );
+        }
+        const { page, pageSize, query } = parsedQuery.data;
+
+        const parsedParams = listResourcePoliciesParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromZodError(parsedParams.error)
+                )
+            );
+        }
+
+        const orgId =
+            parsedParams.data.orgId ||
+            req.userOrg?.orgId ||
+            req.apiKeyOrg?.orgId;
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (req.user && orgId && orgId !== req.userOrgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        let accessibleResourcePolicies: Array<{ resourcePolicyId: number }>;
+        if (req.user) {
+            accessibleResourcePolicies = await db
+                .select({
+                    resourcePolicyId: sql<number>`COALESCE(${userPolicies.resourcePolicyId}, ${rolePolicies.resourcePolicyId})`
+                })
+                .from(userPolicies)
+                .fullJoin(
+                    rolePolicies,
+                    eq(
+                        userPolicies.resourcePolicyId,
+                        rolePolicies.resourcePolicyId
+                    )
+                )
+                .where(
+                    or(
+                        eq(userPolicies.userId, req.user!.userId),
+                        inArray(rolePolicies.roleId, req.userOrgRoleIds || [])
+                    )
+                );
+        } else {
+            accessibleResourcePolicies = await db
+                .select({
+                    resourcePolicyId: resourcePolicies.resourcePolicyId
+                })
+                .from(resourcePolicies)
+                .where(eq(resourcePolicies.orgId, orgId));
+        }
+
+        const accessibleResourceIds = accessibleResourcePolicies.map(
+            (resource) => resource.resourcePolicyId
+        );
+
+        const conditions = [
+            and(
+                inArray(
+                    resourcePolicies.resourcePolicyId,
+                    accessibleResourceIds
+                ),
+                eq(resourcePolicies.orgId, orgId),
+                eq(resourcePolicies.scope, "global")
+            )
+        ];
+
+        if (query) {
+            conditions.push(
+                or(
+                    like(
+                        sql`LOWER(${resourcePolicies.name})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${resourcePolicies.niceId})`,
+                        "%" + query.toLowerCase() + "%"
+                    )
+                )
+            );
+        }
+
+        const baseQuery = queryResourcePoliciesBase().where(and(...conditions));
+
+        // we need to add `as` so that drizzle filters the result as a subquery
+        const countQuery = db.$count(baseQuery.as("filtered_policies"));
+
+        const [rows, totalCount] = await Promise.all([
+            baseQuery
+                .limit(pageSize)
+                .offset(pageSize * (page - 1))
+                .orderBy(asc(resourcePolicies.resourcePolicyId)),
+            countQuery
+        ]);
+
+        const attachedResources =
+            rows.length === 0
+                ? []
+                : await db
+                      .select({
+                          resourceId: resources.resourceId,
+                          name: resources.name,
+                          fullDomain: resources.fullDomain,
+                          resourcePolicyId: resources.resourcePolicyId
+                      })
+                      .from(resources)
+                      .where(
+                          inArray(
+                              resources.resourcePolicyId,
+                              rows.map((row) => row.resourcePolicyId)
+                          )
+                      );
+
+        // avoids TS issues with reduce/never[]
+        const map = new Map<number, ResourcePolicyWithResources>();
+
+        for (const row of rows) {
+            let entry = map.get(row.resourcePolicyId);
+            if (!entry) {
+                entry = {
+                    ...row,
+                    resources: []
+                };
+                map.set(row.resourcePolicyId, entry);
+            }
+
+            entry.resources = attachedResources.filter(
+                (r) => r.resourcePolicyId === entry?.resourcePolicyId
+            );
+        }
+
+        const policiesList = Array.from(map.values());
+
+        return response<ListResourcePoliciesResponse>(res, {
+            data: {
+                policies: policiesList,
+                pagination: {
+                    total: totalCount,
+                    pageSize,
+                    page
+                }
+            },
+            success: true,
+            error: false,
+            message: "Resources retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/ws/ws.ts

@@ -22,7 +22,7 @@ import {
     Olm,
     olms,
     RemoteExitNode,
-    remoteExitNodes,
+    remoteExitNodes
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
@@ -194,8 +194,6 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();
 
-
-
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
 
@@ -406,6 +404,9 @@ const removeClient = async (
     const updatedClients = existingClients.filter((client) => client !== ws);
     if (updatedClients.length === 0) {
         connectedClients.delete(mapKey);
+        // Remove clientId from clientConfigVersions on disconnect — prevents
+        // unbounded memory growth from stale entries.
+        clientConfigVersions.delete(clientId);
 
         if (redisManager.isRedisEnabled()) {
             try {
@@ -1097,6 +1098,11 @@ const disconnectClient = async (clientId: string): Promise<boolean> => {
         }
     });
 
+    // Eagerly remove client — close event may not fire if socket is already
+    // CLOSING, leaving zombie entries.
+    connectedClients.delete(mapKey);
+    clientConfigVersions.delete(clientId);
+
     return true;
 };
 

server/routers/badger/verifySession.ts

@@ -671,7 +671,8 @@ export async function verifyResourceSession(
                             resourceData.org
                         );
 
-                        localCache.set(userAccessCacheKey, allowedUserData, 5);
+                        // this is query intensive so let it cache a little longer
+                        localCache.set(userAccessCacheKey, allowedUserData, 12);
                     }
 
                     if (
@@ -1003,11 +1004,7 @@ async function checkRules(
             isIpInCidr(clientIp, rule.value)
         ) {
             return rule.action as any;
-        } else if (
-            clientIp &&
-            rule.match == "IP" &&
-            clientIp == rule.value
-        ) {
+        } else if (clientIp && rule.match == "IP" && clientIp == rule.value) {
             return rule.action as any;
         } else if (
             path &&
@@ -1015,10 +1012,7 @@ async function checkRules(
             isPathAllowed(rule.value, path)
         ) {
             return rule.action as any;
-        } else if (
-            clientIp &&
-            rule.match == "COUNTRY"
-        ) {
+        } else if (clientIp && rule.match == "COUNTRY") {
             // COUNTRY=ALL should not affect local/private/CGNAT addresses.
             if (
                 rule.value.toUpperCase() === "ALL" &&
@@ -1030,10 +1024,7 @@ async function checkRules(
             if (await isIpInGeoIP(ipCC, rule.value)) {
                 return rule.action as any;
             }
-        } else if (
-            clientIp &&
-            rule.match == "ASN"
-        ) {
+        } else if (clientIp && rule.match == "ASN") {
             // ASN=ALL/AS0 should not affect local/private/CGNAT addresses.
             if (
                 (rule.value.toUpperCase() === "ALL" ||
@@ -1272,11 +1263,15 @@ export async function isIpInRegion(
         if (region.id === checkRegionCode) {
             for (const subregion of region.includes) {
                 if (subregion.countries.includes(upperCode)) {
-                    logger.debug(`Country ${upperCode} is in region ${region.id} (${region.name})`);
+                    logger.debug(
+                        `Country ${upperCode} is in region ${region.id} (${region.name})`
+                    );
                     return true;
                 }
             }
-            logger.debug(`Country ${upperCode} is not in region ${region.id} (${region.name})`);
+            logger.debug(
+                `Country ${upperCode} is not in region ${region.id} (${region.name})`
+            );
             return false;
         }
 
@@ -1284,10 +1279,14 @@ export async function isIpInRegion(
         for (const subregion of region.includes) {
             if (subregion.id === checkRegionCode) {
                 if (subregion.countries.includes(upperCode)) {
-                    logger.debug(`Country ${upperCode} is in region ${subregion.id} (${subregion.name})`);
+                    logger.debug(
+                        `Country ${upperCode} is in region ${subregion.id} (${subregion.name})`
+                    );
                     return true;
                 }
-                logger.debug(`Country ${upperCode} is not in region ${subregion.id} (${subregion.name})`);
+                logger.debug(
+                    `Country ${upperCode} is not in region ${subregion.id} (${subregion.name})`
+                );
                 return false;
             }
         }

server/routers/external.ts

@@ -3,6 +3,7 @@ import config from "@server/lib/config";
 import * as site from "./site";
 import * as org from "./org";
 import * as resource from "./resource";
+import * as policy from "./policy";
 import * as domain from "./domain";
 import * as target from "./target";
 import * as user from "./user";
@@ -42,7 +43,8 @@ import {
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
-    verifyLimits
+    verifyLimits,
+    verifyResourcePolicyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import rateLimit, { ipKeyGenerator } from "express-rate-limit";
@@ -103,7 +105,6 @@ authenticated.put(
     site.createSite
 );
 
-
 authenticated.get(
     "/org/:orgId/sites",
     verifyOrgAccess,
@@ -540,6 +541,7 @@ authenticated.get(
     verifyUserHasAction(ActionsEnum.getResource),
     resource.getResource
 );
+
 authenticated.post(
     "/resource/:resourceId",
     verifyResourceAccess,
@@ -646,6 +648,29 @@ authenticated.post(
     logActionAudit(ActionsEnum.updateRole),
     role.updateRole
 );
+
+authenticated.get(
+    "/org/:orgId/resource-policy/:niceId",
+    verifyOrgAccess,
+    verifyResourcePolicyAccess,
+    verifyUserHasAction(ActionsEnum.getResourcePolicy),
+    policy.getResourcePolicy
+);
+
+authenticated.get(
+    "/resource/:resourceId/policies",
+    verifyResourceAccess,
+    verifyUserHasAction(ActionsEnum.getResourcePolicy),
+    resource.getResourcePolicies
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId",
+    verifyResourcePolicyAccess,
+    verifyUserHasAction(ActionsEnum.updateResourcePolicy),
+    policy.updateResourcePolicy
+);
+
 // authenticated.get(
 //     "/role/:roleId",
 //     verifyRoleAccess,
@@ -697,6 +722,59 @@ authenticated.post(
     resource.setResourceUsers
 );
 
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/access-control",
+    verifyResourcePolicyAccess,
+    verifyUserHasAction(ActionsEnum.setResourcePolicyUsers),
+    logActionAudit(ActionsEnum.setResourcePolicyUsers),
+    policy.setResourcePolicyAccessControl
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/password",
+    verifyResourcePolicyAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.setResourcePolicyPassword),
+    logActionAudit(ActionsEnum.setResourcePolicyPassword),
+    policy.setResourcePolicyPassword
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/pincode",
+    verifyResourcePolicyAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.setResourcePolicyPincode),
+    logActionAudit(ActionsEnum.setResourcePolicyPincode),
+    policy.setResourcePolicyPincode
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/header-auth",
+    verifyResourcePolicyAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.setResourcePolicyHeaderAuth),
+    logActionAudit(ActionsEnum.setResourcePolicyHeaderAuth),
+    policy.setResourcePolicyHeaderAuth
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/whitelist",
+    verifyResourcePolicyAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.setResourcePolicyWhitelist),
+    logActionAudit(ActionsEnum.setResourcePolicyWhitelist),
+    policy.setResourcePolicyWhitelist
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/rules",
+    verifyResourcePolicyAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.setResourcePolicyRules),
+    logActionAudit(ActionsEnum.setResourcePolicyRules),
+    policy.setResourcePolicyRules
+);
+
 authenticated.post(
     `/resource/:resourceId/password`,
     verifyResourceAccess,

server/routers/idp/validateOidcCallback.ts

@@ -333,23 +333,16 @@ export async function validateOidcCallback(
                     .innerJoin(orgs, eq(orgs.orgId, idpOrg.orgId));
                 allOrgs = idpOrgs.map((o) => o.orgs);
 
-                // for (const org of allOrgs) {
-                //     const subscribed = await isSubscribed(
-                //         org.orgId,
-                //         tierMatrix.autoProvisioning
-                //     );
-                //     if (!subscribed) {
-                //         // filter out the org
-                //         allOrgs = allOrgs.filter((o) => o.orgId !== org.orgId);
-
-                //         // return next(
-                //         //     createHttpError(
-                //         //         HttpCode.FORBIDDEN,
-                //         //         "This organization's current plan does not support this feature."
-                //         //     )
-                //         // );
-                //     }
-                // }
+                for (const org of allOrgs) {
+                    const subscribed = await isSubscribed(
+                        org.orgId,
+                        tierMatrix.autoProvisioning
+                    );
+                    if (!subscribed) {
+                        // filter out the org
+                        allOrgs = allOrgs.filter((o) => o.orgId !== org.orgId);
+                    }
+                }
             } else {
                 allOrgs = await db.select().from(orgs);
             }
@@ -490,7 +483,14 @@ export async function validateOidcCallback(
                             }
                         }
 
-                        await calculateUserClientsForOrgs(existingUser.userId);
+                        calculateUserClientsForOrgs(existingUser.userId).catch(
+                            (err) => {
+                                logger.error(
+                                    "Error calculating user clients after removing all orgs for user with no valid IdP mappings",
+                                    { error: err }
+                                );
+                            }
+                        );
 
                         return next(
                             createHttpError(
@@ -512,10 +512,9 @@ export async function validateOidcCallback(
 
             const orgUserCounts: { orgId: string; userCount: number }[] = [];
 
+            let userId = existingUser?.userId;
             // sync the user with the orgs and roles
             await db.transaction(async (trx) => {
-                let userId = existingUser?.userId;
-
                 // create user if not exists
                 if (!existingUser) {
                     userId = generateId(15);
@@ -645,8 +644,15 @@ export async function validateOidcCallback(
                         userCount: userCount.length
                     });
                 }
+            });
 
+            db.transaction(async (trx) => {
                 await calculateUserClientsForOrgs(userId!, trx);
+            }).catch((err) => {
+                logger.error(
+                    "Error calculating user clients after syncing orgs and roles for OIDC user",
+                    { error: err }
+                );
             });
 
             for (const orgCount of orgUserCounts) {

server/routers/integration.ts

@@ -2,6 +2,7 @@ import * as site from "./site";
 import * as org from "./org";
 import * as blueprints from "./blueprints";
 import * as resource from "./resource";
+import * as policy from "./policy";
 import * as domain from "./domain";
 import * as target from "./target";
 import * as user from "./user";
@@ -29,7 +30,9 @@ import {
     verifyApiKeySiteResourceAccess,
     verifyApiKeySetResourceClients,
     verifyLimits,
-    verifyApiKeyDomainAccess
+    verifyApiKeyDomainAccess,
+    verifyApiKeyResourcePolicyAccess,
+    verifyUserHasAction
 } from "@server/middlewares";
 import HttpCode from "@server/types/HttpCode";
 import { Router } from "express";
@@ -459,6 +462,20 @@ authenticated.get(
     resource.getResource
 );
 
+authenticated.get(
+    "/resource-policy/:resourcePolicyId",
+    verifyApiKeyResourcePolicyAccess,
+    verifyApiKeyHasAction(ActionsEnum.getResourcePolicy),
+    policy.getResourcePolicy
+);
+
+authenticated.get(
+    "/resource/:resourceId/policies",
+    verifyApiKeyResourceAccess,
+    verifyApiKeyHasAction(ActionsEnum.getResourcePolicy),
+    resource.getResourcePolicies
+);
+
 authenticated.post(
     "/resource/:resourceId",
     verifyApiKeyResourceAccess,
@@ -468,6 +485,13 @@ authenticated.post(
     resource.updateResource
 );
 
+authenticated.put(
+    "/resource-policy/:resourcePolicyId",
+    verifyApiKeyResourcePolicyAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateResourcePolicy),
+    policy.updateResourcePolicy
+);
+
 authenticated.delete(
     "/resource/:resourceId",
     verifyApiKeyResourceAccess,
@@ -619,6 +643,63 @@ authenticated.post(
     resource.setResourceUsers
 );
 
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/access-control",
+    verifyApiKeyResourcePolicyAccess,
+    verifyApiKeyRoleAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.setResourcePolicyUsers),
+    verifyUserHasAction(ActionsEnum.setResourcePolicyRoles),
+    logActionAudit(ActionsEnum.setResourcePolicyUsers),
+    logActionAudit(ActionsEnum.setResourcePolicyRoles),
+    policy.setResourcePolicyAccessControl
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/password",
+    verifyApiKeyResourcePolicyAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.setResourcePolicyPassword),
+    logActionAudit(ActionsEnum.setResourcePolicyPassword),
+    policy.setResourcePolicyPassword
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/pincode",
+    verifyApiKeyResourcePolicyAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.setResourcePolicyPincode),
+    logActionAudit(ActionsEnum.setResourcePolicyPincode),
+    policy.setResourcePolicyPincode
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/header-auth",
+    verifyApiKeyResourcePolicyAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.setResourcePolicyHeaderAuth),
+    logActionAudit(ActionsEnum.setResourcePolicyHeaderAuth),
+    policy.setResourcePolicyHeaderAuth
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/whitelist",
+    verifyApiKeyResourcePolicyAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.setResourcePolicyWhitelist),
+    logActionAudit(ActionsEnum.setResourcePolicyWhitelist),
+    policy.setResourcePolicyWhitelist
+);
+
+authenticated.put(
+    "/resource-policy/:resourcePolicyId/rules",
+    verifyApiKeyResourcePolicyAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.setResourcePolicyRules),
+    logActionAudit(ActionsEnum.setResourcePolicyRules),
+    policy.setResourcePolicyRules
+);
+
 authenticated.post(
     "/resource/:resourceId/roles/add",
     verifyApiKeyResourceAccess,

server/routers/policy/getResourcePolicy.ts

@@ -0,0 +1,231 @@
+import {
+    db,
+    idp,
+    resourcePolicyRules,
+    resourcePolicies,
+    resourcePolicyHeaderAuth,
+    resourcePolicyPassword,
+    resourcePolicyPincode,
+    resourcePolicyWhiteList,
+    rolePolicies,
+    roles,
+    userPolicies,
+    users
+} from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq, isNull, not, or, type SQL } from "drizzle-orm";
+import type { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import z from "zod";
+import { fromError } from "zod-validation-error";
+
+const getResourcePolicySchema = z
+    .strictObject({
+        niceId: z.string(),
+        orgId: z.string()
+    })
+    .or(
+        z.strictObject({
+            resourcePolicyId: z.coerce
+                .number<string>()
+                .int()
+                .positive()
+                .openapi({
+                    type: "integer",
+                    description: "Resource policy ID"
+                })
+        })
+    );
+
+export async function queryResourcePolicy(
+    params: z.infer<typeof getResourcePolicySchema>
+) {
+    const conditions: SQL<unknown>[] = [];
+    if ("resourcePolicyId" in params) {
+        conditions.push(
+            eq(resourcePolicies.resourcePolicyId, params.resourcePolicyId)
+        );
+    } else {
+        conditions.push(
+            eq(resourcePolicies.niceId, params.niceId),
+            eq(resourcePolicies.orgId, params.orgId)
+        );
+    }
+
+    const [res] = await db
+        .select({
+            resourcePolicyId: resourcePolicies.resourcePolicyId,
+            sso: resourcePolicies.sso,
+            applyRules: resourcePolicies.applyRules,
+            emailWhitelistEnabled: resourcePolicies.emailWhitelistEnabled,
+            idpId: resourcePolicies.idpId,
+            niceId: resourcePolicies.niceId,
+            name: resourcePolicies.name,
+            passwordId: resourcePolicyPassword.passwordId,
+            pincodeId: resourcePolicyPincode.pincodeId,
+            headerAuth: {
+                id: resourcePolicyHeaderAuth.headerAuthId,
+                extendedCompability:
+                    resourcePolicyHeaderAuth.extendedCompatibility
+            }
+        })
+        .from(resourcePolicies)
+        .leftJoin(
+            resourcePolicyPassword,
+            eq(
+                resourcePolicyPassword.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            resourcePolicyPincode,
+            eq(
+                resourcePolicyPincode.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            resourcePolicyHeaderAuth,
+            eq(
+                resourcePolicyHeaderAuth.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
+        .where(and(...conditions))
+        .limit(1);
+
+    if (!res) return null;
+
+    const policyUsers = await db
+        .select({
+            userId: userPolicies.userId,
+            email: users.email,
+            name: users.name,
+            username: users.username,
+            type: users.type,
+            idpName: idp.name
+        })
+        .from(userPolicies)
+        .innerJoin(users, eq(userPolicies.userId, users.userId))
+        .leftJoin(idp, eq(idp.idpId, users.idpId))
+        .where(eq(userPolicies.resourcePolicyId, res.resourcePolicyId));
+
+    const policyRoles = await db
+        .select({
+            roleId: rolePolicies.roleId,
+            name: roles.name
+        })
+        .from(rolePolicies)
+        .innerJoin(
+            roles,
+            and(
+                eq(rolePolicies.roleId, roles.roleId),
+                or(isNull(roles.isAdmin), not(roles.isAdmin))
+            )
+        )
+        .where(eq(rolePolicies.resourcePolicyId, res.resourcePolicyId));
+
+    const policyEmailWhiteList = await db
+        .select({
+            whiteListId: resourcePolicyWhiteList.whitelistId,
+            email: resourcePolicyWhiteList.email
+        })
+        .from(resourcePolicyWhiteList)
+        .where(
+            eq(resourcePolicyWhiteList.resourcePolicyId, res.resourcePolicyId)
+        );
+
+    const policyRules = await db
+        .select({
+            ruleId: resourcePolicyRules.ruleId,
+            enabled: resourcePolicyRules.enabled,
+            priority: resourcePolicyRules.priority,
+            action: resourcePolicyRules.action,
+            match: resourcePolicyRules.match,
+            value: resourcePolicyRules.value
+        })
+        .from(resourcePolicyRules)
+        .where(eq(resourcePolicyRules.resourcePolicyId, res.resourcePolicyId));
+
+    return {
+        ...res,
+        roles: policyRoles,
+        users: policyUsers,
+        emailWhiteList: policyEmailWhiteList,
+        rules: policyRules
+    };
+}
+
+export type GetResourcePolicyResponse = NonNullable<
+    Awaited<ReturnType<typeof queryResourcePolicy>>
+>;
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/resource-policy/{niceId}",
+    description:
+        "Get a resource policy by orgId and niceId. NiceId is a readable ID for the resource and unique on a per org basis.",
+    tags: [OpenAPITags.Org, OpenAPITags.Policy],
+    request: {
+        params: z.object({
+            orgId: z.string(),
+            niceId: z.string()
+        })
+    },
+    responses: {}
+});
+
+registry.registerPath({
+    method: "get",
+    path: "/resource-policy/{resourcePolicyId}",
+    description: "Get a resource policy by its resourcePolicyId.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: z.object({
+            resourcePolicyId: z.number()
+        })
+    },
+    responses: {}
+});
+
+export async function getResourcePolicy(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = getResourcePolicySchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const policy = await queryResourcePolicy(parsedParams.data);
+
+        if (!policy) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Resource policy not found")
+            );
+        }
+
+        return response<GetResourcePolicyResponse>(res, {
+            data: policy,
+            success: true,
+            error: false,
+            message: "Resource Policy retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/policy/index.ts

@@ -0,0 +1,8 @@
+export * from "./getResourcePolicy";
+export * from "./updateResourcePolicy";
+export * from "./setResourcePolicyAccessControl";
+export * from "./setResourcePolicyPassword";
+export * from "./setResourcePolicyPincode";
+export * from "./setResourcePolicyHeaderAuth";
+export * from "./setResourcePolicyWhitelist";
+export * from "./setResourcePolicyRules";

server/routers/policy/setResourcePolicyAccessControl.ts

@@ -0,0 +1,237 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    db,
+    idp,
+    idpOrg,
+    resourcePolicies,
+    rolePolicies,
+    roles,
+    userOrgs,
+    users
+} from "@server/db";
+import { userPolicies } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { and, eq, inArray, ne } from "drizzle-orm";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const setResourcePolicyAcccessControlBodySchema = z.strictObject({
+    sso: z.boolean(),
+    userIds: z.array(z.string()),
+    roleIds: z.array(z.int().positive()).openapi({
+        type: "array"
+    }),
+    skipToIdpId: z.int().positive().optional().nullable().openapi({
+        type: "integer",
+        description: "Page number to retrieve"
+    })
+});
+
+const setResourcePolicyAccessControlParamsSchema = z.strictObject({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/resource-policy/{resourceId}/access-control",
+    description:
+        "Set access control users for a resource policy, including SSO, users, roles, Identity provider.",
+    tags: [OpenAPITags.Policy, OpenAPITags.User],
+    request: {
+        params: setResourcePolicyAccessControlParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: setResourcePolicyAcccessControlBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function setResourcePolicyAccessControl(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = setResourcePolicyAcccessControlBodySchema.safeParse(
+            req.body
+        );
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { userIds, roleIds, sso, skipToIdpId: idpId } = parsedBody.data;
+
+        const parsedParams =
+            setResourcePolicyAccessControlParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .limit(1);
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Resource policy not found"
+                )
+            );
+        }
+
+        // Check if Identity provider in `skipToIdpId` exists
+        if (idpId) {
+            const [provider] = await db
+                .select()
+                .from(idp)
+                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
+                .where(
+                    and(eq(idp.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
+                )
+                .limit(1);
+
+            if (!provider) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Identity provider not found in this organization"
+                    )
+                );
+            }
+        }
+
+        // Check if any of the roleIds are admin roles
+        const rolesToCheck = await db
+            .select()
+            .from(roles)
+            .where(
+                and(
+                    inArray(roles.roleId, roleIds),
+                    eq(roles.orgId, policy.orgId)
+                )
+            );
+
+        const hasAdminRole = rolesToCheck.some((role) => role.isAdmin);
+
+        if (hasAdminRole) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Admin role cannot be assigned to resources"
+                )
+            );
+        }
+
+        // Get all admin role IDs for this org to exclude from deletion
+        const adminRoles = await db
+            .select()
+            .from(roles)
+            .where(and(eq(roles.isAdmin, true), eq(roles.orgId, policy.orgId)));
+        const adminRoleIds = adminRoles.map((role) => role.roleId);
+
+        const existingUsers = await db
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(userOrgs.userId, users.userId))
+            .where(
+                and(
+                    eq(userOrgs.orgId, policy.orgId),
+                    inArray(users.userId, userIds)
+                )
+            );
+
+        const existingRoles = await db
+            .select()
+            .from(roles)
+            .where(
+                and(
+                    eq(roles.orgId, policy.orgId),
+                    inArray(roles.roleId, roleIds)
+                )
+            );
+
+        await db.transaction(async (trx) => {
+            // Update SSO status
+            await trx
+                .update(resourcePolicies)
+                .set({
+                    sso,
+                    idpId
+                })
+                .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId));
+
+            // Update roles
+            if (adminRoleIds.length > 0) {
+                await trx.delete(rolePolicies).where(
+                    and(
+                        eq(rolePolicies.resourcePolicyId, resourcePolicyId),
+                        ne(rolePolicies.roleId, adminRoleIds[0]) // delete all but the admin role
+                    )
+                );
+            } else {
+                await trx
+                    .delete(rolePolicies)
+                    .where(eq(rolePolicies.resourcePolicyId, resourcePolicyId));
+            }
+
+            const rolesToAdd = existingRoles.map(({ roleId }) => ({
+                roleId,
+                resourcePolicyId
+            }));
+
+            if (rolesToAdd.length > 0) {
+                await trx.insert(rolePolicies).values(rolesToAdd);
+            }
+
+            // Update users
+            await trx
+                .delete(userPolicies)
+                .where(eq(userPolicies.resourcePolicyId, resourcePolicyId));
+
+            const usersToAdd = existingUsers.map(({ user }) => ({
+                userId: user.userId,
+                resourcePolicyId: resourcePolicyId
+            }));
+
+            if (usersToAdd.length > 0) {
+                await trx.insert(userPolicies).values(usersToAdd);
+            }
+        });
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Resource policy succesfully updated",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/policy/setResourcePolicyHeaderAuth.ts

@@ -0,0 +1,117 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db, resourcePolicyHeaderAuth } from "@server/db";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import { response } from "@server/lib/response";
+import logger from "@server/logger";
+import { hashPassword } from "@server/auth/password";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const setResourcePolicyHeaderAuthParamsSchema = z.object({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const setResourcePolicyHeaderAuthBodySchema = z.strictObject({
+    headerAuth: z
+        .object({
+            user: z.string().min(4).max(100),
+            password: z.string().min(4).max(100),
+            extendedCompatibility: z.boolean()
+        })
+        .nullable()
+});
+
+registry.registerPath({
+    method: "put",
+    path: "/resource-policy/{resourcePolicyId}/header-auth",
+    description:
+        "Set or update the header authentication for a resource policy. If user and password is not provided, it will remove the header authentication.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: setResourcePolicyHeaderAuthParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: setResourcePolicyHeaderAuthBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function setResourcePolicyHeaderAuth(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = setResourcePolicyHeaderAuthParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = setResourcePolicyHeaderAuthBodySchema.safeParse(
+            req.body
+        );
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+        const { headerAuth } = parsedBody.data;
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(resourcePolicyHeaderAuth)
+                .where(
+                    eq(
+                        resourcePolicyHeaderAuth.resourcePolicyId,
+                        resourcePolicyId
+                    )
+                );
+
+            if (headerAuth !== null) {
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(
+                        `${headerAuth.user}:${headerAuth.password}`
+                    ).toString("base64")
+                );
+
+                await trx.insert(resourcePolicyHeaderAuth).values({
+                    resourcePolicyId,
+                    headerAuthHash,
+                    extendedCompatibility: headerAuth.extendedCompatibility
+                });
+            }
+        });
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Header Authentication set successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/policy/setResourcePolicyPassword.ts

@@ -0,0 +1,106 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { resourcePolicyPassword } from "@server/db";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import { response } from "@server/lib/response";
+import logger from "@server/logger";
+import { hashPassword } from "@server/auth/password";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const setResourcePolicyPasswordParamsSchema = z.object({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const setResourcePolicyPasswordBodySchema = z.strictObject({
+    password: z.string().min(4).max(100).nullable()
+});
+
+registry.registerPath({
+    method: "put",
+    path: "/resource-policy/{resourcePolicyId}/password",
+    description:
+        "Set the password for a resource policy. Setting the password to null will remove it.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: setResourcePolicyPasswordParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: setResourcePolicyPasswordBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function setResourcePolicyPassword(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = setResourcePolicyPasswordParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = setResourcePolicyPasswordBodySchema.safeParse(
+            req.body
+        );
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+        const { password } = parsedBody.data;
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(resourcePolicyPassword)
+                .where(
+                    eq(
+                        resourcePolicyPassword.resourcePolicyId,
+                        resourcePolicyId
+                    )
+                );
+
+            if (password) {
+                const passwordHash = await hashPassword(password);
+
+                await trx
+                    .insert(resourcePolicyPassword)
+                    .values({ resourcePolicyId, passwordHash });
+            }
+        });
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Resource policy password set successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/policy/setResourcePolicyPincode.ts

@@ -0,0 +1,106 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { resourcePolicyPincode } from "@server/db";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import { response } from "@server/lib/response";
+import logger from "@server/logger";
+import { hashPassword } from "@server/auth/password";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const setResourcePolicyPincodeParamsSchema = z.object({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const setResourcePolicyPincodeBodySchema = z.strictObject({
+    pincode: z
+        .string()
+        .regex(/^\d{6}$/)
+        .or(z.null())
+});
+
+registry.registerPath({
+    method: "put",
+    path: "/resource-policy/{resourcePolicyId}/pincode",
+    description:
+        "Set the PIN code for a resource policy. Setting the PIN code to null will remove it.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: setResourcePolicyPincodeParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: setResourcePolicyPincodeBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function setResourcePolicyPincode(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = setResourcePolicyPincodeParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = setResourcePolicyPincodeBodySchema.safeParse(
+            req.body
+        );
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+        const { pincode } = parsedBody.data;
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(resourcePolicyPincode)
+                .where(
+                    eq(resourcePolicyPincode.resourcePolicyId, resourcePolicyId)
+                );
+
+            if (pincode) {
+                const pincodeHash = await hashPassword(pincode);
+
+                await trx
+                    .insert(resourcePolicyPincode)
+                    .values({ resourcePolicyId, pincodeHash, digitLength: 6 });
+            }
+        });
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Resource policy PIN code set successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/policy/setResourcePolicyRules.ts

@@ -0,0 +1,167 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db, resourcePolicyRules, resourcePolicies } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import {
+    isValidCIDR,
+    isValidIP,
+    isValidUrlGlobPattern
+} from "@server/lib/validators";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const ruleSchema = z.strictObject({
+    action: z.enum(["ACCEPT", "DROP", "PASS"]).openapi({
+        type: "string",
+        enum: ["ACCEPT", "DROP", "PASS"],
+        description: "rule action"
+    }),
+    match: z.enum(["CIDR", "IP", "PATH"]).openapi({
+        type: "string",
+        enum: ["CIDR", "IP", "PATH"],
+        description: "rule match"
+    }),
+    value: z.string().min(1),
+    priority: z.int().openapi({
+        type: "integer",
+        description: "Rule priority"
+    }),
+    enabled: z.boolean().optional()
+});
+
+const setResourcePolicyRulesBodySchema = z.strictObject({
+    applyRules: z.boolean(),
+    rules: z.array(ruleSchema)
+});
+
+const setResourcePolicyRulesParamsSchema = z.strictObject({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "put",
+    path: "/resource-policy/{resourcePolicyId}/rules",
+    description:
+        "Set all rules for a resource policy at once. This will replace all existing rules.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: setResourcePolicyRulesParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: setResourcePolicyRulesBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function setResourcePolicyRules(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = setResourcePolicyRulesParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = setResourcePolicyRulesBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+        const { applyRules, rules } = parsedBody.data;
+
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .limit(1);
+
+        if (!policy) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Resource policy not found")
+            );
+        }
+
+        for (const rule of rules) {
+            if (rule.match === "CIDR" && !isValidCIDR(rule.value)) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid CIDR provided"
+                    )
+                );
+            } else if (rule.match === "IP" && !isValidIP(rule.value)) {
+                return next(
+                    createHttpError(HttpCode.BAD_REQUEST, "Invalid IP provided")
+                );
+            } else if (
+                rule.match === "PATH" &&
+                !isValidUrlGlobPattern(rule.value)
+            ) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid URL glob pattern provided"
+                    )
+                );
+            }
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .update(resourcePolicies)
+                .set({ applyRules })
+                .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId));
+
+            await trx
+                .delete(resourcePolicyRules)
+                .where(
+                    eq(resourcePolicyRules.resourcePolicyId, resourcePolicyId)
+                );
+
+            if (rules.length > 0) {
+                await trx.insert(resourcePolicyRules).values(
+                    rules.map((rule) => ({
+                        resourcePolicyId,
+                        ...rule
+                    }))
+                );
+            }
+        });
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Resource policy rules set successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/policy/setResourcePolicyWhitelist.ts

@@ -0,0 +1,132 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db, resourcePolicies, resourcePolicyWhiteList } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { and, eq } from "drizzle-orm";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const setResourcePolicyWhitelistBodySchema = z.strictObject({
+    emailWhitelistEnabled: z.boolean(),
+    emails: z
+        .array(
+            z.email().or(
+                z.string().regex(/^\*@[\w.-]+\.[a-zA-Z]{2,}$/, {
+                    error: "Invalid email address. Wildcard (*) must be the entire local part."
+                })
+            )
+        )
+        .max(50)
+        .transform((v) => v.map((e) => e.toLowerCase()))
+});
+
+const setResourcePolicyWhitelistParamsSchema = z.strictObject({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "put",
+    path: "/resource-policy/{resourcePolicyId}/whitelist",
+    description:
+        "Set email whitelist for a resource policy. This will replace all existing emails.",
+    tags: [OpenAPITags.Policy],
+    request: {
+        params: setResourcePolicyWhitelistParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: setResourcePolicyWhitelistBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function setResourcePolicyWhitelist(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = setResourcePolicyWhitelistBodySchema.safeParse(
+            req.body
+        );
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const parsedParams = setResourcePolicyWhitelistParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+        const { emailWhitelistEnabled, emails } = parsedBody.data;
+
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId));
+
+        if (!policy) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Resource policy not found")
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .update(resourcePolicies)
+                .set({ emailWhitelistEnabled })
+                .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId));
+
+            // delete all whitelist emails
+            await trx
+                .delete(resourcePolicyWhiteList)
+                .where(
+                    eq(
+                        resourcePolicyWhiteList.resourcePolicyId,
+                        resourcePolicyId
+                    )
+                );
+
+            if (emailWhitelistEnabled && emails.length > 0) {
+                await trx.insert(resourcePolicyWhiteList).values(
+                    emails.map((email) => ({
+                        email,
+                        resourcePolicyId
+                    }))
+                );
+            }
+        });
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Whitelist set for resource policy successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/policy/updateResourcePolicy.ts

@@ -0,0 +1,157 @@
+import { Request, Response, NextFunction } from "express";
+import z from "zod";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import { db, orgs, resourcePolicies, type ResourcePolicy } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import logger from "@server/logger";
+import response from "@server/lib/response";
+
+const updateResourcePolicyParamsSchema = z.strictObject({
+    resourcePolicyId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const updateResourcePolicyBodySchema = z.strictObject({
+    name: z.string().min(1).max(255).optional(),
+    niceId: z.string().min(1).max(255).optional()
+});
+
+registry.registerPath({
+    method: "put",
+    path: "/resource-policy/{resourcePolicyId}",
+    description: "Update a resource policy.",
+    tags: [OpenAPITags.Org, OpenAPITags.Policy],
+    request: {
+        params: updateResourcePolicyParamsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: updateResourcePolicyBodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function updateResourcePolicy(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = updateResourcePolicyParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        if (req.user && req.userOrgRoleIds?.length === 0) {
+            return next(
+                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
+            );
+        }
+
+        const { resourcePolicyId } = parsedParams.data;
+        const [result] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .leftJoin(orgs, eq(resourcePolicies.orgId, orgs.orgId));
+
+        const policy = result?.resourcePolicies;
+        const org = result?.orgs;
+
+        if (!policy || !org) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource Policy with ID ${resourcePolicyId} not found`
+                )
+            );
+        }
+
+        const parsedBody = updateResourcePolicyBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const updateData = parsedBody.data;
+
+        if (updateData.niceId) {
+            const [existingPolicy] = await db
+                .select()
+                .from(resourcePolicies)
+                .where(
+                    and(
+                        eq(resourcePolicies.niceId, updateData.niceId),
+                        eq(resourcePolicies.orgId, policy.orgId)
+                    )
+                );
+
+            if (
+                existingPolicy &&
+                existingPolicy.resourcePolicyId !== policy.resourcePolicyId
+            ) {
+                return next(
+                    createHttpError(
+                        HttpCode.CONFLICT,
+                        `A resource policy with niceId "${updateData.niceId}" already exists`
+                    )
+                );
+            }
+        }
+
+        const updatedPolicy = await db.transaction(async (trx) => {
+            const [updated] = await trx
+                .update(resourcePolicies)
+                .set({
+                    ...updateData
+                })
+                .where(
+                    eq(
+                        resourcePolicies.resourcePolicyId,
+                        policy.resourcePolicyId
+                    )
+                )
+                .returning();
+
+            return updated;
+        });
+
+        if (!updatedPolicy) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to update policy"
+                )
+            );
+        }
+
+        return response<ResourcePolicy>(res, {
+            data: updatedPolicy,
+            success: true,
+            error: false,
+            message: "Resource policy updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/resource/createResource.ts

@@ -1,15 +1,19 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, domainNamespaces, loginPage } from "@server/db";
+import { build } from "@server/build";
 import {
-    domains,
-    orgDomains,
+    db,
+    loginPage,
     orgs,
     Resource,
     resources,
+    resourcePolicies,
     roleResources,
+    rolePolicies,
     roles,
-    userResources
+    userPolicies,
+    userResources,
+    domainNamespaces
 } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -20,13 +24,18 @@ import logger from "@server/logger";
 import { subdomainSchema, wildcardSubdomainSchema } from "@server/lib/schemas";
 import config from "@server/lib/config";
 import { OpenAPITags, registry } from "@server/openApi";
-import { build } from "@server/build";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
-import { getUniqueResourceName } from "@server/db/names";
-import { validateAndConstructDomain, checkWildcardDomainConflict } from "@server/lib/domainUtils";
+import {
+    validateAndConstructDomain,
+    checkWildcardDomainConflict
+} from "@server/lib/domainUtils";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import {
+    getUniqueResourceName,
+    getUniqueResourcePolicyName
+} from "@server/db/names";
 
 const createResourceParamsSchema = z.strictObject({
     orgId: z.string()
@@ -311,8 +320,46 @@ async function createHttpResource(
     let resource: Resource | undefined;
 
     const niceId = await getUniqueResourceName(orgId);
+    const policyNiceId = await getUniqueResourcePolicyName(orgId);
 
     await db.transaction(async (trx) => {
+        const adminRole = await trx
+            .select()
+            .from(roles)
+            .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (adminRole.length === 0) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, `Admin role not found`)
+            );
+        }
+
+        const [defaultPolicy] = await trx
+            .insert(resourcePolicies)
+            .values({
+                niceId: policyNiceId,
+                orgId,
+                name: `default policy for ${niceId}`,
+                sso: true,
+                scope: "resource"
+            })
+            .returning();
+
+        // make this policy visible by the admin role
+        await trx.insert(rolePolicies).values({
+            roleId: adminRole[0].roleId,
+            resourcePolicyId: defaultPolicy.resourcePolicyId
+        });
+
+        // make this policy visible by the current user
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+            await trx.insert(userPolicies).values({
+                userId: req.user?.userId!,
+                resourcePolicyId: defaultPolicy.resourcePolicyId
+            });
+        }
+
         const newResource = await trx
             .insert(resources)
             .values({
@@ -328,22 +375,11 @@ async function createHttpResource(
                 stickySession: stickySession,
                 postAuthPath: postAuthPath,
                 wildcard,
-                health: "unknown"
+                health: "unknown",
+                defaultResourcePolicyId: defaultPolicy.resourcePolicyId
             })
             .returning();
 
-        const adminRole = await db
-            .select()
-            .from(roles)
-            .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
-            .limit(1);
-
-        if (adminRole.length === 0) {
-            return next(
-                createHttpError(HttpCode.NOT_FOUND, `Admin role not found`)
-            );
-        }
-
         await trx.insert(roleResources).values({
             roleId: adminRole[0].roleId,
             resourceId: newResource[0].resourceId
@@ -369,7 +405,7 @@ async function createHttpResource(
         );
     }
 
-    if (build != "oss") {
+    if (build !== "oss") {
         await createCertificate(domainId, fullDomain, db);
     }
 
@@ -410,22 +446,10 @@ async function createRawResource(
     let resource: Resource | undefined;
 
     const niceId = await getUniqueResourceName(orgId);
+    const policyNiceId = await getUniqueResourcePolicyName(orgId);
 
     await db.transaction(async (trx) => {
-        const newResource = await trx
-            .insert(resources)
-            .values({
-                niceId,
-                orgId,
-                name,
-                http,
-                protocol,
-                proxyPort
-                // enableProxy
-            })
-            .returning();
-
-        const adminRole = await db
+        const adminRole = await trx
             .select()
             .from(roles)
             .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
@@ -437,6 +461,44 @@ async function createRawResource(
             );
         }
 
+        const [defaultPolicy] = await trx
+            .insert(resourcePolicies)
+            .values({
+                niceId: policyNiceId,
+                orgId,
+                name: `default policy for ${niceId}`,
+                sso: true,
+                scope: "resource"
+            })
+            .returning();
+
+        // make this policy visible by the admin role
+        await trx.insert(rolePolicies).values({
+            roleId: adminRole[0].roleId,
+            resourcePolicyId: defaultPolicy.resourcePolicyId
+        });
+
+        // make this policy visible by the current user
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+            await trx.insert(userPolicies).values({
+                userId: req.user?.userId!,
+                resourcePolicyId: defaultPolicy.resourcePolicyId
+            });
+        }
+
+        const newResource = await trx
+            .insert(resources)
+            .values({
+                niceId,
+                orgId,
+                name,
+                http,
+                protocol,
+                proxyPort,
+                defaultResourcePolicyId: defaultPolicy.resourcePolicyId
+            })
+            .returning();
+
         await trx.insert(roleResources).values({
             roleId: adminRole[0].roleId,
             resourceId: newResource[0].resourceId

server/routers/resource/deleteResource.ts

@@ -1,17 +1,22 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db, targetHealthCheck } from "@server/db";
-import { newts, resources, sites, targets } from "@server/db";
 import { eq, inArray } from "drizzle-orm";
+import {
+    db,
+    newts,
+    resourcePolicies,
+    resources,
+    sites,
+    targetHealthCheck,
+    targets
+} from "@server/db";
 import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
 import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import { addPeer } from "../gerbil/peers";
-import { removeTargets } from "../newt/targets";
-import { getAllowedIps } from "../target/helpers";
 import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import { removeTargets } from "../newt/targets";
 
 // Define Zod schema for request parameters validation
 const deleteResourceSchema = z.strictObject({
@@ -113,6 +118,18 @@ export async function deleteResource(
             }
         }
 
+        // Also delete default resource policy
+        if (deletedResource.defaultResourcePolicyId) {
+            await db
+                .delete(resourcePolicies)
+                .where(
+                    eq(
+                        resourcePolicies.resourcePolicyId,
+                        deletedResource.defaultResourcePolicyId
+                    )
+                );
+        }
+
         return response(res, {
             data: null,
             success: true,

server/routers/resource/getResourceAuthInfo.ts

@@ -2,13 +2,13 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import {
     db,
-    resourceHeaderAuth,
-    resourceHeaderAuthExtendedCompatibility,
-    resourcePassword,
-    resourcePincode,
+    resourcePolicies,
+    resourcePolicyHeaderAuth,
+    resourcePolicyPassword,
+    resourcePolicyPincode,
     resources
 } from "@server/db";
-import { eq } from "drizzle-orm";
+import { eq, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -60,64 +60,53 @@ export async function getResourceAuthInfo(
 
         const isGuidInteger = /^\d+$/.test(resourceGuid);
 
+        const buildQuery = (whereClause: ReturnType<typeof eq>) =>
+            db
+                .select()
+                .from(resources)
+                .leftJoin(
+                    resourcePolicies,
+                    or(
+                        eq(
+                            resourcePolicies.resourcePolicyId,
+                            resources.resourcePolicyId
+                        ),
+                        eq(
+                            resourcePolicies.resourcePolicyId,
+                            resources.defaultResourcePolicyId
+                        )
+                    )
+                )
+                .leftJoin(
+                    resourcePolicyPincode,
+                    eq(
+                        resourcePolicyPincode.resourcePolicyId,
+                        resourcePolicies.resourcePolicyId
+                    )
+                )
+                .leftJoin(
+                    resourcePolicyPassword,
+                    eq(
+                        resourcePolicyPassword.resourcePolicyId,
+                        resourcePolicies.resourcePolicyId
+                    )
+                )
+                .leftJoin(
+                    resourcePolicyHeaderAuth,
+                    eq(
+                        resourcePolicyHeaderAuth.resourcePolicyId,
+                        resourcePolicies.resourcePolicyId
+                    )
+                )
+                .where(whereClause)
+                .limit(1);
+
         const [result] =
             isGuidInteger && build === "saas"
-                ? await db
-                      .select()
-                      .from(resources)
-                      .leftJoin(
-                          resourcePincode,
-                          eq(resourcePincode.resourceId, resources.resourceId)
-                      )
-                      .leftJoin(
-                          resourcePassword,
-                          eq(resourcePassword.resourceId, resources.resourceId)
-                      )
-
-                      .leftJoin(
-                          resourceHeaderAuth,
-                          eq(
-                              resourceHeaderAuth.resourceId,
-                              resources.resourceId
-                          )
-                      )
-                      .leftJoin(
-                          resourceHeaderAuthExtendedCompatibility,
-                          eq(
-                              resourceHeaderAuthExtendedCompatibility.resourceId,
-                              resources.resourceId
-                          )
-                      )
-                      .where(eq(resources.resourceId, Number(resourceGuid)))
-                      .limit(1)
-                : await db
-                      .select()
-                      .from(resources)
-                      .leftJoin(
-                          resourcePincode,
-                          eq(resourcePincode.resourceId, resources.resourceId)
-                      )
-                      .leftJoin(
-                          resourcePassword,
-                          eq(resourcePassword.resourceId, resources.resourceId)
-                      )
-
-                      .leftJoin(
-                          resourceHeaderAuth,
-                          eq(
-                              resourceHeaderAuth.resourceId,
-                              resources.resourceId
-                          )
-                      )
-                      .leftJoin(
-                          resourceHeaderAuthExtendedCompatibility,
-                          eq(
-                              resourceHeaderAuthExtendedCompatibility.resourceId,
-                              resources.resourceId
-                          )
-                      )
-                      .where(eq(resources.resourceGuid, resourceGuid))
-                      .limit(1);
+                ? await buildQuery(
+                      eq(resources.resourceId, Number(resourceGuid))
+                  )
+                : await buildQuery(eq(resources.resourceGuid, resourceGuid));
 
         const resource = result?.resources;
         if (!resource) {
@@ -126,11 +115,10 @@ export async function getResourceAuthInfo(
             );
         }
 
-        const pincode = result?.resourcePincode;
-        const password = result?.resourcePassword;
-        const headerAuth = result?.resourceHeaderAuth;
-        const headerAuthExtendedCompatibility =
-            result?.resourceHeaderAuthExtendedCompatibility;
+        const policy = result?.resourcePolicies;
+        const pincode = result?.resourcePolicyPincode;
+        const password = result?.resourcePolicyPassword;
+        const headerAuth = result?.resourcePolicyHeaderAuth;
 
         const url = resource.fullDomain
             ? `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`
@@ -146,13 +134,13 @@ export async function getResourceAuthInfo(
                 pincode: pincode !== null,
                 headerAuth: headerAuth !== null,
                 headerAuthExtendedCompatibility:
-                    headerAuthExtendedCompatibility !== null,
-                sso: resource.sso,
+                    headerAuth?.extendedCompatibility ?? false,
+                sso: policy?.sso ?? false,
                 blockAccess: resource.blockAccess,
                 url: url ?? "",
                 wildcard: resource.wildcard ?? false,
                 fullDomain: resource.fullDomain,
-                whitelist: resource.emailWhitelistEnabled,
+                whitelist: policy?.emailWhitelistEnabled ?? false,
                 skipToIdpId: resource.skipToIdpId,
                 orgId: resource.orgId,
                 postAuthPath: resource.postAuthPath ?? null

server/routers/resource/getResourcePolicies.ts

@@ -0,0 +1,109 @@
+import { db, resources } from "@server/db";
+import {
+    queryResourcePolicy,
+    type GetResourcePolicyResponse
+} from "@server/routers/policy/getResourcePolicy";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { eq } from "drizzle-orm";
+import type { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import z from "zod";
+import { fromError } from "zod-validation-error";
+
+const getResourcePoliciesParamsSchema = z.strictObject({
+    resourceId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+export type GetResourcePoliciesResponse = {
+    defaultPolicy: GetResourcePolicyResponse;
+    sharedPolicy: GetResourcePolicyResponse | null;
+};
+
+registry.registerPath({
+    method: "get",
+    path: "/resource/{resourceId}/policies",
+    description: "Get the inline and shared policies associated with a resource.",
+    tags: [OpenAPITags.PublicResource, OpenAPITags.Policy],
+    request: {
+        params: getResourcePoliciesParamsSchema
+    },
+    responses: {}
+});
+
+export async function getResourcePolicies(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = getResourcePoliciesParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { resourceId } = parsedParams.data;
+
+        const [resource] = await db
+            .select({
+                defaultResourcePolicyId: resources.defaultResourcePolicyId,
+                resourcePolicyId: resources.resourcePolicyId
+            })
+            .from(resources)
+            .where(eq(resources.resourceId, resourceId))
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Resource not found")
+            );
+        }
+
+        if (!resource.defaultResourcePolicyId) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Resource has no default policy"
+                )
+            );
+        }
+
+        const [defaultPolicy, sharedPolicy] = await Promise.all([
+            queryResourcePolicy({
+                resourcePolicyId: resource.defaultResourcePolicyId
+            }),
+            resource.resourcePolicyId
+                ? queryResourcePolicy({
+                      resourcePolicyId: resource.resourcePolicyId
+                  })
+                : null
+        ]);
+
+        return response<GetResourcePoliciesResponse>(res, {
+            data: {
+                defaultPolicy:
+                    // the policy will always be non nullable
+                    defaultPolicy as unknown as GetResourcePolicyResponse,
+                sharedPolicy
+            },
+            success: true,
+            error: false,
+            message: "Resource policies retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/resource/index.ts

@@ -33,3 +33,4 @@ export * from "./removeUserFromResource";
 export * from "./listAllResourceNames";
 export * from "./removeEmailFromResourceWhitelist";
 export * from "./getStatusHistory";
+export * from "./getResourcePolicies";

server/routers/resource/listResources.ts

@@ -1,9 +1,9 @@
 import {
     db,
-    resourceHeaderAuth,
-    resourceHeaderAuthExtendedCompatibility,
-    resourcePassword,
-    resourcePincode,
+    resourcePolicies,
+    resourcePolicyHeaderAuth,
+    resourcePolicyPassword,
+    resourcePolicyPincode,
     resources,
     roleResources,
     sites,
@@ -163,10 +163,10 @@ function queryResourcesBase() {
             name: resources.name,
             ssl: resources.ssl,
             fullDomain: resources.fullDomain,
-            passwordId: resourcePassword.passwordId,
-            sso: resources.sso,
-            pincodeId: resourcePincode.pincodeId,
-            whitelist: resources.emailWhitelistEnabled,
+            passwordId: resourcePolicyPassword.passwordId,
+            sso: resourcePolicies.sso,
+            pincodeId: resourcePolicyPincode.pincodeId,
+            whitelist: resourcePolicies.emailWhitelistEnabled,
             http: resources.http,
             protocol: resources.protocol,
             proxyPort: resources.proxyPort,
@@ -174,29 +174,45 @@ function queryResourcesBase() {
             domainId: resources.domainId,
             niceId: resources.niceId,
             wildcard: resources.wildcard,
-            headerAuthId: resourceHeaderAuth.headerAuthId,
-            headerAuthExtendedCompatibilityId:
-                resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
-            health: resources.health
+            health: resources.health,
+            headerAuthId: resourcePolicyHeaderAuth.headerAuthId,
+            headerAuthExtendedCompatibility:
+                resourcePolicyHeaderAuth.extendedCompatibility
         })
         .from(resources)
         .leftJoin(
-            resourcePassword,
-            eq(resourcePassword.resourceId, resources.resourceId)
+            resourcePolicies,
+            or(
+                eq(
+                    resourcePolicies.resourcePolicyId,
+                    resources.resourcePolicyId
+                ),
+                eq(
+                    resourcePolicies.resourcePolicyId,
+                    resources.defaultResourcePolicyId
+                )
+            )
         )
+
         .leftJoin(
-            resourcePincode,
-            eq(resourcePincode.resourceId, resources.resourceId)
-        )
-        .leftJoin(
-            resourceHeaderAuth,
-            eq(resourceHeaderAuth.resourceId, resources.resourceId)
-        )
-        .leftJoin(
-            resourceHeaderAuthExtendedCompatibility,
+            resourcePolicyPassword,
             eq(
-                resourceHeaderAuthExtendedCompatibility.resourceId,
-                resources.resourceId
+                resourcePolicyPassword.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            resourcePolicyPincode,
+            eq(
+                resourcePolicyPincode.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            resourcePolicyHeaderAuth,
+            eq(
+                resourcePolicyHeaderAuth.resourcePolicyId,
+                resourcePolicies.resourcePolicyId
             )
         )
         .leftJoin(targets, eq(targets.resourceId, resources.resourceId))
@@ -206,10 +222,10 @@ function queryResourcesBase() {
         )
         .groupBy(
             resources.resourceId,
-            resourcePassword.passwordId,
-            resourcePincode.pincodeId,
-            resourceHeaderAuth.headerAuthId,
-            resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId
+            resourcePolicies.resourcePolicyId,
+            resourcePolicyPassword.passwordId,
+            resourcePolicyPincode.pincodeId,
+            resourcePolicyHeaderAuth.headerAuthId
         );
 }
 
@@ -355,21 +371,21 @@ export async function listResources(
                 case "protected":
                     conditions.push(
                         or(
-                            eq(resources.sso, true),
-                            eq(resources.emailWhitelistEnabled, true),
-                            not(isNull(resourceHeaderAuth.headerAuthId)),
-                            not(isNull(resourcePincode.pincodeId)),
-                            not(isNull(resourcePassword.passwordId))
+                            eq(resourcePolicies.sso, true),
+                            eq(resourcePolicies.emailWhitelistEnabled, true),
+                            not(isNull(resourcePolicyHeaderAuth.headerAuthId)),
+                            not(isNull(resourcePolicyPincode.pincodeId)),
+                            not(isNull(resourcePolicyPassword.passwordId))
                         )
                     );
                     break;
                 case "not_protected":
                     conditions.push(
-                        not(eq(resources.sso, true)),
-                        not(eq(resources.emailWhitelistEnabled, true)),
-                        isNull(resourceHeaderAuth.headerAuthId),
-                        isNull(resourcePincode.pincodeId),
-                        isNull(resourcePassword.passwordId)
+                        not(eq(resourcePolicies.sso, true)),
+                        not(eq(resourcePolicies.emailWhitelistEnabled, true)),
+                        isNull(resourcePolicyHeaderAuth.headerAuthId),
+                        isNull(resourcePolicyPincode.pincodeId),
+                        isNull(resourcePolicyPassword.passwordId)
                     );
                     break;
             }
@@ -446,9 +462,9 @@ export async function listResources(
                     ssl: row.ssl,
                     fullDomain: row.fullDomain,
                     passwordId: row.passwordId,
-                    sso: row.sso,
+                    sso: row.sso ?? false,
                     pincodeId: row.pincodeId,
-                    whitelist: row.whitelist,
+                    whitelist: row.whitelist ?? false,
                     http: row.http,
                     protocol: row.protocol,
                     proxyPort: row.proxyPort,

server/routers/resource/types.ts

@@ -1,3 +1,6 @@
+import type { Resource, ResourcePolicy } from "@server/db";
+import type { PaginatedResponse } from "@server/types/Pagination";
+
 export type GetMaintenanceInfoResponse = {
     resourceId: number;
     name: string;
@@ -8,3 +11,19 @@ export type GetMaintenanceInfoResponse = {
     maintenanceMessage: string | null;
     maintenanceEstimatedTime: string | null;
 };
+
+export type AttachedResource = Pick<
+    Resource,
+    "resourceId" | "name" | "fullDomain"
+>;
+
+export type ResourcePolicyWithResources = Pick<
+    ResourcePolicy,
+    "resourcePolicyId" | "niceId" | "name" | "orgId"
+> & {
+    resources: Array<AttachedResource>;
+};
+
+export type ListResourcePoliciesResponse = PaginatedResponse<{
+    policies: Array<ResourcePolicyWithResources>;
+}>;

server/routers/resource/updateResource.ts

@@ -1,12 +1,23 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, domainNamespaces, loginPage } from "@server/db";
+import {
+    db,
+    domainNamespaces,
+    loginPage,
+    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
+    resourcePassword,
+    resourcePincode,
+    resourceRules,
+    resourceWhitelist
+} from "@server/db";
 import {
     domains,
     Org,
     orgDomains,
     orgs,
     Resource,
+    resourcePolicies,
     resources
 } from "@server/db";
 import { eq, and, ne } from "drizzle-orm";
@@ -24,7 +35,10 @@ import {
 import { registry } from "@server/openApi";
 import { OpenAPITags } from "@server/openApi";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
-import { validateAndConstructDomain, checkWildcardDomainConflict } from "@server/lib/domainUtils";
+import {
+    validateAndConstructDomain,
+    checkWildcardDomainConflict
+} from "@server/lib/domainUtils";
 import { build } from "@server/build";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
@@ -68,7 +82,8 @@ const updateHttpResourceBodySchema = z
         maintenanceTitle: z.string().max(255).nullable().optional(),
         maintenanceMessage: z.string().max(2000).nullable().optional(),
         maintenanceEstimatedTime: z.string().max(100).nullable().optional(),
-        postAuthPath: z.string().nullable().optional()
+        postAuthPath: z.string().nullable().optional(),
+        resourcePolicyId: z.number().nullable().optional()
     })
     .refine((data) => Object.keys(data).length > 0, {
         error: "At least one field must be provided for update"
@@ -165,7 +180,8 @@ const updateRawResourceBodySchema = z
         stickySession: z.boolean().optional(),
         enabled: z.boolean().optional(),
         proxyProtocol: z.boolean().optional(),
-        proxyProtocolVersion: z.int().min(1).optional()
+        proxyProtocolVersion: z.int().min(1).optional(),
+        resourcePolicyId: z.number().nullable().optional()
     })
     .refine((data) => Object.keys(data).length > 0, {
         error: "At least one field must be provided for update"
@@ -301,6 +317,42 @@ async function updateHttpResource(
 
     const updateData = parsedBody.data;
 
+    const isLicensed = await isLicensedOrSubscribed(
+        resource.orgId,
+        tierMatrix.wildcardSubdomain
+    );
+
+    if (updateData.resourcePolicyId != null) {
+        if (!isLicensed) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Resource policies are not supported on your current plan. Please upgrade to access this feature."
+                )
+            );
+        }
+
+        const [existingPolicy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(
+                eq(
+                    resourcePolicies.resourcePolicyId,
+                    updateData.resourcePolicyId
+                )
+            )
+            .limit(1);
+
+        if (!existingPolicy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${updateData.resourcePolicyId} not found`
+                )
+            );
+        }
+    }
+
     if (updateData.niceId) {
         const [existingResource] = await db
             .select()
@@ -326,10 +378,6 @@ async function updateHttpResource(
 
     // Wildcard subdomains are a paid feature
     if (updateData.subdomain && updateData.subdomain.includes("*")) {
-        const isLicensed = await isLicensedOrSubscribed(
-            resource.orgId,
-            tierMatrix.wildcardSubdomain
-        );
         if (!isLicensed) {
             return next(
                 createHttpError(
@@ -474,10 +522,6 @@ async function updateHttpResource(
         headers = null;
     }
 
-    const isLicensed = await isLicensedOrSubscribed(
-        resource.orgId,
-        tierMatrix.maintencePage
-    );
     if (!isLicensed) {
         updateData.maintenanceModeEnabled = undefined;
         updateData.maintenanceModeType = undefined;
@@ -535,38 +579,122 @@ async function updateRawResource(
     }
 
     const updateData = parsedBody.data;
+    let updatedResource: Resource | null = null;
 
-    if (updateData.niceId) {
-        const [existingResource] = await db
-            .select()
-            .from(resources)
-            .where(
-                and(
-                    eq(resources.niceId, updateData.niceId),
-                    eq(resources.orgId, resource.orgId)
-                )
-            );
-
-        if (
-            existingResource &&
-            existingResource.resourceId !== resource.resourceId
-        ) {
-            return next(
-                createHttpError(
-                    HttpCode.CONFLICT,
-                    `A resource with niceId "${updateData.niceId}" already exists`
-                )
-            );
-        }
-    }
-
-    const updatedResource = await db
-        .update(resources)
-        .set(updateData)
+    const [existingResource] = await db
+        .select()
+        .from(resources)
         .where(eq(resources.resourceId, resource.resourceId))
-        .returning();
+        .limit(1);
 
-    if (updatedResource.length === 0) {
+    await db.transaction(async (trx) => {
+        if (updateData.resourcePolicyId != null) {
+            const [existingPolicy] = await trx
+                .select()
+                .from(resourcePolicies)
+                .where(
+                    eq(
+                        resourcePolicies.resourcePolicyId,
+                        updateData.resourcePolicyId
+                    )
+                )
+                .limit(1);
+
+            if (!existingPolicy) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Resource policy with ID ${updateData.resourcePolicyId} not found`
+                    )
+                );
+            }
+        } else {
+            // we are in an inline policy and we need to clear out the old tables
+            await Promise.all([
+                trx
+                    .delete(resourcePassword)
+                    .where(
+                        eq(
+                            resourcePassword.resourceId,
+                            existingResource.resourceId
+                        )
+                    ),
+                trx
+                    .delete(resourcePincode)
+                    .where(
+                        eq(
+                            resourcePincode.resourceId,
+                            existingResource.resourceId
+                        )
+                    ),
+                trx
+                    .delete(resourceHeaderAuth)
+                    .where(
+                        eq(
+                            resourceHeaderAuth.resourceId,
+                            existingResource.resourceId
+                        )
+                    ),
+                trx
+                    .delete(resourceHeaderAuthExtendedCompatibility)
+                    .where(
+                        eq(
+                            resourceHeaderAuthExtendedCompatibility.resourceId,
+                            existingResource.resourceId
+                        )
+                    ),
+                trx
+                    .delete(resourceWhitelist)
+                    .where(
+                        eq(
+                            resourceWhitelist.resourceId,
+                            existingResource.resourceId
+                        )
+                    ),
+
+                trx
+                    .delete(resourceRules)
+                    .where(
+                        eq(
+                            resourceRules.resourceId,
+                            existingResource.resourceId
+                        )
+                    )
+            ]);
+        }
+
+        if (updateData.niceId) {
+            const [existingResourceConflict] = await trx
+                .select()
+                .from(resources)
+                .where(
+                    and(
+                        eq(resources.niceId, updateData.niceId),
+                        eq(resources.orgId, resource.orgId)
+                    )
+                );
+
+            if (
+                existingResourceConflict &&
+                existingResourceConflict.resourceId !== resource.resourceId
+            ) {
+                return next(
+                    createHttpError(
+                        HttpCode.CONFLICT,
+                        `A resource with niceId "${updateData.niceId}" already exists`
+                    )
+                );
+            }
+        }
+
+        [updatedResource] = await trx
+            .update(resources)
+            .set(updateData)
+            .where(eq(resources.resourceId, resource.resourceId))
+            .returning();
+    });
+
+    if (!updatedResource) {
         return next(
             createHttpError(
                 HttpCode.NOT_FOUND,
@@ -576,7 +704,7 @@ async function updateRawResource(
     }
 
     return response(res, {
-        data: updatedResource[0],
+        data: updatedResource,
         success: true,
         error: false,
         message: "Non-http Resource updated successfully",

server/routers/site/listSites.ts

@@ -135,7 +135,7 @@ const listSitesSchema = z.object({
     page: z.coerce
         .number<string>() // for prettier formatting
         .int()
-        .min(0)
+        .positive()
         .optional()
         .catch(1)
         .default(1)

server/routers/user/getOrgUser.ts

@@ -47,10 +47,7 @@ export async function queryUser(orgId: string, userId: string) {
         .from(userOrgRoles)
         .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
         .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
+            and(eq(userOrgRoles.userId, userId), eq(userOrgRoles.orgId, orgId))
         );
 
     const isAdmin = roleRows.some((r) => r.isAdmin);
@@ -146,7 +143,7 @@ export async function getOrgUser(
                 return next(
                     createHttpError(
                         HttpCode.FORBIDDEN,
-                        "User does not have permission perform this action"
+                        "User does not have permission to get organization user details"
                     )
                 );
             }

server/routers/ws/ws.ts

@@ -3,7 +3,15 @@ import zlib from "zlib";
 import { Server as HttpServer } from "http";
 import { WebSocket, WebSocketServer } from "ws";
 import { Socket } from "net";
-import { Newt, newts, NewtSession, olms, Olm, OlmSession, sites } from "@server/db";
+import {
+    Newt,
+    newts,
+    NewtSession,
+    olms,
+    Olm,
+    OlmSession,
+    sites
+} from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
 import { recordPing } from "@server/routers/newt/pingAccumulator";
@@ -80,6 +88,9 @@ const removeClient = async (
     const updatedClients = existingClients.filter((client) => client !== ws);
     if (updatedClients.length === 0) {
         connectedClients.delete(mapKey);
+        // Remove clientId from clientConfigVersions — prevents unbounded growth
+        // from stale entries.
+        clientConfigVersions.delete(clientId);
 
         logger.info(
             `All connections removed for ${clientType.toUpperCase()} ID: ${clientId}`
@@ -218,9 +229,13 @@ const hasActiveConnections = async (clientId: string): Promise<boolean> => {
 };
 
 // Get the current config version for a client
-const getClientConfigVersion = async (clientId: string): Promise<number | undefined> => {
+const getClientConfigVersion = async (
+    clientId: string
+): Promise<number | undefined> => {
     const version = clientConfigVersions.get(clientId);
-    logger.debug(`getClientConfigVersion called for clientId: ${clientId}, returning: ${version} (type: ${typeof version})`);
+    logger.debug(
+        `getClientConfigVersion called for clientId: ${clientId}, returning: ${version} (type: ${typeof version})`
+    );
     return version;
 };
 
@@ -507,6 +522,11 @@ const disconnectClient = async (clientId: string): Promise<boolean> => {
         }
     });
 
+    // Eagerly remove client — close event may not fire if socket already
+    // CLOSING, leaving zombie entries.
+    connectedClients.delete(mapKey);
+    clientConfigVersions.delete(clientId);
+
     return true;
 };
 

src/app/[orgId]/settings/(private)/idp/[idpId]/general/page.tsx

@@ -175,26 +175,6 @@ export default function GeneralPage() {
     }, [variant]);
 
     useEffect(() => {
-        async function fetchRoles() {
-            const res = await api
-                .get<AxiosResponse<ListRolesResponse>>(`/org/${orgId}/roles`)
-                .catch((e) => {
-                    console.error(e);
-                    toast({
-                        variant: "destructive",
-                        title: t("accessRoleErrorFetch"),
-                        description: formatAxiosError(
-                            e,
-                            t("accessRoleErrorFetchDescription")
-                        )
-                    });
-                });
-
-            if (res?.status === 200) {
-                setRoles(res.data.data.roles);
-            }
-        }
-
         const loadIdp = async (
             availableRoles: { roleId: number; name: string }[]
         ) => {

src/app/[orgId]/settings/(private)/policies/layout.tsx

@@ -0,0 +1,23 @@
+import { getCachedOrg } from "@app/lib/api/getCachedOrg";
+import OrgProvider from "@app/providers/OrgProvider";
+import type { GetOrgResponse } from "@server/routers/org";
+import { redirect } from "next/navigation";
+
+export interface PolicyLayoutPageProps {
+    params: Promise<{ orgId: string }>;
+    children: React.ReactNode;
+}
+
+export default async function PolicyLayoutPage(props: PolicyLayoutPageProps) {
+    const params = await props.params;
+
+    let org: GetOrgResponse | null = null;
+    try {
+        const res = await getCachedOrg(params.orgId);
+        org = res.data.data;
+    } catch {
+        redirect(`/${params.orgId}/settings`);
+    }
+
+    return <OrgProvider org={org}>{props.children}</OrgProvider>;
+}

src/app/[orgId]/settings/(private)/policies/resource/[niceId]/page.tsx

@@ -0,0 +1,60 @@
+import { EditPolicyForm } from "@app/components/resource-policy/EditPolicyForm";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import { Button } from "@app/components/ui/button";
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { ResourcePolicyProvider } from "@app/providers/ResourcePolicyProvider";
+import type { GetResourcePolicyResponse } from "@server/routers/policy";
+import type { AxiosResponse } from "axios";
+import { getTranslations } from "next-intl/server";
+import Link from "next/link";
+import { redirect } from "next/navigation";
+
+export interface EditPolicyPageProps {
+    params: Promise<{ niceId: string; orgId: string }>;
+}
+
+export default async function EditPolicyPage(props: EditPolicyPageProps) {
+    const params = await props.params;
+    const t = await getTranslations();
+
+    let policyResponse: GetResourcePolicyResponse | null = null;
+    try {
+        const res = await internal.get<
+            AxiosResponse<GetResourcePolicyResponse>
+        >(
+            `/org/${params.orgId}/resource-policy/${params.niceId}`,
+            await authCookieHeader()
+        );
+        policyResponse = res.data.data;
+    } catch {
+        redirect(`/${params.orgId}/settings/policies/resource`);
+    }
+
+    if (!policyResponse) {
+        redirect(`/${params.orgId}/settings/policies/resource`);
+    }
+
+    return (
+        <>
+            <div className="flex justify-between">
+                <SettingsSectionTitle
+                    title={t("resourcePolicySetting", {
+                        policyName: policyResponse.name
+                    })}
+                    description={t("resourcePolicySettingDescription")}
+                />
+
+                <Button asChild variant="outline">
+                    <Link href={`/${params.orgId}/settings/policies/resource`}>
+                        {t("resourcePoliciesSeeAll")}
+                    </Link>
+                </Button>
+            </div>
+
+            <ResourcePolicyProvider policy={policyResponse}>
+                <EditPolicyForm />
+            </ResourcePolicyProvider>
+        </>
+    );
+}

src/app/[orgId]/settings/(private)/policies/resource/create/page.tsx

@@ -0,0 +1,35 @@
+import { CreatePolicyForm } from "@app/components/resource-policy/CreatePolicyForm";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import { Button } from "@app/components/ui/button";
+import { getTranslations } from "next-intl/server";
+import Link from "next/link";
+
+export interface CreateResourcePolicyPageProps {
+    params: Promise<{ orgId: string }>;
+}
+
+export default async function CreateResourcePolicyPage(
+    props: CreateResourcePolicyPageProps
+) {
+    const params = await props.params;
+    const t = await getTranslations();
+
+    return (
+        <>
+            <div className="flex justify-between">
+                <SettingsSectionTitle
+                    title={t("resourcePoliciesCreate")}
+                    description={t("resourcePoliciesCreateDescription")}
+                />
+
+                <Button asChild variant="outline">
+                    <Link href={`/${params.orgId}/settings/policies/resource`}>
+                        {t("resourcePoliciesSeeAll")}
+                    </Link>
+                </Button>
+            </div>
+
+            <CreatePolicyForm />
+        </>
+    );
+}

src/app/[orgId]/settings/(private)/policies/resource/page.tsx

@@ -0,0 +1,68 @@
+import { ResourcePoliciesTable } from "@app/components/ResourcePoliciesTable";
+import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { getCachedOrg } from "@app/lib/api/getCachedOrg";
+import type { GetOrgResponse } from "@server/routers/org";
+import type { ListResourcePoliciesResponse } from "@server/routers/resource/types";
+import type { AxiosResponse } from "axios";
+import { getTranslations } from "next-intl/server";
+import { redirect } from "next/navigation";
+
+export interface ResourcePoliciesPageProps {
+    params: Promise<{ orgId: string }>;
+    searchParams: Promise<Record<string, string>>;
+}
+
+export default async function ResourcePoliciesPage(
+    props: ResourcePoliciesPageProps
+) {
+    const params = await props.params;
+    const t = await getTranslations();
+    const searchParams = new URLSearchParams(await props.searchParams);
+
+    let org: GetOrgResponse | null = null;
+    try {
+        const res = await getCachedOrg(params.orgId);
+        org = res.data.data;
+    } catch {
+        redirect(`/${params.orgId}/settings/resources`);
+    }
+
+    let policies: ListResourcePoliciesResponse["policies"] = [];
+    let pagination: ListResourcePoliciesResponse["pagination"] = {
+        total: 0,
+        page: 1,
+        pageSize: 20
+    };
+    try {
+        const res = await internal.get<
+            AxiosResponse<ListResourcePoliciesResponse>
+        >(
+            `/org/${params.orgId}/resource-policies?${searchParams.toString()}`,
+            await authCookieHeader()
+        );
+        const responseData = res.data.data;
+        policies = responseData.policies;
+        pagination = responseData.pagination;
+    } catch (e) {}
+
+    return (
+        <>
+            <SettingsSectionTitle
+                title={t("resourcePoliciesTitle")}
+                description={t("resourcePoliciesDescription")}
+            />
+
+            <ResourcePoliciesTable
+                policies={policies}
+                orgId={params.orgId}
+                rowCount={pagination.total}
+                pagination={{
+                    pageIndex: pagination.page - 1,
+                    pageSize: pagination.pageSize
+                }}
+            />
+        </>
+    );
+}

src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx

@@ -1,44 +1,40 @@
 "use client";
 
+import IdpTypeBadge from "@app/components/IdpTypeBadge";
+import OrgRolesTagField from "@app/components/OrgRolesTagField";
+import {
+    SettingsContainer,
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionFooter,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+import { Button } from "@app/components/ui/button";
+import { Checkbox } from "@app/components/ui/checkbox";
 import {
     Form,
     FormControl,
     FormField,
     FormItem,
-    FormLabel,
-    FormMessage
+    FormLabel
 } from "@app/components/ui/form";
-import { Checkbox } from "@app/components/ui/checkbox";
-import OrgRolesTagField from "@app/components/OrgRolesTagField";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { userOrgUserContext } from "@app/hooks/useOrgUserContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { AxiosResponse } from "axios";
-import { useEffect, useState } from "react";
+import { build } from "@server/build";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { UserType } from "@server/types/UserTypes";
+import { useTranslations } from "next-intl";
+import { useParams } from "next/navigation";
+import { useActionState, useEffect } from "react";
 import { useForm } from "react-hook-form";
 import { z } from "zod";
-import { ListRolesResponse } from "@server/routers/role";
-import { userOrgUserContext } from "@app/hooks/useOrgUserContext";
-import { useParams } from "next/navigation";
-import { Button } from "@app/components/ui/button";
-import {
-    SettingsContainer,
-    SettingsSection,
-    SettingsSectionHeader,
-    SettingsSectionTitle,
-    SettingsSectionDescription,
-    SettingsSectionBody,
-    SettingsSectionForm,
-    SettingsSectionFooter
-} from "@app/components/Settings";
-import { formatAxiosError } from "@app/lib/api";
-import { createApiClient } from "@app/lib/api";
-import { useEnvContext } from "@app/hooks/useEnvContext";
-import { useTranslations } from "next-intl";
-import IdpTypeBadge from "@app/components/IdpTypeBadge";
-import { UserType } from "@server/types/UserTypes";
-import { usePaidStatus } from "@app/hooks/usePaidStatus";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { build } from "@server/build";
 
 const accessControlsFormSchema = z.object({
     username: z.string(),
@@ -59,12 +55,6 @@ export default function AccessControlsPage() {
 
     const { orgId } = useParams();
 
-    const [loading, setLoading] = useState(false);
-    const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [activeRoleTagIndex, setActiveRoleTagIndex] = useState<number | null>(
-        null
-    );
-
     const t = useTranslations();
     const { isPaidUser } = usePaidStatus();
     const isPaid = isPaidUser(tierMatrix.fullRbac);
@@ -97,44 +87,21 @@ export default function AccessControlsPage() {
                 text: r.name
             }))
         );
-    }, [user.userId, currentRoleIds.join(",")]);
-
-    useEffect(() => {
-        async function fetchRoles() {
-            const res = await api
-                .get<AxiosResponse<ListRolesResponse>>(`/org/${orgId}/roles`)
-                .catch((e) => {
-                    console.error(e);
-                    toast({
-                        variant: "destructive",
-                        title: t("accessRoleErrorFetch"),
-                        description: formatAxiosError(
-                            e,
-                            t("accessRoleErrorFetchDescription")
-                        )
-                    });
-                });
-
-            if (res?.status === 200) {
-                setRoles(res.data.data.roles);
-            }
-        }
-
-        fetchRoles();
         form.setValue("autoProvisioned", user.autoProvisioned || false);
-    }, []);
-
-    const allRoleOptions = roles.map((role) => ({
-        id: role.roleId.toString(),
-        text: role.name
-    }));
+    }, [user.userId, user.autoProvisioned, currentRoleIds.join(",")]);
 
     const paywallMessage =
         build === "saas"
             ? t("singleRolePerUserPlanNotice")
             : t("singleRolePerUserEditionNotice");
 
-    async function onSubmit(values: z.infer<typeof accessControlsFormSchema>) {
+    const [, action, isSubmitting] = useActionState(onSubmit, null);
+    async function onSubmit() {
+        const isValid = await form.trigger();
+        if (!isValid) return;
+
+        const values = form.getValues();
+
         if (values.roles.length === 0) {
             toast({
                 variant: "destructive",
@@ -144,7 +111,6 @@ export default function AccessControlsPage() {
             return;
         }
 
-        setLoading(true);
         try {
             const roleIds = values.roles.map((r) => parseInt(r.id, 10));
             const updateRoleRequest = supportsMultipleRolesPerUser
@@ -184,7 +150,6 @@ export default function AccessControlsPage() {
                 )
             });
         }
-        setLoading(false);
     }
 
     return (
@@ -203,7 +168,7 @@ export default function AccessControlsPage() {
                     <SettingsSectionForm>
                         <Form {...form}>
                             <form
-                                onSubmit={form.handleSubmit(onSubmit)}
+                                action={action}
                                 className="space-y-4"
                                 id="access-controls-form"
                             >
@@ -226,9 +191,7 @@ export default function AccessControlsPage() {
                                 <OrgRolesTagField
                                     form={form}
                                     name="roles"
-                                    label={t("roles")}
-                                    placeholder={t("accessRoleSelect2")}
-                                    allRoleOptions={allRoleOptions}
+                                    orgId={orgId as string}
                                     supportsMultipleRolesPerUser={
                                         supportsMultipleRolesPerUser
                                     }
@@ -236,9 +199,6 @@ export default function AccessControlsPage() {
                                         showMultiRolePaywallMessage
                                     }
                                     paywallMessage={paywallMessage}
-                                    loading={loading}
-                                    activeTagIndex={activeRoleTagIndex}
-                                    setActiveTagIndex={setActiveRoleTagIndex}
                                 />
 
                                 {user.idpAutoProvision && (
@@ -277,8 +237,8 @@ export default function AccessControlsPage() {
                 <SettingsSectionFooter>
                     <Button
                         type="submit"
-                        loading={loading}
-                        disabled={loading}
+                        loading={isSubmitting}
+                        disabled={isSubmitting}
                         form="access-controls-form"
                     >
                         {t("accessControlsSubmit")}

src/app/[orgId]/settings/access/users/create/page.tsx

@@ -13,7 +13,7 @@ import { StrategyOption, StrategySelect } from "@app/components/StrategySelect";
 import HeaderTitle from "@app/components/SettingsSectionTitle";
 import { Button } from "@app/components/ui/button";
 import { useParams, useRouter } from "next/navigation";
-import { useState } from "react";
+import { useActionState, useState } from "react";
 import {
     Form,
     FormControl,
@@ -91,7 +91,7 @@ export default function Page() {
         "internal"
     );
     const [inviteLink, setInviteLink] = useState<string | null>(null);
-    const [loading, setLoading] = useState(false);
+
     const [expiresInDays, setExpiresInDays] = useState(1);
     const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
     const [idps, setIdps] = useState<IdpOption[]>([]);
@@ -311,10 +311,29 @@ export default function Page() {
         setUserOptions(options);
     }, [idps, t]);
 
-    async function onSubmitInternal(
-        values: z.infer<typeof internalFormSchema>
-    ) {
-        setLoading(true);
+    const [, submitInternalAction, isSubmittingInternal] = useActionState(
+        onSubmitInternal,
+        null
+    );
+    const [, submitGoogleAzureAction, isSubmittingGoogleAzure] = useActionState(
+        onSubmitGoogleAzure,
+        null
+    );
+    const [, submitGenericOidcAction, isSubmittingGenericOidc] = useActionState(
+        onSubmitGenericOidc,
+        null
+    );
+
+    const loading =
+        isSubmittingInternal ||
+        isSubmittingGoogleAzure ||
+        isSubmittingGenericOidc;
+
+    async function onSubmitInternal() {
+        const isValid = await internalForm.trigger();
+        if (!isValid) return;
+
+        const values = internalForm.getValues();
 
         const roleIds = values.roles.map((r) => parseInt(r.id, 10));
 
@@ -357,25 +376,24 @@ export default function Page() {
 
             setExpiresInDays(parseInt(values.validForHours) / 24);
         }
-
-        setLoading(false);
     }
 
-    async function onSubmitGoogleAzure(
-        values: z.infer<typeof googleAzureFormSchema>
-    ) {
+    async function onSubmitGoogleAzure() {
+        const isValid = await googleAzureForm.trigger();
+        if (!isValid) return;
+
+        const values = googleAzureForm.getValues();
+
         const selectedUserOption = userOptions.find(
             (opt) => opt.id === selectedOption
         );
         if (!selectedUserOption?.idpId) return;
 
-        setLoading(true);
-
         const roleIds = values.roles.map((r) => parseInt(r.id, 10));
 
         const res = await api
             .put(`/org/${orgId}/user`, {
-                username: values.email, // Use email as username for Google/Azure
+                username: values.email,
                 email: values.email || undefined,
                 name: values.name,
                 type: "oidc",
@@ -401,20 +419,19 @@ export default function Page() {
             });
             router.push(`/${orgId}/settings/access/users`);
         }
-
-        setLoading(false);
     }
 
-    async function onSubmitGenericOidc(
-        values: z.infer<typeof genericOidcFormSchema>
-    ) {
+    async function onSubmitGenericOidc() {
+        const isValid = await genericOidcForm.trigger();
+        if (!isValid) return;
+
+        const values = genericOidcForm.getValues();
+
         const selectedUserOption = userOptions.find(
             (opt) => opt.id === selectedOption
         );
         if (!selectedUserOption?.idpId) return;
 
-        setLoading(true);
-
         const roleIds = values.roles.map((r) => parseInt(r.id, 10));
 
         const res = await api
@@ -445,8 +462,6 @@ export default function Page() {
             });
             router.push(`/${orgId}/settings/access/users`);
         }
-
-        setLoading(false);
     }
 
     return (
@@ -513,9 +528,9 @@ export default function Page() {
                                         <SettingsSectionForm>
                                             <Form {...internalForm}>
                                                 <form
-                                                    onSubmit={internalForm.handleSubmit(
-                                                        onSubmitInternal
-                                                    )}
+                                                    action={
+                                                        submitInternalAction
+                                                    }
                                                     className="space-y-4"
                                                     id="create-user-form"
                                                 >
@@ -595,13 +610,7 @@ export default function Page() {
                                                     <OrgRolesTagField
                                                         form={internalForm}
                                                         name="roles"
-                                                        label={t("roles")}
-                                                        placeholder={t(
-                                                            "accessRoleSelect2"
-                                                        )}
-                                                        allRoleOptions={
-                                                            allRoleOptions
-                                                        }
+                                                        orgId={orgId as string}
                                                         supportsMultipleRolesPerUser={
                                                             supportsMultipleRolesPerUser
                                                         }
@@ -611,13 +620,6 @@ export default function Page() {
                                                         paywallMessage={
                                                             invitePaywallMessage
                                                         }
-                                                        loading={loading}
-                                                        activeTagIndex={
-                                                            activeInviteRoleTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveInviteRoleTagIndex
-                                                        }
                                                     />
 
                                                     {env.email.emailEnabled && (
@@ -712,9 +714,9 @@ export default function Page() {
                                         })() && (
                                             <Form {...googleAzureForm}>
                                                 <form
-                                                    onSubmit={googleAzureForm.handleSubmit(
-                                                        onSubmitGoogleAzure
-                                                    )}
+                                                    action={
+                                                        submitGoogleAzureAction
+                                                    }
                                                     className="space-y-4"
                                                     id="create-user-form"
                                                 >
@@ -763,13 +765,7 @@ export default function Page() {
                                                     <OrgRolesTagField
                                                         form={googleAzureForm}
                                                         name="roles"
-                                                        label={t("roles")}
-                                                        placeholder={t(
-                                                            "accessRoleSelect2"
-                                                        )}
-                                                        allRoleOptions={
-                                                            allRoleOptions
-                                                        }
+                                                        orgId={orgId as string}
                                                         supportsMultipleRolesPerUser={
                                                             supportsMultipleRolesPerUser
                                                         }
@@ -779,13 +775,6 @@ export default function Page() {
                                                         paywallMessage={
                                                             invitePaywallMessage
                                                         }
-                                                        loading={loading}
-                                                        activeTagIndex={
-                                                            activeOidcRoleTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveOidcRoleTagIndex
-                                                        }
                                                     />
                                                 </form>
                                             </Form>
@@ -808,9 +797,9 @@ export default function Page() {
                                         })() && (
                                             <Form {...genericOidcForm}>
                                                 <form
-                                                    onSubmit={genericOidcForm.handleSubmit(
-                                                        onSubmitGenericOidc
-                                                    )}
+                                                    action={
+                                                        submitGenericOidcAction
+                                                    }
                                                     className="space-y-4"
                                                     id="create-user-form"
                                                 >
@@ -888,13 +877,7 @@ export default function Page() {
                                                     <OrgRolesTagField
                                                         form={genericOidcForm}
                                                         name="roles"
-                                                        label={t("roles")}
-                                                        placeholder={t(
-                                                            "accessRoleSelect2"
-                                                        )}
-                                                        allRoleOptions={
-                                                            allRoleOptions
-                                                        }
+                                                        orgId={orgId as string}
                                                         supportsMultipleRolesPerUser={
                                                             supportsMultipleRolesPerUser
                                                         }
@@ -904,13 +887,6 @@ export default function Page() {
                                                         paywallMessage={
                                                             invitePaywallMessage
                                                         }
-                                                        loading={loading}
-                                                        activeTagIndex={
-                                                            activeOidcRoleTagIndex
-                                                        }
-                                                        setActiveTagIndex={
-                                                            setActiveOidcRoleTagIndex
-                                                        }
                                                     />
                                                 </form>
                                             </Form>

src/app/[orgId]/settings/layout.tsx

@@ -13,6 +13,7 @@ import { Layout } from "@app/components/Layout";
 import { getTranslations } from "next-intl/server";
 import { pullEnv } from "@app/lib/pullEnv";
 import { orgNavSections } from "@app/app/navigation";
+import { getCachedOrgUser } from "@app/lib/api/getCachedOrgUser";
 
 export const dynamic = "force-dynamic";
 
@@ -48,13 +49,7 @@ export default async function SettingsLayout(props: SettingsLayoutProps) {
     const t = await getTranslations();
 
     try {
-        const getOrgUser = cache(() =>
-            internal.get<AxiosResponse<GetOrgUserResponse>>(
-                `/org/${params.orgId}/user/${user.userId}`,
-                cookie
-            )
-        );
-        const orgUser = await getOrgUser();
+        const orgUser = await getCachedOrgUser(params.orgId, user.userId);
 
         if (!orgUser.data.data.isAdmin && !orgUser.data.data.isOwner) {
             throw new Error(t("userErrorNotAdminOrOwner"));

src/app/[orgId]/settings/resources/proxy/[niceId]/layout.tsx

@@ -96,10 +96,10 @@ export default async function ResourceLayout(props: ResourceLayoutProps) {
             title: t("authentication"),
             href: `/{orgId}/settings/resources/proxy/{niceId}/authentication`
         });
-        navItems.push({
-            title: t("rules"),
-            href: `/{orgId}/settings/resources/proxy/{niceId}/rules`
-        });
+        // navItems.push({
+        //     title: t("rules"),
+        //     href: `/{orgId}/settings/resources/proxy/{niceId}/rules`
+        // });
     }
 
     return (

src/app/[orgId]/settings/resources/proxy/create/page.tsx

@@ -92,7 +92,13 @@ import { useTranslations } from "next-intl";
 import Link from "next/link";
 import { useParams, useRouter } from "next/navigation";
 import { toASCII } from "punycode";
-import { useEffect, useMemo, useState, useCallback } from "react";
+import {
+    useMemo,
+    useState,
+    useCallback,
+    useTransition,
+    useEffect
+} from "react";
 import { Controller, useForm } from "react-hook-form";
 import { z } from "zod";
 
@@ -218,7 +224,7 @@ export default function Page() {
     >([]);
     const [loadingExitNodes, setLoadingExitNodes] = useState(build === "saas");
 
-    const [createLoading, setCreateLoading] = useState(false);
+    const [createLoading, startTransition] = useTransition();
     const [showSnippets, setShowSnippets] = useState(false);
     const [niceId, setNiceId] = useState<string>("");
 
@@ -328,7 +334,7 @@ export default function Page() {
                         id: "raw" as ResourceType,
                         title: t("resourceRaw"),
                         description:
-                            build == "saas"
+                            build === "saas"
                                 ? t("resourceRawDescriptionCloud")
                                 : t("resourceRawDescription")
                     }
@@ -473,8 +479,6 @@ export default function Page() {
     );
 
     async function onSubmit() {
-        setCreateLoading(true);
-
         const baseData = baseForm.getValues();
         const isHttp = baseData.http;
 
@@ -610,8 +614,6 @@ export default function Page() {
                 )
             });
         }
-
-        setCreateLoading(false);
     }
 
     useEffect(() => {
@@ -1465,7 +1467,7 @@ export default function Page() {
                                         console.log(httpForm.getValues());
 
                                         if (baseValid && settingsValid) {
-                                            onSubmit();
+                                            startTransition(onSubmit);
                                         }
                                     }}
                                     loading={createLoading}

src/app/navigation.tsx

@@ -11,6 +11,7 @@ import {
     CreditCard,
     Fingerprint,
     Globe,
+    GlobeIcon,
     GlobeLock,
     KeyRound,
     Laptop,
@@ -22,6 +23,7 @@ import {
     ScanEye,
     Server,
     Settings,
+    ShieldIcon,
     SquareMousePointer,
     TicketCheck,
     Unplug,
@@ -99,7 +101,7 @@ export const orgNavSections = (
                 href: "/{orgId}/settings/domains",
                 icon: <Globe className="size-4 flex-none" />
             },
-            ...(build == "saas"
+            ...(build === "saas"
                 ? [
                       {
                           title: "sidebarRemoteExitNodes",
@@ -134,6 +136,24 @@ export const orgNavSections = (
                     }
                 ]
             },
+            ...(build !== "oss"
+                ? [
+                      {
+                          title: "sidebarPolicies",
+
+                          icon: <ShieldIcon className="size-4 flex-none" />,
+                          items: [
+                              {
+                                  title: "sidebarResourcePolicies",
+                                  href: "/{orgId}/settings/policies/resource",
+                                  icon: (
+                                      <GlobeIcon className="size-4 flex-none" />
+                                  )
+                              }
+                          ]
+                      }
+                  ]
+                : []),
             // PaidFeaturesAlert
             ...((build === "oss" && !env?.flags.disableEnterpriseFeatures) ||
             build === "saas" ||

src/components/AuthPageBrandingForm.tsx

@@ -28,15 +28,14 @@ import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { build } from "@server/build";
+import { validateLocalPath } from "@app/lib/validateLocalPath";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import type { GetLoginPageBrandingResponse } from "@server/routers/loginPage/types";
 import { XIcon } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { PaidFeaturesAlert } from "./PaidFeaturesAlert";
 import { Button } from "./ui/button";
 import { Input } from "./ui/input";
-import { validateLocalPath } from "@app/lib/validateLocalPath";
-import { Alert, AlertDescription, AlertTitle } from "./ui/alert";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
 
 export type AuthPageCustomizationProps = {
     orgId: string;

src/components/CertificateStatus.tsx

@@ -31,8 +31,9 @@ export function CertificateStatusContent({
     const t = useTranslations();
 
     const labelClass =
-        "inline-flex shrink-0 items-center self-center text-sm font-medium leading-none";
-    const valueClass = "inline-flex items-center gap-2 text-sm leading-none";
+        "inline-flex shrink-0 items-center self-center text-sm font-medium leading-normal";
+    const valueClass =
+        "inline-flex items-center gap-2 text-sm leading-normal";
 
     const handleRefresh = async () => {
         await refreshCert();
@@ -133,14 +134,14 @@ export function CertificateStatusContent({
             {isPending && !disableRestartButton ? (
                 <Button
                     variant="ghost"
-                    className="h-auto min-h-0 shrink-0 p-0 text-sm font-normal leading-none inline-flex items-center self-center"
+                    className="h-auto min-h-0 shrink-0 p-0 text-sm font-normal leading-normal inline-flex items-center self-center"
                     onClick={handleRefresh}
                     disabled={refreshing}
                     title={t("restartCertificate", {
                         defaultValue: "Restart Certificate"
                     })}
                 >
-                    <span className="inline-flex items-center gap-2 leading-none">
+                    <span className="inline-flex items-center gap-2 leading-normal">
                         <FileBadge
                             className={`h-4 w-4 shrink-0 ${getStatusColor(cert.status)}`}
                             aria-hidden
@@ -148,7 +149,7 @@ export function CertificateStatusContent({
                         {cert.status.charAt(0).toUpperCase() +
                             cert.status.slice(1)}
                         <RotateCw
-                            className={`h-3 w-3 shrink-0 ${refreshing ? "animate-spin" : ""}`}
+                            className={`h-4 w-4 shrink-0 ${refreshing ? "animate-spin" : ""}`}
                         />
                     </span>
                 </Button>
@@ -164,7 +165,7 @@ export function CertificateStatusContent({
                         <Button
                             size="icon"
                             variant="ghost"
-                            className="inline-flex h-auto min-h-0 w-3 shrink-0 items-center justify-center self-center p-0"
+                            className="inline-flex h-4 w-4 min-h-0 shrink-0 items-center justify-center self-center p-0"
                             onClick={handleRefresh}
                             disabled={refreshing}
                             title={t("restartCertificate", {
@@ -172,7 +173,7 @@ export function CertificateStatusContent({
                             })}
                         >
                             <RotateCw
-                                className={`h-3 w-3 shrink-0 ${refreshing ? "animate-spin" : ""}`}
+                                className={`h-4 w-4 shrink-0 ${refreshing ? "animate-spin" : ""}`}
                             />
                         </Button>
                     ) : null}

src/components/CopyToClipboard.tsx

@@ -33,7 +33,7 @@ const CopyToClipboard = ({
         <div className="flex items-center space-x-2 min-w-0 max-w-full">
             <button
                 type="button"
-                className="h-6 w-6 p-0 flex items-center justify-center cursor-pointer flex-shrink-0"
+                className="h-4 w-4 p-0 flex items-center justify-center cursor-pointer flex-shrink-0"
                 onClick={handleCopy}
             >
                 {!copied ? (

src/components/Credenza.tsx

@@ -84,7 +84,7 @@ const CredenzaContent = ({ className, children, ...props }: CredenzaProps) => {
     return (
         <CredenzaContent
             className={cn(
-                "flex min-h-0 max-h-[100dvh] flex-col overflow-hidden md:top-[clamp(1.5rem,12vh,200px)] md:max-h-[calc(100vh-clamp(3rem,24vh,400px))] md:translate-y-0",
+                "flex min-h-0 max-h-[100dvh] flex-col overflow-y-auto md:top-[clamp(1.5rem,12vh,200px)] md:max-h-[calc(100vh-clamp(3rem,24vh,400px))] md:translate-y-0",
                 className
             )}
             {...props}

src/components/IdpLoginButtons.tsx

@@ -104,7 +104,7 @@ export default function IdpLoginButtons({
                 </Alert>
             )}
 
-            <div className="space-y-2">
+            <div className="space-y-4">
                 {params.get("gotoapp") ? (
                     <>
                         <Button

src/components/InfoSection.tsx

@@ -19,7 +19,7 @@ export function InfoSections({
     return (
         <div
             className={cn(
-                "grid grid-cols-2 md:grid-cols-(--columns) md:space-x-16 gap-4 md:items-start",
+                "grid w-full min-w-0 grid-cols-2 md:grid-cols-(--columns) md:space-x-16 gap-4 md:items-start",
                 columnSizing === "content" &&
                     "md:justify-items-start md:justify-start"
             )}
@@ -41,7 +41,11 @@ export function InfoSection({
     children: React.ReactNode;
     className?: string;
 }) {
-    return <div className={cn("space-y-1", className)}>{children}</div>;
+    return (
+        <div className={cn("min-w-0 w-full max-w-full space-y-1", className)}>
+            {children}
+        </div>
+    );
 }
 
 export function InfoSectionTitle({
@@ -51,7 +55,11 @@ export function InfoSectionTitle({
     children: React.ReactNode;
     className?: string;
 }) {
-    return <div className={cn("font-semibold", className)}>{children}</div>;
+    return (
+        <div className={cn("min-w-0 truncate font-semibold", className)}>
+            {children}
+        </div>
+    );
 }
 
 export function InfoSectionContent({
@@ -62,8 +70,13 @@ export function InfoSectionContent({
     className?: string;
 }) {
     return (
-        <div className={cn("min-w-0 overflow-hidden", className)}>
-            <div className="w-full truncate [&>div.flex]:min-w-0 [&>div.flex]:!whitespace-normal [&>div.flex>span]:truncate [&>div.flex>a]:truncate">
+        <div
+            className={cn(
+                "w-full min-w-0 max-w-full overflow-hidden",
+                className
+            )}
+        >
+            <div className="w-full min-w-0 max-w-full truncate [&>div.flex]:min-w-0 [&>div.flex]:!whitespace-normal [&>div.flex>span]:truncate [&>div.flex>a]:truncate">
                 {children}
             </div>
         </div>

src/components/InternalResourceForm.tsx

@@ -40,7 +40,12 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { UserType } from "@server/types/UserTypes";
 import { useQuery } from "@tanstack/react-query";
-import { ChevronsUpDown, ExternalLink } from "lucide-react";
+import {
+    ArrowDownIcon,
+    ChevronDownIcon,
+    ChevronsUpDown,
+    ExternalLink
+} from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useEffect, useRef, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -50,11 +55,13 @@ import {
     formatMultiSitesSelectorLabel
 } from "./multi-site-selector";
 import type { Selectedsite } from "./site-selector";
-import { CaretSortIcon } from "@radix-ui/react-icons";
+
 import { MachinesSelector } from "./machines-selector";
 import DomainPicker from "@app/components/DomainPicker";
 import { SwitchInput } from "@app/components/SwitchInput";
 import CertificateStatus from "@app/components/CertificateStatus";
+import { UsersSelector } from "./users-selector";
+import { RolesSelector } from "./roles-selector";
 import { build } from "@server/build";
 
 // --- Helpers (shared) ---
@@ -1118,6 +1125,30 @@ export function InternalResourceForm({
                                         }}
                                     />
                                 </div>
+                                <FormField
+                                    control={form.control}
+                                    name="ssl"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormControl>
+                                                <SwitchInput
+                                                    id="internal-resource-ssl"
+                                                    label={t(enableSslLabelKey)}
+                                                    description={t(
+                                                        enableSslDescriptionKey
+                                                    )}
+                                                    checked={!!field.value}
+                                                    onCheckedChange={
+                                                        field.onChange
+                                                    }
+                                                    disabled={
+                                                        httpSectionDisabled
+                                                    }
+                                                />
+                                            </FormControl>
+                                        </FormItem>
+                                    )}
+                                />
                                 <div className="flex items-start justify-between gap-4">
                                     <FormField
                                         control={form.control}
@@ -1484,40 +1515,22 @@ export function InternalResourceForm({
                                         <FormItem className="flex flex-col items-start">
                                             <FormLabel>{t("roles")}</FormLabel>
                                             <FormControl>
-                                                <TagInput
-                                                    {...field}
-                                                    activeTagIndex={
-                                                        activeRolesTagIndex
+                                                <RolesSelector
+                                                    selectedRoles={
+                                                        field.value ?? []
                                                     }
-                                                    setActiveTagIndex={
-                                                        setActiveRolesTagIndex
-                                                    }
-                                                    placeholder={t(
-                                                        "accessRoleSelect2"
-                                                    )}
-                                                    size="sm"
-                                                    tags={
-                                                        form.getValues()
-                                                            .roles ?? []
-                                                    }
-                                                    setTags={(newRoles) =>
+                                                    orgId={orgId}
+                                                    onSelectRoles={(
+                                                        newUsers
+                                                    ) => {
                                                         form.setValue(
                                                             "roles",
-                                                            newRoles as [
+                                                            newUsers as [
                                                                 Tag,
                                                                 ...Tag[]
                                                             ]
-                                                        )
-                                                    }
-                                                    enableAutocomplete
-                                                    autocompleteOptions={
-                                                        allRoles
-                                                    }
-                                                    allowDuplicates={false}
-                                                    restrictTagsToAutocompleteOptions={
-                                                        true
-                                                    }
-                                                    sortTags={true}
+                                                        );
+                                                    }}
                                                 />
                                             </FormControl>
                                             <FormMessage />
@@ -1530,43 +1543,21 @@ export function InternalResourceForm({
                                     render={({ field }) => (
                                         <FormItem className="flex flex-col items-start">
                                             <FormLabel>{t("users")}</FormLabel>
-                                            <FormControl>
-                                                <TagInput
-                                                    {...field}
-                                                    activeTagIndex={
-                                                        activeUsersTagIndex
-                                                    }
-                                                    setActiveTagIndex={
-                                                        setActiveUsersTagIndex
-                                                    }
-                                                    placeholder={t(
-                                                        "accessUserSelect"
-                                                    )}
-                                                    tags={
-                                                        form.getValues()
-                                                            .users ?? []
-                                                    }
-                                                    size="sm"
-                                                    setTags={(newUsers) =>
-                                                        form.setValue(
-                                                            "users",
-                                                            newUsers as [
-                                                                Tag,
-                                                                ...Tag[]
-                                                            ]
-                                                        )
-                                                    }
-                                                    enableAutocomplete={true}
-                                                    autocompleteOptions={
-                                                        allUsers
-                                                    }
-                                                    allowDuplicates={false}
-                                                    restrictTagsToAutocompleteOptions={
-                                                        true
-                                                    }
-                                                    sortTags={true}
-                                                />
-                                            </FormControl>
+                                            <UsersSelector
+                                                selectedUsers={
+                                                    field.value ?? []
+                                                }
+                                                orgId={orgId}
+                                                onSelectUsers={(newUsers) => {
+                                                    form.setValue(
+                                                        "users",
+                                                        newUsers as [
+                                                            Tag,
+                                                            ...Tag[]
+                                                        ]
+                                                    );
+                                                }}
+                                            />
                                             <FormMessage />
                                         </FormItem>
                                     )}
@@ -1580,73 +1571,20 @@ export function InternalResourceForm({
                                                 <FormLabel>
                                                     {t("machineClients")}
                                                 </FormLabel>
-                                                <Popover>
-                                                    <PopoverTrigger asChild>
-                                                        <FormControl>
-                                                            <Button
-                                                                variant="outline"
-                                                                role="combobox"
-                                                                className={cn(
-                                                                    "justify-between w-full",
-                                                                    "text-muted-foreground pl-1.5"
-                                                                )}
-                                                            >
-                                                                <span
-                                                                    className={cn(
-                                                                        "inline-flex items-center gap-1",
-                                                                        "overflow-x-auto"
-                                                                    )}
-                                                                >
-                                                                    {(
-                                                                        field.value ??
-                                                                        []
-                                                                    ).map(
-                                                                        (
-                                                                            client
-                                                                        ) => (
-                                                                            <span
-                                                                                key={
-                                                                                    client.clientId
-                                                                                }
-                                                                                className={cn(
-                                                                                    "bg-muted-foreground/20 font-normal text-foreground rounded-sm",
-                                                                                    "py-1 px-1.5 text-xs"
-                                                                                )}
-                                                                            >
-                                                                                {
-                                                                                    client.name
-                                                                                }
-                                                                            </span>
-                                                                        )
-                                                                    )}
-                                                                    <span className="pl-1 font-normal">
-                                                                        {t(
-                                                                            "accessClientSelect"
-                                                                        )}
-                                                                    </span>
-                                                                </span>
-                                                                <CaretSortIcon className="ml-2 h-4 w-4 shrink-0 opacity-50" />
-                                                            </Button>
-                                                        </FormControl>
-                                                    </PopoverTrigger>
-                                                    <PopoverContent className="p-0">
-                                                        <MachinesSelector
-                                                            selectedMachines={
-                                                                field.value ??
-                                                                []
-                                                            }
-                                                            orgId={orgId}
-                                                            onSelectMachines={(
-                                                                machines
-                                                            ) => {
-                                                                form.setValue(
-                                                                    "clients",
-                                                                    machines
-                                                                );
-                                                            }}
-                                                        />
-                                                    </PopoverContent>
-                                                </Popover>
+                                                <MachinesSelector
+                                                    selectedMachines={
+                                                        field.value ?? []
+                                                    }
+                                                    orgId={orgId}
+                                                    onSelectMachines={(
+                                                        machines
+                                                    ) => {
+                                                        form.setValue(
+                                                            "clients",
+                                                            machines
+                                                        );
+                                                    }}
+                                                />
                                                 <FormMessage />
                                             </FormItem>
                                         )}

src/components/LoginForm.tsx

@@ -368,7 +368,7 @@ export default function LoginForm({
 
                         {hasIdp && (
                             <>
-                                <div className="relative my-4">
+                                <div className="relative">
                                     <div className="absolute inset-0 flex items-center">
                                         <Separator />
                                     </div>

src/components/MfaInputForm.tsx

@@ -145,7 +145,7 @@ export default function MfaInputForm({
                 </Alert>
             )}
 
-            <div className="space-y-2">
+            <div className="space-y-4">
                 <Button
                     type="submit"
                     form={formId}

src/components/OrgRolesTagField.tsx

@@ -8,51 +8,42 @@ import {
     FormLabel,
     FormMessage
 } from "@app/components/ui/form";
-import { Tag, TagInput } from "@app/components/tags/tag-input";
+
 import { toast } from "@app/hooks/useToast";
 import { useTranslations } from "next-intl";
-import type { Dispatch, SetStateAction } from "react";
-import type { FieldValues, Path, UseFormReturn } from "react-hook-form";
 
-export type RoleTag = {
-    id: string;
-    text: string;
-};
+import type { FieldValues, Path, UseFormReturn } from "react-hook-form";
+import { RolesSelector, type SelectedRole } from "./roles-selector";
 
 type OrgRolesTagFieldProps<TFieldValues extends FieldValues> = {
-    form: Pick<UseFormReturn<TFieldValues>, "control" | "getValues" | "setValue">;
+    form: Pick<
+        UseFormReturn<TFieldValues>,
+        "control" | "getValues" | "setValue"
+    >;
+    orgId: string;
     /** Field in the form that holds Tag[] (role tags). Default: `"roles"`. */
     name?: Path<TFieldValues>;
-    label: string;
-    placeholder: string;
-    allRoleOptions: Tag[];
+    label?: string;
     supportsMultipleRolesPerUser: boolean;
     showMultiRolePaywallMessage: boolean;
     paywallMessage: string;
-    loading?: boolean;
-    activeTagIndex: number | null;
-    setActiveTagIndex: Dispatch<SetStateAction<number | null>>;
+    disabled?: boolean;
 };
 
 export default function OrgRolesTagField<TFieldValues extends FieldValues>({
     form,
     name = "roles" as Path<TFieldValues>,
     label,
-    placeholder,
-    allRoleOptions,
+    orgId,
     supportsMultipleRolesPerUser,
     showMultiRolePaywallMessage,
     paywallMessage,
-    loading = false,
-    activeTagIndex,
-    setActiveTagIndex
+    disabled
 }: OrgRolesTagFieldProps<TFieldValues>) {
     const t = useTranslations();
 
-    function setRoleTags(updater: Tag[] | ((prev: Tag[]) => Tag[])) {
-        const prev = form.getValues(name) as Tag[];
-        const nextValue =
-            typeof updater === "function" ? updater(prev) : updater;
+    function setRoleTags(nextValue: SelectedRole[]) {
+        const prev = form.getValues(name) as SelectedRole[];
         const next = supportsMultipleRolesPerUser
             ? nextValue
             : nextValue.length > 1
@@ -88,22 +79,13 @@ export default function OrgRolesTagField<TFieldValues extends FieldValues>({
             name={name}
             render={({ field }) => (
                 <FormItem className="flex flex-col items-start">
-                    <FormLabel>{label}</FormLabel>
+                    <FormLabel>{label ?? t("roles")}</FormLabel>
                     <FormControl>
-                        <TagInput
-                            {...field}
-                            activeTagIndex={activeTagIndex}
-                            setActiveTagIndex={setActiveTagIndex}
-                            placeholder={placeholder}
-                            size="sm"
-                            tags={field.value}
-                            setTags={setRoleTags}
-                            enableAutocomplete={true}
-                            autocompleteOptions={allRoleOptions}
-                            allowDuplicates={false}
-                            restrictTagsToAutocompleteOptions={true}
-                            sortTags={true}
-                            disabled={loading}
+                        <RolesSelector
+                            orgId={orgId}
+                            selectedRoles={field.value ?? []}
+                            onSelectRoles={setRoleTags}
+                            disabled={disabled}
                         />
                     </FormControl>
                     {showMultiRolePaywallMessage && (

src/components/ProxyResourcesTable.tsx

@@ -193,22 +193,17 @@ export default function ProxyResourcesTable({
         });
     };
 
-    const deleteResource = (resourceId: number) => {
-        api.delete(`/resource/${resourceId}`)
-            .catch((e) => {
-                console.error(t("resourceErrorDelte"), e);
-                toast({
-                    variant: "destructive",
-                    title: t("resourceErrorDelte"),
-                    description: formatAxiosError(e, t("resourceErrorDelte"))
-                });
-            })
-            .then(() => {
-                startTransition(() => {
-                    router.refresh();
-                    setIsDeleteModalOpen(false);
-                });
+    const deleteResource = async (resourceId: number) => {
+        await api.delete(`/resource/${resourceId}`).catch((e) => {
+            console.error(t("resourceErrorDelte"), e);
+            toast({
+                variant: "destructive",
+                title: t("resourceErrorDelte"),
+                description: formatAxiosError(e, t("resourceErrorDelte"))
             });
+        });
+        router.refresh();
+        setIsDeleteModalOpen(false);
     };
 
     async function toggleResourceEnabled(val: boolean, resourceId: number) {
@@ -770,7 +765,11 @@ export default function ProxyResourcesTable({
                         </div>
                     }
                     buttonText={t("resourceDeleteConfirm")}
-                    onConfirm={async () => deleteResource(selectedResource!.id)}
+                    onConfirm={async () =>
+                        startTransition(() =>
+                            deleteResource(selectedResource!.id)
+                        )
+                    }
                     string={selectedResource.name}
                     title={t("resourceDelete")}
                 />

src/components/ResetPasswordForm.tsx

@@ -528,7 +528,7 @@ export default function ResetPasswordForm({
                             )}
 
                             {state === "request" && (
-                                <div className="flex flex-col gap-2">
+                                <div className="flex flex-col gap-4">
                                     {env.email.emailEnabled && (
                                         <Button
                                             type="submit"

src/components/ResourceInfoBox.tsx

@@ -40,7 +40,9 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                     <InfoSection>
                         <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
                         <InfoSectionContent>
-                            {resource.niceId}
+                            <span className="inline-flex items-center">
+                                {resource.niceId}
+                            </span>
                         </InfoSectionContent>
                     </InfoSection>
                     {resource.http ? (
@@ -49,7 +51,9 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                 <InfoSectionTitle>URL</InfoSectionTitle>
                                 <InfoSectionContent>
                                     {resource.wildcard ? (
-                                        <span>{fullUrl}</span>
+                                        <span className="inline-flex items-center">
+                                            {fullUrl}
+                                        </span>
                                     ) : (
                                         <CopyToClipboard
                                             text={fullUrl}
@@ -68,7 +72,7 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                     authInfo.sso ||
                                     authInfo.whitelist ||
                                     authInfo.headerAuth ? (
-                                        <div className="flex items-start space-x-2">
+                                        <div className="flex items-center space-x-2">
                                             <ShieldCheck className="w-4 h-4 flex-shrink-0 text-green-500" />
                                             <span>{t("protected")}</span>
                                         </div>
@@ -106,7 +110,9 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                     {t("protocol")}
                                 </InfoSectionTitle>
                                 <InfoSectionContent>
-                                    {resource.protocol.toUpperCase()}
+                                    <span className="inline-flex items-center">
+                                        {resource.protocol.toUpperCase()}
+                                    </span>
                                 </InfoSectionContent>
                             </InfoSection>
                             <InfoSection>

src/components/ResourcePoliciesTable.tsx

@@ -0,0 +1,311 @@
+"use client";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { useNavigationContext } from "@app/hooks/useNavigationContext";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import type {
+    AttachedResource,
+    ListResourcePoliciesResponse
+} from "@server/routers/resource/types";
+import type { PaginationState } from "@tanstack/react-table";
+import {
+    ArrowRight,
+    ChevronDown,
+    MoreHorizontal,
+    Waypoints
+} from "lucide-react";
+import { useTranslations } from "next-intl";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import { useState, useTransition } from "react";
+import { useDebouncedCallback } from "use-debounce";
+import { Button } from "./ui/button";
+import { ControlledDataTable } from "./ui/controlled-data-table";
+import type { ExtendedColumnDef } from "./ui/data-table";
+import {
+    DropdownMenu,
+    DropdownMenuContent,
+    DropdownMenuItem,
+    DropdownMenuTrigger
+} from "./ui/dropdown-menu";
+import ConfirmDeleteDialog from "./ConfirmDeleteDialog";
+import { PaidFeaturesAlert } from "./PaidFeaturesAlert";
+import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
+
+type ResourcePolicyRow = ListResourcePoliciesResponse["policies"][number];
+
+export type ResourcePoliciesTableProps = {
+    policies: Array<ResourcePolicyRow>;
+    orgId: string;
+    pagination: PaginationState;
+    rowCount: number;
+};
+
+export function ResourcePoliciesTable({
+    policies,
+    orgId,
+    pagination,
+    rowCount
+}: ResourcePoliciesTableProps) {
+    const router = useRouter();
+    const {
+        navigate: filter,
+        isNavigating: isFiltering,
+        searchParams
+    } = useNavigationContext();
+    const t = useTranslations();
+
+    const { env } = useEnvContext();
+
+    const api = createApiClient({ env });
+
+    const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
+    const [selectedResourcePolicy, setSelectedResourcePolicy] =
+        useState<ResourcePolicyRow | null>(null);
+
+    const deleteResourcePolicy = async (resourcePolicyId: number) => {
+        await api
+            .delete(`/resource-policy/${resourcePolicyId}`)
+            .catch((e) => {
+                console.error(t("resourceErrorDelte"), e);
+                toast({
+                    variant: "destructive",
+                    title: t("resourceErrorDelte"),
+                    description: formatAxiosError(e, t("resourceErrorDelte"))
+                });
+            })
+            .then(() => {
+                router.refresh();
+                setIsDeleteModalOpen(false);
+            });
+    };
+
+    const [isRefreshing, startTransition] = useTransition();
+    const [isNavigatingToAddPage, startNavigation] = useTransition();
+
+    const refreshData = () => {
+        startTransition(() => {
+            try {
+                router.refresh();
+            } catch (error) {
+                toast({
+                    title: t("error"),
+                    description: t("refreshError"),
+                    variant: "destructive"
+                });
+            }
+        });
+    };
+
+    function ResourceListCell({
+        resources
+    }: {
+        resources?: AttachedResource[];
+    }) {
+        if (!resources || resources.length === 0) {
+            return (
+                <div
+                    id="LOOK_FOR_ME"
+                    className="flex items-center gap-2 text-muted-foreground"
+                >
+                    <Waypoints className="size-4 flex-none" />
+                    <span className="text-sm">
+                        {t("resourcePoliciesAttachedResourcesEmpty")}
+                    </span>
+                </div>
+            );
+        }
+
+        return (
+            <DropdownMenu>
+                <DropdownMenuTrigger asChild>
+                    <Button
+                        variant="ghost"
+                        size="sm"
+                        className="flex items-center gap-2 h-8 px-0 font-normal"
+                    >
+                        <Waypoints className="size-4 flex-none" />
+                        <span className="text-sm">
+                            {t("resourcePoliciesAttachedResources", {
+                                count: resources.length
+                            })}
+                        </span>
+                        <ChevronDown className="h-3 w-3" />
+                    </Button>
+                </DropdownMenuTrigger>
+                <DropdownMenuContent align="start" className="min-w-70">
+                    {resources.map((resource) => (
+                        <DropdownMenuItem
+                            key={resource.resourceId}
+                            className="flex items-center justify-between gap-4"
+                        >
+                            <div className="flex items-center gap-2">
+                                {resource.name}
+                            </div>
+                            <span
+                                className={`capitalize text-muted-foreground`}
+                            >
+                                {resource.fullDomain}
+                            </span>
+                        </DropdownMenuItem>
+                    ))}
+                </DropdownMenuContent>
+            </DropdownMenu>
+        );
+    }
+
+    const proxyColumns: ExtendedColumnDef<ResourcePolicyRow>[] = [
+        {
+            accessorKey: "name",
+            enableHiding: false,
+            friendlyName: t("name"),
+            header: () => <span className="p-3">{t("name")}</span>,
+            cell: ({ row }) => <span>{row.original.name}</span>
+        },
+        {
+            id: "niceId",
+            accessorKey: "nice",
+            friendlyName: t("identifier"),
+            enableHiding: true,
+            header: () => <span className="p-3">{t("identifier")}</span>,
+            cell: ({ row }) => {
+                return <span>{row.original.niceId || "-"}</span>;
+            }
+        },
+        {
+            id: "resources",
+            accessorKey: "resources",
+            friendlyName: t("resourcePoliciesAttachedResourcesColumnTitle"),
+            header: () => (
+                <span className="p-3">
+                    {t("resourcePoliciesAttachedResourcesColumnTitle")}
+                </span>
+            ),
+            cell: ({ row }) => {
+                return <ResourceListCell resources={row.original.resources} />;
+            }
+        },
+        {
+            id: "actions",
+            enableHiding: false,
+            header: () => <span className="p-3"></span>,
+            cell: ({ row }) => {
+                const policyRow = row.original;
+                return (
+                    <div className="flex items-center gap-2 justify-end">
+                        <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                                <Button variant="ghost" className="h-8 w-8 p-0">
+                                    <span className="sr-only">
+                                        {t("openMenu")}
+                                    </span>
+                                    <MoreHorizontal className="h-4 w-4" />
+                                </Button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align="end">
+                                <Link
+                                    className="block w-full"
+                                    href={`/${policyRow.orgId}/settings/policies/resource/${policyRow.niceId}`}
+                                >
+                                    <DropdownMenuItem>
+                                        {t("viewSettings")}
+                                    </DropdownMenuItem>
+                                </Link>
+                                <DropdownMenuItem
+                                    onClick={() => {
+                                        setSelectedResourcePolicy(policyRow);
+                                        setIsDeleteModalOpen(true);
+                                    }}
+                                >
+                                    <span className="text-red-500">
+                                        {t("delete")}
+                                    </span>
+                                </DropdownMenuItem>
+                            </DropdownMenuContent>
+                        </DropdownMenu>
+                        <Link
+                            href={`/${policyRow.orgId}/settings/policies/resource/${policyRow.niceId}`}
+                        >
+                            <Button variant={"outline"}>
+                                {t("edit")}
+                                <ArrowRight className="ml-2 w-4 h-4" />
+                            </Button>
+                        </Link>
+                    </div>
+                );
+            }
+        }
+    ];
+
+    const handlePaginationChange = (newPage: PaginationState) => {
+        searchParams.set("page", (newPage.pageIndex + 1).toString());
+        searchParams.set("pageSize", newPage.pageSize.toString());
+        filter({
+            searchParams
+        });
+    };
+
+    const handleSearchChange = useDebouncedCallback((query: string) => {
+        searchParams.set("query", query);
+        searchParams.delete("page");
+        filter({
+            searchParams
+        });
+    }, 300);
+
+    return (
+        <>
+            <PaidFeaturesAlert
+                tiers={tierMatrix[TierFeature.ResourcePolicies]}
+            />
+            {selectedResourcePolicy && (
+                <ConfirmDeleteDialog
+                    open={isDeleteModalOpen}
+                    setOpen={(val) => {
+                        setIsDeleteModalOpen(val);
+                        setSelectedResourcePolicy(null);
+                    }}
+                    dialog={
+                        <div className="space-y-2">
+                            <p>{t("resourcePolicyQuestionRemove")}</p>
+                            <p>{t("resourcePolicyMessageRemove")}</p>
+                        </div>
+                    }
+                    buttonText={t("resourcePolicyDeleteConfirm")}
+                    onConfirm={async () =>
+                        deleteResourcePolicy(
+                            selectedResourcePolicy.resourcePolicyId
+                        )
+                    }
+                    string={selectedResourcePolicy.name}
+                    title={t("resourcePolicyDelete")}
+                />
+            )}
+            <ControlledDataTable
+                columns={proxyColumns}
+                rows={policies}
+                tableId="resource-policies"
+                searchPlaceholder={t("resourcePoliciesSearch")}
+                pagination={pagination}
+                rowCount={rowCount}
+                onSearch={handleSearchChange}
+                onPaginationChange={handlePaginationChange}
+                onAdd={() =>
+                    startNavigation(() =>
+                        router.push(
+                            `/${orgId}/settings/policies/resource/create`
+                        )
+                    )
+                }
+                addButtonText={t("resourcePoliciesAdd")}
+                onRefresh={refreshData}
+                isRefreshing={isRefreshing || isFiltering}
+                isNavigatingToAddPage={isNavigatingToAddPage}
+                enableColumnVisibility
+                columnVisibility={{ niceId: false }}
+                stickyLeftColumn="name"
+                stickyRightColumn="actions"
+            />
+        </>
+    );
+}

src/components/RoleMappingConfigFields.tsx

@@ -16,6 +16,8 @@ import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { build } from "@server/build";
+import { RolesSelector } from "./roles-selector";
+import { useParams } from "next/navigation";
 
 export type RoleMappingRoleOption = {
     roleId: number;
@@ -58,9 +60,8 @@ export default function RoleMappingConfigFields({
     const t = useTranslations();
     const { env } = useEnvContext();
     const { isPaidUser } = usePaidStatus();
-    const [activeFixedRoleTagIndex, setActiveFixedRoleTagIndex] = useState<
-        number | null
-    >(null);
+
+    const { orgId } = useParams();
 
     const supportsMultipleRolesPerUser = isPaidUser(tierMatrix.fullRbac);
     const showSingleRoleDisclaimer =
@@ -160,23 +161,16 @@ export default function RoleMappingConfigFields({
 
             {roleMappingMode === "fixedRoles" && (
                 <div className="space-y-2 min-w-0 max-w-full">
-                    <TagInput
-                        tags={fixedRoleNames.map((name) => ({
+                    <RolesSelector
+                        selectedRoles={fixedRoleNames.map((name) => ({
                             id: name,
                             text: name
                         }))}
-                        setTags={(nextTags) => {
-                            const prevTags = fixedRoleNames.map((name) => ({
-                                id: name,
-                                text: name
-                            }));
-                            const next =
-                                typeof nextTags === "function"
-                                    ? nextTags(prevTags)
-                                    : nextTags;
-
+                        mapRolesByName
+                        orgId={orgId as string}
+                        onSelectRoles={(nextTags) => {
                             let names = [
-                                ...new Set(next.map((tag) => tag.text))
+                                ...new Set(nextTags.map((tag) => tag.text))
                             ];
 
                             if (!supportsMultipleRolesPerUser) {
@@ -198,19 +192,6 @@ export default function RoleMappingConfigFields({
 
                             onFixedRoleNamesChange(names);
                         }}
-                        activeTagIndex={activeFixedRoleTagIndex}
-                        setActiveTagIndex={setActiveFixedRoleTagIndex}
-                        placeholder={
-                            restrictToOrgRoles
-                                ? t("roleMappingFixedRolesPlaceholderSelect")
-                                : t("roleMappingFixedRolesPlaceholderFreeform")
-                        }
-                        enableAutocomplete={restrictToOrgRoles}
-                        autocompleteOptions={roleOptions}
-                        restrictTagsToAutocompleteOptions={restrictToOrgRoles}
-                        allowDuplicates={false}
-                        sortTags={true}
-                        size="sm"
                     />
                     <FormDescription>
                         {showFreeformRoleNamesHint
@@ -352,6 +333,7 @@ function BuilderRuleRow({
 }) {
     const t = useTranslations();
     const [activeTagIndex, setActiveTagIndex] = useState<number | null>(null);
+    const { orgId } = useParams();
 
     return (
         <div
@@ -378,67 +360,109 @@ function BuilderRuleRow({
                     {t("roleMappingAssignRoles")}
                 </FormLabel>
                 <div className="min-w-0 max-w-full">
-                    <TagInput
-                        tags={rule.roleNames.map((name) => ({
-                            id: name,
-                            text: name
-                        }))}
-                        setTags={(nextTags) => {
-                            const prevRoleTags = rule.roleNames.map((name) => ({
+                    {restrictToOrgRoles ? (
+                        <RolesSelector
+                            selectedRoles={rule.roleNames.map((name) => ({
                                 id: name,
                                 text: name
-                            }));
-                            const next =
-                                typeof nextTags === "function"
-                                    ? nextTags(prevRoleTags)
-                                    : nextTags;
+                            }))}
+                            buttonText={t("roleMappingAssignRoles")}
+                            mapRolesByName
+                            orgId={orgId as string}
+                            onSelectRoles={(nextTags) => {
+                                let names = [
+                                    ...new Set(nextTags.map((tag) => tag.text))
+                                ];
 
-                            let names = [
-                                ...new Set(next.map((tag) => tag.text))
-                            ];
-
-                            if (!supportsMultipleRolesPerUser) {
-                                if (
-                                    names.length === 0 &&
-                                    rule.roleNames.length > 0
-                                ) {
-                                    onChange({
-                                        ...rule,
-                                        roleNames: [
-                                            rule.roleNames[
-                                                rule.roleNames.length - 1
-                                            ]!
-                                        ]
-                                    });
-                                    return;
+                                if (!supportsMultipleRolesPerUser) {
+                                    if (
+                                        names.length === 0 &&
+                                        rule.roleNames.length > 0
+                                    ) {
+                                        onChange({
+                                            ...rule,
+                                            roleNames: [
+                                                rule.roleNames[
+                                                    rule.roleNames.length - 1
+                                                ]!
+                                            ]
+                                        });
+                                        return;
+                                    }
+                                    if (names.length > 1) {
+                                        names = [names[names.length - 1]!];
+                                    }
                                 }
-                                if (names.length > 1) {
-                                    names = [names[names.length - 1]!];
-                                }
-                            }
 
-                            onChange({
-                                ...rule,
-                                roleNames: names
-                            });
-                        }}
-                        activeTagIndex={activeTagIndex}
-                        setActiveTagIndex={setActiveTagIndex}
-                        placeholder={
-                            restrictToOrgRoles
-                                ? t("roleMappingAssignRoles")
-                                : t("roleMappingAssignRolesPlaceholderFreeform")
-                        }
-                        enableAutocomplete={restrictToOrgRoles}
-                        autocompleteOptions={roleOptions}
-                        restrictTagsToAutocompleteOptions={restrictToOrgRoles}
-                        allowDuplicates={false}
-                        sortTags={true}
-                        size="sm"
-                        styleClasses={{
-                            inlineTagsContainer: "min-w-0 max-w-full"
-                        }}
-                    />
+                                onChange({
+                                    ...rule,
+                                    roleNames: names
+                                });
+                            }}
+                        />
+                    ) : (
+                        <TagInput
+                            tags={rule.roleNames.map((name) => ({
+                                id: name,
+                                text: name
+                            }))}
+                            setTags={(nextTags) => {
+                                const prevRoleTags = rule.roleNames.map(
+                                    (name) => ({
+                                        id: name,
+                                        text: name
+                                    })
+                                );
+                                const next =
+                                    typeof nextTags === "function"
+                                        ? nextTags(prevRoleTags)
+                                        : nextTags;
+
+                                let names = [
+                                    ...new Set(next.map((tag) => tag.text))
+                                ];
+
+                                if (!supportsMultipleRolesPerUser) {
+                                    if (
+                                        names.length === 0 &&
+                                        rule.roleNames.length > 0
+                                    ) {
+                                        onChange({
+                                            ...rule,
+                                            roleNames: [
+                                                rule.roleNames[
+                                                    rule.roleNames.length - 1
+                                                ]!
+                                            ]
+                                        });
+                                        return;
+                                    }
+                                    if (names.length > 1) {
+                                        names = [names[names.length - 1]!];
+                                    }
+                                }
+
+                                onChange({
+                                    ...rule,
+                                    roleNames: names
+                                });
+                            }}
+                            activeTagIndex={activeTagIndex}
+                            setActiveTagIndex={setActiveTagIndex}
+                            placeholder={t(
+                                "roleMappingAssignRolesPlaceholderFreeform"
+                            )}
+                            enableAutocomplete={false}
+                            autocompleteOptions={roleOptions}
+                            restrictTagsToAutocompleteOptions={false}
+                            allowDuplicates={false}
+                            sortTags={true}
+                            size="sm"
+                            styleClasses={{
+                                inlineTagsContainer: "min-w-0 max-w-full"
+                            }}
+                        />
+                    )}
                 </div>
                 {showFreeformRoleNamesHint && (
                     <p className="text-sm text-muted-foreground">

src/components/Settings.tsx

@@ -61,12 +61,19 @@ export function SettingsSectionBody({
 }
 
 export function SettingsSectionFooter({
-    children
+    children,
+    className
 }: {
     children: React.ReactNode;
+    className?: string;
 }) {
     return (
-        <div className="flex flex-col md:flex-row justify-end space-y-2 md:space-y-0 md:space-x-2 mt-auto pt-6">
+        <div
+            className={cn(
+                "flex flex-col md:flex-row justify-end space-y-2 md:space-y-0 md:space-x-2 mt-auto pt-6",
+                className
+            )}
+        >
             {children}
         </div>
     );

src/components/SmartLoginForm.tsx

@@ -284,7 +284,7 @@ export default function SmartLoginForm({
 
                 {orgSignIn && (
                     <>
-                        <div className="relative my-4">
+                        <div className="relative">
                             <div className="absolute inset-0 flex items-center">
                                 <Separator />
                             </div>

src/components/SmartLoginOrgSelector.tsx

@@ -147,7 +147,7 @@ export default function SmartLoginOrgSelector({
             const response = await generateOidcUrlProxy(
                 idpId,
                 safeRedirect,
-                orgId,
+                undefined,
                 forceLogin
             );
 
@@ -207,7 +207,7 @@ export default function SmartLoginOrgSelector({
             />
 
             {hasInternalAccount && (
-                <div className="mt-3">
+                <div className="mt-4">
                     <Button
                         type="button"
                         className="w-full"
@@ -237,7 +237,7 @@ export default function SmartLoginOrgSelector({
                         </div>
                     </div>
 
-                    <div className="space-y-2">
+                    <div className="space-y-4">
                         {params.get("gotoapp") ? (
                             <Button
                                 type="button"

src/components/StrategySelect.tsx

@@ -25,11 +25,15 @@ export function StrategySelect<TValue extends string>({
     value: controlledValue,
     defaultValue,
     onChange,
-    cols
+    cols = 1
 }: StrategySelectProps<TValue>) {
-    const [uncontrolledSelected, setUncontrolledSelected] = useState<TValue | undefined>(defaultValue);
+    const [uncontrolledSelected, setUncontrolledSelected] = useState<
+        TValue | undefined
+    >(defaultValue);
     const isControlled = controlledValue !== undefined;
-    const selected = isControlled ? (controlledValue ?? undefined) : uncontrolledSelected;
+    const selected = isControlled
+        ? (controlledValue ?? undefined)
+        : uncontrolledSelected;
 
     return (
         <RadioGroup
@@ -39,7 +43,11 @@ export function StrategySelect<TValue extends string>({
                 if (!isControlled) setUncontrolledSelected(typedValue);
                 onChange?.(typedValue);
             }}
-            className={`grid md:grid-cols-${cols ? cols : 1} gap-4`}
+            style={{
+                // @ts-expect-error
+                "--cols": `repeat(${cols}, 1fr)`
+            }}
+            className="grid md:grid-cols-(--cols) gap-4"
         >
             {options.map((option: StrategyOption<TValue>) => (
                 <label

src/components/UptimeAlertSection.tsx

@@ -1,18 +1,5 @@
 "use client";
 
-import { useState, useMemo } from "react";
-import { useQuery, useQueryClient } from "@tanstack/react-query";
-import Link from "next/link";
-import { BellPlus, BellRing } from "lucide-react";
-import {
-    SettingsSection,
-    SettingsSectionHeader,
-    SettingsSectionTitle,
-    SettingsSectionDescription,
-    SettingsSectionBody
-} from "@app/components/Settings";
-import UptimeBar from "@app/components/UptimeBar";
-import { Button } from "@app/components/ui/button";
 import {
     Credenza,
     CredenzaBody,
@@ -23,18 +10,32 @@ import {
     CredenzaHeader,
     CredenzaTitle
 } from "@app/components/Credenza";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import {
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+import UptimeBar from "@app/components/UptimeBar";
+import { TagInput, type Tag } from "@app/components/tags/tag-input";
+import { Button } from "@app/components/ui/button";
 import { Input } from "@app/components/ui/input";
 import { Label } from "@app/components/ui/label";
-import { TagInput, type Tag } from "@app/components/tags/tag-input";
-import { getUserDisplayName } from "@app/lib/getUserDisplayName";
-import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
-import { toast } from "@app/hooks/useToast";
-import { orgQueries } from "@app/lib/queries";
-import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { orgQueries } from "@app/lib/queries";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import { BellPlus, BellRing } from "lucide-react";
 import { useTranslations } from "next-intl";
+import Link from "next/link";
+import { useState } from "react";
+import { RolesSelector } from "./roles-selector";
+import { UsersSelector } from "./users-selector";
 
 interface UptimeAlertSectionProps {
     orgId: string;
@@ -64,12 +65,7 @@ export default function UptimeAlertSection({
     const [userTags, setUserTags] = useState<Tag[]>([]);
     const [roleTags, setRoleTags] = useState<Tag[]>([]);
     const [emailTags, setEmailTags] = useState<Tag[]>([]);
-    const [activeUserTagIndex, setActiveUserTagIndex] = useState<number | null>(
-        null
-    );
-    const [activeRoleTagIndex, setActiveRoleTagIndex] = useState<number | null>(
-        null
-    );
+
     const [activeEmailTagIndex, setActiveEmailTagIndex] = useState<
         number | null
     >(null);
@@ -80,27 +76,6 @@ export default function UptimeAlertSection({
         enabled: isPaid
     });
 
-    const { data: orgUsers = [] } = useQuery(orgQueries.users({ orgId }));
-    const { data: orgRoles = [] } = useQuery(orgQueries.roles({ orgId }));
-
-    const allUsers = useMemo(
-        () =>
-            orgUsers.map((u) => ({
-                id: String(u.id),
-                text: getUserDisplayName({
-                    email: u.email,
-                    name: u.name,
-                    username: u.username
-                })
-            })),
-        [orgUsers]
-    );
-
-    const allRoles = useMemo(
-        () => orgRoles.map((r) => ({ id: String(r.roleId), text: r.name })),
-        [orgRoles]
-    );
-
     const hasRules = (alertRules?.length ?? 0) > 0;
 
     async function handleSubmit() {
@@ -227,10 +202,16 @@ export default function UptimeAlertSection({
                     </CredenzaHeader>
                     <CredenzaBody>
                         <div className="space-y-4">
-                            <PaidFeaturesAlert tiers={tierMatrix.alertingRules} />
+                            <PaidFeaturesAlert
+                                tiers={tierMatrix.alertingRules}
+                            />
                             <fieldset
                                 disabled={!isPaid}
-                                className={!isPaid ? "opacity-50 pointer-events-none" : ""}
+                                className={
+                                    !isPaid
+                                        ? "opacity-50 pointer-events-none"
+                                        : ""
+                                }
                             >
                                 <div className="space-y-4">
                                     <div className="space-y-2">
@@ -240,65 +221,53 @@ export default function UptimeAlertSection({
                                         <Input
                                             id="alert-name"
                                             value={name}
-                                            onChange={(e) => setName(e.target.value)}
-                                            placeholder={t("uptimeAlertNamePlaceholder")}
+                                            onChange={(e) =>
+                                                setName(e.target.value)
+                                            }
+                                            placeholder={t(
+                                                "uptimeAlertNamePlaceholder"
+                                            )}
                                         />
                                     </div>
                                     <div className="space-y-2">
-                                        <Label>{t("alertingNotifyUsers")}</Label>
-                                        <TagInput
-                                            activeTagIndex={activeUserTagIndex}
-                                            setActiveTagIndex={setActiveUserTagIndex}
-                                            placeholder={t("alertingSelectUsers")}
-                                            size="sm"
-                                            tags={userTags}
-                                            setTags={(newTags) => {
-                                                const next =
-                                                    typeof newTags === "function"
-                                                        ? newTags(userTags)
-                                                        : newTags;
-                                                setUserTags(next as Tag[]);
-                                            }}
-                                            enableAutocomplete
-                                            autocompleteOptions={allUsers}
-                                            restrictTagsToAutocompleteOptions
-                                            allowDuplicates={false}
-                                            sortTags
+                                        <Label>
+                                            {t("alertingNotifyUsers")}
+                                        </Label>
+                                        <UsersSelector
+                                            selectedUsers={userTags}
+                                            orgId={orgId}
+                                            onSelectUsers={setUserTags}
                                         />
                                     </div>
                                     <div className="space-y-2">
-                                        <Label>{t("alertingNotifyRoles")}</Label>
-                                        <TagInput
-                                            activeTagIndex={activeRoleTagIndex}
-                                            setActiveTagIndex={setActiveRoleTagIndex}
-                                            placeholder={t("alertingSelectRoles")}
-                                            size="sm"
-                                            tags={roleTags}
-                                            setTags={(newTags) => {
-                                                const next =
-                                                    typeof newTags === "function"
-                                                        ? newTags(roleTags)
-                                                        : newTags;
-                                                setRoleTags(next as Tag[]);
-                                            }}
-                                            enableAutocomplete
-                                            autocompleteOptions={allRoles}
-                                            restrictTagsToAutocompleteOptions
-                                            allowDuplicates={false}
-                                            sortTags
+                                        <Label>
+                                            {t("alertingNotifyRoles")}
+                                        </Label>
+                                        <RolesSelector
+                                            selectedRoles={roleTags}
+                                            restrictAdminRole
+                                            orgId={orgId}
+                                            onSelectRoles={setRoleTags}
                                         />
                                     </div>
                                     <div className="space-y-2">
-                                        <Label>{t("uptimeAdditionalEmails")}</Label>
+                                        <Label>
+                                            {t("uptimeAdditionalEmails")}
+                                        </Label>
                                         <TagInput
                                             activeTagIndex={activeEmailTagIndex}
-                                            setActiveTagIndex={setActiveEmailTagIndex}
-                                            placeholder={t("alertingEmailPlaceholder")}
+                                            setActiveTagIndex={
+                                                setActiveEmailTagIndex
+                                            }
+                                            placeholder={t(
+                                                "alertingEmailPlaceholder"
+                                            )}
                                             size="sm"
                                             tags={emailTags}
                                             setTags={(newTags) => {
                                                 const next =
-                                                    typeof newTags === "function"
+                                                    typeof newTags ===
+                                                    "function"
                                                         ? newTags(emailTags)
                                                         : newTags;
                                                 setEmailTags(next as Tag[]);
@@ -306,7 +275,9 @@ export default function UptimeAlertSection({
                                             allowDuplicates={false}
                                             sortTags
                                             validateTag={(tag) =>
-                                                /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(tag)
+                                                /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(
+                                                    tag
+                                                )
                                             }
                                             delimiterList={[",", "Enter"]}
                                         />

src/components/ValidateOidcToken.tsx

@@ -17,6 +17,7 @@ import { Loader2, CheckCircle2, AlertCircle } from "lucide-react";
 import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
 import { useTranslations } from "next-intl";
 import { validateOidcUrlCallbackProxy } from "@app/actions/server";
+import { build } from "@server/build";
 
 type ValidateOidcTokenParams = {
     orgId: string;
@@ -96,7 +97,7 @@ export default function ValidateOidcToken(props: ValidateOidcTokenParams) {
                 stateCookie: props.stateCookie
             });
 
-            if (isLicenseViolation()) {
+            if (build === "enterprise" && isLicenseViolation()) {
                 await new Promise((resolve) => setTimeout(resolve, 5000));
             }
 

src/components/alert-rule-editor/AlertRuleFields.tsx

@@ -1,5 +1,8 @@
 "use client";
 
+import { ContactSalesBanner } from "@app/components/ContactSalesBanner";
+import { StrategySelect } from "@app/components/StrategySelect";
+import { TagInput, type Tag } from "@app/components/tags/tag-input";
 import { Button } from "@app/components/ui/button";
 import { Checkbox } from "@app/components/ui/checkbox";
 import {
@@ -21,11 +24,13 @@ import {
 import { Input } from "@app/components/ui/input";
 import { Switch } from "@app/components/ui/switch";
 import { Textarea } from "@app/components/ui/textarea";
+import { Label } from "@app/components/ui/label";
 import {
     Popover,
     PopoverContent,
     PopoverTrigger
 } from "@app/components/ui/popover";
+import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
 import {
     Select,
     SelectContent,
@@ -33,24 +38,21 @@ import {
     SelectTrigger,
     SelectValue
 } from "@app/components/ui/select";
-import { RadioGroup, RadioGroupItem } from "@app/components/ui/radio-group";
-import { Label } from "@app/components/ui/label";
-import { StrategySelect } from "@app/components/StrategySelect";
-import { TagInput, type Tag } from "@app/components/tags/tag-input";
-import { getUserDisplayName } from "@app/lib/getUserDisplayName";
 import {
     type AlertRuleFormAction,
     type AlertRuleFormValues
 } from "@app/lib/alertRuleForm";
+import { getUserDisplayName } from "@app/lib/getUserDisplayName";
 import { orgQueries } from "@app/lib/queries";
 import { useQuery } from "@tanstack/react-query";
-import { ContactSalesBanner } from "@app/components/ContactSalesBanner";
-import { Bell, Globe, ChevronsUpDown, Plus, Trash2 } from "lucide-react";
+import { Bell, ChevronsUpDown, Globe, Plus, Trash2 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useEffect, useMemo, useRef, useState } from "react";
 import type { Control, UseFormReturn } from "react-hook-form";
 import { useFormContext, useWatch } from "react-hook-form";
 import { useDebounce } from "use-debounce";
+import { RolesSelector } from "../roles-selector";
+import { UsersSelector } from "../users-selector";
 
 export function AddActionPanel({
     onAdd
@@ -498,12 +500,6 @@ function NotifyActionFields({
     const t = useTranslations();
 
     const [emailActiveIdx, setEmailActiveIdx] = useState<number | null>(null);
-    const [activeUsersTagIndex, setActiveUsersTagIndex] = useState<
-        number | null
-    >(null);
-    const [activeRolesTagIndex, setActiveRolesTagIndex] = useState<
-        number | null
-    >(null);
 
     const { data: orgUsers = [], isLoading: isLoadingUsers } = useQuery(
         orgQueries.users({ orgId })
@@ -574,14 +570,6 @@ function NotifyActionFields({
         hasResolvedTagsRef.current = true;
     }, [isLoadingUsers, isLoadingRoles, allUsers, allRoles]);
 
-    const userTags = (useWatch({
-        control,
-        name: `actions.${index}.userTags`
-    }) ?? []) as Tag[];
-    const roleTags = (useWatch({
-        control,
-        name: `actions.${index}.roleTags`
-    }) ?? []) as Tag[];
     const emailTags = (useWatch({
         control,
         name: `actions.${index}.emailTags`
@@ -596,29 +584,16 @@ function NotifyActionFields({
                     <FormItem className="flex flex-col items-start">
                         <FormLabel>{t("alertingNotifyUsers")}</FormLabel>
                         <FormControl>
-                            <TagInput
-                                {...field}
-                                activeTagIndex={activeUsersTagIndex}
-                                setActiveTagIndex={setActiveUsersTagIndex}
-                                placeholder={t("alertingSelectUsers")}
-                                size="sm"
-                                tags={userTags}
-                                setTags={(newTags) => {
-                                    const next =
-                                        typeof newTags === "function"
-                                            ? newTags(userTags)
-                                            : newTags;
+                            <UsersSelector
+                                selectedUsers={field.value ?? []}
+                                orgId={orgId}
+                                onSelectUsers={(newUsers) => {
                                     form.setValue(
                                         `actions.${index}.userTags`,
-                                        next as Tag[],
+                                        newUsers as [Tag, ...Tag[]],
                                         { shouldDirty: true }
                                     );
                                 }}
-                                enableAutocomplete={true}
-                                autocompleteOptions={allUsers}
-                                allowDuplicates={false}
-                                restrictTagsToAutocompleteOptions={true}
-                                sortTags={true}
                             />
                         </FormControl>
                         <FormMessage />
@@ -632,29 +607,17 @@ function NotifyActionFields({
                     <FormItem className="flex flex-col items-start">
                         <FormLabel>{t("alertingNotifyRoles")}</FormLabel>
                         <FormControl>
-                            <TagInput
-                                {...field}
-                                activeTagIndex={activeRolesTagIndex}
-                                setActiveTagIndex={setActiveRolesTagIndex}
-                                placeholder={t("alertingSelectRoles")}
-                                size="sm"
-                                tags={roleTags}
-                                setTags={(newTags) => {
-                                    const next =
-                                        typeof newTags === "function"
-                                            ? newTags(roleTags)
-                                            : newTags;
+                            <RolesSelector
+                                selectedRoles={field.value ?? []}
+                                restrictAdminRole
+                                orgId={orgId}
+                                onSelectRoles={(newUsers) => {
                                     form.setValue(
                                         `actions.${index}.roleTags`,
-                                        next as Tag[],
+                                        newUsers as [Tag, ...Tag[]],
                                         { shouldDirty: true }
                                     );
                                 }}
-                                enableAutocomplete={true}
-                                autocompleteOptions={allRoles}
-                                allowDuplicates={false}
-                                restrictTagsToAutocompleteOptions={true}
-                                sortTags={true}
                             />
                         </FormControl>
                         <FormMessage />

src/components/machines-selector.tsx

@@ -5,7 +5,7 @@ import { useMemo, useState } from "react";
 import { useDebounce } from "use-debounce";
 
 import { useTranslations } from "next-intl";
-import { MultiSelectTags } from "./multi-select-tags";
+import { MultiSelectTagInput } from "./multi-select/multi-select-tag-input";
 
 export type SelectedMachine = Pick<
     ListClientsResponse["clients"][number],
@@ -28,11 +28,13 @@ export function MachinesSelector({
 
     const [debouncedValue] = useDebounce(machineSearchQuery, 150);
 
+    const perPage = 7;
+
     const { data: machines = [] } = useQuery(
-        orgQueries.machineClients({ orgId, perPage: 10, query: debouncedValue })
+        orgQueries.machineClients({ orgId, perPage, query: debouncedValue })
     );
 
-    // always include the selected machines in the list of machines shown (if the user isn't searching)
+    // always include the selected machines in the list (if the user isn't searching)
     const machinesShown = useMemo(() => {
         const allMachines: Array<SelectedMachine> = [...machines];
         if (debouncedValue.trim().length === 0) {
@@ -44,75 +46,32 @@ export function MachinesSelector({
                 }
             }
         }
-
         return allMachines;
     }, [machines, selectedMachines, debouncedValue]);
 
-    // const selectedMachinesIds = new Set(
-    //     selectedMachines.map((m) => m.clientId)
-    // );
-
     return (
-        <MultiSelectTags
+        <MultiSelectTagInput
+            buttonText={t("accessClientSelect")}
+            searchPlaceholder={t("search")}
             emptyPlaceholder={t("machineNotFound")}
-            searchPlaceholder={t("machineSearch")}
-            value={selectedMachines.map((m) => ({
-                ...m,
-                text: m.name,
-                id: m.clientId.toString()
-            }))}
-            onChange={(values) => {
-                onSelectMachines(values);
-            }}
-            options={machinesShown.map((m) => ({
-                ...m,
-                id: m.clientId.toString(),
-                text: m.name
-            }))}
-            onSearch={setMachineSearchQuery}
             searchQuery={machineSearchQuery}
+            onSearch={setMachineSearchQuery}
+            options={machinesShown.map((mc) => ({
+                id: mc.clientId.toString(),
+                text: mc.name
+            }))}
+            value={selectedMachines.map((mc) => ({
+                id: mc.clientId.toString(),
+                text: mc.name
+            }))}
+            onChange={(newValues) => {
+                onSelectMachines(
+                    newValues.map((v) => ({
+                        clientId: Number(v.id),
+                        name: v.text
+                    }))
+                );
+            }}
         />
-        // <Command shouldFilter={false}>
-        //     <CommandInput
-        //         placeholder={t("machineSearch")}
-        //         value={machineSearchQuery}
-        //         onValueChange={setMachineSearchQuery}
-        //     />
-        //     <CommandList>
-        //         <CommandEmpty>{t("machineNotFound")}</CommandEmpty>
-        //         <CommandGroup>
-        //             {machinesShown.map((m) => (
-        //                 <CommandItem
-        //                     value={`${m.name}:${m.clientId}`}
-        //                     key={m.clientId}
-        //                     onSelect={() => {
-        //                         let newMachineClients = [];
-        //                         if (selectedMachinesIds.has(m.clientId)) {
-        //                             newMachineClients = selectedMachines.filter(
-        //                                 (mc) => mc.clientId !== m.clientId
-        //                             );
-        //                         } else {
-        //                             newMachineClients = [
-        //                                 ...selectedMachines,
-        //                                 m
-        //                             ];
-        //                         }
-        //                         onSelectMachines(newMachineClients);
-        //                     }}
-        //                 >
-        //                     <CheckIcon
-        //                         className={cn(
-        //                             "mr-2 h-4 w-4",
-        //                             selectedMachinesIds.has(m.clientId)
-        //                                 ? "opacity-100"
-        //                                 : "opacity-0"
-        //                         )}
-        //                     />
-        //                     {`${m.name}`}
-        //                 </CommandItem>
-        //             ))}
-        //         </CommandGroup>
-        //     </CommandList>
-        // </Command>
     );
 }

src/components/multi-select-tags.tsx

@@ -1,77 +0,0 @@
-import type { Ref } from "react";
-import {
-    Command,
-    CommandEmpty,
-    CommandGroup,
-    CommandInput,
-    CommandItem,
-    CommandList
-} from "./ui/command";
-import { cn } from "@app/lib/cn";
-import { CheckIcon } from "lucide-react";
-
-export type TagValue = { text: string; id: string };
-
-export type MultiSelectTagsProps<T extends TagValue> = {
-    emptyPlaceholder: string;
-    searchPlaceholder: string;
-    searchQuery?: string;
-    options: Array<T>;
-    value: Array<T>;
-    onChange: (newValue: Array<T>) => void;
-    onSearch: (query: string) => void;
-    ref?: Ref<HTMLButtonElement>;
-};
-
-export function MultiSelectTags<T extends TagValue>({
-    emptyPlaceholder,
-    searchPlaceholder,
-    searchQuery,
-    value,
-    options,
-    onSearch,
-    onChange
-}: MultiSelectTagsProps<T>) {
-    const selectedValues = new Set(value.map((v) => v.id));
-    return (
-        <Command shouldFilter={false}>
-            <CommandInput
-                placeholder={searchPlaceholder}
-                value={searchQuery}
-                onValueChange={onSearch}
-            />
-            <CommandList>
-                <CommandEmpty>{emptyPlaceholder}</CommandEmpty>
-                <CommandGroup>
-                    {options.map((option) => (
-                        <CommandItem
-                            value={option.id}
-                            key={option.id}
-                            onSelect={() => {
-                                let newValues = [];
-                                if (selectedValues.has(option.id)) {
-                                    newValues = value.filter(
-                                        (v) => v.id !== option.id
-                                    );
-                                } else {
-                                    newValues = [...value, option];
-                                }
-                                onChange(newValues);
-                            }}
-                        >
-                            <CheckIcon
-                                className={cn(
-                                    "mr-2 h-4 w-4",
-                                    selectedValues.has(option.id)
-                                        ? "opacity-100"
-                                        : "opacity-0"
-                                )}
-                            />
-                            {`${option.text}`}
-                        </CommandItem>
-                    ))}
-                </CommandGroup>
-            </CommandList>
-        </Command>
-    );
-}

src/components/multi-select/multi-select-content.tsx

@@ -0,0 +1,89 @@
+import type { Ref } from "react";
+import {
+    Command,
+    CommandEmpty,
+    CommandGroup,
+    CommandInput,
+    CommandItem,
+    CommandList
+} from "../ui/command";
+import { cn } from "@app/lib/cn";
+import { CheckIcon } from "lucide-react";
+import { useTranslations } from "next-intl";
+
+export type TagValue = { text: string; id: string };
+
+export type MultiSelectTagsProps<T extends TagValue> = {
+    emptyPlaceholder?: string;
+    searchPlaceholder?: string;
+    searchQuery?: string;
+    options: Array<T>;
+    value: Array<T>;
+    onChange: (newValue: Array<T>) => void;
+    onSearch: (query: string) => void;
+    ref?: Ref<HTMLButtonElement>;
+    disabled?: boolean;
+    lockedIds?: Set<string>;
+};
+
+export function MultiSelectContent<T extends TagValue>({
+    emptyPlaceholder,
+    searchPlaceholder,
+    searchQuery,
+    value,
+    options,
+    onSearch,
+    onChange,
+    lockedIds
+}: MultiSelectTagsProps<T>) {
+    const t = useTranslations();
+    const selectedValues = new Set(value.map((v) => v.id));
+    return (
+        <Command shouldFilter={false}>
+            <CommandInput
+                placeholder={searchPlaceholder ?? t("search")}
+                value={searchQuery}
+                onValueChange={onSearch}
+            />
+            <CommandList>
+                <CommandEmpty className="text-muted-foreground">
+                    {emptyPlaceholder ?? t("noResults")}
+                </CommandEmpty>
+                <CommandGroup>
+                    {options.map((option) => {
+                        const isLocked = lockedIds?.has(option.id);
+                        return (
+                            <CommandItem
+                                value={option.id}
+                                key={option.id}
+                                disabled={isLocked}
+                                onSelect={() => {
+                                    if (isLocked) return;
+                                    let newValues = [];
+                                    if (selectedValues.has(option.id)) {
+                                        newValues = value.filter(
+                                            (v) => v.id !== option.id
+                                        );
+                                    } else {
+                                        newValues = [...value, option];
+                                    }
+                                    onChange(newValues);
+                                }}
+                            >
+                                <CheckIcon
+                                    className={cn(
+                                        "mr-2 h-4 w-4",
+                                        selectedValues.has(option.id)
+                                            ? "opacity-100"
+                                            : "opacity-0"
+                                    )}
+                                />
+                                {`${option.text}`}
+                            </CommandItem>
+                        );
+                    })}
+                </CommandGroup>
+            </CommandList>
+        </Command>
+    );
+}

src/components/multi-select/multi-select-tag-input.tsx

@@ -0,0 +1,117 @@
+import { buttonVariants } from "@app/components/ui/button";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@app/components/ui/popover";
+import { cn } from "@app/lib/cn";
+import { ChevronDownIcon, LockIcon, XIcon } from "lucide-react";
+import {
+    type MultiSelectTagsProps,
+    type TagValue,
+    MultiSelectContent
+} from "./multi-select-content";
+
+export interface MultiSelectInputProps<
+    T extends TagValue
+> extends MultiSelectTagsProps<T> {
+    buttonText?: string;
+    lockedIds?: Set<string>;
+}
+
+export function MultiSelectTagInput<T extends TagValue>({
+    buttonText,
+    lockedIds,
+    ...props
+}: MultiSelectInputProps<T>) {
+    const selectedValues = new Set(props.value.map((v) => v.id));
+
+    return (
+        <Popover
+            onOpenChange={(open) => {
+                if (!open) {
+                    // clear input when popover is closed
+                    props.onSearch("");
+                }
+            }}
+        >
+            <PopoverTrigger asChild>
+                <div
+                    role="combobox"
+                    className={cn(
+                        buttonVariants({
+                            variant: "outline"
+                        }),
+                        "justify-between w-full inline-flex",
+                        "text-muted-foreground pl-1.5 cursor-text",
+                        "hover:bg-transparent hover:text-muted-foreground",
+                        props.disabled && "pointer-events-none opacity-50"
+                    )}
+                >
+                    <span
+                        className={cn(
+                            "inline-flex items-center gap-1",
+                            "overflow-x-auto"
+                        )}
+                    >
+                        {props.value.map((option) => {
+                            const isLocked = lockedIds?.has(option.id);
+                            return (
+                                <span
+                                    key={option.id}
+                                    className={cn(
+                                        "bg-muted-foreground/10 font-normal text-foreground rounded-sm",
+                                        "py-1 pl-1.5 pr-0.5 text-xs inline-flex items-center gap-0.5",
+                                        isLocked && "opacity-60"
+                                    )}
+                                    onClick={(e) => e.stopPropagation()}
+                                >
+                                    {option.text}
+                                    {isLocked ? (
+                                        <span className="p-0.5 flex-none">
+                                            <LockIcon className="size-3" />
+                                        </span>
+                                    ) : (
+                                        <button
+                                            className="p-0.5 flex-none cursor-pointer"
+                                            type="button"
+                                            onClick={(e) => {
+                                                e.stopPropagation();
+                                                let newValues = [];
+                                                if (
+                                                    selectedValues.has(
+                                                        option.id
+                                                    )
+                                                ) {
+                                                    newValues =
+                                                        props.value.filter(
+                                                            (v) =>
+                                                                v.id !==
+                                                                option.id
+                                                        );
+                                                } else {
+                                                    newValues = [
+                                                        ...props.value,
+                                                        option
+                                                    ];
+                                                }
+                                                props.onChange(newValues);
+                                            }}
+                                        >
+                                            <XIcon className="size-3.5" />
+                                        </button>
+                                    )}
+                                </span>
+                            );
+                        })}
+                        <span className="pl-1 font-normal">{buttonText}</span>
+                    </span>
+                    <ChevronDownIcon className="ml-2 h-4 w-4 shrink-0 text-muted-foreground" />
+                </div>
+            </PopoverTrigger>
+            <PopoverContent className="p-0">
+                <MultiSelectContent {...props} lockedIds={lockedIds} />
+            </PopoverContent>
+        </Popover>
+    );
+}

src/components/resource-policy/CreatePolicyAuthMethodsSectionForm.tsx

@@ -0,0 +1,521 @@
+"use client";
+
+import {
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useTranslations } from "next-intl";
+
+import z from "zod";
+
+import { createPolicySchema, type PolicyFormValues } from ".";
+
+import { SwitchInput } from "@app/components/SwitchInput";
+import { Button } from "@app/components/ui/button";
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import {
+    Form,
+    FormControl,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Input } from "@app/components/ui/input";
+import {
+    InputOTP,
+    InputOTPGroup,
+    InputOTPSlot
+} from "@app/components/ui/input-otp";
+
+import { cn } from "@app/lib/cn";
+import { Binary, Bot, Key, Plus } from "lucide-react";
+
+import { useEffect, useState } from "react";
+import { type UseFormReturn, useForm, useWatch } from "react-hook-form";
+
+// ─── CreatePolicyAuthMethodsSectionForm ───────────────────────────────────────
+
+const setPasswordSchema = z.object({
+    password: z.string().min(4).max(100)
+});
+
+const setPincodeSchema = z.object({
+    pincode: z.string().length(6)
+});
+
+const setHeaderAuthSchema = z.object({
+    user: z.string().min(4).max(100),
+    password: z.string().min(4).max(100),
+    extendedCompatibility: z.boolean()
+});
+
+export type CreatePolicyAuthMethodsSectionFormProps = {
+    form: UseFormReturn<PolicyFormValues, any, any>;
+};
+
+export function CreatePolicyAuthMethodsSectionForm({
+    form: parentForm
+}: CreatePolicyAuthMethodsSectionFormProps) {
+    const t = useTranslations();
+    const [isExpanded, setIsExpanded] = useState(false);
+    const [isSetPasswordOpen, setIsSetPasswordOpen] = useState(false);
+    const [isSetPincodeOpen, setIsSetPincodeOpen] = useState(false);
+    const [isSetHeaderAuthOpen, setIsSetHeaderAuthOpen] = useState(false);
+
+    const form = useForm({
+        resolver: zodResolver(
+            createPolicySchema.pick({
+                password: true,
+                pincode: true,
+                headerAuth: true
+            })
+        ),
+        defaultValues: {
+            password: null,
+            pincode: null,
+            headerAuth: null
+        }
+    });
+
+    useEffect(() => {
+        const subscription = form.watch((values) => {
+            parentForm.setValue("password", values.password as any);
+            parentForm.setValue("pincode", values.pincode as any);
+            parentForm.setValue("headerAuth", values.headerAuth as any);
+        });
+        return () => subscription.unsubscribe();
+    }, [form, parentForm]);
+
+    const password = useWatch({
+        control: form.control,
+        name: "password"
+    });
+    const pincode = useWatch({
+        control: form.control,
+        name: "pincode"
+    });
+    const headerAuth = useWatch({
+        control: form.control,
+        name: "headerAuth"
+    });
+
+    const passwordForm = useForm({
+        resolver: zodResolver(setPasswordSchema),
+        defaultValues: { password: "" }
+    });
+
+    const pincodeForm = useForm({
+        resolver: zodResolver(setPincodeSchema),
+        defaultValues: { pincode: "" }
+    });
+
+    const headerAuthForm = useForm({
+        resolver: zodResolver(setHeaderAuthSchema),
+        defaultValues: { user: "", password: "", extendedCompatibility: true }
+    });
+
+    if (!isExpanded) {
+        return (
+            <SettingsSection>
+                <SettingsSectionHeader>
+                    <SettingsSectionTitle>
+                        {t("resourceAuthMethods")}
+                    </SettingsSectionTitle>
+                    <SettingsSectionDescription>
+                        {t("resourcePolicyAuthMethodsDescription")}
+                    </SettingsSectionDescription>
+                </SettingsSectionHeader>
+                <SettingsSectionBody>
+                    <Button
+                        type="button"
+                        variant="outline"
+                        onClick={() => setIsExpanded(true)}
+                    >
+                        <Plus className="mr-2 h-4 w-4" />
+                        {t("resourcePolicyAuthMethodAdd")}
+                    </Button>
+                </SettingsSectionBody>
+            </SettingsSection>
+        );
+    }
+
+    return (
+        <>
+            {/* Password Credenza */}
+            <Credenza
+                open={isSetPasswordOpen}
+                onOpenChange={(val) => {
+                    setIsSetPasswordOpen(val);
+                    if (!val) passwordForm.reset();
+                }}
+            >
+                <CredenzaContent>
+                    <CredenzaHeader>
+                        <CredenzaTitle>
+                            {t("resourcePasswordSetupTitle")}
+                        </CredenzaTitle>
+                        <CredenzaDescription>
+                            {t("resourcePasswordSetupTitleDescription")}
+                        </CredenzaDescription>
+                    </CredenzaHeader>
+                    <CredenzaBody>
+                        <Form {...passwordForm}>
+                            <form
+                                onSubmit={passwordForm.handleSubmit((data) => {
+                                    form.setValue("password", data);
+                                    setIsSetPasswordOpen(false);
+                                    passwordForm.reset();
+                                })}
+                                className="space-y-4"
+                                id="set-password-form"
+                            >
+                                <FormField
+                                    control={passwordForm.control}
+                                    name="password"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("password")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    type="password"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    </CredenzaBody>
+                    <CredenzaFooter>
+                        <CredenzaClose asChild>
+                            <Button variant="outline">{t("close")}</Button>
+                        </CredenzaClose>
+                        <Button type="submit" form="set-password-form">
+                            {t("resourcePasswordSubmit")}
+                        </Button>
+                    </CredenzaFooter>
+                </CredenzaContent>
+            </Credenza>
+
+            {/* Pincode Credenza */}
+            <Credenza
+                open={isSetPincodeOpen}
+                onOpenChange={(val) => {
+                    setIsSetPincodeOpen(val);
+                    if (!val) pincodeForm.reset();
+                }}
+            >
+                <CredenzaContent>
+                    <CredenzaHeader>
+                        <CredenzaTitle>
+                            {t("resourcePincodeSetupTitle")}
+                        </CredenzaTitle>
+                        <CredenzaDescription>
+                            {t("resourcePincodeSetupTitleDescription")}
+                        </CredenzaDescription>
+                    </CredenzaHeader>
+                    <CredenzaBody>
+                        <Form {...pincodeForm}>
+                            <form
+                                onSubmit={pincodeForm.handleSubmit((data) => {
+                                    form.setValue("pincode", data);
+                                    setIsSetPincodeOpen(false);
+                                    pincodeForm.reset();
+                                })}
+                                className="space-y-4"
+                                id="set-pincode-form"
+                            >
+                                <FormField
+                                    control={pincodeForm.control}
+                                    name="pincode"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("resourcePincode")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <div className="flex justify-center">
+                                                    <InputOTP
+                                                        autoComplete="false"
+                                                        maxLength={6}
+                                                        {...field}
+                                                    >
+                                                        <InputOTPGroup className="flex">
+                                                            <InputOTPSlot
+                                                                index={0}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={1}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={2}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={3}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={4}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={5}
+                                                                obscured
+                                                            />
+                                                        </InputOTPGroup>
+                                                    </InputOTP>
+                                                </div>
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    </CredenzaBody>
+                    <CredenzaFooter>
+                        <CredenzaClose asChild>
+                            <Button variant="outline">{t("close")}</Button>
+                        </CredenzaClose>
+                        <Button type="submit" form="set-pincode-form">
+                            {t("resourcePincodeSubmit")}
+                        </Button>
+                    </CredenzaFooter>
+                </CredenzaContent>
+            </Credenza>
+
+            {/* Header Auth Credenza */}
+            <Credenza
+                open={isSetHeaderAuthOpen}
+                onOpenChange={(val) => {
+                    setIsSetHeaderAuthOpen(val);
+                    if (!val) headerAuthForm.reset();
+                }}
+            >
+                <CredenzaContent>
+                    <CredenzaHeader>
+                        <CredenzaTitle>
+                            {t("resourceHeaderAuthSetupTitle")}
+                        </CredenzaTitle>
+                        <CredenzaDescription>
+                            {t("resourceHeaderAuthSetupTitleDescription")}
+                        </CredenzaDescription>
+                    </CredenzaHeader>
+                    <CredenzaBody>
+                        <Form {...headerAuthForm}>
+                            <form
+                                onSubmit={headerAuthForm.handleSubmit(
+                                    (data) => {
+                                        form.setValue("headerAuth", data);
+                                        setIsSetHeaderAuthOpen(false);
+                                        headerAuthForm.reset();
+                                    }
+                                )}
+                                className="space-y-4"
+                                id="set-header-auth-form"
+                            >
+                                <FormField
+                                    control={headerAuthForm.control}
+                                    name="user"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>{t("user")}</FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    type="text"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={headerAuthForm.control}
+                                    name="password"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("password")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    type="password"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={headerAuthForm.control}
+                                    name="extendedCompatibility"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormControl>
+                                                <SwitchInput
+                                                    id="header-auth-compatibility-toggle"
+                                                    label={t(
+                                                        "headerAuthCompatibility"
+                                                    )}
+                                                    info={t(
+                                                        "headerAuthCompatibilityInfo"
+                                                    )}
+                                                    checked={field.value}
+                                                    onCheckedChange={
+                                                        field.onChange
+                                                    }
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    </CredenzaBody>
+                    <CredenzaFooter>
+                        <CredenzaClose asChild>
+                            <Button variant="outline">{t("close")}</Button>
+                        </CredenzaClose>
+                        <Button type="submit" form="set-header-auth-form">
+                            {t("resourceHeaderAuthSubmit")}
+                        </Button>
+                    </CredenzaFooter>
+                </CredenzaContent>
+            </Credenza>
+
+            <SettingsSection>
+                <SettingsSectionHeader>
+                    <SettingsSectionTitle>
+                        {t("resourceAuthMethods")}
+                    </SettingsSectionTitle>
+                    <SettingsSectionDescription>
+                        {t("resourcePolicyAuthMethodsDescription")}
+                    </SettingsSectionDescription>
+                </SettingsSectionHeader>
+                <SettingsSectionBody>
+                    <SettingsSectionForm>
+                        {/* Password row */}
+                        <div className="flex items-center justify-between border rounded-md p-2 mb-4">
+                            <div
+                                className={cn("flex items-center text-sm space-x-2", password && "text-green-500")}
+                            >
+                                <Key size="14" />
+                                <span>
+                                    {t("resourcePasswordProtection", {
+                                        status: password
+                                            ? t("enabled")
+                                            : t("disabled")
+                                    })}
+                                </span>
+                            </div>
+                            <Button
+                                type="button"
+                                variant="secondary"
+                                size="sm"
+                                onClick={
+                                    password
+                                        ? () => form.setValue("password", null)
+                                        : () => setIsSetPasswordOpen(true)
+                                }
+                            >
+                                {password
+                                    ? t("passwordRemove")
+                                    : t("passwordAdd")}
+                            </Button>
+                        </div>
+
+                        {/* Pincode row */}
+                        <div className="flex items-center justify-between border rounded-md p-2">
+                            <div
+                                className={cn("flex items-center space-x-2 text-sm", pincode && "text-green-500")}
+                            >
+                                <Binary size="14" />
+                                <span>
+                                    {t("resourcePincodeProtection", {
+                                        status: pincode
+                                            ? t("enabled")
+                                            : t("disabled")
+                                    })}
+                                </span>
+                            </div>
+                            <Button
+                                type="button"
+                                variant="secondary"
+                                size="sm"
+                                onClick={
+                                    pincode
+                                        ? () => form.setValue("pincode", null)
+                                        : () => setIsSetPincodeOpen(true)
+                                }
+                            >
+                                {pincode ? t("pincodeRemove") : t("pincodeAdd")}
+                            </Button>
+                        </div>
+
+                        {/* Header auth row */}
+                        <div className="flex items-center justify-between border rounded-md p-2">
+                            <div
+                                className={cn("flex items-center space-x-2 text-sm", headerAuth && "text-green-500")}
+                            >
+                                <Bot size="14" />
+                                <span>
+                                    {headerAuth
+                                        ? t(
+                                              "resourceHeaderAuthProtectionEnabled"
+                                          )
+                                        : t(
+                                              "resourceHeaderAuthProtectionDisabled"
+                                          )}
+                                </span>
+                            </div>
+                            <Button
+                                type="button"
+                                variant="secondary"
+                                size="sm"
+                                onClick={
+                                    headerAuth
+                                        ? () =>
+                                              form.setValue("headerAuth", null)
+                                        : () => setIsSetHeaderAuthOpen(true)
+                                }
+                            >
+                                {headerAuth
+                                    ? t("headerAuthRemove")
+                                    : t("headerAuthAdd")}
+                            </Button>
+                        </div>
+                    </SettingsSectionForm>
+                </SettingsSectionBody>
+            </SettingsSection>
+        </>
+    );
+}

src/components/resource-policy/CreatePolicyForm.tsx

@@ -0,0 +1,280 @@
+"use client";
+
+import {
+    SettingsContainer,
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { useOrgContext } from "@app/hooks/useOrgContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+import { getUserDisplayName } from "@app/lib/getUserDisplayName";
+import { orgQueries } from "@app/lib/queries";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { build } from "@server/build";
+import { UserType } from "@server/types/UserTypes";
+import { useQuery } from "@tanstack/react-query";
+import { useTranslations } from "next-intl";
+import { type PolicyFormValues, createPolicySchema } from ".";
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { orgs, type ResourcePolicy } from "@server/db";
+import type { AxiosResponse } from "axios";
+import { useRouter } from "next/navigation";
+import { Button } from "@app/components/ui/button";
+import {
+    Form,
+    FormControl,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Input } from "@app/components/ui/input";
+import { useMemo, useTransition } from "react";
+import { useForm } from "react-hook-form";
+import { CreatePolicyUsersRolesSectionForm } from "./CreatePolicyUserRolesSectionForm";
+import { CreatePolicyAuthMethodsSectionForm } from "./CreatePolicyAuthMethodsSectionForm";
+import { CreatePolicyOtpEmailSectionForm } from "./CreatePolicyOtpEmailSectionForm";
+import { CreatePolicyRulesSectionForm } from "./CreatePolicyRulesSectionForm";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
+import { tierMatrix, TierFeature } from "@server/lib/billing/tierMatrix";
+
+// ─── CreatePolicyForm ─────────────────────────────────────────────────────────
+
+export type CreatePolicyFormProps = {};
+
+export function CreatePolicyForm({}: CreatePolicyFormProps) {
+    const { org } = useOrgContext();
+    const t = useTranslations();
+    const { env } = useEnvContext();
+    const api = createApiClient({ env });
+    const [isSubmitting, startTransition] = useTransition();
+    const { isPaidUser } = usePaidStatus();
+
+    const router = useRouter();
+
+    const isMaxmindAvailable = !!(
+        env.server.maxmind_db_path && env.server.maxmind_db_path.length > 0
+    );
+    const isMaxmindAsnAvailable = !!(
+        env.server.maxmind_asn_path && env.server.maxmind_asn_path.length > 0
+    );
+
+    const { data: orgRoles = [], isLoading: isLoadingOrgRoles } = useQuery(
+        orgQueries.roles({ orgId: org.org.orgId })
+    );
+    const { data: orgUsers = [], isLoading: isLoadingOrgUsers } = useQuery(
+        orgQueries.users({ orgId: org.org.orgId })
+    );
+    const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery(
+        orgQueries.identityProviders({
+            orgId: org.org.orgId,
+            useOrgOnlyIdp: env.app.identityProviderMode === "org"
+        })
+    );
+
+    const form = useForm<PolicyFormValues>({
+        resolver: zodResolver(createPolicySchema) as any,
+        defaultValues: {
+            name: "",
+            sso: true,
+            skipToIdpId: null,
+            emailWhitelistEnabled: false,
+            roles: [],
+            users: [],
+            emails: [],
+            applyRules: false,
+            rules: [],
+            password: null,
+            headerAuth: null,
+            pincode: null
+        }
+    });
+
+    async function onSubmit() {
+        const isValid = await form.trigger();
+
+        if (!isValid) return;
+
+        const payload = form.getValues();
+
+        try {
+            const res = await api
+                .post<AxiosResponse<ResourcePolicy>>(
+                    `/org/${org.org.orgId}/resource-policy/`,
+                    {
+                        name: payload.name,
+                        // access control
+                        sso: payload.sso,
+                        roleIds: payload.roles.map((r) => r.id),
+                        userIds: payload.users.map((u) => u.id),
+                        skipToIdpId: payload.skipToIdpId,
+                        // auth methods
+                        password: payload.password?.password,
+                        pincode: payload.pincode?.pincode,
+                        headerAuth: payload.headerAuth,
+                        // email OTP
+                        emailWhitelistEnabled: payload.emailWhitelistEnabled,
+                        emails: payload.emails.map((email) => email.text),
+                        // rules
+                        applyRules: payload.applyRules,
+                        rules: payload.rules
+                    }
+                )
+                .catch((e) => {
+                    toast({
+                        variant: "destructive",
+                        title: t("policyErrorCreate"),
+                        description: formatAxiosError(
+                            e,
+                            t("policyErrorCreateDescription")
+                        )
+                    });
+                });
+
+            if (res && res.status === 201) {
+                const niceId = res.data.data.niceId;
+                router.push(
+                    `/${org.org.orgId}/settings/policies/resource/${niceId}`
+                );
+                toast({
+                    title: t("success"),
+                    description: t("policyCreatedSuccess")
+                });
+            }
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("policyErrorCreate"),
+                description: t("policyErrorCreateMessageDescription")
+            });
+        }
+    }
+
+    const allRoles = useMemo(
+        () =>
+            orgRoles
+                .map((role) => ({
+                    id: role.roleId.toString(),
+                    text: role.name
+                }))
+                .filter((role) => role.text !== "Admin"),
+        [orgRoles]
+    );
+
+    const allUsers = useMemo(
+        () =>
+            orgUsers.map((user) => ({
+                id: user.id.toString(),
+                text: `${getUserDisplayName({ email: user.email, username: user.username })}${user.type !== UserType.Internal ? ` (${user.idpName})` : ""}`
+            })),
+        [orgUsers]
+    );
+
+    const allIdps = useMemo(() => {
+        if (build === "saas") {
+            if (isPaidUser(tierMatrix.orgOidc)) {
+                return orgIdps.map((idp) => ({
+                    id: idp.idpId,
+                    text: idp.name
+                }));
+            }
+        } else {
+            return orgIdps.map((idp) => ({ id: idp.idpId, text: idp.name }));
+        }
+        return [];
+    }, [orgIdps, isPaidUser]);
+
+    if (isLoadingOrgRoles || isLoadingOrgUsers || isLoadingOrgIdps) {
+        return <></>;
+    }
+
+    const policyTiers = tierMatrix[TierFeature.ResourcePolicies];
+    const isDisabled = !isPaidUser(policyTiers);
+
+    return (
+        <>
+            <PaidFeaturesAlert tiers={policyTiers} />
+            <Form {...form}>
+                <div
+                    className={
+                        isDisabled
+                            ? "pointer-events-none opacity-50"
+                            : undefined
+                    }
+                >
+                    <SettingsContainer>
+                        {/* Name */}
+                        <SettingsSection>
+                            <SettingsSectionHeader>
+                                <SettingsSectionTitle>
+                                    {t("resourcePolicyName")}
+                                </SettingsSectionTitle>
+                                <SettingsSectionDescription>
+                                    {t("resourcePolicyNameDescription")}
+                                </SettingsSectionDescription>
+                            </SettingsSectionHeader>
+                            <SettingsSectionBody>
+                                <SettingsSectionForm>
+                                    <FormField
+                                        control={form.control}
+                                        name="name"
+                                        render={({ field }) => (
+                                            <FormItem>
+                                                <FormLabel>
+                                                    {t("name")}
+                                                </FormLabel>
+                                                <FormControl>
+                                                    <Input
+                                                        {...field}
+                                                        placeholder={t(
+                                                            "resourcePolicyNamePlaceholder"
+                                                        )}
+                                                    />
+                                                </FormControl>
+                                                <FormMessage />
+                                            </FormItem>
+                                        )}
+                                    />
+                                </SettingsSectionForm>
+                            </SettingsSectionBody>
+                        </SettingsSection>
+
+                        <CreatePolicyUsersRolesSectionForm
+                            form={form}
+                            allRoles={allRoles}
+                            allUsers={allUsers}
+                            allIdps={allIdps}
+                        />
+                        <CreatePolicyAuthMethodsSectionForm form={form} />
+                        <CreatePolicyOtpEmailSectionForm
+                            form={form}
+                            emailEnabled={env.email.emailEnabled}
+                        />
+                        <CreatePolicyRulesSectionForm
+                            form={form}
+                            isMaxmindAvailable={isMaxmindAvailable}
+                            isMaxmindAsnAvailable={isMaxmindAsnAvailable}
+                        />
+                    </SettingsContainer>
+                </div>
+
+                <div className="flex py-6 justify-end">
+                    <Button
+                        type="button"
+                        onClick={() => startTransition(onSubmit)}
+                        loading={isSubmitting}
+                        disabled={isSubmitting || isDisabled}
+                    >
+                        {t("resourcePoliciesCreate")}
+                    </Button>
+                </div>
+            </Form>
+        </>
+    );
+}

src/components/resource-policy/CreatePolicyOtpEmailSectionForm.tsx

@@ -0,0 +1,213 @@
+"use client";
+
+import {
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useTranslations } from "next-intl";
+
+import z from "zod";
+
+import { createPolicySchema, type PolicyFormValues } from ".";
+
+import { SwitchInput } from "@app/components/SwitchInput";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
+import { Button } from "@app/components/ui/button";
+import {
+    Form,
+    FormControl,
+    FormDescription,
+    FormField,
+    FormItem,
+    FormLabel
+} from "@app/components/ui/form";
+import { InfoPopup } from "@app/components/ui/info-popup";
+
+import { InfoIcon, Plus } from "lucide-react";
+
+import { useEffect, useState } from "react";
+import { type UseFormReturn, useForm, useWatch } from "react-hook-form";
+
+// ─── CreatePolicyOtpEmailSectionForm ──────────────────────────────────────────
+
+export type CreatePolicyOtpEmailSectionFormProps = {
+    form: UseFormReturn<PolicyFormValues, any, any>;
+    emailEnabled: boolean;
+};
+
+export function CreatePolicyOtpEmailSectionForm({
+    form: parentForm,
+    emailEnabled
+}: CreatePolicyOtpEmailSectionFormProps) {
+    const t = useTranslations();
+    const [isExpanded, setIsExpanded] = useState(false);
+    const [activeEmailTagIndex, setActiveEmailTagIndex] = useState<
+        number | null
+    >(null);
+
+    const form = useForm({
+        resolver: zodResolver(
+            createPolicySchema.pick({
+                emailWhitelistEnabled: true,
+                emails: true
+            })
+        ),
+        defaultValues: {
+            emailWhitelistEnabled: false,
+            emails: []
+        }
+    });
+
+    useEffect(() => {
+        const subscription = form.watch((values) => {
+            parentForm.setValue(
+                "emailWhitelistEnabled",
+                values.emailWhitelistEnabled as boolean
+            );
+            parentForm.setValue("emails", values.emails as [Tag, ...Tag[]]);
+        });
+        return () => subscription.unsubscribe();
+    }, [form, parentForm]);
+
+    const whitelistEnabled = useWatch({
+        control: form.control,
+        name: "emailWhitelistEnabled"
+    });
+
+    if (!isExpanded) {
+        return (
+            <SettingsSection>
+                <SettingsSectionHeader>
+                    <SettingsSectionTitle>
+                        {t("otpEmailTitle")}
+                    </SettingsSectionTitle>
+                    <SettingsSectionDescription>
+                        {t("otpEmailTitleDescription")}
+                    </SettingsSectionDescription>
+                </SettingsSectionHeader>
+                <SettingsSectionBody>
+                    <Button
+                        type="button"
+                        variant="outline"
+                        onClick={() => setIsExpanded(true)}
+                    >
+                        <Plus className="mr-2 h-4 w-4" />
+                        {t("resourcePolicyOtpEmailAdd")}
+                    </Button>
+                </SettingsSectionBody>
+            </SettingsSection>
+        );
+    }
+
+    return (
+        <Form {...form}>
+            <SettingsSection>
+                <SettingsSectionHeader>
+                    <SettingsSectionTitle>
+                        {t("otpEmailTitle")}
+                    </SettingsSectionTitle>
+                    <SettingsSectionDescription>
+                        {t("otpEmailTitleDescription")}
+                    </SettingsSectionDescription>
+                </SettingsSectionHeader>
+                <SettingsSectionBody>
+                    <SettingsSectionForm>
+                        {!emailEnabled && (
+                            <Alert variant="neutral" className="mb-4">
+                                <InfoIcon className="h-4 w-4" />
+                                <AlertTitle className="font-semibold">
+                                    {t("otpEmailSmtpRequired")}
+                                </AlertTitle>
+                                <AlertDescription>
+                                    {t("otpEmailSmtpRequiredDescription")}
+                                </AlertDescription>
+                            </Alert>
+                        )}
+                        <SwitchInput
+                            id="whitelist-toggle"
+                            label={t("otpEmailWhitelist")}
+                            defaultChecked={false}
+                            onCheckedChange={(val) => {
+                                form.setValue("emailWhitelistEnabled", val);
+                            }}
+                            disabled={!emailEnabled}
+                        />
+
+                        {whitelistEnabled && emailEnabled && (
+                            <FormField
+                                control={form.control}
+                                name="emails"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>
+                                            <InfoPopup
+                                                text={t("otpEmailWhitelistList")}
+                                                info={t(
+                                                    "otpEmailWhitelistListDescription"
+                                                )}
+                                            />
+                                        </FormLabel>
+                                        <FormControl>
+                                            {/* @ts-ignore */}
+                                            <TagInput
+                                                {...field}
+                                                activeTagIndex={
+                                                    activeEmailTagIndex
+                                                }
+                                                size="sm"
+                                                validateTag={(tag) => {
+                                                    return z
+                                                        .email()
+                                                        .or(
+                                                            z
+                                                                .string()
+                                                                .regex(
+                                                                    /^\*@[\w.-]+\.[a-zA-Z]{2,}$/,
+                                                                    {
+                                                                        message:
+                                                                            t(
+                                                                                "otpEmailErrorInvalid"
+                                                                            )
+                                                                    }
+                                                                )
+                                                        )
+                                                        .safeParse(tag).success;
+                                                }}
+                                                setActiveTagIndex={
+                                                    setActiveEmailTagIndex
+                                                }
+                                                placeholder={t("otpEmailEnter")}
+                                                tags={form.getValues().emails}
+                                                setTags={(newEmails) => {
+                                                    form.setValue(
+                                                        "emails",
+                                                        newEmails as [
+                                                            Tag,
+                                                            ...Tag[]
+                                                        ]
+                                                    );
+                                                }}
+                                                allowDuplicates={false}
+                                                sortTags={true}
+                                            />
+                                        </FormControl>
+                                        <FormDescription>
+                                            {t("otpEmailEnterDescription")}
+                                        </FormDescription>
+                                    </FormItem>
+                                )}
+                            />
+                        )}
+                    </SettingsSectionForm>
+                </SettingsSectionBody>
+            </SettingsSection>
+        </Form>
+    );
+}

src/components/resource-policy/CreatePolicyUserRolesSectionForm.tsx

@@ -0,0 +1,257 @@
+"use client";
+
+import {
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+
+import { zodResolver } from "@hookform/resolvers/zod";
+import { SwitchInput } from "@app/components/SwitchInput";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import {
+    Form,
+    FormControl,
+    FormDescription,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import {
+    Select,
+    SelectContent,
+    SelectItem,
+    SelectTrigger,
+    SelectValue
+} from "@app/components/ui/select";
+import { createPolicySchema, type PolicyFormValues } from ".";
+import { useTranslations } from "next-intl";
+import { useEffect, useState } from "react";
+import { type UseFormReturn, useForm, useWatch } from "react-hook-form";
+
+// ─── CreatePolicyUsersRolesSectionForm ────────────────────────────────────────
+
+export type CreatePolicyUsersRolesSectionFormProps = {
+    form: UseFormReturn<PolicyFormValues, any, any>;
+    allRoles: { id: string; text: string }[];
+    allUsers: { id: string; text: string }[];
+    allIdps: { id: number; text: string }[];
+};
+
+export function CreatePolicyUsersRolesSectionForm({
+    form: parentForm,
+    allRoles,
+    allUsers,
+    allIdps
+}: CreatePolicyUsersRolesSectionFormProps) {
+    const t = useTranslations();
+
+    const form = useForm({
+        resolver: zodResolver(
+            createPolicySchema.pick({
+                sso: true,
+                skipToIdpId: true,
+                roles: true,
+                users: true
+            })
+        ),
+        defaultValues: {
+            sso: true,
+            skipToIdpId: null,
+            roles: [],
+            users: []
+        }
+    });
+
+    useEffect(() => {
+        const subscription = form.watch((values) => {
+            parentForm.setValue("sso", values.sso as boolean);
+            parentForm.setValue("skipToIdpId", values.skipToIdpId as number | null);
+            parentForm.setValue("roles", values.roles as [Tag, ...Tag[]]);
+            parentForm.setValue("users", values.users as [Tag, ...Tag[]]);
+        });
+        return () => subscription.unsubscribe();
+    }, [form, parentForm]);
+
+    const ssoEnabled = useWatch({ control: form.control, name: "sso" });
+    const selectedIdpId = useWatch({
+        control: form.control,
+        name: "skipToIdpId"
+    });
+    const [activeRolesTagIndex, setActiveRolesTagIndex] = useState<
+        number | null
+    >(null);
+    const [activeUsersTagIndex, setActiveUsersTagIndex] = useState<
+        number | null
+    >(null);
+
+    return (
+        <Form {...form}>
+            <SettingsSection>
+                <SettingsSectionHeader>
+                    <SettingsSectionTitle>
+                        {t("resourceUsersRoles")}
+                    </SettingsSectionTitle>
+                    <SettingsSectionDescription>
+                        {t("resourcePolicyUsersRolesDescription")}
+                    </SettingsSectionDescription>
+                </SettingsSectionHeader>
+                <SettingsSectionBody>
+                    <SettingsSectionForm>
+                        <SwitchInput
+                            id="sso-toggle"
+                            label={t("ssoUse")}
+                            defaultChecked={ssoEnabled}
+                            onCheckedChange={(val) => {
+                                form.setValue("sso", val);
+                            }}
+                        />
+
+                        {ssoEnabled && (
+                            <>
+                                <FormField
+                                    control={form.control}
+                                    name="roles"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-col items-start">
+                                            <FormLabel>{t("roles")}</FormLabel>
+                                            <FormControl>
+                                                <TagInput
+                                                    {...field}
+                                                    activeTagIndex={
+                                                        activeRolesTagIndex
+                                                    }
+                                                    setActiveTagIndex={
+                                                        setActiveRolesTagIndex
+                                                    }
+                                                    placeholder={t(
+                                                        "accessRoleSelect2"
+                                                    )}
+                                                    size="sm"
+                                                    tags={form.getValues().roles}
+                                                    setTags={(newRoles) => {
+                                                        form.setValue(
+                                                            "roles",
+                                                            newRoles as [
+                                                                Tag,
+                                                                ...Tag[]
+                                                            ]
+                                                        );
+                                                    }}
+                                                    enableAutocomplete={true}
+                                                    autocompleteOptions={allRoles}
+                                                    allowDuplicates={false}
+                                                    restrictTagsToAutocompleteOptions={
+                                                        true
+                                                    }
+                                                    sortTags={true}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                            <FormDescription>
+                                                {t("resourceRoleDescription")}
+                                            </FormDescription>
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={form.control}
+                                    name="users"
+                                    render={({ field }) => (
+                                        <FormItem className="flex flex-col items-start">
+                                            <FormLabel>{t("users")}</FormLabel>
+                                            <FormControl>
+                                                <TagInput
+                                                    {...field}
+                                                    activeTagIndex={
+                                                        activeUsersTagIndex
+                                                    }
+                                                    setActiveTagIndex={
+                                                        setActiveUsersTagIndex
+                                                    }
+                                                    placeholder={t(
+                                                        "accessUserSelect"
+                                                    )}
+                                                    size="sm"
+                                                    tags={form.getValues().users}
+                                                    setTags={(newUsers) => {
+                                                        form.setValue(
+                                                            "users",
+                                                            newUsers as [
+                                                                Tag,
+                                                                ...Tag[]
+                                                            ]
+                                                        );
+                                                    }}
+                                                    enableAutocomplete={true}
+                                                    autocompleteOptions={allUsers}
+                                                    allowDuplicates={false}
+                                                    restrictTagsToAutocompleteOptions={
+                                                        true
+                                                    }
+                                                    sortTags={true}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </>
+                        )}
+
+                        {ssoEnabled && allIdps.length > 0 && (
+                            <div className="space-y-2">
+                                <label className="text-sm font-medium">
+                                    {t("defaultIdentityProvider")}
+                                </label>
+                                <Select
+                                    onValueChange={(value) => {
+                                        if (value === "none") {
+                                            form.setValue("skipToIdpId", null);
+                                        } else {
+                                            const id = parseInt(value);
+                                            form.setValue("skipToIdpId", id);
+                                        }
+                                    }}
+                                    value={
+                                        selectedIdpId
+                                            ? selectedIdpId.toString()
+                                            : "none"
+                                    }
+                                >
+                                    <SelectTrigger className="w-full mt-1">
+                                        <SelectValue
+                                            placeholder={t(
+                                                "selectIdpPlaceholder"
+                                            )}
+                                        />
+                                    </SelectTrigger>
+                                    <SelectContent>
+                                        <SelectItem value="none">
+                                            {t("none")}
+                                        </SelectItem>
+                                        {allIdps.map((idp) => (
+                                            <SelectItem
+                                                key={idp.id}
+                                                value={idp.id.toString()}
+                                            >
+                                                {idp.text}
+                                            </SelectItem>
+                                        ))}
+                                    </SelectContent>
+                                </Select>
+                                <p className="text-sm text-muted-foreground">
+                                    {t("defaultIdentityProviderDescription")}
+                                </p>
+                            </div>
+                        )}
+                    </SettingsSectionForm>
+                </SettingsSectionBody>
+            </SettingsSection>
+        </Form>
+    );
+}

src/components/resource-policy/EditPolicyAuthMethodsSectionForm.tsx

@@ -0,0 +1,671 @@
+"use client";
+
+import {
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionFooter,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+
+import { useEnvContext } from "@app/hooks/useEnvContext";
+
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useTranslations } from "next-intl";
+
+import z from "zod";
+
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { useRouter } from "next/navigation";
+import { createPolicySchema } from ".";
+
+import {
+    Credenza,
+    CredenzaBody,
+    CredenzaClose,
+    CredenzaContent,
+    CredenzaDescription,
+    CredenzaFooter,
+    CredenzaHeader,
+    CredenzaTitle
+} from "@app/components/Credenza";
+import { SwitchInput } from "@app/components/SwitchInput";
+import { Button } from "@app/components/ui/button";
+import {
+    Form,
+    FormControl,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Input } from "@app/components/ui/input";
+import {
+    InputOTP,
+    InputOTPGroup,
+    InputOTPSlot
+} from "@app/components/ui/input-otp";
+
+import { Binary, Bot, Key, Plus } from "lucide-react";
+
+import { cn } from "@app/lib/cn";
+import { useResourcePolicyContext } from "@app/providers/ResourcePolicyProvider";
+import { useActionState, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "@app/hooks/useToast";
+import type { AxiosResponse } from "axios";
+
+// ─── PolicyAuthMethodsSection ─────────────────────────────────────────────────
+
+const setPasswordSchema = z.object({
+    password: z.string().min(4).max(100)
+});
+
+const setPincodeSchema = z.object({
+    pincode: z.string().length(6)
+});
+
+const setHeaderAuthSchema = z.object({
+    user: z.string().min(4).max(100),
+    password: z.string().min(4).max(100),
+    extendedCompatibility: z.boolean()
+});
+
+export function EditPolicyAuthMethodsSectionForm({
+    readonly
+}: {
+    readonly?: boolean;
+}) {
+    const { policy } = useResourcePolicyContext();
+    const router = useRouter();
+
+    const api = createApiClient(useEnvContext());
+
+    const form = useForm({
+        resolver: zodResolver(
+            createPolicySchema.pick({
+                password: true,
+                pincode: true,
+                headerAuth: true
+            })
+        )
+    });
+
+    const t = useTranslations();
+    const [isSetPasswordOpen, setIsSetPasswordOpen] = useState(false);
+    const [isSetPincodeOpen, setIsSetPincodeOpen] = useState(false);
+    const [isSetHeaderAuthOpen, setIsSetHeaderAuthOpen] = useState(false);
+
+    const password = form.watch("password");
+    const pincode = form.watch("pincode");
+    const headerAuth = form.watch("headerAuth");
+
+    // If explicitly removed (set to `null`) it means the value has been removed
+    // in the other case (`undefined` or object value), check if the value has been modified
+    // and fallback to the policy default value
+    const hasPassword =
+        password !== null ? Boolean(password ?? policy.passwordId) : false;
+
+    const hasPincode =
+        pincode !== null ? Boolean(pincode ?? policy.pincodeId) : false;
+
+    const hasHeaderAuth =
+        headerAuth !== null ? Boolean(headerAuth ?? policy.headerAuth) : false;
+
+    const [isExpanded, setIsExpanded] = useState(
+        hasPassword || hasPincode || hasHeaderAuth
+    );
+
+    const passwordForm = useForm({
+        resolver: zodResolver(setPasswordSchema),
+        defaultValues: { password: "" }
+    });
+
+    const pincodeForm = useForm({
+        resolver: zodResolver(setPincodeSchema),
+        defaultValues: { pincode: "" }
+    });
+
+    const headerAuthForm = useForm({
+        resolver: zodResolver(setHeaderAuthSchema),
+        defaultValues: { user: "", password: "", extendedCompatibility: true }
+    });
+
+    const [, formAction, isSubmitting] = useActionState(onSubmit, null);
+
+    async function onSubmit() {
+        if (readonly) return;
+        const isValid = await form.trigger();
+
+        if (!isValid) return;
+
+        const payload = form.getValues();
+
+        const responseArray: Array<Promise<AxiosResponse<{}> | void>> = [];
+
+        if (typeof payload.password !== "undefined") {
+            responseArray.push(
+                api
+                    .put<AxiosResponse<{}>>(
+                        `/resource-policy/${policy.resourcePolicyId}/password`,
+                        {
+                            password: payload.password?.password ?? null
+                        }
+                    )
+                    .catch((e) => {
+                        toast({
+                            variant: "destructive",
+                            title: t("policyErrorUpdate"),
+                            description: formatAxiosError(
+                                e,
+                                t("policyErrorUpdateDescription")
+                            )
+                        });
+                    })
+            );
+        }
+
+        if (typeof payload.pincode !== "undefined") {
+            responseArray.push(
+                api
+                    .put<AxiosResponse<{}>>(
+                        `/resource-policy/${policy.resourcePolicyId}/pincode`,
+                        {
+                            pincode: payload.pincode?.pincode ?? null
+                        }
+                    )
+                    .catch((e) => {
+                        toast({
+                            variant: "destructive",
+                            title: t("policyErrorUpdate"),
+                            description: formatAxiosError(
+                                e,
+                                t("policyErrorUpdateDescription")
+                            )
+                        });
+                    })
+            );
+        }
+
+        if (typeof payload.headerAuth !== "undefined") {
+            responseArray.push(
+                api
+                    .put<AxiosResponse<{}>>(
+                        `/resource-policy/${policy.resourcePolicyId}/header-auth`,
+                        {
+                            headerAuth: payload.headerAuth
+                        }
+                    )
+                    .catch((e) => {
+                        toast({
+                            variant: "destructive",
+                            title: t("policyErrorUpdate"),
+                            description: formatAxiosError(
+                                e,
+                                t("policyErrorUpdateDescription")
+                            )
+                        });
+                    })
+            );
+        }
+
+        try {
+            const responseList = await Promise.all(responseArray);
+
+            if (responseList.every((res) => res && res.status === 200)) {
+                toast({
+                    title: t("success"),
+                    description: t("policyUpdatedSuccess")
+                });
+                router.refresh();
+            }
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("policyErrorUpdate"),
+                description: t("policyErrorUpdateMessageDescription")
+            });
+        }
+    }
+
+    if (!isExpanded) {
+        return (
+            <SettingsSection>
+                <SettingsSectionHeader>
+                    <SettingsSectionTitle>
+                        {t("resourceAuthMethods")}
+                    </SettingsSectionTitle>
+                    <SettingsSectionDescription>
+                        {t("resourcePolicyAuthMethodsDescription")}
+                    </SettingsSectionDescription>
+                </SettingsSectionHeader>
+                <SettingsSectionBody>
+                    {!readonly ? (
+                        <Button
+                            type="button"
+                            variant="outline"
+                            onClick={() => setIsExpanded(true)}
+                        >
+                            <Plus className="mr-2 h-4 w-4" />
+                            {t("resourcePolicyAuthMethodAdd")}
+                        </Button>
+                    ) : (
+                        <div className="text-muted-foreground flex items-center h-full size-full bg-muted rounded-md px-8 py-6 border-dashed text-sm">
+                            <p>{t("resourcePolicyAuthMethodsEmpty")}</p>
+                        </div>
+                    )}
+                </SettingsSectionBody>
+            </SettingsSection>
+        );
+    }
+
+    return (
+        <>
+            {/* Password Credenza */}
+            <Credenza
+                open={isSetPasswordOpen}
+                onOpenChange={(val) => {
+                    setIsSetPasswordOpen(val);
+                    if (!val) passwordForm.reset();
+                }}
+            >
+                <CredenzaContent>
+                    <CredenzaHeader>
+                        <CredenzaTitle>
+                            {t("resourcePasswordSetupTitle")}
+                        </CredenzaTitle>
+                        <CredenzaDescription>
+                            {t("resourcePasswordSetupTitleDescription")}
+                        </CredenzaDescription>
+                    </CredenzaHeader>
+                    <CredenzaBody>
+                        <Form {...passwordForm}>
+                            <form
+                                onSubmit={passwordForm.handleSubmit((data) => {
+                                    form.setValue("password", data);
+                                    setIsSetPasswordOpen(false);
+                                    passwordForm.reset();
+                                })}
+                                className="space-y-4"
+                                id="set-password-form"
+                            >
+                                <FormField
+                                    control={passwordForm.control}
+                                    name="password"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("password")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    type="password"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    </CredenzaBody>
+                    <CredenzaFooter>
+                        <CredenzaClose asChild>
+                            <Button variant="outline">{t("close")}</Button>
+                        </CredenzaClose>
+                        <Button type="submit" form="set-password-form">
+                            {t("resourcePasswordSubmit")}
+                        </Button>
+                    </CredenzaFooter>
+                </CredenzaContent>
+            </Credenza>
+
+            {/* Pincode Credenza */}
+            <Credenza
+                open={isSetPincodeOpen}
+                onOpenChange={(val) => {
+                    setIsSetPincodeOpen(val);
+                    if (!val) pincodeForm.reset();
+                }}
+            >
+                <CredenzaContent>
+                    <CredenzaHeader>
+                        <CredenzaTitle>
+                            {t("resourcePincodeSetupTitle")}
+                        </CredenzaTitle>
+                        <CredenzaDescription>
+                            {t("resourcePincodeSetupTitleDescription")}
+                        </CredenzaDescription>
+                    </CredenzaHeader>
+                    <CredenzaBody>
+                        <Form {...pincodeForm}>
+                            <form
+                                onSubmit={pincodeForm.handleSubmit((data) => {
+                                    form.setValue("pincode", data);
+                                    setIsSetPincodeOpen(false);
+                                    pincodeForm.reset();
+                                })}
+                                className="space-y-4"
+                                id="set-pincode-form"
+                            >
+                                <FormField
+                                    control={pincodeForm.control}
+                                    name="pincode"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("resourcePincode")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <div className="flex justify-center">
+                                                    <InputOTP
+                                                        autoComplete="false"
+                                                        maxLength={6}
+                                                        {...field}
+                                                    >
+                                                        <InputOTPGroup className="flex">
+                                                            <InputOTPSlot
+                                                                index={0}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={1}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={2}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={3}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={4}
+                                                                obscured
+                                                            />
+                                                            <InputOTPSlot
+                                                                index={5}
+                                                                obscured
+                                                            />
+                                                        </InputOTPGroup>
+                                                    </InputOTP>
+                                                </div>
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    </CredenzaBody>
+                    <CredenzaFooter>
+                        <CredenzaClose asChild>
+                            <Button variant="outline">{t("close")}</Button>
+                        </CredenzaClose>
+                        <Button type="submit" form="set-pincode-form">
+                            {t("resourcePincodeSubmit")}
+                        </Button>
+                    </CredenzaFooter>
+                </CredenzaContent>
+            </Credenza>
+
+            {/* Header Auth Credenza */}
+            <Credenza
+                open={isSetHeaderAuthOpen}
+                onOpenChange={(val) => {
+                    setIsSetHeaderAuthOpen(val);
+                    if (!val) headerAuthForm.reset();
+                }}
+            >
+                <CredenzaContent>
+                    <CredenzaHeader>
+                        <CredenzaTitle>
+                            {t("resourceHeaderAuthSetupTitle")}
+                        </CredenzaTitle>
+                        <CredenzaDescription>
+                            {t("resourceHeaderAuthSetupTitleDescription")}
+                        </CredenzaDescription>
+                    </CredenzaHeader>
+                    <CredenzaBody>
+                        <Form {...headerAuthForm}>
+                            <form
+                                onSubmit={headerAuthForm.handleSubmit(
+                                    (data) => {
+                                        form.setValue("headerAuth", data);
+                                        setIsSetHeaderAuthOpen(false);
+                                        headerAuthForm.reset();
+                                    }
+                                )}
+                                className="space-y-4"
+                                id="set-header-auth-form"
+                            >
+                                <FormField
+                                    control={headerAuthForm.control}
+                                    name="user"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>{t("user")}</FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    type="text"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={headerAuthForm.control}
+                                    name="password"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                {t("password")}
+                                            </FormLabel>
+                                            <FormControl>
+                                                <Input
+                                                    autoComplete="off"
+                                                    type="password"
+                                                    {...field}
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                                <FormField
+                                    control={headerAuthForm.control}
+                                    name="extendedCompatibility"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormControl>
+                                                <SwitchInput
+                                                    id="header-auth-compatibility-toggle"
+                                                    label={t(
+                                                        "headerAuthCompatibility"
+                                                    )}
+                                                    info={t(
+                                                        "headerAuthCompatibilityInfo"
+                                                    )}
+                                                    checked={field.value}
+                                                    onCheckedChange={
+                                                        field.onChange
+                                                    }
+                                                />
+                                            </FormControl>
+                                            <FormMessage />
+                                        </FormItem>
+                                    )}
+                                />
+                            </form>
+                        </Form>
+                    </CredenzaBody>
+                    <CredenzaFooter>
+                        <CredenzaClose asChild>
+                            <Button variant="outline">{t("close")}</Button>
+                        </CredenzaClose>
+                        <Button type="submit" form="set-header-auth-form">
+                            {t("resourceHeaderAuthSubmit")}
+                        </Button>
+                    </CredenzaFooter>
+                </CredenzaContent>
+            </Credenza>
+
+            <Form {...form}>
+                <form action={formAction}>
+                    <SettingsSection>
+                        <SettingsSectionHeader>
+                            <SettingsSectionTitle>
+                                {t("resourceAuthMethods")}
+                            </SettingsSectionTitle>
+                            <SettingsSectionDescription>
+                                {t("resourcePolicyAuthMethodsDescription")}
+                            </SettingsSectionDescription>
+                        </SettingsSectionHeader>
+                        <SettingsSectionBody>
+                            <SettingsSectionForm>
+                                {/* Password row */}
+                                <div className="flex items-center justify-between border rounded-md p-2 mb-4">
+                                    <div
+                                        className={cn(
+                                            "flex items-center text-sm gap-x-2",
+                                            hasPassword && "text-green-500"
+                                        )}
+                                    >
+                                        <Key size="14" />
+                                        <span>
+                                            {t("resourcePasswordProtection", {
+                                                status: hasPassword
+                                                    ? t("enabled")
+                                                    : t("disabled")
+                                            })}
+                                        </span>
+                                    </div>
+                                    <Button
+                                        type="button"
+                                        variant="secondary"
+                                        size="sm"
+                                        disabled={readonly}
+                                        onClick={
+                                            hasPassword
+                                                ? () =>
+                                                      form.setValue(
+                                                          "password",
+                                                          null
+                                                      )
+                                                : () =>
+                                                      setIsSetPasswordOpen(true)
+                                        }
+                                    >
+                                        {hasPassword
+                                            ? t("passwordRemove")
+                                            : t("passwordAdd")}
+                                    </Button>
+                                </div>
+
+                                {/* Pincode row */}
+                                <div className="flex items-center justify-between border rounded-md p-2">
+                                    <div
+                                        className={cn(
+                                            "flex items-center gap-x-2 text-sm",
+                                            hasPincode && "text-green-500"
+                                        )}
+                                    >
+                                        <Binary size="14" />
+                                        <span>
+                                            {t("resourcePincodeProtection", {
+                                                status: hasPincode
+                                                    ? t("enabled")
+                                                    : t("disabled")
+                                            })}
+                                        </span>
+                                    </div>
+                                    <Button
+                                        type="button"
+                                        variant="secondary"
+                                        size="sm"
+                                        disabled={readonly}
+                                        onClick={
+                                            hasPincode
+                                                ? () =>
+                                                      form.setValue(
+                                                          "pincode",
+                                                          null
+                                                      )
+                                                : () =>
+                                                      setIsSetPincodeOpen(true)
+                                        }
+                                    >
+                                        {hasPincode
+                                            ? t("pincodeRemove")
+                                            : t("pincodeAdd")}
+                                    </Button>
+                                </div>
+
+                                {/* Header auth row */}
+                                <div className="flex items-center justify-between border rounded-md p-2">
+                                    <div
+                                        className={cn(
+                                            "flex items-center gap-x-2 text-sm",
+                                            hasHeaderAuth && "text-green-500"
+                                        )}
+                                    >
+                                        <Bot size="14" />
+                                        <span>
+                                            {hasHeaderAuth
+                                                ? t(
+                                                      "resourceHeaderAuthProtectionEnabled"
+                                                  )
+                                                : t(
+                                                      "resourceHeaderAuthProtectionDisabled"
+                                                  )}
+                                        </span>
+                                    </div>
+                                    <Button
+                                        type="button"
+                                        variant="secondary"
+                                        size="sm"
+                                        disabled={readonly}
+                                        onClick={
+                                            hasHeaderAuth
+                                                ? () =>
+                                                      form.setValue(
+                                                          "headerAuth",
+                                                          null
+                                                      )
+                                                : () =>
+                                                      setIsSetHeaderAuthOpen(
+                                                          true
+                                                      )
+                                        }
+                                    >
+                                        {hasHeaderAuth
+                                            ? t("headerAuthRemove")
+                                            : t("headerAuthAdd")}
+                                    </Button>
+                                </div>
+                            </SettingsSectionForm>
+                        </SettingsSectionBody>
+
+                        <SettingsSectionFooter>
+                            <Button
+                                type="submit"
+                                loading={isSubmitting}
+                                disabled={readonly || isSubmitting}
+                            >
+                                {t("authMethodsSave")}
+                            </Button>
+                        </SettingsSectionFooter>
+                    </SettingsSection>
+                </form>
+            </Form>
+        </>
+    );
+}

src/components/resource-policy/EditPolicyForm.tsx

@@ -0,0 +1,107 @@
+"use client";
+
+import { SettingsContainer } from "@app/components/Settings";
+
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { useOrgContext } from "@app/hooks/useOrgContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
+
+import { orgQueries } from "@app/lib/queries";
+import { build } from "@server/build";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { useQuery } from "@tanstack/react-query";
+import { useTranslations } from "next-intl";
+
+import { createApiClient } from "@app/lib/api";
+import { useRouter } from "next/navigation";
+
+import { useMemo } from "react";
+import { EditPolicyAuthMethodsSectionForm } from "./EditPolicyAuthMethodsSectionForm";
+import { EditPolicyNameSectionForm } from "./EditPolicyNameSectionForm";
+import { EditPolicyUsersRolesSectionForm } from "./EditPolicyUserRolesSectionForm";
+import { EditPolicyOtpEmailSectionForm } from "./EditPolicyOtpEmailSectionForm";
+import { EditPolicyRulesSectionForm } from "./EditPolicyRulesSectionForm";
+
+// ─── EditPolicyForm ─────────────────────────────────────────────────────────
+
+export type EditPolicyFormProps = {
+    hidePolicyNameForm?: boolean;
+    readonly?: boolean;
+    resourceId?: number;
+};
+
+export function EditPolicyForm({
+    hidePolicyNameForm,
+    readonly,
+    resourceId
+}: EditPolicyFormProps) {
+    const { org } = useOrgContext();
+    const t = useTranslations();
+    const { env } = useEnvContext();
+    const api = createApiClient({ env });
+    // const [, formAction, isSubmitting] = useActionState(onSubmit, null);
+    const { isPaidUser } = usePaidStatus();
+
+    const router = useRouter();
+
+    const isMaxmindAvailable = !!(
+        env.server.maxmind_db_path && env.server.maxmind_db_path.length > 0
+    );
+    const isMaxmindASNAvailable = !!(
+        env.server.maxmind_asn_path && env.server.maxmind_asn_path.length > 0
+    );
+
+    const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery(
+        orgQueries.identityProviders({
+            orgId: org.org.orgId,
+            useOrgOnlyIdp: env.app.identityProviderMode === "org"
+        })
+    );
+
+    const allIdps = useMemo(() => {
+        if (build === "saas") {
+            if (isPaidUser(tierMatrix.orgOidc)) {
+                return orgIdps.map((idp) => ({
+                    id: idp.idpId,
+                    text: idp.name
+                }));
+            }
+        } else {
+            return orgIdps.map((idp) => ({ id: idp.idpId, text: idp.name }));
+        }
+        return [];
+    }, [orgIdps, isPaidUser]);
+
+    if (isLoadingOrgIdps) {
+        return <></>;
+    }
+
+    return (
+        <SettingsContainer>
+            {!hidePolicyNameForm && (
+                <EditPolicyNameSectionForm readonly={readonly} />
+            )}
+
+            <EditPolicyUsersRolesSectionForm
+                orgId={org.org.orgId}
+                allIdps={allIdps}
+                readonly={readonly}
+                resourceId={resourceId}
+            />
+
+            <EditPolicyAuthMethodsSectionForm readonly={readonly} />
+
+            <EditPolicyOtpEmailSectionForm
+                emailEnabled={env.email.emailEnabled}
+                readonly={readonly}
+            />
+
+            <EditPolicyRulesSectionForm
+                isMaxmindAvailable={isMaxmindAvailable}
+                isMaxmindAsnAvailable={isMaxmindASNAvailable}
+                readonly={readonly}
+                resourceId={resourceId}
+            />
+        </SettingsContainer>
+    );
+}

src/components/resource-policy/EditPolicyNameSectionForm.tsx

@@ -0,0 +1,155 @@
+"use client";
+
+import {
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionFooter,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+
+import { useEnvContext } from "@app/hooks/useEnvContext";
+
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useTranslations } from "next-intl";
+
+import z from "zod";
+
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { type ResourcePolicy } from "@server/db";
+import type { AxiosResponse } from "axios";
+import { useRouter } from "next/navigation";
+
+import { Button } from "@app/components/ui/button";
+import {
+    Form,
+    FormControl,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import { Input } from "@app/components/ui/input";
+
+import { useResourcePolicyContext } from "@app/providers/ResourcePolicyProvider";
+import { useActionState } from "react";
+import { useForm } from "react-hook-form";
+
+// ─── PolicyNameSection ──────────────────────────────────────────────────
+
+export function EditPolicyNameSectionForm({ readonly }: { readonly?: boolean }) {
+    const t = useTranslations();
+    const api = createApiClient(useEnvContext());
+    const router = useRouter();
+
+    const { policy } = useResourcePolicyContext();
+
+    const form = useForm({
+        resolver: zodResolver(
+            z.object({
+                name: z.string()
+            })
+        ),
+        defaultValues: {
+            name: policy.name
+        }
+    });
+
+    const [, formAction, isSubmitting] = useActionState(onSubmit, null);
+
+    async function onSubmit() {
+        if (readonly) return;
+        const isValid = await form.trigger();
+
+        if (!isValid) return;
+
+        const payload = form.getValues();
+
+        try {
+            const res = await api
+                .put<AxiosResponse<ResourcePolicy>>(
+                    `/resource-policy/${policy.resourcePolicyId}`,
+                    {
+                        name: payload.name
+                    }
+                )
+                .catch((e) => {
+                    toast({
+                        variant: "destructive",
+                        title: t("policyErrorUpdate"),
+                        description: formatAxiosError(
+                            e,
+                            t("policyErrorUpdateDescription")
+                        )
+                    });
+                });
+
+            if (res && res.status === 200) {
+                toast({
+                    title: t("success"),
+                    description: t("policyUpdatedSuccess")
+                });
+                router.refresh();
+            }
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("policyErrorUpdate"),
+                description: t("policyErrorUpdateMessageDescription")
+            });
+        }
+    }
+
+    return (
+        <Form {...form}>
+            <form action={formAction}>
+                <SettingsSection>
+                    <SettingsSectionHeader>
+                        <SettingsSectionTitle>
+                            {t("resourcePolicyName")}
+                        </SettingsSectionTitle>
+                        <SettingsSectionDescription>
+                            {t("resourcePolicyNameDescription")}
+                        </SettingsSectionDescription>
+                    </SettingsSectionHeader>
+                    <SettingsSectionBody>
+                        <SettingsSectionForm>
+                            <FormField
+                                control={form.control}
+                                name="name"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>{t("name")}</FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                {...field}
+                                                disabled={readonly}
+                                                placeholder={t(
+                                                    "resourcePolicyNamePlaceholder"
+                                                )}
+                                            />
+                                        </FormControl>
+                                        <FormMessage />
+                                    </FormItem>
+                                )}
+                            />
+                        </SettingsSectionForm>
+                    </SettingsSectionBody>
+
+                    <SettingsSectionFooter>
+                        <Button
+                            type="submit"
+                            loading={isSubmitting}
+                            disabled={readonly || isSubmitting}
+                        >
+                            {t("saveSettings")}
+                        </Button>
+                    </SettingsSectionFooter>
+                </SettingsSection>
+            </form>
+        </Form>
+    );
+}

src/components/resource-policy/EditPolicyOtpEmailSectionForm.tsx

@@ -0,0 +1,294 @@
+"use client";
+
+import {
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionFooter,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+
+import { useTranslations } from "next-intl";
+
+import z from "zod";
+
+import { createPolicySchema, type PolicyFormValues } from ".";
+
+import { toast } from "@app/hooks/useToast";
+import { createApiClient, formatAxiosError } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import type { AxiosResponse } from "axios";
+import { SwitchInput } from "@app/components/SwitchInput";
+import { Tag, TagInput } from "@app/components/tags/tag-input";
+import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
+import { Button } from "@app/components/ui/button";
+import {
+    Form,
+    FormControl,
+    FormDescription,
+    FormField,
+    FormItem,
+    FormLabel
+} from "@app/components/ui/form";
+import { InfoPopup } from "@app/components/ui/info-popup";
+
+import { InfoIcon, Plus } from "lucide-react";
+
+import { useActionState, useState } from "react";
+import { useForm, UseFormReturn, useWatch } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useRouter } from "next/navigation";
+import { useResourcePolicyContext } from "@app/providers/ResourcePolicyProvider";
+
+// ─── PolicyOtpEmailSection ────────────────────────────────────────────────────
+
+type PolicyOtpEmailSectionProps = {
+    emailEnabled: boolean;
+    readonly?: boolean;
+};
+
+export function EditPolicyOtpEmailSectionForm({
+    emailEnabled,
+    readonly
+}: PolicyOtpEmailSectionProps) {
+    const t = useTranslations();
+
+    const { policy } = useResourcePolicyContext();
+    const router = useRouter();
+
+    const api = createApiClient(useEnvContext());
+
+    const form = useForm({
+        resolver: zodResolver(
+            createPolicySchema.pick({
+                emailWhitelistEnabled: true,
+                emails: true
+            })
+        ),
+        defaultValues: {
+            emailWhitelistEnabled: policy.emailWhitelistEnabled,
+            emails: policy.emailWhiteList.map((email) => ({
+                id: email.whiteListId.toString(),
+                text: email.email
+            }))
+        }
+    });
+
+    const whitelistEnabled = useWatch({
+        control: form.control,
+        name: "emailWhitelistEnabled"
+    });
+
+    const [isExpanded, setIsExpanded] = useState(whitelistEnabled);
+    const [activeEmailTagIndex, setActiveEmailTagIndex] = useState<
+        number | null
+    >(null);
+
+    const [, formAction, isSubmitting] = useActionState(onSubmit, null);
+
+    async function onSubmit() {
+        if (readonly) return;
+        const isValid = await form.trigger();
+
+        if (!isValid) return;
+
+        const payload = form.getValues();
+
+        try {
+            const res = await api
+                .put<AxiosResponse<{}>>(
+                    `/resource-policy/${policy.resourcePolicyId}/whitelist`,
+                    {
+                        emailWhitelistEnabled: payload.emailWhitelistEnabled,
+                        emails: payload.emails?.map((e) => e.text) ?? []
+                    }
+                )
+                .catch((e) => {
+                    toast({
+                        variant: "destructive",
+                        title: t("policyErrorUpdate"),
+                        description: formatAxiosError(
+                            e,
+                            t("policyErrorUpdateDescription")
+                        )
+                    });
+                });
+
+            if (res && res.status === 200) {
+                toast({
+                    title: t("success"),
+                    description: t("policyUpdatedSuccess")
+                });
+                router.refresh();
+            }
+        } catch (e) {
+            toast({
+                variant: "destructive",
+                title: t("policyErrorUpdate"),
+                description: t("policyErrorUpdateMessageDescription")
+            });
+        }
+    }
+
+    if (!isExpanded) {
+        return (
+            <SettingsSection>
+                <SettingsSectionHeader>
+                    <SettingsSectionTitle>
+                        {t("otpEmailTitle")}
+                    </SettingsSectionTitle>
+                    <SettingsSectionDescription>
+                        {t("otpEmailTitleDescription")}
+                    </SettingsSectionDescription>
+                </SettingsSectionHeader>
+                <SettingsSectionBody>
+                    {!readonly ? (
+                        <Button
+                            type="button"
+                            variant="outline"
+                            onClick={() => setIsExpanded(true)}
+                        >
+                            <Plus className="mr-2 h-4 w-4" />
+                            {t("resourcePolicyOtpEmailAdd")}
+                        </Button>
+                    ) : (
+                        <div className="text-muted-foreground flex items-center h-full size-full bg-muted rounded-md px-8 py-6 border-dashed text-sm">
+                            <p>{t("resourcePolicyOtpEmpty")}</p>
+                        </div>
+                    )}
+                </SettingsSectionBody>
+            </SettingsSection>
+        );
+    }
+
+    return (
+        <Form {...form}>
+            <form action={formAction}>
+                <SettingsSection>
+                    <SettingsSectionHeader>
+                        <SettingsSectionTitle>
+                            {t("otpEmailTitle")}
+                        </SettingsSectionTitle>
+                        <SettingsSectionDescription>
+                            {t("otpEmailTitleDescription")}
+                        </SettingsSectionDescription>
+                    </SettingsSectionHeader>
+                    <SettingsSectionBody>
+                        <SettingsSectionForm>
+                            {!emailEnabled && (
+                                <Alert variant="neutral" className="mb-4">
+                                    <InfoIcon className="h-4 w-4" />
+                                    <AlertTitle className="font-semibold">
+                                        {t("otpEmailSmtpRequired")}
+                                    </AlertTitle>
+                                    <AlertDescription>
+                                        {t("otpEmailSmtpRequiredDescription")}
+                                    </AlertDescription>
+                                </Alert>
+                            )}
+                            <SwitchInput
+                                id="whitelist-toggle"
+                                label={t("otpEmailWhitelist")}
+                                defaultChecked={whitelistEnabled}
+                                onCheckedChange={(val) => {
+                                    form.setValue("emailWhitelistEnabled", val);
+                                }}
+                                disabled={readonly || !emailEnabled}
+                            />
+
+                            {whitelistEnabled && emailEnabled && (
+                                <FormField
+                                    control={form.control}
+                                    name="emails"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>
+                                                <InfoPopup
+                                                    text={t(
+                                                        "otpEmailWhitelistList"
+                                                    )}
+                                                    info={t(
+                                                        "otpEmailWhitelistListDescription"
+                                                    )}
+                                                />
+                                            </FormLabel>
+                                            <FormControl>
+                                                {/* @ts-ignore */}
+                                                <TagInput
+                                                    {...field}
+                                                    activeTagIndex={
+                                                        activeEmailTagIndex
+                                                    }
+                                                    size="sm"
+                                                    validateTag={(tag) => {
+                                                        return z
+                                                            .email()
+                                                            .or(
+                                                                z
+                                                                    .string()
+                                                                    .regex(
+                                                                        /^\*@[\w.-]+\.[a-zA-Z]{2,}$/,
+                                                                        {
+                                                                            message:
+                                                                                t(
+                                                                                    "otpEmailErrorInvalid"
+                                                                                )
+                                                                        }
+                                                                    )
+                                                            )
+                                                            .safeParse(tag)
+                                                            .success;
+                                                    }}
+                                                    setActiveTagIndex={
+                                                        setActiveEmailTagIndex
+                                                    }
+                                                    placeholder={t(
+                                                        "otpEmailEnter"
+                                                    )}
+                                                    tags={
+                                                        form.getValues()
+                                                            .emails ?? []
+                                                    }
+                                                    setTags={(newEmails) => {
+                                                        if (!readonly) {
+                                                            form.setValue(
+                                                                "emails",
+                                                                newEmails as [
+                                                                    Tag,
+                                                                    ...Tag[]
+                                                                ]
+                                                            );
+                                                        }
+                                                    }}
+                                                    allowDuplicates={false}
+                                                    sortTags={true}
+                                                />
+                                            </FormControl>
+                                            <FormDescription>
+                                                {t("otpEmailEnterDescription")}
+                                            </FormDescription>
+                                        </FormItem>
+                                    )}
+                                />
+                            )}
+                        </SettingsSectionForm>
+
+                        <SettingsSectionFooter>
+                            <Button
+                                type="submit"
+                                loading={isSubmitting}
+                                disabled={
+                                    readonly || isSubmitting || !emailEnabled
+                                }
+                            >
+                                {t("otpEmailWhitelistSave")}
+                            </Button>
+                        </SettingsSectionFooter>
+                    </SettingsSectionBody>
+                </SettingsSection>
+            </form>
+        </Form>
+    );
+}