Merge pull request #3261 from fosrl/dev

1.19.2
Allow missing agent host
2026-06-13 19:09:53 +00:00 · 2026-06-12 15:02:58 -07:00 · 2026-06-12 15:01:09 -07:00 · 2026-06-12 14:44:45 -07:00 · 2026-06-12 14:22:17 -07:00 · 2026-06-12 14:12:01 -07:00
592 changed files with 54676 additions and 21570 deletions
--- a/.cursor/rules/Button-loading-state.mdc
+++ b/.cursor/rules/Button-loading-state.mdc
@@ -0,0 +1,5 @@
+---
+alwaysApply: true
+---
+
+When adding submit buttons, don't change the text of the button during the loading state. Text should stay static and you should use the loading prop on the button.
--- a/.cursor/rules/Components.mdc
+++ b/.cursor/rules/Components.mdc
@@ -0,0 +1,5 @@
+---
+alwaysApply: true
+---
+
+When creating UI for popup dialogs or modals, use the Credenza componennt. This component is mobile responsive and works on desktop and wraps the dialog component and sheet into one.
--- a/.cursor/rules/TypeScript-rules.mdc
+++ b/.cursor/rules/TypeScript-rules.mdc
@@ -0,0 +1,7 @@
+---
+alwaysApply: true
+---
+
+When writing TypeScript:
+
+Prefer to use types instead of interfaces.
--- a/.cursor/rules/Use-React-form-and-Zod-schemas.mdc
+++ b/.cursor/rules/Use-React-form-and-Zod-schemas.mdc
@@ -0,0 +1,5 @@
+---
+alwaysApply: true
+---
+
+When creating forms, use React form for validation and use Zod schemas.
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,3 +34,5 @@ build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
+allowedDevOrigins.json
+scratch/
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: [fosrl]
--- a/.github/ISSUE_TEMPLATE/1.bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1.bug_report.yml
@@ -14,12 +14,13 @@ body:
          label: Environment
          description: Please fill out the relevant details below for your environment.
          value: |
-              - OS Type & Version: (e.g., Ubuntu 22.04)
+              - OS Type & Version:
              - Pangolin Version:
+              - Edition (Community or Enterprise):
              - Gerbil Version:
              - Traefik Version:
              - Newt Version:
-              - Olm Version: (if applicable)
+              - Client Version:
      validations:
          required: true

--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -77,7 +77,7 @@ jobs:
                  fi

            - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                  fi

            - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -407,7 +407,7 @@ jobs:
              shell: bash

            - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
@@ -415,7 +415,9 @@ jobs:

            - name: Install cosign
              # cosign is used to sign container images using keyless (OIDC) signing
-              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+              uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+              with:
+                cosign-release: v3.0.6

            - name: Sign (GHCR, keyless)
              # Sign each GHCR image by digest using keyless (OIDC) signing via Sigstore/Rekor.
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,7 +24,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Set up Node.js
-              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
              with:
                node-version: '24'

--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -23,7 +23,7 @@ jobs:
          skopeo --version

      - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

      - name: Input check
        run: |
--- a/.github/workflows/restart-runners.yml
+++ b/.github/workflows/restart-runners.yml
@@ -1,39 +0,0 @@
-name: Restart Runners
-
-on:
-  schedule:
-    - cron: '0 0 */7 * *'
-
-permissions:
-    id-token: write
-    contents: read
-
-jobs:
-  ec2-maintenance-prod:
-    runs-on: ubuntu-latest
-    permissions: write-all
-    steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
-          role-duration-seconds: 3600
-          aws-region: ${{ secrets.AWS_REGION }}
-
-      - name: Verify AWS identity
-        run: aws sts get-caller-identity
-
-      - name: Start EC2 instance
-        run: |
-          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
-          echo "EC2 instances started"
-
-      - name: Wait
-        run: sleep 600
-
-      - name: Stop EC2 instance
-        run: |
-          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
-          echo "EC2 instances stopped"
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -1,160 +0,0 @@
-name: SAAS Pipeline
-
-# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
-# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
-
-permissions:
-  contents: read
-  packages: write      # for GHCR push
-  id-token: write      # for Cosign Keyless (OIDC) Signing
-
-on:
-    push:
-        tags:
-            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
-
-concurrency:
-  group: ${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-    pre-run:
-        runs-on: ubuntu-latest
-        permissions: write-all
-        steps:
-            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
-              with:
-                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
-                  role-duration-seconds: 3600
-                  aws-region: ${{ secrets.AWS_REGION }}
-
-            - name: Verify AWS identity
-              run: aws sts get-caller-identity
-
-            - name: Start EC2 instances
-              run: |
-                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-                  echo "EC2 instances started"
-
-
-    release-arm:
-        name: Build and Release (ARM64)
-        runs-on: [self-hosted, linux, arm64, us-east-1]
-        needs: [pre-run]
-        if: >-
-            ${{
-                needs.pre-run.result == 'success'
-            }}
-        # Job-level timeout to avoid runaway or stuck runs
-        timeout-minutes: 120
-        env:
-          # Target images
-          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
-
-        steps:
-            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-            - name: Download MaxMind GeoLite2 databases
-              env:
-                MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
-              run: |
-                echo "Downloading MaxMind GeoLite2 databases..."
-
-                # Download GeoLite2-Country
-                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
-                  -o GeoLite2-Country.tar.gz
-
-                # Download GeoLite2-ASN
-                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
-                  -o GeoLite2-ASN.tar.gz
-
-                # Extract the .mmdb files
-                tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
-                tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
-
-                # Verify files exist
-                if [ ! -f "GeoLite2-Country.mmdb" ]; then
-                  echo "ERROR: Failed to download GeoLite2-Country.mmdb"
-                  exit 1
-                fi
-
-                if [ ! -f "GeoLite2-ASN.mmdb" ]; then
-                  echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
-                  exit 1
-                fi
-
-                # Clean up tar files
-                rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
-
-                echo "MaxMind databases downloaded successfully"
-                ls -lh GeoLite2-*.mmdb
-
-            - name: Monitor storage space
-              run: |
-                  THRESHOLD=75
-                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
-                  echo "Used space: $USED_SPACE%"
-                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
-                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
-                      echo y | docker system prune -a
-                  else
-                      echo "Storage space is above the threshold. No action needed."
-                  fi
-
-            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
-              with:
-                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
-                  role-duration-seconds: 3600
-                  aws-region: ${{ secrets.AWS_REGION }}
-
-            - name: Login to Amazon ECR
-              id: login-ecr
-              uses: aws-actions/amazon-ecr-login@v2
-
-            - name: Extract tag name
-              id: get-tag
-              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-              shell: bash
-
-            - name: Update version in package.json
-              run: |
-                  TAG=${{ env.TAG }}
-                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
-                  cat server/lib/consts.ts
-              shell: bash
-
-            - name: Build and push Docker images (Docker Hub - ARM64)
-              run: |
-                  TAG=${{ env.TAG }}
-                  make build-saas tag=$TAG
-                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
-              shell: bash
-
-    post-run:
-        needs: [pre-run, release-arm]
-        if: >-
-            ${{
-                always() &&
-                needs.pre-run.result == 'success' &&
-                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
-            }}
-        runs-on: ubuntu-latest
-        permissions: write-all
-        steps:
-            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
-              with:
-                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
-                  role-duration-seconds: 3600
-                  aws-region: ${{ secrets.AWS_REGION }}
-
-            - name: Verify AWS identity
-              run: aws sts get-caller-identity
-
-            - name: Stop EC2 instances
-              run: |
-                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-                  echo "EC2 instances stopped"
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -14,7 +14,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
        with:
          days-before-stale: 14
          days-before-close: 14
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '24'

--- a/.gitignore
+++ b/.gitignore
@@ -17,9 +17,9 @@ yarn-error.log*
 *.tsbuildinfo
 next-env.d.ts
 *.db
-*.sqlite
+*.sqlite*
 !Dockerfile.sqlite
-*.sqlite3
+*.sqlite3*
 *.log
 .machinelogs*.json
 *-audit.json
@@ -54,3 +54,5 @@ hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
 server/setup/migrations.ts
+solo.yml
+allowedDevOrigins.json
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ the docs to illustrate some basic ideas.

 ## Licensing

-Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
+Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).

 ## Contributions

--- a/cli/commands/disableUser2fa.ts
+++ b/cli/commands/disableUser2fa.ts
@@ -0,0 +1,60 @@
+import { CommandModule } from "yargs";
+import { db, users } from "@server/db";
+import { eq } from "drizzle-orm";
+
+/**
+ * Disable 2FA for a user by email address.
+ */
+type DisableUser2faArgs = {
+    email: string;
+};
+
+export const disableUser2fa: CommandModule<{}, DisableUser2faArgs> = {
+    command: "disable-user-2fa",
+    describe: "Disable 2FA for a user (sets twoFactorEnabled=false, clears secret)",
+    builder: (yargs) => {
+        return yargs.option("email", {
+            type: "string",
+            demandOption: true,
+            describe: "User email address"
+        });
+    },
+    handler: async (argv: { email: string }) => {
+        try {
+            const { email } = argv;
+            console.log(`Looking for user with email: ${email}`);
+
+            // Find the user by email
+            const [user] = await db
+                .select()
+                .from(users)
+                .where(eq(users.email, email))
+                .limit(1);
+
+            if (!user) {
+                console.error(`User with email '${email}' not found`);
+                process.exit(1);
+            }
+
+            if (!user.twoFactorEnabled) {
+                console.log(`2FA is already disabled for user '${email}'.`);
+                process.exit(0);
+            }
+
+            // Update user: disable 2FA and clear secret
+            await db.update(users)
+                .set({
+                    twoFactorEnabled: false,
+                    twoFactorSecret: null,
+                    twoFactorSetupRequested: false
+                })
+                .where(eq(users.userId, user.userId));
+
+            console.log(`2FA disabled for user '${email}'.`);
+            process.exit(0);
+        } catch (error) {
+            console.error("Error disabling 2FA:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/commands/setServerAdmin.ts
+++ b/cli/commands/setServerAdmin.ts
@@ -0,0 +1,85 @@
+import { CommandModule } from "yargs";
+import { db, users } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type SetServerAdminArgs = {
+    email: string;
+    remove: boolean;
+};
+
+export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
+    command: "set-server-admin",
+    describe: "Add or remove server admin by email address",
+    builder: (yargs) => {
+        return yargs
+            .option("email", {
+                type: "string",
+                demandOption: true,
+                describe: "User email address"
+            })
+            .option("remove", {
+                type: "boolean",
+                default: false,
+                describe: "Remove server admin status from the user"
+            });
+    },
+    handler: async (argv: SetServerAdminArgs) => {
+        try {
+            const email = argv.email.trim().toLowerCase();
+
+            const [user] = await db
+                .select()
+                .from(users)
+                .where(eq(users.email, email))
+                .limit(1);
+
+            if (!user) {
+                console.error(`User with email '${email}' not found`);
+                process.exit(1);
+            }
+
+            if (argv.remove) {
+                if (!user.serverAdmin) {
+                    console.log(`User '${email}' is not a server admin`);
+                    process.exit(0);
+                }
+
+                const serverAdmins = await db
+                    .select()
+                    .from(users)
+                    .where(eq(users.serverAdmin, true));
+
+                if (serverAdmins.length <= 1) {
+                    console.error(
+                        "Cannot remove server admin: at least one server admin must exist"
+                    );
+                    process.exit(1);
+                }
+
+                await db
+                    .update(users)
+                    .set({ serverAdmin: false })
+                    .where(eq(users.userId, user.userId));
+
+                console.log(`Server admin status removed from user '${email}'`);
+                process.exit(0);
+            }
+
+            if (user.serverAdmin) {
+                console.log(`User '${email}' is already a server admin`);
+                process.exit(0);
+            }
+
+            await db
+                .update(users)
+                .set({ serverAdmin: true })
+                .where(eq(users.userId, user.userId));
+
+            console.log(`User '${email}' has been marked as a server admin`);
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -10,6 +10,8 @@ import { clearLicenseKeys } from "./commands/clearLicenseKeys";
 import { deleteClient } from "./commands/deleteClient";
 import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
 import { clearCertificates } from "./commands/clearCertificates";
+import { disableUser2fa } from "./commands/disableUser2fa";
+import { setServerAdmin } from "./commands/setServerAdmin";

 yargs(hideBin(process.argv))
    .scriptName("pangctl")
@@ -21,5 +23,7 @@ yargs(hideBin(process.argv))
    .command(deleteClient)
    .command(generateOrgCaKeys)
    .command(clearCertificates)
+    .command(disableUser2fa)
+    .command(setServerAdmin)
    .demandCommand()
    .help().argv;
--- a/config/traefik/traefik_config.yml
+++ b/config/traefik/traefik_config.yml
@@ -1,54 +1,47 @@
 api:
  insecure: true
  dashboard: true
-
 providers:
  http:
-    endpoint: "http://pangolin:3001/api/v1/traefik-config"
-    pollInterval: "5s"
+    endpoint: http://pangolin:3001/api/v1/traefik-config
+    pollInterval: 5s
  file:
-    filename: "/etc/traefik/dynamic_config.yml"
-
+    filename: /etc/traefik/dynamic_config.yml
 experimental:
  plugins:
    badger:
-      moduleName: "github.com/fosrl/badger"
-      version: "{{.BadgerVersion}}"
-
+      moduleName: github.com/fosrl/badger
+      version: v1.4.1
 log:
-  level: "INFO"
-  format: "common"
+  level: INFO
+  format: common
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true
-
 certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
-      email: "{{.LetsEncryptEmail}}"
-      storage: "/letsencrypt/acme.json"
-      caServer: "https://acme-v02.api.letsencrypt.org/directory"
-
+      email: '{{.LetsEncryptEmail}}'
+      storage: /letsencrypt/acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory
 entryPoints:
  web:
-    address: ":80"
+    address: ':80'
  websecure:
-    address: ":443"
+    address: ':443'
    transport:
      respondingTimeouts:
-        readTimeout: "30m"
+        readTimeout: 30m
    http:
      tls:
-        certResolver: "letsencrypt"
+        certResolver: letsencrypt
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true
-
 serversTransport:
  insecureSkipVerify: true
-
 ping:
-  entryPoint: "web"
+  entryPoint: web
--- a/drizzle.sqlite.config.ts
+++ b/drizzle.sqlite.config.ts
@@ -1,4 +1,4 @@
-import { APP_PATH } from "@server/lib/consts";
+import { APP_PATH } from "./server/lib/consts";
 import { defineConfig } from "drizzle-kit";
 import path from "path";

--- a/install/config/config.yml
+++ b/install/config/config.yml
@@ -22,7 +22,8 @@ server:
        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
        allowed_headers: ["X-CSRF-Token", "Content-Type"]
        credentials: false
-    {{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_asn_path: "./config/GeoLite2-ASN.mmdb"{{end}}
 {{if .EnableEmail}}
 email:
    smtp_host: "{{.EmailSMTPHost}}"
@@ -36,3 +37,6 @@ flags:
    disable_signup_without_invite: true
    disable_user_create_org: false
    allow_raw_resources: true
+
+{{if .IsPostgreSQL}}postgres:
+    connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin{{end}}
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -1,15 +1,23 @@
 name: pangolin
 services:
  pangolin:
-    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{if .IsPostgreSQL}}postgresql-{{end}}{{.PangolinVersion}}
    container_name: pangolin
    restart: unless-stopped
    deploy:
      resources:
        limits:
-          memory: 1g
+          memory: 2g
        reservations:
-          memory: 256m
+          memory: 512m
+    {{if or .IsPostgreSQL .IsRedis}}depends_on:
+      {{if .IsPostgreSQL}}postgres:
+          condition: service_healthy{{end}}
+      {{if .IsRedis}}redis:
+          condition: service_healthy{{end}}
+    networks:
+      - default
+      - backend{{end}}
    volumes:
      - ./config:/app/config
    healthcheck:
@@ -17,8 +25,8 @@ services:
      interval: "10s"
      timeout: "10s"
      retries: 15
-{{if .InstallGerbil}}
-  gerbil:
+
+  {{if .InstallGerbil}}gerbil:
    image: docker.io/fosrl/gerbil:{{.GerbilVersion}}
    container_name: gerbil
    restart: unless-stopped
@@ -39,17 +47,16 @@ services:
      - 21820:21820/udp
      - 443:443
      - 443:443/udp # For http3 QUIC if desired
-      - 80:80
-{{end}}
+      - 80:80{{end}}
+
  traefik:
    image: docker.io/traefik:v3.6
    container_name: traefik
    restart: unless-stopped
-{{if .InstallGerbil}}    network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
+    {{if .InstallGerbil}}network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
    ports:
      - 443:443
-      - 80:80
-{{end}}
+      - 80:80{{end}}
    depends_on:
      pangolin:
        condition: service_healthy
@@ -60,8 +67,50 @@ services:
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs

+  {{if .IsPostgreSQL}}postgres:
+    image: postgres:18
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: pangolin
+      POSTGRES_PASSWORD: {{.IsPostgreSQLPass}}
+      POSTGRES_DB: pangolin
+    volumes:
+      - ./postgres18:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U pangolin"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - backend{{end}}
+
+  {{if .IsRedis}}redis:
+    image: redis:8-trixie
+    container_name: redis
+    restart: unless-stopped
+    command: >
+      redis-server
+      --save 3600 1000
+      --appendonly yes
+      --requirepass {{.IsRedisPass}}
+    volumes:
+      - ./redis8:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "-a", "{{.IsRedisPass}}", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 10s
+    networks:
+      - backend{{end}}
+
 networks:
  default:
    driver: bridge
-    name: pangolin
+    name: pangolin_frontend
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
+{{if or .IsPostgreSQL .IsRedis}}  backend:
+    driver: bridge
+    name: pangolin_backend
+    internal: true{{end}}
--- a/install/config/privateConfig.yml
+++ b/install/config/privateConfig.yml
@@ -0,0 +1,4 @@
+{{if .IsRedis}}redis:
+  host: "redis"
+  port: 6379
+  password: "{{.IsRedisPass}}"{{end}}
--- a/install/go.mod
+++ b/install/go.mod
@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.42.0
+	golang.org/x/term v0.43.0
 	gopkg.in/yaml.v3 v3.0.1
 )

@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
--- a/install/main.go
+++ b/install/main.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"embed"
 	"encoding/base64"
+	"flag"
 	"fmt"
 	"io"
 	"io/fs"
@@ -53,9 +54,13 @@ type Config struct {
 	InstallGerbil             bool
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
-	EnableGeoblocking         bool
+	EnableMaxMind             bool
 	Secret                    string
 	IsEnterprise              bool
+    IsPostgreSQL              bool
+	IsPostgreSQLPass          string
+    IsRedis                   bool
+	IsRedisPass               string
 }

 type SupportedContainer string
@@ -66,8 +71,14 @@ const (
 	Undefined SupportedContainer = "undefined"
 )

+var redisFlag *bool
+
 func main() {

+	crowdsecFlag := flag.Bool("crowdsec", false, "Enable the CrowdSec installation prompt")
+	redisFlag = flag.Bool("redis", false, "Install Redis as cacheing solution. Required for HA. Not required for the Enterprise version.")
+	flag.Parse()
+
 	// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking

 	fmt.Println("Welcome to the Pangolin installer!")
@@ -119,11 +130,11 @@ func main() {

 		fmt.Println("\nConfiguration files created successfully!")

-		// Download MaxMind database if requested
-		if config.EnableGeoblocking {
-			fmt.Println("\n=== Downloading MaxMind Database ===")
+		// Download MaxMind Country / ASN database if requested
+		if config.EnableMaxMind {
+			fmt.Println("\n=== Downloading MaxMind Country and ASN Databases ===")
 			if err := downloadMaxMindDatabase(); err != nil {
-				fmt.Printf("Error downloading MaxMind database: %v\n", err)
+				fmt.Printf("Error downloading MaxMind databases: %v\n", err)
 				fmt.Println("You can download it manually later if needed.")
 			}
 		}
@@ -184,15 +195,15 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
+			if readBool("Would you like to update the MaxMind databases (Country and ASN) to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
 				}
 			}
 		} else {
-			fmt.Println("MaxMind GeoLite2 Country database not found.")
-			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+			fmt.Println("MaxMind GeoLite2 Country and ASN databases not found.")
+			if readBool("Would you like to download the MaxMind GeoLite2 databases for blocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
@@ -200,13 +211,15 @@ func main() {
 				// Now you need to update your config file accordingly to enable geoblocking
 				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
-				fmt.Println("Add the following line under the 'server' section:")
+				// add   maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
+				fmt.Println("Add the following lines under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
+				fmt.Println("  maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
 			}
 		}
 	}

-	if !checkIsCrowdsecInstalledInCompose() {
+	if *crowdsecFlag && !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
 		if readBool("Would you like to install CrowdSec?", false) {
@@ -480,6 +493,17 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Basic Configuration ===")

 	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
+    if config.IsEnterprise {
+        if *redisFlag {
+			config.IsRedis = true
+            config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
+        }
+    }
+
+    config.IsPostgreSQL = readBool("Do you want to use PostgreSQL (not recommended for most users)?", false)
+	if config.IsPostgreSQL {
+		config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
+	}

 	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")

@@ -523,7 +547,7 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")

 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
+	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ASN databases for blocking functionality?", true)

 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -776,29 +800,42 @@ func checkPortsAvailable(port int) error {
 }

 func downloadMaxMindDatabase() error {
-	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
+	fmt.Println("Downloading MaxMind GeoLite2 Country and ASN databases...")

-	// Download the GeoLite2 Country database
+	// Download the GeoLite2 Country databases
 	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to download GeoLite2 Country database: %v", err)
+	}
+	if err := run("curl", "-L", "-o", "GeoLite2-ASN.tar.gz",
+		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
 	}

-	// Extract the database
+	// Extract the Country database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
+	}
+	if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
 	}

 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
-		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
+		return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
+	}
+	if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
+		return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
 	}

 	// Clean up the downloaded files
-	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
-		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
+	if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
+	}
+	if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
 	}

-	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
+	fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
 	return nil
 }
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Вижте частни ресурси",
    "siteInstallNewt": "Инсталирайте Newt",
    "siteInstallNewtDescription": "Пуснете Newt на вашата система",
+    "siteInstallKubernetesDocsDescription": "За повече и актуална информация относно инсталацията на Kubernetes, вижте <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "За инструкции за инсталиране на Advantech модем, вижте <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard конфигурация",
    "WgConfigurationDescription": "Използвайте следната конфигурация, за да се свържете с мрежата",
    "operatingSystem": "Операционна система",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Ще можете да виждате това само веднъж. Уверете се да го копирате на сигурно място.",
    "siteInfo": "Информация за сайта",
    "status": "Статус",
-    "shareTitle": "Управление на връзки за споделяне",
+    "shareTitle": "Управление на споделими връзки",
    "shareDescription": "Създайте споделими връзки, за да предоставите временен или постоянен достъп до прокси ресурсите",
-    "shareSearch": "Търсене на връзки за споделяне...",
-    "shareCreate": "Създайте връзка за споделяне",
+    "shareSearch": "Търсене на споделими връзки...",
+    "shareCreate": "Създаване на споделима връзка",
    "shareErrorDelete": "Неуспешно изтриване на връзката",
    "shareErrorDeleteMessage": "Възникна грешка при изтриване на връзката",
    "shareDeleted": "Връзката беше изтрита",
    "shareDeletedDescription": "Връзката беше премахната",
+    "shareDelete": "Изтриване на споделима връзка",
+    "shareDeleteConfirm": "Потвърдете изтриването на споделима връзка",
+    "shareQuestionRemove": "Сигурни ли сте, че искате да изтриете тази споделена връзка?",
+    "shareMessageRemove": "След изтриване връзката вече няма да работи и всеки, който я използва, ще загуби достъп до ресурса.",
    "shareTokenDescription": "Достъпният токен може да бъде предаван по два начина: като параметър или в хедърите на заявките. Те трябва да бъдат предавани от клиента при всяка заявка за удостоверен достъп.",
    "accessToken": "Достъп Токен",
    "usageExamples": "Примери за използване",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Възникна грешка при създаването на връзката за споделяне",
    "shareCreateDescription": "Всеки с тази връзка може да получи достъп до ресурса",
    "shareTitleOptional": "Заглавие (по избор)",
+    "sharePathOptional": "Път (по избор)",
+    "sharePathDescription": "След удостоверяване, линкът ще препрати потребителите на този път.",
    "expireIn": "Изтече",
    "neverExpire": "Никога не изтича",
    "shareExpireDescription": "Времето на изтичане е колко дълго връзката ще бъде използваема и ще предоставя достъп до ресурса. След това време, връзката няма да работи и потребителите, които са я използвали, ще загубят достъп до ресурса.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Моля, изберете ресурс",
    "proxyResourceTitle": "Управление на обществени ресурси",
    "proxyResourceDescription": "Създайте и управлявайте ресурси, които са общодостъпни чрез уеб браузър.",
-    "proxyResourcesBannerTitle": "Публичен достъп чрез уеб.",
-    "proxyResourcesBannerDescription": "Публичните ресурси са HTTPS или TCP/UDP проксита, достъпни за всеки в интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват софтуер от страна на клиента и могат да включват издентити и контексто-осъзнати политики за достъп.",
+    "publicResourcesBannerTitle": "Публичен достъп през Интернет",
+    "publicResourcesBannerDescription": "Публичните ресурси са HTTPS проксита, достъпни за всеки в Интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват клиентски софтуер и могат да включват издентити и контексто-осъзнати политики за достъп.",
    "clientResourceTitle": "Управление на частни ресурси",
    "clientResourceDescription": "Създайте и управлявайте ресурси, които са достъпни само чрез свързан клиент.",
    "privateResourcesBannerTitle": "Достъп до частни ресурси с нулево доверие.",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Търсене на ресурси...",
    "resourceAdd": "Добавете ресурс",
    "resourceErrorDelte": "Грешка при изтриване на ресурс",
+    "resourcePoliciesBannerTitle": "Повторно използване на Удостоверяване и Правила за Достъп",
+    "resourcePoliciesBannerDescription": "Споделените ресурсни политики ви позволяват да дефинирате методи за удостоверяване и правила за достъп веднъж, след което ги прикачвате към множество публични ресурси. Когато актуализирате политика, всеки свързан ресурс автоматично унаследява промените.",
+    "resourcePoliciesBannerButtonText": "Научете Повече",
+    "resourcePoliciesTitle": "Управление на публични ресурсни политики",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Ресурси",
+    "resourcePoliciesAttachedResources": "{count} ресурс(а)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# ресурс} other {# ресурси}}",
+    "resourcePoliciesAttachedResourcesEmpty": "няма ресурси",
+    "resourcePoliciesDescription": "Създайте и управлявайте политики за удостоверяване за контролиране на достъпа до вашите публични ресурси",
+    "resourcePoliciesSearch": "Търсене на политики...",
+    "resourcePoliciesAdd": "Добавяне на политика",
+    "resourcePoliciesDefaultBadgeText": "Стандартна политика",
+    "resourcePoliciesCreate": "Създаване на публична ресурсна политика",
+    "resourcePoliciesCreateDescription": "Следвайте стъпките по-долу, за да създадете нова политика",
+    "resourcePolicyName": "Име на политика",
+    "resourcePolicyNameDescription": "Дайте на тази политика име, за да я идентифицирате в цялото ви ресурси",
+    "resourcePolicyNamePlaceholder": "например Политика за вътрешен достъп",
+    "resourcePoliciesSeeAll": "Вижте всички политики",
+    "resourcePolicyAuthMethodAdd": "Добавяне на метод за идентификация",
+    "resourcePolicyOtpEmailAdd": "Добавяне на имейли за еднократна парола",
+    "resourcePolicyRulesAdd": "Добавяне на правила",
+    "resourcePolicyAuthMethodsDescription": "Позволете достъп до ресурси чрез допълнителни методи за идентификация",
+    "resourcePolicyUsersRolesDescription": "Конфигурирайте потребителите и ролите, които могат да посетят свързаните ресурси",
+    "rulesResourcePolicyDescription": "Конфигурирайте правилата за контрол на достъп до ресурси, свързани с тази политика",
    "authentication": "Удостоверяване",
    "protected": "Защита",
    "notProtected": "Не защитен",
    "resourceMessageRemove": "След като се премахне, ресурсът няма повече да бъде достъпен. Всички цели, свързани с ресурса, също ще бъдат премахнати.",
    "resourceQuestionRemove": "Сигурни ли сте, че искате да премахнете ресурса от организацията?",
+    "resourcePolicyMessageRemove": "След премахването, политиката за ресурс няма да бъде повече достъпна. Всички ресурси, свързани с ресурса, ще бъдат нерешени и оставени без идентификация.",
+    "resourcePolicyQuestionRemove": "Сигурни ли сте, че искате да премахнете политиката за ресурс от организацията?",
    "resourceHTTP": "HTTPS ресурс",
    "resourceHTTPDescription": "Прокси заявки чрез HTTPS, използвайки напълно квалифицирано име на домейн.",
    "resourceRaw": "Суров TCP/UDP ресурс",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Получавайте заявки чрез суров TCP/UDP с използване на портен номер. Изисква се сайтовете да се свързват към отдалечен възел.",
    "resourceCreate": "Създайте ресурс",
    "resourceCreateDescription": "Следвайте стъпките по-долу, за да създадете нов ресурс",
+    "resourceCreateGeneralDescription": "Конфигуриране на основните настройки на ресурса, включително име и тип",
    "resourceSeeAll": "Вижте всички ресурси",
-    "resourceInfo": "Информация за ресурса",
+    "resourceCreateGeneral": "Основни параметри",
    "resourceNameDescription": "Това е дисплейното име на ресурса.",
    "siteSelect": "Изберете сайт",
    "siteSearch": "Търсене на сайт",
@@ -227,12 +262,15 @@
    "noCountryFound": "Не е намерена държава.",
    "siteSelectionDescription": "Този сайт ще осигури свързаност до целта.",
    "resourceType": "Тип ресурс",
-    "resourceTypeDescription": "Определете как да се достъпи ресурсът",
+    "resourceTypeDescription": "Това контролира протокола на ресурса и как той ще се визуализира в браузъра. Това не може да бъде променено по-късно.",
+    "resourceDomainDescription": "Ресурсът ще се обслужва на това напълно квалифицирано име на домейн.",
    "resourceHTTPSSettings": "HTTPS настройки",
    "resourceHTTPSSettingsDescription": "Конфигурирайте как ресурсът ще бъде достъпен по HTTPS",
+    "resourcePortDescription": "Външен порт на инстанцията или възела на Панголиин, където ресурсът ще бъде достъпен.",
    "domainType": "Тип домейн",
    "subdomain": "Субдомейн",
    "baseDomain": "Базов домейн",
+    "configure": "Конфигуриране",
    "subdomnainDescription": "Поддомейнът, където ресурсът ще бъде достъпен.",
    "resourceRawSettings": "TCP/UDP настройки",
    "resourceRawSettingsDescription": "Конфигурирайте как ресурсът ще бъде достъпен чрез TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Назад",
    "cancel": "Отмяна",
    "resourceConfig": "Конфигурационни фрагменти",
-    "resourceConfigDescription": "Копирайте и поставете тези конфигурационни отрязъци, за да настроите TCP/UDP ресурса",
+    "resourceConfigDescription": "Копирайте и поставете тези фрагменти от конфигурация за настройка на TCP/UDP ресурса.",
    "resourceAddEntrypoints": "Traefik: Добавете Входни точки",
    "resourceExposePorts": "Gerbil: Изложете портове в Docker Compose",
    "resourceLearnRaw": "Научете как да конфигурирате TCP/UDP ресурси",
    "resourceBack": "Назад към ресурсите",
    "resourceGoTo": "Отидете към ресурса",
+    "resourcePolicyDelete": "Изтриване на политика за ресурс",
+    "resourcePolicyDeleteConfirm": "Потвърдете изтриване на политика за ресурс",
    "resourceDelete": "Изтрийте ресурс",
    "resourceDeleteConfirm": "Потвърдете изтриване на ресурс",
+    "labelDelete": "Изтриване на етикета",
+    "labelAdd": "Добавяне на етикет",
+    "labelCreateSuccessMessage": "Етикетът е създаден успешно",
+    "labelDuplicateError": "Дублиран етикет",
+    "labelDuplicateErrorDescription": "Етикет с това име вече съществува.",
+    "labelEditSuccessMessage": "Етикетът е променен успешно",
+    "labelNameField": "Име на етикет",
+    "labelColorField": "Цвят на етикет",
+    "labelPlaceholder": "Пр.: homelab",
+    "labelCreate": "Създаване на етикет",
+    "createLabelDialogTitle": "Създаване на етикет",
+    "createLabelDialogDescription": "Създайте нов етикет, който може да се прикачи към тази организация",
+    "labelEdit": "Редактиране на етикет",
+    "editLabelDialogTitle": "Актуализиране на етикет",
+    "editLabelDialogDescription": "Редактирайте нов етикет, който може да се прикачи към тази организация",
+    "labelDeleteConfirm": "Потвърдете изтриването на етикета",
+    "labelErrorDelete": "Неуспешно изтриване на етикета",
+    "labelMessageRemove": "Това действие е постоянно. Всички сайтове, ресурси и клиенти, маркирани с този етикет, ще бъдат отмаркирани.",
+    "labelQuestionRemove": "Сигурни ли сте, че искате да премахнете етикета от организацията?",
    "visibility": "Видимост",
    "enabled": "Активиран",
    "disabled": "Деактивиран",
@@ -261,6 +320,8 @@
    "rules": "Правила",
    "resourceSettingDescription": "Конфигурирайте настройките на ресурса",
    "resourceSetting": "Настройки на {resourceName}",
+    "resourcePolicySettingDescription": "Конфигурирайте настройките на тази публична ресурсна политика",
+    "resourcePolicySetting": "Настройки за {policyName}",
    "alwaysAllow": "Заобикаляне на Ауторизацията",
    "alwaysDeny": "Блокиране на Достъпа",
    "passToAuth": "Прехвърляне към удостоверяване",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "След като бъде премахнат, този потребител няма да има достъп до организацията. Винаги можете да го поканите отново по-късно, но той ще трябва да приеме отново поканата.",
    "userRemoveOrgConfirm": "Потвърдете премахването на потребителя",
    "userRemoveOrg": "Премахване на потребителя от организацията",
+    "userQuestionOrgRemoveSelf": "Сигурни ли сте, че искате да премахнете себе си от тази организация?",
+    "userMessageOrgRemoveSelf": "Ще загубите достъп незабавно. Администратор може да ви покани отново по-късно, но ще трябва да приемете нова покана.",
+    "userRemoveOrgConfirmSelf": "Потвърдете премахването на себе си",
+    "userRemoveOrgSelf": "Премахнете себе си от организацията",
+    "userRemoveOrgSelfWarning": "Ще загубите достъп до тази организация незабавно.",
+    "userRemoveOrgConfirmPhraseSelf": "ПРЕМАХНЕТЕ МЕ ОТ ОРГАНИЗАЦИЯТА",
    "users": "Потребители",
    "accessRoleMember": "Член",
    "accessRoleOwner": "Собственик",
@@ -531,6 +598,11 @@
    "emailInvalid": "Невалиден имейл адрес",
    "inviteValidityDuration": "Моля, изберете продължителност",
    "accessRoleSelectPlease": "Моля, изберете роля",
+    "removeOwnAdminRoleConfirmTitle": "Премахване на административния ви достъп?",
+    "removeOwnAdminRoleConfirmDescription": "След записване няма да имате повече администраторски права в тази организация. Друг администратор може да възстанови достъпа, ако е необходимо.",
+    "removeOwnAdminRoleConfirmButton": "Премахнете административния ми достъп",
+    "removeOwnAdminRoleConfirmPhrase": "ПРЕМАХНЕТЕ АДМИНИСТРАТИВНИЯ МИ ДОСТЪП",
+    "ownerMustRetainAdminRole": "Собственикът на организацията трябва да запази поне една администраторска роля.",
    "usernameRequired": "Необходимо е потребителско име",
    "idpSelectPlease": "Моля, изберете доставчик на идентичност",
    "idpGenericOidc": "Основен OAuth2/OIDC доставчик.",
@@ -615,7 +687,7 @@
    "createdAt": "Създаден на",
    "proxyErrorInvalidHeader": "Невалидна стойност за заглавие на хоста. Използвайте формат на име на домейн, или оставете празно поле за да премахнете персонализирано заглавие на хост.",
    "proxyErrorTls": "Невалидно име на TLS сървър. Използвайте формат на име на домейн, или оставете празно за да премахнете името на TLS сървъра.",
-    "proxyEnableSSL": "Активиране на SSL",
+    "proxyEnableSSL": "Активиране на TLS",
    "proxyEnableSSLDescription": "Активирайте SSL/TLS криптиране за сигурни HTTPS връзки към целите.",
    "target": "Цел",
    "configureTarget": "Конфигуриране на цели",
@@ -656,8 +728,9 @@
    "targetSubmit": "Добавяне на цел",
    "targetNoOne": "Този ресурс няма цели. Добавете цел, за да конфигурирате къде да се изпращат заявките към бекенда.",
    "targetNoOneDescription": "Добавянето на повече от една цел ще активира натоварването на баланса.",
-    "targetsSubmit": "Запазване на целите",
+    "targetsSubmit": "Запази Настройки",
    "addTarget": "Добавете цел",
+    "proxyMultiSiteRoundRobinNodeHelp": "Роунд Робин маршрутизирането няма да работи между сайтове, които не са свързани към един и същ възел, но автоматичното превключване ще работи.",
    "targetErrorInvalidIp": "Невалиден IP адрес",
    "targetErrorInvalidIpDescription": "Моля, въведете валиден IP адрес или име на хост",
    "targetErrorInvalidPort": "Невалиден порт",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Дубликат на правило",
    "rulesErrorDuplicateDescription": "Правило с тези настройки вече съществува",
    "rulesErrorInvalidIpAddressRange": "Невалиден CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Моля, въведете валидна стойност на CIDR",
-    "rulesErrorInvalidUrl": "Невалиден URL път",
-    "rulesErrorInvalidUrlDescription": "Моля, въведете валидна стойност за URL път",
-    "rulesErrorInvalidIpAddress": "Невалиден IP",
-    "rulesErrorInvalidIpAddressDescription": "Моля, въведете валиден IP адрес",
+    "rulesErrorInvalidIpAddressRangeDescription": "Въведете валиден CIDR диапазон (напр., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Невалиден път",
+    "rulesErrorInvalidUrlDescription": "Въведете валиден път на URL или шаблон (напр., /api/*).",
+    "rulesErrorInvalidIpAddress": "Невалиден IP адрес",
+    "rulesErrorInvalidIpAddressDescription": "Въведете валиден IPv4 или IPv6 адрес.",
    "rulesErrorUpdate": "Неуспешно актуализиране на правилата",
    "rulesErrorUpdateDescription": "Възникна грешка при актуализиране на правилата",
    "rulesUpdated": "Активиране на правилата",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "Въведете IP адрес (напр. 103.21.244.12)",
    "rulesMatchUrl": "Въведете URL път или модел (напр. /api/v1/todos или /api/v1/*)",
    "rulesErrorInvalidPriority": "Невалиден приоритет",
-    "rulesErrorInvalidPriorityDescription": "Моля, въведете валиден приоритет",
-    "rulesErrorDuplicatePriority": "Дублирани приоритети",
-    "rulesErrorDuplicatePriorityDescription": "Моля, въведете уникални приоритети",
+    "rulesErrorInvalidPriorityDescription": "Въведете цяло число 1 или по-голямо.",
+    "rulesErrorDuplicatePriority": "Дублирания на приоритети",
+    "rulesErrorDuplicatePriorityDescription": "Всяко правило трябва да има уникален номер на приоритет.",
+    "rulesErrorValidation": "Невалидни правила",
+    "rulesErrorValidationRuleDescription": "Правило {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Изберете валиден тип съвпадение (път, IP, CIDR, държава, регион или ASN).",
+    "rulesErrorValueRequired": "Въведете стойност за това правило.",
+    "rulesErrorInvalidCountry": "Невалидна държава",
+    "rulesErrorInvalidCountryDescription": "Изберете валидна държава.",
+    "rulesErrorInvalidAsn": "Невалиден ASN",
+    "rulesErrorInvalidAsnDescription": "Въведете валиден ASN (напр., AS15169).",
    "ruleUpdated": "Правилата са актуализирани",
    "ruleUpdatedDescription": "Правилата бяха успешно актуализирани",
    "ruleErrorUpdate": "Операцията не бе успешна",
    "ruleErrorUpdateDescription": "Възникна грешка по време на операцията за запис",
    "rulesPriority": "Приоритет",
+    "rulesReorderDragHandle": "Плъзнете за преаранжиране на приоритети на правилата",
    "rulesAction": "Действие",
    "rulesMatchType": "Тип на съвпадение",
    "value": "Стойност",
@@ -728,9 +810,60 @@
    "rulesResource": "Конфигурация на правилата за ресурси",
    "rulesResourceDescription": "Конфигурирайте правила за контролиране на достъпа до ресурса",
    "ruleSubmit": "Добави правило",
-    "rulesNoOne": "Няма правила. Добавете правило чрез формуляра.",
+    "rulesNoOne": "Все още няма правила.",
    "rulesOrder": "Правилата се оценяват по приоритет в нарастващ ред.",
    "rulesSubmit": "Запазване на правилата",
+    "policyErrorCreate": "Грешка при създаване на политика",
+    "policyErrorCreateDescription": "Възникна грешка при създаването на политиката",
+    "policyErrorCreateMessageDescription": "Възникна неочаквана грешка",
+    "policyErrorUpdate": "Грешка при актуализиране на политика",
+    "policyErrorUpdateDescription": "Възникна грешка при актуализиране на политиката",
+    "policyErrorUpdateMessageDescription": "Възникна неочаквана грешка",
+    "policyCreatedSuccess": "Политиката за ресурс е създадена успешно",
+    "policyUpdatedSuccess": "Политиката за ресурс е актуализирана успешно",
+    "authMethodsSave": "Запази Настройки",
+    "policyAuthStackTitle": "Удостоверяване",
+    "policyAuthStackDescription": "Контролирайте кои методи за удостоверяване са необходими за достъп до този ресурс",
+    "policyAuthOrLogicTitle": "Множество активни методи за удостоверяване",
+    "policyAuthOrLogicBanner": "Посетителите могат да се удостоверяват чрез който и да е от активните методи по-долу. Не е необходимо да преминават през всичките.",
+    "policyAuthMethodActive": "Активен",
+    "policyAuthMethodOff": "Изключено",
+    "policyAuthSsoTitle": "Платформено SSO",
+    "policyAuthSsoDescription": "Изисква вход чрез удостоверител на вашата организация",
+    "policyAuthSsoSummary": "{idp} · {users} потребители, {roles} роли",
+    "policyAuthSsoDefaultIdp": "По подразбиране удостоверител",
+    "policyAuthAddDefaultIdentityProvider": "Добавете удостоверител по подразбиране",
+    "policyAuthOtherMethodsTitle": "Други Методи",
+    "policyAuthOtherMethodsDescription": "Опционални методи, които посетителите могат да използват вместо или заедно с платформния SSO",
+    "policyAuthPasscodeTitle": "Парола",
+    "policyAuthPasscodeDescription": "Изисква споделена алфанумерична парола за достъп до ресурса",
+    "policyAuthPasscodeSummary": "Зададена парола",
+    "policyAuthPincodeTitle": "ПИН код",
+    "policyAuthPincodeDescription": "Кратък цифров код, необходим за достъп до ресурса",
+    "policyAuthPincodeSummary": "Зададен 6-цифрен ПИН код",
+    "policyAuthEmailTitle": "Списък с имейл адреси",
+    "policyAuthEmailDescription": "Позволете изброените имейл адреси с еднократни пароли",
+    "policyAuthEmailSummary": "{count} адреси са позволени",
+    "policyAuthEmailOtpCallout": "Активирането на списъка с имейл адреси изпраща еднократна парола на имейла на посетителя при влизане.",
+    "policyAuthHeaderAuthTitle": "Базово удостоверяване чрез заглавие",
+    "policyAuthHeaderAuthDescription": "Валидирайте собствено HTTP заглавие и стойност при всяка заявка",
+    "policyAuthHeaderAuthSummary": "Конфигурирано заглавие",
+    "policyAuthHeaderName": "Име на заглавието",
+    "policyAuthHeaderValue": "Очаквана стойност",
+    "policyAuthSetPasscode": "Задайте парола",
+    "policyAuthSetPincode": "Задайте ПИН код",
+    "policyAuthSetEmailWhitelist": "Задайте списък с имейли",
+    "policyAuthSetHeaderAuth": "Задайте базово удостоверяване чрез заглавие",
+    "policyAccessRulesTitle": "Правила за достъп",
+    "policyAccessRulesEnableDescription": "Когато е включено, правилата се оценяват в низходящ ред, докато едно не се оцени като вярно.",
+    "policyAccessRulesFirstMatch": "Правилата се оценяват от горе надолу. Първото съвпадащо правило определя резултата.",
+    "policyAccessRulesHowItWorks": "Правилата съпоставят заявки по път, IP адрес, местоположение или друг критерий. Всяко правило прилага действие: заобикаля удостоверяване, блокира достъп или преминава към удостоверяване. Ако няма съвпадение, трафикът продължава към удостоверяване.",
+    "policyAccessRulesFallthroughOff": "Когато правилата са изключени, целият трафик преминава към удостоверяване.",
+    "policyAccessRulesFallthroughOn": "Когато няма съвпадение, трафикът преминава към удостоверяване.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Запазете правилата",
    "resourceErrorCreate": "Грешка при създаване на ресурс",
    "resourceErrorCreateDescription": "Възникна грешка при създаването на ресурса",
    "resourceErrorCreateMessage": "Грешка при създаване на ресурс:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Възникна грешка при актуализиране на ресурса",
    "access": "Достъп",
    "accessControl": "Контрол на достъпа",
-    "shareLink": "{resource} Сподели връзка",
+    "shareLink": "{resource} Споделима връзка",
    "resourceSelect": "Изберете ресурс",
-    "shareLinks": "Споделени връзки",
+    "shareLinks": "Споделими връзки",
    "share": "Споделени връзки",
    "shareDescription2": "Създайте връзки за достъп до ресурси. Връзките предоставят временен или неограничен достъп до вашия ресурс. Можете да конфигурирате продължителността на изтичане на връзката, когато я създавате.",
    "shareEasyCreate": "Лесно за създаване и споделяне",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Добави ПИН код",
    "pincodeRemove": "Премахни ПИН код",
    "resourceAuthMethods": "Методи за автентикация",
+    "resourcePolicyAuthMethodsEmpty": "Няма метод за идентификация",
+    "resourcePolicyOtpEmpty": "Без еднократна парола",
+    "resourcePolicyReadOnly": "Тази политика е само за четене",
+    "resourcePolicyReadOnlyDescription": "Тази политика за ресурс се споделя между множество ресурси, не можете да я редактирате на тази страница.",
+    "editSharedPolicy": "Редактирай споделена политика",
+    "resourcePolicyTypeSave": "Запазете типа на ресурс",
+    "resourcePolicySelect": "Изберете политика за ресурс",
+    "resourcePolicySelectError": "Изберете политика за ресурс",
+    "resourcePolicyNotFound": "Политиката не е намерена",
+    "resourcePolicySearch": "Търсене на политики",
+    "resourcePolicyRulesEmpty": "Няма правила за идентификация",
    "resourceAuthMethodsDescriptions": "Позволете достъп до ресурса чрез допълнителни методи за автентикация",
    "resourceAuthSettingsSave": "Запазено успешно",
    "resourceAuthSettingsSaveDescription": "Настройките за автентикация са запазени успешно",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Задай ПИН код",
    "resourcePincodeSetupTitleDescription": "Задайте ПИН код, за да защитите този ресурс",
    "resourceRoleDescription": "Администраторите винаги могат да имат достъп до този ресурс.",
+    "resourcePolicySelectTitle": "Политика за достъп до ресурс",
+    "resourcePolicySelectDescription": "Изберете типа на политиката за ресурс за идентификация",
+    "resourcePolicyTypeLabel": "Тип политика",
+    "resourcePolicyLabel": "Ресурсна политика",
+    "resourcePolicyInline": "Инлайн Политика за Ресурс",
+    "resourcePolicyInlineDescription": "Политика за достъп, ограничена само до този ресурс",
+    "resourcePolicyShared": "Споделена Политика за Ресурс",
+    "resourcePolicySharedDescription": "Този ресурс използва споделена политика.",
+    "sharedPolicy": "Споделена политика",
+    "sharedPolicyNoneDescription": "Този ресурс има своя собствена политика.",
+    "resourceSharedPolicyOwnDescription": "Този ресурс има свои собствени контроли за удостоверяване и правила за достъп.",
+    "resourceSharedPolicyInheritedDescription": "Този ресурс наследява от <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Този ресурс използва споделена политика. Някои настройки на удостоверяване могат да се редактират на този ресурс, за да се добавят към политиката. За да промените основната политика, трябва да редактирате <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Този ресурс използва споделена политика. Някои правила за достъп могат да се редактират на този ресурс. За да промените основната политика, трябва да редактирате <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Контроли за достъп",
    "resourceUsersRolesDescription": "Конфигурирайте кои потребители и роли могат да посещават този ресурс",
    "resourceUsersRolesSubmit": "Запазване на управлението на достъп.",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Видимост",
    "resourceVisibilityTitleDescription": "Напълно активирайте или деактивирайте видимостта на ресурса",
    "resourceGeneral": "Общи настройки",
-    "resourceGeneralDescription": "Конфигурирайте общите настройки за този ресурс",
+    "resourceGeneralDescription": "Конфигурирайте име, адрес и политика за достъп за този ресурс.",
+    "resourceGeneralDetailsSubsection": "Подробности за ресурса",
+    "resourceGeneralDetailsSubsectionDescription": "Задайте показвано име, идентификатор и публично достъпен домейн за този ресурс.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Задайте показвано име, идентификатор и публичен порт за този ресурс.",
+    "resourceGeneralPublicAddressSubsection": "Публичен Адрес",
+    "resourceGeneralPublicAddressSubsectionDescription": "Конфигурирайте как потребителите достигат до този ресурс.",
+    "resourceGeneralAuthenticationAccessSubsection": "Удостоверяване и Достъп",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Изберете дали този ресурс използва собствена политика или наследява от споделена политика.",
    "resourceEnable": "Активирайте ресурс",
    "resourceTransfer": "Прехвърлете ресурс",
    "resourceTransferDescription": "Прехвърлете този ресурс към различен сайт",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Имаше проблем със свързването към {name}. Моля, свържете се с вашия администратор.",
    "idpErrorNotFound": "Не е намерен идентификационен доставчик",
    "inviteInvalid": "Невалидна покана",
+    "labels": "Етикети",
+    "orgLabelsDescription": "Управление на етикети в тази организация.",
+    "addLabels": "Добавяне на етикети",
+    "siteLabelsTab": "Етикети",
+    "siteLabelsDescription": "Управление на етикети, свързани с този сайт.",
+    "labelsNotFound": "Не са намерени етикети.",
+    "labelsEmptyCreateHint": "Започнете да пишете горе, за да създадете етикет.",
+    "labelSearch": "Търсене на етикети",
+    "labelSearchOrCreate": "Търсене или създаване на етикет",
+    "accessLabelFilterCount": "{count, plural, one {# етикет} other {# етикети}}",
+    "labelOverflowCount": "+{count, plural, one {# етикет} other {# етикети}}",
+    "accessLabelFilterClear": "Изчисти филтрите за етикети",
+    "accessFilterClear": "Изчистване на филтри",
+    "selectColor": "Изберете цвят",
+    "createNewLabel": "Създайте нов организационен етикет \"{label}\"",
    "inviteInvalidDescription": "Линкът към поканата е невалиден.",
    "inviteErrorWrongUser": "Поканата не е за този потребител",
    "inviteErrorUserNotExists": "Потребителят не съществува. Моля, създайте акаунт първо.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Ресурси",
    "sidebarProxyResources": "Публично",
    "sidebarClientResources": "Частно",
+    "sidebarPolicies": "Споделени политики",
+    "sidebarResourcePolicies": "Публични ресурси",
    "sidebarAccessControl": "Контрол на достъпа",
    "sidebarLogsAndAnalytics": "Дневници и анализи",
    "sidebarTeam": "Екип",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Администратор",
    "sidebarInvitations": "Покани",
    "sidebarRoles": "Роли",
-    "sidebarShareableLinks": "Връзки",
+    "sidebarShareableLinks": "Споделими връзки",
    "sidebarApiKeys": "API ключове",
    "sidebarProvisioning": "Осигуряване",
    "sidebarSettings": "Настройки",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Сайт {id}",
    "standaloneHcFilterResourceIdFallback": "Ресурс {id}",
    "blueprints": "Чертежи",
-    "blueprintsDescription": "Прилагайте декларативни конфигурации и преглеждайте предишни изпълнения",
+    "blueprintsLog": "Регистър на скицописи",
+    "blueprintsDescription": "Прегледайте съществуващите blueprint приложения и резултатите им или приложете нов blueprint",
    "blueprintAdd": "Добави Чертеж",
    "blueprintGoBack": "Виж всички Чертежи",
    "blueprintCreate": "Създай Чертеж",
@@ -1559,7 +1742,17 @@
    "contents": "Съдържание",
    "parsedContents": "Парсирано съдържание (само за четене)",
    "enableDockerSocket": "Активиране на Docker Чернова",
-    "enableDockerSocketDescription": "Активиране на Docker Socket маркировка за изтегляне на етикети на чернова. Пътят на гнездото трябва да бъде предоставен на Newt.",
+    "enableDockerSocketDescription": "Активирайте изтегляне с етикети на Docker Socket за скицописи. Пътят на гнездото трябва да бъде предоставен на конектора на сайта. Прочетете как работи това в <docsLink>документацията</docsLink>.",
+    "newtAutoUpdate": "Активиране на автоматично обновяване на сайта",
+    "newtAutoUpdateDescription": "Когато е активирана, свързочният възел на сайта автоматично ще изтегли последната версия и ще се рестартира сам. Това може да бъде преодоляно на ниво сайт.",
+    "siteAutoUpdate": "Автоматично обновяване на сайта",
+    "siteAutoUpdateLabel": "Активиране на автоматично обновяване",
+    "siteAutoUpdateDescription": "Когато е активирана, конекторът на този сайт автоматично ще изтегли последната версия и ще се рестартира сам.",
+    "siteAutoUpdateOrgDefault": "По подразбиране за организацията: {state}",
+    "siteAutoUpdateOverriding": "Преодоляване на настройката на организацията",
+    "siteAutoUpdateResetToOrg": "Възстановяване към организацията по подразбиране",
+    "siteAutoUpdateEnabled": "активиран",
+    "siteAutoUpdateDisabled": "деактивиран",
    "viewDockerContainers": "Преглед на Docker контейнери",
    "containersIn": "Контейнери в {siteName}",
    "selectContainerDescription": "Изберете контейнер, който да ползвате като име на хост за целта. Натиснете порт, за да ползвате порт",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Сертификат",
    "certificateStatusAutoRefreshHint": "Състоянието се опреснява автоматично.",
    "loading": "Зареждане",
+    "loadingEllipsis": "Зареждане...",
    "loadingAnalytics": "Зареждане на анализи",
    "restart": "Рестарт",
    "domains": "Домейни",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Настройката на профила завърши успешно! Добре дошли в Pangolin!",
    "documentation": "Документация",
    "saveAllSettings": "Запазване на всички настройки",
-    "saveResourceTargets": "Запазване на целеви ресурси.",
-    "saveResourceHttp": "Запазване на прокси настройките.",
-    "saveProxyProtocol": "Запазване на настройките на прокси протокола.",
+    "saveResourceTargets": "Запази Настройки",
+    "saveResourceHttp": "Запази Настройки",
+    "saveProxyProtocol": "Запази Настройки",
    "settingsUpdated": "Настройките са обновени",
    "settingsUpdatedDescription": "Настройките са успешно актуализирани.",
    "settingsErrorUpdate": "Неуспешно обновяване на настройките",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Управлявайте абонамента си за платени самостоятелно хоствани лицензионни ключове",
    "billingCurrentKeys": "Текущи ключове",
    "billingModifyCurrentPlan": "Промяна на текущия план",
+    "billingManageLicenseSubscriptionDescription": "Управление на вашия абонамент за платени самообслужвани лицензионни ключове и изтегляне на фактури.",
    "billingConfirmUpgrade": "Потвърдете повишаването",
    "billingConfirmDowngrade": "Потвърдете понижението",
    "billingConfirmUpgradeDescription": "Предстои ви да повишите плана си. Прегледайте новите ограничения и цени по-долу.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Неизвестен",
    "healthCheck": "Проверка на здравето",
    "configureHealthCheck": "Конфигуриране на проверка на здравето",
-    "configureHealthCheckDescription": "Настройте мониторинг на здравето за {target}",
+    "configureHealthCheckDescription": "Настройте мониторинг за вашия ресурс, за да се уверите, че винаги е на разположение",
    "enableHealthChecks": "Разрешаване на проверки на здравето",
    "healthCheckDisabledStateDescription": "Когато е деактивиран, сайтът не изпълнява проверки и състоянието се счита за неизвестно.",
    "enableHealthChecksDescription": "Мониторинг на здравето на тази цел. Можете да наблюдавате различен краен пункт от целта, ако е необходимо.",
    "healthScheme": "Метод",
    "healthSelectScheme": "Избор на метод",
-    "healthCheckPortInvalid": "Портът за проверка на състоянието трябва да е между 1 и 65535",
+    "healthCheckPortInvalid": "Портът трябва да бъде между 1 и 65535",
    "healthCheckPath": "Път",
    "healthHostname": "IP / Хост",
    "healthPort": "Порт",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Времето е в секунди",
    "requireDeviceApproval": "Изискват одобрение на устройства",
    "requireDeviceApprovalDescription": "Потребители с тази роля трябва да имат нови устройства одобрени от администратор преди да могат да се свържат и да имат достъп до ресурси.",
-    "sshAccess": "SSH достъп",
+    "sshSettings": "Настройки за SSH",
+    "sshAccess": "SSH Достъп",
+    "rdpSettings": "Настройки за RDP",
+    "vncSettings": "Настройки за VNC",
+    "sshServer": "SSH сървър",
+    "rdpServer": "RDP сървър",
+    "vncServer": "VNC сървър",
+    "sshServerDescription": "Настройте метода на идентификация, местоположението на демона и дестинацията на сървъра",
+    "rdpServerDescription": "Конфигуриране на дестинацията и порта на RDP сървъра",
+    "vncServerDescription": "Конфигуриране на дестинацията и порта на VNC сървъра",
+    "sshServerMode": "Режим",
+    "sshServerModeStandard": "Стандартен SSH сървър",
+    "sshServerModePangolin": "Панголиин SSH",
+    "sshServerModeStandardDescription": "Насочва командите към мрежата до SSH сървър, като например OpenSSH.",
+    "sshServerModeNative": "Нативен SSH сървър",
+    "sshServerModeNativeDescription": "Изпълнява команди директно на хоста чрез конектора на сайта. Не е необходима мрежова конфигурация.",
+    "sshAuthenticationMethod": "Метод на идентификация",
+    "sshAuthMethodManual": "Ръчна идентификация",
+    "sshAuthMethodManualDescription": "Изисква съществуващи идентификационни данни за хоста. Пропуска автоматичното осигуряване.",
+    "sshAuthMethodAutomated": "Автоматично осигуряване",
+    "sshAuthMethodAutomatedDescription": "Създава автоматично потребители, групи и sudo разрешения на хоста.",
+    "sshAuthDaemonLocation": "Местоположение на демона за идентификация",
+    "sshDaemonLocationSiteDescription": "Изпълнява се локално на машината, която хоства конектора на сайта.",
+    "sshDaemonLocationRemote": "На отдалечен хост",
+    "sshDaemonLocationRemoteDescription": "Изпълнява се на отделна целева машина в същата мрежа.",
+    "sshDaemonDisclaimer": "Уверете се, че вашата целева хост машина е правилно конфигурирана за изпълнение на демона за идентификация преди завършване на тази настройка, в противен случай осигуряването ще се провали.",
+    "sshDaemonPort": "Порт на демона",
+    "sshServerDestination": "Дестинация на сървъра",
+    "sshServerDestinationDescription": "Конфигурирайте дестинацията на SSH сървъра",
+    "destination": "Дестинация",
+    "destinationRequired": "Дестинацията е необходима.",
+    "domainRequired": "Домейнът е необходим.",
+    "proxyPortRequired": "Портът е необходим.",
+    "invalidPathConfiguration": "Невалидна конфигурация на пътя.",
+    "invalidRewritePathConfiguration": "Невалидна конфигурация на пренаписване на пътя.",
+    "bgTargetMultiSiteDisclaimer": "Избиране на множество сайтове позволява устойчиво маршрутизиране и сокетно превключване за висока наличност.",
    "roleAllowSsh": "Разреши SSH",
    "roleAllowSshAllow": "Разреши",
    "roleAllowSshDisallow": "Забрани",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Потребителят може да изпълнява само определени команди с sudo.",
    "sshSudo": "Разреши sudo",
    "sshSudoCommands": "Sudo команди",
-    "sshSudoCommandsDescription": "Списък, разделен със запетаи, с команди, които потребителят е позволено да изпълнява с sudo.",
+    "sshSudoCommandsDescription": "Списък с команди, които потребителят има право да изпълнява със sudo, разделени със запетаи, интервали или нови редове. Необходимо е да се използват абсолютни пътища.",
    "sshCreateHomeDir": "Създай начална директория",
    "sshUnixGroups": "Unix групи",
-    "sshUnixGroupsDescription": "Списък, разделен със запетаи, с Unix групи, към които да се добави потребителят на целевия хост.",
+    "sshUnixGroupsDescription": "Unix групи, за добавяне на потребителя на целевия хост, разделени със запетаи, интервали или нови редове.",
+    "roleTextFieldPlaceholder": "Въведете стойности или пуснете .txt или .csv файл",
+    "roleTextImportTitle": "Импортиране от файл",
+    "roleTextImportDescription": "Импортиране на {fileName} в {fieldLabel}.",
+    "roleTextImportSkipHeader": "Пропускане на първи ред (заглавие)",
+    "roleTextImportOverride": "Заместване на съществуващите",
+    "roleTextImportAppend": "Добавяне към съществуващите",
+    "roleTextImportMode": "Режим на импортиране",
+    "roleTextImportPreview": "Преглед",
+    "roleTextImportItemCount": "{count, plural, =0 {Няма артикули за импортиране} one {1 артикул за импортиране} other {# артикули за импортиране}}",
+    "roleTextImportTotalCount": "{existing} съществуващи + {imported} импортирани = {total} общо",
+    "roleTextImportConfirm": "Импортиране",
+    "roleTextImportInvalidFile": "Неподдържан тип файл",
+    "roleTextImportInvalidFileDescription": "Само .txt и .csv файлове са поддържани.",
+    "roleTextImportEmpty": "Няма намерени елементи във файла",
+    "roleTextImportEmptyDescription": "Файлът не съдържа подлежащи на импортиране елементи.",
    "retryAttempts": "Опити за повторно",
    "expectedResponseCodes": "Очаквани кодове за отговор",
    "expectedResponseCodesDescription": "HTTP статус код, указващ здравословно състояние. Ако бъде оставено празно, между 200-300 се счита за здравословно.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Метод",
-    "editInternalResourceDialogEnableSsl": "Активирайте SSL",
+    "editInternalResourceDialogEnableSsl": "Активиране на TLS",
    "editInternalResourceDialogEnableSslDescription": "Активирайте SSL/TLS криптиране за сигурни HTTPS връзки към целта.",
    "editInternalResourceDialogDestination": "Дестинация",
    "editInternalResourceDialogDestinationHostDescription": "IP адресът или името на хоста на ресурса в мрежата на сайта.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Метод",
    "createInternalResourceDialogScheme": "Метод",
-    "createInternalResourceDialogEnableSsl": "Активирайте SSL",
+    "createInternalResourceDialogEnableSsl": "Активиране на TLS",
    "createInternalResourceDialogEnableSslDescription": "Активирайте SSL/TLS криптиране за сигурни HTTPS връзки към целта.",
    "createInternalResourceDialogDestination": "Дестинация",
    "createInternalResourceDialogDestinationHostDescription": "IP адресът или името на хоста на ресурса в мрежата на сайта.",
@@ -2217,7 +2464,7 @@
        "description": "По-надежден и по-нисък поддръжка на Самостоятелно-хостван Панголиин сървър с допълнителни екстри",
        "introTitle": "Управлявано Самостоятелно-хостван Панголиин",
        "introDescription": "е опция за внедряване, предназначена за хора, които искат простота и допълнителна надеждност, като същевременно запазят данните си частни и самостоятелно-хоствани.",
-        "introDetail": "С тази опция все още управлявате свой собствен Панголиин възел - вашите тунели, SSL терминатора и трафик остават на вашия сървър. Разликата е, че управлението и мониторингът се обработват чрез нашия облачен панел за контрол, който отключва редица предимства:",
+        "introDetail": "С тази опция все още управлявате свой собствен възел на Панголиин - вашите тунели, SSL прекратяване и трафик остават на вашия сървър. Разликата е, че управлението и мониторингът се обработват чрез нашия облачен панел, който отключва редица предимства:",
        "benefitSimplerOperations": {
            "title": "По-прости операции",
            "description": "Няма нужда да управлявате свой собствен имейл сървър или да настройвате сложни аларми. Ще получите проверки и предупреждения при прекъсване от самото начало."
@@ -2652,6 +2899,8 @@
    "validPassword": "Валидна парола",
    "validEmail": "Валиден имейл",
    "validSSO": "Валидно SSO",
+    "view": "Преглед",
+    "configManaged": "Управлявана конфигурация",
    "connectedClient": "Свързан клиент",
    "resourceBlocked": "Блокирани ресурси",
    "droppedByRule": "Прекратено от правило",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Активирайте прокси протокола",
    "proxyProtocolInfo": "Запазете IP адресите на клиентите за TCP бекендове",
    "proxyProtocolVersion": "Версия на прокси протокола",
-    "version1": "Версия 1 (Препоръчително)",
+    "version1": "Версия 1 (Препоръчана)",
    "version2": "Версия 2",
-    "versionDescription": "Версия 1 е текстово-базирана и широко поддържана. Версия 2 е бърна и по-ефективна, но по-малко съвместима.",
+    "version1Description": "Текстово-базирана и широко поддържана. Уверете се, че транспортът на сървърите е добавен към динамичната конфигурация.",
+    "version2Description": "Двоична и по-ефективна, но по-малко съвместима. Уверете се, че транспортът на сървърите е добавен към динамичната конфигурация.",
    "warning": "Предупреждение",
    "proxyProtocolWarning": "Вашето бекенд приложение трябва да бъде конфигурирано да приема прокси протоколни връзки. Ако вашият бекенд не поддържа прокси протокол, активирането му ще прекъсне всички връзки. Уверете се, че сте конфигурирали вашия бекенд да се доверява на заглавията на прокси протокола от Traefik.",
    "restarting": "Рестартиране...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Въведете потвърждение.",
    "blueprintViewDetails": "Подробности.",
    "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
-    "defaultIdentityProviderDescription": "Когато е избран основен доставчик на идентичност, потребителят ще бъде автоматично пренасочен към доставчика за удостоверяване.",
+    "defaultIdentityProviderDescription": "Потребителят автоматично ще бъде пренасочен към този удостоверител за удостоверяване.",
    "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
    "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
    "editInternalResourceDialogAddRoles": "Добавяне на роли.",
@@ -2919,11 +3169,12 @@
    "learnMore": "Научете повече.",
    "backToHome": "Връщане към началната страница.",
    "needToSignInToOrg": "Трябва ли да използвате доставчика на идентичност на организацията си?",
-    "maintenanceMode": "Режим на поддръжка.",
+    "maintenanceMode": "Страница за поддръжка",
    "maintenanceModeDescription": "Показване на страницата за поддръжка на посетители.",
    "maintenanceModeType": "Тип режим на поддръжка.",
    "showMaintenancePage": "Показване на страницата за поддръжка на посетители.",
    "enableMaintenanceMode": "Активиране на режим на поддръжка.",
+    "enableMaintenanceModeDescription": "При включване, посетителите ще виждат страница за поддръжка вместо вашия ресурс.",
    "automatic": "Автоматично.",
    "automaticModeDescription": "Показване на страницата за поддръжка само когато всички целеви подсистеми са неработоспособни или в лошо състояние. Вашият ресурс продължава да работи нормално, докато поне един целеви подсистемен елемент е в здравия диапазон.",
    "forced": "Наложително.",
@@ -2931,6 +3182,8 @@
    "warning:": "Предупреждение:",
    "forcedeModeWarning": "Целият трафик ще бъде пренасочен към страницата за поддръжка. Вашите подсистемни ресурси няма да получат никакви заявки.",
    "pageTitle": "Заглавие на страницата.",
+    "maintenancePageContentSubsection": "Съдържание на страницата",
+    "maintenancePageContentSubsectionDescription": "Персонализирайте съдържанието, показвано на страницата за поддръжка",
    "pageTitleDescription": "Основното заглавие, показвано на страницата за поддръжка.",
    "maintenancePageMessage": "Съобщение за поддръжка.",
    "maintenancePageMessagePlaceholder": "Ще се върнем скоро! Нашият сайт понастоящем е в процес на планирана поддръжка.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Прогнозно завършване:",
    "createInternalResourceDialogDestinationRequired": "Дестинацията е задължителна.",
    "available": "Налично",
+    "disabledResourceDescription": "Когато е деактивиран, ресурсът ще бъде недостъпен от всеки.",
    "archived": "Архивирано",
    "noArchivedDevices": "Не са намерени архивирани устройства.",
    "deviceArchived": "Устройството е архивирано.",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Пресочвайте събития директно към вашият акаунт в Datadog. Очаквайте скоро.",
    "streamingTypePickerDescription": "Изберете вид на дестинацията, за да започнете.",
-    "streamingFailedToLoad": "Неуспешно зареждане на дестинации",
+    "streamingLastSyncError": "Възникна грешка при последната синхронизация",
    "streamingUnexpectedError": "Възникна неочаквана грешка.",
    "streamingFailedToUpdate": "Неуспешно актуализиране на дестинация",
    "streamingDeletedSuccess": "Дестинацията беше изтрита успешно",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Редактиране на дестинацията",
    "S3DestAddTitle": "Добавете S3 дестинация",
    "S3DestEditDescription": "Актуализирайте конфигурацията за тази S3 дестинация за предаване на събития.",
-    "S3DestAddDescription": "Конфигурирайте нов крайна точка на S3, за да получавате събития на вашата организация.",
+    "S3DestAddDescription": "Конфигурирайте ново хранилище Amazon S3 (или съвместимо с S3), за да получавате събития на вашата организация.",
+    "s3DestTabSettings": "Настройки",
+    "s3DestTabFormat": "Формат",
+    "s3DestNameLabel": "Име",
+    "s3DestNamePlaceholder": "Моята S3 дестинация",
+    "s3DestAccessKeyIdLabel": "Идентификатор на достъп за AWS Key ID",
+    "s3DestSecretAccessKeyLabel": "Тайният ключ за достъп на AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Вашият таен ключ за достъп за AWS",
+    "s3DestRegionLabel": "AWS Регион",
+    "s3DestBucketLabel": "Име на хранилище",
+    "s3DestPrefixLabel": "Префикс на ключ (по избор)",
+    "s3DestPrefixDescription": "По избор пътеводен префикс, добавен към всеки обектен ключ. Обектите се съхраняват в {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Потребителски крайна точка (по избор)",
+    "s3DestEndpointDescription": "Заместете крайната точка на S3 за съвместимо с S3 хранилище като MinIO или Cloudflare R2. Оставете празно за стандартното AWS S3.",
+    "s3DestGzipLabel": "Gzip компресия",
+    "s3DestGzipDescription": "Компресирайте всеки качен обект с gzip. Намалява разходите за съхранение и размера на качването.",
+    "s3DestFormatTitle": "Формат на файл",
+    "s3DestFormatDescription": "Как събитията са сериализирани вътре във всеки качен обект.",
+    "s3DestFormatJsonArrayDescription": "Всеки обект е JSON масив от записи на събития. Съвместим с повечето аналитични инструменти.",
+    "s3DestFormatNdjsonDescription": "Всеки обект съдържа един JSON запис на ред (форматиран JSON с нов ред). Съвместим с Athena, BigQuery и Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Всеки обект е RFC-4180 CSV файл с ред заглавие. Имената на колоните са извлечени от полетата на данните за събитията.",
+    "s3DestSaveChanges": "Запази промените",
+    "s3DestCreateDestination": "Създаване на дестинация",
+    "s3DestUpdatedSuccess": "Дестинацията е актуализирана успешно",
+    "s3DestCreatedSuccess": "Дестинацията е създадена успешно",
+    "s3DestUpdateFailed": "Неуспешно актуализиране на дестинацията",
+    "s3DestCreateFailed": "Неуспешно създаване на дестинация",
    "datadogDestEditTitle": "Редактиране на дестинация",
    "datadogDestAddTitle": "Добавяне на Datadog дестинация",
    "datadogDestEditDescription": "Актуализирайте конфигурацията за тази Datadog дестинация за предаване на събития.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Сигурни ли сте, че искате да отвържете този доставчик на самоличност от тази организация?",
    "idpUnassociateDescription": "Всички потребители, свързани с този доставчик на самоличност, ще бъдат премахнати от тази организация, но доставчика на самоличност ще продължи да съществува за други свързани организации.",
    "idpUnassociateConfirm": "Потвърдете отвързване на доставчика на самоличност",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "ИЗТРИВАНЕ И ПРЕМАХВАНЕ МЕ ОТ ОРГ",
+    "idpUnassociateAndRemoveMeFromOrg": "ОДЕЛЯНЕ И ПРЕМАХВАНЕ МЕ ОТ ОРГ",
    "idpUnassociateWarning": "Това не може да бъде отменено за тази организация.",
    "idpUnassociatedDescription": "Доставчика на самоличност е успешно отвързан от тази организация",
    "idpUnassociateMenu": "Отвързване",
@@ -3174,7 +3457,7 @@
    "publicIpEndpoint": "Крайна точка",
    "lastTriggeredAt": "Последен тригер",
    "reject": "Отхвърляне",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "преди {count} дни",
    "uptimeToday": "Днес",
    "uptimeNoDataAvailable": "Няма налични данни",
    "uptimeSuffix": "време без прекъсване",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Ресурсът е деактивиран",
    "memberPortalShowingResources": "Показва {start}-{end} от {total} ресурси",
    "memberPortalPrevious": "Предишен",
-    "memberPortalNext": "Следващ"
+    "memberPortalNext": "Следващ",
+    "httpSettings": "HTTP настройки",
+    "tcpSettings": "TCP настройки",
+    "udpSettings": "UDP настройки",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Установяване на защитена връзка…",
+    "sshConnecting": "Свързване…",
+    "sshInitializing": "Инициализиране…",
+    "sshSignInTitle": "Вход в SSH",
+    "sshSignInDescription": "Въведете вашите SSH данни за свързване",
+    "sshPasswordTab": "Парола",
+    "sshPrivateKeyTab": "Частен ключ",
+    "sshPrivateKeyField": "Частен ключ",
+    "sshPrivateKeyDisclaimer": "Частният ви ключ не се съхранява или видима за Панголиин. Като алтернатива, можете да използвате краткотрайни сертификати за безпроблемна автентикация с вашата съществуваща идентичност в Панголиин.",
+    "sshLearnMore": "Научете повече",
+    "sshPrivateKeyFile": "Файл с частен ключ",
+    "sshAuthenticate": "Свързване",
+    "sshTerminate": "Прекратяване",
+    "sshPoweredBy": "Подпомогнато от",
+    "sshErrorNoTarget": "Няма посочена цел",
+    "sshErrorWebSocket": "Неуспешно създаване на WebSocket връзка",
+    "sshErrorAuthFailed": "Неуспешна идентификация",
+    "sshErrorConnectionClosed": "Връзката е затворена преди завършване на идентификацията",
+    "sitePangolinSshDescription": "Позволете SSH достъп до ресурси на този сайт. Това може да бъде променено по-късно.",
+    "browserGatewayNoResourceForDomain": "Не е намерен ресурс за този домейн",
+    "browserGatewayNoTarget": "Няма цел",
+    "browserGatewayConnect": "Свързване",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Неуспешно подписване на SSH ключ за PAM push удостоверяване. Вписахте ли се като потребител?",
+    "sshTerminalError": "Грешка: {error}",
+    "sshConnectionClosedCode": "Връзката е затворена (код {code})",
+    "sshPrivateKeyPlaceholder": "-----НАЧАЛО НА OPENSSH ЧАСТЕН КЛЮЧ-----",
+    "sshPrivateKeyRequired": "Изисква се частен ключ",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Въведете вашата VNC парола за свързване",
+    "vncPasswordOptional": "Парола (по избор)",
+    "vncNoResourceTarget": "Не е налична цел за ресурса",
+    "vncFailedToLoadNovnc": "Неуспешно зареждане на noVNC",
+    "vncAuthFailedStatus": "Статус {status}",
+    "vncPasteClipboard": "Поставяне на клепач",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Вписване в Отдалечен Работен Плот",
+    "rdpSignInDescription": "Въведете данните за вашата Windows, за да се свържете",
+    "rdpLoadingModule": "Зареждане на модул...",
+    "rdpFailedToLoadModule": "Неуспешно зареждане на RDP модул",
+    "rdpNotReady": "Не е готов",
+    "rdpModuleInitializing": "RDP модулът все още се инициализира",
+    "rdpDownloadingFiles": "Изтегляне на {count} файл/файлове от отдалечено...",
+    "rdpDownloadFailed": "Изтеглянето е неуспешно: {fileName}",
+    "rdpUploaded": "Качено: {fileName}",
+    "rdpNoConnectionTarget": "Няма налична цел за свързване",
+    "rdpConnectionFailed": "Връзката неуспешна",
+    "rdpFit": "Напасване",
+    "rdpFull": "Пълен",
+    "rdpReal": "Реален",
+    "rdpMeta": "Мета",
+    "rdpUploadFiles": "Качване на файловете",
+    "rdpFilesReadyToPaste": "Файлове готови за поставяне",
+    "rdpFilesReadyToPasteDescription": "{count} файл(ове) копирани в отдалечения клипборд — натиснете Ctrl+V на отдалечения работен плот за поставяне.",
+    "rdpUploadFailed": "Качването неуспешно",
+    "rdpUnicodeKeyboardMode": "Режим на unicode клавиатура",
+    "sessionToolbarShow": "Показване на лентата с инструменти",
+    "sessionToolbarHide": "Скриване на лентата с инструменти"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Zobrazit soukromé zdroje",
    "siteInstallNewt": "Nainstalovat Newt",
    "siteInstallNewtDescription": "Spustit Newt na vašem systému",
+    "siteInstallKubernetesDocsDescription": "Pro více aktuálních informací o instalaci Kubernetes navštivte <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Pro pokyny k instalaci modemu Advantech navštivte <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Konfigurace WireGuard",
    "WgConfigurationDescription": "K připojení k síti použijte následující konfiguraci",
    "operatingSystem": "Operační systém",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Toto nastavení uvidíte pouze jednou. Ujistěte se, že jej zkopírujete na bezpečné místo.",
    "siteInfo": "Údaje o lokalitě",
    "status": "Stav",
-    "shareTitle": "Spravovat sdílení odkazů",
+    "shareTitle": "Spravovat sdílné odkazy",
    "shareDescription": "Vytvořit sdílitelné odkazy pro udělení dočasného nebo trvalého přístupu ke zdrojům proxy",
-    "shareSearch": "Hledat sdílené odkazy...",
-    "shareCreate": "Vytvořit odkaz",
+    "shareSearch": "Hledat sdílné odkazy...",
+    "shareCreate": "Vytvořit sdílný odkaz",
    "shareErrorDelete": "Nepodařilo se odstranit odkaz",
    "shareErrorDeleteMessage": "Došlo k chybě při odstraňování odkazu",
    "shareDeleted": "Odkaz odstraněn",
    "shareDeletedDescription": "Odkaz byl odstraněn",
+    "shareDelete": "Odstranit sdílný odkaz",
+    "shareDeleteConfirm": "Potvrdit odstranění sdílného odkazu",
+    "shareQuestionRemove": "Jste si jisti, že chcete smazat tento odkaz ke sdílení?",
+    "shareMessageRemove": "Jakmile bude smazán, odkaz přestane fungovat a všichni, kdo jej používají, ztratí přístup k prostředku.",
    "shareTokenDescription": "Přístupový token může být předán dvěma způsoby: jako parametr dotazu nebo v záhlaví požadavku. Tyto údaje musí být předány klientovi na každé žádosti o ověřený přístup.",
    "accessToken": "Přístupový token",
    "usageExamples": "Příklady použití",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Při vytváření odkazu došlo k chybě",
    "shareCreateDescription": "Kdokoliv s tímto odkazem může přistupovat ke zdroji",
    "shareTitleOptional": "Název (volitelné)",
+    "sharePathOptional": "Cesta (volitelně)",
+    "sharePathDescription": "Odkaz přesměruje uživatele na tuto cestu po autentikaci.",
    "expireIn": "Platnost vyprší za",
    "neverExpire": "Nikdy nevyprší",
    "shareExpireDescription": "Doba platnosti určuje, jak dlouho bude odkaz použitelný a bude poskytovat přístup ke zdroji. Po této době odkaz již nebude fungovat a uživatelé kteří tento odkaz používali ztratí přístup ke zdroji.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Zvolte prosím zdroj",
    "proxyResourceTitle": "Spravovat veřejné zdroje",
    "proxyResourceDescription": "Vytváření a správa zdrojů, které jsou veřejně přístupné prostřednictvím webového prohlížeče",
-    "proxyResourcesBannerTitle": "Veřejný přístup založený na webu",
-    "proxyResourcesBannerDescription": "Veřejné prostředky jsou HTTPS nebo TCP/UDP proxy, které jsou přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
+    "publicResourcesBannerTitle": "Webové Veřejné Přístupy",
+    "publicResourcesBannerDescription": "Veřejné prostředky jsou HTTPS proxy přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
    "clientResourceTitle": "Spravovat soukromé zdroje",
    "clientResourceDescription": "Vytváření a správa zdrojů, které jsou přístupné pouze prostřednictvím připojeného klienta",
    "privateResourcesBannerTitle": "Zero-Trust soukromý přístup",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Prohledat zdroje...",
    "resourceAdd": "Přidat zdroj",
    "resourceErrorDelte": "Chyba při odstraňování zdroje",
+    "resourcePoliciesBannerTitle": "Opětovné použití pravidel pro autentifikaci a přístup",
+    "resourcePoliciesBannerDescription": "Sdílené politiky zdrojů vám umožňují definovat metody autentifikace a přístupová pravidla jednou, poté je připojit k více veřejným zdrojům. Při aktualizaci politiky každý propojený zdroj automaticky dědí změnu.",
+    "resourcePoliciesBannerButtonText": "Zjistit více",
+    "resourcePoliciesTitle": "Správa Veřejných Zásad Zdrojů",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Zdroje",
+    "resourcePoliciesAttachedResources": "{count} zdroj(e/ů)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# zdroj} few {# zdroje} many {# zdrojů} other {# zdrojů}}",
+    "resourcePoliciesAttachedResourcesEmpty": "žádné zdroje",
+    "resourcePoliciesDescription": "Vytvořte a spravujte zásady autentifikace pro řízení přístupu k vašim veřejným zdrojům",
+    "resourcePoliciesSearch": "Hledat zásady...",
+    "resourcePoliciesAdd": "Přidat zásadu",
+    "resourcePoliciesDefaultBadgeText": "Výchozí zásada",
+    "resourcePoliciesCreate": "Vytvořit Veřejnou Zásadu Zdroje",
+    "resourcePoliciesCreateDescription": "Postupujte podle následujících kroků k vytvoření nové zásady",
+    "resourcePolicyName": "Název zásady",
+    "resourcePolicyNameDescription": "Pojmenujte tuto zásadu, aby byla rozpoznatelná napříč vašimi zdroji",
+    "resourcePolicyNamePlaceholder": "např. Zásada interního přístupu",
+    "resourcePoliciesSeeAll": "Zobrazit všechny zásady",
+    "resourcePolicyAuthMethodAdd": "Přidat metodu ověřování",
+    "resourcePolicyOtpEmailAdd": "Přidat OTP emaily",
+    "resourcePolicyRulesAdd": "Přidat pravidla",
+    "resourcePolicyAuthMethodsDescription": "Povolit přístup ke zdrojům prostřednictvím dodatečných metod ověřování",
+    "resourcePolicyUsersRolesDescription": "Nakonfigurujte, kteří uživatelé a role mohou navštívit připojené zdroje",
+    "rulesResourcePolicyDescription": "Nakonfigurujte pravidla k řízení přístupu ke zdrojům spojeným s touto zásadou",
    "authentication": "Autentifikace",
    "protected": "Chráněno",
    "notProtected": "Nechráněno",
    "resourceMessageRemove": "Jakmile zdroj odstraníte, nebude dostupný. Všechny související služby a cíle budou také odstraněny.",
    "resourceQuestionRemove": "Jste si jisti, že chcete odstranit zdroj z organizace?",
+    "resourcePolicyMessageRemove": "Jakmile je zásada odstraněna, ke zdroji již nebude možný přístup. Všechny související zdroje budou odpojeny a zůstanou bez ověření.",
+    "resourcePolicyQuestionRemove": "Jste si jisti, že chcete odstranit zásadu zdroje z organizace?",
    "resourceHTTP": "Zdroj HTTPS",
    "resourceHTTPDescription": "Proxy požadavky přes HTTPS pomocí plně kvalifikovaného názvu domény.",
    "resourceRaw": "Surový TCP/UDP zdroj",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Proxy požadavky na syrové TCP/UDP pomocí čísla portu. Vyžaduje připojení stránek ke vzdálenému uzlu.",
    "resourceCreate": "Vytvořit zdroj",
    "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
+    "resourceCreateGeneralDescription": "Konfigurace základních nastavení zdroje včetně názvu a typu",
    "resourceSeeAll": "Zobrazit všechny zdroje",
-    "resourceInfo": "Informace o zdroji",
+    "resourceCreateGeneral": "Obecné",
    "resourceNameDescription": "Toto je zobrazovaný název zdroje.",
    "siteSelect": "Vybrat lokalitu",
    "siteSearch": "Hledat lokalitu",
@@ -227,12 +262,15 @@
    "noCountryFound": "Nebyla nalezena žádná země.",
    "siteSelectionDescription": "Tato lokalita poskytne připojení k cíli.",
    "resourceType": "Typ zdroje",
-    "resourceTypeDescription": "Určete, jak přistupovat ke zdroji",
+    "resourceTypeDescription": "Toto určuje protokol zdroje a jak bude zobrazen v prohlížeči. Později to nelze změnit.",
+    "resourceDomainDescription": "Zdroji bude obsluhován tento plně kvalifikovaný doménový název.",
    "resourceHTTPSSettings": "Nastavení HTTPS",
    "resourceHTTPSSettingsDescription": "Nakonfigurujte, jak bude dokument přístupný přes HTTPS",
+    "resourcePortDescription": "Externí port na instanci nebo uzlu Pangolin, kde bude zdroj dostupný.",
    "domainType": "Typ domény",
    "subdomain": "Subdoména",
    "baseDomain": "Základní doména",
+    "configure": "Konfigurovat",
    "subdomnainDescription": "Subdoména, kde bude zdroj přístupný.",
    "resourceRawSettings": "Nastavení TCP/UDP",
    "resourceRawSettingsDescription": "Nakonfigurujte, jak bude dokument přístupný přes TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Zpět",
    "cancel": "Zrušit",
    "resourceConfig": "Konfigurační snippety",
-    "resourceConfigDescription": "Zkopírujte a vložte tyto konfigurační textové bloky pro nastavení TCP/UDP zdroje",
+    "resourceConfigDescription": "Zkopírujte a vložte tyto konfigurační úryvky pro nastavení TCP/UDP zdroje.",
    "resourceAddEntrypoints": "Traefik: Přidat vstupní body",
    "resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
    "resourceLearnRaw": "Naučte se konfigurovat zdroje TCP/UDP",
    "resourceBack": "Zpět na zdroje",
    "resourceGoTo": "Přejít na dokument",
+    "resourcePolicyDelete": "Smazat zásadu zdroje",
+    "resourcePolicyDeleteConfirm": "Potvrdit smazání zásady zdroje",
    "resourceDelete": "Odstranit dokument",
    "resourceDeleteConfirm": "Potvrdit odstranění dokumentu",
+    "labelDelete": "Smazat štítek",
+    "labelAdd": "Přidat štítek",
+    "labelCreateSuccessMessage": "Štítek byl úspěšně vytvořen",
+    "labelDuplicateError": "Duplikátní štítek",
+    "labelDuplicateErrorDescription": "Štítek s tímto názvem již existuje.",
+    "labelEditSuccessMessage": "Štítek byl úspěšně změněn",
+    "labelNameField": "Název štítku",
+    "labelColorField": "Barva štítku",
+    "labelPlaceholder": "Př. domací laboratoř",
+    "labelCreate": "Vytvořit štítek",
+    "createLabelDialogTitle": "Vytvořit štítek",
+    "createLabelDialogDescription": "Vytvořte nový štítek, který může být přiřazen této organizaci",
+    "labelEdit": "Upravit štítek",
+    "editLabelDialogTitle": "Aktualizovat štítek",
+    "editLabelDialogDescription": "Upravte nový štítek, který může být přiřazen této organizaci",
+    "labelDeleteConfirm": "Potvrdit smazání štítku",
+    "labelErrorDelete": "Nepodařilo se smazat štítek",
+    "labelMessageRemove": "Tato akce je trvalá. Všechny weby, zdroje a klienti označeni tímto štítkem budou neoznačeni.",
+    "labelQuestionRemove": "Jste si jisti, že chcete odebrat štítek z organizace?",
    "visibility": "Viditelnost",
    "enabled": "Povoleno",
    "disabled": "Zakázáno",
@@ -261,6 +320,8 @@
    "rules": "Pravidla",
    "resourceSettingDescription": "Konfigurace nastavení na zdroji",
    "resourceSetting": "Nastavení {resourceName}",
+    "resourcePolicySettingDescription": "Konfigurujte nastavení této veřejné zásady zdrojů",
+    "resourcePolicySetting": "Nastavení {policyName}",
    "alwaysAllow": "Obejít Auth",
    "alwaysDeny": "Blokovat přístup",
    "passToAuth": "Předat k ověření",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Po odstranění tohoto uživatele již nebude mít přístup k organizaci. Vždy je můžete znovu pozvat později, ale budou muset pozvání znovu přijmout.",
    "userRemoveOrgConfirm": "Potvrdit odebrání uživatele",
    "userRemoveOrg": "Odebrat uživatele z organizace",
+    "userQuestionOrgRemoveSelf": "Jste si jisti, že se chcete odstranit z této organizace?",
+    "userMessageOrgRemoveSelf": "Okamžitě ztratíte přístup. Administrátor vás může později znovu pozvat, ale budete muset přijmout nové pozvání.",
+    "userRemoveOrgConfirmSelf": "Potvrdit odstranění sebe",
+    "userRemoveOrgSelf": "Odstranit se z organizace",
+    "userRemoveOrgSelfWarning": "Okamžitě ztratíte přístup k této organizaci.",
+    "userRemoveOrgConfirmPhraseSelf": "ODSTRANIT SE Z ORGANIZACE",
    "users": "Uživatelé",
    "accessRoleMember": "Člen",
    "accessRoleOwner": "Vlastník",
@@ -531,6 +598,11 @@
    "emailInvalid": "Neplatná e-mailová adresa",
    "inviteValidityDuration": "Zvolte prosím dobu trvání",
    "accessRoleSelectPlease": "Vyberte prosím roli",
+    "removeOwnAdminRoleConfirmTitle": "Odebrat přístup správce?",
+    "removeOwnAdminRoleConfirmDescription": "Po uložení již nebudete mít oprávnění správce v této organizaci. Další administrátor vám může přístup obnovit, pokud bude potřeba.",
+    "removeOwnAdminRoleConfirmButton": "Odebrat mé administrátorské oprávnění",
+    "removeOwnAdminRoleConfirmPhrase": "ODEBRAT MÉ ADMINISTRÁTORSKÉ OPRÁVNĚNÍ",
+    "ownerMustRetainAdminRole": "Vlastník organizace musí zachovat alespoň jednu roli správce.",
    "usernameRequired": "Uživatelské jméno je povinné",
    "idpSelectPlease": "Vyberte poskytovatele identity",
    "idpGenericOidc": "Generic OAuth2/OIDC provider.",
@@ -615,7 +687,7 @@
    "createdAt": "Vytvořeno v",
    "proxyErrorInvalidHeader": "Neplatná hodnota hlavičky hostitele. Použijte formát názvu domény, nebo uložte prázdné pro zrušení vlastního hlavičky hostitele.",
    "proxyErrorTls": "Neplatné jméno TLS serveru. Použijte formát doménového jména nebo uložte prázdné pro odstranění názvu TLS serveru.",
-    "proxyEnableSSL": "Povolit SSL",
+    "proxyEnableSSL": "Povolit TLS",
    "proxyEnableSSLDescription": "Povolit šifrování SSL/TLS pro zabezpečená připojení HTTPS k cílům.",
    "target": "Target",
    "configureTarget": "Konfigurace cílů",
@@ -656,8 +728,9 @@
    "targetSubmit": "Add Target",
    "targetNoOne": "Tento zdroj nemá žádné cíle. Přidejte cíl pro konfiguraci kam poslat žádosti na backend.",
    "targetNoOneDescription": "Přidáním více než jednoho cíle se umožní vyvážení zatížení.",
-    "targetsSubmit": "Uložit cíle",
+    "targetsSubmit": "Uložit Nastavení",
    "addTarget": "Add Target",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round robin routing nebude fungovat mezi lokalitami, které nejsou připojeny ke stejnému uzlu, ale failover bude fungovat.",
    "targetErrorInvalidIp": "Neplatná IP adresa",
    "targetErrorInvalidIpDescription": "Zadejte prosím platnou IP adresu nebo název hostitele",
    "targetErrorInvalidPort": "Neplatný port",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Duplikovat pravidlo",
    "rulesErrorDuplicateDescription": "Pravidlo s těmito nastaveními již existuje",
    "rulesErrorInvalidIpAddressRange": "Neplatný CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Zadejte prosím platnou hodnotu CIDR",
-    "rulesErrorInvalidUrl": "Neplatná URL cesta",
-    "rulesErrorInvalidUrlDescription": "Zadejte platnou hodnotu URL cesty",
+    "rulesErrorInvalidIpAddressRangeDescription": "Zadejte platný rozsah CIDR (např. 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Neplatná cesta",
+    "rulesErrorInvalidUrlDescription": "Zadejte platnou URL cestu nebo vzor (např. /api/*).",
    "rulesErrorInvalidIpAddress": "Neplatná IP adresa",
-    "rulesErrorInvalidIpAddressDescription": "Zadejte prosím platnou IP adresu",
+    "rulesErrorInvalidIpAddressDescription": "Zadejte platnou IPv4 nebo IPv6 adresu.",
    "rulesErrorUpdate": "Aktualizace pravidel se nezdařila",
    "rulesErrorUpdateDescription": "Při aktualizaci pravidel došlo k chybě",
    "rulesUpdated": "Povolit pravidla",
@@ -701,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Zadejte adresu ve formátu CIDR (např. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Zadejte IP adresu (např. 103.21.244.12)",
    "rulesMatchUrl": "Zadejte URL cestu nebo vzor (např. /api/v1/todos nebo /api/v1/*)",
-    "rulesErrorInvalidPriority": "Neplatná Priorita",
-    "rulesErrorInvalidPriorityDescription": "Zadejte prosím platnou prioritu",
-    "rulesErrorDuplicatePriority": "Duplikovat priority",
-    "rulesErrorDuplicatePriorityDescription": "Zadejte prosím unikátní priority",
+    "rulesErrorInvalidPriority": "Neplatná priorita",
+    "rulesErrorInvalidPriorityDescription": "Zadejte celé číslo 1 nebo vyšší.",
+    "rulesErrorDuplicatePriority": "Duplicitní priority",
+    "rulesErrorDuplicatePriorityDescription": "Každé pravidlo musí mít unikátní číslo priority.",
+    "rulesErrorValidation": "Neplatná pravidla",
+    "rulesErrorValidationRuleDescription": "Pravidlo {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Vyberte platný typ shody (cesta, IP, CIDR, země, oblast nebo ASN).",
+    "rulesErrorValueRequired": "Zadejte hodnotu pro toto pravidlo.",
+    "rulesErrorInvalidCountry": "Neplatná země",
+    "rulesErrorInvalidCountryDescription": "Vyberte platnou zemi.",
+    "rulesErrorInvalidAsn": "Neplatný ASN",
+    "rulesErrorInvalidAsnDescription": "Zadejte platný ASN (např. AS15169).",
    "ruleUpdated": "Pravidla byla aktualizována",
    "ruleUpdatedDescription": "Pravidla byla úspěšně aktualizována",
    "ruleErrorUpdate": "Operace selhala",
    "ruleErrorUpdateDescription": "Při ukládání došlo k chybě",
    "rulesPriority": "Priorita",
+    "rulesReorderDragHandle": "Přetažením změňte prioritu pravidel",
    "rulesAction": "Akce",
    "rulesMatchType": "Typ shody",
    "value": "Hodnota",
@@ -728,9 +810,60 @@
    "rulesResource": "Konfigurace pravidel zdroje",
    "rulesResourceDescription": "Nastavit pravidla pro kontrolu přístupu ke zdroji",
    "ruleSubmit": "Přidat pravidlo",
-    "rulesNoOne": "Žádná pravidla. Přidejte pravidlo pomocí formuláře.",
+    "rulesNoOne": "Žádná pravidla zatím nejsou.",
    "rulesOrder": "Pravidla jsou hodnocena podle priority vzestupně.",
    "rulesSubmit": "Uložit pravidla",
+    "policyErrorCreate": "Chyba při vytváření zásady",
+    "policyErrorCreateDescription": "Při vytváření zásady došlo k chybě",
+    "policyErrorCreateMessageDescription": "Došlo k neočekávané chybě",
+    "policyErrorUpdate": "Chyba při aktualizaci zásady",
+    "policyErrorUpdateDescription": "Při aktualizaci zásady došlo k chybě",
+    "policyErrorUpdateMessageDescription": "Došlo k neočekávané chybě",
+    "policyCreatedSuccess": "Zásada zdroje byla úspěšně vytvořena",
+    "policyUpdatedSuccess": "Zásada zdroje byla úspěšně aktualizována",
+    "authMethodsSave": "Uložit nastavení",
+    "policyAuthStackTitle": "Autentifikace",
+    "policyAuthStackDescription": "Určete, které metody autentifikace jsou požadovány pro přístup k tomuto zdroji",
+    "policyAuthOrLogicTitle": "Více metod autentifikace je aktivních",
+    "policyAuthOrLogicBanner": "Návštěvníci mohou použít jakoukoli aktivní metodu uvedenou níže. Nemusí splnit všechny z nich.",
+    "policyAuthMethodActive": "Aktivní",
+    "policyAuthMethodOff": "Vypnuto",
+    "policyAuthSsoTitle": "Platformové SSO",
+    "policyAuthSsoDescription": "Požadujte přihlášení prostřednictvím identifikačního poskytovatele vaší organizace",
+    "policyAuthSsoSummary": "{idp} · {users} uživatelé, {roles} role",
+    "policyAuthSsoDefaultIdp": "Výchozí poskytovatel",
+    "policyAuthAddDefaultIdentityProvider": "Přidat výchozího identifikačního poskytovatele",
+    "policyAuthOtherMethodsTitle": "Ostatní metody",
+    "policyAuthOtherMethodsDescription": "Volitelné metody, které návštěvníci mohou použít místo nebo vedle platformového SSO",
+    "policyAuthPasscodeTitle": "Heslo",
+    "policyAuthPasscodeDescription": "Vyžadovat sdílené alfanumerické heslo pro přístup ke zdroji",
+    "policyAuthPasscodeSummary": "Sada hesel",
+    "policyAuthPincodeTitle": "PIN Kód",
+    "policyAuthPincodeDescription": "Krátký číselný kód vyžadován pro přístup ke zdroji",
+    "policyAuthPincodeSummary": "Nastaven 6místný PIN",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Povolit vybraným emailovým adresám s jednorázovými hesly",
+    "policyAuthEmailSummary": "Povoleno {count} adres(y)",
+    "policyAuthEmailOtpCallout": "Povolení seznamu povolených e-mailů odešle jednorázové heslo na e-mail návštěvníka při přihlášení.",
+    "policyAuthHeaderAuthTitle": "Základní Ověření Záhlaví",
+    "policyAuthHeaderAuthDescription": "Ověřit vlastní HTTP hlavičku názvu a hodnoty při každém požadavku",
+    "policyAuthHeaderAuthSummary": "Nastaveno hlavička",
+    "policyAuthHeaderName": "Název hlavičky",
+    "policyAuthHeaderValue": "Očekávaná hodnota",
+    "policyAuthSetPasscode": "Nastavit přístupový kód",
+    "policyAuthSetPincode": "Nastavit PIN kód",
+    "policyAuthSetEmailWhitelist": "Nastavit e-mailový whitelist",
+    "policyAuthSetHeaderAuth": "Nastavit základní autentizaci hlavičkou",
+    "policyAccessRulesTitle": "Pravidla Přístupu",
+    "policyAccessRulesEnableDescription": "Když je povoleno, pravidla jsou hodnocena sestupně, dokud jedno není vyhodnoceno jako pravda.",
+    "policyAccessRulesFirstMatch": "Pravidla jsou vyhodnocována shora dolů. První odpovídající pravidlo určuje výsledek.",
+    "policyAccessRulesHowItWorks": "Pravidla odpovídají požadavkům podle cesty, IP adresy, lokace nebo jiného kritéria. Každé pravidlo aplikuje akci: obejít autentizaci, zablokovat přístup nebo předat k autentizaci. Pokud žádné neodpovídá, provoz pokračuje k autentizaci.",
+    "policyAccessRulesFallthroughOff": "Když jsou pravidla zakázána, veškerý provoz přechází k autentizaci.",
+    "policyAccessRulesFallthroughOn": "Když žádné pravidlo neodpovídá, provoz přechází k autentizaci.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Uložit pravidla",
    "resourceErrorCreate": "Chyba při vytváření zdroje",
    "resourceErrorCreateDescription": "Při vytváření zdroje došlo k chybě",
    "resourceErrorCreateMessage": "Chyba při vytváření zdroje:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Došlo k chybě při aktualizaci zdroje",
    "access": "Přístup",
    "accessControl": "Kontrola přístupu",
-    "shareLink": "{resource} Sdílet odkaz",
+    "shareLink": "{resource} Sdílný odkaz",
    "resourceSelect": "Vyberte zdroj",
-    "shareLinks": "Sdílet odkazy",
+    "shareLinks": "Sdíletelné odkazy",
    "share": "Sdílené odkazy",
    "shareDescription2": "Vytvořte sdílitelné odkazy na zdroje. Odkazy poskytují dočasný nebo neomezený přístup k vašemu zdroji. Můžete nakonfigurovat dobu vypršení platnosti odkazu při jeho vytvoření.",
    "shareEasyCreate": "Snadné vytváření a sdílení",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Přidat PIN kód",
    "pincodeRemove": "Odstranit PIN kód",
    "resourceAuthMethods": "Metody ověřování",
+    "resourcePolicyAuthMethodsEmpty": "Žádná metoda ověřování",
+    "resourcePolicyOtpEmpty": "Žádné jednorázové hesla",
+    "resourcePolicyReadOnly": "Tato zásada je pouze ke čtení",
+    "resourcePolicyReadOnlyDescription": "Tato zásada zdroje je sdílena mezi více zdroji, nelze ji upravovat na této stránce.",
+    "editSharedPolicy": "Upravit sdílenou zásadu",
+    "resourcePolicyTypeSave": "Uložit typ zdroje",
+    "resourcePolicySelect": "Vybrat zásadu zdroje",
+    "resourcePolicySelectError": "Vyberte zásadu zdroje",
+    "resourcePolicyNotFound": "Zásada nenalezena",
+    "resourcePolicySearch": "Hledat zásady",
+    "resourcePolicyRulesEmpty": "Žádná pravidla ověřování",
    "resourceAuthMethodsDescriptions": "Povolit přístup ke zdroji pomocí dodatečných metod autorizace",
    "resourceAuthSettingsSave": "Úspěšně uloženo",
    "resourceAuthSettingsSaveDescription": "Nastavení ověřování bylo uloženo",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Nastavit anonymní kód",
    "resourcePincodeSetupTitleDescription": "Nastavit pincode pro ochranu tohoto zdroje",
    "resourceRoleDescription": "Administrátoři mají vždy přístup k tomuto zdroji.",
+    "resourcePolicySelectTitle": "Zásada přístupu ke zdrojům",
+    "resourcePolicySelectDescription": "Vyberte typ zásady zdroje ověřování",
+    "resourcePolicyTypeLabel": "Typ zásady zdroje",
+    "resourcePolicyLabel": "Zásada zdroje",
+    "resourcePolicyInline": "Inline Zásada Zdroje",
+    "resourcePolicyInlineDescription": "Zásada přístupu se zaměřením pouze na tento zdroj",
+    "resourcePolicyShared": "Sdílená Zásada Zdroje",
+    "resourcePolicySharedDescription": "Tento zdroj používá sdílenou zásadu.",
+    "sharedPolicy": "Sdílená Zásada",
+    "sharedPolicyNoneDescription": "Tento zdroj má vlastní zásadu.",
+    "resourceSharedPolicyOwnDescription": "Tento zdroj má vlastní ovládání autentifikace a přístupových pravidel.",
+    "resourceSharedPolicyInheritedDescription": "Tento zdroj dědí ze <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Tento zdroj používá sdílenou politiku. Některá nastavení autentizace lze upravit na tomto zdroji k doplnění politiky. Pro úpravu základní politiky musíte upravit <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Tento zdroj používá sdílenou politiku. Některá přístupová pravidla lze upravit na tomto zdroji. Chcete-li změnit základní politiku, musíte upravit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Kontrola přístupu",
    "resourceUsersRolesDescription": "Nastavení, kteří uživatelé a role mohou navštívit tento zdroj",
    "resourceUsersRolesSubmit": "Uložit přístupové řízení",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Viditelnost",
    "resourceVisibilityTitleDescription": "Zcela povolit nebo zakázat viditelnost zdrojů",
    "resourceGeneral": "Obecná nastavení",
-    "resourceGeneralDescription": "Konfigurace obecných nastavení tohoto zdroje",
+    "resourceGeneralDescription": "Nakonfigurujte název, adresu a přístupovou politiku pro tento zdroj.",
+    "resourceGeneralDetailsSubsection": "Detaily zdroje",
+    "resourceGeneralDetailsSubsectionDescription": "Nastavte zobrazovaný název, identifikátor a veřejně dostupnou doménu pro tento zdroj.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Nastavte zobrazovaný název, identifikátor a veřejný port pro tento zdroj.",
+    "resourceGeneralPublicAddressSubsection": "Veřejná Adresa",
+    "resourceGeneralPublicAddressSubsectionDescription": "Nakonfigurujte, jak uživatelé dosáhnou tento zdroj.",
+    "resourceGeneralAuthenticationAccessSubsection": "Autentizace & Přístup",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Vyberte, zda tento zdroj používá vlastní politiku, nebo dědí od sdílené politiky.",
    "resourceEnable": "Povolit dokument",
    "resourceTransfer": "Přenos zdroje",
    "resourceTransferDescription": "Přenést tento zdroj na jiný web",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Při připojování k {name}došlo k chybě. Obraťte se na správce.",
    "idpErrorNotFound": "IdP nenalezen",
    "inviteInvalid": "Neplatná pozvánka",
+    "labels": "Štítky",
+    "orgLabelsDescription": "Spravujte štítky v této organizaci.",
+    "addLabels": "Přidat štítky",
+    "siteLabelsTab": "Štítky",
+    "siteLabelsDescription": "Spravujte štítky přiřazené k této lokalitě.",
+    "labelsNotFound": "Nebyly nalezeny žádné štítky.",
+    "labelsEmptyCreateHint": "Začněte psát výše k vytvoření štítku.",
+    "labelSearch": "Hledat štítky",
+    "labelSearchOrCreate": "Hledání nebo vytvoření štítku",
+    "accessLabelFilterCount": "{count, plural, one {# štítek} few {# štítky} other {# štítků}}",
+    "labelOverflowCount": "+{count, plural, one {# štítek} few {# štítky} other {# štítků}}",
+    "accessLabelFilterClear": "Vymazat filtry štítků",
+    "accessFilterClear": "Vymazat filtry",
+    "selectColor": "Vybrat barvu",
+    "createNewLabel": "Vytvořit nový štítek organizace \"{label}\"",
    "inviteInvalidDescription": "Odkaz pro pozvání je neplatný.",
    "inviteErrorWrongUser": "Pozvat není pro tohoto uživatele",
    "inviteErrorUserNotExists": "Uživatel neexistuje. Nejprve si vytvořte účet.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Zdroje",
    "sidebarProxyResources": "Veřejnost",
    "sidebarClientResources": "Soukromé",
+    "sidebarPolicies": "Sdílené Odkazy",
+    "sidebarResourcePolicies": "Veřejné Zdroje",
    "sidebarAccessControl": "Kontrola přístupu",
    "sidebarLogsAndAnalytics": "Logy & Analytika",
    "sidebarTeam": "Tým",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Pozvánky",
    "sidebarRoles": "Role",
-    "sidebarShareableLinks": "Odkazy",
+    "sidebarShareableLinks": "Sdílené Odkazy",
    "sidebarApiKeys": "API klíče",
    "sidebarProvisioning": "Zajištění",
    "sidebarSettings": "Nastavení",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Stránka {id}",
    "standaloneHcFilterResourceIdFallback": "Zdroj {id}",
    "blueprints": "Plány",
-    "blueprintsDescription": "Použít deklarativní konfigurace a zobrazit předchozí běhy",
+    "blueprintsLog": "Protokol plánů",
+    "blueprintsDescription": "Zobrazit předchozí aplikace modrotisku a jejich výsledky nebo aplikovat nový modrotisk",
    "blueprintAdd": "Přidat plán",
    "blueprintGoBack": "Zobrazit všechny plány",
    "blueprintCreate": "Vytvořit plán",
@@ -1559,7 +1742,17 @@
    "contents": "Obsah",
    "parsedContents": "Parsed content (Pouze pro čtení)",
    "enableDockerSocket": "Povolit Docker plán",
-    "enableDockerSocketDescription": "Povolte seškrábání štítků na Docker Socket pro popisky plánů. Nová cesta musí být k dispozici.",
+    "enableDockerSocketDescription": "Povolte seškrábání štítků pro Docker Socket pro štítky plánů. Před připojením na lokalitní konektor musí být uvedena cesta k soketu. Přečtěte si, jak to funguje <docsLink>v dokumentaci</docsLink>.",
+    "newtAutoUpdate": "Povolit automatickou aktualizaci stránek",
+    "newtAutoUpdateDescription": "Když je povoleno, konektory stránek automaticky stáhnou nejnovější verzi a restartují se. To lze přepsat na základě jednotlivých míst.",
+    "siteAutoUpdate": "Automatická aktualizace stránek",
+    "siteAutoUpdateLabel": "Povolte automatickou aktualizaci",
+    "siteAutoUpdateDescription": "Když je povoleno, konektor této stránky automaticky stáhne nejnovější verzi a restartuje se sám.",
+    "siteAutoUpdateOrgDefault": "Výchozí organizace: {state}",
+    "siteAutoUpdateOverriding": "Přepsání nastavení organizace",
+    "siteAutoUpdateResetToOrg": "Obnovit na výchozí organizaci",
+    "siteAutoUpdateEnabled": "povoleno",
+    "siteAutoUpdateDisabled": "zakázáno",
    "viewDockerContainers": "Zobrazit kontejnery Dockeru",
    "containersIn": "Kontejnery v {siteName}",
    "selectContainerDescription": "Vyberte jakýkoli kontejner pro použití jako název hostitele pro tento cíl. Klikněte na port pro použití portu.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certifikát",
    "certificateStatusAutoRefreshHint": "Stav se automaticky obnovuje.",
    "loading": "Načítání",
+    "loadingEllipsis": "Načítání...",
    "loadingAnalytics": "Načítání analytiky",
    "restart": "Restartovat",
    "domains": "Domény",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Nastavení účtu dokončeno! Vítejte v Pangolinu!",
    "documentation": "Dokumentace",
    "saveAllSettings": "Uložit všechna nastavení",
-    "saveResourceTargets": "Uložit cíle",
-    "saveResourceHttp": "Uložit nastavení proxy",
-    "saveProxyProtocol": "Uložit nastavení proxy protokolu",
+    "saveResourceTargets": "Uložit Nastavení",
+    "saveResourceHttp": "Uložit Nastavení",
+    "saveProxyProtocol": "Uložit Nastavení",
    "settingsUpdated": "Nastavení aktualizováno",
    "settingsUpdatedDescription": "Nastavení úspěšně aktualizována",
    "settingsErrorUpdate": "Aktualizace nastavení se nezdařila",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Spravujte své předplatné za placené samohostované licenční klíče",
    "billingCurrentKeys": "Aktuální klíče",
    "billingModifyCurrentPlan": "Upravit aktuální tarif",
+    "billingManageLicenseSubscriptionDescription": "Spravujte své předplatné pro placené licence k samoobslužnému hostingu a stahujte faktury.",
    "billingConfirmUpgrade": "Potvrdit aktualizaci",
    "billingConfirmDowngrade": "Potvrdit downgrade",
    "billingConfirmUpgradeDescription": "Chystáte se povýšit svůj tarif. Přečtěte si nové limity a ceny.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Neznámý",
    "healthCheck": "Kontrola stavu",
    "configureHealthCheck": "Konfigurace kontroly stavu",
-    "configureHealthCheckDescription": "Nastavit sledování zdravotního stavu pro {target}",
+    "configureHealthCheckDescription": "Nastavte monitorování vašeho zdroje, abyste zajistili, že je vždy dostupný",
    "enableHealthChecks": "Povolit kontrolu stavu",
    "healthCheckDisabledStateDescription": "Pokud je zakázáno, web nebude provádět zdravotní kontroly a stav bude považován za neznámý.",
    "enableHealthChecksDescription": "Sledujte zdraví tohoto cíle. V případě potřeby můžete sledovat jiný cílový bod, než je cíl.",
    "healthScheme": "Způsob",
    "healthSelectScheme": "Vybrat metodu",
-    "healthCheckPortInvalid": "Přístav kontroly stavu musí být mezi 1 a 65535",
+    "healthCheckPortInvalid": "Port musí být mezi 1 a 65535",
    "healthCheckPath": "Cesta",
    "healthHostname": "IP / Hostitel",
    "healthPort": "Přístav",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Čas je v sekundách",
    "requireDeviceApproval": "Vyžadovat schválení zařízení",
    "requireDeviceApprovalDescription": "Uživatelé s touto rolí potřebují nová zařízení schválená správcem, než se mohou připojit a přistupovat ke zdrojům.",
-    "sshAccess": "SSH přístup",
+    "sshSettings": "Nastavení SSH",
+    "sshAccess": "SSH Přístup",
+    "rdpSettings": "Nastavení RDP",
+    "vncSettings": "Nastavení VNC",
+    "sshServer": "SSH server",
+    "rdpServer": "RDP server",
+    "vncServer": "VNC server",
+    "sshServerDescription": "Nastavit metodu ověřování, umístění démona a cíl serveru",
+    "rdpServerDescription": "Nakonfigurujte cíl a port serveru RDP",
+    "vncServerDescription": "Nakonfigurujte cíl a port serveru VNC",
+    "sshServerMode": "Režim",
+    "sshServerModeStandard": "Standardní SSH server",
+    "sshServerModePangolin": "SSH Pangolin",
+    "sshServerModeStandardDescription": "Příkazy zpracovávané po síti na SSH server jako např. OpenSSH.",
+    "sshServerModeNative": "Nativní SSH server",
+    "sshServerModeNativeDescription": "Příkazy se provádí přímo na hostiteli přes Konektor lokality. Nastavení sítě není vyžadováno.",
+    "sshAuthenticationMethod": "Metoda ověřování",
+    "sshAuthMethodManual": "Ruční ověřování",
+    "sshAuthMethodManualDescription": "Vyžaduje existující přihlašovací údaje hostitele. Obchází automatické zřizování.",
+    "sshAuthMethodAutomated": "Automatické zřizování",
+    "sshAuthMethodAutomatedDescription": "Automaticky vytváří uživatele, skupiny a oprávnění sudo na hostiteli.",
+    "sshAuthDaemonLocation": "Umístění ověřovacího démona",
+    "sshDaemonLocationSiteDescription": "Spouští se lokálně na počítači s konektorem stránky.",
+    "sshDaemonLocationRemote": "Na vzdáleném hostiteli",
+    "sshDaemonLocationRemoteDescription": "Spouští se na jiném cílovém počítači v téže síti.",
+    "sshDaemonDisclaimer": "Ujistěte se, že váš cílový hostitel je správně nakonfigurován k přímu spuštění ověřovacího démona, jinak zřizování selže.",
+    "sshDaemonPort": "Port démona",
+    "sshServerDestination": "Cíl serveru",
+    "sshServerDestinationDescription": "Nakonfigurujte cíl serveru SSH",
+    "destination": "Cíl",
+    "destinationRequired": "Destinace je vyžadována.",
+    "domainRequired": "Doména je vyžadována.",
+    "proxyPortRequired": "Port je vyžadován.",
+    "invalidPathConfiguration": "Neplatná konfigurace cesty.",
+    "invalidRewritePathConfiguration": "Neplatná konfigurace přepsat cesty.",
+    "bgTargetMultiSiteDisclaimer": "Výběr více lokalit umožňuje odolné směrování a převzetí služeb při selhání pro vysokou dostupnost.",
    "roleAllowSsh": "Povolit SSH",
    "roleAllowSshAllow": "Povolit",
    "roleAllowSshDisallow": "Zakázat",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Uživatel může spustit pouze zadané příkazy s sudo.",
    "sshSudo": "Povolit sudo",
    "sshSudoCommands": "Sudo příkazy",
-    "sshSudoCommandsDescription": "Čárkami oddělený seznam příkazů, které může uživatel spouštět s sudo.",
+    "sshSudoCommandsDescription": "Seznam příkazů, které je uživateli povoleno spouštět se sudo, oddělený čárkami, mezerami, nebo novými řádky. Je třeba používat absolutní cesty.",
    "sshCreateHomeDir": "Vytvořit domovský adresář",
    "sshUnixGroups": "Unixové skupiny",
-    "sshUnixGroupsDescription": "Čárkou oddělené skupiny Unix přidají uživatele do cílového hostitele.",
+    "sshUnixGroupsDescription": "Unixové skupiny, do kterých má být uživatel přidán na cílovém hostu, oddělené čárkami, mezerami, nebo novými řádky.",
+    "roleTextFieldPlaceholder": "Zadejte hodnoty nebo přetáhněte soubor .txt nebo .csv",
+    "roleTextImportTitle": "Importovat ze souboru",
+    "roleTextImportDescription": "Importuje se {fileName} do {fieldLabel}.",
+    "roleTextImportSkipHeader": "Přeskočit první řádek (záhlaví)",
+    "roleTextImportOverride": "Nahradit existující",
+    "roleTextImportAppend": "Přidat k existujícímu",
+    "roleTextImportMode": "Režim importu",
+    "roleTextImportPreview": "Náhled",
+    "roleTextImportItemCount": "{count, plural, =0 {Žádné položky k importu} one {1 položka k importu} few {# položky k importu} many {# položek k importu} other {# položek k importu}}",
+    "roleTextImportTotalCount": "{existing} existující + {imported} importované = {total} celkem",
+    "roleTextImportConfirm": "Importovat",
+    "roleTextImportInvalidFile": "Nepodporovaný typ souboru",
+    "roleTextImportInvalidFileDescription": "Podporovány jsou pouze soubory .txt a .csv.",
+    "roleTextImportEmpty": "V souboru nebyly nalezeny žádné položky",
+    "roleTextImportEmptyDescription": "Soubor neobsahuje žádné položky k importu.",
    "retryAttempts": "Opakovat pokusy",
    "expectedResponseCodes": "Očekávané kódy odezvy",
    "expectedResponseCodesDescription": "HTTP kód stavu, který označuje zdravý stav. Ponecháte-li prázdné, 200-300 je považováno za zdravé.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schéma",
-    "editInternalResourceDialogEnableSsl": "Povolit SSL",
+    "editInternalResourceDialogEnableSsl": "Povolit TLS",
    "editInternalResourceDialogEnableSslDescription": "Povolit šifrování SSL/TLS pro zabezpečené HTTPS připojení k cíli.",
    "editInternalResourceDialogDestination": "Místo určení",
    "editInternalResourceDialogDestinationHostDescription": "IP adresa nebo název hostitele zdroje v síti webu.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schéma",
    "createInternalResourceDialogScheme": "Schéma",
-    "createInternalResourceDialogEnableSsl": "Povolit SSL",
+    "createInternalResourceDialogEnableSsl": "Povolit TLS",
    "createInternalResourceDialogEnableSslDescription": "Povolit šifrování SSL/TLS pro zabezpečené HTTPS připojení k cíli.",
    "createInternalResourceDialogDestination": "Místo určení",
    "createInternalResourceDialogDestinationHostDescription": "IP adresa nebo název hostitele zdroje v síti webu.",
@@ -2217,7 +2464,7 @@
        "description": "Spolehlivější a nízko udržovaný Pangolinův server s dalšími zvony a bičkami",
        "introTitle": "Spravovaný Pangolin",
        "introDescription": "je možnost nasazení určená pro lidi, kteří chtějí jednoduchost a spolehlivost při zachování soukromých a samoobslužných dat.",
-        "introDetail": "Pomocí této volby stále provozujete vlastní uzel Pangolin - tunely, SSL terminály a provoz všech pobytů na vašem serveru. Rozdíl spočívá v tom, že řízení a monitorování se řeší prostřednictvím našeho cloudového panelu, který odemkne řadu výhod:",
+        "introDetail": "Pomocí této volby stále provozujete vlastní uzel Pangolin - vaše tunely, ukončení TLS a provoz zůstávají na vašem serveru. Rozdíl spočívá v tom, že správa a monitoring jsou řešeny prostřednictvím naší cloudové řídící desky, což odemyká řadu výhod:",
        "benefitSimplerOperations": {
            "title": "Jednoduchý provoz",
            "description": "Není třeba spouštět svůj vlastní poštovní server nebo nastavit komplexní upozornění. Ze schránky dostanete upozornění na zdravotní kontrolu a výpadek."
@@ -2652,6 +2899,8 @@
    "validPassword": "Platné heslo",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Zobrazit",
+    "configManaged": "Správa konfigurace",
    "connectedClient": "Připojený klient",
    "resourceBlocked": "Zablokované zdroje",
    "droppedByRule": "Zrušeno pravidlem",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Povolit Proxy protokol",
    "proxyProtocolInfo": "Zachovat IP adresu klienta pro TCP zálohy",
    "proxyProtocolVersion": "Verze proxy protokolu",
-    "version1": " Verze 1 (doporučeno)",
+    "version1": "Verze 1 (Doporučeno)",
    "version2": "Verze 2",
-    "versionDescription": "Verze 1 je textová a široce podporovaná. Verze 2 je binární a efektivnější, ale méně kompatibilní.",
+    "version1Description": "Textově založený a široce podporovaný. Ujistěte se, že je transport serveru přidán do dynamické konfigurace.",
+    "version2Description": "Binární a efektivnější, ale méně kompatibilní. Ujistěte se, že je transport serveru přidán do dynamické konfigurace.",
    "warning": "Varování",
    "proxyProtocolWarning": "Aplikace backend musí být nakonfigurována, aby mohla přijímat připojení k Proxy protokolu. Pokud vaše backend nepodporuje Proxy protokol, povolením tohoto protokolu dojde k přerušení všech připojení, takže toto povolíte pouze pokud víte, co děláte. Ujistěte se, že nastavíte svou backend a důvěřujte hlavičkám Proxy protokolu z Traefik.",
    "restarting": "Restartování...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Zadejte potvrzení",
    "blueprintViewDetails": "Detaily",
    "defaultIdentityProvider": "Výchozí poskytovatel identity",
-    "defaultIdentityProviderDescription": "Pokud je vybrán výchozí poskytovatel identity, uživatel bude automaticky přesměrován na poskytovatele pro ověření.",
+    "defaultIdentityProviderDescription": "Uživatel bude automaticky přesměrován na tohoto identifikačního poskytovatele pro autentifikaci.",
    "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
    "editInternalResourceDialogAccessPolicy": "Přístupová politika",
    "editInternalResourceDialogAddRoles": "Přidat role",
@@ -2919,11 +3169,12 @@
    "learnMore": "Zjistit více",
    "backToHome": "Zpět na domovskou stránku",
    "needToSignInToOrg": "Potřebujete použít identitního poskytovatele vaší organizace?",
-    "maintenanceMode": "Režim údržby",
+    "maintenanceMode": "Údržbová stránka",
    "maintenanceModeDescription": "Zobrazit stránku údržby návštěvníkům",
    "maintenanceModeType": "Typ režimu údržby",
    "showMaintenancePage": "Zobrazit stránku údržby návštěvníkům",
    "enableMaintenanceMode": "Povolit režim údržby",
+    "enableMaintenanceModeDescription": "Když je povoleno, návštěvníci uvidí údržbu místo vašeho zdroje.",
    "automatic": "Automatické",
    "automaticModeDescription": "Zobrazte stránku údržby pouze, když jsou všechny cílové servery uživatele nebo prostředku nefunkční nebo nezdravé. Vaše prostředky budou nadále fungovat normálně, pokud je alespoň jeden cíl v pořádku.",
    "forced": "Nucené",
@@ -2931,6 +3182,8 @@
    "warning:": "Varování:",
    "forcedeModeWarning": "Veškerý provoz bude směrován na stránku údržby. Vaše prostředky backendu neobdrží žádné žádosti.",
    "pageTitle": "Název stránky",
+    "maintenancePageContentSubsection": "Obsah Stránky",
+    "maintenancePageContentSubsectionDescription": "Přizpůsobte obsah zobrazovaný na stránce údržby",
    "pageTitleDescription": "Hlavní titulek zobrazovaný na stránce údržby",
    "maintenancePageMessage": "Zpráva údržby",
    "maintenancePageMessagePlaceholder": "Vrátíme se brzy! Naše stránka právě prochází plánovanou údrbou.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Odhadované dokončení:",
    "createInternalResourceDialogDestinationRequired": "Cíl je povinný",
    "available": "Dostupné",
+    "disabledResourceDescription": "Když je deaktivován, zdroj bude nedostupný pro každého.",
    "archived": "Archivováno",
    "noArchivedDevices": "Nebyla nalezena žádná archivovaná zařízení",
    "deviceArchived": "Zařízení archivováno",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Přeposlat události přímo do vašeho účtu Datadog účtu. Brzy přijde.",
    "streamingTypePickerDescription": "Vyberte cílový typ pro začátek.",
-    "streamingFailedToLoad": "Nepodařilo se načíst destinace",
+    "streamingLastSyncError": "Došlo k chybě při poslední synchronizaci",
    "streamingUnexpectedError": "Došlo k neočekávané chybě.",
    "streamingFailedToUpdate": "Nepodařilo se aktualizovat cíl",
    "streamingDeletedSuccess": "Cíl byl úspěšně odstraněn",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Upravit cíl",
    "S3DestAddTitle": "Přidat S3 cíl",
    "S3DestEditDescription": "Aktualizujte konfiguraci tohoto S3 cíle pro streamování událostí.",
-    "S3DestAddDescription": "Konfigurujte nový S3 koncový bod pro přijímání událostí vaší organizace.",
+    "S3DestAddDescription": "Nakonfigurujte nový Amazon S3 (nebo S3-kompatibilní) bucket, aby přijímal události vaší organizace.",
+    "s3DestTabSettings": "Nastavení",
+    "s3DestTabFormat": "Formát",
+    "s3DestNameLabel": "Jméno",
+    "s3DestNamePlaceholder": "Moje cílové S3",
+    "s3DestAccessKeyIdLabel": "ID přístupového klíče AWS",
+    "s3DestSecretAccessKeyLabel": "Tajný přístupový klíč AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Váš tajný přístupový klíč AWS",
+    "s3DestRegionLabel": "Oblast AWS",
+    "s3DestBucketLabel": "Název bucketu",
+    "s3DestPrefixLabel": "Předpona klíče (volitelné)",
+    "s3DestPrefixDescription": "Volitelná cesta předpony přidaná ke každému objektovému klíči. Objekty jsou uloženy na {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Vlastní koncový bod (volitelné)",
+    "s3DestEndpointDescription": "Přepište koncový bod S3 pro S3-kompatibilní úložiště, jako je MinIO nebo Cloudflare R2. Nechte prázdné pro standardní AWS S3.",
+    "s3DestGzipLabel": "Komprese Gzip",
+    "s3DestGzipDescription": "Komprimujte každý nahraný objekt pomocí gzip. Snižuje náklady na uložení a velikost nahrávání.",
+    "s3DestFormatTitle": "Formát souboru",
+    "s3DestFormatDescription": "Jak jsou události serializovány v každém nahraném objektu.",
+    "s3DestFormatJsonArrayDescription": "Každý objekt je pole JSON záznamů událostí. Kompatibilní s většinou analytických nástrojů.",
+    "s3DestFormatNdjsonDescription": "Každý objekt obsahuje jeden JSON záznam na řádku (newline-delimited JSON). Kompatibilní s Athena, BigQuery a Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Každý objekt je soubor CSV podle RFC-4180 s řádkem záhlaví. Názvy sloupců jsou odvozeny z polí dat událostí.",
+    "s3DestSaveChanges": "Uložit změny",
+    "s3DestCreateDestination": "Vytvořit destinaci",
+    "s3DestUpdatedSuccess": "Destinace úspěšně aktualizována",
+    "s3DestCreatedSuccess": "Destinace úspěšně vytvořena",
+    "s3DestUpdateFailed": "Aktualizace destinace se nezdařila",
+    "s3DestCreateFailed": "Vytvoření destinace se nezdařilo",
    "datadogDestEditTitle": "Upravit cíl",
    "datadogDestAddTitle": "Přidat Datadog cíl",
    "datadogDestEditDescription": "Aktualizujte konfiguraci tohoto Datadog cíle pro streamování událostí.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Opravdu chcete odpojit tohoto poskytovatele identity od této organizace?",
    "idpUnassociateDescription": "Všichni uživatelé spojení s tímto poskytovatelem identity budou odstraněni z této organizace, ale poskytovatel identity zůstane nadále existovat pro ostatní přidružené organizace.",
    "idpUnassociateConfirm": "Potvrdit odpojení poskytovatele identity",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "SMAZAT A ODSTRANIT MĚ Z ORGANIZACE",
+    "idpUnassociateAndRemoveMeFromOrg": "ODPOJIT A ODSTRANIT MĚ Z ORGANIZACE",
    "idpUnassociateWarning": "Toto nelze pro tuto organizaci vrátit.",
    "idpUnassociatedDescription": "Poskytovatel identity byl úspěšně odpojen od této organizace",
    "idpUnassociateMenu": "Odpojit",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Zdroj je zakázán",
    "memberPortalShowingResources": "Zobrazeny {start}-{end} z {total} zdrojů",
    "memberPortalPrevious": "Předchozí",
-    "memberPortalNext": "Následující"
+    "memberPortalNext": "Následující",
+    "httpSettings": "Nastavení HTTP",
+    "tcpSettings": "Nastavení TCP",
+    "udpSettings": "Nastavení UDP",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Zřizování bezpečného připojení…",
+    "sshConnecting": "Připojení…",
+    "sshInitializing": "Inicializace…",
+    "sshSignInTitle": "Přihlášení do SSH",
+    "sshSignInDescription": "Zadejte své údaje SSH pro připojení",
+    "sshPasswordTab": "Heslo",
+    "sshPrivateKeyTab": "Soukromý klíč",
+    "sshPrivateKeyField": "Soukromý klíč",
+    "sshPrivateKeyDisclaimer": "Váš soukromý klíč není ukládán ani viditelný pro Pangolin. Alternativně můžete použít krátkodobé certifikáty pro bezproblémové ověřování pomocí vaší stávající identity Pangolin.",
+    "sshLearnMore": "Přečtěte si více",
+    "sshPrivateKeyFile": "Soubor soukromého klíče",
+    "sshAuthenticate": "Připojit",
+    "sshTerminate": "Ukončit",
+    "sshPoweredBy": "Vytváří",
+    "sshErrorNoTarget": "Cíl nebyl určen",
+    "sshErrorWebSocket": "Chyba připojení WebSocketu",
+    "sshErrorAuthFailed": "Ověření selhalo",
+    "sshErrorConnectionClosed": "Připojení bylo uzavřeno před dokončením ověřování",
+    "sitePangolinSshDescription": "Povolte SSH přístup k zdrojům na tomto místě. Toto lze změnit později.",
+    "browserGatewayNoResourceForDomain": "Pro tuto doménu nebyl nalezen žádný zdroj",
+    "browserGatewayNoTarget": "Žádný cíl",
+    "browserGatewayConnect": "Připojit",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Nepodařilo se podepsat klíč SSH pro ověřování pomocí PAM push. Přihlásili jste se jako uživatel?",
+    "sshTerminalError": "Chyba: {error}",
+    "sshConnectionClosedCode": "Připojení bylo uzavřeno (kód {code})",
+    "sshPrivateKeyPlaceholder": "-----ZAČÁTEK SOUKROMÉHO KLÍČE OPENSSH-----",
+    "sshPrivateKeyRequired": "Je vyžadován soukromý klíč",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Zadejte své heslo VNC pro připojení",
+    "vncPasswordOptional": "Heslo (nepovinné)",
+    "vncNoResourceTarget": "Není k dispozici žádný cíl zdroje",
+    "vncFailedToLoadNovnc": "Nepodařilo se načíst noVNC",
+    "vncAuthFailedStatus": "Stav {status}",
+    "vncPasteClipboard": "Vložit schránku",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Přihlásit se k Vzdálené ploše",
+    "rdpSignInDescription": "Zadejte přihlašovací údaje pro Windows k připojení",
+    "rdpLoadingModule": "Načítá se modul...",
+    "rdpFailedToLoadModule": "Nepodařilo se načíst modul RDP",
+    "rdpNotReady": "Není připraveno",
+    "rdpModuleInitializing": "Modul RDP se stále inicializuje",
+    "rdpDownloadingFiles": "Stahuje se {count} soubor(y) z dálky...",
+    "rdpDownloadFailed": "Stažení se nezdařilo: {fileName}",
+    "rdpUploaded": "Nahráno: {fileName}",
+    "rdpNoConnectionTarget": "Žádný dostupný cíl připojení",
+    "rdpConnectionFailed": "Připojení se nezdařilo",
+    "rdpFit": "Přizpůsobit",
+    "rdpFull": "Celé",
+    "rdpReal": "Skutečný",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Nahrát soubory",
+    "rdpFilesReadyToPaste": "Soubory připravené ke vložení",
+    "rdpFilesReadyToPasteDescription": "{count} soubor(y) zkopírován(y) do vzdálené schránky — stiskněte Ctrl+V na vzdálené ploše pro vložení.",
+    "rdpUploadFailed": "Nahrání selhalo",
+    "rdpUnicodeKeyboardMode": "Režim Unicode klávesnice",
+    "sessionToolbarShow": "Zobrazit panel nástrojů",
+    "sessionToolbarHide": "Skrýt panel nástrojů"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -22,11 +22,11 @@
    "componentsMember": "Du bist Mitglied von {count, plural, =0 {keiner Organisation} one {einer Organisation} other {# Organisationen}}.",
    "componentsInvalidKey": "Ungültige oder abgelaufene Lizenzschlüssel erkannt. Beachte die Lizenzbedingungen, um alle Funktionen weiterhin zu nutzen.",
    "dismiss": "Verwerfen",
-    "subscriptionViolationMessage": "Sie überschreiten Ihre Grenzen für Ihr aktuelles Paket. Korrigieren Sie das Problem, indem Sie Webseiten, Benutzer oder andere Ressourcen entfernen, um in Ihrem Paket zu bleiben.",
+    "subscriptionViolationMessage": "Sie überschreiten Ihre Grenzen für Ihr aktuelles Paket. Korrigieren Sie das Problem, indem Sie Standorte, Benutzer oder andere Ressourcen entfernen, um in Ihrem Paket zu bleiben.",
    "trialBannerMessage": "Ihre Testversion läuft in {countdown} ab. Upgraden, um den Zugriff zu behalten.",
    "trialBannerExpired": "Ihre Testversion ist abgelaufen. Jetzt upgraden, um den Zugriff wiederherzustellen.",
    "billingTrialBannerTitle": "Kostenlose Testversion aktiv",
-    "billingTrialBannerDescription": "Sie nutzen derzeit eine kostenlose Testversion auf der Geschäftsstufe. Wenn die Testversion endet, wird Ihr Konto automatisch auf die Funktionen und Beschränkungen der Basisstufe zurückgesetzt. Upgraden Sie jederzeit, um weiterhin Zugriff auf die Funktionen Ihres aktuellen Plans zu behalten.",
+    "billingTrialBannerDescription": "Sie nutzen derzeit eine kostenlose Testversion auf der Business-Tarif. Wenn die Testversion endet, wird Ihr Konto automatisch auf die Funktionen und Beschränkungen der Basis-Tarif zurückgesetzt. Upgraden Sie jederzeit, um weiterhin Zugriff auf die Funktionen Ihres aktuellen Plans zu behalten.",
    "billingTrialBannerUpgrade": "Jetzt upgraden",
    "billingTrialBadge": "Kostenlose Testversion",
    "trialActive": "Kostenlose Testversion aktiv",
@@ -34,8 +34,8 @@
    "trialHasEnded": "Ihre Testversion ist beendet.",
    "trialDaysRemaining": "{count, plural, one {# Tag übrig} other {# Tage übrig}}",
    "trialDaysLeftShort": "Noch {days}d in der Testversion",
-    "trialGoToBilling": "Zur Rechnungsseite gehen",
-    "subscriptionViolationViewBilling": "Rechnung anzeigen",
+    "trialGoToBilling": "Zur Abrechnung gehen",
+    "subscriptionViolationViewBilling": "Abrechnung anzeigen",
    "componentsLicenseViolation": "Lizenzverstoß: Dieser Server benutzt {usedSites} Standorte, was das Lizenzlimit von {maxSites} Standorten überschreitet. Beachte die Lizenzbedingungen, um alle Funktionen weiterhin zu nutzen.",
    "componentsSupporterMessage": "Vielen Dank für die Unterstützung von Pangolin als {tier}!",
    "inviteErrorNotValid": "Es tut uns leid, aber es sieht so aus, als wäre die Einladung, auf die du zugreifen möchtest, entweder nicht angenommen worden oder nicht mehr gültig.",
@@ -67,7 +67,7 @@
    "edit": "Bearbeiten",
    "siteConfirmDelete": "Löschen des Standorts bestätigen",
    "siteDelete": "Standort löschen",
-    "siteMessageRemove": "Sobald der Standort entfernt ist, wird sie nicht mehr zugänglich sein. Alle mit dem Standort verbundenen Ziele werden ebenfalls entfernt.",
+    "siteMessageRemove": "Sobald der Standort entfernt ist, wird er nicht mehr zugänglich sein. Alle mit dem Standort verbundenen Ziele werden ebenfalls entfernt.",
    "siteQuestionRemove": "Sind Sie sicher, dass Sie den Standort aus der Organisation entfernen möchten?",
    "siteManageSites": "Standorte verwalten",
    "siteDescription": "Erstellen und Verwalten von Standorten, um die Verbindung zu privaten Netzwerken zu ermöglichen",
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Private Ressourcen anzeigen",
    "siteInstallNewt": "Newt installieren",
    "siteInstallNewtDescription": "Installiere Newt auf deinem System.",
+    "siteInstallKubernetesDocsDescription": "Für aktuelle Installationsinformationen zu Kubernetes, siehe <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Für Installationsanweisungen für Advantech-Modems siehe <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Konfiguration",
    "WgConfigurationDescription": "Verwenden Sie folgende Konfiguration, um sich mit dem Netzwerk zu verbinden",
    "operatingSystem": "Betriebssystem",
@@ -117,20 +119,20 @@
    "siteGeneralDescription": "Allgemeine Einstellungen für diesen Standort konfigurieren",
    "siteSettingDescription": "Standorteinstellungen konfigurieren",
    "siteResourcesTab": "Ressourcen",
-    "siteResourcesNoneOnSite": "Diese Seite hat noch keine öffentlichen oder privaten Ressourcen.",
+    "siteResourcesNoneOnSite": "Dieser Standort hat noch keine öffentlichen oder privaten Ressourcen",
    "siteResourcesSectionPublic": "Öffentliche Ressourcen",
    "siteResourcesSectionPrivate": "Private Ressourcen",
    "siteResourcesSectionPublicDescription": "Ressourcen, die extern über Domains oder Ports bereitgestellt werden.",
-    "siteResourcesSectionPrivateDescription": "Ressourcen, die in Ihrem privaten Netzwerk über die Seite verfügbar sind.",
+    "siteResourcesSectionPrivateDescription": "Ressourcen, die in Ihrem privaten Netzwerk über den Standort verfügbar sind.",
    "siteResourcesViewAllPublic": "Alle Ressourcen anzeigen",
    "siteResourcesViewAllPrivate": "Alle Ressourcen anzeigen",
-    "siteResourcesDialogDescription": "Überblick über öffentliche und private Ressourcen, die mit dieser Seite verbunden sind.",
+    "siteResourcesDialogDescription": "Überblick über öffentliche und private Ressourcen, die mit diesem Standort verbunden sind.",
    "siteResourcesShowMore": "Mehr anzeigen",
    "siteResourcesPermissionDenied": "Sie haben keine Berechtigung, diese Ressourcen aufzulisten.",
-    "siteResourcesEmptyPublic": "Noch sind keine öffentlichen Ressourcen für diese Seite vorhanden.",
-    "siteResourcesEmptyPrivate": "Noch sind keine privaten Ressourcen mit dieser Seite verbunden.",
+    "siteResourcesEmptyPublic": "Noch sind keine öffentlichen Ressourcen für diesen Standort vorhanden.",
+    "siteResourcesEmptyPrivate": "Noch sind keine privaten Ressourcen mit diesem Standort verbunden.",
    "siteResourcesHowToAccess": "Zugriffsmöglichkeiten",
-    "siteResourcesTargetsOnSite": "Ziele auf dieser Seite",
+    "siteResourcesTargetsOnSite": "Ziele an diesem Standort",
    "siteSetting": "{siteName} Einstellungen",
    "siteNewtTunnel": "Newt Standort (empfohlen)",
    "siteNewtTunnelDescription": "Einfachster Weg, einen Einstiegspunkt in jedes Netzwerk zu erstellen. Keine zusätzliche Einrichtung.",
@@ -148,16 +150,20 @@
    "siteCredentialsSaveDescription": "Du kannst das nur einmal sehen. Stelle sicher, dass du es an einen sicheren Ort kopierst.",
    "siteInfo": "Standortinformationen",
    "status": "Status",
-    "shareTitle": "Links zum Teilen verwalten",
+    "shareTitle": "Freigabelinks verwalten",
    "shareDescription": "Erstelle teilbare Links, um temporären oder permanenten Zugriff auf Proxy-Ressourcen zu gewähren",
-    "shareSearch": "Freigabe-Links suchen...",
-    "shareCreate": "Link erstellen",
+    "shareSearch": "Freigabelinks suchen...",
+    "shareCreate": "Freigabelink erstellen",
    "shareErrorDelete": "Link konnte nicht gelöscht werden",
    "shareErrorDeleteMessage": "Fehler beim Löschen des Links",
    "shareDeleted": "Link gelöscht",
    "shareDeletedDescription": "Der Link wurde gelöscht",
+    "shareDelete": "Freigabelink löschen",
+    "shareDeleteConfirm": "Löschung des Freigabelinks bestätigen",
+    "shareQuestionRemove": "Sind Sie sicher, dass Sie diesen Freigabelink löschen möchten?",
+    "shareMessageRemove": "Nach dem Löschen funktioniert der Link nicht mehr, und jeder, der ihn nutzt, verliert den Zugriff auf die Ressource.",
    "shareTokenDescription": "Das Zugriffstoken kann auf zwei Arten übergeben werden: als Abfrageparameter oder in den Request-Headern. Diese müssen vom Client auf jeder Anfrage für authentifizierten Zugriff weitergegeben werden.",
-    "accessToken": "Zugangs-Token",
+    "accessToken": "Zugriffstoken",
    "usageExamples": "Nutzungsbeispiele",
    "tokenId": "Token-ID",
    "requestHeades": "Anfrage-Header",
@@ -168,12 +174,14 @@
    "shareTokenSecurety": "Bewahren Sie das Zugriffstoken sicher. Teilen Sie es nicht in öffentlich zugänglichen Bereichen oder Client-seitigem Code.",
    "shareErrorFetchResource": "Fehler beim Abrufen der Ressourcen",
    "shareErrorFetchResourceDescription": "Beim Abrufen der Ressourcen ist ein Fehler aufgetreten",
-    "shareErrorCreate": "Fehler beim Erstellen des Teilen-Links",
-    "shareErrorCreateDescription": "Beim Erstellen des Teilen-Links ist ein Fehler aufgetreten",
+    "shareErrorCreate": "Fehler beim Erstellen des Freigabelinks",
+    "shareErrorCreateDescription": "Beim Erstellen des Freigabelinks ist ein Fehler aufgetreten",
    "shareCreateDescription": "Jeder mit diesem Link kann auf die Ressource zugreifen",
    "shareTitleOptional": "Titel (optional)",
-    "expireIn": "Verfällt in",
-    "neverExpire": "Nie ablaufen",
+    "sharePathOptional": "Pfad (optional)",
+    "sharePathDescription": "Der Link leitet Benutzer nach der Authentifizierung zu diesem Pfad weiter.",
+    "expireIn": "Läuft ab in",
+    "neverExpire": "Läuft nie ab",
    "shareExpireDescription": "Ablaufzeit ist, wie lange der Link verwendet werden kann und bietet Zugriff auf die Ressource. Nach dieser Zeit wird der Link nicht mehr funktionieren und Benutzer, die diesen Link benutzt haben, verlieren den Zugriff auf die Ressource.",
    "shareSeeOnce": "Sie können diesen Link nur einmal sehen. Bitte kopieren Sie ihn.",
    "shareAccessHint": "Jeder mit diesem Link kann auf die Ressource zugreifen. Teilen Sie sie mit Vorsicht.",
@@ -182,7 +190,7 @@
    "resourcesNotFound": "Keine Ressourcen gefunden",
    "resourceSearch": "Suche Ressourcen",
    "machineSearch": "Maschinen suchen",
-    "machinesSearch": "Suche Maschinen-Klienten...",
+    "machinesSearch": "Maschinen-Clients suchen",
    "machineNotFound": "Keine Maschinen gefunden",
    "userDeviceSearch": "Benutzergeräte durchsuchen",
    "userDevicesSearch": "Benutzergeräte durchsuchen...",
@@ -195,20 +203,46 @@
    "shareErrorSelectResource": "Bitte wählen Sie eine Ressource",
    "proxyResourceTitle": "Öffentliche Ressourcen verwalten",
    "proxyResourceDescription": "Erstelle und verwalte Ressourcen, die über einen Webbrowser öffentlich zugänglich sind",
-    "proxyResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
-    "proxyResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
+    "publicResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
+    "publicResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS-Proxys, die über einen Webbrowser für jeden im Internet zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextuelle Zugriffsrichtlinien enthalten.",
    "clientResourceTitle": "Private Ressourcen verwalten",
    "clientResourceDescription": "Erstelle und verwalte Ressourcen, die nur über einen verbundenen Client zugänglich sind",
-    "privateResourcesBannerTitle": "Zero-Trust Privater Zugang",
+    "privateResourcesBannerTitle": "Zero-Trust-Zugriff auf private Ressourcen",
    "privateResourcesBannerDescription": "Private Ressourcen nutzen Zero-Trust und stellen sicher, dass Benutzer und Maschinen nur auf Ressourcen zugreifen können, die Sie explizit gewähren. Verbinden Sie Benutzergeräte oder Maschinen-Clients, um auf diese Ressourcen über ein sicheres virtuelles privates Netzwerk zuzugreifen.",
    "resourcesSearch": "Suche Ressourcen...",
    "resourceAdd": "Ressource hinzufügen",
    "resourceErrorDelte": "Fehler beim Löschen der Ressource",
+    "resourcePoliciesBannerTitle": "Authentifizierungs- und Zugriffsregeln wiederverwenden",
+    "resourcePoliciesBannerDescription": "Freigegebene Ressourcenrichtlinien ermöglichen es Ihnen, Authentifizierungsmethoden und Zugriffsregeln einmal zu definieren und sie dann an mehrere öffentliche Ressourcen zu binden. Wenn Sie eine Richtlinie aktualisieren, übernimmt jede verknüpfte Ressource die Änderung automatisch.",
+    "resourcePoliciesBannerButtonText": "Mehr erfahren",
+    "resourcePoliciesTitle": "Öffentliche Ressourcen Richtlinien verwalten",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Ressourcen",
+    "resourcePoliciesAttachedResources": "{count} Ressource(n)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# Ressource} other {# Ressourcen}}",
+    "resourcePoliciesAttachedResourcesEmpty": "keine Ressourcen",
+    "resourcePoliciesDescription": "Erstellen und verwalten Sie Authentifizierungsrichtlinien, um den Zugriff auf Ihre öffentlichen Ressourcen zu steuern",
+    "resourcePoliciesSearch": "Richtlinien suchen...",
+    "resourcePoliciesAdd": "Richtlinie hinzufügen",
+    "resourcePoliciesDefaultBadgeText": "Standardrichtlinie",
+    "resourcePoliciesCreate": "Öffentliche Ressourcen Richtlinie erstellen",
+    "resourcePoliciesCreateDescription": "Befolgen Sie die unten stehenden Schritte, um eine neue Richtlinie zu erstellen",
+    "resourcePolicyName": "Richtlinienname",
+    "resourcePolicyNameDescription": "Geben Sie dieser Richtlinie einen Namen, um sie für Ihre Ressourcen zu identifizieren",
+    "resourcePolicyNamePlaceholder": "z. B. Richtlinie für internen Zugriff",
+    "resourcePoliciesSeeAll": "Alle Richtlinien anzeigen",
+    "resourcePolicyAuthMethodAdd": "Authentifizierungsmethode hinzufügen",
+    "resourcePolicyOtpEmailAdd": "OTP-E-Mails hinzufügen",
+    "resourcePolicyRulesAdd": "Regeln hinzufügen",
+    "resourcePolicyAuthMethodsDescription": "Ermöglichen Sie den Zugriff auf Ressourcen über zusätzliche Authentifizierungsmethoden",
+    "resourcePolicyUsersRolesDescription": "Konfigurieren Sie, welche Benutzer und Rollen diese Ressource besuchen können",
+    "rulesResourcePolicyDescription": "Konfigurieren Sie Regeln, um den Zugang zu den mit dieser Richtlinie verbundenen Ressourcen zu kontrollieren",
    "authentication": "Authentifizierung",
    "protected": "Geschützt",
    "notProtected": "Nicht geschützt",
    "resourceMessageRemove": "Einmal entfernt, wird die Ressource nicht mehr zugänglich sein. Alle mit der Ressource verbundenen Ziele werden ebenfalls entfernt.",
    "resourceQuestionRemove": "Sind Sie sicher, dass Sie die Ressource aus der Organisation entfernen möchten?",
+    "resourcePolicyMessageRemove": "Einmal entfernt, wird die Ressourcenrichtlinie nicht mehr zugänglich sein. Alle mit der Ressource verbundenen Ressourcen werden nicht mehr zugeordnet und bleiben ohne Authentifizierung.",
+    "resourcePolicyQuestionRemove": "Sind Sie sicher, dass Sie die Ressourcenrichtlinie aus der Organisation entfernen möchten?",
    "resourceHTTP": "HTTPS-Ressource",
    "resourceHTTPDescription": "Proxy-Anfragen über HTTPS mit einem voll qualifizierten Domain-Namen.",
    "resourceRaw": "Direkte TCP/UDP Ressource (raw)",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit Portnummer. Benötigt Sites, um sich mit einem entfernten Knoten zu verbinden.",
    "resourceCreate": "Ressource erstellen",
    "resourceCreateDescription": "Folgen Sie den Schritten unten, um eine neue Ressource zu erstellen",
+    "resourceCreateGeneralDescription": "Konfigurieren Sie die Grundeinstellungen der Ressource, einschließlich Name und Typ",
    "resourceSeeAll": "Alle Ressourcen anzeigen",
-    "resourceInfo": "Ressourcen-Informationen",
+    "resourceCreateGeneral": "Allgemein",
    "resourceNameDescription": "Dies ist der Anzeigename für die Ressource.",
    "siteSelect": "Standort auswählen",
    "siteSearch": "Standorte durchsuchen",
@@ -227,12 +262,15 @@
    "noCountryFound": "Kein Land gefunden.",
    "siteSelectionDescription": "Dieser Standort wird die Verbindung zum Ziel herstellen.",
    "resourceType": "Ressourcentyp",
-    "resourceTypeDescription": "Legen Sie fest, wie Sie auf die Ressource zugreifen",
+    "resourceTypeDescription": "Dies steuert das Ressourcenprotokoll und wie es im Browser gerendert wird. Dies kann später nicht geändert werden.",
+    "resourceDomainDescription": "Die Ressource wird unter diesem vollständig qualifizierten Domainnamen bereitgestellt.",
    "resourceHTTPSSettings": "HTTPS-Einstellungen",
    "resourceHTTPSSettingsDescription": "Konfigurieren Sie den Zugriff auf die Ressource über HTTPS",
+    "resourcePortDescription": "Der externe Port auf der Pangolin-Instanz oder dem Knoten, an dem die Ressource zugänglich ist.",
    "domainType": "Domain-Typ",
    "subdomain": "Subdomain",
    "baseDomain": "Basis-Domain",
+    "configure": "Konfiguration",
    "subdomnainDescription": "Die Subdomäne, auf die die Ressource zugegriffen werden soll.",
    "resourceRawSettings": "TCP/UDP Einstellungen",
    "resourceRawSettingsDescription": "Konfigurieren, wie auf die Ressource über TCP/UDP zugegriffen wird",
@@ -243,14 +281,35 @@
    "back": "Zurück",
    "cancel": "Abbrechen",
    "resourceConfig": "Konfiguration Snippets",
-    "resourceConfigDescription": "Kopieren und fügen Sie diese Konfigurations-Snippets ein, um die TCP/UDP Ressource einzurichten",
+    "resourceConfigDescription": "Kopieren und fügen Sie diese Konfigurationsschnipsel ein, um die TCP/UDP-Ressource einzurichten.",
    "resourceAddEntrypoints": "Traefik: Einstiegspunkte hinzufügen",
    "resourceExposePorts": "Gerbil: Ports im Docker Compose freigeben",
    "resourceLearnRaw": "Lernen Sie, wie Sie TCP/UDP Ressourcen konfigurieren",
    "resourceBack": "Zurück zu den Ressourcen",
    "resourceGoTo": "Zu Ressource gehen",
+    "resourcePolicyDelete": "Ressourcenrichtlinie löschen",
+    "resourcePolicyDeleteConfirm": "Löschen der Ressourcenrichtlinie bestätigen",
    "resourceDelete": "Ressource löschen",
    "resourceDeleteConfirm": "Ressource löschen bestätigen",
+    "labelDelete": "Etikett löschen",
+    "labelAdd": "Etikett hinzufügen",
+    "labelCreateSuccessMessage": "Etikett erfolgreich erstellt",
+    "labelDuplicateError": "Doppeltes Label",
+    "labelDuplicateErrorDescription": "Ein Label mit diesem Namen existiert bereits.",
+    "labelEditSuccessMessage": "Etikett erfolgreich bearbeitet",
+    "labelNameField": "Etikettenname",
+    "labelColorField": "Etikettenfarbe",
+    "labelPlaceholder": "Beispiel: Heimlabor",
+    "labelCreate": "Etikett erstellen",
+    "createLabelDialogTitle": "Etikett erstellen",
+    "createLabelDialogDescription": "Erstellen Sie ein neues Etikett, das dieser Organisation zugeordnet werden kann",
+    "labelEdit": "Etikett bearbeiten",
+    "editLabelDialogTitle": "Etikett aktualisieren",
+    "editLabelDialogDescription": "Bearbeiten Sie ein neues Etikett, das dieser Organisation zugeordnet werden kann",
+    "labelDeleteConfirm": "Löschen des Etiketts bestätigen",
+    "labelErrorDelete": "Etikett konnte nicht gelöscht werden",
+    "labelMessageRemove": "Diese Aktion ist dauerhaft. Alle Standorte, Ressourcen und Clients, die mit diesem Etikett versehen sind, werden nicht mehr zugeordnet.",
+    "labelQuestionRemove": "Sind Sie sicher, dass Sie das Etikett aus der Organisation entfernen möchten?",
    "visibility": "Sichtbarkeit",
    "enabled": "Aktiviert",
    "disabled": "Deaktiviert",
@@ -261,7 +320,9 @@
    "rules": "Regeln",
    "resourceSettingDescription": "Einstellungen für die Ressource konfigurieren",
    "resourceSetting": "{resourceName} Einstellungen",
-    "alwaysAllow": "Auth umgehen",
+    "resourcePolicySettingDescription": "Richten Sie die Einstellungen für diese öffentliche Ressourcenrichtlinie ein",
+    "resourcePolicySetting": "{policyName} Einstellungen",
+    "alwaysAllow": "Authentifizierung umgehen",
    "alwaysDeny": "Zugriff blockieren",
    "passToAuth": "Weiterleiten zur Authentifizierung",
    "orgSettingsDescription": "Organisationseinstellungen konfigurieren",
@@ -270,7 +331,7 @@
    "saveGeneralSettings": "Allgemeine Einstellungen speichern",
    "saveSettings": "Einstellungen speichern",
    "orgDangerZone": "Gefahrenzone",
-    "orgDangerZoneDescription": "Sobald Sie diesen Org löschen, gibt es kein Zurück mehr. Bitte seien Sie vorsichtig.",
+    "orgDangerZoneDescription": "Sobald Sie diese Organisation löschen, gibt es kein Zurück mehr. Bitte seien Sie vorsichtig.",
    "orgDelete": "Organisation löschen",
    "orgDeleteConfirm": "Organisation löschen bestätigen",
    "orgMessageRemove": "Diese Aktion ist unwiderruflich und löscht alle zugehörigen Daten.",
@@ -319,7 +380,7 @@
    "accessApprovalsManage": "Genehmigungen verwalten",
    "accessApprovalsDescription": "Zeige und verwalte ausstehende Genehmigungen für den Zugriff auf diese Organisation",
    "description": "Beschreibung",
-    "inviteTitle": "Einladungen öffnen",
+    "inviteTitle": "Offene Einladungen",
    "inviteDescription": "Einladungen für andere Benutzer verwalten, der Organisation beizutreten",
    "inviteSearch": "Einladungen suchen...",
    "minutes": "Minuten",
@@ -366,12 +427,12 @@
    "apiKeysDescription": "API-Schlüssel werden zur Authentifizierung mit der Integrations-API verwendet",
    "provisioningKeysTitle": "Bereitstellungsschlüssel",
    "provisioningKeysManage": "Bereitstellungsschlüssel verwalten",
-    "provisioningKeysDescription": "Bereitstellungsschlüssel werden verwendet, um die automatisierte Bereitstellung von Seiten für Ihr Unternehmen zu authentifizieren.",
+    "provisioningKeysDescription": "Bereitstellungsschlüssel werden verwendet, um die automatisierte Bereitstellung von Standorten für Ihr Unternehmen zu authentifizieren.",
    "provisioningManage": "Bereitstellung",
-    "provisioningDescription": "Bereitstellungsschlüssel verwalten und ausstehende Seiten prüfen, die noch auf Genehmigung warten.",
-    "pendingSites": "Ausstehende Seiten",
-    "siteApproveSuccess": "Site erfolgreich freigegeben",
-    "siteApproveError": "Fehler beim Bestätigen der Seite",
+    "provisioningDescription": "Bereitstellungsschlüssel verwalten und ausstehende Standorte prüfen, die noch auf Genehmigung warten.",
+    "pendingSites": "Ausstehende Standorte",
+    "siteApproveSuccess": "Standort erfolgreich freigegeben",
+    "siteApproveError": "Fehler beim Genehmigen des Standorts",
    "provisioningKeys": "Bereitstellungsschlüssel",
    "searchProvisioningKeys": "Bereitstellungsschlüssel suchen...",
    "provisioningKeysAdd": "Bereitstellungsschlüssel generieren",
@@ -401,7 +462,7 @@
    "provisioningKeysNeverUsed": "Nie",
    "provisioningKeysEdit": "Bereitstellungsschlüssel bearbeiten",
    "provisioningKeysEditDescription": "Aktualisieren Sie die maximale Batch-Größe und Ablaufzeit für diesen Schlüssel.",
-    "provisioningKeysApproveNewSites": "Neue Seiten genehmigen",
+    "provisioningKeysApproveNewSites": "Neuen Standort genehmigen",
    "provisioningKeysApproveNewSitesDescription": "Sites, die sich mit diesem Schlüssel registrieren, automatisch freigeben.",
    "provisioningKeysUpdateError": "Fehler beim Aktualisieren des Bereitstellungsschlüssels",
    "provisioningKeysUpdated": "Bereitstellungsschlüssel aktualisiert",
@@ -409,8 +470,8 @@
    "provisioningKeysBannerTitle": "Website-Bereitstellungsschlüssel",
    "provisioningKeysBannerDescription": "Generieren Sie einen Bereitstellungsschlüssel und verwenden Sie ihn mit dem Newt-Connector, um Standorte beim ersten Start automatisch zu erstellen - keine Notwendigkeit, separate Anmeldedaten für jede Seite einzurichten.",
    "provisioningKeysBannerButtonText": "Mehr erfahren",
-    "pendingSitesBannerTitle": "Ausstehende Seiten",
-    "pendingSitesBannerDescription": "Websites, die mit einem Bereitstellungsschlüssel verbunden sind, erscheinen hier zur Überprüfung.",
+    "pendingSitesBannerTitle": "Ausstehende Standorte",
+    "pendingSitesBannerDescription": "Standorte, die mit einem Bereitstellungsschlüssel verbunden sind, erscheinen hier zur Überprüfung.",
    "pendingSitesBannerButtonText": "Mehr erfahren",
    "apiKeysSettings": "{apiKeyName} Einstellungen",
    "userTitle": "Alle Benutzer verwalten",
@@ -457,7 +518,7 @@
    "licenseActivateKeyDescription": "Geben Sie einen Lizenzschlüssel ein, um ihn zu aktivieren.",
    "licenseActivate": "Lizenz aktivieren",
    "licenseAgreement": "Durch Ankreuzung dieses Kästchens bestätigen Sie, dass Sie die Lizenzbedingungen gelesen und akzeptiert haben, die mit dem Lizenzschlüssel in Verbindung stehen.",
-    "fossorialLicense": "Fossorial Gewerbelizenz & Abonnementbedingungen anzeigen",
+    "fossorialLicense": "Kommerzielle Fossorial-Lizenz und Abonnementbedingungen anzeigen",
    "licenseMessageRemove": "Dadurch werden der Lizenzschlüssel und alle zugehörigen Berechtigungen entfernt.",
    "licenseMessageConfirm": "Um zu bestätigen, geben Sie bitte den Lizenzschlüssel unten ein.",
    "licenseQuestionRemove": "Sind Sie sicher, dass Sie den Lizenzschlüssel löschen möchten?",
@@ -477,7 +538,7 @@
    "licensePurchaseSites": "Zusätzliche Standorte kaufen\n",
    "licenseSitesUsedMax": "{usedSites} von {maxSites} Standorten verwendet",
    "licenseSitesUsed": "{count, plural, =0 {# Standorte} one {# Standort} other {# Standorte}} im System.",
-    "licensePurchaseDescription": "Wähle aus, für wieviele Seiten du möchtest {selectedMode, select, license {kaufe eine Lizenz. Du kannst später immer weitere Seiten hinzufügen.} other {Füge zu deiner bestehenden Lizenz hinzu.}}",
+    "licensePurchaseDescription": "Wähle aus, für wie viele Standorte du möchtest {selectedMode, select, license {kaufe eine Lizenz. Du kannst später immer weitere Standorte hinzufügen.} other {Füge zu deiner bestehenden Lizenz hinzu.}}",
    "licenseFee": "Lizenzgebühr",
    "licensePriceSite": "Preis pro Standort",
    "total": "Gesamt",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Nach dem Entfernen hat dieser Benutzer keinen Zugriff mehr auf die Organisation. Sie können ihn später jederzeit wieder einladen, aber er muss die Einladung erneut annehmen.",
    "userRemoveOrgConfirm": "Entfernen des Benutzers bestätigen",
    "userRemoveOrg": "Benutzer aus der Organisation entfernen",
+    "userQuestionOrgRemoveSelf": "Sind Sie sicher, dass Sie sich aus dieser Organisation entfernen möchten?",
+    "userMessageOrgRemoveSelf": "Sie verlieren sofort den Zugriff. Ein Administrator kann Sie später erneut einladen, aber Sie müssen eine neue Einladung annehmen.",
+    "userRemoveOrgConfirmSelf": "Entfernung bestätigen",
+    "userRemoveOrgSelf": "Sich selbst aus der Organisation entfernen",
+    "userRemoveOrgSelfWarning": "Sie verlieren sofort den Zugriff auf diese Organisation.",
+    "userRemoveOrgConfirmPhraseSelf": "MICH SELBST AUS DER ORGANISATION ENTFERNEN",
    "users": "Benutzer",
    "accessRoleMember": "Mitglied",
    "accessRoleOwner": "Eigentümer",
@@ -531,6 +598,11 @@
    "emailInvalid": "Ungültige E-Mail-Adresse",
    "inviteValidityDuration": "Bitte wählen Sie eine Dauer",
    "accessRoleSelectPlease": "Bitte wählen Sie eine Rolle",
+    "removeOwnAdminRoleConfirmTitle": "Möchten Sie Ihren Administratorzugriff entfernen?",
+    "removeOwnAdminRoleConfirmDescription": "Nach dem Speichern haben Sie keine Administratorrechte mehr in dieser Organisation. Ein anderer Administrator kann den Zugriff bei Bedarf wiederherstellen.",
+    "removeOwnAdminRoleConfirmButton": "Meinen Administratorzugriff entfernen",
+    "removeOwnAdminRoleConfirmPhrase": "NIMM MEINEN ADMIN-ZUGRIFF WEG",
+    "ownerMustRetainAdminRole": "Der Organisationsinhaber muss mindestens eine Administratorrolle behalten.",
    "usernameRequired": "Benutzername ist erforderlich",
    "idpSelectPlease": "Bitte wählen Sie einen Identitätsanbieter",
    "idpGenericOidc": "Generischer OAuth2/OIDC-Anbieter.",
@@ -615,7 +687,7 @@
    "createdAt": "Erstellt am",
    "proxyErrorInvalidHeader": "Ungültiger benutzerdefinierter Host-Header-Wert. Verwenden Sie das Domain-Namensformat oder speichern Sie leer, um den benutzerdefinierten Host-Header zu deaktivieren.",
    "proxyErrorTls": "Ungültiger TLS-Servername. Verwenden Sie das Domain-Namensformat oder speichern Sie leer, um den TLS-Servernamen zu entfernen.",
-    "proxyEnableSSL": "SSL aktivieren",
+    "proxyEnableSSL": "TLS aktivieren",
    "proxyEnableSSLDescription": "Aktiviere SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zu den Zielen.",
    "target": "Ziel",
    "configureTarget": "Ziele konfigurieren",
@@ -656,8 +728,9 @@
    "targetSubmit": "Ziel hinzufügen",
    "targetNoOne": "Diese Ressource hat keine Ziele. Fügen Sie ein Ziel hinzu, um zu konfigurieren, wo Anfragen an das Backend gesendet werden sollen.",
    "targetNoOneDescription": "Das Hinzufügen von mehr als einem Ziel aktiviert den Lastausgleich.",
-    "targetsSubmit": "Ziele speichern",
+    "targetsSubmit": "Einstellungen speichern",
    "addTarget": "Ziel hinzufügen",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round-Robin-Routing funktioniert nicht zwischen Standorten, die nicht mit demselben Knoten verbunden sind, aber Failover funktioniert.",
    "targetErrorInvalidIp": "Ungültige IP-Adresse",
    "targetErrorInvalidIpDescription": "Bitte geben Sie eine gültige IP-Adresse oder einen Hostnamen ein",
    "targetErrorInvalidPort": "Ungültiger Port",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Doppelte Regel",
    "rulesErrorDuplicateDescription": "Eine Regel mit diesen Einstellungen existiert bereits",
    "rulesErrorInvalidIpAddressRange": "Ungültiger CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Bitte geben Sie einen gültigen CIDR-Wert ein",
-    "rulesErrorInvalidUrl": "Ungültiger URL-Pfad",
-    "rulesErrorInvalidUrlDescription": "Bitte geben Sie einen gültigen URL-Pfad-Wert ein",
-    "rulesErrorInvalidIpAddress": "Ungültige IP",
-    "rulesErrorInvalidIpAddressDescription": "Bitte geben Sie eine gültige IP-Adresse ein",
+    "rulesErrorInvalidIpAddressRangeDescription": "Geben Sie einen gültigen CIDR-Bereich ein (z.B., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Ungültiger Pfad",
+    "rulesErrorInvalidUrlDescription": "Geben Sie einen gültigen URL-Pfad oder ein gültiges Muster ein (z.B., /api/*).",
+    "rulesErrorInvalidIpAddress": "Ungültige IP-Adresse",
+    "rulesErrorInvalidIpAddressDescription": "Geben Sie eine gültige IPv4 oder IPv6 Adresse ein.",
    "rulesErrorUpdate": "Fehler beim Aktualisieren der Regeln",
    "rulesErrorUpdateDescription": "Beim Aktualisieren der Regeln ist ein Fehler aufgetreten",
    "rulesUpdated": "Regeln aktivieren",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "Geben Sie eine IP-Adresse ein (z.B. 103.21.244.12)",
    "rulesMatchUrl": "Geben Sie einen URL-Pfad oder -Muster ein (z.B. /api/v1/todos oder /api/v1/*)",
    "rulesErrorInvalidPriority": "Ungültige Priorität",
-    "rulesErrorInvalidPriorityDescription": "Bitte geben Sie eine gültige Priorität ein",
+    "rulesErrorInvalidPriorityDescription": "Geben Sie eine ganze Zahl von 1 oder höher ein.",
    "rulesErrorDuplicatePriority": "Doppelte Prioritäten",
-    "rulesErrorDuplicatePriorityDescription": "Bitte geben Sie eindeutige Prioritäten ein",
+    "rulesErrorDuplicatePriorityDescription": "Jede Regel muss eine eindeutige Prioritätsnummer haben.",
+    "rulesErrorValidation": "Ungültige Regeln",
+    "rulesErrorValidationRuleDescription": "Regel {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Wählen Sie einen gültigen Vergleichstyp (Pfad, IP, CIDR, Land, Region oder ASN).",
+    "rulesErrorValueRequired": "Geben Sie einen Wert für diese Regel ein.",
+    "rulesErrorInvalidCountry": "Ungültiges Land",
+    "rulesErrorInvalidCountryDescription": "Wählen Sie ein gültiges Land aus.",
+    "rulesErrorInvalidAsn": "Ungültiges ASN",
+    "rulesErrorInvalidAsnDescription": "Geben Sie ein gültiges ASN ein (z.B., AS15169).",
    "ruleUpdated": "Regeln aktualisiert",
    "ruleUpdatedDescription": "Regeln erfolgreich aktualisiert",
    "ruleErrorUpdate": "Operation fehlgeschlagen",
    "ruleErrorUpdateDescription": "Während des Speichervorgangs ist ein Fehler aufgetreten",
    "rulesPriority": "Priorität",
+    "rulesReorderDragHandle": "Ziehen, um die Regelpriorität neu zu ordnen",
    "rulesAction": "Aktion",
    "rulesMatchType": "Übereinstimmungstyp",
    "value": "Wert",
@@ -728,9 +810,60 @@
    "rulesResource": "Ressourcen-Regelkonfiguration",
    "rulesResourceDescription": "Regeln konfigurieren, um den Zugriff auf die Ressource zu steuern",
    "ruleSubmit": "Regel hinzufügen",
-    "rulesNoOne": "Keine Regeln. Fügen Sie eine Regel über das Formular hinzu.",
+    "rulesNoOne": "Noch keine Regeln vorhanden.",
    "rulesOrder": "Regeln werden nach aufsteigender Priorität ausgewertet.",
    "rulesSubmit": "Regeln speichern",
+    "policyErrorCreate": "Fehler beim Erstellen der Richtlinie",
+    "policyErrorCreateDescription": "Beim Erstellen der Richtlinie ist ein Fehler aufgetreten",
+    "policyErrorCreateMessageDescription": "Ein unerwarteter Fehler ist aufgetreten",
+    "policyErrorUpdate": "Fehler beim Aktualisieren der Richtlinie",
+    "policyErrorUpdateDescription": "Beim Aktualisieren der Richtlinie ist ein Fehler aufgetreten",
+    "policyErrorUpdateMessageDescription": "Ein unerwarteter Fehler ist aufgetreten",
+    "policyCreatedSuccess": "Ressourcenrichtlinie erfolgreich erstellt",
+    "policyUpdatedSuccess": "Ressourcenrichtlinie erfolgreich aktualisiert",
+    "authMethodsSave": "Einstellungen speichern",
+    "policyAuthStackTitle": "Authentifizierung",
+    "policyAuthStackDescription": "Kontrollieren Sie, welche Authentifizierungsmethoden erforderlich sind, um auf diese Ressource zuzugreifen",
+    "policyAuthOrLogicTitle": "Mehrere Authentifizierungsmethoden aktiv",
+    "policyAuthOrLogicBanner": "Besucher können sich mit einer der unten aktiven Methoden authentifizieren. Sie müssen nicht alle abschließen.",
+    "policyAuthMethodActive": "Aktiv",
+    "policyAuthMethodOff": "Aus",
+    "policyAuthSsoTitle": "Plattform SSO",
+    "policyAuthSsoDescription": "Anmeldung über den Identitätsanbieter Ihrer Organisation erforderlich",
+    "policyAuthSsoSummary": "{idp} · {users} Benutzer, {roles} Rollen",
+    "policyAuthSsoDefaultIdp": "Standardanbieter",
+    "policyAuthAddDefaultIdentityProvider": "Standardidentitätsanbieter hinzufügen",
+    "policyAuthOtherMethodsTitle": "Andere Methoden",
+    "policyAuthOtherMethodsDescription": "Optionale Methoden, die Besucher anstelle von oder zusammen mit Plattform-SSO verwenden können",
+    "policyAuthPasscodeTitle": "Passwort",
+    "policyAuthPasscodeDescription": "Erfordere einen geteilten alphanumerischen Passcode für den Zugriff auf die Ressource",
+    "policyAuthPasscodeSummary": "Passcode festgelegt",
+    "policyAuthPincodeTitle": "PIN-Code",
+    "policyAuthPincodeDescription": "Ein kurzer numerischer Code, der erforderlich ist, um auf die Ressource zuzugreifen",
+    "policyAuthPincodeSummary": "6-stelliger PIN festgelegt",
+    "policyAuthEmailTitle": "E-Mail-Whitelist",
+    "policyAuthEmailDescription": "Erlaubte E-Mail-Adressen mit Einmalpasswörtern",
+    "policyAuthEmailSummary": "{count} Adressen erlaubt",
+    "policyAuthEmailOtpCallout": "Durch Aktivieren der E-Mail-Whitelist wird beim Einloggen ein Einmalpasswort an die E-Mail des Besuchers gesendet.",
+    "policyAuthHeaderAuthTitle": "Grundlegende Header-Authentifizierung",
+    "policyAuthHeaderAuthDescription": "Überprüfen Sie einen benutzerdefinierten HTTP-Headernamen und -wert bei jeder Anfrage",
+    "policyAuthHeaderAuthSummary": "Header konfiguriert",
+    "policyAuthHeaderName": "Header-Name",
+    "policyAuthHeaderValue": "Erwarteter Wert",
+    "policyAuthSetPasscode": "Passcode setzen",
+    "policyAuthSetPincode": "PIN-Code festlegen",
+    "policyAuthSetEmailWhitelist": "E-Mail-Whitelist festlegen",
+    "policyAuthSetHeaderAuth": "Grundlegende Header-Authentifizierung festlegen",
+    "policyAccessRulesTitle": "Zugriffsregeln",
+    "policyAccessRulesEnableDescription": "Bei Aktivierung werden die Regeln in absteigender Reihenfolge ausgewertet, bis eine als wahr ausgewertet wird.",
+    "policyAccessRulesFirstMatch": "Regeln werden von oben nach unten ausgewertet. Die erste übereinstimmende Regel bestimmt das Ergebnis.",
+    "policyAccessRulesHowItWorks": "Regeln vergleichen Anfragen nach Pfad, IP-Adresse, Standort oder anderen Kriterien. Jede Regel wendet eine Aktion an: Authentifizierung umgehen, Zugriff blockieren oder zur Authentifizierung weiterleiten. Wenn keine Regel zutrifft, wird der Verkehr zur Authentifizierung weitergeleitet.",
+    "policyAccessRulesFallthroughOff": "Wenn Regeln deaktiviert sind, wird der gesamte Verkehr zur Authentifizierung weitergeleitet.",
+    "policyAccessRulesFallthroughOn": "Wenn keine Regel übereinstimmt, wird der Verkehr zur Authentifizierung weitergeleitet.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Regeln speichern",
    "resourceErrorCreate": "Fehler beim Erstellen der Ressource",
    "resourceErrorCreateDescription": "Beim Erstellen der Ressource ist ein Fehler aufgetreten",
    "resourceErrorCreateMessage": "Fehler beim Erstellen der Ressource:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Beim Aktualisieren der Ressource ist ein Fehler aufgetreten",
    "access": "Zugriff",
    "accessControl": "Zugriffskontrolle",
-    "shareLink": "{resource} Freigabe-Link",
+    "shareLink": "{resource} Freigabelink",
    "resourceSelect": "Ressource auswählen",
-    "shareLinks": "Freigabe-Links",
+    "shareLinks": "Teilbare Links",
    "share": "Teilbare Links",
    "shareDescription2": "Erstellen Sie teilbare Links zu Ressourcen. Links bieten temporären oder unbegrenzten Zugriff auf Ihre Ressource. Sie können die Verfallsdauer des Links beim Erstellen eines Links festlegen.",
    "shareEasyCreate": "Einfach zu erstellen und zu teilen",
@@ -794,6 +927,17 @@
    "pincodeAdd": "PIN-Code hinzufügen",
    "pincodeRemove": "PIN-Code entfernen",
    "resourceAuthMethods": "Authentifizierungsmethoden",
+    "resourcePolicyAuthMethodsEmpty": "Keine Authentifizierungsmethode",
+    "resourcePolicyOtpEmpty": "Kein Einmal-Passwort",
+    "resourcePolicyReadOnly": "Diese Richtlinie ist nur lesbar",
+    "resourcePolicyReadOnlyDescription": "Diese Ressourcenrichtlinie wird über mehrere Ressourcen geteilt, Sie können sie auf dieser Seite nicht bearbeiten.",
+    "editSharedPolicy": "Geteilte Richtlinie bearbeiten",
+    "resourcePolicyTypeSave": "Ressourcentyp speichern",
+    "resourcePolicySelect": "Ressourcenrichtlinie auswählen",
+    "resourcePolicySelectError": "Wählen Sie eine Ressourcenrichtlinie aus",
+    "resourcePolicyNotFound": "Richtlinie nicht gefunden",
+    "resourcePolicySearch": "Richtlinien suchen",
+    "resourcePolicyRulesEmpty": "Keine Authentifizierungsregeln",
    "resourceAuthMethodsDescriptions": "Ermöglichen Sie den Zugriff auf die Ressource über zusätzliche Authentifizierungsmethoden",
    "resourceAuthSettingsSave": "Erfolgreich gespeichert",
    "resourceAuthSettingsSaveDescription": "Authentifizierungseinstellungen wurden gespeichert",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "PIN-Code festlegen",
    "resourcePincodeSetupTitleDescription": "Legen Sie einen PIN-Code fest, um diese Ressource zu schützen",
    "resourceRoleDescription": "Administratoren haben immer Zugriff auf diese Ressource.",
+    "resourcePolicySelectTitle": "Zugriffsrichtlinie für Ressourcen",
+    "resourcePolicySelectDescription": "Wählen Sie den Ressourcentransfertyp für die Authentifizierung",
+    "resourcePolicyTypeLabel": "Richtlinientyp",
+    "resourcePolicyLabel": "Ressourcenrichtlinie",
+    "resourcePolicyInline": "Inline-Ressourcenrichtlinie",
+    "resourcePolicyInlineDescription": "Zugriffsrichtlinie nur für diese Ressource",
+    "resourcePolicyShared": "Geteilte Ressourcenrichtlinie",
+    "resourcePolicySharedDescription": "Diese Ressource verwendet eine gemeinsame Richtlinie.",
+    "sharedPolicy": "Gemeinsame Richtlinie",
+    "sharedPolicyNoneDescription": "Diese Ressource hat ihre eigene Richtlinie.",
+    "resourceSharedPolicyOwnDescription": "Diese Ressource hat eigene Authentifizierungs- und Zugriffsregel-Kontrollen.",
+    "resourceSharedPolicyInheritedDescription": "Diese Ressource erbt von <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Diese Ressource verwendet eine geteilte Richtlinie. Einige Authentifizierungseinstellungen können in dieser Ressource bearbeitet werden, um zur Richtlinie beizutragen. Um die zugrunde liegende Richtlinie zu ändern, müssen Sie zu <policyLink>{policyName}</policyLink> wechseln.",
+    "resourceSharedPolicyRulesNotice": "Diese Ressource verwendet eine gemeinsame Richtlinie. Einige Zugriffsregeln können in dieser Ressource bearbeitet werden. Um die zugrunde liegende Richtlinie zu ändern, müssen Sie <policyLink>{policyName}</policyLink> bearbeiten.",
    "resourceUsersRoles": "Zugriffskontrolle",
    "resourceUsersRolesDescription": "Konfigurieren Sie, welche Benutzer und Rollen diese Ressource besuchen können",
    "resourceUsersRolesSubmit": "Zugriffskontrollen speichern",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Sichtbarkeit",
    "resourceVisibilityTitleDescription": "Ressourcensichtbarkeit vollständig aktivieren oder deaktivieren",
    "resourceGeneral": "Allgemeine Einstellungen",
-    "resourceGeneralDescription": "Konfigurieren Sie die allgemeinen Einstellungen für diese Ressource",
+    "resourceGeneralDescription": "Konfigurieren Sie Name, Adresse und Zugriffsrichtlinie für diese Ressource.",
+    "resourceGeneralDetailsSubsection": "Ressourcendetails",
+    "resourceGeneralDetailsSubsectionDescription": "Legen Sie den Anzeigenamen, die Kennung und die öffentlich zugängliche Domain für diese Ressource fest.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Legen Sie den Anzeigenamen, die Kennung und den öffentlichen Port für diese Ressource fest.",
+    "resourceGeneralPublicAddressSubsection": "Öffentliche Adresse",
+    "resourceGeneralPublicAddressSubsectionDescription": "Bestimmen Sie, wie Benutzer diese Ressource erreichen.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentifizierung und Zugriff",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Wählen Sie, ob diese Ressource ihre eigene Richtlinie verwendet oder von einer gemeinsamen Richtlinie erbt.",
    "resourceEnable": "Ressource aktivieren",
    "resourceTransfer": "Ressource übertragen",
    "resourceTransferDescription": "Diese Ressource auf einen anderen Standort übertragen",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Es gab ein Problem bei der Verbindung zu {name}. Bitte kontaktieren Sie Ihren Administrator.",
    "idpErrorNotFound": "IdP nicht gefunden",
    "inviteInvalid": "Ungültige Einladung",
+    "labels": "Etiketten",
+    "orgLabelsDescription": "Etiketten in dieser Organisation verwalten.",
+    "addLabels": "Etiketten hinzufügen",
+    "siteLabelsTab": "Etiketten",
+    "siteLabelsDescription": "Verwalten Sie die mit diesem Standort verbundenen Etiketten.",
+    "labelsNotFound": "Keine Kennzeichnungen gefunden.",
+    "labelsEmptyCreateHint": "Beginnen Sie oben zu tippen, um ein Label zu erstellen.",
+    "labelSearch": "Etiketten suchen",
+    "labelSearchOrCreate": "Suchen oder erstellen Sie ein Label",
+    "accessLabelFilterCount": "{count, plural, one {# Etikett} other {# Etiketten}}",
+    "labelOverflowCount": "+{count, plural, one {# Etikett} other {# Etiketten}}",
+    "accessLabelFilterClear": "Etikettenfilter löschen",
+    "accessFilterClear": "Filter löschen",
+    "selectColor": "Farbe auswählen",
+    "createNewLabel": "Neues Org-Etikett \"{label}\" erstellen",
    "inviteInvalidDescription": "Der Einladungslink ist ungültig.",
    "inviteErrorWrongUser": "Einladung ist nicht für diesen Benutzer",
    "inviteErrorUserNotExists": "Benutzer existiert nicht. Bitte erstelle zuerst ein Konto.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Ressourcen",
    "sidebarProxyResources": "Öffentlich",
    "sidebarClientResources": "Privat",
+    "sidebarPolicies": "Gemeinsame Richtlinien",
+    "sidebarResourcePolicies": "Öffentliche Ressourcen",
    "sidebarAccessControl": "Zugriffskontrolle",
    "sidebarLogsAndAnalytics": "Protokolle & Analysen",
    "sidebarTeam": "Team",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Einladungen",
    "sidebarRoles": "Rollen",
-    "sidebarShareableLinks": "Links",
+    "sidebarShareableLinks": "Teilbare Links",
    "sidebarApiKeys": "API-Schlüssel",
    "sidebarProvisioning": "Bereitstellung",
    "sidebarSettings": "Einstellungen",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Standort {id}",
    "standaloneHcFilterResourceIdFallback": "Ressource {id}",
    "blueprints": "Blaupausen",
-    "blueprintsDescription": "Deklarative Konfigurationen anwenden und vorherige Abläufe anzeigen",
+    "blueprintsLog": "Blaupausen-Protokoll",
+    "blueprintsDescription": "Betrachten Sie vergangene Blueprint-Anwendungen und deren Ergebnisse oder wenden Sie einen neuen Blueprint an",
    "blueprintAdd": "Blueprint hinzufügen",
    "blueprintGoBack": "Alle Blueprints ansehen",
    "blueprintCreate": "Blueprint erstellen",
@@ -1559,7 +1742,17 @@
    "contents": "Inhalt",
    "parsedContents": "Analysierte Inhalte (Nur lesen)",
    "enableDockerSocket": "Docker Blueprint aktivieren",
-    "enableDockerSocketDescription": "Aktiviere Docker-Socket-Label-Scraping für Blueprintbeschriftungen. Der Socket-Pfad muss neu angegeben werden.",
+    "enableDockerSocketDescription": "Aktiviere Docker-Socket-Label-Scraping für Blueprint-Etiketten. Der Socket-Pfad muss dem Site-Connector angegeben werden. Lesen Sie, wie dies in <docsLink>der Dokumentation</docsLink> funktioniert.",
+    "newtAutoUpdate": "Standort-Auto-Update aktivieren",
+    "newtAutoUpdateDescription": "Wenn aktiviert, werden die Seiten-Connectoren automatisch die neueste Version herunterladen und sich selbst neu starten. Dies kann für jede Seite überschrieben werden.",
+    "siteAutoUpdate": "Standort-Auto-Update",
+    "siteAutoUpdateLabel": "Autoupdate aktivieren",
+    "siteAutoUpdateDescription": "Wenn aktiviert, wird der Seiten-Connector automatisch die neueste Version herunterladen und sich selbst neu starten.",
+    "siteAutoUpdateOrgDefault": "Standard der Organisation: {state}",
+    "siteAutoUpdateOverriding": "Organisations-Einstellung überschreiben",
+    "siteAutoUpdateResetToOrg": "Auf Standard der Organisation zurücksetzen",
+    "siteAutoUpdateEnabled": "aktiviert",
+    "siteAutoUpdateDisabled": "deaktiviert",
    "viewDockerContainers": "Docker Container anzeigen",
    "containersIn": "Container in {siteName}",
    "selectContainerDescription": "Wählen Sie einen Container, der als Hostname für dieses Ziel verwendet werden soll. Klicken Sie auf einen Port, um einen Port zu verwenden.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Zertifikat",
    "certificateStatusAutoRefreshHint": "Der Status wird automatisch aktualisiert.",
    "loading": "Laden",
+    "loadingEllipsis": "Laden...",
    "loadingAnalytics": "Analytik wird geladen",
    "restart": "Neustart",
    "domains": "Domänen",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Kontoeinrichtung abgeschlossen! Willkommen bei Pangolin!",
    "documentation": "Dokumentation",
    "saveAllSettings": "Alle Einstellungen speichern",
-    "saveResourceTargets": "Ziele speichern",
-    "saveResourceHttp": "Proxy-Einstellungen speichern",
-    "saveProxyProtocol": "Proxy-Protokolleinstellungen speichern",
+    "saveResourceTargets": "Einstellungen speichern",
+    "saveResourceHttp": "Einstellungen speichern",
+    "saveProxyProtocol": "Einstellungen speichern",
    "settingsUpdated": "Einstellungen aktualisiert",
    "settingsUpdatedDescription": "Einstellungen erfolgreich aktualisiert",
    "settingsErrorUpdate": "Einstellungen konnten nicht aktualisiert werden",
@@ -1695,11 +1889,11 @@
    "regionSelectorComingSoon": "Kommt bald",
    "billingLoadingSubscription": "Abonnement wird geladen...",
    "billingFreeTier": "Kostenlose Stufe",
-    "billingWarningOverLimit": "Warnung: Sie haben ein oder mehrere Nutzungslimits überschritten. Ihre Webseiten werden nicht verbunden, bis Sie Ihr Abonnement ändern oder Ihren Verbrauch anpassen.",
+    "billingWarningOverLimit": "Warnung: Sie haben ein oder mehrere Nutzungslimits überschritten. Ihre Standorte werden nicht verbunden, bis Sie Ihr Abonnement ändern oder Ihren Verbrauch anpassen.",
    "billingUsageLimitsOverview": "Übersicht über Nutzungsgrenzen",
    "billingMonitorUsage": "Überwachen Sie Ihren Verbrauch im Vergleich zu konfigurierten Grenzwerten. Wenn Sie eine Erhöhung der Limits benötigen, kontaktieren Sie uns bitte support@pangolin.net.",
    "billingDataUsage": "Datenverbrauch",
-    "billingSites": "Seiten",
+    "billingSites": "Standorte",
    "billingUsers": "Benutzergeräte",
    "billingDomains": "Domänen",
    "billingOrganizations": "Orden",
@@ -1727,7 +1921,7 @@
    "billingCheckoutError": "Checkout-Fehler",
    "billingFailedToGetPortalUrl": "Fehler beim Abrufen der Portal-URL",
    "billingPortalError": "Portalfehler",
-    "billingDataUsageInfo": "Wenn Sie mit der Cloud verbunden sind, werden alle Daten über Ihre sicheren Tunnel belastet. Dies schließt eingehenden und ausgehenden Datenverkehr über alle Ihre Websites ein. Wenn Sie Ihr Limit erreichen, werden Ihre Seiten die Verbindung trennen, bis Sie Ihr Paket upgraden oder die Nutzung verringern. Daten werden nicht belastet, wenn Sie Knoten verwenden.",
+    "billingDataUsageInfo": "Wenn Sie mit der Cloud verbunden sind, werden alle Daten über Ihre sicheren Tunnel belastet. Dies schließt eingehenden und ausgehenden Datenverkehr über alle Ihre Standorte ein. Wenn Sie Ihr Limit erreichen, werden Ihre Standorte die Verbindung trennen, bis Sie Ihr Paket upgraden oder die Nutzung verringern. Daten werden nicht belastet, wenn Sie Knoten verwenden.",
    "billingSInfo": "Anzahl der Sites die Sie verwenden können",
    "billingUsersInfo": "Wie viele Benutzer Sie verwenden können",
    "billingDomainInfo": "Wie viele Domains Sie verwenden können",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Verwalten Sie Ihr Abonnement für kostenpflichtige selbstgehostete Lizenzschlüssel",
    "billingCurrentKeys": "Aktuelle Tasten",
    "billingModifyCurrentPlan": "Aktuelles Paket ändern",
+    "billingManageLicenseSubscriptionDescription": "Verwalten Sie Ihr Abonnement für bezahlte selbst gehostete Lizenzschlüssel und laden Sie Rechnungen herunter.",
    "billingConfirmUpgrade": "Upgrade bestätigen",
    "billingConfirmDowngrade": "Downgrade bestätigen",
    "billingConfirmUpgradeDescription": "Sie sind dabei, Ihr Paket zu aktualisieren. Schauen Sie sich die neuen Limits und Preise unten an.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Unbekannt",
    "healthCheck": "Gesundheits-Check",
    "configureHealthCheck": "Gesundheits-Check konfigurieren",
-    "configureHealthCheckDescription": "Richten Sie die Gesundheitsüberwachung für {target} ein",
+    "configureHealthCheckDescription": "Richten Sie die Überwachung für Ihre Resource ein, um sicherzustellen, dass sie immer verfügbar ist",
    "enableHealthChecks": "Gesundheits-Checks aktivieren",
-    "healthCheckDisabledStateDescription": "Wenn deaktiviert, führt die Seite keine Gesundheitsprüfungen durch und der Zustand wird als unbekannt betrachtet.",
+    "healthCheckDisabledStateDescription": "Wenn deaktiviert, führt der Standort keine Gesundheitsprüfungen durch und der Zustand wird als unbekannt betrachtet.",
    "enableHealthChecksDescription": "Überwachen Sie die Gesundheit dieses Ziels. Bei Bedarf können Sie einen anderen Endpunkt als das Ziel überwachen.",
    "healthScheme": "Methode",
    "healthSelectScheme": "Methode auswählen",
-    "healthCheckPortInvalid": "Der Gesundheitskontroll-Port muss zwischen 1 und 65535 liegen",
+    "healthCheckPortInvalid": "Der Port muss zwischen 1 und 65535 liegen",
    "healthCheckPath": "Pfad",
    "healthHostname": "IP / Host",
    "healthPort": "Port",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Zeit ist in Sekunden",
    "requireDeviceApproval": "Gerätegenehmigungen erforderlich",
    "requireDeviceApprovalDescription": "Benutzer mit dieser Rolle benötigen neue Geräte, die von einem Administrator genehmigt wurden, bevor sie sich verbinden und auf Ressourcen zugreifen können.",
-    "sshAccess": "SSH-Zugriff",
+    "sshSettings": "SSH-Einstellungen",
+    "sshAccess": "SSH Zugriff",
+    "rdpSettings": "RDP-Einstellungen",
+    "vncSettings": "VNC-Einstellungen",
+    "sshServer": "SSH-Server",
+    "rdpServer": "RDP-Server",
+    "vncServer": "VNC-Server",
+    "sshServerDescription": "Richten Sie die Authentifizierungsmethode, den Daemon-Standort und das Serverziel ein",
+    "rdpServerDescription": "Konfigurieren Sie das Ziel und den Port des RDP-Servers",
+    "vncServerDescription": "Konfigurieren Sie das Ziel und den Port des VNC-Servers",
+    "sshServerMode": "Modus",
+    "sshServerModeStandard": "Standard-SSH-Server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Routen Befehle über Netzwerk zu einem SSH-Server wie OpenSSH.",
+    "sshServerModeNative": "Nativer SSH-Server",
+    "sshServerModeNativeDescription": "Führt Befehle direkt auf dem Host über den Site Connector aus. Keine Netzwerkkonfiguration erforderlich.",
+    "sshAuthenticationMethod": "Authentifizierungsmethode",
+    "sshAuthMethodManual": "Manuelle Authentifizierung",
+    "sshAuthMethodManualDescription": "Erfordert vorhandene Host-Anmeldeinformationen. Umgeht die automatische Bereitstellung.",
+    "sshAuthMethodAutomated": "Automatisierte Bereitstellung",
+    "sshAuthMethodAutomatedDescription": "Erstellt automatisch Benutzer, Gruppen und Sudo-Berechtigungen auf dem Host.",
+    "sshAuthDaemonLocation": "Standort des Auth-Daemon",
+    "sshDaemonLocationSiteDescription": "Wird lokal auf dem Rechner ausgeführt, der den Site-Connector beherbergt.",
+    "sshDaemonLocationRemote": "Auf Remote-Host",
+    "sshDaemonLocationRemoteDescription": "Wird auf einem separaten Zielrechner im gleichen Netzwerk ausgeführt.",
+    "sshDaemonDisclaimer": "Stellen Sie sicher, dass Ihr Zielhost korrekt konfiguriert ist, um den Auth-Daemon auszuführen, bevor Sie dieses Setup abschließen, andernfalls wird die Bereitstellung fehlschlagen.",
+    "sshDaemonPort": "Daemon-Port",
+    "sshServerDestination": "Serverziel",
+    "sshServerDestinationDescription": "Ziel des SSH-Servers konfigurieren",
+    "destination": "Ziel",
+    "destinationRequired": "Ziel ist erforderlich.",
+    "domainRequired": "Domain ist erforderlich.",
+    "proxyPortRequired": "Port ist erforderlich.",
+    "invalidPathConfiguration": "Ungültige Pfadkonfiguration.",
+    "invalidRewritePathConfiguration": "Ungültige Neupfad-Konfiguration.",
+    "bgTargetMultiSiteDisclaimer": "Die Auswahl mehrerer Standorte ermöglicht eine widerstandsfähige Weiterleitung und einen Failover für hohe Verfügbarkeit.",
    "roleAllowSsh": "SSH erlauben",
    "roleAllowSshAllow": "Erlauben",
    "roleAllowSshDisallow": "Nicht zulassen",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Benutzer kann nur die angegebenen Befehle mit sudo ausführen.",
    "sshSudo": "sudo erlauben",
    "sshSudoCommands": "Sudo-Befehle",
-    "sshSudoCommandsDescription": "Kommagetrennte Liste von Befehlen, die der Benutzer mit sudo ausführen darf.",
+    "sshSudoCommandsDescription": "Liste der Befehle, die der Benutzer mit sudo ausführen darf, durch Kommas, Leerzeichen oder neue Zeilen getrennt. Absolute Pfade müssen verwendet werden.",
    "sshCreateHomeDir": "Home-Verzeichnis erstellen",
    "sshUnixGroups": "Unix-Gruppen",
-    "sshUnixGroupsDescription": "Durch Komma getrennte Unix-Gruppen, um den Benutzer auf dem Zielhost hinzuzufügen.",
+    "sshUnixGroupsDescription": "Unix-Gruppen, in die der Benutzer auf dem Ziel-Host aufgenommen werden soll, getrennt durch Kommas, Leerzeichen oder neue Zeilen.",
+    "roleTextFieldPlaceholder": "Werte eingeben oder eine .txt- oder .csv-Datei ablegen",
+    "roleTextImportTitle": "Von Datei importieren",
+    "roleTextImportDescription": "Importiere {fileName} in {fieldLabel}.",
+    "roleTextImportSkipHeader": "Erste Zeile überspringen (Header)",
+    "roleTextImportOverride": "Vorhandenes ersetzen",
+    "roleTextImportAppend": "An vorhandenes anfügen",
+    "roleTextImportMode": "Importmodus",
+    "roleTextImportPreview": "Vorschau",
+    "roleTextImportItemCount": "{count, plural, =0 {Keine Elemente zu importieren} one {1 Element zu importieren} other {# Elemente zu importieren}}",
+    "roleTextImportTotalCount": "{existing} vorhanden + {imported} importiert = {total} gesamt",
+    "roleTextImportConfirm": "Importieren",
+    "roleTextImportInvalidFile": "Nicht unterstützter Dateityp",
+    "roleTextImportInvalidFileDescription": "Nur .txt- und .csv-Dateien werden unterstützt.",
+    "roleTextImportEmpty": "Keine Elemente in der Datei gefunden",
+    "roleTextImportEmptyDescription": "Die Datei enthält keine importierbaren Elemente.",
    "retryAttempts": "Wiederholungsversuche",
    "expectedResponseCodes": "Erwartete Antwortcodes",
    "expectedResponseCodesDescription": "HTTP-Statuscode, der einen gesunden Zustand anzeigt. Wenn leer gelassen, wird 200-300 als gesund angesehen.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schema",
-    "editInternalResourceDialogEnableSsl": "SSL aktivieren",
+    "editInternalResourceDialogEnableSsl": "TLS aktivieren",
    "editInternalResourceDialogEnableSslDescription": "SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zum Ziel aktivieren.",
    "editInternalResourceDialogDestination": "Ziel",
    "editInternalResourceDialogDestinationHostDescription": "Die IP-Adresse oder der Hostname der Ressource im Netzwerk der Website.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schema",
    "createInternalResourceDialogScheme": "Schema",
-    "createInternalResourceDialogEnableSsl": "SSL aktivieren",
+    "createInternalResourceDialogEnableSsl": "TLS aktivieren",
    "createInternalResourceDialogEnableSslDescription": "SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zum Ziel aktivieren.",
    "createInternalResourceDialogDestination": "Ziel",
    "createInternalResourceDialogDestinationHostDescription": "Die IP-Adresse oder der Hostname der Ressource im Netzwerk der Website.",
@@ -2171,8 +2418,8 @@
        }
    },
    "remoteExitNodeSelection": "Knotenauswahl",
-    "remoteExitNodeSelectionDescription": "Wählen Sie einen Knoten aus, durch den Traffic für diese lokale Seite geleitet werden soll",
-    "remoteExitNodeRequired": "Ein Knoten muss für lokale Seiten ausgewählt sein",
+    "remoteExitNodeSelectionDescription": "Wählen Sie einen Knoten aus, durch den Traffic für diesen lokalen Standort geleitet werden soll",
+    "remoteExitNodeRequired": "Ein Knoten muss für lokale Standorte ausgewählt sein",
    "noRemoteExitNodesAvailable": "Keine Knoten verfügbar",
    "noRemoteExitNodesAvailableDescription": "Für diese Organisation sind keine Knoten verfügbar. Erstellen Sie zuerst einen Knoten, um lokale Standorte zu verwenden.",
    "exitNode": "Exit-Node",
@@ -2217,7 +2464,7 @@
        "description": "Zuverlässiger und wartungsarmer Pangolin Server mit zusätzlichen Glocken und Pfeifen",
        "introTitle": "Verwalteter selbstgehosteter Pangolin",
        "introDescription": "ist eine Deployment-Option, die für Personen konzipiert wurde, die Einfachheit und zusätzliche Zuverlässigkeit wünschen, während sie ihre Daten privat und selbstgehostet halten.",
-        "introDetail": "Mit dieser Option haben Sie immer noch Ihren eigenen Pangolin-Knoten – Ihre Tunnel, SSL-Terminierung und Traffic bleiben auf Ihrem Server. Der Unterschied besteht darin, dass Verwaltung und Überwachung über unser Cloud-Dashboard abgewickelt werden, das eine Reihe von Vorteilen freischaltet:",
+        "introDetail": "Mit dieser Option betreiben Sie weiterhin Ihren eigenen Pangolin-Knoten – Ihre Tunnel, TLS-Terminierung und der gesamte Datenverkehr bleiben auf Ihrem Server. Der Unterschied besteht darin, dass die Verwaltung und Überwachung über unser Cloud-Dashboard erfolgt, was eine Reihe von Vorteilen freischaltet:",
        "benefitSimplerOperations": {
            "title": "Einfachere Operationen",
            "description": "Sie brauchen keinen eigenen Mail-Server auszuführen oder komplexe Warnungen einzurichten. Sie erhalten Gesundheitschecks und Ausfallwarnungen aus dem Box."
@@ -2652,6 +2899,8 @@
    "validPassword": "Gültiges Passwort",
    "validEmail": "Gültige E-Mail-Adresse",
    "validSSO": "Gültige SSO-Anmeldung",
+    "view": "Ansehen",
+    "configManaged": "Konfiguration verwaltet",
    "connectedClient": "Verbundenes Gerät",
    "resourceBlocked": "Ressource blockiert",
    "droppedByRule": "Abgelegt durch Regel",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Proxy-Protokoll aktivieren",
    "proxyProtocolInfo": "Client-IP-Adressen für TCP-Backends beibehalten",
    "proxyProtocolVersion": "Proxy-Protokollversion",
-    "version1": " Version 1 (empfohlen)",
+    "version1": "Version 1 (Empfohlen)",
    "version2": "Version 2",
-    "versionDescription": "Die Version 1 ist textbasiert und unterstützt die Version 2, ist binär und effizienter, aber weniger kompatibel.",
+    "version1Description": "Textbasiert und weit verbreitet. Sicherstellen, dass das Servers-Transport zur dynamischen Konfiguration hinzugefügt wurde.",
+    "version2Description": "Binär und effizienter, aber weniger kompatibel. Sicherstellen, dass das Servers-Transport zur dynamischen Konfiguration hinzugefügt wurde.",
    "warning": "Warnung",
    "proxyProtocolWarning": "Die Backend-Anwendung muss so konfiguriert sein, dass Proxy-Protokoll-Verbindungen akzeptiert werden. Wenn Ihr Backend das Proxy-Protokoll nicht unterstützt, wird das Aktivieren aller Verbindungen unterbrochen, so dass Sie dies nur aktivieren, wenn Sie wissen, was Sie tun. Stellen Sie sicher, dass Sie Ihr Backend so konfigurieren, dass es Proxy-Protokoll-Header von Traefik vertraut.",
    "restarting": "Neustarten...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Bestätigung eingeben",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Standard Identitätsanbieter",
-    "defaultIdentityProviderDescription": "Wenn ein Standard-Identity Provider ausgewählt ist, wird der Benutzer zur Authentifizierung automatisch an den Anbieter weitergeleitet.",
+    "defaultIdentityProviderDescription": "Der Benutzer wird automatisch zu diesem Identitätsanbieter für die Authentifizierung weitergeleitet.",
    "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
    "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
    "editInternalResourceDialogAddRoles": "Rollen hinzufügen",
@@ -2919,11 +3169,12 @@
    "learnMore": "Mehr erfahren",
    "backToHome": "Zurück zur Startseite",
    "needToSignInToOrg": "Benötigen Sie den Identitätsanbieter Ihres Unternehmens?",
-    "maintenanceMode": "Wartungsmodus",
+    "maintenanceMode": "Wartungsseite",
    "maintenanceModeDescription": "Eine Wartungsseite für Besucher anzeigen",
    "maintenanceModeType": "Art des Wartungsmodus",
    "showMaintenancePage": "Eine Wartungsseite für Besucher anzeigen",
    "enableMaintenanceMode": "Wartungsmodus aktivieren",
+    "enableMaintenanceModeDescription": "Bei Aktivierung sehen Besucher eine Wartungsseite anstelle Ihrer Ressource.",
    "automatic": "Automatisch",
    "automaticModeDescription": " Wartungsseite nur anzeigen, wenn alle Backend-Ziele deaktiviert oder ungesund sind. Deine Ressource funktioniert normal, solange mindestens ein Ziel gesund ist.",
    "forced": "Erzwungen",
@@ -2931,6 +3182,8 @@
    "warning:": "Warnung:",
    "forcedeModeWarning": "Der gesamte Datenverkehr wird zur Wartungsseite weitergeleitet. Ihre Backend-Ressourcen werden keine Anfragen erhalten.",
    "pageTitle": "Seitentitel",
+    "maintenancePageContentSubsection": "Seiteninhalt",
+    "maintenancePageContentSubsectionDescription": "Passen Sie den auf der Wartungsseite angezeigten Inhalt an",
    "pageTitleDescription": "Die Hauptüberschrift auf der Wartungsseite",
    "maintenancePageMessage": "Wartungsmeldung",
    "maintenancePageMessagePlaceholder": "Wir sind bald wieder da! Unsere Seite wird derzeit planmäßig gewartet.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Geschätzter Abschluss:",
    "createInternalResourceDialogDestinationRequired": "Ziel ist erforderlich",
    "available": "Verfügbar",
+    "disabledResourceDescription": "Wenn deaktiviert, ist die Ressource für alle unzugänglich.",
    "archived": "Archiviert",
    "noArchivedDevices": "Keine archivierten Geräte gefunden",
    "deviceArchived": "Gerät archiviert",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Events direkt an Ihr Datadog Konto weiterleiten. Kommen Sie bald.",
    "streamingTypePickerDescription": "Wählen Sie einen Zieltyp aus, um loszulegen.",
-    "streamingFailedToLoad": "Fehler beim Laden der Ziele",
+    "streamingLastSyncError": "Beim letzten Synchronisieren ist ein Fehler aufgetreten.",
    "streamingUnexpectedError": "Ein unerwarteter Fehler ist aufgetreten.",
    "streamingFailedToUpdate": "Fehler beim Aktualisieren des Ziels",
    "streamingDeletedSuccess": "Ziel erfolgreich gelöscht",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Ziel bearbeiten",
    "S3DestAddTitle": "S3-Ziel hinzufügen",
    "S3DestEditDescription": "Konfiguration für dieses S3-Ereignis-Streamingziel aktualisieren.",
-    "S3DestAddDescription": "Neuen S3-Endpunkt konfigurieren, um die Ereignisse Ihrer Organisation zu erhalten.",
+    "S3DestAddDescription": "Konfigurieren Sie einen neuen Amazon S3 (oder S3-kompatiblen) Bucket, um die Ereignisse Ihrer Organisation zu empfangen.",
+    "s3DestTabSettings": "Einstellungen",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Name",
+    "s3DestNamePlaceholder": "Mein S3-Ziel",
+    "s3DestAccessKeyIdLabel": "AWS-Zugriffsschlüssel-ID",
+    "s3DestSecretAccessKeyLabel": "AWS-Geheimzugriffsschlüssel",
+    "s3DestSecretAccessKeyPlaceholder": "Ihr AWS-Geheimzugriffsschlüssel",
+    "s3DestRegionLabel": "AWS-Region",
+    "s3DestBucketLabel": "Bucket-Name",
+    "s3DestPrefixLabel": "Schlüssel-Präfix (optional)",
+    "s3DestPrefixDescription": "Optionales Pfadpräfix, das jedem Objektschlüssel vorangestellt wird. Objekte werden unter {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename} gespeichert.",
+    "s3DestEndpointLabel": "Benutzerdefinierter Endpunkt (optional)",
+    "s3DestEndpointDescription": "Überschreiben Sie den S3-Endpunkt für S3-kompatiblen Speicher wie MinIO oder Cloudflare R2. Lassen Sie das Feld leer für standardmäßiges AWS S3.",
+    "s3DestGzipLabel": "Gzip-Komprimierung",
+    "s3DestGzipDescription": "Jedes hochgeladene Objekt mit Gzip komprimieren. Reduziert die Speicherkosten und die Upload-Größe.",
+    "s3DestFormatTitle": "Dateiformat",
+    "s3DestFormatDescription": "Wie Ereignisse in jedem hochgeladenen Objekt serialisiert werden.",
+    "s3DestFormatJsonArrayDescription": "Jedes Objekt ist ein JSON-Array von Ereignisdaten. Kompatibel mit den meisten Analysetools.",
+    "s3DestFormatNdjsonDescription": "Jedes Objekt enthält einen JSON-Datensatz pro Zeile (newline-delimited JSON). Kompatibel mit Athena, BigQuery und Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Jedes Objekt ist eine RFC-4180 CSV-Datei mit einer Kopfzeile. Spaltennamen werden aus den Ereignisdatenfeldern abgeleitet.",
+    "s3DestSaveChanges": "Änderungen speichern",
+    "s3DestCreateDestination": "Ziel erstellen",
+    "s3DestUpdatedSuccess": "Ziel erfolgreich aktualisiert",
+    "s3DestCreatedSuccess": "Ziel erfolgreich erstellt",
+    "s3DestUpdateFailed": "Fehler beim Aktualisieren des Ziels",
+    "s3DestCreateFailed": "Fehler beim Erstellen des Ziels",
    "datadogDestEditTitle": "Ziel bearbeiten",
    "datadogDestAddTitle": "Datadog-Ziel hinzufügen",
    "datadogDestEditDescription": "Konfiguration für dieses Datadog-Ereignis-Streamingziel aktualisieren.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Sind Sie sicher, dass Sie die Verknüpfung dieses Identitätsanbieters mit dieser Organisation aufheben möchten?",
    "idpUnassociateDescription": "Alle Benutzer, die mit diesem Identitätsanbieter verbunden sind, werden aus dieser Organisation entfernt, aber der Identitätsanbieter bleibt für andere verbundene Organisationen weiterhin bestehen.",
    "idpUnassociateConfirm": "Verknüpfung des Identitätsanbieters aufheben bestätigen",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "LÖSCHE UND ENTFERNE MICH AUS DER ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "VERBINDUNG LÖSEN UND ENTFERNE MICH AUS DER ORG",
    "idpUnassociateWarning": "Dies kann für diese Organisation nicht rückgängig gemacht werden.",
    "idpUnassociatedDescription": "Identitätsanbieter erfolgreich von dieser Organisation gelöst",
    "idpUnassociateMenu": "Verknüpfung aufheben",
@@ -3190,7 +3473,7 @@
    "uptimeAddAlert": "Warnmeldung hinzufügen",
    "uptimeViewAlerts": "Warnungen anzeigen",
    "uptimeCreateEmailAlert": "E-Mail Alarm erstellen",
-    "uptimeAlertDescriptionSite": "Werde per E-Mail benachrichtigt, wenn diese Seite offline oder wieder online ist.",
+    "uptimeAlertDescriptionSite": "Werde per E-Mail benachrichtigt, wenn dieser Standort offline oder wieder online ist.",
    "uptimeAlertDescriptionResource": "Werde per E-Mail benachrichtigt, wenn diese Ressource offline oder wieder online ist.",
    "uptimeAlertNamePlaceholder": "Alarmname",
    "uptimeAdditionalEmails": "Zusätzliche E-Mails",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Ressource deaktiviert",
    "memberPortalShowingResources": "Zeige {start}-{end} von {total} Ressourcen",
    "memberPortalPrevious": "Vorherige",
-    "memberPortalNext": "Nächste"
+    "memberPortalNext": "Nächste",
+    "httpSettings": "HTTP-Einstellungen",
+    "tcpSettings": "TCP-Einstellungen",
+    "udpSettings": "UDP-Einstellungen",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Aufbau einer sicheren Verbindung…",
+    "sshConnecting": "Verbindung wird hergestellt…",
+    "sshInitializing": "Initialisieren…",
+    "sshSignInTitle": "Anmelden bei SSH",
+    "sshSignInDescription": "Geben Sie Ihre SSH-Anmeldedaten ein, um sich zu verbinden",
+    "sshPasswordTab": "Passwort",
+    "sshPrivateKeyTab": "Privater Schlüssel",
+    "sshPrivateKeyField": "Privater Schlüssel",
+    "sshPrivateKeyDisclaimer": "Ihr privater Schlüssel wird von Pangolin nicht gespeichert oder angezeigt. Alternativ können Sie kurzlebige Zertifikate für nahtlose Authentifizierung mit Ihrer bestehenden Pangolin-Identität verwenden.",
+    "sshLearnMore": "Mehr erfahren",
+    "sshPrivateKeyFile": "Private Schlüsseldatei",
+    "sshAuthenticate": "Verbinden",
+    "sshTerminate": "Beenden",
+    "sshPoweredBy": "Bereitgestellt von",
+    "sshErrorNoTarget": "Kein Ziel angegeben",
+    "sshErrorWebSocket": "WebSocket-Verbindung fehlgeschlagen",
+    "sshErrorAuthFailed": "Authentifizierung fehlgeschlagen",
+    "sshErrorConnectionClosed": "Verbindung geschlossen, bevor die Authentifizierung abgeschlossen wurde",
+    "sitePangolinSshDescription": "Erlaube SSH-Zugriff auf Ressourcen an diesem Standort. Dies kann später geändert werden.",
+    "browserGatewayNoResourceForDomain": "Keine Ressource für diese Domain gefunden",
+    "browserGatewayNoTarget": "Kein Ziel",
+    "browserGatewayConnect": "Verbinden",
+    "browserGatewayCtrlAltDel": "Strg+Alt+Entf",
+    "sshErrorSignKeyFailed": "Fehler beim Signieren des SSH-Schlüssels für die PAM-Push-Authentifizierung. Haben Sie sich als Benutzer angemeldet?",
+    "sshTerminalError": "Fehler: {error}",
+    "sshConnectionClosedCode": "Verbindung geschlossen (Code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Privater Schlüssel ist erforderlich",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Geben Sie Ihr VNC-Passwort ein, um sich zu verbinden",
+    "vncPasswordOptional": "Passwort (optional)",
+    "vncNoResourceTarget": "Kein Ressourcen-Ziel verfügbar",
+    "vncFailedToLoadNovnc": "Fehler beim Laden von noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Zwischenablage einfügen",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Anmeldung bei Remote Desktop",
+    "rdpSignInDescription": "Geben Sie die Windows-Anmeldedaten ein, um sich zu verbinden",
+    "rdpLoadingModule": "Modul wird geladen...",
+    "rdpFailedToLoadModule": "Fehler beim Laden des RDP-Moduls",
+    "rdpNotReady": "Nicht bereit",
+    "rdpModuleInitializing": "RDP-Modul wird noch initialisiert",
+    "rdpDownloadingFiles": "Herunterladen von {count} Datei(en) von Remote…",
+    "rdpDownloadFailed": "Download fehlgeschlagen: {fileName}",
+    "rdpUploaded": "Hochgeladen: {fileName}",
+    "rdpNoConnectionTarget": "Kein Verbindungsziel verfügbar",
+    "rdpConnectionFailed": "Verbindung fehlgeschlagen",
+    "rdpFit": "Anpassen",
+    "rdpFull": "Vollständig",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Dateien hochladen",
+    "rdpFilesReadyToPaste": "Dateien bereit zum Einfügen",
+    "rdpFilesReadyToPasteDescription": "{count} Datei(en) in die Remote-Zwischenablage kopiert — drücken Sie Strg+V auf dem Remote-Desktop, um einzufügen.",
+    "rdpUploadFailed": "Upload fehlgeschlagen",
+    "rdpUnicodeKeyboardMode": "Unicode-Tastaturmodus",
+    "sessionToolbarShow": "Werkzeugleiste zeigen",
+    "sessionToolbarHide": "Werkzeugleiste ausblenden"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "View Private Resources",
    "siteInstallNewt": "Install Site",
    "siteInstallNewtDescription": "Install the site connector for your system",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Configuration",
    "WgConfigurationDescription": "Use the following configuration to connect to the network",
    "operatingSystem": "Operating System",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "You will only be able to see this once. Make sure to copy it to a secure place.",
    "siteInfo": "Site Information",
    "status": "Status",
-    "shareTitle": "Manage Share Links",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Create shareable links to grant temporary or permanent access to proxy resources",
-    "shareSearch": "Search share links...",
-    "shareCreate": "Create Share Link",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Failed to delete link",
    "shareErrorDeleteMessage": "An error occurred deleting link",
    "shareDeleted": "Link deleted",
    "shareDeletedDescription": "The link has been deleted",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
+    "shareQuestionRemove": "Are you sure you want to delete this share link?",
+    "shareMessageRemove": "Once deleted, the link will no longer work and anyone using it will lose access to the resource.",
    "shareTokenDescription": "The access token can be passed in two ways: as a query parameter or in the request headers. These must be passed from the client on every request for authenticated access.",
    "accessToken": "Access Token",
    "usageExamples": "Usage Examples",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "An error occurred while creating the share link",
    "shareCreateDescription": "Anyone with this link can access the resource",
    "shareTitleOptional": "Title (optional)",
+    "sharePathOptional": "Path (optional)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Expire In",
    "neverExpire": "Never expire",
    "shareExpireDescription": "Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Please select a resource",
    "proxyResourceTitle": "Manage Public Resources",
    "proxyResourceDescription": "Create and manage resources that are publicly accessible through a web browser",
-    "proxyResourcesBannerTitle": "Web-based Public Access",
-    "proxyResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Manage Private Resources",
    "clientResourceDescription": "Create and manage resources that are only accessible through a connected client",
    "privateResourcesBannerTitle": "Zero-Trust Private Access",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Search resources...",
    "resourceAdd": "Add Resource",
    "resourceErrorDelte": "Error deleting resource",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
+    "resourcePoliciesAttachedResources": "{count} resource(s)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
+    "resourcePoliciesAttachedResourcesEmpty": "no resources",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
+    "resourcePoliciesSearch": "Search policies...",
+    "resourcePoliciesAdd": "Add Policy",
+    "resourcePoliciesDefaultBadgeText": "Default policy",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
+    "resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
+    "resourcePolicyName": "Policy Name",
+    "resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
+    "resourcePolicyNamePlaceholder": "e.g. Internal Access Policy",
+    "resourcePoliciesSeeAll": "See All Policies",
+    "resourcePolicyAuthMethodAdd": "Add Authentication Method",
+    "resourcePolicyOtpEmailAdd": "Add OTP emails",
+    "resourcePolicyRulesAdd": "Add Rules",
+    "resourcePolicyAuthMethodsDescription": "Allow access to resources via additional auth methods",
+    "resourcePolicyUsersRolesDescription": "Configure which users and roles can visit associated resources",
+    "rulesResourcePolicyDescription": "Configure rules to control access resources associated to this policy",
    "authentication": "Authentication",
    "protected": "Protected",
    "notProtected": "Not Protected",
    "resourceMessageRemove": "Once removed, the resource will no longer be accessible. All targets associated with the resource will also be removed.",
    "resourceQuestionRemove": "Are you sure you want to remove the resource from the organization?",
+    "resourcePolicyMessageRemove": "Once removed, the resource policy will no longer be accessible. All resources associated with the resource will be unlinked and left without authentication.",
+    "resourcePolicyQuestionRemove": "Are you sure you want to remove the resource policy from the organization?",
    "resourceHTTP": "HTTPS Resource",
    "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
    "resourceRaw": "Raw TCP/UDP Resource",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Create Resource",
    "resourceCreateDescription": "Follow the steps below to create a new resource",
+    "resourceCreateGeneralDescription": "Configure the basic resource settings including the name and the type",
    "resourceSeeAll": "See All Resources",
-    "resourceInfo": "Resource Information",
+    "resourceCreateGeneral": "General",
    "resourceNameDescription": "This is the display name for the resource.",
    "siteSelect": "Select site",
    "siteSearch": "Search site",
@@ -227,12 +262,15 @@
    "noCountryFound": "No country found.",
    "siteSelectionDescription": "This site will provide connectivity to the target.",
    "resourceType": "Resource Type",
-    "resourceTypeDescription": "Determine how to access the resource",
+    "resourceTypeDescription": "This controls the resource protocol and how it will be rendered in the browser. This can’t be changed later.",
+    "resourceDomainDescription": "The resource will be served at this fully qualified domain name.",
    "resourceHTTPSSettings": "HTTPS Settings",
    "resourceHTTPSSettingsDescription": "Configure how the resource will be accessed over HTTPS",
+    "resourcePortDescription": "The external port on the Pangolin instance or node where the resource will be accessible.",
    "domainType": "Domain Type",
    "subdomain": "Subdomain",
    "baseDomain": "Base Domain",
+    "configure": "Configure",
    "subdomnainDescription": "The subdomain where the resource will be accessible.",
    "resourceRawSettings": "TCP/UDP Settings",
    "resourceRawSettingsDescription": "Configure how the resource will be accessed over TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Back",
    "cancel": "Cancel",
    "resourceConfig": "Configuration Snippets",
-    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Add Entrypoints",
    "resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
    "resourceLearnRaw": "Learn how to configure TCP/UDP resources",
    "resourceBack": "Back to Resources",
    "resourceGoTo": "Go to Resource",
+    "resourcePolicyDelete": "Delete Resource Policy",
+    "resourcePolicyDeleteConfirm": "Confirm Delete Resource Policy",
    "resourceDelete": "Delete Resource",
    "resourceDeleteConfirm": "Confirm Delete Resource",
+    "labelDelete": "Delete Label",
+    "labelAdd": "Add Label",
+    "labelCreateSuccessMessage": "Label Created Successfully",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
+    "labelEditSuccessMessage": "Label Modified Successfully",
+    "labelNameField": "Label Name",
+    "labelColorField": "Label Color",
+    "labelPlaceholder": "Ex: homelab",
+    "labelCreate": "Create Label",
+    "createLabelDialogTitle": "Create Label",
+    "createLabelDialogDescription": "Create a new label that can be attached to this organization",
+    "labelEdit": "Edit Label",
+    "editLabelDialogTitle": "Update Label",
+    "editLabelDialogDescription": "Edit a new label that can be attached to this organization",
+    "labelDeleteConfirm": "Confirm Delete Label",
+    "labelErrorDelete": "Failed to delete label",
+    "labelMessageRemove": "This action is permanent. All sites, resources, and clients tagged with this label will be untagged.",
+    "labelQuestionRemove": "Are you sure you want to remove the label from the organization?",
    "visibility": "Visibility",
    "enabled": "Enabled",
    "disabled": "Disabled",
@@ -261,6 +320,8 @@
    "rules": "Rules",
    "resourceSettingDescription": "Configure the settings on the resource",
    "resourceSetting": "{resourceName} Settings",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
+    "resourcePolicySetting": "{policyName} Settings",
    "alwaysAllow": "Bypass Auth",
    "alwaysDeny": "Block Access",
    "passToAuth": "Pass to Auth",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Once removed, this user will no longer have access to the organization. You can always re-invite them later, but they will need to accept the invitation again.",
    "userRemoveOrgConfirm": "Confirm Remove User",
    "userRemoveOrg": "Remove User from Organization",
+    "userQuestionOrgRemoveSelf": "Are you sure you want to remove yourself from this organization?",
+    "userMessageOrgRemoveSelf": "You will lose access immediately. An administrator can invite you again later, but you will need to accept a new invitation.",
+    "userRemoveOrgConfirmSelf": "Confirm Remove Myself",
+    "userRemoveOrgSelf": "Remove yourself from the organization",
+    "userRemoveOrgSelfWarning": "You will lose access to this organization immediately.",
+    "userRemoveOrgConfirmPhraseSelf": "REMOVE MYSELF FROM ORG",
    "users": "Users",
    "accessRoleMember": "Member",
    "accessRoleOwner": "Owner",
@@ -531,6 +598,11 @@
    "emailInvalid": "Invalid email address",
    "inviteValidityDuration": "Please select a duration",
    "accessRoleSelectPlease": "Please select a role",
+    "removeOwnAdminRoleConfirmTitle": "Remove your administrator access?",
+    "removeOwnAdminRoleConfirmDescription": "You will no longer have administrator permissions in this organization after saving. Another administrator can restore access if needed.",
+    "removeOwnAdminRoleConfirmButton": "Remove My Administrator Access",
+    "removeOwnAdminRoleConfirmPhrase": "REMOVE MY ADMIN ACCESS",
+    "ownerMustRetainAdminRole": "The organization owner must keep at least one administrator role.",
    "usernameRequired": "Username is required",
    "idpSelectPlease": "Please select an identity provider",
    "idpGenericOidc": "Generic OAuth2/OIDC provider.",
@@ -615,7 +687,7 @@
    "createdAt": "Created At",
    "proxyErrorInvalidHeader": "Invalid custom Host Header value. Use domain name format, or save empty to unset custom Host Header.",
    "proxyErrorTls": "Invalid TLS Server Name. Use domain name format, or save empty to remove the TLS Server Name.",
-    "proxyEnableSSL": "Enable SSL",
+    "proxyEnableSSL": "Enable TLS",
    "proxyEnableSSLDescription": "Enable SSL/TLS encryption for secure HTTPS connections to the targets.",
    "target": "Target",
    "configureTarget": "Configure Targets",
@@ -656,8 +728,9 @@
    "targetSubmit": "Add Target",
    "targetNoOne": "This resource doesn't have any targets. Add a target to configure where to send requests to the backend.",
    "targetNoOneDescription": "Adding more than one target above will enable load balancing.",
-    "targetsSubmit": "Save Targets",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Add Target",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round robin routing will not work between sites that are not connected to the same node, but failover will work.",
    "targetErrorInvalidIp": "Invalid IP address",
    "targetErrorInvalidIpDescription": "Please enter a valid IP address or hostname",
    "targetErrorInvalidPort": "Invalid port",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Duplicate rule",
    "rulesErrorDuplicateDescription": "A rule with these settings already exists",
    "rulesErrorInvalidIpAddressRange": "Invalid CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Please enter a valid CIDR value",
-    "rulesErrorInvalidUrl": "Invalid URL path",
-    "rulesErrorInvalidUrlDescription": "Please enter a valid URL path value",
-    "rulesErrorInvalidIpAddress": "Invalid IP",
-    "rulesErrorInvalidIpAddressDescription": "Please enter a valid IP address",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Failed to update rules",
    "rulesErrorUpdateDescription": "An error occurred while updating rules",
    "rulesUpdated": "Enable Rules",
@@ -701,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Enter an address in CIDR format (e.g., 103.21.244.0/22)",
    "rulesMatchIpAddress": "Enter an IP address (e.g., 103.21.244.12)",
    "rulesMatchUrl": "Enter a URL path or pattern (e.g., /api/v1/todos or /api/v1/*)",
-    "rulesErrorInvalidPriority": "Invalid Priority",
-    "rulesErrorInvalidPriorityDescription": "Please enter a valid priority",
-    "rulesErrorDuplicatePriority": "Duplicate Priorities",
-    "rulesErrorDuplicatePriorityDescription": "Please enter unique priorities",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Rules updated",
    "ruleUpdatedDescription": "Rules updated successfully",
    "ruleErrorUpdate": "Operation failed",
    "ruleErrorUpdateDescription": "An error occurred during the save operation",
    "rulesPriority": "Priority",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Action",
    "rulesMatchType": "Match Type",
    "value": "Value",
@@ -728,9 +810,60 @@
    "rulesResource": "Resource Rules Configuration",
    "rulesResourceDescription": "Configure rules to control access to the resource",
    "ruleSubmit": "Add Rule",
-    "rulesNoOne": "No rules. Add a rule using the form.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Rules are evaluated by priority in ascending order.",
    "rulesSubmit": "Save Rules",
+    "policyErrorCreate": "Error creating policy",
+    "policyErrorCreateDescription": "An error occurred when creating the policy",
+    "policyErrorCreateMessageDescription": "An unexpected error occurred",
+    "policyErrorUpdate": "Error updating policy",
+    "policyErrorUpdateDescription": "An error occurred when updating the policy",
+    "policyErrorUpdateMessageDescription": "An unexpected error occurred",
+    "policyCreatedSuccess": "Resource policy succesfully created",
+    "policyUpdatedSuccess": "Resource policy succesfully updated",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Save Rules",
    "resourceErrorCreate": "Error creating resource",
    "resourceErrorCreateDescription": "An error occurred when creating the resource",
    "resourceErrorCreateMessage": "Error creating resource:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "An error occurred while updating the resource",
    "access": "Access",
    "accessControl": "Access Control",
-    "shareLink": "{resource} Share Link",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Select resource",
-    "shareLinks": "Share Links",
+    "shareLinks": "Shareable Links",
    "share": "Shareable Links",
    "shareDescription2": "Create shareable links to resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one.",
    "shareEasyCreate": "Easy to create and share",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Add PIN Code",
    "pincodeRemove": "Remove PIN Code",
    "resourceAuthMethods": "Authentication Methods",
+    "resourcePolicyAuthMethodsEmpty": "No authentication method",
+    "resourcePolicyOtpEmpty": "No one time password",
+    "resourcePolicyReadOnly": "This policy is Read only",
+    "resourcePolicyReadOnlyDescription": "This resource policy is shared accross multiple resources, you cannot edit it on this page.",
+    "editSharedPolicy": "Edit Shared Policy",
+    "resourcePolicyTypeSave": "Save Resource type",
+    "resourcePolicySelect": "Select resource policy",
+    "resourcePolicySelectError": "Select a resource policy",
+    "resourcePolicyNotFound": "Policy not found",
+    "resourcePolicySearch": "Search policies",
+    "resourcePolicyRulesEmpty": "No authentication rules",
    "resourceAuthMethodsDescriptions": "Allow access to the resource via additional auth methods",
    "resourceAuthSettingsSave": "Saved successfully",
    "resourceAuthSettingsSaveDescription": "Authentication settings have been saved",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Set Pincode",
    "resourcePincodeSetupTitleDescription": "Set a pincode to protect this resource",
    "resourceRoleDescription": "Admins can always access this resource.",
+    "resourcePolicySelectTitle": "Resource Access Policy",
+    "resourcePolicySelectDescription": "Select the resource policy type for authentication",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
+    "resourcePolicyInline": "Inline Resource Policy",
+    "resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
+    "resourcePolicyShared": "Shared Resource Policy",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Access Controls",
    "resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
    "resourceUsersRolesSubmit": "Save Access Controls",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibility",
    "resourceVisibilityTitleDescription": "Completely enable or disable resource visibility",
    "resourceGeneral": "General Settings",
-    "resourceGeneralDescription": "Configure the general settings for this resource",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Enable Resource",
    "resourceTransfer": "Transfer Resource",
    "resourceTransferDescription": "Transfer this resource to a different site",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "There was a problem connecting to {name}. Please contact your administrator.",
    "idpErrorNotFound": "IdP not found",
    "inviteInvalid": "Invalid Invite",
+    "labels": "Labels",
+    "orgLabelsDescription": "Manage labels in this organization.",
+    "addLabels": "Add labels",
+    "siteLabelsTab": "Labels",
+    "siteLabelsDescription": "Manage labels associated with this site.",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
+    "labelSearch": "Search labels",
+    "labelSearchOrCreate": "Search or create a label",
+    "accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
+    "labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
+    "accessLabelFilterClear": "Clear label filters",
+    "accessFilterClear": "Clear filters",
+    "selectColor": "Select color",
+    "createNewLabel": "Create new org label \"{label}\"",
    "inviteInvalidDescription": "The invite link is invalid.",
    "inviteErrorWrongUser": "Invite is not for this user",
    "inviteErrorUserNotExists": "User does not exist. Please create an account first.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Access Control",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Invitations",
    "sidebarRoles": "Roles",
-    "sidebarShareableLinks": "Links",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API Keys",
    "sidebarProvisioning": "Provisioning",
    "sidebarSettings": "Settings",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Site {id}",
    "standaloneHcFilterResourceIdFallback": "Resource {id}",
    "blueprints": "Blueprints",
-    "blueprintsDescription": "Apply declarative configurations and view previous runs",
+    "blueprintsLog": "Blueprints Log",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Add Blueprint",
    "blueprintGoBack": "See all Blueprints",
    "blueprintCreate": "Create Blueprint",
@@ -1559,7 +1742,17 @@
    "contents": "Contents",
    "parsedContents": "Parsed Contents (Read Only)",
    "enableDockerSocket": "Enable Docker Blueprint",
-    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to Newt. Read about how this works in <docsLink>the documentation</docsLink>.",
+    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to the site connector. Read about how this works in <docsLink>the documentation</docsLink>.",
+    "newtAutoUpdate": "Enable Site Auto-Update",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
+    "siteAutoUpdate": "Site Auto-Update",
+    "siteAutoUpdateLabel": "Enable Auto-Update",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
+    "siteAutoUpdateOrgDefault": "Organization default: {state}",
+    "siteAutoUpdateOverriding": "Overriding organization setting",
+    "siteAutoUpdateResetToOrg": "Reset to Organization Default",
+    "siteAutoUpdateEnabled": "enabled",
+    "siteAutoUpdateDisabled": "disabled",
    "viewDockerContainers": "View Docker Containers",
    "containersIn": "Containers in {siteName}",
    "selectContainerDescription": "Select any container to use as a hostname for this target. Click a port to use a port.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certificate",
    "certificateStatusAutoRefreshHint": "Status refreshes automatically.",
    "loading": "Loading",
+    "loadingEllipsis": "Loading...",
    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
    "domains": "Domains",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Account setup completed! Welcome to Pangolin!",
    "documentation": "Documentation",
    "saveAllSettings": "Save All Settings",
-    "saveResourceTargets": "Save Targets",
-    "saveResourceHttp": "Save Proxy Settings",
-    "saveProxyProtocol": "Save Proxy protocol settings",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Settings updated",
    "settingsUpdatedDescription": "Settings updated successfully",
    "settingsErrorUpdate": "Failed to update settings",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
    "billingCurrentKeys": "Current Keys",
    "billingModifyCurrentPlan": "Modify Current Plan",
+    "billingManageLicenseSubscriptionDescription": "Manage your subscription for paid self-hosted license keys and download invoices.",
    "billingConfirmUpgrade": "Confirm Upgrade",
    "billingConfirmDowngrade": "Confirm Downgrade",
    "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Unknown",
    "healthCheck": "Health Check",
    "configureHealthCheck": "Configure Health Check",
-    "configureHealthCheckDescription": "Set up health monitoring for {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Enable Health Checks",
    "healthCheckDisabledStateDescription": "When disabled, the site will not perform health checks and the state will be considered unknown.",
    "enableHealthChecksDescription": "Monitor the health of this target. You can monitor a different endpoint than the target if required.",
    "healthScheme": "Method",
    "healthSelectScheme": "Select Method",
-    "healthCheckPortInvalid": "Health check port must be between 1 and 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Path",
    "healthHostname": "IP / Host",
    "healthPort": "Port",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Time is in seconds",
    "requireDeviceApproval": "Require Device Approvals",
    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
+    "sshSettings": "SSH Settings",
    "sshAccess": "SSH Access",
+    "rdpSettings": "RDP Settings",
+    "vncSettings": "VNC Settings",
+    "sshServer": "SSH Server",
+    "rdpServer": "RDP Server",
+    "vncServer": "VNC Server",
+    "sshServerDescription": "Set up the authentication method, daemon location, and server destination",
+    "rdpServerDescription": "Configure the destination and port of the RDP server",
+    "vncServerDescription": "Configure the destination and port of the VNC server",
+    "sshServerMode": "Mode",
+    "sshServerModeStandard": "Standard SSH Server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Routes commands over network to an SSH server such as OpenSSH.",
+    "sshServerModeNative": "Native SSH Server",
+    "sshServerModeNativeDescription": "Executes commands directly on the host via the Site Connector. No network config required.",
+    "sshAuthenticationMethod": "Authentication Method",
+    "sshAuthMethodManual": "Manual Authentication",
+    "sshAuthMethodManualDescription": "Requires existing host credentials. Bypasses automatic provisioning.",
+    "sshAuthMethodAutomated": "Automated Provisioning",
+    "sshAuthMethodAutomatedDescription": "Automatically creates users, groups, and sudo permissions on host.",
+    "sshAuthDaemonLocation": "Auth Daemon Location",
+    "sshDaemonLocationSiteDescription": "Executes locally on the machine hosting the site connector.",
+    "sshDaemonLocationRemote": "On Remote Host",
+    "sshDaemonLocationRemoteDescription": "Executes on a separate target machine on the same network.",
+    "sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
+    "sshDaemonPort": "Daemon Port",
+    "sshServerDestination": "Server Destination",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
+    "destination": "Destination",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
+    "bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
    "roleAllowSsh": "Allow SSH",
    "roleAllowSshAllow": "Allow",
    "roleAllowSshDisallow": "Disallow",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
    "sshSudo": "Allow sudo",
    "sshSudoCommands": "Sudo Commands",
-    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Create Home Directory",
    "sshUnixGroups": "Unix Groups",
-    "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Retry Attempts",
    "expectedResponseCodes": "Expected Response Codes",
    "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Scheme",
-    "editInternalResourceDialogEnableSsl": "Enable SSL",
+    "editInternalResourceDialogEnableSsl": "Enable TLS",
    "editInternalResourceDialogEnableSslDescription": "Enable SSL/TLS encryption for secure HTTPS connections to the destination.",
    "editInternalResourceDialogDestination": "Destination",
    "editInternalResourceDialogDestinationHostDescription": "The IP address or hostname of the resource on the site's network.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Scheme",
    "createInternalResourceDialogScheme": "Scheme",
-    "createInternalResourceDialogEnableSsl": "Enable SSL",
+    "createInternalResourceDialogEnableSsl": "Enable TLS",
    "createInternalResourceDialogEnableSslDescription": "Enable SSL/TLS encryption for secure HTTPS connections to the destination.",
    "createInternalResourceDialogDestination": "Destination",
    "createInternalResourceDialogDestinationHostDescription": "The IP address or hostname of the resource on the site's network.",
@@ -2217,7 +2464,7 @@
        "description": "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles",
        "introTitle": "Managed Self-Hosted Pangolin",
        "introDescription": "is a deployment option designed for people who want simplicity and extra reliability while still keeping their data private and self-hosted.",
-        "introDetail": "With this option, you still run your own Pangolin node - your tunnels, SSL termination, and traffic all stay on your server. The difference is that management and monitoring are handled through our cloud dashboard, which unlocks a number of benefits:",
+        "introDetail": "With this option, you still run your own Pangolin node - your tunnels, TLS termination, and traffic all stay on your server. The difference is that management and monitoring are handled through our cloud dashboard, which unlocks a number of benefits:",
        "benefitSimplerOperations": {
            "title": "Simpler operations",
            "description": "No need to run your own mail server or set up complex alerting. You'll get health checks and downtime alerts out of the box."
@@ -2652,6 +2899,8 @@
    "validPassword": "Valid Password",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "View",
+    "configManaged": "Config Managed",
    "connectedClient": "Connected Client",
    "resourceBlocked": "Resource Blocked",
    "droppedByRule": "Dropped by Rule",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Enable Proxy Protocol",
    "proxyProtocolInfo": "Preserve client IP addresses for TCP backends",
    "proxyProtocolVersion": "Proxy Protocol Version",
-    "version1": " Version 1 (Recommended)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Version 2",
-    "versionDescription": "Version 1 is text-based and widely supported. Version 2 is binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Warning",
    "proxyProtocolWarning": "The backend application must be configured to accept Proxy Protocol connections. If your backend doesn't support Proxy Protocol, enabling this will break all connections so only enable this if you know what you're doing. Make sure to configure your backend to trust Proxy Protocol headers from Traefik.",
    "restarting": "Restarting...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Enter confirmation",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Default Identity Provider",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Network Settings",
    "editInternalResourceDialogAccessPolicy": "Access Policy",
    "editInternalResourceDialogAddRoles": "Add Roles",
@@ -2919,11 +3169,12 @@
    "learnMore": "Learn more",
    "backToHome": "Go back to home",
    "needToSignInToOrg": "Need to use your organization's identity provider?",
-    "maintenanceMode": "Maintenance Mode",
+    "maintenanceMode": "Maintenance Page",
    "maintenanceModeDescription": "Display a maintenance page to visitors",
    "maintenanceModeType": "Maintenance Mode Type",
    "showMaintenancePage": "Show a maintenance page to visitors",
    "enableMaintenanceMode": "Enable Maintenance Mode",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatic",
    "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
    "forced": "Forced",
@@ -2931,6 +3182,8 @@
    "warning:": "Warning:",
    "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
    "pageTitle": "Page Title",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "The main heading displayed on the maintenance page",
    "maintenancePageMessage": "Maintenance Message",
    "maintenancePageMessagePlaceholder": "We'll be back soon! Our site is currently undergoing scheduled maintenance.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
    "createInternalResourceDialogDestinationRequired": "Destination is required",
    "available": "Available",
+    "disabledResourceDescription": "When disabled, the resource will be inaccessible by everyone.",
    "archived": "Archived",
    "noArchivedDevices": "No archived devices found",
    "deviceArchived": "Device archived",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Forward events directly to your Datadog account.",
    "streamingTypePickerDescription": "Choose a destination type to get started.",
-    "streamingFailedToLoad": "Failed to load destinations",
+    "streamingLastSyncError": "An error occurred on the last sync",
    "streamingUnexpectedError": "An unexpected error occurred.",
    "streamingFailedToUpdate": "Failed to update destination",
    "streamingDeletedSuccess": "Destination deleted successfully",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Edit Destination",
    "S3DestAddTitle": "Add S3 Destination",
    "S3DestEditDescription": "Update the configuration for this S3 event streaming destination.",
-    "S3DestAddDescription": "Configure a new S3 endpoint to receive your organization's events.",
+    "S3DestAddDescription": "Configure a new Amazon S3 (or S3-compatible) bucket to receive your organization's events.",
+    "s3DestTabSettings": "Settings",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Name",
+    "s3DestNamePlaceholder": "My S3 destination",
+    "s3DestAccessKeyIdLabel": "AWS Access Key ID",
+    "s3DestSecretAccessKeyLabel": "AWS Secret Access Key",
+    "s3DestSecretAccessKeyPlaceholder": "Your AWS secret access key",
+    "s3DestRegionLabel": "AWS Region",
+    "s3DestBucketLabel": "Bucket Name",
+    "s3DestPrefixLabel": "Key Prefix (optional)",
+    "s3DestPrefixDescription": "Optional path prefix prepended to every object key. Objects are stored at {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Custom Endpoint (optional)",
+    "s3DestEndpointDescription": "Override the S3 endpoint for S3-compatible storage such as MinIO or Cloudflare R2. Leave blank for standard AWS S3.",
+    "s3DestGzipLabel": "Gzip compression",
+    "s3DestGzipDescription": "Compress each uploaded object with gzip. Reduces storage costs and upload size.",
+    "s3DestFormatTitle": "File Format",
+    "s3DestFormatDescription": "How events are serialised inside each uploaded object.",
+    "s3DestFormatJsonArrayDescription": "Each object is a JSON array of event records. Compatible with most analytics tools.",
+    "s3DestFormatNdjsonDescription": "Each object contains one JSON record per line (newline-delimited JSON). Compatible with Athena, BigQuery, and Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Each object is an RFC-4180 CSV file with a header row. Column names are derived from the event data fields.",
+    "s3DestSaveChanges": "Save Changes",
+    "s3DestCreateDestination": "Create Destination",
+    "s3DestUpdatedSuccess": "Destination updated successfully",
+    "s3DestCreatedSuccess": "Destination created successfully",
+    "s3DestUpdateFailed": "Failed to update destination",
+    "s3DestCreateFailed": "Failed to create destination",
    "datadogDestEditTitle": "Edit Destination",
    "datadogDestAddTitle": "Add Datadog Destination",
    "datadogDestEditDescription": "Update the configuration for this Datadog event streaming destination.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Are you sure you want to unassociate this identity provider from this organization?",
    "idpUnassociateDescription": "All users associated with this identity provider will be removed from this organization, but the identity provider will still continue to exist for other associated organizations.",
    "idpUnassociateConfirm": "Confirm Unassociate Identity Provider",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "This cannot be undone for this organization.",
    "idpUnassociatedDescription": "Identity provider unassociated from this organization successfully",
    "idpUnassociateMenu": "Unassociate",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Resource Disabled",
    "memberPortalShowingResources": "Showing {start}-{end} of {total} resources",
    "memberPortalPrevious": "Previous",
-    "memberPortalNext": "Next"
+    "memberPortalNext": "Next",
+    "httpSettings": "HTTP Settings",
+    "tcpSettings": "TCP Settings",
+    "udpSettings": "UDP Settings",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Establishing a secure connection…",
+    "sshConnecting": "Connecting…",
+    "sshInitializing": "Initializing…",
+    "sshSignInTitle": "Sign in to SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
+    "sshPasswordTab": "Password",
+    "sshPrivateKeyTab": "Private Key",
+    "sshPrivateKeyField": "Private Key",
+    "sshPrivateKeyDisclaimer": "Your private key is not stored or visible to Pangolin. Alternatively, you can use short-lived certificates for seamless authentication using your existing Pangolin identity.",
+    "sshLearnMore": "Learn more",
+    "sshPrivateKeyFile": "Private Key File",
+    "sshAuthenticate": "Connect",
+    "sshTerminate": "Terminate",
+    "sshPoweredBy": "Powered by",
+    "sshErrorNoTarget": "No target specified",
+    "sshErrorWebSocket": "WebSocket connection failed",
+    "sshErrorAuthFailed": "Authentication failed",
+    "sshErrorConnectionClosed": "Connection closed before authentication completed",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Ver Recursos Privados",
    "siteInstallNewt": "Instalar Newt",
    "siteInstallNewtDescription": "Recibe Newt corriendo en tu sistema",
+    "siteInstallKubernetesDocsDescription": "Para información de instalación de Kubernetes más reciente, consulta <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Para instrucciones de instalación del módem Advantech, consulta <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configuración de Wirex Guard",
    "WgConfigurationDescription": "Utilice la siguiente configuración para conectarse a la red",
    "operatingSystem": "Sistema operativo",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Sólo podrás verlo una vez. Asegúrate de copiarlo a un lugar seguro.",
    "siteInfo": "Información del sitio",
    "status": "Estado",
-    "shareTitle": "Administrar Enlaces de Compartir",
+    "shareTitle": "Gestionar Enlaces Compartibles",
    "shareDescription": "Crear enlaces compartidos para conceder acceso temporal o permanente a recursos proxy",
-    "shareSearch": "Buscar enlaces compartidos...",
-    "shareCreate": "Crear enlace Compartir",
+    "shareSearch": "Buscar enlaces compartibles...",
+    "shareCreate": "Crear Enlace Compartible",
    "shareErrorDelete": "Error al eliminar el enlace",
    "shareErrorDeleteMessage": "Se ha producido un error al eliminar el enlace",
    "shareDeleted": "Enlace eliminado",
    "shareDeletedDescription": "El enlace ha sido eliminado",
+    "shareDelete": "Eliminar Enlace Compartible",
+    "shareDeleteConfirm": "Confirmar Eliminación de Enlace Compartible",
+    "shareQuestionRemove": "¿Está seguro de que desea borrar este enlace compartido?",
+    "shareMessageRemove": "Una vez borrado, el enlace dejará de funcionar y cualquier persona que lo use perderá acceso al recurso.",
    "shareTokenDescription": "El token de acceso puede ser pasado de dos maneras: como parámetro de consulta o en las cabeceras de solicitud. Estos deben ser pasados del cliente en cada solicitud de acceso autenticado.",
    "accessToken": "Token de acceso",
    "usageExamples": "Ejemplos de uso",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Se ha producido un error al crear el enlace compartido",
    "shareCreateDescription": "Cualquiera con este enlace puede acceder al recurso",
    "shareTitleOptional": "Título (opcional)",
+    "sharePathOptional": "Ruta (opcional)",
+    "sharePathDescription": "El enlace redirigirá a los usuarios a esta ruta tras la autenticación.",
    "expireIn": "Caduca en",
    "neverExpire": "Nunca expirar",
    "shareExpireDescription": "El tiempo de caducidad es cuánto tiempo el enlace será utilizable y proporcionará acceso al recurso. Después de este tiempo, el enlace ya no funcionará, y los usuarios que usaron este enlace perderán el acceso al recurso.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Por favor, seleccione un recurso",
    "proxyResourceTitle": "Administrar recursos públicos",
    "proxyResourceDescription": "Crear y administrar recursos que sean accesibles públicamente a través de un navegador web",
-    "proxyResourcesBannerTitle": "Acceso público basado en web",
-    "proxyResourcesBannerDescription": "Los recursos públicos son proxies HTTPS o TCP/UDP accesibles a cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluye políticas de acceso basadas en identidad y contexto.",
+    "publicResourcesBannerTitle": "Acceso Público basado en Web",
+    "publicResourcesBannerDescription": "Los recursos públicos son proxies HTTPS accesibles para cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluyen políticas de acceso basadas en identidad y contexto.",
    "clientResourceTitle": "Administrar recursos privados",
    "clientResourceDescription": "Crear y administrar recursos que sólo son accesibles a través de un cliente conectado",
    "privateResourcesBannerTitle": "Acceso privado de confianza cero",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Buscar recursos...",
    "resourceAdd": "Añadir Recurso",
    "resourceErrorDelte": "Error al eliminar el recurso",
+    "resourcePoliciesBannerTitle": "Reutilizar Reglas de Autenticación y Acceso",
+    "resourcePoliciesBannerDescription": "Las políticas de recursos compartidos te permiten definir métodos de autenticación y reglas de acceso una vez, y luego adjuntarlas a múltiples recursos públicos. Al actualizar una política, cada recurso vinculado hereda automáticamente el cambio.",
+    "resourcePoliciesBannerButtonText": "Saber más",
+    "resourcePoliciesTitle": "Gestionar Políticas de Recursos Públicos",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Recursos",
+    "resourcePoliciesAttachedResources": "{count} recurso/s",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# recurso} other {# recursos}}",
+    "resourcePoliciesAttachedResourcesEmpty": "sin recursos",
+    "resourcePoliciesDescription": "Crear y gestionar políticas de autenticación para controlar el acceso a tus recursos públicos",
+    "resourcePoliciesSearch": "Buscar políticas...",
+    "resourcePoliciesAdd": "Agregar Política",
+    "resourcePoliciesDefaultBadgeText": "Política predeterminada",
+    "resourcePoliciesCreate": "Crear Política de Recursos Públicos",
+    "resourcePoliciesCreateDescription": "Siga los pasos a continuación para crear una nueva política",
+    "resourcePolicyName": "Nombre de la política",
+    "resourcePolicyNameDescription": "Déle a esta política un nombre para identificarla en sus recursos",
+    "resourcePolicyNamePlaceholder": "por ejemplo, Política de Acceso Interno",
+    "resourcePoliciesSeeAll": "Ver todas las políticas",
+    "resourcePolicyAuthMethodAdd": "Agregar Método de Autenticación",
+    "resourcePolicyOtpEmailAdd": "Agregar correos electrónicos OTP",
+    "resourcePolicyRulesAdd": "Añadir reglas",
+    "resourcePolicyAuthMethodsDescription": "Permitir el acceso a los recursos a través de métodos de autenticación adicionales",
+    "resourcePolicyUsersRolesDescription": "Configure qué usuarios y roles pueden visitar los recursos asociados",
+    "rulesResourcePolicyDescription": "Configure reglas para controlar el acceso a los recursos asociados a esta política",
    "authentication": "Autenticación",
    "protected": "Protegido",
    "notProtected": "No protegido",
    "resourceMessageRemove": "Una vez eliminado, el recurso ya no será accesible. Todos los objetivos asociados con el recurso también serán eliminados.",
    "resourceQuestionRemove": "¿Está seguro que desea eliminar el recurso de la organización?",
+    "resourcePolicyMessageRemove": "Una vez eliminada, la política de recursos ya no será accesible. Todos los recursos asociados al recurso serán desvinculados y quedarán sin autenticación.",
+    "resourcePolicyQuestionRemove": "¿Está seguro de que desea eliminar la política de recursos de la organización?",
    "resourceHTTP": "HTTPS Recurso",
    "resourceHTTPDescription": "Proxy proporciona solicitudes sobre HTTPS usando un nombre de dominio completamente calificado.",
    "resourceRaw": "Recurso TCP/UDP sin procesar",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. Requiere que los sitios se conecten a un nodo remoto.",
    "resourceCreate": "Crear Recurso",
    "resourceCreateDescription": "Siga los siguientes pasos para crear un nuevo recurso",
+    "resourceCreateGeneralDescription": "Configurar la configuración básica del recurso, incluido el nombre y el tipo",
    "resourceSeeAll": "Ver todos los recursos",
-    "resourceInfo": "Información del recurso",
+    "resourceCreateGeneral": "General",
    "resourceNameDescription": "Este es el nombre para mostrar el recurso.",
    "siteSelect": "Seleccionar sitio",
    "siteSearch": "Buscar sitio",
@@ -227,12 +262,15 @@
    "noCountryFound": "Ningún país encontrado.",
    "siteSelectionDescription": "Este sitio proporcionará conectividad al objetivo.",
    "resourceType": "Tipo de recurso",
-    "resourceTypeDescription": "Determina cómo acceder al recurso",
+    "resourceTypeDescription": "Esto controla el protocolo del recurso y cómo se renderizará en el navegador. Esto no se puede cambiar más tarde.",
+    "resourceDomainDescription": "El recurso se servirá en este nombre de dominio completamente calificado.",
    "resourceHTTPSSettings": "Configuración HTTPS",
    "resourceHTTPSSettingsDescription": "Configurar cómo se accederá al recurso a través de HTTPS",
+    "resourcePortDescription": "El puerto externo en la instancia o nodo de Pangolin donde el recurso será accesible.",
    "domainType": "Tipo de dominio",
    "subdomain": "Subdominio",
    "baseDomain": "Dominio base",
+    "configure": "Configurar",
    "subdomnainDescription": "El subdominio al que el recurso será accesible.",
    "resourceRawSettings": "Configuración TCP/UDP",
    "resourceRawSettingsDescription": "Configurar cómo se accederá al recurso a través de TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Atrás",
    "cancel": "Cancelar",
    "resourceConfig": "Fragmentos de configuración",
-    "resourceConfigDescription": "Copia y pega estos fragmentos de configuración para configurar el recurso TCP/UDP",
+    "resourceConfigDescription": "Copia y pega estos fragmentos de configuración para configurar el recurso TCP/UDP.",
    "resourceAddEntrypoints": "Traefik: Añadir puntos de entrada",
    "resourceExposePorts": "Gerbil: Exponer puertos en Docker Compose",
    "resourceLearnRaw": "Aprende cómo configurar los recursos TCP/UDP",
    "resourceBack": "Volver a Recursos",
    "resourceGoTo": "Ir a Recurso",
+    "resourcePolicyDelete": "Eliminar Política de Recursos",
+    "resourcePolicyDeleteConfirm": "Confirmar eliminación de la política de recursos",
    "resourceDelete": "Eliminar Recurso",
    "resourceDeleteConfirm": "Confirmar Borrar Recurso",
+    "labelDelete": "Eliminar etiqueta",
+    "labelAdd": "Agregar etiqueta",
+    "labelCreateSuccessMessage": "Etiqueta creada correctamente",
+    "labelDuplicateError": "Etiqueta Duplicada",
+    "labelDuplicateErrorDescription": "Una etiqueta con este nombre ya existe.",
+    "labelEditSuccessMessage": "Etiqueta modificada correctamente",
+    "labelNameField": "Nombre de la etiqueta",
+    "labelColorField": "Color de la etiqueta",
+    "labelPlaceholder": "Ej: homelab",
+    "labelCreate": "Crear etiqueta",
+    "createLabelDialogTitle": "Crear etiqueta",
+    "createLabelDialogDescription": "Cree una nueva etiqueta que se pueda adjuntar a esta organización",
+    "labelEdit": "Editar etiqueta",
+    "editLabelDialogTitle": "Actualizar etiqueta",
+    "editLabelDialogDescription": "Edite una nueva etiqueta que se pueda adjuntar a esta organización",
+    "labelDeleteConfirm": "Confirmar eliminación de etiqueta",
+    "labelErrorDelete": "Error al eliminar la etiqueta",
+    "labelMessageRemove": "Esta acción es permanente. Todos los sitios, recursos y clientes etiquetados con esta etiqueta serán des- etiquetados.",
+    "labelQuestionRemove": "¿Está seguro de que desea eliminar la etiqueta de la organización?",
    "visibility": "Visibilidad",
    "enabled": "Activado",
    "disabled": "Deshabilitado",
@@ -261,6 +320,8 @@
    "rules": "Reglas",
    "resourceSettingDescription": "Configurar la configuración del recurso",
    "resourceSetting": "Ajustes {resourceName}",
+    "resourcePolicySettingDescription": "Configura los ajustes de esta política de recursos públicos",
+    "resourcePolicySetting": "Configuración {policyName}",
    "alwaysAllow": "Autorización Bypass",
    "alwaysDeny": "Bloquear acceso",
    "passToAuth": "Pasar a Autenticación",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Una vez eliminado, este usuario ya no tendrá acceso a la organización. Siempre puede volver a invitarlos más tarde, pero tendrán que aceptar la invitación de nuevo.",
    "userRemoveOrgConfirm": "Confirmar eliminar usuario",
    "userRemoveOrg": "Eliminar usuario de la organización",
+    "userQuestionOrgRemoveSelf": "¿Está seguro de que desea eliminarse de esta organización?",
+    "userMessageOrgRemoveSelf": "Perderá acceso inmediatamente. Un administrador puede invitarlo de nuevo más tarde, pero necesitará aceptar una nueva invitación.",
+    "userRemoveOrgConfirmSelf": "Confirmar Eliminarme",
+    "userRemoveOrgSelf": "Eliminarse de la organización",
+    "userRemoveOrgSelfWarning": "Perderá acceso a esta organización inmediatamente.",
+    "userRemoveOrgConfirmPhraseSelf": "ELIMINARME DE LA ORGANIZACIÓN",
    "users": "Usuarios",
    "accessRoleMember": "Miembro",
    "accessRoleOwner": "Propietario",
@@ -531,6 +598,11 @@
    "emailInvalid": "Dirección de correo inválida",
    "inviteValidityDuration": "Por favor, seleccione una duración",
    "accessRoleSelectPlease": "Por favor, seleccione un rol",
+    "removeOwnAdminRoleConfirmTitle": "¿Eliminar su acceso de administrador?",
+    "removeOwnAdminRoleConfirmDescription": "Ya no tendrá permisos de administrador en esta organización después de guardar. Otro administrador puede restaurar el acceso si es necesario.",
+    "removeOwnAdminRoleConfirmButton": "Eliminar Mi Acceso de Administrador",
+    "removeOwnAdminRoleConfirmPhrase": "ELIMINAR MI ACCESO DE ADMINISTRADOR",
+    "ownerMustRetainAdminRole": "El propietario de la organización debe mantener al menos un rol de administrador.",
    "usernameRequired": "Nombre de usuario requerido",
    "idpSelectPlease": "Por favor, seleccione un proveedor de identidad",
    "idpGenericOidc": "Proveedor OAuth2/OIDC genérico.",
@@ -615,7 +687,7 @@
    "createdAt": "Creado el",
    "proxyErrorInvalidHeader": "Valor de cabecera de host personalizado no válido. Utilice el formato de nombre de dominio, o guarde en blanco para desestablecer cabecera de host personalizada.",
    "proxyErrorTls": "Nombre de servidor TLS inválido. Utilice el formato de nombre de dominio o guarde en blanco para eliminar el nombre de servidor TLS.",
-    "proxyEnableSSL": "Activar SSL",
+    "proxyEnableSSL": "Activar TLS",
    "proxyEnableSSLDescription": "Habilita el cifrado SSL/TLS para conexiones seguras HTTPS a los objetivos.",
    "target": "Target",
    "configureTarget": "Configurar objetivos",
@@ -656,8 +728,9 @@
    "targetSubmit": "Añadir destino",
    "targetNoOne": "Este recurso no tiene ningún objetivo. Agrega un objetivo para configurar dónde enviar peticiones al backend.",
    "targetNoOneDescription": "Si se añade más de un objetivo anterior se activará el balance de carga.",
-    "targetsSubmit": "Guardar objetivos",
+    "targetsSubmit": "Guardar ajustes",
    "addTarget": "Añadir destino",
+    "proxyMultiSiteRoundRobinNodeHelp": "El enrutamiento de turnos no funcionará entre sitios que no están conectados al mismo nodo, pero el failover funcionará.",
    "targetErrorInvalidIp": "Dirección IP inválida",
    "targetErrorInvalidIpDescription": "Por favor, introduzca una dirección IP válida o nombre de host",
    "targetErrorInvalidPort": "Puerto inválido",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Duplicar regla",
    "rulesErrorDuplicateDescription": "Ya existe una regla con estos ajustes",
    "rulesErrorInvalidIpAddressRange": "CIDR inválido",
-    "rulesErrorInvalidIpAddressRangeDescription": "Por favor, introduzca un valor CIDR válido",
-    "rulesErrorInvalidUrl": "Ruta URL inválida",
-    "rulesErrorInvalidUrlDescription": "Por favor, introduzca un valor de ruta de URL válido",
-    "rulesErrorInvalidIpAddress": "IP inválida",
-    "rulesErrorInvalidIpAddressDescription": "Por favor, introduzca una dirección IP válida",
+    "rulesErrorInvalidIpAddressRangeDescription": "Introduce un rango CIDR válido (por ejemplo, 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Ruta no válida",
+    "rulesErrorInvalidUrlDescription": "Introduce una ruta URL o patrón válido (por ejemplo, /api/*).",
+    "rulesErrorInvalidIpAddress": "Dirección IP no válida",
+    "rulesErrorInvalidIpAddressDescription": "Introduce una dirección IPv4 o IPv6 válida.",
    "rulesErrorUpdate": "Error al actualizar las reglas",
    "rulesErrorUpdateDescription": "Se ha producido un error al actualizar las reglas",
    "rulesUpdated": "Activar Reglas",
@@ -701,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Introduzca una dirección en formato CIDR (por ejemplo, 103.21.244.0/22)",
    "rulesMatchIpAddress": "Introduzca una dirección IP (por ejemplo, 103.21.244.12)",
    "rulesMatchUrl": "Introduzca una ruta URL o patrón (por ej., /api/v1/todos o /api/v1/*)",
-    "rulesErrorInvalidPriority": "Prioridad inválida",
-    "rulesErrorInvalidPriorityDescription": "Por favor, introduzca una prioridad válida",
+    "rulesErrorInvalidPriority": "Prioridad no válida",
+    "rulesErrorInvalidPriorityDescription": "Introduce un número entero de 1 o mayor.",
    "rulesErrorDuplicatePriority": "Prioridades duplicadas",
-    "rulesErrorDuplicatePriorityDescription": "Por favor, introduzca prioridades únicas",
+    "rulesErrorDuplicatePriorityDescription": "Cada regla debe tener un número de prioridad único.",
+    "rulesErrorValidation": "Reglas no válidas",
+    "rulesErrorValidationRuleDescription": "Regla {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Selecciona un tipo de coincidencia válido (ruta, IP, CIDR, país, región o ASN).",
+    "rulesErrorValueRequired": "Introduce un valor para esta regla.",
+    "rulesErrorInvalidCountry": "País no válido",
+    "rulesErrorInvalidCountryDescription": "Selecciona un país válido.",
+    "rulesErrorInvalidAsn": "ASN no válido",
+    "rulesErrorInvalidAsnDescription": "Introduce un ASN válido (por ejemplo, AS15169).",
    "ruleUpdated": "Reglas actualizadas",
    "ruleUpdatedDescription": "Reglas actualizadas correctamente",
    "ruleErrorUpdate": "Operación fallida",
    "ruleErrorUpdateDescription": "Se ha producido un error durante la operación de guardado",
    "rulesPriority": "Prioridad",
+    "rulesReorderDragHandle": "Arrastra para reordenar la prioridad de reglas",
    "rulesAction": "Accin",
    "rulesMatchType": "Tipo de partida",
    "value": "Valor",
@@ -728,9 +810,60 @@
    "rulesResource": "Configuración de reglas de recursos",
    "rulesResourceDescription": "Configurar reglas para controlar el acceso al recurso",
    "ruleSubmit": "Añadir Regla",
-    "rulesNoOne": "No hay reglas. Agregue una regla usando el formulario.",
+    "rulesNoOne": "Aún no hay reglas.",
    "rulesOrder": "Las reglas son evaluadas por prioridad en orden ascendente.",
    "rulesSubmit": "Guardar Reglas",
+    "policyErrorCreate": "Error al crear la política",
+    "policyErrorCreateDescription": "Se ha producido un error al crear la política",
+    "policyErrorCreateMessageDescription": "Se ha producido un error inesperado",
+    "policyErrorUpdate": "Error al actualizar la política",
+    "policyErrorUpdateDescription": "Se ha producido un error al actualizar la política",
+    "policyErrorUpdateMessageDescription": "Se ha producido un error inesperado",
+    "policyCreatedSuccess": "Política de recursos creada con éxito",
+    "policyUpdatedSuccess": "Política de recursos actualizada con éxito",
+    "authMethodsSave": "Guardar ajustes",
+    "policyAuthStackTitle": "Autenticación",
+    "policyAuthStackDescription": "Controla qué métodos de autenticación son necesarios para acceder a este recurso",
+    "policyAuthOrLogicTitle": "Múltiples métodos de autenticación activos",
+    "policyAuthOrLogicBanner": "Los visitantes pueden autenticarse utilizando cualquier método activo a continuación. No necesitan completar todos ellos.",
+    "policyAuthMethodActive": "Activo",
+    "policyAuthMethodOff": "Apagado",
+    "policyAuthSsoTitle": "SSO de Plataforma",
+    "policyAuthSsoDescription": "Requiere iniciar sesión a través del proveedor de identidad de tu organización",
+    "policyAuthSsoSummary": "{idp} · {users} usuarios, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Proveedor por defecto",
+    "policyAuthAddDefaultIdentityProvider": "Añadir Proveedor de Identidad Predeterminado",
+    "policyAuthOtherMethodsTitle": "Otros Métodos",
+    "policyAuthOtherMethodsDescription": "Métodos opcionales que los visitantes pueden utilizar en lugar de o junto con el SSO de plataforma",
+    "policyAuthPasscodeTitle": "Código de Acceso",
+    "policyAuthPasscodeDescription": "Requiere un código alfanumérico compartido para acceder al recurso",
+    "policyAuthPasscodeSummary": "Código de acceso establecido",
+    "policyAuthPincodeTitle": "Código PIN",
+    "policyAuthPincodeDescription": "Un código numérico corto necesario para acceder al recurso",
+    "policyAuthPincodeSummary": "Código PIN de 6 dígitos establecido",
+    "policyAuthEmailTitle": "Lista Blanca de Correo",
+    "policyAuthEmailDescription": "Permitir direcciones de correo listadas con contraseñas de un solo uso",
+    "policyAuthEmailSummary": "{count} direcciones permitidas",
+    "policyAuthEmailOtpCallout": "Habilitar la lista blanca de correos envía una contraseña de un solo uso al correo del visitante al iniciar sesión.",
+    "policyAuthHeaderAuthTitle": "Autenticación Básica del Encabezado",
+    "policyAuthHeaderAuthDescription": "Valida un nombre y valor de encabezado HTTP personalizado en cada petición",
+    "policyAuthHeaderAuthSummary": "Encabezado configurado",
+    "policyAuthHeaderName": "Nombre del encabezado",
+    "policyAuthHeaderValue": "Valor esperado",
+    "policyAuthSetPasscode": "Establecer Código de Acceso",
+    "policyAuthSetPincode": "Establecer Código PIN",
+    "policyAuthSetEmailWhitelist": "Establecer Lista Blanca de Correo",
+    "policyAuthSetHeaderAuth": "Establecer Autenticación Básica del Encabezado",
+    "policyAccessRulesTitle": "Reglas de Acceso",
+    "policyAccessRulesEnableDescription": "Cuando está habilitado, las reglas se evalúan en orden descendente hasta que una se evalúa como verdadera.",
+    "policyAccessRulesFirstMatch": "Las reglas se evalúan de arriba a abajo. La primera regla coincidente decide el resultado.",
+    "policyAccessRulesHowItWorks": "Las reglas coinciden con las solicitudes por ruta, dirección IP, ubicación u otros criterios. Cada regla aplica una acción: omitir autenticación, bloquear acceso o pasar a autenticación. Si ninguna regla coincide, el tráfico sigue a la autenticación.",
+    "policyAccessRulesFallthroughOff": "Cuando las reglas están deshabilitadas, todo el tráfico pasa a autenticación.",
+    "policyAccessRulesFallthroughOn": "Cuando no coincide ninguna regla, el tráfico pasa a autenticación.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Guardar reglas",
    "resourceErrorCreate": "Error al crear recurso",
    "resourceErrorCreateDescription": "Se ha producido un error al crear el recurso",
    "resourceErrorCreateMessage": "Error al crear el recurso:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Se ha producido un error al actualizar el recurso",
    "access": "Acceder",
    "accessControl": "Control de acceso",
-    "shareLink": "{resource} Compartir Enlace",
+    "shareLink": "Enlace Compartible de {resource}",
    "resourceSelect": "Seleccionar recurso",
-    "shareLinks": "Compartir enlaces",
+    "shareLinks": "Enlaces Compartibles",
    "share": "Enlaces compartibles",
    "shareDescription2": "Crea enlaces compartidos a recursos. Los enlaces proporcionan acceso temporal o ilimitado a tu recurso. Puede configurar la duración de caducidad del enlace cuando cree uno.",
    "shareEasyCreate": "Fácil de crear y compartir",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Añadir código PIN",
    "pincodeRemove": "Eliminar código PIN",
    "resourceAuthMethods": "Métodos de autenticación",
+    "resourcePolicyAuthMethodsEmpty": "No hay método de autenticación",
+    "resourcePolicyOtpEmpty": "Sin contraseña de un solo uso",
+    "resourcePolicyReadOnly": "Esta política es solo de lectura",
+    "resourcePolicyReadOnlyDescription": "Esta política de recursos se comparte entre varios recursos, no puede editarla en esta página.",
+    "editSharedPolicy": "Editar Política Compartida",
+    "resourcePolicyTypeSave": "Guardar tipo de recurso",
+    "resourcePolicySelect": "Seleccionar política de recursos",
+    "resourcePolicySelectError": "Seleccione una política de recursos",
+    "resourcePolicyNotFound": "Política no encontrada",
+    "resourcePolicySearch": "Buscar políticas",
+    "resourcePolicyRulesEmpty": "Sin reglas de autenticación",
    "resourceAuthMethodsDescriptions": "Permitir el acceso al recurso a través de métodos de autenticación adicionales",
    "resourceAuthSettingsSave": "Guardado correctamente",
    "resourceAuthSettingsSaveDescription": "Se han guardado los ajustes de autenticación",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Definir Pincode",
    "resourcePincodeSetupTitleDescription": "Establecer un pincode para proteger este recurso",
    "resourceRoleDescription": "Los administradores siempre pueden acceder a este recurso.",
+    "resourcePolicySelectTitle": "Política de Acceso a Recursos",
+    "resourcePolicySelectDescription": "Seleccione el tipo de política de recursos para la autenticación",
+    "resourcePolicyTypeLabel": "Tipo de política",
+    "resourcePolicyLabel": "Política de recurso",
+    "resourcePolicyInline": "Política de Recursos Integrada",
+    "resourcePolicyInlineDescription": "Política de Acceso solo destinada a este recurso",
+    "resourcePolicyShared": "Política de Recursos Compartida",
+    "resourcePolicySharedDescription": "Este recurso utiliza una política compartida.",
+    "sharedPolicy": "Política Compartida",
+    "sharedPolicyNoneDescription": "Este recurso tiene su propia política.",
+    "resourceSharedPolicyOwnDescription": "Este recurso tiene sus propios controles de autenticación y reglas de acceso.",
+    "resourceSharedPolicyInheritedDescription": "Este recurso hereda de <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Este recurso está usando una política compartida. Algunas configuraciones de autenticación se pueden editar en este recurso para añadirse a la política. Para cambiar la política subyacente, debes editar a <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Este recurso está utilizando una política compartida. Algunas reglas de acceso se pueden editar en este recurso. Para cambiar la política subyacente, debes editar <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Controles de acceso",
    "resourceUsersRolesDescription": "Configurar qué usuarios y roles pueden visitar este recurso",
    "resourceUsersRolesSubmit": "Guardar controles de acceso",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilidad",
    "resourceVisibilityTitleDescription": "Activar o desactivar completamente la visibilidad de los recursos",
    "resourceGeneral": "Configuración General",
-    "resourceGeneralDescription": "Configurar la configuración general de este recurso",
+    "resourceGeneralDescription": "Configurar nombre, dirección y política de acceso para este recurso.",
+    "resourceGeneralDetailsSubsection": "Detalles del Recurso",
+    "resourceGeneralDetailsSubsectionDescription": "Establecer el nombre de visualización, identificador y dominio públicamente accesible para este recurso.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Establecer el nombre de visualización, identificador y puerto público para este recurso.",
+    "resourceGeneralPublicAddressSubsection": "Dirección Pública",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configura cómo los usuarios acceden a este recurso.",
+    "resourceGeneralAuthenticationAccessSubsection": "Autenticación y Acceso",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Elige si este recurso utiliza su propia política o hereda de una política compartida.",
    "resourceEnable": "Activar recurso",
    "resourceTransfer": "Transferir recursos",
    "resourceTransferDescription": "Transferir este recurso a un sitio diferente",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Hubo un problema al conectar con {name}. Por favor, póngase en contacto con su administrador.",
    "idpErrorNotFound": "IdP no encontrado",
    "inviteInvalid": "Invitación inválida",
+    "labels": "Etiquetas",
+    "orgLabelsDescription": "Administrar etiquetas en esta organización.",
+    "addLabels": "Agregar etiquetas",
+    "siteLabelsTab": "Etiquetas",
+    "siteLabelsDescription": "Administrar las etiquetas asociadas con este sitio.",
+    "labelsNotFound": "No se encontraron etiquetas.",
+    "labelsEmptyCreateHint": "Empieza a escribir arriba para crear una etiqueta.",
+    "labelSearch": "Buscar etiquetas",
+    "labelSearchOrCreate": "Buscar o crear una etiqueta",
+    "accessLabelFilterCount": "{count, plural, one {# etiqueta} other {# etiquetas}}",
+    "labelOverflowCount": "+{count, plural, one {# etiqueta} other {# etiquetas}}",
+    "accessLabelFilterClear": "Borrar filtros de etiquetas",
+    "accessFilterClear": "Limpiar filtros",
+    "selectColor": "Seleccionar color",
+    "createNewLabel": "Crear nueva etiqueta de organización \"{label}\"",
    "inviteInvalidDescription": "El enlace de invitación no es válido.",
    "inviteErrorWrongUser": "La invitación no es para este usuario",
    "inviteErrorUserNotExists": "El usuario no existe. Por favor, cree una cuenta primero.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
+    "sidebarPolicies": "Políticas Compartidas",
+    "sidebarResourcePolicies": "Recursos Públicos",
    "sidebarAccessControl": "Control de acceso",
    "sidebarLogsAndAnalytics": "Registros y análisis",
    "sidebarTeam": "Equipo",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Invitaciones",
    "sidebarRoles": "Roles",
-    "sidebarShareableLinks": "Enlaces",
+    "sidebarShareableLinks": "Enlaces Compartibles",
    "sidebarApiKeys": "Claves API",
    "sidebarProvisioning": "Aprovisionamiento",
    "sidebarSettings": "Ajustes",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Sitio {id}",
    "standaloneHcFilterResourceIdFallback": "Recurso {id}",
    "blueprints": "Planos",
-    "blueprintsDescription": "Aplicar configuraciones declarativas y ver ejecuciones anteriores",
+    "blueprintsLog": "Registro de planos",
+    "blueprintsDescription": "Ver aplicaciones de planos anteriores y sus resultados o aplicar un nuevo plano",
    "blueprintAdd": "Añadir plano",
    "blueprintGoBack": "Ver todos los Planos",
    "blueprintCreate": "Crear Plano",
@@ -1559,7 +1742,17 @@
    "contents": "Contenido",
    "parsedContents": "Contenido analizado (Sólo lectura)",
    "enableDockerSocket": "Habilitar Plano Docker",
-    "enableDockerSocketDescription": "Activar el raspado de etiquetas de Socket Docker para etiquetas de planos. La ruta del Socket debe proporcionarse a Newt.",
+    "enableDockerSocketDescription": "Activar el raspado de etiquetas del socket Docker para etiquetas de planos. La ruta del socket debe proporcionarse al conector del sitio. Lea sobre cómo funciona esto en <docsLink>la documentación</docsLink>.",
+    "newtAutoUpdate": "Habilitar actualización automática del sitio",
+    "newtAutoUpdateDescription": "Cuando está habilitado, los conectores del sitio descargarán automáticamente la última versión y se reiniciarán. Esto se puede anular por sitio.",
+    "siteAutoUpdate": "Actualización automática del sitio",
+    "siteAutoUpdateLabel": "Habilitar actualización automática",
+    "siteAutoUpdateDescription": "Cuando está habilitado, el conector de este sitio descargará automáticamente la última versión y se reiniciará.",
+    "siteAutoUpdateOrgDefault": "Predeterminado de la organización: {state}",
+    "siteAutoUpdateOverriding": "Configuración de anulación de la organización",
+    "siteAutoUpdateResetToOrg": "Restablecer al predeterminado de la organización",
+    "siteAutoUpdateEnabled": "activado",
+    "siteAutoUpdateDisabled": "deshabilitado",
    "viewDockerContainers": "Ver contenedores Docker",
    "containersIn": "Contenedores en {siteName}",
    "selectContainerDescription": "Seleccione cualquier contenedor para usar como nombre de host para este objetivo. Haga clic en un puerto para usar un puerto.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certificado",
    "certificateStatusAutoRefreshHint": "El estado se actualiza automáticamente.",
    "loading": "Cargando",
+    "loadingEllipsis": "Cargando...",
    "loadingAnalytics": "Cargando analíticas",
    "restart": "Reiniciar",
    "domains": "Dominios",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "¡Configuración de cuenta completada! ¡Bienvenido a Pangolin!",
    "documentation": "Documentación",
    "saveAllSettings": "Guardar todos los ajustes",
-    "saveResourceTargets": "Guardar objetivos",
-    "saveResourceHttp": "Guardar ajustes de proxy",
-    "saveProxyProtocol": "Guardar configuraciones del protocolo de proxy",
+    "saveResourceTargets": "Guardar ajustes",
+    "saveResourceHttp": "Guardar ajustes",
+    "saveProxyProtocol": "Guardar ajustes",
    "settingsUpdated": "Ajustes actualizados",
    "settingsUpdatedDescription": "Configuraciones actualizadas correctamente",
    "settingsErrorUpdate": "Error al actualizar ajustes",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Administra tu suscripción para las claves de licencia autoalojadas pagadas",
    "billingCurrentKeys": "Claves actuales",
    "billingModifyCurrentPlan": "Modificar plan actual",
+    "billingManageLicenseSubscriptionDescription": "Administre su suscripción para claves de licencia autogestionadas pagas y descargue facturas.",
    "billingConfirmUpgrade": "Confirmar actualización",
    "billingConfirmDowngrade": "Confirmar descenso",
    "billingConfirmUpgradeDescription": "Estás a punto de actualizar tu plan. Revisa los nuevos límites y precios a continuación.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Desconocido",
    "healthCheck": "Chequeo de salud",
    "configureHealthCheck": "Configurar Chequeo de Salud",
-    "configureHealthCheckDescription": "Configura la monitorización de salud para {target}",
+    "configureHealthCheckDescription": "Configura la monitorización para tu recurso para asegurarte que siempre está disponible",
    "enableHealthChecks": "Activar Chequeos de Salud",
    "healthCheckDisabledStateDescription": "Cuando está deshabilitado, el sitio no realizará comprobaciones de salud y el estado se considerará desconocido.",
    "enableHealthChecksDescription": "Controlar la salud de este objetivo. Puedes supervisar un punto final diferente al objetivo si es necesario.",
    "healthScheme": "Método",
    "healthSelectScheme": "Seleccionar método",
-    "healthCheckPortInvalid": "El puerto de chequeo de salud debe estar entre 1 y 65535",
+    "healthCheckPortInvalid": "El puerto debe estar entre 1 y 65535",
    "healthCheckPath": "Ruta",
    "healthHostname": "IP / Nombre del host",
    "healthPort": "Puerto",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "El tiempo está en segundos",
    "requireDeviceApproval": "Requiere aprobaciones del dispositivo",
    "requireDeviceApprovalDescription": "Los usuarios con este rol necesitan nuevos dispositivos aprobados por un administrador antes de poder conectarse y acceder a los recursos.",
-    "sshAccess": "Acceso a SSH",
+    "sshSettings": "Configuración SSH",
+    "sshAccess": "Acceso SSH",
+    "rdpSettings": "Configuración RDP",
+    "vncSettings": "Configuración VNC",
+    "sshServer": "Servidor SSH",
+    "rdpServer": "Servidor RDP",
+    "vncServer": "Servidor VNC",
+    "sshServerDescription": "Configure el método de autenticación, la ubicación del daemon y el destino del servidor",
+    "rdpServerDescription": "Configure el destino y el puerto del servidor RDP",
+    "vncServerDescription": "Configure el destino y el puerto del servidor VNC",
+    "sshServerMode": "Modo",
+    "sshServerModeStandard": "Servidor SSH estándar",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Rutas de comandos a través de la red a un servidor SSH como OpenSSH.",
+    "sshServerModeNative": "Servidor SSH nativo",
+    "sshServerModeNativeDescription": "Ejecuta comandos directamente en el host a través del Conector de Sitio. No se requiere configuración de red.",
+    "sshAuthenticationMethod": "Método de autenticación",
+    "sshAuthMethodManual": "Autenticación manual",
+    "sshAuthMethodManualDescription": "Requiere credenciales de host existentes. Omite la provisión automática.",
+    "sshAuthMethodAutomated": "Provisión automatizada",
+    "sshAuthMethodAutomatedDescription": "Crea automáticamente usuarios, grupos y permisos de sudo en el host.",
+    "sshAuthDaemonLocation": "Ubicación del Daemon de Autenticación",
+    "sshDaemonLocationSiteDescription": "Ejecuta localmente en la máquina que aloja el conector de sitio.",
+    "sshDaemonLocationRemote": "En Host Remoto",
+    "sshDaemonLocationRemoteDescription": "Ejecuta en una máquina objetivo separada en la misma red.",
+    "sshDaemonDisclaimer": "Asegúrese de que su host objetivo esté correctamente configurado para ejecutar el daemon de autenticación antes de completar esta configuración, o la provisión fallará.",
+    "sshDaemonPort": "Puerto del Daemon",
+    "sshServerDestination": "Destino del Servidor",
+    "sshServerDestinationDescription": "Configurar el destino del servidor SSH",
+    "destination": "Destino",
+    "destinationRequired": "Se requiere destino.",
+    "domainRequired": "Se requiere dominio.",
+    "proxyPortRequired": "Se requiere puerto.",
+    "invalidPathConfiguration": "Configuración de ruta no válida.",
+    "invalidRewritePathConfiguration": "Configuración de ruta de reescritura no válida.",
+    "bgTargetMultiSiteDisclaimer": "Seleccionar múltiples sitios permite el enrutamiento resiliente y el failover para alta disponibilidad.",
    "roleAllowSsh": "Permitir SSH",
    "roleAllowSshAllow": "Permitir",
    "roleAllowSshDisallow": "Rechazar",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "El usuario sólo puede ejecutar los comandos especificados con sudo.",
    "sshSudo": "Permitir sudo",
    "sshSudoCommands": "Comandos Sudo",
-    "sshSudoCommandsDescription": "Lista separada por comas de comandos que el usuario puede ejecutar con sudo.",
+    "sshSudoCommandsDescription": "Lista de comandos que el usuario tiene permitido ejecutar con sudo, separados por comas, espacios o nuevas líneas. Se deben usar rutas absolutas.",
    "sshCreateHomeDir": "Crear directorio principal",
    "sshUnixGroups": "Grupos Unix",
-    "sshUnixGroupsDescription": "Grupos Unix separados por comas para agregar el usuario en el host de destino.",
+    "sshUnixGroupsDescription": "Grupos Unix a los que añadir el usuario en el host de destino, separados por comas, espacios o nuevas líneas.",
+    "roleTextFieldPlaceholder": "Introduce valores, o suelta un archivo .txt o .csv",
+    "roleTextImportTitle": "Importar desde Archivo",
+    "roleTextImportDescription": "Importando {fileName} en {fieldLabel}.",
+    "roleTextImportSkipHeader": "Omitir Primera Fila (Encabezado)",
+    "roleTextImportOverride": "Reemplazar Existente",
+    "roleTextImportAppend": "Añadir al Existente",
+    "roleTextImportMode": "Modo de Importación",
+    "roleTextImportPreview": "Previsualizar",
+    "roleTextImportItemCount": "{count, plural, =0 {No hay elementos para importar} one {1 elemento para importar} other {# elementos para importar}}",
+    "roleTextImportTotalCount": "{existing} existentes + {imported} importados = {total} total",
+    "roleTextImportConfirm": "Importar",
+    "roleTextImportInvalidFile": "Tipo de archivo no soportado",
+    "roleTextImportInvalidFileDescription": "Sólo se soportan archivos .txt y .csv.",
+    "roleTextImportEmpty": "No se encontraron elementos en el archivo",
+    "roleTextImportEmptyDescription": "El archivo no contiene ningún elemento importable.",
    "retryAttempts": "Intentos de Reintento",
    "expectedResponseCodes": "Códigos de respuesta esperados",
    "expectedResponseCodesDescription": "Código de estado HTTP que indica un estado saludable. Si se deja en blanco, se considera saludable de 200 a 300.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Esquema",
-    "editInternalResourceDialogEnableSsl": "Activar SSL",
+    "editInternalResourceDialogEnableSsl": "Activar TLS",
    "editInternalResourceDialogEnableSslDescription": "Habilitar cifrado SSL/TLS para conexiones HTTPS seguras al destino.",
    "editInternalResourceDialogDestination": "Destino",
    "editInternalResourceDialogDestinationHostDescription": "La dirección IP o nombre de host del recurso en la red del sitio.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Esquema",
    "createInternalResourceDialogScheme": "Esquema",
-    "createInternalResourceDialogEnableSsl": "Activar SSL",
+    "createInternalResourceDialogEnableSsl": "Activar TLS",
    "createInternalResourceDialogEnableSslDescription": "Habilitar cifrado SSL/TLS para conexiones HTTPS seguras al destino.",
    "createInternalResourceDialogDestination": "Destino",
    "createInternalResourceDialogDestinationHostDescription": "La dirección IP o nombre de host del recurso en la red del sitio.",
@@ -2217,7 +2464,7 @@
        "description": "Servidor Pangolin autoalojado más fiable y de bajo mantenimiento con campanas y silbidos extra",
        "introTitle": "Pangolin autogestionado",
        "introDescription": "es una opción de despliegue diseñada para personas que quieren simplicidad y fiabilidad extra mientras mantienen sus datos privados y autoalojados.",
-        "introDetail": "Con esta opción, todavía ejecuta su propio nodo Pangolin, sus túneles, terminación SSL y tráfico permanecen en su servidor. La diferencia es que la gestión y el control se gestionan a través de nuestro panel de control en la nube, que desbloquea una serie de ventajas:",
+        "introDetail": "Con esta opción, todavía ejecuta su propio nodo Pangolin, sus túneles, terminación del TLS y tráfico permanecen en su servidor. La diferencia es que la gestión y el monitoreo se manejan a través de nuestro panel de control en la nube, lo que desbloquea una serie de beneficios:",
        "benefitSimplerOperations": {
            "title": "Operaciones simples",
            "description": "No necesitas ejecutar tu propio servidor de correo o configurar alertas complejas. Recibirás cheques de salud y alertas de tiempo de inactividad."
@@ -2652,6 +2899,8 @@
    "validPassword": "Contraseña válida",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Ver",
+    "configManaged": "Configuración Gestionada",
    "connectedClient": "Cliente conectado",
    "resourceBlocked": "Recurso bloqueado",
    "droppedByRule": "Soltado por regla",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Habilitar protocolo proxy",
    "proxyProtocolInfo": "Conservar direcciones IP del cliente para backends TCP",
    "proxyProtocolVersion": "Versión del Protocolo Proxy",
-    "version1": " Versión 1 (Recomendado)",
+    "version1": "Versión 1 (Recomendada)",
    "version2": "Versión 2",
-    "versionDescription": "La versión 1 está basada en texto y es ampliamente soportada. La versión 2 es binaria y más eficiente pero menos compatible.",
+    "version1Description": "Basado en texto y ampliamente compatible. Asegúrate de que el transporte de servidores está agregado a la configuración dinámica.",
+    "version2Description": "Binario y más eficiente, pero menos compatible. Asegúrate de que el transporte de servidores está agregado a la configuración dinámica.",
    "warning": "Advertencia",
    "proxyProtocolWarning": "La aplicación backend debe configurarse para aceptar conexiones Proxy Protocol. Si el backend no soporta Proxy Protocol, activarlo romperá todas las conexiones, así que sólo habilítelo si sabe lo que está haciendo. Asegúrese de configurar su backend para que confíe en las cabeceras del protocolo Proxy de Traefik.",
    "restarting": "Reiniciando...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Ingresar confirmación",
    "blueprintViewDetails": "Detalles",
    "defaultIdentityProvider": "Proveedor de identidad predeterminado",
-    "defaultIdentityProviderDescription": "Cuando se selecciona un proveedor de identidad por defecto, el usuario será redirigido automáticamente al proveedor de autenticación.",
+    "defaultIdentityProviderDescription": "El usuario será redirigido automáticamente a este proveedor de identidad para autenticación.",
    "editInternalResourceDialogNetworkSettings": "Configuración de red",
    "editInternalResourceDialogAccessPolicy": "Política de acceso",
    "editInternalResourceDialogAddRoles": "Agregar roles",
@@ -2919,11 +3169,12 @@
    "learnMore": "Más información",
    "backToHome": "Volver a inicio",
    "needToSignInToOrg": "¿Necesita usar el proveedor de identidad de su organización?",
-    "maintenanceMode": "Modo de mantenimiento",
+    "maintenanceMode": "Página de Mantenimiento",
    "maintenanceModeDescription": "Muestra una página de mantenimiento a los visitantes",
    "maintenanceModeType": "Tipo de modo de mantenimiento",
    "showMaintenancePage": "Mostrar página de mantenimiento a los visitantes",
    "enableMaintenanceMode": "Habilitar modo de mantenimiento",
+    "enableMaintenanceModeDescription": "Cuando esté habilitado, los visitantes verán una página de mantenimiento en lugar de tu recurso.",
    "automatic": "Automático",
    "automaticModeDescription": "Mostrar página de mantenimiento solo cuando todos los objetivos de backend están caídos o no saludables. Su recurso continúa funcionando normalmente siempre que al menos un objetivo esté saludable.",
    "forced": "Forzado",
@@ -2931,6 +3182,8 @@
    "warning:": "Advertencia:",
    "forcedeModeWarning": "Todo el tráfico será dirigido a la página de mantenimiento. Sus recursos de backend no recibirán solicitudes.",
    "pageTitle": "Título de la página",
+    "maintenancePageContentSubsection": "Contenido de la Página",
+    "maintenancePageContentSubsectionDescription": "Personaliza el contenido mostrado en la página de mantenimiento",
    "pageTitleDescription": "El encabezado principal visible en la página de mantenimiento",
    "maintenancePageMessage": "Mensaje de mantenimiento",
    "maintenancePageMessagePlaceholder": "¡Volveremos pronto! Nuestro sitio está actualmente en mantenimiento programado.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Estimado completado:",
    "createInternalResourceDialogDestinationRequired": "Se requiere destino",
    "available": "Disponible",
+    "disabledResourceDescription": "Cuando está deshabilitado, el recurso será inaccesible para todos.",
    "archived": "Archivado",
    "noArchivedDevices": "No se encontraron dispositivos archivados",
    "deviceArchived": "Dispositivo archivado",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Reenviar eventos directamente a tu cuenta de Datadog. Próximamente.",
    "streamingTypePickerDescription": "Elija un tipo de destino para empezar.",
-    "streamingFailedToLoad": "Error al cargar destinos",
+    "streamingLastSyncError": "Ocurrió un error en la última sincronización.",
    "streamingUnexpectedError": "Se ha producido un error inesperado.",
    "streamingFailedToUpdate": "Error al actualizar destino",
    "streamingDeletedSuccess": "Destino eliminado correctamente",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Editar destino",
    "S3DestAddTitle": "Añadir destino S3",
    "S3DestEditDescription": "Actualice la configuración para este destino de transmisión de eventos S3.",
-    "S3DestAddDescription": "Configure un nuevo punto final S3 para recibir los eventos de su organización.",
+    "S3DestAddDescription": "Configura un nuevo bucket de Amazon S3 (o compatible con S3) para recibir los eventos de tu organización.",
+    "s3DestTabSettings": "Ajustes",
+    "s3DestTabFormat": "Formato",
+    "s3DestNameLabel": "Nombre",
+    "s3DestNamePlaceholder": "Mi destino S3",
+    "s3DestAccessKeyIdLabel": "ID de clave de acceso de AWS",
+    "s3DestSecretAccessKeyLabel": "Clave de acceso secreta de AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Tu clave de acceso secreta de AWS",
+    "s3DestRegionLabel": "Región de AWS",
+    "s3DestBucketLabel": "Nombre del bucket",
+    "s3DestPrefixLabel": "Prefijo clave (opcional)",
+    "s3DestPrefixDescription": "Prefijo de ruta opcional preanexado a cada clave de objeto. Los objetos se almacenan en {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Punto final personalizado (opcional)",
+    "s3DestEndpointDescription": "Sobrescribe el punto final de S3 para almacenamiento compatible con S3 como MinIO o Cloudflare R2. Deja en blanco para el estándar AWS S3.",
+    "s3DestGzipLabel": "Compresión Gzip",
+    "s3DestGzipDescription": "Comprime cada objeto subido con gzip. Reduce costos de almacenamiento y tamaño de carga.",
+    "s3DestFormatTitle": "Formato de archivo",
+    "s3DestFormatDescription": "Cómo se serializan los eventos dentro de cada objeto cargado.",
+    "s3DestFormatJsonArrayDescription": "Cada objeto es un arreglo JSON de registros de eventos. Compatible con la mayoría de las herramientas de analítica.",
+    "s3DestFormatNdjsonDescription": "Cada objeto contiene un registro JSON por línea (JSON delimitado por nueva línea). Compatible con Athena, BigQuery y Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Cada objeto es un archivo CSV conforme a RFC-4180 con una fila de encabezado. Los nombres de columna se derivan de los campos de datos del evento.",
+    "s3DestSaveChanges": "Guardar cambios",
+    "s3DestCreateDestination": "Crear destino",
+    "s3DestUpdatedSuccess": "Destino actualizado con éxito",
+    "s3DestCreatedSuccess": "Destino creado con éxito",
+    "s3DestUpdateFailed": "No se pudo actualizar el destino",
+    "s3DestCreateFailed": "No se pudo crear el destino",
    "datadogDestEditTitle": "Editar destino",
    "datadogDestAddTitle": "Añadir destino Datadog",
    "datadogDestEditDescription": "Actualice la configuración para este destino de transmisión de eventos Datadog.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "¿Está seguro de que desea desasociar este proveedor de identidad de esta organización?",
    "idpUnassociateDescription": "Todos los usuarios asociados con este proveedor de identidad serán eliminados de esta organización, pero el proveedor de identidad continuará existiendo para otras organizaciones asociadas.",
    "idpUnassociateConfirm": "Confirme Desasociar Proveedor de Identidad",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "ELIMINAR Y QUITARME DE ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "DESASOCIAR Y QUITARME DE ORG",
    "idpUnassociateWarning": "Esto no se puede deshacer para esta organización.",
    "idpUnassociatedDescription": "Proveedor de identidad desasociado de esta organización con éxito",
    "idpUnassociateMenu": "Desasociar",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Recurso Deshabilitado",
    "memberPortalShowingResources": "Mostrando {start}-{end} de {total} recursos",
    "memberPortalPrevious": "Anterior",
-    "memberPortalNext": "Siguiente"
+    "memberPortalNext": "Siguiente",
+    "httpSettings": "Configuración HTTP",
+    "tcpSettings": "Configuración TCP",
+    "udpSettings": "Configuración UDP",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Estableciendo una conexión segura…",
+    "sshConnecting": "Conectando…",
+    "sshInitializing": "Inicializando…",
+    "sshSignInTitle": "Iniciar sesión en SSH",
+    "sshSignInDescription": "Ingresa tus credenciales SSH para conectar",
+    "sshPasswordTab": "Contraseña",
+    "sshPrivateKeyTab": "Clave Privada",
+    "sshPrivateKeyField": "Clave Privada",
+    "sshPrivateKeyDisclaimer": "Su clave privada no se almacena ni es visible para Pangolin. Alternativamente, puede usar certificados de corta duración para una autenticación sin interrupciones usando su identidad Pangolin existente.",
+    "sshLearnMore": "Más información",
+    "sshPrivateKeyFile": "Archivo de clave privada",
+    "sshAuthenticate": "Conectar",
+    "sshTerminate": "Terminar",
+    "sshPoweredBy": "Desarrollado por",
+    "sshErrorNoTarget": "No se especificó el objetivo",
+    "sshErrorWebSocket": "Conexión WebSocket fallida",
+    "sshErrorAuthFailed": "Falló la autenticación",
+    "sshErrorConnectionClosed": "La conexión se cerró antes de completar la autenticación",
+    "sitePangolinSshDescription": "Permitir acceso SSH a los recursos en este sitio. Esto se puede cambiar más tarde.",
+    "browserGatewayNoResourceForDomain": "No se encontró un recurso para este dominio",
+    "browserGatewayNoTarget": "Sin destino",
+    "browserGatewayConnect": "Conectar",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Error al firmar la clave SSH para autenticación PAM push. ¿Te has iniciado sesión como usuario?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Conexión cerrada (código {code})",
+    "sshPrivateKeyPlaceholder": "-----COMIENZO DE LA CLAVE PRIVADA OPENSSH-----",
+    "sshPrivateKeyRequired": "Se requiere clave privada",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Introduce tu contraseña VNC para conectar",
+    "vncPasswordOptional": "Contraseña (opcional)",
+    "vncNoResourceTarget": "No hay objetivo de recurso disponible",
+    "vncFailedToLoadNovnc": "Error al cargar noVNC",
+    "vncAuthFailedStatus": "Estado {status}",
+    "vncPasteClipboard": "Pegar portapapeles",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Iniciar sesión en el Escritorio Remoto",
+    "rdpSignInDescription": "Introduce las credenciales de Windows para conectar",
+    "rdpLoadingModule": "Cargando módulo...",
+    "rdpFailedToLoadModule": "Error al cargar el módulo RDP",
+    "rdpNotReady": "No está listo",
+    "rdpModuleInitializing": "El módulo RDP aún se está iniciando",
+    "rdpDownloadingFiles": "Descargando {count} archivo(s) del remoto…",
+    "rdpDownloadFailed": "Error al descargar: {fileName}",
+    "rdpUploaded": "Subido: {fileName}",
+    "rdpNoConnectionTarget": "No hay objetivo de conexión disponible",
+    "rdpConnectionFailed": "Conexión fallida",
+    "rdpFit": "Ajustar",
+    "rdpFull": "Completo",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Subir archivos",
+    "rdpFilesReadyToPaste": "Archivos listos para pegar",
+    "rdpFilesReadyToPasteDescription": "{count, plural, one {# archivo copiado al portapapeles remoto — pulsa Ctrl+V en el escritorio remoto para pegar.} other {# archivos copiados al portapapeles remoto — pulsa Ctrl+V en el escritorio remoto para pegar.}}",
+    "rdpUploadFailed": "Error de subida",
+    "rdpUnicodeKeyboardMode": "Modo teclado Unicode",
+    "sessionToolbarShow": "Mostrar barra de herramientas",
+    "sessionToolbarHide": "Ocultar barra de herramientas"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Voir les ressources privées",
    "siteInstallNewt": "Installer Newt",
    "siteInstallNewtDescription": "Faites fonctionner Newt sur votre système",
+    "siteInstallKubernetesDocsDescription": "Pour plus d'informations à jour sur l'installation de Kubernetes, consultez <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Pour les instructions d'installation du modem Advantech, voir <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configuration WireGuard",
    "WgConfigurationDescription": "Utilisez la configuration suivante pour vous connecter au réseau",
    "operatingSystem": "Système d'exploitation",
@@ -156,6 +158,10 @@
    "shareErrorDeleteMessage": "Une erreur s'est produite lors de la suppression du lien",
    "shareDeleted": "Lien supprimé",
    "shareDeletedDescription": "Le lien a été supprimé",
+    "shareDelete": "Supprimer le lien partageable",
+    "shareDeleteConfirm": "Confirmer la suppression du lien partageable",
+    "shareQuestionRemove": "Êtes-vous sûr de vouloir supprimer ce lien de partage ?",
+    "shareMessageRemove": "Une fois supprimé, le lien ne fonctionnera plus et toute personne l'utilisant perdra l'accès à la ressource.",
    "shareTokenDescription": "Le jeton d'accès peut être passé de deux façons : en tant que paramètre de requête ou dans les en-têtes de la requête. Elles doivent être transmises par le client à chaque demande d'accès authentifié.",
    "accessToken": "Jeton d'accès",
    "usageExamples": "Exemples d'utilisation",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Une erreur s'est produite lors de la création du lien partageable",
    "shareCreateDescription": "N'importe qui avec ce lien peut accéder à la ressource",
    "shareTitleOptional": "Titre (facultatif)",
+    "sharePathOptional": "Chemin (optionnel)",
+    "sharePathDescription": "Le lien redirigera les utilisateurs vers ce chemin après l'authentification.",
    "expireIn": "Expire dans",
    "neverExpire": "N'expire jamais",
    "shareExpireDescription": "Le délai d'expiration correspond à la période pendant laquelle le lien sera utilisable et permettra d'accéder à la ressource. Passé ce délai, le lien ne fonctionnera plus et les utilisateurs qui l'ont utilisé perdront l'accès à la ressource.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Veuillez sélectionner une ressource",
    "proxyResourceTitle": "Gérer les ressources publiques",
    "proxyResourceDescription": "Créer et gérer des ressources accessibles au public via un navigateur web",
-    "proxyResourcesBannerTitle": "Accès public basé sur le Web",
-    "proxyResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS ou TCP/UDP accessibles par tout le monde sur Internet via un navigateur Web. Contrairement aux ressources privées, elles n'exigent pas de logiciel côté client et peuvent inclure des politiques d'accès basées sur l'identité et le contexte.",
+    "publicResourcesBannerTitle": "Accès public basé sur le Web",
+    "publicResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS accessibles à quiconque sur Internet via un navigateur Web. Contrairement aux ressources privées, elles ne nécessitent pas de logiciel côté client et peuvent inclure des politiques d'accès fondées sur l'identité et le contexte.",
    "clientResourceTitle": "Gérer les ressources privées",
    "clientResourceDescription": "Créer et gérer des ressources qui ne sont accessibles que via un client connecté",
    "privateResourcesBannerTitle": "Accès privé sans confiance",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Chercher des ressources...",
    "resourceAdd": "Ajouter une ressource",
    "resourceErrorDelte": "Erreur lors de la de suppression de la ressource",
+    "resourcePoliciesBannerTitle": "Réutiliser les règles d'authentification et d'accès",
+    "resourcePoliciesBannerDescription": "Les politiques de ressources partagées vous permettent de définir des méthodes d'authentification et des règles d'accès une fois, puis de les attacher à plusieurs ressources publiques. Lorsque vous mettez à jour une politique, chaque ressource liée hérite automatiquement des changements.",
+    "resourcePoliciesBannerButtonText": "En Savoir Plus",
+    "resourcePoliciesTitle": "Gérer les politiques de ressources publiques",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Ressources",
+    "resourcePoliciesAttachedResources": "{count} ressource(s)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# ressource} other {# ressources}}",
+    "resourcePoliciesAttachedResourcesEmpty": "pas de ressources",
+    "resourcePoliciesDescription": "Créez et gérer les politiques d'authentification pour contrôler l'accès à vos ressources publiques",
+    "resourcePoliciesSearch": "Chercher des politiques...",
+    "resourcePoliciesAdd": "Ajouter une politique",
+    "resourcePoliciesDefaultBadgeText": "Politique par défaut",
+    "resourcePoliciesCreate": "Créer une politique de ressource publique",
+    "resourcePoliciesCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle politique",
+    "resourcePolicyName": "Nom de la politique",
+    "resourcePolicyNameDescription": "Donnez à cette politique un nom pour l'identifier parmi vos ressources",
+    "resourcePolicyNamePlaceholder": "par exemple : Politique d'Accès Interne",
+    "resourcePoliciesSeeAll": "Voir toutes les politiques",
+    "resourcePolicyAuthMethodAdd": "Ajouter une méthode d'authentification",
+    "resourcePolicyOtpEmailAdd": "Ajouter des emails pour OTP",
+    "resourcePolicyRulesAdd": "Ajouter des règles",
+    "resourcePolicyAuthMethodsDescription": "Permettre l'accès aux ressources via des méthodes d'authentification supplémentaires",
+    "resourcePolicyUsersRolesDescription": "Configurer quels utilisateurs et rôles peuvent visiter les ressources associées",
+    "rulesResourcePolicyDescription": "Configurer les règles pour contrôler l'accès aux ressources associées à cette politique",
    "authentication": "Authentification",
    "protected": "Protégé",
    "notProtected": "Non Protégé",
    "resourceMessageRemove": "Une fois supprimée, la ressource ne sera plus accessible. Toutes les cibles associées à la ressource seront également supprimées.",
    "resourceQuestionRemove": "Êtes-vous sûr de vouloir retirer la ressource de l'organisation ?",
+    "resourcePolicyMessageRemove": "Une fois supprimée, la politique de ressource ne sera plus accessible. Toutes les ressources associées seront détachées et laissées sans authentification.",
+    "resourcePolicyQuestionRemove": "Êtes-vous sûr de vouloir supprimer la politique de ressource de l'organisation ?",
    "resourceHTTP": "Ressource HTTPS",
    "resourceHTTPDescription": "Proxy les demandes sur HTTPS en utilisant un nom de domaine entièrement qualifié.",
    "resourceRaw": "Ressource TCP/UDP brute",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. Nécessite des sites pour se connecter à un noeud distant.",
    "resourceCreate": "Créer une ressource",
    "resourceCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle ressource",
+    "resourceCreateGeneralDescription": "Configurer les paramètres de ressource de base, y compris le nom et le type",
    "resourceSeeAll": "Voir toutes les ressources",
-    "resourceInfo": "Informations sur la ressource",
+    "resourceCreateGeneral": "Général",
    "resourceNameDescription": "Ceci est le nom d'affichage de la ressource.",
    "siteSelect": "Sélectionnez un nœud",
    "siteSearch": "Chercher un nœud",
@@ -227,12 +262,15 @@
    "noCountryFound": "Aucun pays trouvé.",
    "siteSelectionDescription": "Ce site fournira la connectivité à la cible.",
    "resourceType": "Type de ressource",
-    "resourceTypeDescription": "Déterminer comment accéder à la ressource",
+    "resourceTypeDescription": "Cela contrôle le protocole de la ressource et comment il sera rendu dans le navigateur. Cela ne peut pas être changé plus tard.",
+    "resourceDomainDescription": "La ressource sera servie à ce nom de domaine pleinement qualifié.",
    "resourceHTTPSSettings": "Paramètres HTTPS",
    "resourceHTTPSSettingsDescription": "Configurer comment la ressource sera accédée via HTTPS",
+    "resourcePortDescription": "Le port externe sur l'instance ou nœud Pangolin où la ressource sera accessible.",
    "domainType": "Type de domaine",
    "subdomain": "Sous-domaine",
    "baseDomain": "Domaine racine",
+    "configure": "Configurer",
    "subdomnainDescription": "Le sous-domaine où la ressource sera accessible.",
    "resourceRawSettings": "Paramètres TCP/UDP",
    "resourceRawSettingsDescription": "Configurer comment la ressource sera accédée via TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Précédent",
    "cancel": "Abandonner",
    "resourceConfig": "Snippets de configuration",
-    "resourceConfigDescription": "Copiez et collez ces extraits de configuration pour configurer la ressource TCP/UDP",
+    "resourceConfigDescription": "Copiez et collez ces extraits de configuration pour configurer la ressource TCP/UDP.",
    "resourceAddEntrypoints": "Traefik: Ajouter des points d'entrée",
    "resourceExposePorts": "Gerbil: Exposer des ports dans Docker Compose",
    "resourceLearnRaw": "Apprenez à configurer les ressources TCP/UDP",
    "resourceBack": "Retour aux ressources",
    "resourceGoTo": "Aller à la ressource",
+    "resourcePolicyDelete": "Supprimer la politique de ressource",
+    "resourcePolicyDeleteConfirm": "Confirmer la suppression de la politique de ressource",
    "resourceDelete": "Supprimer la ressource",
    "resourceDeleteConfirm": "Confirmer la suppression de la ressource",
+    "labelDelete": "Supprimer Étiquette",
+    "labelAdd": "Ajouter Étiquette",
+    "labelCreateSuccessMessage": "Étiquette créée avec succès",
+    "labelDuplicateError": "Étiquette en double",
+    "labelDuplicateErrorDescription": "Une étiquette avec ce nom existe déjà.",
+    "labelEditSuccessMessage": "Étiquette modifiée avec succès",
+    "labelNameField": "Nom de l'étiquette",
+    "labelColorField": "Couleur de l'étiquette",
+    "labelPlaceholder": "Ex : homelab",
+    "labelCreate": "Créer Étiquette",
+    "createLabelDialogTitle": "Créer Étiquette",
+    "createLabelDialogDescription": "Créer une nouvelle étiquette qui peut être attachée à cette organisation",
+    "labelEdit": "Modifier Étiquette",
+    "editLabelDialogTitle": "Mettre à jour Étiquette",
+    "editLabelDialogDescription": "Modifier une nouvelle étiquette qui peut être attachée à cette organisation",
+    "labelDeleteConfirm": "Confirmer la suppression de l'étiquette",
+    "labelErrorDelete": "Échec de la suppression de l'étiquette",
+    "labelMessageRemove": "Cette action est permanente. Tous les sites, ressources et clients étiquetés avec cette étiquette seront détachés.",
+    "labelQuestionRemove": "Êtes-vous sûr de vouloir supprimer l'étiquette de l'organisation ?",
    "visibility": "Visibilité",
    "enabled": "Activé",
    "disabled": "Désactivé",
@@ -261,6 +320,8 @@
    "rules": "Règles",
    "resourceSettingDescription": "Configurer les paramètres de la ressource",
    "resourceSetting": "Réglages de {resourceName}",
+    "resourcePolicySettingDescription": "Configurez les paramètres de cette politique de ressource publique",
+    "resourcePolicySetting": "Paramètres de {policyName}",
    "alwaysAllow": "Outrepasser l'authentification",
    "alwaysDeny": "Bloquer l'accès",
    "passToAuth": "Passer à l'authentification",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Une fois retiré, cet utilisateur n'aura plus accès à l'organisation. Vous pouvez toujours le réinviter plus tard, mais il devra accepter l'invitation à nouveau.",
    "userRemoveOrgConfirm": "Confirmer la suppression de l'utilisateur",
    "userRemoveOrg": "Retirer l'utilisateur de l'organisation",
+    "userQuestionOrgRemoveSelf": "Êtes-vous sûr de vouloir vous retirer de cette organisation ?",
+    "userMessageOrgRemoveSelf": "Vous perdrez immédiatement l'accès. Un administrateur pourra vous inviter à nouveau plus tard, mais vous devrez accepter une nouvelle invitation.",
+    "userRemoveOrgConfirmSelf": "Confirmer la suppression de moi-même",
+    "userRemoveOrgSelf": "Se retirer de l'organisation",
+    "userRemoveOrgSelfWarning": "Vous perdrez immédiatement l'accès à cette organisation.",
+    "userRemoveOrgConfirmPhraseSelf": "SUPPRIMER MOI-MÊME DE L'ORG",
    "users": "Utilisateurs",
    "accessRoleMember": "Membre",
    "accessRoleOwner": "Propriétaire",
@@ -531,6 +598,11 @@
    "emailInvalid": "Adresse e-mail invalide",
    "inviteValidityDuration": "Veuillez sélectionner une durée",
    "accessRoleSelectPlease": "Veuillez sélectionner un rôle",
+    "removeOwnAdminRoleConfirmTitle": "Retirer votre accès administrateur ?",
+    "removeOwnAdminRoleConfirmDescription": "Vous n'aurez plus de droits d'administrateur dans cette organisation après avoir enregistré. Un autre administrateur pourra restaurer cet accès si nécessaire.",
+    "removeOwnAdminRoleConfirmButton": "Retirer mon accès administrateur",
+    "removeOwnAdminRoleConfirmPhrase": "RETIRER MON ACCÈS ADMIN",
+    "ownerMustRetainAdminRole": "Le propriétaire de l'organisation doit conserver au moins un rôle d'administrateur.",
    "usernameRequired": "Le nom d'utilisateur est requis",
    "idpSelectPlease": "Veuillez sélectionner un fournisseur d'identité",
    "idpGenericOidc": "Fournisseur OAuth2/OIDC générique.",
@@ -615,7 +687,7 @@
    "createdAt": "Créé le",
    "proxyErrorInvalidHeader": "Valeur d'en-tête Host personnalisée invalide. Utilisez le format de nom de domaine, ou laissez vide pour désactiver l'en-tête Host personnalisé.",
    "proxyErrorTls": "Nom de serveur TLS invalide. Utilisez le format de nom de domaine, ou laissez vide pour supprimer le nom de serveur TLS.",
-    "proxyEnableSSL": "Activer SSL",
+    "proxyEnableSSL": "Activer TLS",
    "proxyEnableSSLDescription": "Activer le cryptage SSL/TLS pour des connexions HTTPS sécurisées vers les cibles.",
    "target": "Cible",
    "configureTarget": "Configurer les cibles",
@@ -656,8 +728,9 @@
    "targetSubmit": "Ajouter une cible",
    "targetNoOne": "Cette ressource n'a aucune cible. Ajoutez une cible pour configurer où envoyer des requêtes à l'arrière-plan.",
    "targetNoOneDescription": "L'ajout de plus d'une cible ci-dessus activera l'équilibrage de charge.",
-    "targetsSubmit": "Enregistrer les cibles",
+    "targetsSubmit": "Enregistrer les paramètres",
    "addTarget": "Ajouter une cible",
+    "proxyMultiSiteRoundRobinNodeHelp": "Le routage en tourniquet n'opérera pas entre des sites qui ne sont pas connectés au même nœud, mais le basculement fonctionnera.",
    "targetErrorInvalidIp": "Adresse IP invalide",
    "targetErrorInvalidIpDescription": "Veuillez entrer une adresse IP ou un nom d'hôte valide",
    "targetErrorInvalidPort": "Port invalide",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Règle en double",
    "rulesErrorDuplicateDescription": "Une règle avec ces paramètres existe déjà",
    "rulesErrorInvalidIpAddressRange": "CIDR invalide",
-    "rulesErrorInvalidIpAddressRangeDescription": "Veuillez entrer une valeur CIDR valide",
-    "rulesErrorInvalidUrl": "Chemin URL invalide",
-    "rulesErrorInvalidUrlDescription": "Veuillez entrer un chemin URL valide",
-    "rulesErrorInvalidIpAddress": "IP invalide",
-    "rulesErrorInvalidIpAddressDescription": "Veuillez entrer une adresse IP valide",
+    "rulesErrorInvalidIpAddressRangeDescription": "Entrez une plage CIDR valide (par ex., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Chemin non valide",
+    "rulesErrorInvalidUrlDescription": "Entrez un chemin URL valide ou un modèle (par exemple, /api/*).",
+    "rulesErrorInvalidIpAddress": "Adresse IP invalide",
+    "rulesErrorInvalidIpAddressDescription": "Entrez une adresse IPv4 ou IPv6 valide.",
    "rulesErrorUpdate": "Échec de la mise à jour des règles",
    "rulesErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour des règles",
    "rulesUpdated": "Activer les règles",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "Entrez une adresse IP (ex: 103.21.244.12)",
    "rulesMatchUrl": "Entrez un chemin URL ou un motif (ex: /api/v1/todos ou /api/v1/*)",
    "rulesErrorInvalidPriority": "Priorité invalide",
-    "rulesErrorInvalidPriorityDescription": "Veuillez entrer une priorité valide",
+    "rulesErrorInvalidPriorityDescription": "Entrez un nombre entier de 1 ou plus.",
    "rulesErrorDuplicatePriority": "Priorités en double",
-    "rulesErrorDuplicatePriorityDescription": "Veuillez entrer des priorités uniques",
+    "rulesErrorDuplicatePriorityDescription": "Chaque règle doit avoir un numéro de priorité unique.",
+    "rulesErrorValidation": "Règles invalides",
+    "rulesErrorValidationRuleDescription": "Règle {ruleNumber} : {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Sélectionnez un type de correspondance valide (chemin, IP, CIDR, pays, région ou ASN).",
+    "rulesErrorValueRequired": "Entrez une valeur pour cette règle.",
+    "rulesErrorInvalidCountry": "Pays invalide",
+    "rulesErrorInvalidCountryDescription": "Sélectionnez un pays valide.",
+    "rulesErrorInvalidAsn": "ASN invalide",
+    "rulesErrorInvalidAsnDescription": "Entrez un ASN valide (par exemple, AS15169).",
    "ruleUpdated": "Règles mises à jour",
    "ruleUpdatedDescription": "Règles mises à jour avec succès",
    "ruleErrorUpdate": "L'opération a échoué",
    "ruleErrorUpdateDescription": "Une erreur s'est produite lors de l'enregistrement",
    "rulesPriority": "Priorité",
+    "rulesReorderDragHandle": "Faites glisser pour réorganiser la priorité des règles",
    "rulesAction": "Action",
    "rulesMatchType": "Type de correspondance",
    "value": "Valeur",
@@ -728,9 +810,60 @@
    "rulesResource": "Configuration des règles de ressource",
    "rulesResourceDescription": "Configurer les règles pour contrôler l'accès à la ressource",
    "ruleSubmit": "Ajouter une règle",
-    "rulesNoOne": "Aucune règle. Ajoutez une règle en utilisant le formulaire.",
+    "rulesNoOne": "Aucune règle pour le moment.",
    "rulesOrder": "Les règles sont évaluées par priorité dans l'ordre croissant.",
    "rulesSubmit": "Enregistrer les règles",
+    "policyErrorCreate": "Erreur lors de la création de la politique",
+    "policyErrorCreateDescription": "Une erreur s'est produite lors de la création de la politique",
+    "policyErrorCreateMessageDescription": "Une erreur inattendue s'est produite",
+    "policyErrorUpdate": "Erreur lors de la mise à jour de la politique",
+    "policyErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour de la politique",
+    "policyErrorUpdateMessageDescription": "Une erreur inattendue s'est produite",
+    "policyCreatedSuccess": "Politique de ressource créée avec succès",
+    "policyUpdatedSuccess": "Politique de ressource mise à jour avec succès",
+    "authMethodsSave": "Enregistrer les paramètres",
+    "policyAuthStackTitle": "Authentification",
+    "policyAuthStackDescription": "Contrôlez quelles méthodes d'authentification sont nécessaires pour accéder à cette ressource",
+    "policyAuthOrLogicTitle": "Plusieurs méthodes d'authentification actives",
+    "policyAuthOrLogicBanner": "Les visiteurs peuvent s'authentifier en utilisant l'une des méthodes actives ci-dessous. Ils n'ont pas besoin de toutes les compléter.",
+    "policyAuthMethodActive": "Actif",
+    "policyAuthMethodOff": "Éteint",
+    "policyAuthSsoTitle": "SSO de la plateforme",
+    "policyAuthSsoDescription": "Exigez une connexion via le fournisseur d'identité de votre organisation",
+    "policyAuthSsoSummary": "{idp} · {users} utilisateurs, {roles} rôles",
+    "policyAuthSsoDefaultIdp": "Fournisseur par défaut",
+    "policyAuthAddDefaultIdentityProvider": "Ajouter un fournisseur d'identité par défaut",
+    "policyAuthOtherMethodsTitle": "Autres méthodes",
+    "policyAuthOtherMethodsDescription": "Des méthodes facultatives que les visiteurs peuvent utiliser à la place de ou en parallèle avec la SSO de la plateforme",
+    "policyAuthPasscodeTitle": "Code confidentiel",
+    "policyAuthPasscodeDescription": "Exiger un code confidentiel alphanumérique partagé pour accéder à la ressource",
+    "policyAuthPasscodeSummary": "Code confidentiel établi",
+    "policyAuthPincodeTitle": "Code PIN",
+    "policyAuthPincodeDescription": "Un code numérique court requis pour accéder à la ressource",
+    "policyAuthPincodeSummary": "Code PIN à 6 chiffres établi",
+    "policyAuthEmailTitle": "Liste blanche des e-mails",
+    "policyAuthEmailDescription": "Autorisez les adresses e-mail listées avec des mots de passe à usage unique",
+    "policyAuthEmailSummary": "{count} adresses autorisées",
+    "policyAuthEmailOtpCallout": "Activer la liste blanche des e-mails envoie un mot de passe à usage unique à l'e-mail du visiteur lors de la connexion.",
+    "policyAuthHeaderAuthTitle": "Authentification de l'en-tête de base",
+    "policyAuthHeaderAuthDescription": "Validez un nom et une valeur d'en-tête HTTP personnalisé à chaque requête",
+    "policyAuthHeaderAuthSummary": "En-tête configuré",
+    "policyAuthHeaderName": "Nom de l'en-tête",
+    "policyAuthHeaderValue": "Valeur attendue",
+    "policyAuthSetPasscode": "Définir le code confidentiel",
+    "policyAuthSetPincode": "Définir le code PIN",
+    "policyAuthSetEmailWhitelist": "Définir la liste blanche des e-mails",
+    "policyAuthSetHeaderAuth": "Configurer l'authentification des en-têtes de base",
+    "policyAccessRulesTitle": "Règles d'accès",
+    "policyAccessRulesEnableDescription": "Lorsqu'elles sont activées, les règles sont évaluées dans l'ordre décroissant jusqu'à ce que l'une soit évaluée comme vraie.",
+    "policyAccessRulesFirstMatch": "Les règles sont évaluées de haut en bas. La première règle correspondante décide du résultat.",
+    "policyAccessRulesHowItWorks": "Les règles correspondent aux demandes par chemin, adresse IP, emplacement, ou d'autres critères. Chaque règle applique une action : contourner l'authentification, bloquer l'accès, ou passer à l'authentification. Si aucune règle ne correspond, le trafic continue jusqu'à l'authentification.",
+    "policyAccessRulesFallthroughOff": "Lorsque les règles sont désactivées, tout le trafic passe par l'authentification.",
+    "policyAccessRulesFallthroughOn": "Lorsqu'aucune règle ne correspond, le trafic passe par l'authentification.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Enregistrer les règles",
    "resourceErrorCreate": "Erreur lors de la création de la ressource",
    "resourceErrorCreateDescription": "Une erreur s'est produite lors de la création de la ressource",
    "resourceErrorCreateMessage": "Erreur lors de la création de la ressource :",
@@ -752,7 +885,7 @@
    "accessControl": "Contrôle d'accès",
    "shareLink": "Lien de partage {resource}",
    "resourceSelect": "Sélectionner une ressource",
-    "shareLinks": "Liens de partage",
+    "shareLinks": "Liens partageables",
    "share": "Liens partageables",
    "shareDescription2": "Créez des liens partageables vers des ressources. Les liens fournissent un accès temporaire ou illimité à votre ressource. Vous pouvez configurer la durée d'expiration du lien lorsque vous en créez un.",
    "shareEasyCreate": "Facile à créer et à partager",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Ajouter un code PIN",
    "pincodeRemove": "Supprimer le code PIN",
    "resourceAuthMethods": "Méthodes d'authentification",
+    "resourcePolicyAuthMethodsEmpty": "Pas de méthode d'authentification",
+    "resourcePolicyOtpEmpty": "Aucun mot de passe à usage unique",
+    "resourcePolicyReadOnly": "Cette politique est en lecture seule",
+    "resourcePolicyReadOnlyDescription": "Cette politique de ressource est partagée sur plusieurs ressources, vous ne pouvez pas l'éditer sur cette page.",
+    "editSharedPolicy": "Modifier la politique partagée",
+    "resourcePolicyTypeSave": "Enregistrer le type de ressource",
+    "resourcePolicySelect": "Sélectionner la politique de ressource",
+    "resourcePolicySelectError": "Sélectionner une politique de ressource",
+    "resourcePolicyNotFound": "Politique introuvable",
+    "resourcePolicySearch": "Chercher des politiques",
+    "resourcePolicyRulesEmpty": "Pas de règles d'authentification",
    "resourceAuthMethodsDescriptions": "Permettre l'accès à la ressource via des méthodes d'authentification supplémentaires",
    "resourceAuthSettingsSave": "Enregistré avec succès",
    "resourceAuthSettingsSaveDescription": "Les paramètres d'authentification ont été enregistrés",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Définir le code PIN",
    "resourcePincodeSetupTitleDescription": "Définir un code PIN pour protéger cette ressource",
    "resourceRoleDescription": "Les administrateurs peuvent toujours accéder à cette ressource.",
+    "resourcePolicySelectTitle": "Politique d'accès à la ressource",
+    "resourcePolicySelectDescription": "Sélectionner le type de politique de ressource pour l'authentification",
+    "resourcePolicyTypeLabel": "Type de politique",
+    "resourcePolicyLabel": "Politique de ressource",
+    "resourcePolicyInline": "Politique de ressource en ligne",
+    "resourcePolicyInlineDescription": "Politique d'accès limitée uniquement à cette ressource",
+    "resourcePolicyShared": "Politique de ressource partagée",
+    "resourcePolicySharedDescription": "Cette ressource utilise une politique partagée.",
+    "sharedPolicy": "Politique partagée",
+    "sharedPolicyNoneDescription": "Cette ressource a sa propre politique.",
+    "resourceSharedPolicyOwnDescription": "Cette ressource a ses propres contrôles de règles d'authentification et d'accès.",
+    "resourceSharedPolicyInheritedDescription": "Cette ressource hérite de <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Cette ressource utilise une politique partagée. Certains paramètres d'authentification peuvent être modifiés sur cette ressource pour ajouter à la politique. Pour changer la politique sous-jacente, vous devez éditer à <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Cette ressource utilise une politique partagée. Certaines règles d'accès peuvent être modifiées sur cette ressource. Pour changer la politique sous-jacente, vous devez éditer <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Contrôles d'accès",
    "resourceUsersRolesDescription": "Configurer quels utilisateurs et rôles peuvent visiter cette ressource",
    "resourceUsersRolesSubmit": "Enregistrer les contrôles d'accès",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilité",
    "resourceVisibilityTitleDescription": "Activer ou désactiver complètement la visibilité de la ressource",
    "resourceGeneral": "Paramètres généraux",
-    "resourceGeneralDescription": "Configurer les paramètres généraux de cette ressource",
+    "resourceGeneralDescription": "Configurer le nom, l'adresse et la politique d'accès pour cette ressource.",
+    "resourceGeneralDetailsSubsection": "Détails de la ressource",
+    "resourceGeneralDetailsSubsectionDescription": "Définir le nom d'affichage, l'identifiant et le domaine accessible publiquement pour cette ressource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Définir le nom d'affichage, l'identifiant et le port public pour cette ressource.",
+    "resourceGeneralPublicAddressSubsection": "Adresse publique",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configurez comment les utilisateurs accèdent à cette ressource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentification & Accès",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choisissez si cette ressource utilise sa propre politique ou hérite d'une politique partagée.",
    "resourceEnable": "Activer la ressource",
    "resourceTransfer": "Transférer la ressource",
    "resourceTransferDescription": "Transférer cette ressource vers un autre site",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Un problème est survenu lors de la connexion à {name}. Veuillez contacter votre administrateur.",
    "idpErrorNotFound": "IdP introuvable",
    "inviteInvalid": "Invitation invalide",
+    "labels": "Étiquettes",
+    "orgLabelsDescription": "Gérer les étiquettes dans cette organisation.",
+    "addLabels": "Ajouter des étiquettes",
+    "siteLabelsTab": "Étiquettes",
+    "siteLabelsDescription": "Gérer les étiquettes associées à ce site.",
+    "labelsNotFound": "Aucune étiquette trouvée.",
+    "labelsEmptyCreateHint": "Commencez à taper ci-dessus pour créer une étiquette.",
+    "labelSearch": "Chercher des étiquettes",
+    "labelSearchOrCreate": "Recherchez ou créez une étiquette",
+    "accessLabelFilterCount": "{count, plural, one {# étiquette} other {# étiquettes}}",
+    "labelOverflowCount": "+{count, plural, one {# étiquette} other {# étiquettes}}",
+    "accessLabelFilterClear": "Effacer les filtres d'étiquette",
+    "accessFilterClear": "Effacer les filtres",
+    "selectColor": "Sélectionner la couleur",
+    "createNewLabel": "Créer une nouvelle étiquette d'organisation \"{label}\"",
    "inviteInvalidDescription": "Le lien d'invitation n'est pas valide.",
    "inviteErrorWrongUser": "L'invitation n'est pas pour cet utilisateur",
    "inviteErrorUserNotExists": "L'utilisateur n'existe pas. Veuillez d'abord créer un compte.",
@@ -1356,8 +1536,10 @@
    "sidebarSites": "Nœuds",
    "sidebarApprovals": "Demandes d'approbation",
    "sidebarResources": "Ressource",
-    "sidebarProxyResources": "Publiques",
+    "sidebarProxyResources": "Publique",
    "sidebarClientResources": "Privé",
+    "sidebarPolicies": "Politiques partagées",
+    "sidebarResourcePolicies": "Ressources publiques",
    "sidebarAccessControl": "Contrôle d'accès",
    "sidebarLogsAndAnalytics": "Journaux & Analytiques",
    "sidebarTeam": "Equipe",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Administrateur",
    "sidebarInvitations": "Invitations",
    "sidebarRoles": "Rôles",
-    "sidebarShareableLinks": "Liens",
+    "sidebarShareableLinks": "Liens partageables",
    "sidebarApiKeys": "Clés API",
    "sidebarProvisioning": "Mise en place",
    "sidebarSettings": "Réglages",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Site {id}",
    "standaloneHcFilterResourceIdFallback": "Ressource {id}",
    "blueprints": "Configs",
-    "blueprintsDescription": "Appliquer les configurations déclaratives et afficher les exécutions précédentes",
+    "blueprintsLog": "Journal des plans",
+    "blueprintsDescription": "Consultez les applications et leurs résultats de planches à dessin passées ou appliquez une nouvelle planche à dessin",
    "blueprintAdd": "Ajouter une Config",
    "blueprintGoBack": "Voir toutes les Configs",
    "blueprintCreate": "Créer une Config",
@@ -1559,7 +1742,17 @@
    "contents": "Contenus",
    "parsedContents": "Contenu analysé (lecture seule)",
    "enableDockerSocket": "Activer la Config Docker",
-    "enableDockerSocketDescription": "Activer le ramassage d'étiquettes de socket Docker pour les étiquettes de plan. Le chemin de socket doit être fourni à Newt.",
+    "enableDockerSocketDescription": "Activer le ramassage d'étiquettes de socket Docker pour les étiquettes de plan. Le chemin du socket doit être fourni au connecteur du site. Lisez plus à ce sujet dans <docsLink>la documentation</docsLink>.",
+    "newtAutoUpdate": "Activer la mise à jour automatique du site",
+    "newtAutoUpdateDescription": "Lorsqu'il est activé, les connecteurs de site téléchargeront automatiquement la dernière version et redémarreront eux-mêmes. Cela peut être contourné sur une base par site.",
+    "siteAutoUpdate": "Mise à jour automatique du site",
+    "siteAutoUpdateLabel": "Activer la mise à jour automatique",
+    "siteAutoUpdateDescription": "Lorsqu'il est activé, le connecteur de ce site téléchargera automatiquement la dernière version et se redémarrera.",
+    "siteAutoUpdateOrgDefault": "Valeur par défaut de l'organisation : {state}",
+    "siteAutoUpdateOverriding": "Substitution des paramètres de l'organisation",
+    "siteAutoUpdateResetToOrg": "Réinitialiser à la valeur par défaut de l'organisation",
+    "siteAutoUpdateEnabled": "activé",
+    "siteAutoUpdateDisabled": "désactivé",
    "viewDockerContainers": "Voir les conteneurs Docker",
    "containersIn": "Conteneurs en {siteName}",
    "selectContainerDescription": "Sélectionnez n'importe quel conteneur à utiliser comme nom d'hôte pour cette cible. Cliquez sur un port pour utiliser un port.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certificat",
    "certificateStatusAutoRefreshHint": "L'état se rafraîchit automatiquement.",
    "loading": "Chargement",
+    "loadingEllipsis": "Chargement...",
    "loadingAnalytics": "Chargement de l'analyse",
    "restart": "Redémarrer",
    "domains": "Domaines",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Configuration du compte terminée! Bienvenue chez Pangolin !",
    "documentation": "Documentation",
    "saveAllSettings": "Enregistrer tous les paramètres",
-    "saveResourceTargets": "Enregistrer les cibles",
-    "saveResourceHttp": "Enregistrer les paramètres de proxy",
-    "saveProxyProtocol": "Enregistrer les paramètres du protocole proxy",
+    "saveResourceTargets": "Enregistrer les paramètres",
+    "saveResourceHttp": "Enregistrer les paramètres",
+    "saveProxyProtocol": "Enregistrer les paramètres",
    "settingsUpdated": "Paramètres mis à jour",
    "settingsUpdatedDescription": "Paramètres mis à jour avec succès",
    "settingsErrorUpdate": "Échec de la mise à jour des paramètres",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Gérer votre abonnement pour les clés de licence auto-hébergées payantes",
    "billingCurrentKeys": "Clés actuelles",
    "billingModifyCurrentPlan": "Modifier le plan actuel",
+    "billingManageLicenseSubscriptionDescription": "Gérez votre abonnement pour clés de licence auto-hébergées payantes et téléchargez les factures.",
    "billingConfirmUpgrade": "Confirmer la mise à niveau",
    "billingConfirmDowngrade": "Confirmer la rétrogradation",
    "billingConfirmUpgradeDescription": "Vous êtes sur le point de mettre à niveau votre offre. Examinez les nouvelles limites et les nouveaux prix ci-dessous.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Inconnu",
    "healthCheck": "Vérification de l'état de santé",
    "configureHealthCheck": "Configurer la vérification de l'état de santé",
-    "configureHealthCheckDescription": "Configurer la surveillance de la santé pour {target}",
+    "configureHealthCheckDescription": "Configurez la surveillance de votre ressource pour vous assurer qu'elle est toujours disponible",
    "enableHealthChecks": "Activer les vérifications de santé",
    "healthCheckDisabledStateDescription": "Lorsqu'il est désactivé, le site ne procédera pas aux vérifications de santé et l'état sera considéré comme inconnu.",
    "enableHealthChecksDescription": "Surveiller la vie de cette cible. Vous pouvez surveiller un point de terminaison différent de la cible si nécessaire.",
    "healthScheme": "Méthode",
    "healthSelectScheme": "Sélectionnez la méthode",
-    "healthCheckPortInvalid": "Le port du bilan de santé doit être compris entre 1 et 65535",
+    "healthCheckPortInvalid": "Le port doit être compris entre 1 et 65535",
    "healthCheckPath": "Chemin d'accès",
    "healthHostname": "IP / Hôte",
    "healthPort": "Port",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Le temps est exprimé en secondes",
    "requireDeviceApproval": "Exiger les autorisations de l'appareil",
    "requireDeviceApprovalDescription": "Les utilisateurs ayant ce rôle ont besoin de nouveaux périphériques approuvés par un administrateur avant de pouvoir se connecter et accéder aux ressources.",
+    "sshSettings": "Paramètres SSH",
    "sshAccess": "Accès SSH",
+    "rdpSettings": "Paramètres RDP",
+    "vncSettings": "Paramètres VNC",
+    "sshServer": "Serveur SSH",
+    "rdpServer": "Serveur RDP",
+    "vncServer": "Serveur VNC",
+    "sshServerDescription": "Configurer la méthode d'authentification, l'emplacement du démon et la destination du serveur",
+    "rdpServerDescription": "Configurer la destination et le port du serveur RDP",
+    "vncServerDescription": "Configurer la destination et le port du serveur VNC",
+    "sshServerMode": "Mode",
+    "sshServerModeStandard": "Serveur SSH Standard",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Relai les commandes sur le réseau vers un serveur SSH tel qu'OpenSSH.",
+    "sshServerModeNative": "Serveur SSH Natif",
+    "sshServerModeNativeDescription": "Exécute les commandes directement sur l'hôte via le Connecteur de Site. Aucune configuration réseau requise.",
+    "sshAuthenticationMethod": "Méthode d'authentification",
+    "sshAuthMethodManual": "Authentification Manuelle",
+    "sshAuthMethodManualDescription": "Nécessite des identifiants d'hôte existants. Évite l'approvisionnement automatique.",
+    "sshAuthMethodAutomated": "Approvisionnement Automatisé",
+    "sshAuthMethodAutomatedDescription": "Crée automatiquement des utilisateurs, groupes, et permissions sudo sur l'hôte.",
+    "sshAuthDaemonLocation": "Emplacement du Démon Auth",
+    "sshDaemonLocationSiteDescription": "Exécute localement sur la machine hébergeant le connecteur de site.",
+    "sshDaemonLocationRemote": "Sur hôte distant",
+    "sshDaemonLocationRemoteDescription": "S'exécute sur une machine cible séparée sur le même réseau.",
+    "sshDaemonDisclaimer": "Assurez-vous que votre hôte cible est correctement configuré pour exécuter le daemon auth avant de terminer cette configuration, ou l'approvisionnement échouera.",
+    "sshDaemonPort": "Port du Démon",
+    "sshServerDestination": "Destination du Serveur",
+    "sshServerDestinationDescription": "Configurez la destination du serveur SSH",
+    "destination": "Destination",
+    "destinationRequired": "La destination est requise.",
+    "domainRequired": "Le domaine est requis.",
+    "proxyPortRequired": "Le port est requis.",
+    "invalidPathConfiguration": "Configuration de chemin invalide.",
+    "invalidRewritePathConfiguration": "Configuration de réécriture de chemin invalide.",
+    "bgTargetMultiSiteDisclaimer": "La sélection de plusieurs sites permet un routage résilient et une bascule pour une haute disponibilité.",
    "roleAllowSsh": "Autoriser SSH",
    "roleAllowSshAllow": "Autoriser",
    "roleAllowSshDisallow": "Interdire",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "L'utilisateur ne peut exécuter que les commandes spécifiées avec sudo.",
    "sshSudo": "Autoriser sudo",
    "sshSudoCommands": "Commandes Sudo",
-    "sshSudoCommandsDescription": "Liste des commandes séparées par des virgules que l'utilisateur est autorisé à exécuter avec sudo.",
+    "sshSudoCommandsDescription": "Liste des commandes que l'utilisateur est autorisé à exécuter avec sudo, séparées par des virgules, des espaces ou des nouvelles lignes. Les chemins absolus doivent être utilisés.",
    "sshCreateHomeDir": "Créer un répertoire personnel",
    "sshUnixGroups": "Groupes Unix",
-    "sshUnixGroupsDescription": "Groupes Unix séparés par des virgules pour ajouter l'utilisateur sur l'hôte cible.",
+    "sshUnixGroupsDescription": "Groupes Unix auxquels ajouter l'utilisateur sur l'hôte cible, séparés par des virgules, des espaces, ou des nouvelles lignes.",
+    "roleTextFieldPlaceholder": "Entrez des valeurs, ou déposez un fichier .txt ou .csv",
+    "roleTextImportTitle": "Importer depuis un fichier",
+    "roleTextImportDescription": "Importation de {fileName} dans {fieldLabel}.",
+    "roleTextImportSkipHeader": "Ignorer la première ligne (en-tête)",
+    "roleTextImportOverride": "Remplacer l'existant",
+    "roleTextImportAppend": "Ajouter à l'existant",
+    "roleTextImportMode": "Mode d'importation",
+    "roleTextImportPreview": "Aperçu",
+    "roleTextImportItemCount": "{count, plural, =0 {Aucun élément à importer} one {1 élément à importer} other {# éléments à importer}}",
+    "roleTextImportTotalCount": "{existing} existant + {imported} importé = {total} total",
+    "roleTextImportConfirm": "Importer",
+    "roleTextImportInvalidFile": "Type de fichier non pris en charge",
+    "roleTextImportInvalidFileDescription": "Seuls les fichiers .txt et .csv sont pris en charge.",
+    "roleTextImportEmpty": "Aucun élément trouvé dans le fichier",
+    "roleTextImportEmptyDescription": "Le fichier ne contient aucun élément importable.",
    "retryAttempts": "Tentatives de réessai",
    "expectedResponseCodes": "Codes de réponse attendus",
    "expectedResponseCodesDescription": "Code de statut HTTP indiquant un état de santé satisfaisant. Si non renseigné, 200-300 est considéré comme satisfaisant.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Méthode HTTP",
-    "editInternalResourceDialogEnableSsl": "Activer SSL",
+    "editInternalResourceDialogEnableSsl": "Activer TLS",
    "editInternalResourceDialogEnableSslDescription": "Activer le cryptage SSL/TLS pour des connexions HTTPS sécurisées vers la destination.",
    "editInternalResourceDialogDestination": "Destination",
    "editInternalResourceDialogDestinationHostDescription": "L'adresse IP ou le nom d'hôte de la ressource sur le réseau du site.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Méthode HTTP",
    "createInternalResourceDialogScheme": "Méthode HTTP",
-    "createInternalResourceDialogEnableSsl": "Activer SSL",
+    "createInternalResourceDialogEnableSsl": "Activer TLS",
    "createInternalResourceDialogEnableSslDescription": "Activer le cryptage SSL/TLS pour des connexions HTTPS sécurisées vers la destination.",
    "createInternalResourceDialogDestination": "Destination",
    "createInternalResourceDialogDestinationHostDescription": "L'adresse IP ou le nom d'hôte de la ressource sur le réseau du site.",
@@ -2217,7 +2464,7 @@
        "description": "Serveur Pangolin auto-hébergé avec des cloches et des sifflets supplémentaires",
        "introTitle": "Pangolin auto-hébergé géré",
        "introDescription": "est une option de déploiement conçue pour les personnes qui veulent de la simplicité et de la fiabilité tout en gardant leurs données privées et auto-hébergées.",
-        "introDetail": "Avec cette option, vous exécutez toujours votre propre nœud Pangolin - vos tunnels, la terminaison SSL et le trafic restent sur votre serveur. La différence est que la gestion et la surveillance sont gérées via notre tableau de bord du cloud, qui déverrouille un certain nombre d'avantages :",
+        "introDetail": "Avec cette option, vous exécutez toujours votre propre nœud Pangolin - vos tunnels, la terminaison TLS et le trafic restent sur votre serveur. La différence est que la gestion et la surveillance sont gérées via notre tableau de bord du cloud, ce qui débloque un certain nombre d'avantages :",
        "benefitSimplerOperations": {
            "title": "Opérations plus simples",
            "description": "Pas besoin de faire tourner votre propre serveur de messagerie ou de configurer des alertes complexes. Vous obtiendrez des contrôles de santé et des alertes de temps d'arrêt par la suite."
@@ -2458,8 +2705,8 @@
    "manageUserDevicesDescription": "Voir et gérer les appareils que les utilisateurs utilisent pour se connecter en privé aux ressources",
    "downloadClientBannerTitle": "Télécharger le client Pangolin",
    "downloadClientBannerDescription": "Téléchargez le client Pangolin pour votre système afin de vous connecter au réseau Pangolin et accéder aux ressources de manière privée.",
-    "manageMachineClients": "Gérer les machines",
-    "manageMachineClientsDescription": "Créer et gérer les clients que les serveurs et systèmes utilisent pour se connecter en privé aux ressources",
+    "manageMachineClients": "Gérer les clients de la machine",
+    "manageMachineClientsDescription": "Créer et gérer des clients que les serveurs et les systèmes utilisent pour se connecter en privé aux ressources",
    "machineClientsBannerTitle": "Serveurs & Systèmes automatisés",
    "machineClientsBannerDescription": "Les clients de machine sont conçus pour les serveurs et les systèmes automatisés qui ne sont pas associés à un utilisateur spécifique. Ils s'authentifient avec un identifiant et une clé secrète, et peuvent être exécutés avec Pangolin CLI, Olm CLI ou Olm en tant que conteneur.",
    "machineClientsBannerPangolinCLI": "Pangolin CLI",
@@ -2652,6 +2899,8 @@
    "validPassword": "Mot de passe valide",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Afficher",
+    "configManaged": "Configuration gérée",
    "connectedClient": "Client connecté",
    "resourceBlocked": "Ressource bloquée",
    "droppedByRule": "Abandonné par la règle",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Activer le protocole Proxy",
    "proxyProtocolInfo": "Conserver les adresses IP du client pour les backends TCP",
    "proxyProtocolVersion": "Version du protocole proxy",
-    "version1": " Version 1 (Recommandé)",
+    "version1": "Version 1 (Recommandée)",
    "version2": "Version 2",
-    "versionDescription": "La version 1 est basée sur du texte et est largement supportée. La version 2 est binaire et plus efficace mais moins compatible.",
+    "version1Description": "Basé sur texte et largement pris en charge. Assurez-vous que le transport des serveurs est ajouté à la configuration dynamique.",
+    "version2Description": "Binaire et plus efficace mais moins compatible. Assurez-vous que le transport des serveurs est ajouté à la configuration dynamique.",
    "warning": "Avertissement",
    "proxyProtocolWarning": "L'application backend doit être configurée pour accepter les connexions Proxy Protocol. Si votre backend ne prend pas en charge le protocole Proxy, l'activation de cette option va perturber toutes les connexions, donc n'activez cette option que si vous savez ce que vous faites. Assurez-vous de configurer votre backend pour faire confiance aux en-têtes du protocole Proxy de Traefik.",
    "restarting": "Redémarrage...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Entrez la confirmation",
    "blueprintViewDetails": "Détails",
    "defaultIdentityProvider": "Fournisseur d'identité par défaut",
-    "defaultIdentityProviderDescription": "Lorsqu'un fournisseur d'identité par défaut est sélectionné, l'utilisateur sera automatiquement redirigé vers le fournisseur pour authentification.",
+    "defaultIdentityProviderDescription": "L'utilisateur sera automatiquement redirigé vers ce fournisseur d'identité pour l'authentification.",
    "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
    "editInternalResourceDialogAccessPolicy": "Politique d'accès",
    "editInternalResourceDialogAddRoles": "Ajouter des rôles",
@@ -2919,11 +3169,12 @@
    "learnMore": "En savoir plus",
    "backToHome": "Retour à l'accueil",
    "needToSignInToOrg": "Besoin d'utiliser le fournisseur d'identité de votre organisation ?",
-    "maintenanceMode": "Mode de maintenance",
+    "maintenanceMode": "Page de maintenance",
    "maintenanceModeDescription": "Afficher une page de maintenance aux visiteurs",
    "maintenanceModeType": "Type de mode de maintenance",
    "showMaintenancePage": "Afficher une page de maintenance aux visiteurs",
    "enableMaintenanceMode": "Activer le mode de maintenance",
+    "enableMaintenanceModeDescription": "Lorsqu'il est activé, les visiteurs verront une page de maintenance au lieu de votre ressource.",
    "automatic": "Automatique",
    "automaticModeDescription": "Afficher la page de maintenance uniquement lorsque toutes les cibles backend sont en panne ou dégradées. Votre ressource continue à fonctionner normalement tant qu'au moins une cible est en bonne santé.",
    "forced": "Forcé",
@@ -2931,6 +3182,8 @@
    "warning:": "Attention :",
    "forcedeModeWarning": "Tout le trafic sera dirigé vers la page de maintenance. Vos ressources backend ne recevront aucune demande.",
    "pageTitle": "Titre de la page",
+    "maintenancePageContentSubsection": "Contenu de la page",
+    "maintenancePageContentSubsectionDescription": "Personnalisez le contenu affiché sur la page de maintenance",
    "pageTitleDescription": "Le titre principal affiché sur la page de maintenance",
    "maintenancePageMessage": "Message de maintenance",
    "maintenancePageMessagePlaceholder": "Nous serons bientôt de retour ! Notre site est actuellement en maintenance planifiée.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Achèvement estimé :",
    "createInternalResourceDialogDestinationRequired": "La destination est requise",
    "available": "Disponible",
+    "disabledResourceDescription": "Lorsqu'il est désactivé, la ressource sera inaccessible pour tout le monde.",
    "archived": "Archivé",
    "noArchivedDevices": "Aucun périphérique archivé trouvé",
    "deviceArchived": "Appareil archivé",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Transférer des événements directement sur votre compte Datadog. Prochainement.",
    "streamingTypePickerDescription": "Choisissez un type de destination pour commencer.",
-    "streamingFailedToLoad": "Impossible de charger les destinations",
+    "streamingLastSyncError": "Une erreur s'est produite lors de la dernière synchronisation",
    "streamingUnexpectedError": "Une erreur inattendue s'est produite.",
    "streamingFailedToUpdate": "Impossible de mettre à jour la destination",
    "streamingDeletedSuccess": "Destination supprimée avec succès",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Modifier la destination",
    "S3DestAddTitle": "Ajouter une destination S3",
    "S3DestEditDescription": "Mettre à jour la configuration de cette destination de diffusion d'événements S3.",
-    "S3DestAddDescription": "Configurer un nouveau point de terminaison S3 pour recevoir les événements de votre organisation.",
+    "S3DestAddDescription": "Configurez un nouveau bucket Amazon S3 (ou compatible S3) pour recevoir les événements de votre organisation.",
+    "s3DestTabSettings": "Réglages",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Nom",
+    "s3DestNamePlaceholder": "Ma destination S3",
+    "s3DestAccessKeyIdLabel": "ID de clé d'accès AWS",
+    "s3DestSecretAccessKeyLabel": "Clé d'accès secrète AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Votre clé d'accès secrète AWS",
+    "s3DestRegionLabel": "Région AWS",
+    "s3DestBucketLabel": "Nom du bucket",
+    "s3DestPrefixLabel": "Préfixe clé (facultatif)",
+    "s3DestPrefixDescription": "Préfixe de chemin facultatif préfixé à chaque clé d'objet. Les objets sont stockés à {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Point de terminaison personnalisé (facultatif)",
+    "s3DestEndpointDescription": "Modifiez le point de terminaison S3 pour un stockage compatible S3 tel que MinIO ou Cloudflare R2. Laissez vide pour l'AWS S3 standard.",
+    "s3DestGzipLabel": "Compression Gzip",
+    "s3DestGzipDescription": "Compressez chaque objet téléchargé avec gzip. Réduit les coûts de stockage et la taille de téléchargement.",
+    "s3DestFormatTitle": "Format de fichier",
+    "s3DestFormatDescription": "Comment les événements sont sérialisés dans chaque objet téléchargé.",
+    "s3DestFormatJsonArrayDescription": "Chaque objet est un tableau JSON des enregistrements d'événements. Compatible avec la plupart des outils d'analyse.",
+    "s3DestFormatNdjsonDescription": "Chaque objet contient un enregistrement JSON par ligne (JSON délimité par saut de ligne). Compatible avec Athena, BigQuery et Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Chaque objet est un fichier CSV RFC-4180 avec une ligne d'en-tête. Les noms de colonne sont dérivés des champs de données de l'événement.",
+    "s3DestSaveChanges": "Enregistrer les modifications",
+    "s3DestCreateDestination": "Créer une destination",
+    "s3DestUpdatedSuccess": "Destination mise à jour avec succès",
+    "s3DestCreatedSuccess": "Destination créée avec succès",
+    "s3DestUpdateFailed": "Échec de la mise à jour de la destination",
+    "s3DestCreateFailed": "Échec de la création de la destination",
    "datadogDestEditTitle": "Modifier la destination",
    "datadogDestAddTitle": "Ajouter une destination Datadog",
    "datadogDestEditDescription": "Mettre à jour la configuration de cette destination de diffusion d'événements Datadog.",
@@ -3154,7 +3435,6 @@
    "healthCheckTabAdvanced": "Avancé",
    "healthCheckStrategyNotAvailable": "Cette stratégie n'est pas disponible. Veuillez contacter le service commercial pour activer cette fonctionnalité.",
    "uptime30d": "Disponibilité (30j)",
-    "uptimeNoData": "Aucune donnée",
    "idpAddActionCreateNew": "Créer un nouveau fournisseur d'identité",
    "idpAddActionImportFromOrg": "Importer d'une autre organisation",
    "idpImportDialogTitle": "Importer le fournisseur d'identité",
@@ -3168,6 +3448,8 @@
    "idpUnassociateQuestion": "Êtes-vous sûr de vouloir dissocier ce fournisseur d'identités de cette organisation?",
    "idpUnassociateDescription": "Tous les utilisateurs associés à ce fournisseur d'identités seront retirés de cette organisation, mais le fournisseur d'identités continuera d'exister pour d'autres organisations associées.",
    "idpUnassociateConfirm": "Confirmer la dissociation du fournisseur d'identités",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "SUPPRIMER ET ME RETIRER DE L'ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "DÉ-ASSOCIER ET ME RETIRER DE L'ORG",
    "idpUnassociateWarning": "Cela ne peut pas être annulé pour cette organisation.",
    "idpUnassociatedDescription": "Fournisseur d'identités dissocié de cette organisation avec succès",
    "idpUnassociateMenu": "Dissocier",
@@ -3252,5 +3534,67 @@
    "memberPortalResourceDisabled": "Ressource désactivée",
    "memberPortalShowingResources": "Affichage de {start}-{end} sur {total} ressources",
    "memberPortalPrevious": "Précédent",
-    "memberPortalNext": "Suivant"
+    "memberPortalNext": "Suivant",
+    "httpSettings": "Paramètres HTTP",
+    "tcpSettings": "Paramètres TCP",
+    "udpSettings": "Paramètres UDP",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Établissement d'une connexion sécurisée…",
+    "sshConnecting": "Connexion…",
+    "sshInitializing": "Initialisation…",
+    "sshSignInTitle": "Se connecter à SSH",
+    "sshSignInDescription": "Entrez vos identifiants SSH pour vous connecter",
+    "sshPasswordTab": "Mot de passe",
+    "sshPrivateKeyTab": "Clé Privée",
+    "sshPrivateKeyField": "Clé Privée",
+    "sshPrivateKeyDisclaimer": "Votre clé privée n'est pas stockée ou visible par Pangolin. Alternativement, vous pouvez utiliser des certificats de courte durée pour une authentification transparente utilisant votre identité Pangolin existante.",
+    "sshLearnMore": "En savoir plus",
+    "sshPrivateKeyFile": "Fichier de Clé Privée",
+    "sshAuthenticate": "Connecter",
+    "sshTerminate": "Terminer",
+    "sshPoweredBy": "Propulsé par",
+    "sshErrorNoTarget": "Aucune cible spécifiée",
+    "sshErrorWebSocket": "Échec de la connexion WebSocket",
+    "sshErrorAuthFailed": "Échec de l'authentification",
+    "sshErrorConnectionClosed": "Connexion fermée avant que l'authentification soit terminée",
+    "sitePangolinSshDescription": "Autoriser l'accès SSH aux ressources sur ce site. Cela peut être modifié plus tard.",
+    "browserGatewayNoResourceForDomain": "Aucune ressource trouvée pour ce domaine",
+    "browserGatewayNoTarget": "Aucune cible",
+    "browserGatewayConnect": "Connecter",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Suppr",
+    "sshErrorSignKeyFailed": "Échec de la signature de la clé SSH pour l'authentification Push PAM. Vous êtes-vous connecté en tant qu'utilisateur ?",
+    "sshTerminalError": "Erreur : {error}",
+    "sshConnectionClosedCode": "Connexion fermée (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Une clé privée est requise",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Entrez votre mot de passe VNC pour vous connecter",
+    "vncPasswordOptional": "Mot de passe (facultatif)",
+    "vncNoResourceTarget": "Aucune cible de ressource disponible",
+    "vncFailedToLoadNovnc": "Échec du chargement de noVNC",
+    "vncAuthFailedStatus": "Statut {status}",
+    "vncPasteClipboard": "Coller le presse-papiers",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Se connecter au Bureau à distance",
+    "rdpSignInDescription": "Entrez vos identifiants Windows pour vous connecter",
+    "rdpLoadingModule": "Chargement du module...",
+    "rdpFailedToLoadModule": "Échec du chargement du module RDP",
+    "rdpNotReady": "Pas prêt",
+    "rdpModuleInitializing": "Le module RDP est encore en cours d'initialisation",
+    "rdpDownloadingFiles": "Téléchargement de {count} fichier(s) depuis le site distant…",
+    "rdpDownloadFailed": "Échec du téléchargement : {fileName}",
+    "rdpUploaded": "Téléchargé : {fileName}",
+    "rdpNoConnectionTarget": "Aucune cible de connexion disponible",
+    "rdpConnectionFailed": "Échec de la connexion",
+    "rdpFit": "Ajuster",
+    "rdpFull": "Plein",
+    "rdpReal": "Réel",
+    "rdpMeta": "Méta",
+    "rdpUploadFiles": "Télécharger des fichiers",
+    "rdpFilesReadyToPaste": "Fichiers prêts à coller",
+    "rdpFilesReadyToPasteDescription": "{count} fichier(s) copié(s) vers le presse-papier distant — appuyez sur Ctrl+V sur le bureau distant pour coller.",
+    "rdpUploadFailed": "Échec du téléchargement",
+    "rdpUnicodeKeyboardMode": "Mode clavier Unicode",
+    "sessionToolbarShow": "Afficher la barre d'outils",
+    "sessionToolbarHide": "Masquer la barre d'outils"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Visualizza Risorse Private",
    "siteInstallNewt": "Installa Newt",
    "siteInstallNewtDescription": "Esegui Newt sul tuo sistema",
+    "siteInstallKubernetesDocsDescription": "Per ulteriori informazioni aggiornate sull'installazione di Kubernetes, consulta <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Per le istruzioni sull'installazione del modem Advantech, consulta <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configurazione WireGuard",
    "WgConfigurationDescription": "Utilizzare la seguente configurazione per connettersi alla rete",
    "operatingSystem": "Sistema Operativo",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Potrai vederlo solo una volta. Assicurati di copiarlo in un luogo sicuro.",
    "siteInfo": "Informazioni Sito",
    "status": "Stato",
-    "shareTitle": "Gestisci Collegamenti Di Condivisione",
+    "shareTitle": "Gestisci Collegamenti Condivisibili",
    "shareDescription": "Crea link condivisibili per concedere accesso temporaneo o permanente alle risorse proxy",
-    "shareSearch": "Cerca link condivisi...",
-    "shareCreate": "Crea Link Di Condivisione",
+    "shareSearch": "Cerca collegamenti condivisibili...",
+    "shareCreate": "Crea Collegamento Condivisibile",
    "shareErrorDelete": "Impossibile eliminare il link",
    "shareErrorDeleteMessage": "Si è verificato un errore durante l'eliminazione del link",
    "shareDeleted": "Link eliminato",
    "shareDeletedDescription": "Il link è stato eliminato",
+    "shareDelete": "Elimina Collegamento Condivisibile",
+    "shareDeleteConfirm": "Conferma Eliminazione Collegamento Condivisibile",
+    "shareQuestionRemove": "Sei sicuro di voler eliminare questo link di condivisione?",
+    "shareMessageRemove": "Una volta eliminato, il link non funzionerà più e chiunque lo utilizzi perderà l'accesso alla risorsa.",
    "shareTokenDescription": "Il token di accesso può essere passato in due modi: come parametro di interrogazione o nelle intestazioni della richiesta. Questi devono essere passati dal client su ogni richiesta di accesso autenticato.",
    "accessToken": "Token Di Accesso",
    "usageExamples": "Esempi Di Utilizzo",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Si è verificato un errore durante la creazione del link di condivisione",
    "shareCreateDescription": "Chiunque con questo link può accedere alla risorsa",
    "shareTitleOptional": "Titolo (facoltativo)",
+    "sharePathOptional": "Percorso (opzionale)",
+    "sharePathDescription": "Il link reindirizzerà gli utenti a questo percorso dopo l'autenticazione.",
    "expireIn": "Scadenza In",
    "neverExpire": "Nessuna scadenza",
    "shareExpireDescription": "Il tempo di scadenza indica per quanto tempo il link sarà utilizzabile e fornirà accesso alla risorsa. Dopo questo tempo, il link non funzionerà più e gli utenti che hanno utilizzato questo link perderanno l'accesso alla risorsa.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Seleziona una risorsa",
    "proxyResourceTitle": "Gestisci Risorse Pubbliche",
    "proxyResourceDescription": "Creare e gestire risorse pubbliche accessibili tramite un browser web",
-    "proxyResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
-    "proxyResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili da chiunque tramite Internet da un browser web. A differenza delle risorse private non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
+    "publicResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
+    "publicResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS accessibili a chiunque su Internet tramite un browser web. A differenza delle risorse private, non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
    "clientResourceTitle": "Gestisci Risorse Private",
    "clientResourceDescription": "Crea e gestisci risorse accessibili solo tramite un client connesso",
    "privateResourcesBannerTitle": "Accesso Privato Zero-Trust",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Cerca risorse...",
    "resourceAdd": "Aggiungi Risorsa",
    "resourceErrorDelte": "Errore nell'eliminare la risorsa",
+    "resourcePoliciesBannerTitle": "Riutilizza Regole di Autenticazione e Accesso",
+    "resourcePoliciesBannerDescription": "Le politiche di risorsa condivise ti permettono di definire metodi di autenticazione e regole di accesso una volta, poi di applicarle a più risorse pubbliche. Quando aggiorni una politica, ogni risorsa collegata eredita il cambiamento automaticamente.",
+    "resourcePoliciesBannerButtonText": "Scopri di più",
+    "resourcePoliciesTitle": "Gestisci Politiche delle Risorse Pubbliche",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Risorse",
+    "resourcePoliciesAttachedResources": "{count} risorsa(e)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# risorsa} other {# risorse}}",
+    "resourcePoliciesAttachedResourcesEmpty": "nessuna risorsa",
+    "resourcePoliciesDescription": "Crea e gestisci politiche d'autenticazione per controllare l'accesso alle tue risorse pubbliche",
+    "resourcePoliciesSearch": "Cerca politiche...",
+    "resourcePoliciesAdd": "Aggiungi Politica",
+    "resourcePoliciesDefaultBadgeText": "Politica Predefinita",
+    "resourcePoliciesCreate": "Crea Politica Risorse Pubbliche",
+    "resourcePoliciesCreateDescription": "Segui i passaggi seguenti per creare una nuova politica",
+    "resourcePolicyName": "Nome Politica",
+    "resourcePolicyNameDescription": "Dai un nome a questa politica per identificarla tra le tue risorse",
+    "resourcePolicyNamePlaceholder": "es. Politica di Accesso Interno",
+    "resourcePoliciesSeeAll": "Vedi Tutte le Politiche",
+    "resourcePolicyAuthMethodAdd": "Aggiungi Metodo di Autenticazione",
+    "resourcePolicyOtpEmailAdd": "Aggiungi email OTP",
+    "resourcePolicyRulesAdd": "Aggiungi Regole",
+    "resourcePolicyAuthMethodsDescription": "Consenti l'accesso alle risorse tramite metodi di autenticazione aggiuntivi",
+    "resourcePolicyUsersRolesDescription": "Configura quali utenti e ruoli possono visitare le risorse associate",
+    "rulesResourcePolicyDescription": "Configura regole per controllare l'accesso alle risorse associate a questa politica",
    "authentication": "Autenticazione",
    "protected": "Protetto",
    "notProtected": "Non Protetto",
    "resourceMessageRemove": "Una volta rimossa la risorsa non sarà più accessibile. Tutti gli oggetti target associati alla risorsa saranno rimossi.",
    "resourceQuestionRemove": "Sei sicuro di voler rimuovere la risorsa dall'organizzazione?",
+    "resourcePolicyMessageRemove": "Una volta rimossa, la politica delle risorse non sarà più accessibile. Tutte le risorse associate saranno dissociate e rimarranno senza autenticazione.",
+    "resourcePolicyQuestionRemove": "Sei sicuro di voler rimuovere la politica delle risorse dall'organizzazione?",
    "resourceHTTP": "Risorsa HTTPS",
    "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
    "resourceRaw": "Risorsa Raw TCP/UDP",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Richiesta proxy su TCP/UDP grezzo utilizzando un numero di porta. Richiede siti per connettersi a un nodo remoto.",
    "resourceCreate": "Crea Risorsa",
    "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
+    "resourceCreateGeneralDescription": "Configura le impostazioni generali delle risorse, inclusi il nome e il tipo",
    "resourceSeeAll": "Vedi Tutte Le Risorse",
-    "resourceInfo": "Informazioni Risorsa",
+    "resourceCreateGeneral": "Generale",
    "resourceNameDescription": "Questo è il nome visualizzato per la risorsa.",
    "siteSelect": "Seleziona sito",
    "siteSearch": "Cerca sito",
@@ -227,12 +262,15 @@
    "noCountryFound": "Nessun paese trovato.",
    "siteSelectionDescription": "Questo sito fornirà connettività all'oggetto target.",
    "resourceType": "Tipo Di Risorsa",
-    "resourceTypeDescription": "Determinare come accedere alla risorsa",
+    "resourceTypeDescription": "Questo controlla il protocollo delle risorse e come verrà reso nel browser. Questo non può essere modificato in seguito.",
+    "resourceDomainDescription": "La risorsa sarà servita su questo dominio completamente qualificato.",
    "resourceHTTPSSettings": "Impostazioni HTTPS",
    "resourceHTTPSSettingsDescription": "Configura come sarà possibile accedere alla risorsa su HTTPS",
+    "resourcePortDescription": "La porta esterna sull'istanza o nodo Pangolin dove la risorsa sarà accessibile.",
    "domainType": "Tipo Di Dominio",
    "subdomain": "Sottodominio",
    "baseDomain": "Dominio Base",
+    "configure": "Configura",
    "subdomnainDescription": "Il sottodominio in cui la risorsa sarà accessibile.",
    "resourceRawSettings": "Impostazioni TCP/UDP",
    "resourceRawSettingsDescription": "Configura come accedere alla risorsa tramite TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Indietro",
    "cancel": "Annulla",
    "resourceConfig": "Snippet Di Configurazione",
-    "resourceConfigDescription": "Copia e incolla questi snippet di configurazione per configurare la risorsa TCP/UDP",
+    "resourceConfigDescription": "Copia e incolla questi snippet di configurazione per configurare la risorsa TCP/UDP.",
    "resourceAddEntrypoints": "Traefik: Aggiungi Entrypoint",
    "resourceExposePorts": "Gerbil: espone le porte in Docker Compose",
    "resourceLearnRaw": "Scopri come configurare le risorse TCP/UDP",
    "resourceBack": "Torna alle risorse",
    "resourceGoTo": "Vai alla Risorsa",
+    "resourcePolicyDelete": "Elimina Politica Risorse",
+    "resourcePolicyDeleteConfirm": "Conferma Eliminazione Politica Risorse",
    "resourceDelete": "Elimina Risorsa",
    "resourceDeleteConfirm": "Conferma Eliminazione Risorsa",
+    "labelDelete": "Elimina Etichetta",
+    "labelAdd": "Aggiungi Etichetta",
+    "labelCreateSuccessMessage": "Etichetta Creata con Successo",
+    "labelDuplicateError": "Etichetta Duplicata",
+    "labelDuplicateErrorDescription": "Esiste già un'etichetta con questo nome.",
+    "labelEditSuccessMessage": "Etichetta Modificata con Successo",
+    "labelNameField": "Nome Etichetta",
+    "labelColorField": "Colore Etichetta",
+    "labelPlaceholder": "Es: homelab",
+    "labelCreate": "Crea Etichetta",
+    "createLabelDialogTitle": "Crea Etichetta",
+    "createLabelDialogDescription": "Crea una nuova etichetta che può essere allegata a questa organizzazione",
+    "labelEdit": "Modifica Etichetta",
+    "editLabelDialogTitle": "Aggiorna Etichetta",
+    "editLabelDialogDescription": "Modifica una nuova etichetta che può essere allegata a questa organizzazione",
+    "labelDeleteConfirm": "Conferma Eliminazione Etichetta",
+    "labelErrorDelete": "Impossibile eliminare l'etichetta",
+    "labelMessageRemove": "Questa azione è permanente. Tutti i siti, le risorse e i clienti associati a questa etichetta verranno dissociati.",
+    "labelQuestionRemove": "Sei sicuro di voler rimuovere l'etichetta dall'organizzazione?",
    "visibility": "Visibilità",
    "enabled": "Abilitato",
    "disabled": "Disabilitato",
@@ -261,6 +320,8 @@
    "rules": "Regole",
    "resourceSettingDescription": "Configura le impostazioni sulla risorsa",
    "resourceSetting": "Impostazioni {resourceName}",
+    "resourcePolicySettingDescription": "Configura le impostazioni su questa politica di risorsa pubblica",
+    "resourcePolicySetting": "Impostazioni del sito {policyName}",
    "alwaysAllow": "Bypass Autenticazione",
    "alwaysDeny": "Blocca Accesso",
    "passToAuth": "Passa all'autenticazione",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Una volta rimosso questo utente non avrà più accesso all'organizzazione. Puoi sempre reinvitarlo in seguito, ma dovrà accettare nuovamente l'invito.",
    "userRemoveOrgConfirm": "Conferma Rimozione Utente",
    "userRemoveOrg": "Rimuovi Utente dall'Organizzazione",
+    "userQuestionOrgRemoveSelf": "Sei sicuro di voler rimuovere te stesso da questa organizzazione?",
+    "userMessageOrgRemoveSelf": "Perderai immediatamente l'accesso. Un amministratore può invitarti nuovamente in seguito, ma dovrai accettare un nuovo invito.",
+    "userRemoveOrgConfirmSelf": "Conferma Rimozione Me Stesso",
+    "userRemoveOrgSelf": "Rimuoviti dall'organizzazione",
+    "userRemoveOrgSelfWarning": "Perderai immediatamente l'accesso a questa organizzazione.",
+    "userRemoveOrgConfirmPhraseSelf": "RIMUOVITI DALL'ORGANIZZAZIONE",
    "users": "Utenti",
    "accessRoleMember": "Membro",
    "accessRoleOwner": "Proprietario",
@@ -531,6 +598,11 @@
    "emailInvalid": "Indirizzo email non valido",
    "inviteValidityDuration": "Seleziona una durata",
    "accessRoleSelectPlease": "Seleziona un ruolo",
+    "removeOwnAdminRoleConfirmTitle": "Rimuovere il tuo accesso amministrativo?",
+    "removeOwnAdminRoleConfirmDescription": "Non avrai più i permessi di amministratore in questa organizzazione dopo il salvataggio. Un altro amministratore può ripristinare l'accesso se necessario.",
+    "removeOwnAdminRoleConfirmButton": "Rimuovere il Mio Accesso Amministrativo",
+    "removeOwnAdminRoleConfirmPhrase": "RIMUOVERE IL MIO ACCESSO AMMINISTRATIVO",
+    "ownerMustRetainAdminRole": "Il proprietario dell'organizzazione deve mantenere almeno un ruolo di amministratore.",
    "usernameRequired": "Username richiesto",
    "idpSelectPlease": "Seleziona un provider di identità",
    "idpGenericOidc": "Provider OAuth2/OIDC generico.",
@@ -615,7 +687,7 @@
    "createdAt": "Creato Il",
    "proxyErrorInvalidHeader": "Valore dell'intestazione Host personalizzata non valido. Usa il formato nome dominio o salva vuoto per rimuovere l'intestazione Host personalizzata.",
    "proxyErrorTls": "Nome Server TLS non valido. Usa il formato nome dominio o salva vuoto per rimuovere il Nome Server TLS.",
-    "proxyEnableSSL": "Abilita SSL",
+    "proxyEnableSSL": "Abilita TLS",
    "proxyEnableSSLDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alle risorse interne target.",
    "target": "Target",
    "configureTarget": "Configura Risorse Interne",
@@ -656,8 +728,9 @@
    "targetSubmit": "Aggiungi Target",
    "targetNoOne": "Questa risorsa non ha destinazioni. Aggiungi un obiettivo per configurare dove inviare richieste al backend.",
    "targetNoOneDescription": "L'aggiunta di più di un target abiliterà il bilanciamento del carico.",
-    "targetsSubmit": "Salva Target",
+    "targetsSubmit": "Salva Impostazioni",
    "addTarget": "Aggiungi Target",
+    "proxyMultiSiteRoundRobinNodeHelp": "Il routing round robin non funzionerà tra siti che non sono connessi allo stesso nodo, ma il failover funzionerà.",
    "targetErrorInvalidIp": "Indirizzo IP non valido",
    "targetErrorInvalidIpDescription": "Inserisci un indirizzo IP o un hostname valido",
    "targetErrorInvalidPort": "Porta non valida",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Regola duplicata",
    "rulesErrorDuplicateDescription": "Esiste già una regola con queste impostazioni",
    "rulesErrorInvalidIpAddressRange": "CIDR non valido",
-    "rulesErrorInvalidIpAddressRangeDescription": "Inserisci un valore CIDR valido",
-    "rulesErrorInvalidUrl": "Percorso URL non valido",
-    "rulesErrorInvalidUrlDescription": "Inserisci un valore di percorso URL valido",
-    "rulesErrorInvalidIpAddress": "IP non valido",
-    "rulesErrorInvalidIpAddressDescription": "Inserisci un indirizzo IP valido",
+    "rulesErrorInvalidIpAddressRangeDescription": "Inserisci un intervallo CIDR valido (es., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Percorso non valido",
+    "rulesErrorInvalidUrlDescription": "Inserisci un percorso URL valido o un pattern (es., /api/*).",
+    "rulesErrorInvalidIpAddress": "Indirizzo IP non valido",
+    "rulesErrorInvalidIpAddressDescription": "Inserisci un indirizzo IPv4 o IPv6 valido.",
    "rulesErrorUpdate": "Impossibile aggiornare le regole",
    "rulesErrorUpdateDescription": "Si è verificato un errore durante l'aggiornamento delle regole",
    "rulesUpdated": "Abilita Regole",
@@ -701,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Inserisci un indirizzo in formato CIDR (es. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Inserisci un indirizzo IP (es. 103.21.244.12)",
    "rulesMatchUrl": "Inserisci un percorso URL o pattern (es. /api/v1/todos o /api/v1/*)",
-    "rulesErrorInvalidPriority": "Priorità Non Valida",
-    "rulesErrorInvalidPriorityDescription": "Inserisci una priorità valida",
-    "rulesErrorDuplicatePriority": "Priorità Duplicate",
-    "rulesErrorDuplicatePriorityDescription": "Inserisci priorità uniche",
+    "rulesErrorInvalidPriority": "Priorità non valida",
+    "rulesErrorInvalidPriorityDescription": "Inserisci un numero intero di 1 o superiore.",
+    "rulesErrorDuplicatePriority": "Priorità duplicate",
+    "rulesErrorDuplicatePriorityDescription": "Ogni regola deve avere un numero di priorità univoco.",
+    "rulesErrorValidation": "Regole non valide",
+    "rulesErrorValidationRuleDescription": "Regola {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Seleziona un tipo di corrispondenza valido (percorso, IP, CIDR, paese, regione o ASN).",
+    "rulesErrorValueRequired": "Inserisci un valore per questa regola.",
+    "rulesErrorInvalidCountry": "Nazione non valida",
+    "rulesErrorInvalidCountryDescription": "Seleziona un paese valido.",
+    "rulesErrorInvalidAsn": "ASN non valido",
+    "rulesErrorInvalidAsnDescription": "Inserisci un ASN valido (es., AS15169).",
    "ruleUpdated": "Regole aggiornate",
    "ruleUpdatedDescription": "Regole aggiornate con successo",
    "ruleErrorUpdate": "Operazione fallita",
    "ruleErrorUpdateDescription": "Si è verificato un errore durante il salvataggio",
    "rulesPriority": "Priorità",
+    "rulesReorderDragHandle": "Trascina per riorganizzare la priorità delle regole",
    "rulesAction": "Azione",
    "rulesMatchType": "Tipo di Corrispondenza",
    "value": "Valore",
@@ -728,9 +810,60 @@
    "rulesResource": "Configurazione Regole Risorsa",
    "rulesResourceDescription": "Configura le regole per controllare l'accesso alla risorsa",
    "ruleSubmit": "Aggiungi Regola",
-    "rulesNoOne": "Nessuna regola. Aggiungi una regola usando il modulo.",
+    "rulesNoOne": "Nessuna regola ancora.",
    "rulesOrder": "Le regole sono valutate per priorità in ordine crescente.",
    "rulesSubmit": "Salva Regole",
+    "policyErrorCreate": "Errore nella creazione della politica",
+    "policyErrorCreateDescription": "Si è verificato un errore durante la creazione della politica",
+    "policyErrorCreateMessageDescription": "Si è verificato un errore imprevisto",
+    "policyErrorUpdate": "Errore nell'aggiornamento della politica",
+    "policyErrorUpdateDescription": "Si è verificato un errore durante l'aggiornamento della politica",
+    "policyErrorUpdateMessageDescription": "Si è verificato un errore imprevisto",
+    "policyCreatedSuccess": "Politica risorse creata con successo",
+    "policyUpdatedSuccess": "Politica risorse aggiornata con successo",
+    "authMethodsSave": "Salva Impostazioni",
+    "policyAuthStackTitle": "Autenticazione",
+    "policyAuthStackDescription": "Controlla quali metodi di autenticazione sono richiesti per accedere a questa risorsa",
+    "policyAuthOrLogicTitle": "Più metodi di autenticazione attivi",
+    "policyAuthOrLogicBanner": "I visitatori possono autenticarsi utilizzando uno qualsiasi dei metodi attivi sottostanti. Non è necessario completarli tutti.",
+    "policyAuthMethodActive": "Attivo",
+    "policyAuthMethodOff": "Disattivo",
+    "policyAuthSsoTitle": "SSO della Piattaforma",
+    "policyAuthSsoDescription": "Richiedi l'accesso tramite il provider di identità della tua organizzazione",
+    "policyAuthSsoSummary": "{idp} · {users} utenti, {roles} ruoli",
+    "policyAuthSsoDefaultIdp": "Provider predefinito",
+    "policyAuthAddDefaultIdentityProvider": "Aggiungi Provider di Identità Predefinito",
+    "policyAuthOtherMethodsTitle": "Altri Metodi",
+    "policyAuthOtherMethodsDescription": "Metodi opzionali che i visitatori possono utilizzare al posto o insieme al SSO della piattaforma",
+    "policyAuthPasscodeTitle": "Codice di Accesso",
+    "policyAuthPasscodeDescription": "Richiedi un codice alfanumerico condiviso per accedere alla risorsa",
+    "policyAuthPasscodeSummary": "Codice di accesso impostato",
+    "policyAuthPincodeTitle": "Codice PIN",
+    "policyAuthPincodeDescription": "Un breve codice numerico richiesto per accedere alla risorsa",
+    "policyAuthPincodeSummary": "Codice PIN a 6 cifre impostato",
+    "policyAuthEmailTitle": "Lista Autorizzazioni Email",
+    "policyAuthEmailDescription": "Consenti indirizzi email elencati con password monouso",
+    "policyAuthEmailSummary": "{count} indirizzi consentiti",
+    "policyAuthEmailOtpCallout": "L'abilitazione dell'elenco email invia una password monouso all'email del visitatore durante il login.",
+    "policyAuthHeaderAuthTitle": "Autenticazione Header Base",
+    "policyAuthHeaderAuthDescription": "Convalida un nome e un valore di intestazione HTTP personalizzato su ogni richiesta",
+    "policyAuthHeaderAuthSummary": "Intestazione configurata",
+    "policyAuthHeaderName": "Nome dell'intestazione",
+    "policyAuthHeaderValue": "Valore atteso",
+    "policyAuthSetPasscode": "Imposta Codice di Accesso",
+    "policyAuthSetPincode": "Imposta Codice PIN",
+    "policyAuthSetEmailWhitelist": "Imposta Lista Autorizzazioni Email",
+    "policyAuthSetHeaderAuth": "Imposta Autenticazione Header Base",
+    "policyAccessRulesTitle": "Regole di Accesso",
+    "policyAccessRulesEnableDescription": "Quando abilitate, le regole vengono valutate in ordine discendente finché una non è vera.",
+    "policyAccessRulesFirstMatch": "Le regole sono valutate dall'alto verso il basso. La prima regola corrispondente decide il risultato.",
+    "policyAccessRulesHowItWorks": "Le regole corrispondono alle richieste per percorso, indirizzo IP, posizione o altri criteri. Ogni regola applica un'azione: bypassa l'autenticazione, blocca l'accesso o passa all'autenticazione. Se nessuna regola corrisponde, il traffico continua all'autenticazione.",
+    "policyAccessRulesFallthroughOff": "Quando le regole sono disabilitate, tutto il traffico passa all'autenticazione.",
+    "policyAccessRulesFallthroughOn": "Quando nessuna regola corrisponde, il traffico passa all'autenticazione.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Salva Regole",
    "resourceErrorCreate": "Errore nella creazione della risorsa",
    "resourceErrorCreateDescription": "Si è verificato un errore durante la creazione della risorsa",
    "resourceErrorCreateMessage": "Errore nella creazione della risorsa:",
@@ -752,7 +885,7 @@
    "accessControl": "Controllo Accessi",
    "shareLink": "Link di Condivisione {resource}",
    "resourceSelect": "Seleziona risorsa",
-    "shareLinks": "Link di Condivisione",
+    "shareLinks": "Collegamenti Condivisibili",
    "share": "Link Condivisibili",
    "shareDescription2": "Crea link condivisibili alle risorse. I link forniscono un accesso temporaneo o illimitato alla tua risorsa. È possibile configurare la durata di scadenza del collegamento quando ne viene creato uno.",
    "shareEasyCreate": "Facile da creare e condividere",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Aggiungi Codice PIN",
    "pincodeRemove": "Rimuovi Codice PIN",
    "resourceAuthMethods": "Metodi di Autenticazione",
+    "resourcePolicyAuthMethodsEmpty": "Nessun metodo di autenticazione",
+    "resourcePolicyOtpEmpty": "Nessuna password monouso",
+    "resourcePolicyReadOnly": "Questa politica è sola lettura",
+    "resourcePolicyReadOnlyDescription": "Questa politica delle risorse è condivisa su più risorse, non puoi modificarla in questa pagina.",
+    "editSharedPolicy": "Modifica Politica Condivisa",
+    "resourcePolicyTypeSave": "Salva tipo di risorsa",
+    "resourcePolicySelect": "Seleziona politica delle risorse",
+    "resourcePolicySelectError": "Seleziona una politica delle risorse",
+    "resourcePolicyNotFound": "Politica non trovata",
+    "resourcePolicySearch": "Cerca politiche",
+    "resourcePolicyRulesEmpty": "Nessuna regola di autenticazione",
    "resourceAuthMethodsDescriptions": "Consenti l'accesso alla risorsa tramite metodi di autenticazione aggiuntivi",
    "resourceAuthSettingsSave": "Salvato con successo",
    "resourceAuthSettingsSaveDescription": "Le impostazioni di autenticazione sono state salvate",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Imposta Codice PIN",
    "resourcePincodeSetupTitleDescription": "Imposta un codice PIN per proteggere questa risorsa",
    "resourceRoleDescription": "Gli amministratori possono sempre accedere a questa risorsa.",
+    "resourcePolicySelectTitle": "Politica di Accesso Risorse",
+    "resourcePolicySelectDescription": "Seleziona il tipo di politica delle risorse per l'autenticazione",
+    "resourcePolicyTypeLabel": "Tipo di politica",
+    "resourcePolicyLabel": "Politica delle risorse",
+    "resourcePolicyInline": "Politica Inline delle Risorse",
+    "resourcePolicyInlineDescription": "Politica di Accesso limitata solo a questa risorsa",
+    "resourcePolicyShared": "Politica Condivisa delle Risorse",
+    "resourcePolicySharedDescription": "Questa risorsa utilizza una politica condivisa.",
+    "sharedPolicy": "Politica Condivisa",
+    "sharedPolicyNoneDescription": "Questa risorsa ha la sua politica.",
+    "resourceSharedPolicyOwnDescription": "Questa risorsa ha il controllo delle proprie regole di autenticazione e accesso.",
+    "resourceSharedPolicyInheritedDescription": "Questa risorsa eredita da <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Questa risorsa utilizza una politica condivisa. Alcune impostazioni di autenticazione possono essere modificate su questa risorsa per aggiungerle alla politica. Per cambiare la politica sottostante, devi modificare <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Questa risorsa utilizza una politica condivisa. Alcune regole di accesso possono essere modificate su questa risorsa. Per cambiare la politica sottostante, devi modificare <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Controlli di Accesso",
    "resourceUsersRolesDescription": "Configura quali utenti e ruoli possono visitare questa risorsa",
    "resourceUsersRolesSubmit": "Salva Controlli di Accesso",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilità",
    "resourceVisibilityTitleDescription": "Abilita o disabilita completamente la visibilità della risorsa",
    "resourceGeneral": "Impostazioni Generali",
-    "resourceGeneralDescription": "Configura le impostazioni generali per questa risorsa",
+    "resourceGeneralDescription": "Configura nome, indirizzo e politica di accesso per questa risorsa.",
+    "resourceGeneralDetailsSubsection": "Dettagli Risorsa",
+    "resourceGeneralDetailsSubsectionDescription": "Imposta il nome visualizzato, l'identificatore e il dominio pubblicamente accessibile per questa risorsa.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Imposta il nome visualizzato, l'identificatore e la porta pubblica per questa risorsa.",
+    "resourceGeneralPublicAddressSubsection": "Indirizzo Pubblico",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configura come gli utenti raggiungono questa risorsa.",
+    "resourceGeneralAuthenticationAccessSubsection": "Autenticazione e Accesso",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Scegli se questa risorsa utilizza la sua politica o eredita da una politica condivisa.",
    "resourceEnable": "Abilita Risorsa",
    "resourceTransfer": "Trasferisci Risorsa",
    "resourceTransferDescription": "Trasferisci questa risorsa a un sito diverso",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Si è verificato un problema durante la connessione a {name}. Contatta il tuo amministratore.",
    "idpErrorNotFound": "IdP non trovato",
    "inviteInvalid": "Invito Non Valido",
+    "labels": "Etichette",
+    "orgLabelsDescription": "Gestisci le etichette in questa organizzazione.",
+    "addLabels": "Aggiungi etichette",
+    "siteLabelsTab": "Etichette",
+    "siteLabelsDescription": "Gestisci le etichette associate a questo sito.",
+    "labelsNotFound": "Nessuna etichetta trovata.",
+    "labelsEmptyCreateHint": "Inizia a digitare sopra per creare un'etichetta.",
+    "labelSearch": "Cerca etichette",
+    "labelSearchOrCreate": "Cerca o crea un'etichetta",
+    "accessLabelFilterCount": "{count, plural, one {# etichetta} other {# etichette}}",
+    "labelOverflowCount": "+{count, plural, one {# etichetta} other {# etichette}}",
+    "accessLabelFilterClear": "Cancella filtri etichette",
+    "accessFilterClear": "Cancella filtri",
+    "selectColor": "Seleziona colore",
+    "createNewLabel": "Crea nuova etichetta dell'organizzazione \"{label}\"",
    "inviteInvalidDescription": "Il link di invito non è valido.",
    "inviteErrorWrongUser": "L'invito non è per questo utente",
    "inviteErrorUserNotExists": "L'utente non esiste. Si prega di creare prima un account.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Risorse",
    "sidebarProxyResources": "Pubblico",
    "sidebarClientResources": "Privato",
+    "sidebarPolicies": "Politiche Condivise",
+    "sidebarResourcePolicies": "Risorse Pubbliche",
    "sidebarAccessControl": "Controllo Accesso",
    "sidebarLogsAndAnalytics": "Registri E Analisi",
    "sidebarTeam": "Squadra",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Amministratore",
    "sidebarInvitations": "Inviti",
    "sidebarRoles": "Ruoli",
-    "sidebarShareableLinks": "Collegamenti",
+    "sidebarShareableLinks": "Collegamenti Condivisibili",
    "sidebarApiKeys": "Chiavi API",
    "sidebarProvisioning": "Accantonamento",
    "sidebarSettings": "Impostazioni",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Sito {id}",
    "standaloneHcFilterResourceIdFallback": "Risorsa {id}",
    "blueprints": "Progetti",
-    "blueprintsDescription": "Applica le configurazioni dichiarative e visualizza le partite precedenti",
+    "blueprintsLog": "Registro Progetti",
+    "blueprintsDescription": "Visualizza le applicazioni blueprint passate e i loro risultati o applica un nuovo blueprint",
    "blueprintAdd": "Aggiungi Progetto",
    "blueprintGoBack": "Vedi tutti i progetti",
    "blueprintCreate": "Crea Progetto",
@@ -1559,7 +1742,17 @@
    "contents": "Contenuti",
    "parsedContents": "Sommario Analizzato (Solo Lettura)",
    "enableDockerSocket": "Abilita Progetto Docker",
-    "enableDockerSocketDescription": "Abilita la raschiatura dell'etichetta Docker Socket per le etichette dei progetti. Il percorso del socket deve essere fornito a Newt.",
+    "enableDockerSocketDescription": "Abilita lo scraping delle etichette Docker Socket per le etichette dei progetti. Il percorso del socket deve essere fornito al connettore del sito. Leggi come funziona nel <docsLink>documentazione</docsLink>.",
+    "newtAutoUpdate": "Abilita Aggiornamento Automatico del Sito",
+    "newtAutoUpdateDescription": "Quando abilitati, i connettori del sito scaricheranno automaticamente l'ultima versione e si riavvieranno. Questo può essere sovrascritto caso per caso.",
+    "siteAutoUpdate": "Aggiornamento Automatico del Sito",
+    "siteAutoUpdateLabel": "Abilita Aggiornamento Automatico",
+    "siteAutoUpdateDescription": "Quando abilitato, il connettore di questo sito scaricherà automaticamente l'ultima versione e si riavvierà.",
+    "siteAutoUpdateOrgDefault": "Predefinito dell'organizzazione: {state}",
+    "siteAutoUpdateOverriding": "Sovrascrivere le impostazioni dell'organizzazione",
+    "siteAutoUpdateResetToOrg": "Reimposta al Predefinito dell'Organizzazione",
+    "siteAutoUpdateEnabled": "abilitato",
+    "siteAutoUpdateDisabled": "disabilitato",
    "viewDockerContainers": "Visualizza Contenitori Docker",
    "containersIn": "Contenitori in {siteName}",
    "selectContainerDescription": "Seleziona qualsiasi contenitore da usare come hostname per questo obiettivo. Fai clic su una porta per usare una porta.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certificato",
    "certificateStatusAutoRefreshHint": "Lo stato si aggiorna automaticamente.",
    "loading": "Caricamento",
+    "loadingEllipsis": "Caricamento...",
    "loadingAnalytics": "Caricamento Delle Analisi",
    "restart": "Riavvia",
    "domains": "Domini",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Configurazione dell'account completata! Benvenuto su Pangolin!",
    "documentation": "Documentazione",
    "saveAllSettings": "Salva Tutte le Impostazioni",
-    "saveResourceTargets": "Salva Target",
-    "saveResourceHttp": "Salva Impostazioni Proxy",
-    "saveProxyProtocol": "Salva impostazioni protocollo proxy",
+    "saveResourceTargets": "Salva Impostazioni",
+    "saveResourceHttp": "Salva Impostazioni",
+    "saveProxyProtocol": "Salva Impostazioni",
    "settingsUpdated": "Impostazioni aggiornate",
    "settingsUpdatedDescription": "Impostazioni aggiornate con successo",
    "settingsErrorUpdate": "Impossibile aggiornare le impostazioni",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Gestisci il tuo abbonamento per le chiavi di licenza self-hosted a pagamento",
    "billingCurrentKeys": "Tasti Attuali",
    "billingModifyCurrentPlan": "Modifica Il Piano Corrente",
+    "billingManageLicenseSubscriptionDescription": "Gestisci il tuo abbonamento per le chiavi di licenza autogestite a pagamento e scarica le fatture.",
    "billingConfirmUpgrade": "Conferma Aggiornamento",
    "billingConfirmDowngrade": "Conferma Downgrade",
    "billingConfirmUpgradeDescription": "Stai per aggiornare il tuo piano. Controlla i nuovi limiti e prezzi qui sotto.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Sconosciuto",
    "healthCheck": "Controllo Salute",
    "configureHealthCheck": "Configura Controllo Salute",
-    "configureHealthCheckDescription": "Imposta il monitoraggio della salute per {target}",
+    "configureHealthCheckDescription": "Imposta il monitoraggio per la tua risorsa per assicurarti che sia sempre disponibile",
    "enableHealthChecks": "Abilita i Controlli di Salute",
    "healthCheckDisabledStateDescription": "Quando disabilitato, il sito non eseguirà controlli di integrità e lo stato sarà considerato sconosciuto.",
    "enableHealthChecksDescription": "Monitorare lo stato di salute di questo obiettivo. Se necessario, è possibile monitorare un endpoint diverso da quello del bersaglio.",
    "healthScheme": "Metodo",
    "healthSelectScheme": "Seleziona Metodo",
-    "healthCheckPortInvalid": "La porta di controllo dello stato di salute deve essere compresa tra 1 e 65535",
+    "healthCheckPortInvalid": "La porta deve essere compresa tra 1 e 65535",
    "healthCheckPath": "Percorso",
    "healthHostname": "IP / Nome host",
    "healthPort": "Porta",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Il tempo è in secondi",
    "requireDeviceApproval": "Richiede Approvazioni Dispositivo",
    "requireDeviceApprovalDescription": "Gli utenti con questo ruolo hanno bisogno di nuovi dispositivi approvati da un amministratore prima di poter connettersi e accedere alle risorse.",
+    "sshSettings": "Impostazioni SSH",
    "sshAccess": "Accesso SSH",
+    "rdpSettings": "Impostazioni RDP",
+    "vncSettings": "Impostazioni VNC",
+    "sshServer": "Server SSH",
+    "rdpServer": "Server RDP",
+    "vncServer": "Server VNC",
+    "sshServerDescription": "Configura il metodo di autenticazione, la posizione del demone e la destinazione del server",
+    "rdpServerDescription": "Configura la destinazione e la porta del server RDP",
+    "vncServerDescription": "Configura la destinazione e la porta del server VNC",
+    "sshServerMode": "Modalità",
+    "sshServerModeStandard": "Server SSH Standard",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Instrada comandi sulla rete a un server SSH come OpenSSH.",
+    "sshServerModeNative": "Server SSH Nativo",
+    "sshServerModeNativeDescription": "Esegue comandi direttamente sull'host tramite il connettore del sito. Non è richiesta la configurazione di rete.",
+    "sshAuthenticationMethod": "Metodo di Autenticazione",
+    "sshAuthMethodManual": "Autenticazione Manuale",
+    "sshAuthMethodManualDescription": "Richiede credenziali host esistenti. Bypassa il provisioning automatico.",
+    "sshAuthMethodAutomated": "Provisioning Automatico",
+    "sshAuthMethodAutomatedDescription": "Crea automaticamente utenti, gruppi e permessi sudo sull'host.",
+    "sshAuthDaemonLocation": "Posizione Daemon Autenticazione",
+    "sshDaemonLocationSiteDescription": "Eseguito localmente sulla macchina che ospita il connettore del sito.",
+    "sshDaemonLocationRemote": "Su Host Remoto",
+    "sshDaemonLocationRemoteDescription": "Eseguito su una macchina target separata nella stessa rete.",
+    "sshDaemonDisclaimer": "Assicurati che l'host target sia correttamente configurato per eseguire il demone di autenticazione prima di completare questa configurazione, altrimenti il provisioning fallirà.",
+    "sshDaemonPort": "Porta Daemon",
+    "sshServerDestination": "Destinazione Server",
+    "sshServerDestinationDescription": "Configura la destinazione del server SSH",
+    "destination": "Destinazione",
+    "destinationRequired": "La destinazione è obbligatoria.",
+    "domainRequired": "Il dominio è obbligatorio.",
+    "proxyPortRequired": "La porta è obbligatoria.",
+    "invalidPathConfiguration": "Configurazione percorso non valida.",
+    "invalidRewritePathConfiguration": "Configurazione percorso di riscrittura non valida.",
+    "bgTargetMultiSiteDisclaimer": "Selezionare più siti abilita instradamento resiliente e failover per alta disponibilità.",
    "roleAllowSsh": "Consenti SSH",
    "roleAllowSshAllow": "Consenti",
    "roleAllowSshDisallow": "Non Consentire",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "L'utente può eseguire solo i comandi specificati con sudo.",
    "sshSudo": "Consenti sudo",
    "sshSudoCommands": "Comandi Sudo",
-    "sshSudoCommandsDescription": "Elenco di comandi separati da virgole che l'utente può eseguire con sudo.",
+    "sshSudoCommandsDescription": "Elenco di comandi che l'utente è autorizzato ad eseguire con sudo, separati da virgole, spazi o nuove righe. Devono essere utilizzati percorsi assoluti.",
    "sshCreateHomeDir": "Crea Cartella Home",
    "sshUnixGroups": "Gruppi Unix",
-    "sshUnixGroupsDescription": "Gruppi Unix separati da virgole per aggiungere l'utente sull'host di destinazione.",
+    "sshUnixGroupsDescription": "Gruppi Unix a cui aggiungere l'utente sull'host di destinazione, separati da virgole, spazi o nuove righe.",
+    "roleTextFieldPlaceholder": "Inserisci i valori o rilascia un file .txt o .csv",
+    "roleTextImportTitle": "Importa da File",
+    "roleTextImportDescription": "Importazione di {fileName} in {fieldLabel}.",
+    "roleTextImportSkipHeader": "Ignora Prima Riga (Intestazione)",
+    "roleTextImportOverride": "Sostituisci Esistente",
+    "roleTextImportAppend": "Aggiungi a Esistente",
+    "roleTextImportMode": "Modalità Importazione",
+    "roleTextImportPreview": "Anteprima",
+    "roleTextImportItemCount": "{count, plural, =0 {Nessun elemento da importare} one {1 elemento da importare} other {# elementi da importare}}",
+    "roleTextImportTotalCount": "{existing} esistente + {imported} importato = {total} totale",
+    "roleTextImportConfirm": "Importa",
+    "roleTextImportInvalidFile": "Tipo di file non supportato",
+    "roleTextImportInvalidFileDescription": "Sono supportati solo file .txt e .csv.",
+    "roleTextImportEmpty": "Nessun elemento trovato nel file",
+    "roleTextImportEmptyDescription": "Il file non contiene elementi importabili.",
    "retryAttempts": "Tentativi di Riprova",
    "expectedResponseCodes": "Codici di Risposta Attesi",
    "expectedResponseCodesDescription": "Codice di stato HTTP che indica lo stato di salute. Se lasciato vuoto, considerato sano è compreso tra 200-300.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Metodo HTTP",
-    "editInternalResourceDialogEnableSsl": "Abilitare SSL",
+    "editInternalResourceDialogEnableSsl": "Abilita TLS",
    "editInternalResourceDialogEnableSslDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alla destinazione.",
    "editInternalResourceDialogDestination": "Destinazione",
    "editInternalResourceDialogDestinationHostDescription": "L'indirizzo IP o il nome host della risorsa nella rete del sito.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Metodo HTTP",
    "createInternalResourceDialogScheme": "Metodo HTTP",
-    "createInternalResourceDialogEnableSsl": "Abilitare SSL",
+    "createInternalResourceDialogEnableSsl": "Abilita TLS",
    "createInternalResourceDialogEnableSslDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alla destinazione.",
    "createInternalResourceDialogDestination": "Destinazione",
    "createInternalResourceDialogDestinationHostDescription": "L'indirizzo IP o il nome host della risorsa nella rete del sito.",
@@ -2217,7 +2464,7 @@
        "description": "Server Pangolin self-hosted più affidabile e a bassa manutenzione con campanelli e fischietti extra",
        "introTitle": "Managed Self-Hosted Pangolin",
        "introDescription": "è un'opzione di distribuzione progettata per le persone che vogliono la semplicità e l'affidabilità extra mantenendo i loro dati privati e self-hosted.",
-        "introDetail": "Con questa opzione, esegui ancora il tuo nodo Pangolin - i tunnel, la terminazione SSL e il traffico rimangono tutti sul tuo server. La differenza è che la gestione e il monitoraggio sono gestiti attraverso il nostro cruscotto cloud, che sblocca una serie di vantaggi:",
+        "introDetail": "Con questa opzione, esegui ancora il tuo nodo Pangolin - i tunnel, la terminazione TLS e il traffico rimangono tutti sul tuo server. La differenza è che la gestione e il monitoraggio sono gestiti attraverso il nostro cruscotto cloud, che sblocca una serie di vantaggi:",
        "benefitSimplerOperations": {
            "title": "Operazioni più semplici",
            "description": "Non è necessario eseguire il proprio server di posta o impostare un avviso complesso. Otterrai controlli di salute e avvisi di inattività fuori dalla casella."
@@ -2652,6 +2899,8 @@
    "validPassword": "Password Valida",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Visualizza",
+    "configManaged": "Gestione Configurazione",
    "connectedClient": "Cliente Connesso",
    "resourceBlocked": "Risorsa Bloccata",
    "droppedByRule": "Eliminato dalla regola",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Abilita Protocollo Proxy",
    "proxyProtocolInfo": "Conserva gli indirizzi IP del client per i backend TCP",
    "proxyProtocolVersion": "Versione Protocollo Proxy",
-    "version1": " Versione 1 (Consigliato)",
+    "version1": "Versione 1 (Consigliato)",
    "version2": "Versione 2",
-    "versionDescription": "La versione 1 è testuale e ampiamente supportata. La versione 2 è binaria e più efficiente, ma meno compatibile.",
+    "version1Description": "Testuale e ampiamente supportata. Assicurati che il trasporto server sia aggiunto alla configurazione dinamica.",
+    "version2Description": "Binaria e più efficiente ma meno compatibile. Assicurati che il trasporto server sia aggiunto alla configurazione dinamica.",
    "warning": "Attenzione",
    "proxyProtocolWarning": "L'applicazione backend deve essere configurata per accettare le connessioni del protocollo proxy. Se il tuo backend non supporta il protocollo proxy, abilitarlo interromperà tutte le connessioni, quindi attivalo solo se sai cosa stai facendo. Assicurati di configurare il tuo backend per fidarti delle intestazioni del protocollo proxy da Traefik.",
    "restarting": "Riavvio...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Inserisci conferma",
    "blueprintViewDetails": "Dettagli",
    "defaultIdentityProvider": "Provider di Identità Predefinito",
-    "defaultIdentityProviderDescription": "Quando viene selezionato un provider di identità predefinito, l'utente verrà automaticamente reindirizzato al provider per l'autenticazione.",
+    "defaultIdentityProviderDescription": "L'utente verrà automaticamente reindirizzato a questo provider di identità per l'autenticazione.",
    "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
    "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
    "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",
@@ -2919,11 +3169,12 @@
    "learnMore": "Scopri di più",
    "backToHome": "Torna alla home",
    "needToSignInToOrg": "Hai bisogno di utilizzare il provider di identità della tua organizzazione?",
-    "maintenanceMode": "Modalità di Manutenzione",
+    "maintenanceMode": "Pagina di Manutenzione",
    "maintenanceModeDescription": "Visualizza una pagina di manutenzione ai visitatori",
    "maintenanceModeType": "Tipo di Modalità di Manutenzione",
    "showMaintenancePage": "Mostra una pagina di manutenzione ai visitatori",
    "enableMaintenanceMode": "Abilita Modalità di Manutenzione",
+    "enableMaintenanceModeDescription": "Quando abilitato, i visitatori vedranno una pagina di manutenzione invece della tua risorsa.",
    "automatic": "Automatico",
    "automaticModeDescription": "Mostra pagina di manutenzione solo quando tutti i target del backend sono inattivi o non in salute. La tua risorsa continua a funzionare normalmente finché almeno un target è in salute.",
    "forced": "Forzato",
@@ -2931,6 +3182,8 @@
    "warning:": "Avviso:",
    "forcedeModeWarning": "Tutto il traffico verrà indirizzato alla pagina di manutenzione. Le risorse del tuo backend non riceveranno richieste.",
    "pageTitle": "Titolo Pagina",
+    "maintenancePageContentSubsection": "Contenuto della Pagina",
+    "maintenancePageContentSubsectionDescription": "Personalizza il contenuto visualizzato sulla pagina di manutenzione",
    "pageTitleDescription": "L'intestazione principale visualizzata sulla pagina di manutenzione",
    "maintenancePageMessage": "Messaggio di Manutenzione",
    "maintenancePageMessagePlaceholder": "Torneremo presto! Il nostro sito è attualmente in manutenzione programmata.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Completamento Stimato:",
    "createInternalResourceDialogDestinationRequired": "Destinazione richiesta",
    "available": "Disponibile",
+    "disabledResourceDescription": "Quando disabilitato, la risorsa sarà inaccessibile a tutti.",
    "archived": "Archiviato",
    "noArchivedDevices": "Nessun dispositivo archiviato trovato",
    "deviceArchived": "Dispositivo archiviato",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Inoltra gli eventi direttamente al tuo account Datadog. In arrivo.",
    "streamingTypePickerDescription": "Scegli un tipo di destinazione per iniziare.",
-    "streamingFailedToLoad": "Impossibile caricare le destinazioni",
+    "streamingLastSyncError": "Si è verificato un errore durante l'ultima sincronizzazione",
    "streamingUnexpectedError": "Si è verificato un errore imprevisto.",
    "streamingFailedToUpdate": "Impossibile aggiornare la destinazione",
    "streamingDeletedSuccess": "Destinazione eliminata con successo",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Modifica Destinazione",
    "S3DestAddTitle": "Aggiungi Destinazione S3",
    "S3DestEditDescription": "Aggiorna la configurazione per questa destinazione di streaming eventi S3.",
-    "S3DestAddDescription": "Configura un nuovo endpoint S3 per ricevere gli eventi della tua organizzazione.",
+    "S3DestAddDescription": "Configura un nuovo bucket Amazon S3 (o compatibile con S3) per ricevere gli eventi della tua organizzazione.",
+    "s3DestTabSettings": "Impostazioni",
+    "s3DestTabFormat": "Formato",
+    "s3DestNameLabel": "Nome",
+    "s3DestNamePlaceholder": "La mia destinazione S3",
+    "s3DestAccessKeyIdLabel": "ID Chiave Accesso AWS",
+    "s3DestSecretAccessKeyLabel": "Chiave Segreta Accesso AWS",
+    "s3DestSecretAccessKeyPlaceholder": "La tua chiave segreta di accesso AWS",
+    "s3DestRegionLabel": "Regione AWS",
+    "s3DestBucketLabel": "Nome Bucket",
+    "s3DestPrefixLabel": "Prefisso Chiave (facoltativo)",
+    "s3DestPrefixDescription": "Prefisso percorso facoltativo anteposto a ogni chiave oggetto. Gli oggetti vengono archiviati in {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Endpoint personalizzato (facoltativo)",
+    "s3DestEndpointDescription": "Sostituisci l'endpoint S3 per lo storage compatibile con S3 come MinIO o Cloudflare R2. Lasciare vuoto per l'AWS S3 standard.",
+    "s3DestGzipLabel": "Compressione Gzip",
+    "s3DestGzipDescription": "Comprimi ogni oggetto caricato con gzip. Riduce i costi di archiviazione e la dimensione di caricamento.",
+    "s3DestFormatTitle": "Formato del File",
+    "s3DestFormatDescription": "Come gli eventi sono serializzati all'interno di ciascun oggetto caricato.",
+    "s3DestFormatJsonArrayDescription": "Ogni oggetto è un array JSON di record di eventi. Compatibile con la maggior parte degli strumenti analitici.",
+    "s3DestFormatNdjsonDescription": "Ogni oggetto contiene un record JSON per linea (JSON delimitato da newline). Compatibile con Athena, BigQuery e Spark.",
+    "s3DestFormatCsvTitle": "\"CSV\"",
+    "s3DestFormatCsvDescription": "Ogni oggetto è un file CSV RFC-4180 con una riga di intestazione. I nomi delle colonne sono derivati dai campi dei dati degli eventi.",
+    "s3DestSaveChanges": "Salva modifiche",
+    "s3DestCreateDestination": "Crea destinazione",
+    "s3DestUpdatedSuccess": "Destinazione aggiornata con successo",
+    "s3DestCreatedSuccess": "Destinazione creata con successo",
+    "s3DestUpdateFailed": "Aggiornamento della destinazione fallito",
+    "s3DestCreateFailed": "Creazione della destinazione fallita",
    "datadogDestEditTitle": "Modifica Destinazione",
    "datadogDestAddTitle": "Aggiungi Destinazione Datadog",
    "datadogDestEditDescription": "Aggiorna la configurazione per questa destinazione di streaming eventi Datadog.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Sei sicuro di voler disassociare questo provider di identità da questa organizzazione?",
    "idpUnassociateDescription": "Tutti gli utenti associati a questo provider di identità verranno rimossi da questa organizzazione, ma il provider di identità continuerà ad esistere per altre organizzazioni associate.",
    "idpUnassociateConfirm": "Conferma Disassociazione Provider di Identità",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "CANCELLA E RIMUOVIMI DALL'ORGANIZZAZIONE",
+    "idpUnassociateAndRemoveMeFromOrg": "DISASSOCIA E RIMUOVIMI DALL'ORGANIZZAZIONE",
    "idpUnassociateWarning": "Questo non può essere annullato per questa organizzazione.",
    "idpUnassociatedDescription": "Provider di identità disassociato con successo da questa organizzazione",
    "idpUnassociateMenu": "Disassocia",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Risorsa Disabilitata",
    "memberPortalShowingResources": "Mostrando {start}-{end} di {total} risorse",
    "memberPortalPrevious": "Precedente",
-    "memberPortalNext": "Successivo"
+    "memberPortalNext": "Successivo",
+    "httpSettings": "Impostazioni HTTP",
+    "tcpSettings": "Impostazioni TCP",
+    "udpSettings": "Impostazioni UDP",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Stabilire una connessione sicura…",
+    "sshConnecting": "Connessione…",
+    "sshInitializing": "Inizializzazione…",
+    "sshSignInTitle": "Accedi a SSH",
+    "sshSignInDescription": "Inserisci le tue credenziali SSH per connetterti",
+    "sshPasswordTab": "Password",
+    "sshPrivateKeyTab": "Chiave Privata",
+    "sshPrivateKeyField": "Chiave Privata",
+    "sshPrivateKeyDisclaimer": "La tua chiave privata non è memorizzata o visibile a Pangolin. In alternativa, puoi utilizzare certificati a vita breve per un'autenticazione continua utilizzando la tua identità Pangolin esistente.",
+    "sshLearnMore": "Scopri di più",
+    "sshPrivateKeyFile": "File Chiave Privata",
+    "sshAuthenticate": "Connetti",
+    "sshTerminate": "Termina",
+    "sshPoweredBy": "Offerto da",
+    "sshErrorNoTarget": "Nessun obiettivo specificato",
+    "sshErrorWebSocket": "Connessione WebSocket fallita",
+    "sshErrorAuthFailed": "Autenticazione fallita",
+    "sshErrorConnectionClosed": "Connessione chiusa prima del completamento dell'autenticazione",
+    "sitePangolinSshDescription": "Consenti l'accesso SSH alle risorse su questo sito. Questo può essere modificato in seguito.",
+    "browserGatewayNoResourceForDomain": "Nessuna risorsa trovata per questo dominio",
+    "browserGatewayNoTarget": "Nessun bersaglio",
+    "browserGatewayConnect": "Connetti",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Canc",
+    "sshErrorSignKeyFailed": "Impossibile firmare la chiave SSH per l'autenticazione push PAM. Ti sei autenticato come utente?",
+    "sshTerminalError": "Errore: {error}",
+    "sshConnectionClosedCode": "Connessione chiusa (codice {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "È richiesta una chiave privata",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Inserisci la tua password VNC per connetterti",
+    "vncPasswordOptional": "Password (opzionale)",
+    "vncNoResourceTarget": "Nessun bersaglio di risorsa disponibile",
+    "vncFailedToLoadNovnc": "Impossibile caricare noVNC",
+    "vncAuthFailedStatus": "Stato {status}",
+    "vncPasteClipboard": "Incolla appunti",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Accedi al Desktop Remoto",
+    "rdpSignInDescription": "Inserisci le credenziali di Windows per connetterti",
+    "rdpLoadingModule": "Caricamento modulo...",
+    "rdpFailedToLoadModule": "Impossibile caricare il modulo RDP",
+    "rdpNotReady": "Non pronto",
+    "rdpModuleInitializing": "Il modulo RDP è ancora in inizializzazione",
+    "rdpDownloadingFiles": "Scaricamento di {count} file(s) da remoto…",
+    "rdpDownloadFailed": "Download fallito: {fileName}",
+    "rdpUploaded": "Caricato: {fileName}",
+    "rdpNoConnectionTarget": "Nessun bersaglio di connessione disponibile",
+    "rdpConnectionFailed": "Connessione fallita",
+    "rdpFit": "Adatta",
+    "rdpFull": "Completo",
+    "rdpReal": "Reale",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Carica file",
+    "rdpFilesReadyToPaste": "File pronti per essere incollati",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copiati negli appunti remoti — premi Ctrl+V sul desktop remoto per incollare.",
+    "rdpUploadFailed": "Caricamento fallito",
+    "rdpUnicodeKeyboardMode": "Modalità tastiera Unicode",
+    "sessionToolbarShow": "Mostra barra degli strumenti",
+    "sessionToolbarHide": "Nascondi barra degli strumenti"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "개인 리소스 보기",
    "siteInstallNewt": "Newt 설치",
    "siteInstallNewtDescription": "시스템에서 Newt 실행하기",
+    "siteInstallKubernetesDocsDescription": "더 많은 정보와 최신의 쿠버네티스 설치 정보를 보려면 <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>를 참조하세요.",
+    "siteInstallAdvantechDocsDescription": "Advantech 모뎀 설치 지침은 <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>을 참조하세요.",
    "WgConfiguration": "WireGuard 구성",
    "WgConfigurationDescription": "네트워크에 연결하기 위한 다음 구성을 사용하세요.",
    "operatingSystem": "운영 체제",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
    "siteInfo": "사이트 정보",
    "status": "상태",
-    "shareTitle": "공유 링크 관리",
+    "shareTitle": "공유 가능한 링크 관리",
    "shareDescription": "공유 가능한 링크를 생성하여 프록시 리소스에 임시 또는 영구적으로 액세스하세요.",
-    "shareSearch": "공유 링크 검색...",
-    "shareCreate": "공유 링크 생성",
+    "shareSearch": "공유 가능한 링크 검색...",
+    "shareCreate": "공유 가능한 링크 생성",
    "shareErrorDelete": "링크 삭제에 실패했습니다.",
    "shareErrorDeleteMessage": "링크 삭제 중 오류가 발생했습니다.",
    "shareDeleted": "링크가 삭제되었습니다.",
    "shareDeletedDescription": "링크가 삭제되었습니다.",
+    "shareDelete": "공유 가능한 링크 삭제",
+    "shareDeleteConfirm": "공유 가능한 링크 삭제 확인",
+    "shareQuestionRemove": "이 공유 링크를 삭제하시겠습니까?",
+    "shareMessageRemove": "삭제되면 링크가 더 이상 작동하지 않으며, 이를 사용하는 모든 사용자는 자원에 대한 접근을 잃게 됩니다.",
    "shareTokenDescription": "액세스 토큰은 쿼리 매개변수 또는 요청 헤더의 두 가지 방법으로 전달될 수 있습니다. 이는 인증된 액세스를 위해 클라이언트에서 모든 요청마다 전달되어야 합니다.",
    "accessToken": "액세스 토큰",
    "usageExamples": "사용 예",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "공유 링크를 생성하는 동안 오류가 발생했습니다",
    "shareCreateDescription": "이 링크가 있는 누구나 리소스에 접근할 수 있습니다.",
    "shareTitleOptional": "제목 (선택 사항)",
+    "sharePathOptional": "경로 (선택 사항)",
+    "sharePathDescription": "링크는 인증 후 이 경로로 사용자를 리디렉션합니다.",
    "expireIn": "만료됨",
    "neverExpire": "만료되지 않음",
    "shareExpireDescription": "만료 시간은 링크가 사용 가능하고 리소스에 접근할 수 있는 기간입니다. 이 시간이 지나면 링크는 더 이상 작동하지 않으며, 이 링크를 사용한 사용자는 리소스에 대한 접근 권한을 잃게 됩니다.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "리소스를 선택하세요",
    "proxyResourceTitle": "공개 리소스 관리",
    "proxyResourceDescription": "웹 브라우저를 통해 공용으로 접근할 수 있는 리소스를 생성하고 관리하세요.",
-    "proxyResourcesBannerTitle": "웹 기반 공공 접근",
-    "proxyResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 또는 TCP/UDP 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
+    "publicResourcesBannerTitle": "웹 기반의 공개 액세스",
+    "publicResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
    "clientResourceTitle": "개인 리소스 관리",
    "clientResourceDescription": "연결된 클라이언트를 통해서만 접근할 수 있는 리소스를 생성하고 관리하세요.",
    "privateResourcesBannerTitle": "제로 트러스트 개인 접근",
@@ -204,11 +212,37 @@
    "resourcesSearch": "리소스 검색...",
    "resourceAdd": "리소스 추가",
    "resourceErrorDelte": "리소스 삭제 중 오류 발생",
+    "resourcePoliciesBannerTitle": "인증 및 액세스 규칙 재사용",
+    "resourcePoliciesBannerDescription": "공유 리소스 정책을 사용하면 한 번 인증 방법 및 액세스 규칙을 정의하고, 여러 공개 리소스에 첨부할 수 있습니다. 정책을 업데이트하면 모든 연결된 리소스가 자동으로 변경 사항을 상속받습니다.",
+    "resourcePoliciesBannerButtonText": "자세히 알아보기",
+    "resourcePoliciesTitle": "공개 리소스 정책 관리",
+    "resourcePoliciesAttachedResourcesColumnTitle": "리소스",
+    "resourcePoliciesAttachedResources": "{count} 리소스",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, other {# 자원}}",
+    "resourcePoliciesAttachedResourcesEmpty": "리소스 없음",
+    "resourcePoliciesDescription": "공개 리소스에 대한 인증 정책을 생성하고 관리하여 접근을 제어합니다",
+    "resourcePoliciesSearch": "정책 검색...",
+    "resourcePoliciesAdd": "정책 추가",
+    "resourcePoliciesDefaultBadgeText": "기본 정책",
+    "resourcePoliciesCreate": "공개 리소스 정책 생성",
+    "resourcePoliciesCreateDescription": "새로운 정책을 생성하려면 아래 단계들을 따르세요",
+    "resourcePolicyName": "정책 이름",
+    "resourcePolicyNameDescription": "이 정책에 리소스 간에 식별할 이름을 지정합니다",
+    "resourcePolicyNamePlaceholder": "예: 내부 접근 정책",
+    "resourcePoliciesSeeAll": "모든 정책 보기",
+    "resourcePolicyAuthMethodAdd": "인증 방법 추가",
+    "resourcePolicyOtpEmailAdd": "OTP 이메일 추가",
+    "resourcePolicyRulesAdd": "규칙 추가",
+    "resourcePolicyAuthMethodsDescription": "추가 인증 방법을 통해 리소스에 대한 접근을 허용합니다",
+    "resourcePolicyUsersRolesDescription": "어떤 사용자와 역할이 관련된 리소스를 방문할 수 있는지 구성합니다",
+    "rulesResourcePolicyDescription": "이 정책에 연결된 접근 리소스를 제어할 규칙을 구성하세요",
    "authentication": "인증",
    "protected": "보호됨",
    "notProtected": "보호되지 않음",
    "resourceMessageRemove": "제거되면 리소스에 더 이상 접근할 수 없습니다. 리소스와 연결된 모든 대상도 제거됩니다.",
    "resourceQuestionRemove": "조직에서 리소스를 제거하시겠습니까?",
+    "resourcePolicyMessageRemove": "제거되면 리소스 정책에 접근할 수 없습니다. 리소스와 관련된 모든 리소스가 연동되지 않으며 인증 없이 남겨집니다.",
+    "resourcePolicyQuestionRemove": "정말로 조직에서 리소스 정책을 제거하시겠습니까?",
    "resourceHTTP": "HTTPS 리소스",
    "resourceHTTPDescription": "완전한 도메인 이름을 사용해 RAW 또는 HTTPS로 프록시 요청을 수행합니다.",
    "resourceRaw": "원시 TCP/UDP 리소스",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "포트 번호를 사용하여 원격 노드에 연결해야 합니다. 원격 노드에서 리소스를 사용하려면 사용자 지정 도메인을 사용하십시오.",
    "resourceCreate": "리소스 생성",
    "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
+    "resourceCreateGeneralDescription": "이름 및 유형을 포함한 기본 리소스 설정 구성",
    "resourceSeeAll": "모든 리소스 보기",
-    "resourceInfo": "리소스 정보",
+    "resourceCreateGeneral": "일반",
    "resourceNameDescription": "이것은 리소스의 표시 이름입니다.",
    "siteSelect": "사이트 선택",
    "siteSearch": "사이트 검색",
@@ -227,12 +262,15 @@
    "noCountryFound": "국가를 찾을 수 없습니다.",
    "siteSelectionDescription": "이 사이트는 대상에 대한 연결을 제공합니다.",
    "resourceType": "리소스 유형",
-    "resourceTypeDescription": "리소스에 액세스하는 방법을 결정하세요.",
+    "resourceTypeDescription": "이것은 리소스 프로토콜 및 브라우저에서 렌더링되는 방식에 영향을 줍니다. 나중에 변경할 수 없습니다.",
+    "resourceDomainDescription": "리소스는 숙주 네임에서 제공됩니다.",
    "resourceHTTPSSettings": "HTTPS 설정",
    "resourceHTTPSSettingsDescription": "리소스가 HTTPS로 접근할 수 있는 방식을 구성합니다.",
+    "resourcePortDescription": "리소스에 접근할 수 있는 Pangolin 인스턴스나 노드의 외부 포트입니다.",
    "domainType": "도메인 유형",
    "subdomain": "서브도메인",
    "baseDomain": "기본 도메인",
+    "configure": "구성",
    "subdomnainDescription": "리소스에 접근할 수 있는 하위 도메인입니다.",
    "resourceRawSettings": "TCP/UDP 설정",
    "resourceRawSettingsDescription": "TCP/UDP를 통해 리소스에 접근하는 방법을 구성하세요.",
@@ -243,14 +281,35 @@
    "back": "뒤로",
    "cancel": "취소",
    "resourceConfig": "구성 스니펫",
-    "resourceConfigDescription": "TCP/UDP 리소스를 설정하기 위해 이 구성 스니펫을 복사하여 붙여넣습니다.",
+    "resourceConfigDescription": "TCP/UDP 리소스를 설정하기 위해 이 구성 스니펫을 복사하여 붙여넣으세요.",
    "resourceAddEntrypoints": "Traefik: 엔트리포인트 추가",
    "resourceExposePorts": "Gerbil: Docker Compose에서 포트 노출",
    "resourceLearnRaw": "TCP/UDP 리소스 구성 방법 알아보기",
    "resourceBack": "리소스로 돌아가기",
    "resourceGoTo": "리소스로 이동",
+    "resourcePolicyDelete": "리소스 정책 삭제",
+    "resourcePolicyDeleteConfirm": "리소스 정책 삭제 확인",
    "resourceDelete": "리소스 삭제",
    "resourceDeleteConfirm": "리소스 삭제 확인",
+    "labelDelete": "레이블 삭제",
+    "labelAdd": "레이블 추가",
+    "labelCreateSuccessMessage": "레이블이 성공적으로 생성되었습니다",
+    "labelDuplicateError": "중복 레이블",
+    "labelDuplicateErrorDescription": "이 이름의 레이블이 이미 존재합니다.",
+    "labelEditSuccessMessage": "레이블이 성공적으로 수정되었습니다",
+    "labelNameField": "레이블 이름",
+    "labelColorField": "레이블 색상",
+    "labelPlaceholder": "예: homelab",
+    "labelCreate": "레이블 만들기",
+    "createLabelDialogTitle": "레이블 만들기",
+    "createLabelDialogDescription": "이 조직에 연결할 수 있는 새 레이블을 만듭니다",
+    "labelEdit": "레이블 편집",
+    "editLabelDialogTitle": "레이블 업데이트",
+    "editLabelDialogDescription": "이 조직에 연결할 수 있는 새 레이블을 편집합니다",
+    "labelDeleteConfirm": "레이블 삭제 확인",
+    "labelErrorDelete": "레이블 삭제 실패",
+    "labelMessageRemove": "이 작업은 영구적입니다. 이 레이블과 태그된 모든 사이트, 리소스, 클라이언트의 태그가 제거됩니다.",
+    "labelQuestionRemove": "정말로 조직에서 레이블을 제거하시겠습니까?",
    "visibility": "가시성",
    "enabled": "활성화됨",
    "disabled": "비활성화됨",
@@ -261,6 +320,8 @@
    "rules": "규칙",
    "resourceSettingDescription": "리소스의 설정을 구성하세요.",
    "resourceSetting": "{resourceName} 설정",
+    "resourcePolicySettingDescription": "이 공개 리소스 정책의 설정을 구성하세요",
+    "resourcePolicySetting": "{policyName} 설정",
    "alwaysAllow": "인증 우회",
    "alwaysDeny": "접근 차단",
    "passToAuth": "인증으로 전달",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "이 사용자가 제거되면 더 이상 조직에 접근할 수 없습니다. 나중에 다시 초대할 수 있지만, 초대를 다시 수락해야 합니다.",
    "userRemoveOrgConfirm": "사용자 제거 확인",
    "userRemoveOrg": "조직에서 사용자 제거",
+    "userQuestionOrgRemoveSelf": "이 조직에서 자신을 제거하시겠습니까?",
+    "userMessageOrgRemoveSelf": "귀하는 즉시 접근 권한을 잃게 됩니다. 관리자가 나중에 다시 초대할 수 있지만, 새 초대를 수락해야 합니다.",
+    "userRemoveOrgConfirmSelf": "내 제거 확인",
+    "userRemoveOrgSelf": "조직에서 자신을 제거하십시오",
+    "userRemoveOrgSelfWarning": "귀하는 이 조직에 대한 접근 권한을 즉시 상실합니다.",
+    "userRemoveOrgConfirmPhraseSelf": "조직에서 나를 제거",
    "users": "사용자",
    "accessRoleMember": "회원",
    "accessRoleOwner": "소유자",
@@ -531,6 +598,11 @@
    "emailInvalid": "유효하지 않은 이메일 주소입니다.",
    "inviteValidityDuration": "지속 시간을 선택하십시오.",
    "accessRoleSelectPlease": "역할을 선택하세요",
+    "removeOwnAdminRoleConfirmTitle": "관리자 권한을 제거하시겠습니까?",
+    "removeOwnAdminRoleConfirmDescription": "저장 후 이 조직에 대한 관리자 권한이 없어집니다. 필요한 경우 다른 관리자가 접근 권한을 복구할 수 있습니다.",
+    "removeOwnAdminRoleConfirmButton": "내 관리자 권한 제거",
+    "removeOwnAdminRoleConfirmPhrase": "내 관리자 권한 제거",
+    "ownerMustRetainAdminRole": "조직 소유자는 최소한 하나의 관리자 역할을 유지해야 합니다.",
    "usernameRequired": "사용자 이름은 필수입니다.",
    "idpSelectPlease": "신원 제공자를 선택하십시오",
    "idpGenericOidc": "일반 OAuth2/OIDC 공급자.",
@@ -615,7 +687,7 @@
    "createdAt": "생성일",
    "proxyErrorInvalidHeader": "잘못된 사용자 정의 호스트 헤더 값입니다. 도메인 이름 형식을 사용하거나 사용자 정의 호스트 헤더를 해제하려면 비워 두십시오.",
    "proxyErrorTls": "유효하지 않은 TLS 서버 이름입니다. 도메인 이름 형식을 사용하거나 비워 두어 TLS 서버 이름을 제거하십시오.",
-    "proxyEnableSSL": "SSL 활성화",
+    "proxyEnableSSL": "TLS 활성화",
    "proxyEnableSSLDescription": "타겟과의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화를 활성화하세요.",
    "target": "대상",
    "configureTarget": "대상 구성",
@@ -656,8 +728,9 @@
    "targetSubmit": "대상 추가",
    "targetNoOne": "이 리소스에는 대상이 없습니다. 백엔드로 요청을 보낼 대상을 구성하려면 대상을 추가하세요.",
    "targetNoOneDescription": "위에 하나 이상의 대상을 추가하면 로드 밸런싱이 활성화됩니다.",
-    "targetsSubmit": "대상 저장",
+    "targetsSubmit": "설정 저장",
    "addTarget": "대상 추가",
+    "proxyMultiSiteRoundRobinNodeHelp": "라운드 로빈 라우팅은 동일한 노드에 연결되지 않은 사이트 간에는 작동하지 않으나, 대체 라우팅은 작동합니다.",
    "targetErrorInvalidIp": "유효하지 않은 IP 주소",
    "targetErrorInvalidIpDescription": "유효한 IP 주소 또는 호스트 이름을 입력하세요.",
    "targetErrorInvalidPort": "유효하지 않은 포트",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "중복 규칙",
    "rulesErrorDuplicateDescription": "이 설정을 가진 규칙이 이미 존재합니다.",
    "rulesErrorInvalidIpAddressRange": "유효하지 않은 CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "유효한 CIDR 값을 입력하십시오.",
-    "rulesErrorInvalidUrl": "유효하지 않은 URL 경로",
-    "rulesErrorInvalidUrlDescription": "유효한 URL 경로 값을 입력해 주세요.",
-    "rulesErrorInvalidIpAddress": "유효하지 않은 IP",
-    "rulesErrorInvalidIpAddressDescription": "유효한 IP 주소를 입력하세요",
+    "rulesErrorInvalidIpAddressRangeDescription": "유효한 CIDR 범위를 입력하세요 (예: 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "유효하지 않은 경로",
+    "rulesErrorInvalidUrlDescription": "유효한 URL 경로 또는 패턴을 입력하세요 (예: /api/*).",
+    "rulesErrorInvalidIpAddress": "유효하지 않은 IP 주소",
+    "rulesErrorInvalidIpAddressDescription": "유효한 IPv4 또는 IPv6 주소를 입력하세요.",
    "rulesErrorUpdate": "규칙 업데이트에 실패했습니다.",
    "rulesErrorUpdateDescription": "규칙 업데이트 중 오류가 발생했습니다.",
    "rulesUpdated": "규칙 활성화",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "IP 주소를 입력하세요 (예: 103.21.244.12)",
    "rulesMatchUrl": "URL 경로 또는 패턴을 입력하세요 (예: /api/v1/todos 또는 /api/v1/*)",
    "rulesErrorInvalidPriority": "유효하지 않은 우선순위",
-    "rulesErrorInvalidPriorityDescription": "유효한 우선 순위를 입력하세요.",
-    "rulesErrorDuplicatePriority": "중복 우선순위",
-    "rulesErrorDuplicatePriorityDescription": "고유한 우선 순위를 입력하십시오.",
+    "rulesErrorInvalidPriorityDescription": "1 이상의 정수를 입력하세요.",
+    "rulesErrorDuplicatePriority": "중복된 우선순위",
+    "rulesErrorDuplicatePriorityDescription": "각 규칙은 고유한 우선순위 번호를 가져야 합니다.",
+    "rulesErrorValidation": "유효하지 않은 규칙",
+    "rulesErrorValidationRuleDescription": "규칙 {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "유효한 매칭 유형을 선택하세요 (경로, IP, CIDR, 국가, 지역, 또는 ASN).",
+    "rulesErrorValueRequired": "이 규칙에 대한 값을 입력하세요.",
+    "rulesErrorInvalidCountry": "유효하지 않은 국가",
+    "rulesErrorInvalidCountryDescription": "유효한 국가를 선택하세요.",
+    "rulesErrorInvalidAsn": "유효하지 않은 ASN",
+    "rulesErrorInvalidAsnDescription": "유효한 ASN을 입력하세요 (예: AS15169).",
    "ruleUpdated": "규칙이 업데이트되었습니다",
    "ruleUpdatedDescription": "규칙이 성공적으로 업데이트되었습니다",
    "ruleErrorUpdate": "작업 실패",
    "ruleErrorUpdateDescription": "저장 작업 중 오류가 발생했습니다.",
    "rulesPriority": "우선순위",
+    "rulesReorderDragHandle": "드래그하여 규칙 우선순위 재정렬",
    "rulesAction": "작업",
    "rulesMatchType": "일치 유형",
    "value": "값",
@@ -728,9 +810,60 @@
    "rulesResource": "리소스 규칙 구성",
    "rulesResourceDescription": "리소스에 대한 접근을 제어하는 규칙 구성",
    "ruleSubmit": "규칙 추가",
-    "rulesNoOne": "규칙이 없습니다. 양식을 사용하여 규칙을 추가하십시오.",
+    "rulesNoOne": "아직 규칙이 없습니다.",
    "rulesOrder": "규칙은 우선 순위에 따라 오름차순으로 평가됩니다.",
    "rulesSubmit": "규칙 저장",
+    "policyErrorCreate": "정책 생성 오류",
+    "policyErrorCreateDescription": "정책 생성 중 오류가 발생했습니다",
+    "policyErrorCreateMessageDescription": "예기치 않은 오류가 발생했습니다",
+    "policyErrorUpdate": "정책 업데이트 오류",
+    "policyErrorUpdateDescription": "정책 업데이트 중 오류가 발생했습니다",
+    "policyErrorUpdateMessageDescription": "예기치 않은 오류가 발생했습니다",
+    "policyCreatedSuccess": "리소스 정책이 성공적으로 생성되었습니다",
+    "policyUpdatedSuccess": "리소스 정책이 성공적으로 업데이트되었습니다",
+    "authMethodsSave": "설정 저장",
+    "policyAuthStackTitle": "인증",
+    "policyAuthStackDescription": "이 리소스에 접근하려면 어떤 인증 방법이 필요한지 제어합니다",
+    "policyAuthOrLogicTitle": "다수의 인증 방법 활성화",
+    "policyAuthOrLogicBanner": "방문자는 아래 활성화된 방법 중 하나만을 선택하여 인증할 수 있습니다. 모든 방법을 완료할 필요는 없습니다.",
+    "policyAuthMethodActive": "활성화",
+    "policyAuthMethodOff": "비활성화",
+    "policyAuthSsoTitle": "플랫폼 SSO",
+    "policyAuthSsoDescription": "사용자의 아이덴티티 공급자를 통해 로그인 필요",
+    "policyAuthSsoSummary": "{idp} · {users} 사용자, {roles} 역할",
+    "policyAuthSsoDefaultIdp": "기본 공급자",
+    "policyAuthAddDefaultIdentityProvider": "기본 아이덴티티 공급자 추가",
+    "policyAuthOtherMethodsTitle": "기타 방법",
+    "policyAuthOtherMethodsDescription": "플랫폼 SSO 대신 또는 함께 사용할 수 있는 선택적 방법",
+    "policyAuthPasscodeTitle": "패스코드",
+    "policyAuthPasscodeDescription": "리소스 접근을 위한 공유 알파벳 및 숫자 패스코드 필요",
+    "policyAuthPasscodeSummary": "패스코드 설정됨",
+    "policyAuthPincodeTitle": "PIN 코드",
+    "policyAuthPincodeDescription": "리소스 접근에 필요한 짧은 숫자 코드",
+    "policyAuthPincodeSummary": "6자리 PIN 코드 설정됨",
+    "policyAuthEmailTitle": "이메일 화이트리스트",
+    "policyAuthEmailDescription": "허용된 이메일 주소로 일회용 비밀번호 전송",
+    "policyAuthEmailSummary": "{count}개의 주소 허용됨",
+    "policyAuthEmailOtpCallout": "이메일 화이트리스트를 활성화하면 로그인 시 방문자의 이메일로 일회용 비밀번호가 전송됩니다.",
+    "policyAuthHeaderAuthTitle": "기본 헤더 인증",
+    "policyAuthHeaderAuthDescription": "각 요청에서 맞춤 HTTP 헤더 이름 및 값을 검증",
+    "policyAuthHeaderAuthSummary": "헤더 구성됨",
+    "policyAuthHeaderName": "헤더 이름",
+    "policyAuthHeaderValue": "예상 값",
+    "policyAuthSetPasscode": "패스코드 설정",
+    "policyAuthSetPincode": "PIN 코드 설정",
+    "policyAuthSetEmailWhitelist": "이메일 화이트리스트 설정",
+    "policyAuthSetHeaderAuth": "기본 헤더 인증 설정",
+    "policyAccessRulesTitle": "액세스 규칙",
+    "policyAccessRulesEnableDescription": "활성화되면 규칙은 내림차순으로 평가되며, 하나가 참으로 평가될 때까지 계속됩니다.",
+    "policyAccessRulesFirstMatch": "규칙은 위에서 아래로 평가됩니다. 첫 번째 매칭 규칙이 결과를 결정합니다.",
+    "policyAccessRulesHowItWorks": "규칙은 경로, IP 주소, 위치 또는 기타 기준에 따라 요청을 매칭합니다. 각 규칙은 인증 우회, 접근 차단 또는 인증 전송의 액션을 적용합니다. 매칭되는 규칙이 없으면, 트래픽은 인증으로 계속됩니다.",
+    "policyAccessRulesFallthroughOff": "규칙이 비활성화되면, 모든 트래픽은 인증으로 넘어갑니다.",
+    "policyAccessRulesFallthroughOn": "매칭되는 규칙이 없으면, 트래픽은 인증으로 넘어갑니다.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "규칙 저장",
    "resourceErrorCreate": "리소스 생성 오류",
    "resourceErrorCreateDescription": "리소스를 생성하는 중 오류가 발생했습니다.",
    "resourceErrorCreateMessage": "리소스 생성 오류:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "리소스를 업데이트하는 동안 오류가 발생했습니다.",
    "access": "접속",
    "accessControl": "액세스 제어",
-    "shareLink": "{resource} 공유 링크",
+    "shareLink": "{resource} 공유 가능한 링크",
    "resourceSelect": "리소스 선택",
-    "shareLinks": "공유 링크",
+    "shareLinks": "공유 가능한 링크",
    "share": "공유 가능한 링크",
    "shareDescription2": "리소스에 대한 공유 가능한 링크를 생성하세요. 링크는 리소스에 대한 임시 또는 무제한 액세스를 제공합니다. 링크를 생성할 때 만료 기간을 설정할 수 있습니다.",
    "shareEasyCreate": "생성하고 공유하기 쉬움",
@@ -794,6 +927,17 @@
    "pincodeAdd": "PIN 코드 추가",
    "pincodeRemove": "PIN 코드 제거",
    "resourceAuthMethods": "인증 방법",
+    "resourcePolicyAuthMethodsEmpty": "인증 방법 없음",
+    "resourcePolicyOtpEmpty": "일회용 비밀번호 없음",
+    "resourcePolicyReadOnly": "이 정책은 읽기 전용입니다",
+    "resourcePolicyReadOnlyDescription": "이 리소스 정책은 여러 리소스에 걸쳐 공유됩니다. 이 페이지에서는 수정할 수 없습니다.",
+    "editSharedPolicy": "공유 정책 편집",
+    "resourcePolicyTypeSave": "리소스 유형 저장",
+    "resourcePolicySelect": "리소스 정책 선택",
+    "resourcePolicySelectError": "리소스 정책 선택 오류",
+    "resourcePolicyNotFound": "정책을 찾을 수 없습니다",
+    "resourcePolicySearch": "정책 검색",
+    "resourcePolicyRulesEmpty": "인증 규칙 없음",
    "resourceAuthMethodsDescriptions": "추가 인증 방법을 통해 리소스에 대한 액세스 허용",
    "resourceAuthSettingsSave": "성공적으로 저장되었습니다.",
    "resourceAuthSettingsSaveDescription": "인증 설정이 저장되었습니다",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "핀코드 설정",
    "resourcePincodeSetupTitleDescription": "이 리소스를 보호하기 위해 핀 코드를 설정하십시오.",
    "resourceRoleDescription": "관리자는 항상 이 리소스에 접근할 수 있습니다.",
+    "resourcePolicySelectTitle": "리소스 액세스 정책",
+    "resourcePolicySelectDescription": "인증을 위한 리소스 정책 유형을 선택하세요",
+    "resourcePolicyTypeLabel": "정책 유형",
+    "resourcePolicyLabel": "리소스 정책",
+    "resourcePolicyInline": "인라인 리소스 정책",
+    "resourcePolicyInlineDescription": "이 리소스에만 범위가 있는 액세스 정책",
+    "resourcePolicyShared": "공유 리소스 정책",
+    "resourcePolicySharedDescription": "이 리소스는 공유 정책을 사용합니다.",
+    "sharedPolicy": "공유 정책",
+    "sharedPolicyNoneDescription": "이 리소스는 자체 정책을 가지고 있습니다.",
+    "resourceSharedPolicyOwnDescription": "이 리소스는 자체 인증 및 접근 규칙 제어를 가지고 있습니다.",
+    "resourceSharedPolicyInheritedDescription": "이 리소스는 <policyLink>{policyName}</policyLink>에서 상속받습니다.",
+    "resourceSharedPolicyAuthenticationNotice": "이 리소스는 공유 정책을 사용합니다. 일부 인증 설정은 이 리소스에서 정책에 추가하기 위해 편집할 수 있습니다. 기본 정책을 변경하려면 <policyLink>{policyName}</policyLink>을 편집해야 합니다.",
+    "resourceSharedPolicyRulesNotice": "이 리소스는 공유 정책을 사용합니다. 일부 액세스 규칙은 이 리소스에서 편집할 수 있습니다. 기본 정책을 변경하려면 <policyLink>{policyName}</policyLink>을 수정해야 합니다.",
    "resourceUsersRoles": "접근 제어",
    "resourceUsersRolesDescription": "이 리소스를 방문할 수 있는 사용자 및 역할을 구성하십시오",
    "resourceUsersRolesSubmit": "접근 제어 저장",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "가시성",
    "resourceVisibilityTitleDescription": "리소스 가시성을 완전히 활성화하거나 비활성화",
    "resourceGeneral": "일반 설정",
-    "resourceGeneralDescription": "이 리소스에 대한 일반 설정을 구성하십시오.",
+    "resourceGeneralDescription": "이 리소스를 위한 이름, 주소 및 접근 정책을 구성하세요.",
+    "resourceGeneralDetailsSubsection": "리소스 세부 정보",
+    "resourceGeneralDetailsSubsectionDescription": "이 리소스를 위한 표시 이름, 식별자 및 공개 도메인을 설정합니다.",
+    "resourceGeneralDetailsSubsectionPortDescription": "이 리소스를 위한 표시 이름, 식별자 및 공개 포트를 설정합니다.",
+    "resourceGeneralPublicAddressSubsection": "공공 주소",
+    "resourceGeneralPublicAddressSubsectionDescription": "사용자가 이 리소스에 도달하는 방법을 구성하세요.",
+    "resourceGeneralAuthenticationAccessSubsection": "인증 및 접근",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "이 리소스가 자체 정책을 사용하는지 또는 공유 정책에서 상속받는지를 선택하세요.",
    "resourceEnable": "리소스 활성화",
    "resourceTransfer": "리소스 전송",
    "resourceTransferDescription": "이 리소스를 다른 사이트로 전송",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "{name}에 연결하는 데 문제가 발생했습니다. 관리자에게 문의하십시오.",
    "idpErrorNotFound": "IdP를 찾을 수 없습니다.",
    "inviteInvalid": "유효하지 않은 초대",
+    "labels": "레이블",
+    "orgLabelsDescription": "이 조직의 레이블을 관리합니다.",
+    "addLabels": "레이블 추가",
+    "siteLabelsTab": "레이블",
+    "siteLabelsDescription": "이 사이트와 연결된 레이블을 관리합니다.",
+    "labelsNotFound": "레이블을 찾을 수 없습니다.",
+    "labelsEmptyCreateHint": "라벨을 생성하려면 위에서 입력을 시작하세요.",
+    "labelSearch": "레이블 검색",
+    "labelSearchOrCreate": "레이블을 검색하거나 생성하세요",
+    "accessLabelFilterCount": "{count, plural, other {# 레이블}}",
+    "labelOverflowCount": " +{count, plural, other {# 레이블}}",
+    "accessLabelFilterClear": "레이블 필터 초기화",
+    "accessFilterClear": "필터 지우기",
+    "selectColor": "색상 선택",
+    "createNewLabel": "새 조직 레이블 \"{label}\" 만들기",
    "inviteInvalidDescription": "초대 링크가 유효하지 않습니다.",
    "inviteErrorWrongUser": "이 초대는 이 사용자에게 해당되지 않습니다",
    "inviteErrorUserNotExists": "사용자가 존재하지 않습니다. 먼저 계정을 생성해 주세요.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "리소스",
    "sidebarProxyResources": "공유",
    "sidebarClientResources": "비공개",
+    "sidebarPolicies": "공유 정책들",
+    "sidebarResourcePolicies": "공개 리소스",
    "sidebarAccessControl": "액세스 제어",
    "sidebarLogsAndAnalytics": "로그 및 분석",
    "sidebarTeam": "팀",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "관리자",
    "sidebarInvitations": "초대",
    "sidebarRoles": "역할",
-    "sidebarShareableLinks": "링크",
+    "sidebarShareableLinks": "공유 가능한 링크",
    "sidebarApiKeys": "API 키",
    "sidebarProvisioning": "프로비저닝",
    "sidebarSettings": "설정",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "사이트 {id}",
    "standaloneHcFilterResourceIdFallback": "리소스 {id}",
    "blueprints": "청사진",
-    "blueprintsDescription": "선언적 구성을 적용하고 이전 실행을 봅니다",
+    "blueprintsLog": "블루프린트 로그",
+    "blueprintsDescription": "이전에 블루프린트 응용 프로그램과 그 결과를 보거나 새 블루프린트를 적용하세요",
    "blueprintAdd": "청사진 추가",
    "blueprintGoBack": "모든 청사진 보기",
    "blueprintCreate": "청사진 생성",
@@ -1559,7 +1742,17 @@
    "contents": "콘텐츠",
    "parsedContents": "구문 분석된 콘텐츠 (읽기 전용)",
    "enableDockerSocket": "Docker 청사진 활성화",
-    "enableDockerSocketDescription": "블루프린트 레이블을 위한 Docker 소켓 레이블 수집을 활성화합니다. 소켓 경로는 Newt에 제공되어야 합니다.",
+    "enableDockerSocketDescription": "블루프린트 레이블을 위한 Docker 소켓 레이블 스크래핑을 활성화합니다. 소켓 경로는 사이트 커넥터에 제공되어야 합니다. 동작 방법에 대한 자세한 정보는 <docsLink>문서</docsLink>에서 확인하세요.",
+    "newtAutoUpdate": "사이트 자동 업데이트 활성화",
+    "newtAutoUpdateDescription": "활성화되면, 사이트 커넥터는 최신 버전을 자동으로 다운로드하고 재시작합니다. 각 사이트별로 이를 무시할 수 있습니다.",
+    "siteAutoUpdate": "사이트 자동 업데이트",
+    "siteAutoUpdateLabel": "자동 업데이트 활성화",
+    "siteAutoUpdateDescription": "활성화되면, 이 사이트의 커넥터는 최신 버전을 자동으로 다운로드하고 재시작합니다.",
+    "siteAutoUpdateOrgDefault": "조직 기본값: {state}",
+    "siteAutoUpdateOverriding": "조직 설정 재정의",
+    "siteAutoUpdateResetToOrg": "조직 기본값으로 재설정",
+    "siteAutoUpdateEnabled": "활성화됨",
+    "siteAutoUpdateDisabled": "비활성화됨",
    "viewDockerContainers": "도커 컨테이너 보기",
    "containersIn": "{siteName}의 컨테이너",
    "selectContainerDescription": "이 대상을 위한 호스트 이름으로 사용할 컨테이너를 선택하세요. 포트를 사용하려면 포트를 클릭하세요.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "인증서",
    "certificateStatusAutoRefreshHint": "상태가 자동으로 새로 고쳐집니다.",
    "loading": "로딩 중",
+    "loadingEllipsis": "로딩 중...",
    "loadingAnalytics": "분석 로딩 중",
    "restart": "재시작",
    "domains": "도메인",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "계정 설정이 완료되었습니다! 판골린에 오신 것을 환영합니다!",
    "documentation": "문서",
    "saveAllSettings": "모든 설정 저장",
-    "saveResourceTargets": "대상 저장",
-    "saveResourceHttp": "프록시 설정 저장",
-    "saveProxyProtocol": "프록시 프로토콜 설정 저장",
+    "saveResourceTargets": "설정 저장",
+    "saveResourceHttp": "설정 저장",
+    "saveProxyProtocol": "설정 저장",
    "settingsUpdated": "설정이 업데이트되었습니다",
    "settingsUpdatedDescription": "설정이 성공적으로 업데이트되었습니다.",
    "settingsErrorUpdate": "설정 업데이트 실패",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "유료 독립 호스트 라이센스 키를 위한 구독 관리",
    "billingCurrentKeys": "현재 키",
    "billingModifyCurrentPlan": "현재 계획 수정",
+    "billingManageLicenseSubscriptionDescription": "유료 셀프호스티드 라이선스 키에 대한 구독을 관리하고 송장을 다운로드합니다.",
    "billingConfirmUpgrade": "업그레이드 확인",
    "billingConfirmDowngrade": "다운그레이드 확인",
    "billingConfirmUpgradeDescription": "계획을 업그레이드하려고 합니다. 아래의 새로운 제한 및 가격을 검토하세요.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "알 수 없음",
    "healthCheck": "상태 확인",
    "configureHealthCheck": "상태 확인 설정",
-    "configureHealthCheckDescription": "{target}에 대한 상태 모니터링 설정",
+    "configureHealthCheckDescription": "리소스의 모니터링을 설정하여 항상 이용 가능하도록 하세요",
    "enableHealthChecks": "상태 확인 활성화",
    "healthCheckDisabledStateDescription": "비활성화되면 이 사이트가 상태 확인을 수행하지 않으며 상태가 알 수 없는 것으로 간주됩니다.",
    "enableHealthChecksDescription": "이 대상을 모니터링하여 건강 상태를 확인하세요. 필요에 따라 대상과 다른 엔드포인트를 모니터링할 수 있습니다.",
    "healthScheme": "방법",
    "healthSelectScheme": "방법 선택",
-    "healthCheckPortInvalid": "올바르지 않은 서브넷 마스크입니다. 1에서 65535 사이여야 합니다",
+    "healthCheckPortInvalid": "포트는 1에서 65535 사이여야 합니다",
    "healthCheckPath": "경로",
    "healthHostname": "IP / 호스트",
    "healthPort": "포트",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "시간은 초 단위입니다",
    "requireDeviceApproval": "장치 승인 요구",
    "requireDeviceApprovalDescription": "이 역할을 가진 사용자는 장치가 연결되기 전에 관리자의 승인이 필요합니다.",
+    "sshSettings": "SSH 설정",
    "sshAccess": "SSH 접속",
+    "rdpSettings": "RDP 설정",
+    "vncSettings": "VNC 설정",
+    "sshServer": "SSH 서버",
+    "rdpServer": "RDP 서버",
+    "vncServer": "VNC 서버",
+    "sshServerDescription": "인증 방법, 데몬 위치 및 서버 목적지를 설정합니다",
+    "rdpServerDescription": "RDP 서버의 목적지 및 포트를 구성합니다",
+    "vncServerDescription": "VNC 서버의 목적지 및 포트를 구성합니다",
+    "sshServerMode": "모드",
+    "sshServerModeStandard": "표준 SSH 서버",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "네트워크를 통해 OpenSSH와 같은 SSH 서버로 명령을 전달합니다.",
+    "sshServerModeNative": "네이티브 SSH 서버",
+    "sshServerModeNativeDescription": "사이트 커넥터를 통해 호스트에서 직접 명령을 실행합니다. 네트워크 구성이 필요 없습니다.",
+    "sshAuthenticationMethod": "인증 방법",
+    "sshAuthMethodManual": "수동 인증",
+    "sshAuthMethodManualDescription": "기존 호스트 자격 증명이 필요합니다. 자동 프로비저닝을 우회합니다.",
+    "sshAuthMethodAutomated": "자동 프로비저닝",
+    "sshAuthMethodAutomatedDescription": "호스트에 사용자, 그룹 및 sudo 권한을 자동으로 생성합니다.",
+    "sshAuthDaemonLocation": "인증 데몬 위치",
+    "sshDaemonLocationSiteDescription": "사이트 커넥터를 호스팅하는 기계에서 로컬로 실행됩니다.",
+    "sshDaemonLocationRemote": "원격 호스트에서",
+    "sshDaemonLocationRemoteDescription": "같은 네트워크의 별도의 대상 기계에서 실행됩니다.",
+    "sshDaemonDisclaimer": "이 설정을 완료하기 전에 인증 데몬을 실행할 대상 호스트가 적절히 구성되었는지 확인하십시오. 그렇지 않으면 프로비저닝이 실패할 수 있습니다.",
+    "sshDaemonPort": "데몬 포트",
+    "sshServerDestination": "서버 목적지",
+    "sshServerDestinationDescription": "SSH 서버의 목적지를 설정합니다",
+    "destination": "대상지",
+    "destinationRequired": "목적지가 필요합니다.",
+    "domainRequired": "도메인은 필수입니다.",
+    "proxyPortRequired": "포트가 필요합니다.",
+    "invalidPathConfiguration": "유효하지 않은 경로 구성입니다.",
+    "invalidRewritePathConfiguration": "유효하지 않은 재작성 경로 구성입니다.",
+    "bgTargetMultiSiteDisclaimer": "여러 사이트를 선택하면 고가용성을 위한 내구성 있는 라우팅 및 장애 조치를 활성화합니다.",
    "roleAllowSsh": "SSH 허용",
    "roleAllowSshAllow": "허용",
    "roleAllowSshDisallow": "허용 안 함",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "사용자는 sudo로 지정된 명령만 실행할 수 있습니다.",
    "sshSudo": "Sudo 허용",
    "sshSudoCommands": "Sudo 명령",
-    "sshSudoCommandsDescription": "사용자가 sudo로 실행할 수 있는 명령어의 쉼표로 구분된 목록입니다.",
+    "sshSudoCommandsDescription": "사용자가 쉘에서 sudo로 실행할 수 있는 명령 목록, 쉼표, 공백 또는 새 줄로 구분됩니다. 절대 경로를 사용해야 합니다.",
    "sshCreateHomeDir": "홈 디렉터리 생성",
    "sshUnixGroups": "유닉스 그룹",
-    "sshUnixGroupsDescription": "대상 호스트에서 사용자에게 추가할 유닉스 그룹의 쉼표로 구분된 목록입니다.",
+    "sshUnixGroupsDescription": "사용자를 대상 호스트에 추가할 유닉스 그룹들, 쉼표, 공백 또는 새 줄로 구분됩니다.",
+    "roleTextFieldPlaceholder": "값을 입력하거나 .txt나 .csv 파일을 드롭하세요",
+    "roleTextImportTitle": "파일에서 가져오기",
+    "roleTextImportDescription": "{fileName}을(를) {fieldLabel}에 가져오는 중",
+    "roleTextImportSkipHeader": "첫 행 건너뛰기 (헤더)",
+    "roleTextImportOverride": "기존 항목 교체",
+    "roleTextImportAppend": "기존 항목에 추가",
+    "roleTextImportMode": "가져오기 모드",
+    "roleTextImportPreview": "미리보기",
+    "roleTextImportItemCount": "{count, plural, =0 {가져올 항목 없음} other {# 개의 항목 가져오기}}",
+    "roleTextImportTotalCount": "{existing} 기존 + {imported} 가져옴 = {total} 총계",
+    "roleTextImportConfirm": "가져오기",
+    "roleTextImportInvalidFile": "지원되지 않는 파일 유형",
+    "roleTextImportInvalidFileDescription": ".txt 및 .csv 파일만 지원됩니다.",
+    "roleTextImportEmpty": "파일에서 항목을 찾을 수 없습니다",
+    "roleTextImportEmptyDescription": "파일에 가져올 항목이 포함되어 있지 않습니다.",
    "retryAttempts": "재시도 횟수",
    "expectedResponseCodes": "예상 응답 코드",
    "expectedResponseCodesDescription": "정상 상태를 나타내는 HTTP 상태 코드입니다. 비워 두면 200-300이 정상으로 간주됩니다.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "스킴",
-    "editInternalResourceDialogEnableSsl": "SSL 활성화",
+    "editInternalResourceDialogEnableSsl": "TLS 활성화",
    "editInternalResourceDialogEnableSslDescription": "목적지로의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화 활성화.",
    "editInternalResourceDialogDestination": "대상지",
    "editInternalResourceDialogDestinationHostDescription": "사이트 네트워크의 자원 IP 주소입니다.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "스킴",
    "createInternalResourceDialogScheme": "스킴",
-    "createInternalResourceDialogEnableSsl": "SSL 활성화",
+    "createInternalResourceDialogEnableSsl": "TLS 활성화",
    "createInternalResourceDialogEnableSslDescription": "목적지로의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화 활성화.",
    "createInternalResourceDialogDestination": "대상지",
    "createInternalResourceDialogDestinationHostDescription": "사이트 네트워크의 자원 IP 주소입니다.",
@@ -2217,7 +2464,7 @@
        "description": "더 신뢰할 수 있고 낮은 유지보수의 자체 호스팅 팡골린 서버, 추가 기능 포함",
        "introTitle": "관리 자체 호스팅 팡골린",
        "introDescription": "는 자신의 데이터를 프라이빗하고 자체 호스팅을 유지하면서 더 간단하고 추가적인 신뢰성을 원하는 사람들을 위한 배포 옵션입니다.",
-        "introDetail": "이 옵션을 사용하면 여전히 자신의 팡골린 노드를 운영하고 - 터널, SSL 종료 및 트래픽 모두 서버에 유지됩니다. 차이점은 관리 및 모니터링이 클라우드 대시보드를 통해 처리되어 여러 혜택을 제공합니다.",
+        "introDetail": "이 옵션을 사용하면 여전히 자신의 Pangolin 노드를 운영하고 - 터널, TLS 종료, 트래픽 모두 서버에 유지됩니다. 차이점은 관리 및 모니터링이 클라우드 대시보드를 통해 처리되어 여러 혜택을 제공합니다:",
        "benefitSimplerOperations": {
            "title": "더 간단한 운영",
            "description": "자체 메일 서버를 운영하거나 복잡한 경고를 설정할 필요가 없습니다. 기본적으로 상태 점검 및 다운타임 경고를 받을 수 있습니다."
@@ -2652,6 +2899,8 @@
    "validPassword": "유효한 비밀번호",
    "validEmail": "유효한 이메일",
    "validSSO": "유효한 SSO",
+    "view": "보기",
+    "configManaged": "구성 관리됨",
    "connectedClient": "연결된 클라이언트",
    "resourceBlocked": "리소스 차단됨",
    "droppedByRule": "룰에 의해 드롭됨",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "프록시 프로토콜 활성화",
    "proxyProtocolInfo": "TCP 백엔드에 대한 클라이언트 IP 주소를 유지합니다.",
    "proxyProtocolVersion": "프록시 프로토콜 버전",
-    "version1": " 버전 1 (추천)",
+    "version1": "버전 1 (추천)",
    "version2": "버전 2",
-    "versionDescription": "버전 1은 텍스트 기반으로 널리 지원됩니다. 버전 2는 이진 기반으로 더 효율적이지만 호환성이 낮습니다.",
+    "version1Description": "텍스트 기반으로 널리 지원됩니다. 서버 전송이 동적 구성에 추가되었는지 확인하세요.",
+    "version2Description": "바이너리 및 더 효율적이지만 호환성은 낮습니다. 서버 전송이 동적 구성에 추가되었는지 확인하세요.",
    "warning": "경고",
    "proxyProtocolWarning": "백엔드 애플리케이션이 프록시 프로토콜 연결을 허용하도록 구성되어야 합니다. 백엔드가 프록시 프로토콜을 지원하지 않으면, 이를 활성화하면 모든 연결이 끊어집니다. 트래픽에서 온 프록시 프로토콜 헤더를 백엔드가 신뢰하도록 구성하십시오.",
    "restarting": "재시작 중...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "확인 입력",
    "blueprintViewDetails": "세부 정보",
    "defaultIdentityProvider": "기본 아이덴티티 공급자",
-    "defaultIdentityProviderDescription": "기본 ID 공급자가 선택되면, 사용자는 인증을 위해 자동으로 해당 공급자로 리디렉션됩니다.",
+    "defaultIdentityProviderDescription": "사용자는 인증을 위해 이 아이덴티티 공급자로 자동 리디렉션됩니다.",
    "editInternalResourceDialogNetworkSettings": "네트워크 설정",
    "editInternalResourceDialogAccessPolicy": "액세스 정책",
    "editInternalResourceDialogAddRoles": "역할 추가",
@@ -2919,11 +3169,12 @@
    "learnMore": "자세히 알아보기",
    "backToHome": "홈으로 돌아가기",
    "needToSignInToOrg": "조직의 아이덴티티 공급자를 사용해야 합니까?",
-    "maintenanceMode": "유지보수 모드",
+    "maintenanceMode": "유지 관리 페이지",
    "maintenanceModeDescription": "방문자에게 유지보수 페이지 표시",
    "maintenanceModeType": "유지보수 모드 유형",
    "showMaintenancePage": "방문자에게 유지보수 페이지 표시",
    "enableMaintenanceMode": "유지보수 모드 활성화",
+    "enableMaintenanceModeDescription": "활성화되면 방문자는 리소스 대신 유지보수 페이지를 보게 됩니다.",
    "automatic": "자동",
    "automaticModeDescription": "백엔드 타깃이 모두 다운되거나 건강하지 않을 때만 유지보수 페이지를 표시합니다. 적어도 하나의 타깃이 건강한 한 리소스는 정상 작동합니다.",
    "forced": "강제",
@@ -2931,6 +3182,8 @@
    "warning:": "경고:",
    "forcedeModeWarning": "모든 트래픽이 유지보수 페이지로 전달됩니다. 백엔드 리소스는 어떠한 요청도 받지 않습니다.",
    "pageTitle": "페이지 제목",
+    "maintenancePageContentSubsection": "페이지 콘텐츠",
+    "maintenancePageContentSubsectionDescription": "유지보수 페이지에 표시될 콘텐츠를 사용자 정의하세요",
    "pageTitleDescription": "유지보수 페이지에 표시될 주요 제목",
    "maintenancePageMessage": "유지보수 메시지",
    "maintenancePageMessagePlaceholder": "곧 돌아오겠습니다! 사이트는 현재 예정된 유지보수를 진행 중입니다.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "예상 완료:",
    "createInternalResourceDialogDestinationRequired": "목적지가 필요합니다.",
    "available": "사용 가능",
+    "disabledResourceDescription": "비활성화되면 리소스에 모든 사람이 접근할 수 없습니다.",
    "archived": "보관된",
    "noArchivedDevices": "보관된 장치가 없습니다.",
    "deviceArchived": "장치가 보관되었습니다.",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "데이터독",
    "streamingDatadogDescription": "이벤트를 직접 Datadog 계정으로 전달합니다. 곧 제공됩니다.",
    "streamingTypePickerDescription": "목표 유형을 선택하여 시작합니다.",
-    "streamingFailedToLoad": "대상 로드에 실패했습니다",
+    "streamingLastSyncError": "마지막 동기화에서 오류가 발생했습니다.",
    "streamingUnexpectedError": "예기치 않은 오류가 발생했습니다.",
    "streamingFailedToUpdate": "대상지를 업데이트하는 데 실패했습니다",
    "streamingDeletedSuccess": "대상지가 성공적으로 삭제되었습니다",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "대상지 수정",
    "S3DestAddTitle": "S3 대상지 추가",
    "S3DestEditDescription": "이 S3 이벤트 스트리밍 대상지의 구성을 업데이트하세요.",
-    "S3DestAddDescription": "조직의 이벤트를 받기 위한 새로운 S3 엔드포인트를 구성하세요.",
+    "S3DestAddDescription": "조직의 이벤트를 수신할 새로운 Amazon S3(또는 S3 호환) 버킷을 구성하세요.",
+    "s3DestTabSettings": "설정",
+    "s3DestTabFormat": "형식",
+    "s3DestNameLabel": "이름",
+    "s3DestNamePlaceholder": "내 S3 대상",
+    "s3DestAccessKeyIdLabel": "AWS 액세스 키 ID",
+    "s3DestSecretAccessKeyLabel": "AWS 비밀 액세스 키",
+    "s3DestSecretAccessKeyPlaceholder": "귀하의 AWS 비밀 액세스 키",
+    "s3DestRegionLabel": "AWS 지역",
+    "s3DestBucketLabel": "버킷 이름",
+    "s3DestPrefixLabel": "키 접두사(선택 사항)",
+    "s3DestPrefixDescription": "하나의 객체 키 앞에 붙이는 선택적 경로 접두사입니다. 객체는 {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}에 저장됩니다.",
+    "s3DestEndpointLabel": "사용자 정의 엔드포인트(선택 사항)",
+    "s3DestEndpointDescription": "MinIO 또는 Cloudflare R2와 같은 S3 호환 저장소에 대한 S3 엔드포인트를 재정의합니다. 표준 AWS S3의 경우 비워 두십시오.",
+    "s3DestGzipLabel": "Gzip 압축",
+    "s3DestGzipDescription": "각 업로드된 객체를 gzip으로 압축합니다. 저장 비용과 업로드 크기를 줄입니다.",
+    "s3DestFormatTitle": "파일 형식",
+    "s3DestFormatDescription": "업로드된 각 객체 내에서 이벤트가 직렬화되는 방식입니다.",
+    "s3DestFormatJsonArrayDescription": "각 객체는 이벤트 기록의 JSON 배열입니다. 대부분의 분석 도구와 호환됩니다.",
+    "s3DestFormatNdjsonDescription": "각 객체는 한 줄당 하나의 JSON 레코드를 포함합니다(새 줄로 구분된 JSON). Athena, BigQuery, Spark와 호환됩니다.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "각 객체는 헤더 행이 있는 RFC-4180 CSV 파일입니다. 열 이름은 이벤트 데이터 필드에서 파생됩니다.",
+    "s3DestSaveChanges": "변경 사항 저장",
+    "s3DestCreateDestination": "대상 생성",
+    "s3DestUpdatedSuccess": "대상이 성공적으로 업데이트되었습니다",
+    "s3DestCreatedSuccess": "대상이 성공적으로 생성되었습니다",
+    "s3DestUpdateFailed": "대상 업데이트에 실패했습니다",
+    "s3DestCreateFailed": "대상 생성에 실패했습니다",
    "datadogDestEditTitle": "대상지 수정",
    "datadogDestAddTitle": "Datadog 대상지 추가",
    "datadogDestEditDescription": "이 Datadog 이벤트 스트리밍 대상지의 구성을 업데이트하세요.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "정말로 이 조직에서 이 아이덴티티 공급자의 연관을 해제하시겠습니까?",
    "idpUnassociateDescription": "이 아이덴티티 공급자와 연관된 모든 사용자는 이 조직에서 제거될 것이지만, 아이덴티티 공급자는 다른 연관된 조직에 계속해서 존재할 것입니다.",
    "idpUnassociateConfirm": "아이덴티티 공급자 연관 해제 확인",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "조직에서 삭제하고 제거하기",
+    "idpUnassociateAndRemoveMeFromOrg": "조직에서 연관 해제하고 제거하기",
    "idpUnassociateWarning": "이 조직에서 이것은 되돌릴 수 없습니다.",
    "idpUnassociatedDescription": "아이덴티티 공급자가 이 조직에서 성공적으로 연관 해제되었습니다",
    "idpUnassociateMenu": "연관 해제",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "리소스 비활성화됨",
    "memberPortalShowingResources": "{start}-{end} 중 {total}개의 리소스를 표시 중",
    "memberPortalPrevious": "이전",
-    "memberPortalNext": "다음"
+    "memberPortalNext": "다음",
+    "httpSettings": "HTTP 설정",
+    "tcpSettings": "TCP 설정",
+    "udpSettings": "UDP 설정",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "보안 연결 설정 중…",
+    "sshConnecting": "연결 중…",
+    "sshInitializing": "초기화 중…",
+    "sshSignInTitle": "SSH에 로그인",
+    "sshSignInDescription": "연결하려면 SSH 자격 증명을 입력하세요",
+    "sshPasswordTab": "비밀번호",
+    "sshPrivateKeyTab": "개인 키",
+    "sshPrivateKeyField": "개인 키",
+    "sshPrivateKeyDisclaimer": "당신의 개인 키는 Pangolin에 저장되거나 보이지 않습니다. 대신, 기존 Pangolin 신원을 사용하여 매끄러운 인증을 제공하는 단기 인증서를 사용할 수 있습니다.",
+    "sshLearnMore": "자세히 알아보기",
+    "sshPrivateKeyFile": "개인 키 파일",
+    "sshAuthenticate": "연결",
+    "sshTerminate": "종료",
+    "sshPoweredBy": "제공자",
+    "sshErrorNoTarget": "지정된 대상이 없습니다",
+    "sshErrorWebSocket": "WebSocket 연결 실패",
+    "sshErrorAuthFailed": "인증 실패",
+    "sshErrorConnectionClosed": "인증이 완료되기 전에 연결이 닫혔습니다",
+    "sitePangolinSshDescription": "이 사이트의 리소스에 SSH 접속을 허용합니다. 나중에 변경할 수 있습니다.",
+    "browserGatewayNoResourceForDomain": "이 도메인에 대한 리소스를 찾을 수 없습니다",
+    "browserGatewayNoTarget": "대상 없음",
+    "browserGatewayConnect": "연결",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "PAM 푸시 인증을 위한 SSH 키 서명 실패. 사용자로 로그인하셨나요?",
+    "sshTerminalError": "오류: {error}",
+    "sshConnectionClosedCode": "연결 종료됨 (코드 {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "프라이빗 키가 필요합니다",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "연결하려면 VNC 비밀번호를 입력하세요",
+    "vncPasswordOptional": "비밀번호 (선택 사항)",
+    "vncNoResourceTarget": "사용할 수 있는 리소스 대상이 없습니다",
+    "vncFailedToLoadNovnc": "noVNC 로드를 실패했습니다",
+    "vncAuthFailedStatus": "상태 {status}",
+    "vncPasteClipboard": "클립보드 붙여넣기",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "원격 데스크톱에 로그인",
+    "rdpSignInDescription": "연결하려면 Windows 자격 증명을 입력하세요",
+    "rdpLoadingModule": "모듈 로딩 중...",
+    "rdpFailedToLoadModule": "RDP 모듈 로딩 실패",
+    "rdpNotReady": "준비되지 않음",
+    "rdpModuleInitializing": "RDP 모듈이 아직 초기화 중입니다",
+    "rdpDownloadingFiles": "원격에서 {count}개의 파일 다운로드 중…",
+    "rdpDownloadFailed": "다운로드 실패: {fileName}",
+    "rdpUploaded": "업로드 완료: {fileName}",
+    "rdpNoConnectionTarget": "연결 대상 없음",
+    "rdpConnectionFailed": "연결 실패",
+    "rdpFit": "적합",
+    "rdpFull": "전체",
+    "rdpReal": "실제",
+    "rdpMeta": "메타",
+    "rdpUploadFiles": "파일 업로드",
+    "rdpFilesReadyToPaste": "붙여넣기 준비 완료된 파일",
+    "rdpFilesReadyToPasteDescription": "{count}개의 파일이 원격 클립보드에 복사되었습니다 — 원격 데스크탑에서 Ctrl+V를 눌러 붙여 넣으세요.",
+    "rdpUploadFailed": "업로드 실패",
+    "rdpUnicodeKeyboardMode": "유니코드 키보드 모드",
+    "sessionToolbarShow": "툴바 보기",
+    "sessionToolbarHide": "툴바 숨기기"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Vis private ressurser",
    "siteInstallNewt": "Installer Newt",
    "siteInstallNewtDescription": "Få Newt til å kjøre på systemet ditt",
+    "siteInstallKubernetesDocsDescription": "For mer og oppdatert informasjon om Kubernetes-installasjon, se <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For installasjonsinstruksjoner for Advantech-modem, se <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Konfigurasjon",
    "WgConfigurationDescription": "Bruk følgende konfigurasjon for å koble til nettverket",
    "operatingSystem": "Operativsystem",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Du vil kun kunne se dette én gang. Sørg for å kopiere det til et sikkert sted.",
    "siteInfo": "Områdeinformasjon",
    "status": "Status",
-    "shareTitle": "Administrer delingslenker",
+    "shareTitle": "Administrer delbare lenker",
    "shareDescription": "Opprett delbare lenker for å gi midlertidige eller permanent tilgang til proxyressurser",
-    "shareSearch": "Søk delingslenker...",
-    "shareCreate": "Opprett delingslenke",
+    "shareSearch": "Søk delbare lenker...",
+    "shareCreate": "Opprett delbar lenke",
    "shareErrorDelete": "Klarte ikke å slette lenke",
    "shareErrorDeleteMessage": "En feil oppstod ved sletting av lenke",
    "shareDeleted": "Lenke slettet",
    "shareDeletedDescription": "Lenken har blitt slettet",
+    "shareDelete": "Slett delbar lenke",
+    "shareDeleteConfirm": "Bekreft sletting av delbar lenke",
+    "shareQuestionRemove": "Er du sikker på at du vil slette denne delingslenken?",
+    "shareMessageRemove": "Når slettet, vil lenken ikke lenger fungere, og alle som bruker den vil miste tilgang til ressursen.",
    "shareTokenDescription": "Adgangstoken kan sendes på to måter: som en spørringsparameter eller i forespørselsoverskriftene. Disse må sendes fra klienten på hver forespørsel om autentisert tilgang.",
    "accessToken": "Tilgangsnøkkel",
    "usageExamples": "Brukseksempler",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Det oppsto en feil ved opprettelse av delingslenken",
    "shareCreateDescription": "Alle med denne lenken får tilgang til ressursen",
    "shareTitleOptional": "Tittel (valgfritt)",
+    "sharePathOptional": "Bane (valgfritt)",
+    "sharePathDescription": "Lenken vil videresende brukere til denne stien etter autentisering.",
    "expireIn": "Utløper om",
    "neverExpire": "Utløper aldri",
    "shareExpireDescription": "Utløpstid er hvor lenge lenken vil være brukbar og gi tilgang til ressursen. Etter denne tiden vil lenken ikke lenger fungere, og brukere som brukte denne lenken vil miste tilgangen til ressursen.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Vennligst velg en ressurs",
    "proxyResourceTitle": "Administrere offentlige ressurser",
    "proxyResourceDescription": "Opprett og administrer ressurser som er offentlig tilgjengelige via en nettleser",
-    "proxyResourcesBannerTitle": "Nettbasert offentlig tilgang",
-    "proxyResourcesBannerDescription": "Offentlige ressurser er HTTPS- eller TCP/UDP-proxyer tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klient-basert programvare og kan inkludere identitets- og kontekstbevisste tilgangspolicyer.",
+    "publicResourcesBannerTitle": "Web-basert offentlig tilgang",
+    "publicResourcesBannerDescription": "Offentlige ressurser er HTTPS-proxyer som er tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klientprogramvare og kan inkludere identitets- og kontekstsensitive tilgangspolicyer.",
    "clientResourceTitle": "Administrer private ressurser",
    "clientResourceDescription": "Opprette og administrere ressurser som bare er tilgjengelige via en tilkoblet klient",
    "privateResourcesBannerTitle": "Zero-Trust privat tilgang",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Søk i ressurser...",
    "resourceAdd": "Legg til ressurs",
    "resourceErrorDelte": "Feil ved sletting av ressurs",
+    "resourcePoliciesBannerTitle": "Gjenbruk autentisering og tilgangsregler",
+    "resourcePoliciesBannerDescription": "Delte ressursretningslinjer lar deg definere autentiseringsmetoder og tilgangsregler en gang, for deretter å knytte dem til flere offentlige ressurser. Når du oppdaterer en policy, arver alle tilknyttede ressurser endringen automatisk.",
+    "resourcePoliciesBannerButtonText": "Lær mer",
+    "resourcePoliciesTitle": "Administrer offentlige ressursretningslinjer",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Ressurser",
+    "resourcePoliciesAttachedResources": "{count} ressurs(er)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# ressurs} other {# ressurser}}",
+    "resourcePoliciesAttachedResourcesEmpty": "ingen ressurser",
+    "resourcePoliciesDescription": "Opprett og administrer autentiseringsretningslinjer for å kontrollere tilgang til dine offentlige ressurser",
+    "resourcePoliciesSearch": "Søk etter regler...",
+    "resourcePoliciesAdd": "Legg til policy",
+    "resourcePoliciesDefaultBadgeText": "Standard politisk",
+    "resourcePoliciesCreate": "Opprett offentlig ressursretningslinje",
+    "resourcePoliciesCreateDescription": "Følg trinnene nedenfor for å lage en ny policy",
+    "resourcePolicyName": "Polisnavn",
+    "resourcePolicyNameDescription": "Gi denne policynavnet for å identifisere den på tvers av dine ressurser",
+    "resourcePolicyNamePlaceholder": "f.eks. Intern Tilgangspolicy",
+    "resourcePoliciesSeeAll": "Se Alle Policies",
+    "resourcePolicyAuthMethodAdd": "Legg til Autentiseringsmetode",
+    "resourcePolicyOtpEmailAdd": "Legg til OTP e-poster",
+    "resourcePolicyRulesAdd": "Legg til Regler",
+    "resourcePolicyAuthMethodsDescription": "Tillat tilgang til ressurser via tilleggsauthentiseringsmetoder",
+    "resourcePolicyUsersRolesDescription": "Konfigurer hvilke brukere og roller som kan besøke tilknyttede ressurser",
+    "rulesResourcePolicyDescription": "Konfigurer regler for å kontrollere tilgangen til ressurser som er knyttet til denne policyen",
    "authentication": "Autentisering",
    "protected": "Beskyttet",
    "notProtected": "Ikke beskyttet",
    "resourceMessageRemove": "Når den er fjernet, vil ressursen ikke lenger være tilgjengelig. Alle mål knyttet til ressursen vil også bli fjernet.",
    "resourceQuestionRemove": "Er du sikker på at du vil fjerne ressursen fra organisasjonen?",
+    "resourcePolicyMessageRemove": "Når den er fjernet, vil ressursen ikke lenger være tilgjengelig. Alle ressurser knyttet til ressursen vil bli frakoblet og stå uten autentisering.",
+    "resourcePolicyQuestionRemove": "Er du sikker på at du vil fjerne ressurspolitikken fra organisasjonen?",
    "resourceHTTP": "HTTPS-ressurs",
    "resourceHTTPDescription": "Proxy forespørsler over HTTPS ved å bruke et fullstendig kvalifisert domenenavn.",
    "resourceRaw": "Rå TCP/UDP-ressurs",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Proxy forespørsler om rå TCP/UDP ved hjelp av et portnummer. Krever sider for å koble til en ekstern node.",
    "resourceCreate": "Opprett ressurs",
    "resourceCreateDescription": "Følg trinnene nedenfor for å opprette en ny ressurs",
+    "resourceCreateGeneralDescription": "Konfigurer de grunnleggende ressursinnstillingene inkludert navnet og typen",
    "resourceSeeAll": "Se alle ressurser",
-    "resourceInfo": "Ressursinformasjon",
+    "resourceCreateGeneral": "Generelt",
    "resourceNameDescription": "Dette er visningsnavnet for ressursen.",
    "siteSelect": "Velg område",
    "siteSearch": "Søk i område",
@@ -227,12 +262,15 @@
    "noCountryFound": "Ingen land funnet.",
    "siteSelectionDescription": "Dette området vil gi tilkobling til mål.",
    "resourceType": "Ressurstype",
-    "resourceTypeDescription": "Bestemme hvordan denne ressursen skal brukes",
+    "resourceTypeDescription": "Dette kontrollerer ressursprotokollen og hvordan den vil vises i nettleseren. Dette kan ikke endres senere.",
+    "resourceDomainDescription": "Ressursen vil bli servert på dette fullstendig kvalifiserte domenenavnet.",
    "resourceHTTPSSettings": "HTTPS-innstillinger",
    "resourceHTTPSSettingsDescription": "Konfigurer hvordan ressursen skal nås over HTTPS",
+    "resourcePortDescription": "Den eksterne porten på Pangolin-instansen eller noden der ressursen vil være tilgjengelig.",
    "domainType": "Domenetype",
    "subdomain": "Underdomene",
    "baseDomain": "Grunndomene",
+    "configure": "Konfigurer",
    "subdomnainDescription": "Underdomenet hvor ressursen vil være tilgjengelig.",
    "resourceRawSettings": "TCP/UDP-innstillinger",
    "resourceRawSettingsDescription": "Konfigurer hvordan ressursen vil bli tilgjengelig over TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Tilbake",
    "cancel": "Avbryt",
    "resourceConfig": "Konfigurasjonsutdrag",
-    "resourceConfigDescription": "Kopier og lim inn disse konfigurasjons-øyeblikkene for å sette opp TCP/UDP ressursen",
+    "resourceConfigDescription": "Kopier og lim inn disse konfigurasjonsbitene for å sette opp TCP/UDP ressursen.",
    "resourceAddEntrypoints": "Traefik: Legg til inngangspunkter",
    "resourceExposePorts": "Gerbil: Eksponer Porter i Docker Compose",
    "resourceLearnRaw": "Lær hvordan å konfigurere TCP/UDP-ressurser",
    "resourceBack": "Tilbake til ressurser",
    "resourceGoTo": "Gå til ressurs",
+    "resourcePolicyDelete": "Slett Ressurspolitikk",
+    "resourcePolicyDeleteConfirm": "Bekreft sletting av ressurspolitikk",
    "resourceDelete": "Slett ressurs",
    "resourceDeleteConfirm": "Bekreft sletting av ressurs",
+    "labelDelete": "Slett etikett",
+    "labelAdd": "Legg til etikett",
+    "labelCreateSuccessMessage": "Etikett opprettet vellykket",
+    "labelDuplicateError": "Dupliser etikett",
+    "labelDuplicateErrorDescription": "En etikett med dette navnet finnes allerede.",
+    "labelEditSuccessMessage": "Etikett endret vellykket",
+    "labelNameField": "Etikettnavn",
+    "labelColorField": "Etikettfarge",
+    "labelPlaceholder": "Eksempel: homelab",
+    "labelCreate": "Opprett etikett",
+    "createLabelDialogTitle": "Opprett etikett",
+    "createLabelDialogDescription": "Opprett en ny etikett som kan knyttes til denne organisasjonen",
+    "labelEdit": "Rediger etikett",
+    "editLabelDialogTitle": "Oppdater etikett",
+    "editLabelDialogDescription": "Rediger en ny etikett som kan knyttes til denne organisasjonen",
+    "labelDeleteConfirm": "Bekreft sletting av etikett",
+    "labelErrorDelete": "Kunne ikke slette etikett",
+    "labelMessageRemove": "Denne handlingen er permanent. Alle steder, ressurser, og klienter tagget med denne etiketten vil bli umerket.",
+    "labelQuestionRemove": "Er du sikker på at du vil fjerne etiketten fra organisasjonen?",
    "visibility": "Synlighet",
    "enabled": "Aktivert",
    "disabled": "Deaktivert",
@@ -261,6 +320,8 @@
    "rules": "Regler",
    "resourceSettingDescription": "Konfigurere innstillingene på ressursen",
    "resourceSetting": "{resourceName} Innstillinger",
+    "resourcePolicySettingDescription": "Konfigurer innstillingene for denne offentlige ressursretningslinjen",
+    "resourcePolicySetting": "{policyName} Innstillinger",
    "alwaysAllow": "Omgå Auth",
    "alwaysDeny": "Blokker tilgang",
    "passToAuth": "Pass til Autentisering",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Når denne brukeren er fjernet, vil de ikke lenger ha tilgang til organisasjonen. Du kan alltid invitere dem på nytt senere, men de vil måtte godta invitasjonen på nytt.",
    "userRemoveOrgConfirm": "Bekreft fjerning av bruker",
    "userRemoveOrg": "Fjern bruker fra organisasjon",
+    "userQuestionOrgRemoveSelf": "Er du sikker på at du vil fjerne deg selv fra denne organisasjonen?",
+    "userMessageOrgRemoveSelf": "Du vil miste tilgang umiddelbart. En administrator kan invitere deg igjen senere, men du må godta en ny invitasjon.",
+    "userRemoveOrgConfirmSelf": "Bekreft fjerning av meg selv",
+    "userRemoveOrgSelf": "Fjern deg selv fra organisasjonen",
+    "userRemoveOrgSelfWarning": "Du vil miste tilgangen til denne organisasjonen umiddelbart.",
+    "userRemoveOrgConfirmPhraseSelf": "FJERN MEG SELV FRA ORG",
    "users": "Brukere",
    "accessRoleMember": "Medlem",
    "accessRoleOwner": "Eier",
@@ -531,6 +598,11 @@
    "emailInvalid": "Ugyldig e-postadresse",
    "inviteValidityDuration": "Vennligst velg en varighet",
    "accessRoleSelectPlease": "Vennligst velg en rolle",
+    "removeOwnAdminRoleConfirmTitle": "Fjern din administratoradgang?",
+    "removeOwnAdminRoleConfirmDescription": "Du vil ikke lenger ha administratorrettigheter i denne organisasjonen etter lagring. En annen administrator kan gjenopprette tilgang hvis nødvendig.",
+    "removeOwnAdminRoleConfirmButton": "Fjern min administratoradgang",
+    "removeOwnAdminRoleConfirmPhrase": "FJERN MIN ADMINISTRATORADGANG",
+    "ownerMustRetainAdminRole": "Organisasjonseier må beholde minst én administratorrolle.",
    "usernameRequired": "Brukernavn er påkrevd",
    "idpSelectPlease": "Vennligst velg en identitetsleverandør",
    "idpGenericOidc": "Generisk OAuth2/OIDC-leverandør.",
@@ -615,7 +687,7 @@
    "createdAt": "Opprettet",
    "proxyErrorInvalidHeader": "Ugyldig verdi for egendefinert vertsoverskrift. Bruk domenenavnformat, eller lagre tomt for å fjerne den egendefinerte vertsoverskriften.",
    "proxyErrorTls": "Ugyldig TLS-servernavn. Bruk domenenavnformat, eller la stå tomt for å fjerne TLS-servernavnet.",
-    "proxyEnableSSL": "Aktiver SSL",
+    "proxyEnableSSL": "Aktiver TLS",
    "proxyEnableSSLDescription": "Aktivere SSL/TLS-kryptering for sikker HTTPS tilkobling til målene.",
    "target": "Target",
    "configureTarget": "Konfigurer mål",
@@ -656,8 +728,9 @@
    "targetSubmit": "Legg til mål",
    "targetNoOne": "Denne ressursen har ikke noen mål. Legg til et mål for å konfigurere hvor du vil sende forespørsler til backend.",
    "targetNoOneDescription": "Å legge til mer enn ett mål ovenfor vil aktivere lastbalansering.",
-    "targetsSubmit": "Lagre mål",
+    "targetsSubmit": "Lagre innstillinger",
    "addTarget": "Legg til mål",
+    "proxyMultiSiteRoundRobinNodeHelp": "Rundkjøringrutefordeling vil ikke fungere mellom steder som ikke er koblet til samme node, men failover vil fungere.",
    "targetErrorInvalidIp": "Ugyldig IP-adresse",
    "targetErrorInvalidIpDescription": "Skriv inn en gyldig IP-adresse eller vertsnavn",
    "targetErrorInvalidPort": "Ugyldig port",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Duplisert regel",
    "rulesErrorDuplicateDescription": "En regel med disse innstillingene finnes allerede",
    "rulesErrorInvalidIpAddressRange": "Ugyldig CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Vennligst skriv inn en gyldig CIDR-verdi",
-    "rulesErrorInvalidUrl": "Ugyldig URL-sti",
-    "rulesErrorInvalidUrlDescription": "Skriv inn en gyldig verdi for URL-sti",
-    "rulesErrorInvalidIpAddress": "Ugyldig IP",
-    "rulesErrorInvalidIpAddressDescription": "Skriv inn en gyldig IP-adresse",
+    "rulesErrorInvalidIpAddressRangeDescription": "Skriv inn et gyldig CIDR-område (f.eks. 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Ugyldig sti",
+    "rulesErrorInvalidUrlDescription": "Skriv inn en gyldig URL-sti eller et mønster (f.eks., /api/*).",
+    "rulesErrorInvalidIpAddress": "Ugyldig IP-adresse",
+    "rulesErrorInvalidIpAddressDescription": "Skriv inn en gyldig IPv4 eller IPv6 adresse.",
    "rulesErrorUpdate": "Kunne ikke oppdatere regler",
    "rulesErrorUpdateDescription": "Det oppsto en feil under oppdatering av regler",
    "rulesUpdated": "Aktiver Regler",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "Angi en IP-adresse (f.eks. 103.21.244.12)",
    "rulesMatchUrl": "Skriv inn en URL-sti eller et mønster (f.eks. /api/v1/todos eller /api/v1/*)",
    "rulesErrorInvalidPriority": "Ugyldig prioritet",
-    "rulesErrorInvalidPriorityDescription": "Vennligst skriv inn en gyldig prioritet",
-    "rulesErrorDuplicatePriority": "Dupliserte prioriteringer",
-    "rulesErrorDuplicatePriorityDescription": "Vennligst angi unike prioriteringer",
+    "rulesErrorInvalidPriorityDescription": "Skriv inn et heltall på 1 eller høyere.",
+    "rulesErrorDuplicatePriority": "Dupliserte prioriteter",
+    "rulesErrorDuplicatePriorityDescription": "Hver regel må ha et unikt prioritetstall.",
+    "rulesErrorValidation": "Ugyldige regler",
+    "rulesErrorValidationRuleDescription": "Regel {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Velg en gyldig samsvarstype (sti, IP, CIDR, land, region eller ASN).",
+    "rulesErrorValueRequired": "Skriv inn en verdi for denne regelen.",
+    "rulesErrorInvalidCountry": "Ugyldig land",
+    "rulesErrorInvalidCountryDescription": "Velg et gyldig land.",
+    "rulesErrorInvalidAsn": "Ugyldig ASN",
+    "rulesErrorInvalidAsnDescription": "Skriv inn en gyldig ASN (f.eks., AS15169).",
    "ruleUpdated": "Regler oppdatert",
    "ruleUpdatedDescription": "Reglene er oppdatert",
    "ruleErrorUpdate": "Operasjon mislyktes",
    "ruleErrorUpdateDescription": "En feil oppsto under lagringsoperasjonen",
    "rulesPriority": "Prioritet",
+    "rulesReorderDragHandle": "Dra for å omorganisere regelprioriteringen",
    "rulesAction": "Handling",
    "rulesMatchType": "Trefftype",
    "value": "Verdi",
@@ -728,9 +810,60 @@
    "rulesResource": "Konfigurasjon av ressursregler",
    "rulesResourceDescription": "Konfigurer regler for å kontrollere tilgang til ressursen",
    "ruleSubmit": "Legg til regel",
-    "rulesNoOne": "Ingen regler. Legg til en regel ved å bruke skjemaet.",
+    "rulesNoOne": "Ingen regler ennå.",
    "rulesOrder": "Regler evalueres etter prioritet i stigende rekkefølge.",
    "rulesSubmit": "Lagre regler",
+    "policyErrorCreate": "Feil ved opprettelse av policy",
+    "policyErrorCreateDescription": "Det oppstod en feil under opprettelse av policyen",
+    "policyErrorCreateMessageDescription": "En uventet feil oppstod",
+    "policyErrorUpdate": "Feil ved oppdatering av policy",
+    "policyErrorUpdateDescription": "Det oppstod en feil ved oppdatering av policyen",
+    "policyErrorUpdateMessageDescription": "En uventet feil oppstod",
+    "policyCreatedSuccess": "Ressurspolitikken ble opprettet vellykket",
+    "policyUpdatedSuccess": "Ressurspolitikken ble oppdatert vellykket",
+    "authMethodsSave": "Lagre innstillinger",
+    "policyAuthStackTitle": "Autentisering",
+    "policyAuthStackDescription": "Kontroller hvilke autentiseringsmetoder som kreves for å få tilgang til denne ressursen",
+    "policyAuthOrLogicTitle": "Flere autentiseringsmetoder aktive",
+    "policyAuthOrLogicBanner": "Besøkende kan autentisere ved bruk av en hvilken som helst av de aktive metodene nedenfor. De trenger ikke å fullføre alle.",
+    "policyAuthMethodActive": "Aktiv",
+    "policyAuthMethodOff": "Av",
+    "policyAuthSsoTitle": "Plattform SSO",
+    "policyAuthSsoDescription": "Krev pålogging gjennom din organisasjons identitetsleverandør",
+    "policyAuthSsoSummary": "{idp} · {users} brukere, {roles} roller",
+    "policyAuthSsoDefaultIdp": "Standardleverandør",
+    "policyAuthAddDefaultIdentityProvider": "Legg til standard identitetsleverandør",
+    "policyAuthOtherMethodsTitle": "Andre metoder",
+    "policyAuthOtherMethodsDescription": "Valgfrie metoder som besøkende kan bruke i stedet for eller i tillegg til plattform SSO",
+    "policyAuthPasscodeTitle": "Kodeord",
+    "policyAuthPasscodeDescription": "Krev en delt alfanumerisk kodeord for å få tilgang til ressursen",
+    "policyAuthPasscodeSummary": "Kodeord satt",
+    "policyAuthPincodeTitle": "PIN-kode",
+    "policyAuthPincodeDescription": "En kort numerisk kode kreves for å få tilgang til ressursen",
+    "policyAuthPincodeSummary": "6-sifret PIN satt",
+    "policyAuthEmailTitle": "E-post hviteliste",
+    "policyAuthEmailDescription": "Tillat oppførte e-postadresser med engangspassord",
+    "policyAuthEmailSummary": "{count} adresser tillatt",
+    "policyAuthEmailOtpCallout": "Aktivering av e-post hviteliste sender en engangskode til den besøkendes e-post ved innlogging.",
+    "policyAuthHeaderAuthTitle": "Grunnleggende Header Autentisering",
+    "policyAuthHeaderAuthDescription": "Bekreft et tilpasset HTTP-headernavn og verdi ved hver forespørsel",
+    "policyAuthHeaderAuthSummary": "Header konfigurert",
+    "policyAuthHeaderName": "Headernavn",
+    "policyAuthHeaderValue": "Forventet verdi",
+    "policyAuthSetPasscode": "Angi passordkode",
+    "policyAuthSetPincode": "Sett PIN-kode",
+    "policyAuthSetEmailWhitelist": "Angi e-post hviteliste",
+    "policyAuthSetHeaderAuth": "Sett grunnleggende Header Autentisering",
+    "policyAccessRulesTitle": "Tilgangsregler",
+    "policyAccessRulesEnableDescription": "Når aktivert, blir regler evaluert i synkende rekkefølge til en evaluerer til sann.",
+    "policyAccessRulesFirstMatch": "Regler evalueres ovenfra og ned. Den første samsvarande regeln bestemmer utfall.",
+    "policyAccessRulesHowItWorks": "Regler samsvarer forespørsler etter sti, IP-adresse, lokasjon eller andre kriterier. Hver regel anvender en handling: omgå autentisering, blokkere tilgang, eller sende til autentisering. Hvis ingen regler samsvarer, fortsetter trafikken til autentisering.",
+    "policyAccessRulesFallthroughOff": "Når regler er deaktivert, går all trafikk gjennom til autentisering.",
+    "policyAccessRulesFallthroughOn": "Når ingen regler samsvarer, fortsetter trafikken til autentisering.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Lagre Regler",
    "resourceErrorCreate": "Feil under oppretting av ressurs",
    "resourceErrorCreateDescription": "Det oppstod en feil under oppretting av ressursen",
    "resourceErrorCreateMessage": "Feil ved oppretting av ressurs:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "En feil oppstod under oppdatering av ressursen",
    "access": "Tilgang",
    "accessControl": "Tilgangskontroll",
-    "shareLink": "{resource} Del Lenke",
+    "shareLink": "{resource} Delbar lenke",
    "resourceSelect": "Velg ressurs",
-    "shareLinks": "Del lenker",
+    "shareLinks": "Delbare lenker",
    "share": "Delbare lenker",
    "shareDescription2": "Opprett delbare lenker til ressurser. Lenker gir midlertidig eller ubegrenset tilgang til din ressurs. Du kan konfigurere utløpsvarigheten på lenken når du oppretter en.",
    "shareEasyCreate": "Enkelt å lage og dele",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Legg til PIN-kode",
    "pincodeRemove": "Fjern PIN-kode",
    "resourceAuthMethods": "Autentiseringsmetoder",
+    "resourcePolicyAuthMethodsEmpty": "Ingen autentiseringsmetode",
+    "resourcePolicyOtpEmpty": "Ingen engangspassord",
+    "resourcePolicyReadOnly": "Denne policyen er kun lesbar",
+    "resourcePolicyReadOnlyDescription": "Denne ressursreglen deles på tvers av flere ressurser, du kan ikke redigere den på denne siden.",
+    "editSharedPolicy": "Rediger Delte Rekvireringer",
+    "resourcePolicyTypeSave": "Lagre Ressurstype",
+    "resourcePolicySelect": "Velg ressurspolitikk",
+    "resourcePolicySelectError": "Velg en ressursregel",
+    "resourcePolicyNotFound": "Policy ikke funnet",
+    "resourcePolicySearch": "Søk etter regler",
+    "resourcePolicyRulesEmpty": "Ingen autentiseringsregler",
    "resourceAuthMethodsDescriptions": "Tillat tilgang til ressursen via ytterligere autentiseringsmetoder",
    "resourceAuthSettingsSave": "Lagret vellykket",
    "resourceAuthSettingsSaveDescription": "Autentiseringsinnstillinger er lagret",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Angi PIN-kode",
    "resourcePincodeSetupTitleDescription": "Sett en pinkode for å beskytte denne ressursen",
    "resourceRoleDescription": "Administratorer har alltid tilgang til denne ressursen.",
+    "resourcePolicySelectTitle": "Ressurstilgangspolitikk",
+    "resourcePolicySelectDescription": "Velg policytype for autentisering",
+    "resourcePolicyTypeLabel": "Policy-type",
+    "resourcePolicyLabel": "Ressurspolicy",
+    "resourcePolicyInline": "Inline Ressursregler",
+    "resourcePolicyInlineDescription": "Tilgangspolitikk som kun er gyldig for denne ressursen",
+    "resourcePolicyShared": "Delte Ressursregler",
+    "resourcePolicySharedDescription": "Denne ressursen bruker en delt policy.",
+    "sharedPolicy": "Delt policy",
+    "sharedPolicyNoneDescription": "Denne ressursen har sin egen policy.",
+    "resourceSharedPolicyOwnDescription": "Denne ressursen har sine egne autentiserings- og tilgangskontroller.",
+    "resourceSharedPolicyInheritedDescription": "Denne ressursen arver fra <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Denne ressursen bruker en delt policy. Noen autentiseringsinnstillinger kan redigeres på denne ressursen for å legge til policyen. For å endre den underliggende policyen, må du redigere til <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Denne ressursen bruker en delt policy. Noen tilgangsregler kan redigeres på denne ressursen. For å endre den underliggende policyen, må du redigere <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Tilgangskontroller",
    "resourceUsersRolesDescription": "Konfigurer hvilke brukere og roller som har tilgang til denne ressursen",
    "resourceUsersRolesSubmit": "Lagre tilgangskontroller",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Synlighet",
    "resourceVisibilityTitleDescription": "Fullstendig aktiver eller deaktiver ressursynlighet",
    "resourceGeneral": "Generelle innstillinger",
-    "resourceGeneralDescription": "Konfigurer de generelle innstillingene for denne ressursen",
+    "resourceGeneralDescription": "Konfigurer navn, adresse og tilgangspolicy for denne ressursen.",
+    "resourceGeneralDetailsSubsection": "Ressursdetaljer",
+    "resourceGeneralDetailsSubsectionDescription": "Angi visningsnavn, identifikator og offentlig tilgjengelig domene for denne ressursen.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Angi visningsnavn, identifikator og offentlig port for denne ressursen.",
+    "resourceGeneralPublicAddressSubsection": "Offentlig adresse",
+    "resourceGeneralPublicAddressSubsectionDescription": "Konfigurer hvordan brukere får tilgang til denne ressursen.",
+    "resourceGeneralAuthenticationAccessSubsection": "Autentisering og tilgang",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Velg om denne ressursen bruker sin egen policy eller arver fra en delt policy.",
    "resourceEnable": "Aktiver ressurs",
    "resourceTransfer": "Overfør Ressurs",
    "resourceTransferDescription": "Overfør denne ressursen til et annet område",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Det oppstod et problem med å koble til {name}. Vennligst kontakt din administrator.",
    "idpErrorNotFound": "IdP ikke funnet",
    "inviteInvalid": "Ugyldig invitasjon",
+    "labels": "Etiketter",
+    "orgLabelsDescription": "Administrer etiketter i denne organisasjonen.",
+    "addLabels": "Legg til etiketter",
+    "siteLabelsTab": "Etiketter",
+    "siteLabelsDescription": "Administrer etiketter knyttet til dette nettstedet.",
+    "labelsNotFound": "Ingen etiketter funnet.",
+    "labelsEmptyCreateHint": "Start å skrive ovenfor for å lage en etikett.",
+    "labelSearch": "Søk etter etiketter",
+    "labelSearchOrCreate": "Søk eller opprett en etikett",
+    "accessLabelFilterCount": "{count, plural, one {en etikett} other {# etiketter}}",
+    "labelOverflowCount": "+{count, plural, one {en etikett} other {# etiketter}}",
+    "accessLabelFilterClear": "Fjern etikettfiltre",
+    "accessFilterClear": "Fjern filtre",
+    "selectColor": "Velg farge",
+    "createNewLabel": "Opprett ny org-etikett \"{label}\"",
    "inviteInvalidDescription": "Invitasjonslenken er ugyldig.",
    "inviteErrorWrongUser": "Invitasjonen er ikke for denne brukeren",
    "inviteErrorUserNotExists": "Brukeren eksisterer ikke. Vennligst opprett en konto først.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Ressurser",
    "sidebarProxyResources": "Offentlig",
    "sidebarClientResources": "Privat",
+    "sidebarPolicies": "Delte policies",
+    "sidebarResourcePolicies": "Offentlige ressurser",
    "sidebarAccessControl": "Tilgangskontroll",
    "sidebarLogsAndAnalytics": "Logger og analyser",
    "sidebarTeam": "Lag",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Administrator",
    "sidebarInvitations": "Invitasjoner",
    "sidebarRoles": "Roller",
-    "sidebarShareableLinks": "Lenker",
+    "sidebarShareableLinks": "Delbare lenker",
    "sidebarApiKeys": "API-nøkler",
    "sidebarProvisioning": "Levering",
    "sidebarSettings": "Innstillinger",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Område {id}",
    "standaloneHcFilterResourceIdFallback": "Ressurs {id}",
    "blueprints": "Tegninger",
-    "blueprintsDescription": "Bruk deklarative konfigurasjoner og vis tidligere kjøringer",
+    "blueprintsLog": "Blåkopieringslogg",
+    "blueprintsDescription": "Se tidligere blueprint-applikasjoner og deres resultater, eller bruk et nytt blueprint",
    "blueprintAdd": "Legg til blåkopi",
    "blueprintGoBack": "Se alle blåkopier",
    "blueprintCreate": "Opprette mal",
@@ -1559,7 +1742,17 @@
    "contents": "Innhold",
    "parsedContents": "Parastinnhold (kun lese)",
    "enableDockerSocket": "Aktiver Docker blåkopi",
-    "enableDockerSocketDescription": "Aktiver skraping av Docker Socket for blueprint Etiketter. Socket bane må brukes for nye.",
+    "enableDockerSocketDescription": "Aktiver Docker Socket etikett skrubbing for blueprint etiketter. Socket bane må oppgis til nettstedkobleren. Les om hvordan dette fungerer i <docsLink>dokumentasjonen</docsLink>.",
+    "newtAutoUpdate": "Aktiver Automatisk Oppdatering av Nettsted",
+    "newtAutoUpdateDescription": "Når aktivert, vil nettstedskoblinger automatisk laste ned den nyeste versjonen og starte seg selv på nytt. Dette kan overstyres på basis per nettsted.",
+    "siteAutoUpdate": "Automatisk Oppdatering av Nettsted",
+    "siteAutoUpdateLabel": "Aktiver Automatisk Oppdatering",
+    "siteAutoUpdateDescription": "Når aktivert, vil denne nettstedets kobling automatisk laste ned den nyeste versjonen og starte seg selv på nytt.",
+    "siteAutoUpdateOrgDefault": "Organisasjon standard: {state}",
+    "siteAutoUpdateOverriding": "Overstyrer organisasjonens innstilling",
+    "siteAutoUpdateResetToOrg": "Tilbakestill til Organisasjonsstandard",
+    "siteAutoUpdateEnabled": "aktivert",
+    "siteAutoUpdateDisabled": "deaktivert",
    "viewDockerContainers": "Vis Docker-containere",
    "containersIn": "Containere i {siteName}",
    "selectContainerDescription": "Velg en hvilken som helst container for å bruke som vertsnavn for dette målet. Klikk på en port for å bruke en port.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Sertifikat",
    "certificateStatusAutoRefreshHint": "Status oppdateres automatisk.",
    "loading": "Laster inn",
+    "loadingEllipsis": "Laster inn...",
    "loadingAnalytics": "Laster inn analyser",
    "restart": "Start på nytt",
    "domains": "Domener",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Kontooppsett fullført! Velkommen til Pangolin!",
    "documentation": "Dokumentasjon",
    "saveAllSettings": "Lagre alle innstillinger",
-    "saveResourceTargets": "Lagre mål",
-    "saveResourceHttp": "Lagre proxy-innstillinger",
-    "saveProxyProtocol": "Lagre proxy-protokollinnstillinger",
+    "saveResourceTargets": "Lagre innstillinger",
+    "saveResourceHttp": "Lagre innstillinger",
+    "saveProxyProtocol": "Lagre innstillinger",
    "settingsUpdated": "Innstillinger oppdatert",
    "settingsUpdatedDescription": "Innstillinger oppdatert vellykket",
    "settingsErrorUpdate": "Klarte ikke å oppdatere innstillinger",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Administrer abonnementet for betalte lisensnøkler selv hostet",
    "billingCurrentKeys": "Nåværende nøkler",
    "billingModifyCurrentPlan": "Endre gjeldende plan",
+    "billingManageLicenseSubscriptionDescription": "Administrer ditt abonnement for betalte egenvertslisensnøkler og last ned fakturaer.",
    "billingConfirmUpgrade": "Bekreft oppgradering",
    "billingConfirmDowngrade": "Bekreft nedgradering",
    "billingConfirmUpgradeDescription": "Du er i ferd med å oppgradere abonnementet ditt. Gå gjennom de nye grensene og pris nedenfor.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Ukjent",
    "healthCheck": "Helsekontroll",
    "configureHealthCheck": "Konfigurer Helsekontroll",
-    "configureHealthCheckDescription": "Sett opp helsekontroll for {target}",
+    "configureHealthCheckDescription": "Sett opp overvåking av ressursen din for å sikre at den alltid er tilgjengelig",
    "enableHealthChecks": "Aktiver Helsekontroller",
    "healthCheckDisabledStateDescription": "Når deaktivert, vil ikke nettstedet utføre helsekontroller, og tilstanden vil anses som ukjent.",
    "enableHealthChecksDescription": "Overvåk helsen til dette målet. Du kan overvåke et annet endepunkt enn målet hvis nødvendig.",
    "healthScheme": "Metode",
    "healthSelectScheme": "Velg metode",
-    "healthCheckPortInvalid": "Helsekontrollporten må være mellom 1 og 65535",
+    "healthCheckPortInvalid": "Porten må være mellom 1 og 65535",
    "healthCheckPath": "Sti",
    "healthHostname": "IP / Vert",
    "healthPort": "Port",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Tid er i sekunder",
    "requireDeviceApproval": "Krev enhetsgodkjenning",
    "requireDeviceApprovalDescription": "Brukere med denne rollen trenger nye enheter godkjent av en admin før de kan koble seg og få tilgang til ressurser.",
-    "sshAccess": "SSH tilgang",
+    "sshSettings": "SSH Innstillinger",
+    "sshAccess": "SSH-tilgang",
+    "rdpSettings": "RDP Innstillinger",
+    "vncSettings": "VNC Innstillinger",
+    "sshServer": "SSH-server",
+    "rdpServer": "RDP-server",
+    "vncServer": "VNC-server",
+    "sshServerDescription": "Sett opp autentiseringsmetoden, daemonplasseringen, og serverens destinasjon",
+    "rdpServerDescription": "Konfigurer destinasjonen og porten til RDP-serveren",
+    "vncServerDescription": "Konfigurer destinasjonen og porten til VNC-serveren",
+    "sshServerMode": "Modus",
+    "sshServerModeStandard": "Standard SSH-server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Ruter kommandoer over nettverk til en SSH-server som OpenSSH.",
+    "sshServerModeNative": "Innfødt SSH Server",
+    "sshServerModeNativeDescription": "Utfører kommandoer direkte på verten via Nettsted-kobleren. Ingen nettverkskonfigurasjon kreves.",
+    "sshAuthenticationMethod": "Autentiseringsmetode",
+    "sshAuthMethodManual": "Manuell Autentisering",
+    "sshAuthMethodManualDescription": "Krever eksisterende vertlegitimasjon. Omgår automatisk klargjøring.",
+    "sshAuthMethodAutomated": "Automatisk Klargjøring",
+    "sshAuthMethodAutomatedDescription": "Oppretter automatisk brukere, grupper og sudo-tillatelser på verten.",
+    "sshAuthDaemonLocation": "Autentisering Daemon-plassering",
+    "sshDaemonLocationSiteDescription": "Utføres lokalt på maskinen som er vert for nettstedkobleren.",
+    "sshDaemonLocationRemote": "På Ekstern Vert",
+    "sshDaemonLocationRemoteDescription": "Utføres på en separat målenhet på samme nettverk.",
+    "sshDaemonDisclaimer": "Sørg for at målenheten din er riktig konfigurert for å kjøre autentiseringsdaemon før du fullfører denne oppsettet, eller klargjøring vil mislykkes.",
+    "sshDaemonPort": "Daemon-port",
+    "sshServerDestination": "Serverens Destinasjon",
+    "sshServerDestinationDescription": "Konfigurer destinasjonen for SSH-serveren",
+    "destination": "Destinasjon",
+    "destinationRequired": "Destinasjon er påkrevd.",
+    "domainRequired": "Domene er påkrevd.",
+    "proxyPortRequired": "Port er påkrevd.",
+    "invalidPathConfiguration": "Ugyldig sti-konfigurasjon.",
+    "invalidRewritePathConfiguration": "Ugyldig omskrivingssti-konfigurasjon.",
+    "bgTargetMultiSiteDisclaimer": "Ved å velge flere nettsteder aktiveres robust ruting og feilaktig avbrudd for høy tilgjengelighet.",
    "roleAllowSsh": "Tillat SSH",
    "roleAllowSshAllow": "Tillat",
    "roleAllowSshDisallow": "Forby",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Brukeren kan bare kjøre de angitte kommandoene med sudo.",
    "sshSudo": "Tillat sudo",
    "sshSudoCommands": "Sudo kommandoer",
-    "sshSudoCommandsDescription": "Kommaseparert liste med kommandoer brukeren kan kjøre med sudo.",
+    "sshSudoCommandsDescription": "Liste over kommandoer brukeren har lov til å kjøre med sudo, separert med komma, mellomrom eller nye linjer. Absolutte stier må brukes.",
    "sshCreateHomeDir": "Opprett hjemmappe",
    "sshUnixGroups": "Unix grupper",
-    "sshUnixGroupsDescription": "Kommaseparerte Unix grupper for å legge brukeren til på mål-verten.",
+    "sshUnixGroupsDescription": "Unix-grupper å legge til brukeren i på målverten, separert med komma, mellomrom eller nye linjer.",
+    "roleTextFieldPlaceholder": "Skriv inn verdier, eller slipp en .txt eller .csv fil",
+    "roleTextImportTitle": "Importer fra fil",
+    "roleTextImportDescription": "Importerer {fileName} til {fieldLabel}.",
+    "roleTextImportSkipHeader": "Hopp over første rad (header)",
+    "roleTextImportOverride": "Erstatte eksisterende",
+    "roleTextImportAppend": "Legg til eksisterende",
+    "roleTextImportMode": "Importmodus",
+    "roleTextImportPreview": "Forhåndsvisning",
+    "roleTextImportItemCount": "{count, plural, =0 {Ingen elementer å importere} one {ett element å importere} other {# elementer å importere}}",
+    "roleTextImportTotalCount": "{existing} eksisterende + {imported} importert = {total} totalt",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Ustøttet filtype",
+    "roleTextImportInvalidFileDescription": "Bare .txt og .csv filer er støttet.",
+    "roleTextImportEmpty": "Ingen elementer funnet i filen",
+    "roleTextImportEmptyDescription": "Filen inneholder ingen importerbare elementer.",
    "retryAttempts": "Forsøk på nytt",
    "expectedResponseCodes": "Forventede svarkoder",
    "expectedResponseCodesDescription": "HTTP-statuskode som indikerer sunn status. Hvis den blir stående tom, regnes 200-300 som sunn.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Skjema",
-    "editInternalResourceDialogEnableSsl": "Aktiver SSL",
+    "editInternalResourceDialogEnableSsl": "Aktiver TLS",
    "editInternalResourceDialogEnableSslDescription": "Aktiver SSL/TLS-kryptering for sikre HTTPS-tilkoblinger til destinasjonen.",
    "editInternalResourceDialogDestination": "Destinasjon",
    "editInternalResourceDialogDestinationHostDescription": "IP-adressen eller vertsnavnet til ressursen på nettstedets nettverk.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Skjema",
    "createInternalResourceDialogScheme": "Skjema",
-    "createInternalResourceDialogEnableSsl": "Aktiver SSL",
+    "createInternalResourceDialogEnableSsl": "Aktiver TLS",
    "createInternalResourceDialogEnableSslDescription": "Aktiver SSL/TLS-kryptering for sikre HTTPS-tilkoblinger til destinasjonen.",
    "createInternalResourceDialogDestination": "Destinasjon",
    "createInternalResourceDialogDestinationHostDescription": "IP-adressen eller vertsnavnet til ressursen på nettstedets nettverk.",
@@ -2217,7 +2464,7 @@
        "description": "Sikre og lavvedlikeholdsservere, selvbetjente Pangolin med ekstra klokker, og understell",
        "introTitle": "Administrert Self-Hosted Pangolin",
        "introDescription": "er et alternativ for bruk utviklet for personer som ønsker enkel og ekstra pålitelighet mens de fortsatt holder sine data privat og selvdrevne.",
-        "introDetail": "Med dette valget kjører du fortsatt din egen Pangolin-node - tunneler, SSL-terminering og trafikken ligger på serveren din. Forskjellen er at behandling og overvåking håndteres gjennom vårt skydashbord, som låser opp en rekke fordeler:",
+        "introDetail": "Med dette valget kjører du fortsatt din egen Pangolin-node - tunneler, TLS-terminering, og trafikken ligger på serveren din. Forskjellen er at behandling og overvåking håndteres gjennom vårt sky-dashbord, som låser opp en rekke fordeler:",
        "benefitSimplerOperations": {
            "title": "Enklere operasjoner",
            "description": "Ingen grunn til å kjøre din egen e-postserver eller sette opp kompleks varsling. Du vil få helsesjekk og nedetid varsler ut av boksen."
@@ -2652,6 +2899,8 @@
    "validPassword": "Gyldig passord",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Vis",
+    "configManaged": "Konfigurasjon administrert",
    "connectedClient": "Tilkoblet klient",
    "resourceBlocked": "Ressurs blokkert",
    "droppedByRule": "Legg i regelen",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Aktiver Proxy-protokoll",
    "proxyProtocolInfo": "Bevar klientens IP-adresser for TCP backends",
    "proxyProtocolVersion": "Proxy protokoll versjon",
-    "version1": " Versjon 1 (Anbefalt)",
+    "version1": "Versjon 1 (Anbefalt)",
    "version2": "Versjon 2",
-    "versionDescription": "Versjon 1 er tekstbasert og støttet. Versjon 2 er binært og mer effektivt, men mindre kompatibel.",
+    "version1Description": "Tekstbasert og bredt støttet. Sørg for at servertransport er lagt til dynamisk konfigurasjon.",
+    "version2Description": "Binært og mer effektivt, men mindre kompatibel. Sørg for at servertransport er lagt til dynamisk konfigurasjon.",
    "warning": "Advarsel",
    "proxyProtocolWarning": "backend-programmet må konfigureres til å akseptere forbindelser i Proxy Protokoll. Hvis backend ikke støtter Proxy Beskyttelse vil aktivering av dette ødelegge alle tilkoblinger så bare dette hvis du vet hva du gjør. Sørg for å konfigurere backend til å stole på Proxy Protokoll overskrifter fra Traefik.",
    "restarting": "Restarter...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Skriv inn bekreftelse",
    "blueprintViewDetails": "Detaljer",
    "defaultIdentityProvider": "Standard identitetsleverandør",
-    "defaultIdentityProviderDescription": "Når en standard identitetsleverandør er valgt, vil brukeren automatisk bli omdirigert til leverandøren for autentisering.",
+    "defaultIdentityProviderDescription": "Brukeren vil automatisk bli videresendt til denne identitetsleverandøren for autentisering.",
    "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
    "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
    "editInternalResourceDialogAddRoles": "Legg til roller",
@@ -2919,11 +3169,12 @@
    "learnMore": "Lær mer",
    "backToHome": "Gå tilbake til start",
    "needToSignInToOrg": "Trenger du å bruke organisasjonens identitetsleverandør?",
-    "maintenanceMode": "Vedlikeholdsmodus",
+    "maintenanceMode": "Vedlikeholdsside",
    "maintenanceModeDescription": "Vis en vedlikeholdsside til besøkende",
    "maintenanceModeType": "Vedlikeholdsmodus type",
    "showMaintenancePage": "Vis en vedlikeholdsside til besøkende",
    "enableMaintenanceMode": "Aktiver vedlikeholdsmodus",
+    "enableMaintenanceModeDescription": "Når aktivert, vil besøkende se en vedlikeholdsside i stedet for ressursen din.",
    "automatic": "Automatisk",
    "automaticModeDescription": "Vis vedlikeholdsside kun når alle serverens mål er nede eller usunne. Ressursen din fortsetter å fungere normalt så lenge minst ett mål er sunt.",
    "forced": "Tvunget",
@@ -2931,6 +3182,8 @@
    "warning:": "Advarsel:",
    "forcedeModeWarning": "All trafikk vil bli dirigeres til vedlikeholdssiden. Serverens ressurser vil ikke motta noen forespørsler.",
    "pageTitle": "Sidetittel",
+    "maintenancePageContentSubsection": "Sideinnhold",
+    "maintenancePageContentSubsectionDescription": "Tilpass innholdet som vises på vedlikeholdssiden",
    "pageTitleDescription": "Hovedoverskriften vist på vedlikeholdssiden",
    "maintenancePageMessage": "Vedlikeholdsbeskjed",
    "maintenancePageMessagePlaceholder": "Vi kommer snart tilbake! Vårt nettsted gjennomgår for øyeblikket planlagt vedlikehold.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Estimert ferdigstillelse:",
    "createInternalResourceDialogDestinationRequired": "Destinasjonen er nødvendig",
    "available": "Tilgjengelig",
+    "disabledResourceDescription": "Når deaktivert, vil ressursen være utilgjengelig for alle.",
    "archived": "Arkivert",
    "noArchivedDevices": "Ingen arkiverte enheter funnet",
    "deviceArchived": "Enhet arkivert",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Videresend arrangementer direkte til din Datadog-konto. Kommer snart.",
    "streamingTypePickerDescription": "Velg en måltype for å komme i gang.",
-    "streamingFailedToLoad": "Kan ikke laste inn destinasjoner",
+    "streamingLastSyncError": "Det oppstod en feil under siste synkronisering",
    "streamingUnexpectedError": "En uventet feil oppstod.",
    "streamingFailedToUpdate": "Kunne ikke oppdatere destinasjon",
    "streamingDeletedSuccess": "Målet ble slettet",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Rediger destinasjon",
    "S3DestAddTitle": "Legg til S3 destinasjon",
    "S3DestEditDescription": "Oppdatere konfigurasjonen for denne S3-hendelsesstrømmingsdestinasjonen.",
-    "S3DestAddDescription": "Konfigurer et nytt S3-endepunkt for å motta organisasjonens hendelser.",
+    "S3DestAddDescription": "Konfigurer en ny Amazon S3 (eller S3-kompatibel) bucket for å motta din organisasjons hendelser.",
+    "s3DestTabSettings": "Innstillinger",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Navn",
+    "s3DestNamePlaceholder": "Min S3-destinasjon",
+    "s3DestAccessKeyIdLabel": "AWS tilgangsnøkkel-ID",
+    "s3DestSecretAccessKeyLabel": "AWS hemmelige tilgangsnøkkel",
+    "s3DestSecretAccessKeyPlaceholder": "Din AWS secret access key",
+    "s3DestRegionLabel": "AWS-region",
+    "s3DestBucketLabel": "Bucket-navn",
+    "s3DestPrefixLabel": "Nøkkelprefiks (valgfritt)",
+    "s3DestPrefixDescription": "Valgfritt bane-prefiks lagt til hver objektnøkkel. Objekter er lagret på {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Egendefinert endepunkt (valgfritt)",
+    "s3DestEndpointDescription": "Overstyr S3-endepunktet for S3-kompatibel lagring som MinIO eller Cloudflare R2. La stå tomt for standard AWS S3.",
+    "s3DestGzipLabel": "Gzip-komprimering",
+    "s3DestGzipDescription": "Komprimer hvert opplastede objekt med gzip. Reduserer lagringskostnader og opplastingsstørrelse.",
+    "s3DestFormatTitle": "Filformat",
+    "s3DestFormatDescription": "Hvordan hendelser er serialisert inni hvert opplastede objekt.",
+    "s3DestFormatJsonArrayDescription": "Hvert objekt er et JSON-array av hendelsesposter. Kompatibel med de fleste analyseverktøy.",
+    "s3DestFormatNdjsonDescription": "Hvert objekt inneholder en JSON-post per linje (nylinje-delt JSON). Kompatibel med Athena, BigQuery, og Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Hvert objekt er en RFC-4180 CSV-fil med en overskriftsrad. Kolonnenavn er avledet fra hendelsesdatafeltene.",
+    "s3DestSaveChanges": "Lagre endringer",
+    "s3DestCreateDestination": "Opprett destinasjon",
+    "s3DestUpdatedSuccess": "Destinasjon oppdatert vellykket",
+    "s3DestCreatedSuccess": "Destinasjon opprettet vellykket",
+    "s3DestUpdateFailed": "Kunne ikke oppdatere destinasjon",
+    "s3DestCreateFailed": "Kunne ikke opprette destinasjon",
    "datadogDestEditTitle": "Rediger destinasjon",
    "datadogDestAddTitle": "Legg til Datadog destinasjon",
    "datadogDestEditDescription": "Oppdatere konfigurasjonen for denne Datadog-hendelsesstrømmingsdestinasjonen.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Er du sikker på at du vil frakoble denne identitetsleverandøren fra denne organisasjonen?",
    "idpUnassociateDescription": "Alle brukere knyttet til denne identitetsleverandøren vil bli fjernet fra denne organisasjonen, men identitetsleverandøren vil fortsatt eksistere for andre tilknyttede organisasjoner.",
    "idpUnassociateConfirm": "Bekreft frakobling av identitetsleverandør",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "SLETT OG FJERN MEG FRA ORGANISASJONEN",
+    "idpUnassociateAndRemoveMeFromOrg": "AVKOBLE OG FJERN MEG FRA ORGANISASJONEN",
    "idpUnassociateWarning": "Dette kan ikke angres for denne organisasjonen.",
    "idpUnassociatedDescription": "Identitetsleverandør er vellykket frakoblet fra denne organisasjonen",
    "idpUnassociateMenu": "Frakoble",
@@ -3174,7 +3457,7 @@
    "publicIpEndpoint": "Endepunkt",
    "lastTriggeredAt": "Siste utløste",
    "reject": "Avvis",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "{count} dager siden",
    "uptimeToday": "I dag",
    "uptimeNoDataAvailable": "Ingen data tilgjengelig",
    "uptimeSuffix": "oppetid",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Ressurs deaktivert",
    "memberPortalShowingResources": "Viser {start}-{end} av {total} ressurser",
    "memberPortalPrevious": "Forrige",
-    "memberPortalNext": "Neste"
+    "memberPortalNext": "Neste",
+    "httpSettings": "HTTP Innstillinger",
+    "tcpSettings": "TCP Innstillinger",
+    "udpSettings": "UDP Innstillinger",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Opprette en sikker tilkobling…",
+    "sshConnecting": "Kobler til…",
+    "sshInitializing": "Initialiserer…",
+    "sshSignInTitle": "Logg inn på SSH",
+    "sshSignInDescription": "Skriv inn dine SSH-legitimasjon for å koble til",
+    "sshPasswordTab": "Passord",
+    "sshPrivateKeyTab": "Privat Nøkkel",
+    "sshPrivateKeyField": "Privat Nøkkel",
+    "sshPrivateKeyDisclaimer": "Din private nøkkel er ikke lagret eller synlig for Pangolin. Alternativt kan du bruke kortevaliderte sertifikater for sømløs autentisering ved å bruke din eksisterende Pangolin-identitet.",
+    "sshLearnMore": "Lær mer",
+    "sshPrivateKeyFile": "Privat Nøkkelfil",
+    "sshAuthenticate": "Koble til",
+    "sshTerminate": "Avslutt",
+    "sshPoweredBy": "Drevet av",
+    "sshErrorNoTarget": "Ingen mål spesifisert",
+    "sshErrorWebSocket": "WebSocket-tilkobling mislyktes",
+    "sshErrorAuthFailed": "Autentisering mislyktes",
+    "sshErrorConnectionClosed": "Tilkobling avsluttet før autentisering ble fullført",
+    "sitePangolinSshDescription": "Tillat SSH-tilgang til ressurser på dette nettstedet. Dette kan endres senere.",
+    "browserGatewayNoResourceForDomain": "Ingen ressurser funnet for dette domenet",
+    "browserGatewayNoTarget": "Ingen mål",
+    "browserGatewayConnect": "Koble til",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Kunne ikke signere SSH-nøkkel for PAM-påloggingsautentisering. Logget du inn som bruker?",
+    "sshTerminalError": "Feil: {error}",
+    "sshConnectionClosedCode": "Tilkoblingen ble lukket (kode {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGYNN OPENSSH PRIVAT NØKKEL-----",
+    "sshPrivateKeyRequired": "Privat nøkkel er påkrevd",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Skriv inn VNC-passordet for å koble til",
+    "vncPasswordOptional": "Passord (valgfritt)",
+    "vncNoResourceTarget": "Ingen ressursemål tilgjengelig",
+    "vncFailedToLoadNovnc": "Klarte ikke å laste noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Lim inn utklippstavle",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Logg på Fjernskrivebord",
+    "rdpSignInDescription": "Skriv inn Windows-legitimasjon for å koble til",
+    "rdpLoadingModule": "Laster modul...",
+    "rdpFailedToLoadModule": "Kunne ikke laste RDP-modul",
+    "rdpNotReady": "Ikke klar",
+    "rdpModuleInitializing": "RDP-modulen er fortsatt under initialisering",
+    "rdpDownloadingFiles": "Laster ned {count} fil(er) fra fjern…",
+    "rdpDownloadFailed": "Nedlasting feilet: {fileName}",
+    "rdpUploaded": "Opplastet: {fileName}",
+    "rdpNoConnectionTarget": "Ingen tilkoblingsmål tilgjengelig",
+    "rdpConnectionFailed": "Tilkoblingen feilet",
+    "rdpFit": "Tilpass",
+    "rdpFull": "Full",
+    "rdpReal": "Ekte",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Last opp filer",
+    "rdpFilesReadyToPaste": "Filer klare til å limes inn",
+    "rdpFilesReadyToPasteDescription": "{count} fil(er) kopiert til fjernutklippstavlen — trykk Ctrl+V på fjernskrivebordet for å lime inn.",
+    "rdpUploadFailed": "Opplastningen mislyktes",
+    "rdpUnicodeKeyboardMode": "Unicode tastaturmodus",
+    "sessionToolbarShow": "Vis verktøylinje",
+    "sessionToolbarHide": "Skjul verktøylinje"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Privébronnen bekijken",
    "siteInstallNewt": "Installeer Newt",
    "siteInstallNewtDescription": "Laat Newt draaien op uw systeem",
+    "siteInstallKubernetesDocsDescription": "Voor meer informatie over de installatie van Kubernetes, zie <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Voor instructies voor de installatie van Advantech modems, zie <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Configuratie",
    "WgConfigurationDescription": "Gebruik de volgende configuratie om verbinding te maken met het netwerk",
    "operatingSystem": "Operating systeem",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Je kunt dit slechts één keer zien. Kopieer het naar een beveiligde plek.",
    "siteInfo": "Site informatie",
    "status": "Status",
-    "shareTitle": "Beheer deellinks",
+    "shareTitle": "Beheer Deelbare Links",
    "shareDescription": "Maak deelbare links aan om tijdelijke of permanente toegang tot proxybronnen te verlenen",
-    "shareSearch": "Zoek share links...",
-    "shareCreate": "Maak Share link",
+    "shareSearch": "Zoek deelbare links...",
+    "shareCreate": "Creëer Deelbare Link",
    "shareErrorDelete": "Kan link niet verwijderen",
    "shareErrorDeleteMessage": "Fout opgetreden tijdens het verwijderen link",
    "shareDeleted": "Link verwijderd",
    "shareDeletedDescription": "De link is verwijderd",
+    "shareDelete": "Verwijder Deelbare Link",
+    "shareDeleteConfirm": "Bevestig Verwijdering Deelbare Link",
+    "shareQuestionRemove": "Weet u zeker dat u deze deel link wilt verwijderen?",
+    "shareMessageRemove": "Zodra verwijderd, zal de link niet meer werken en zal iedereen die het gebruikt de toegang tot de bron verliezen.",
    "shareTokenDescription": "De toegangstoken kan op twee manieren worden doorgegeven: als queryparameter of in de aanvraagheaders. Deze moeten worden doorgegeven van de client op elk verzoek voor geverifieerde toegang.",
    "accessToken": "Toegangs-token",
    "usageExamples": "Voorbeelden van gebruik",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Fout opgetreden tijdens het maken van de share link",
    "shareCreateDescription": "Iedereen met deze link heeft toegang tot de pagina",
    "shareTitleOptional": "Titel (optioneel)",
+    "sharePathOptional": "Pad (optioneel)",
+    "sharePathDescription": "De link zal gebruikers naar dit pad doorsturen na authenticatie.",
    "expireIn": "Vervalt in",
    "neverExpire": "Nooit verlopen",
    "shareExpireDescription": "Vervaltijd is hoe lang de link bruikbaar is en geeft toegang tot de bron. Na deze tijd zal de link niet meer werken en zullen gebruikers die deze link hebben gebruikt de toegang tot de pagina verliezen.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Selecteer een bron",
    "proxyResourceTitle": "Openbare bronnen beheren",
    "proxyResourceDescription": "Creëer en beheer bronnen die openbaar toegankelijk zijn via een webbrowser",
-    "proxyResourcesBannerTitle": "Webgebaseerde openbare toegang",
-    "proxyResourcesBannerDescription": "Openbare bronnen zijn HTTPS of TCP/UDP-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot priv<EFBFBD><EFBFBD>bronnen vereisen ze geen client-side software maar kunnen ze identiteits- en context-bewuste toegangsrichtlijnen bevatten.",
+    "publicResourcesBannerTitle": "Web-gebaseerde Openbare Toegang",
+    "publicResourcesBannerDescription": "Openbare bronnen zijn HTTPS-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot privébronnen hoeven ze geen client-software te hebben en kunnen ze identiteit- en context bewuste toegangsmiddelen bevatten.",
    "clientResourceTitle": "Privébronnen beheren",
    "clientResourceDescription": "Creëer en beheer bronnen die alleen toegankelijk zijn via een verbonden client",
    "privateResourcesBannerTitle": "Zero-Trust Private Access",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Zoek bronnen...",
    "resourceAdd": "Bron toevoegen",
    "resourceErrorDelte": "Fout bij verwijderen document",
+    "resourcePoliciesBannerTitle": "Herbruik Authenticatie en Toegangsregels",
+    "resourcePoliciesBannerDescription": "Gedeelde bronbeleidslijnen laten u authenticatiemethoden en toegangsregels eenmaal definiëren, en ze vervolgens koppelen aan meerdere openbare bronnen. Wanneer u een beleid bijwerkt, erft elke gekoppelde bron de wijziging automatisch.",
+    "resourcePoliciesBannerButtonText": "Meer informatie",
+    "resourcePoliciesTitle": "Beheer Openbare Bronnenbeleid",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Bronnen",
+    "resourcePoliciesAttachedResources": "{count} bron(nen)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# bron} other {# bronnen}}",
+    "resourcePoliciesAttachedResourcesEmpty": "geen bronnen",
+    "resourcePoliciesDescription": "Creëer en beheer authenticatiebeleid om toegang tot uw openbare bronnen te controleren",
+    "resourcePoliciesSearch": "Beleidsregels zoeken...",
+    "resourcePoliciesAdd": "Beleid toevoegen",
+    "resourcePoliciesDefaultBadgeText": "Standaard beleidsregel",
+    "resourcePoliciesCreate": "Openbare Bronbeleid maken",
+    "resourcePoliciesCreateDescription": "Volg de onderstaande stappen om een nieuw beleid aan te maken",
+    "resourcePolicyName": "Beleidsregelnaam",
+    "resourcePolicyNameDescription": "Geef deze beleidsregel een naam om deze te identificeren in uw bronnen",
+    "resourcePolicyNamePlaceholder": "bijv. Intern Toegangsbeleid",
+    "resourcePoliciesSeeAll": "Zie Alle Beleid",
+    "resourcePolicyAuthMethodAdd": "Authenticatiemethode toevoegen",
+    "resourcePolicyOtpEmailAdd": "OTP e-mails toevoegen",
+    "resourcePolicyRulesAdd": "Regels toevoegen",
+    "resourcePolicyAuthMethodsDescription": "Sta toegang tot bronnen toe via aanvullende authenticatiemethoden",
+    "resourcePolicyUsersRolesDescription": "Bepaal welke gebruikers en rollen geassocieerde bronnen kunnen bezoeken",
+    "rulesResourcePolicyDescription": "Stel regels in om toegang te regelen tot bronnen die zijn gekoppeld aan dit beleid",
    "authentication": "Authenticatie",
    "protected": "Beschermd",
    "notProtected": "Niet beveiligd",
    "resourceMessageRemove": "Eenmaal verwijderd, zal het bestand niet langer toegankelijk zijn. Alle doelen die gekoppeld zijn aan het hulpbron, zullen ook verwijderd worden.",
    "resourceQuestionRemove": "Weet u zeker dat u het document van de organisatie wilt verwijderen?",
+    "resourcePolicyMessageRemove": "Zodra verwijderd, zal het bronbeleid niet langer toegankelijk zijn. Alle met de bron geassocieerde bronnen worden ontkoppeld en zonder authenticatie achtergelaten.",
+    "resourcePolicyQuestionRemove": "Weet u zeker dat u het bronbeleid uit de organisatie wilt verwijderen?",
    "resourceHTTP": "HTTPS bron",
    "resourceHTTPDescription": "Proxyverzoeken via HTTPS met een volledig gekwalificeerde domeinnaam.",
    "resourceRaw": "TCP/UDP bron",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Proxy verzoeken over rauwe TCP/UDP met behulp van een poortnummer. Vereist sites om verbinding te maken met een remote node.",
    "resourceCreate": "Bron maken",
    "resourceCreateDescription": "Volg de onderstaande stappen om een nieuwe bron te maken",
+    "resourceCreateGeneralDescription": "Configureer de basisinstellingen van de bron, inclusief de naam en het type",
    "resourceSeeAll": "Alle bronnen bekijken",
-    "resourceInfo": "Bron informatie",
+    "resourceCreateGeneral": "Algemeen",
    "resourceNameDescription": "Dit is de weergavenaam voor het document.",
    "siteSelect": "Selecteer site",
    "siteSearch": "Zoek site",
@@ -227,12 +262,15 @@
    "noCountryFound": "Geen land gevonden.",
    "siteSelectionDescription": "Deze site zal connectiviteit met het doelwit bieden.",
    "resourceType": "Type bron",
-    "resourceTypeDescription": "Bepaal hoe u toegang wilt tot de bron",
+    "resourceTypeDescription": "Dit bepaalt het bronprotocol en hoe het in de browser wordt weergegeven. Dit kan later niet gewijzigd worden.",
+    "resourceDomainDescription": "De bron zal worden bediend onder deze volledig gekwalificeerde domeinnaam.",
    "resourceHTTPSSettings": "HTTPS instellingen",
    "resourceHTTPSSettingsDescription": "Stel in hoe de bron wordt benaderd via HTTPS",
+    "resourcePortDescription": "De externe poort op de Pangolin-instantie of -node waar de bron toegankelijk zal zijn.",
    "domainType": "Domein type",
    "subdomain": "Subdomein",
    "baseDomain": "Basis domein",
+    "configure": "Configureren",
    "subdomnainDescription": "Het subdomein waar de bron toegankelijk zal zijn.",
    "resourceRawSettings": "TCP/UDP instellingen",
    "resourceRawSettingsDescription": "Stel in hoe de bron wordt benaderd via TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Achterzijde",
    "cancel": "Annuleren",
    "resourceConfig": "Configuratie tekstbouwstenen",
-    "resourceConfigDescription": "Kopieer en plak deze configuratie-snippets om de TCP/UDP-bron in te stellen",
+    "resourceConfigDescription": "Kopieer en plak deze configuratiesnippets om de TCP/UDP-bron op te zetten.",
    "resourceAddEntrypoints": "Traefik: Entrypoints toevoegen",
    "resourceExposePorts": "Gerbild: Gevangen blootstellen in Docker Compose",
    "resourceLearnRaw": "Leer hoe je TCP/UDP bronnen kunt configureren",
    "resourceBack": "Terug naar bronnen",
    "resourceGoTo": "Ga naar Resource",
+    "resourcePolicyDelete": "Verwijder Bronbeleid",
+    "resourcePolicyDeleteConfirm": "Bevestig Verwijderen Bronbeleid",
    "resourceDelete": "Document verwijderen",
    "resourceDeleteConfirm": "Bevestig Verwijderen Document",
+    "labelDelete": "Label verwijderen",
+    "labelAdd": "Label toevoegen",
+    "labelCreateSuccessMessage": "Label succesvol aangemaakt",
+    "labelDuplicateError": "Dubbel Label",
+    "labelDuplicateErrorDescription": "Een label met deze naam bestaat al.",
+    "labelEditSuccessMessage": "Label succesvol gewijzigd",
+    "labelNameField": "Labelnaam",
+    "labelColorField": "Label kleur",
+    "labelPlaceholder": "Bijv.: homelab",
+    "labelCreate": "Label aanmaken",
+    "createLabelDialogTitle": "Label aanmaken",
+    "createLabelDialogDescription": "Maak een nieuw label aan dat aan deze organisatie kan worden gekoppeld",
+    "labelEdit": "Label bewerken",
+    "editLabelDialogTitle": "Label bijwerken",
+    "editLabelDialogDescription": "Bewerk een nieuw label dat aan deze organisatie kan worden gekoppeld",
+    "labelDeleteConfirm": "Bevestigen Verwijderen Label",
+    "labelErrorDelete": "Kan label niet verwijderen",
+    "labelMessageRemove": "Deze handeling is definitief. Alle sites, bronnen en klanten met dit label zullen worden onttakeld.",
+    "labelQuestionRemove": "Weet u zeker dat u het label uit de organisatie wilt verwijderen?",
    "visibility": "Zichtbaarheid",
    "enabled": "Ingeschakeld",
    "disabled": "Uitgeschakeld",
@@ -261,6 +320,8 @@
    "rules": "Regels",
    "resourceSettingDescription": "Configureer de instellingen in de bron",
    "resourceSetting": "{resourceName} instellingen",
+    "resourcePolicySettingDescription": "Configureer de instellingen van dit openbare bronbeleid",
+    "resourcePolicySetting": "{policyName} instellingen",
    "alwaysAllow": "Authenticatie omzeilen",
    "alwaysDeny": "Blokkeer toegang",
    "passToAuth": "Passeren naar Auth",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Eenmaal verwijderd, heeft deze gebruiker geen toegang meer tot de organisatie. Je kunt ze later altijd opnieuw uitnodigen, maar ze zullen de uitnodiging opnieuw moeten accepteren.",
    "userRemoveOrgConfirm": "Bevestig verwijderen gebruiker",
    "userRemoveOrg": "Gebruiker uit organisatie verwijderen",
+    "userQuestionOrgRemoveSelf": "Weet u zeker dat u zichzelf uit deze organisatie wilt verwijderen?",
+    "userMessageOrgRemoveSelf": "U verliest onmiddellijk toegang. Een beheerder kan u later opnieuw uitnodigen, maar u moet een nieuwe uitnodiging accepteren.",
+    "userRemoveOrgConfirmSelf": "Bevestig Verwijder Mijn Persoon",
+    "userRemoveOrgSelf": "Verwijder uzelf uit de organisatie",
+    "userRemoveOrgSelfWarning": "U verliest onmiddellijk toegang tot deze organisatie.",
+    "userRemoveOrgConfirmPhraseSelf": "VERWIJDER MIJ UIT ORGANISATIE",
    "users": "Gebruikers",
    "accessRoleMember": "Lid",
    "accessRoleOwner": "Eigenaar",
@@ -531,6 +598,11 @@
    "emailInvalid": "Ongeldig e-mailadres",
    "inviteValidityDuration": "Selecteer een tijdsduur",
    "accessRoleSelectPlease": "Selecteer een rol",
+    "removeOwnAdminRoleConfirmTitle": "Uw beheerderstoegang verwijderen?",
+    "removeOwnAdminRoleConfirmDescription": "U zult na het opslaan geen beheerdersrechten meer hebben in deze organisatie. Een andere beheerder kan de toegang indien nodig herstellen.",
+    "removeOwnAdminRoleConfirmButton": "Verwijder Mijn Beheerderstoegang",
+    "removeOwnAdminRoleConfirmPhrase": "VERWIJDER MIJN BEHEERDERSTOEGANG",
+    "ownerMustRetainAdminRole": "De organisatie-eigenaar moet minstens één beheerdersrol behouden.",
    "usernameRequired": "Gebruikersnaam is verplicht",
    "idpSelectPlease": "Selecteer een identiteitsprovider",
    "idpGenericOidc": "Algemene OAuth2/OIDC provider.",
@@ -615,7 +687,7 @@
    "createdAt": "Aangemaakt op",
    "proxyErrorInvalidHeader": "Ongeldige aangepaste Header waarde. Gebruik het domeinnaam formaat, of sla leeg op om de aangepaste Host header ongedaan te maken.",
    "proxyErrorTls": "Ongeldige TLS servernaam. Gebruik de domeinnaam of sla leeg op om de TLS servernaam te verwijderen.",
-    "proxyEnableSSL": "SSL inschakelen",
+    "proxyEnableSSL": "Schakel TLS in",
    "proxyEnableSSLDescription": "SSL/TLS-versleuteling inschakelen voor beveiligde HTTPS-verbindingen naar de doelen.",
    "target": "Target",
    "configureTarget": "Doelstellingen configureren",
@@ -656,8 +728,9 @@
    "targetSubmit": "Doelwit toevoegen",
    "targetNoOne": "Deze bron heeft geen doelwitten. Voeg een doel toe om te configureren waar verzoeken naar de backend verzonden kunnen worden.",
    "targetNoOneDescription": "Het toevoegen van meer dan één doel hierboven zal de load balancering mogelijk maken.",
-    "targetsSubmit": "Doelstellingen opslaan",
+    "targetsSubmit": "Instellingen opslaan",
    "addTarget": "Doelwit toevoegen",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round-robin routering werkt niet tussen locaties die niet met hetzelfde knooppunt zijn verbonden, maar failover werkt wel.",
    "targetErrorInvalidIp": "Ongeldig IP-adres",
    "targetErrorInvalidIpDescription": "Voer een geldig IP-adres of hostnaam in",
    "targetErrorInvalidPort": "Ongeldige poort",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Dupliceer regel",
    "rulesErrorDuplicateDescription": "Een regel met deze instellingen bestaat al",
    "rulesErrorInvalidIpAddressRange": "Ongeldige CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Voer een geldige CIDR waarde in",
-    "rulesErrorInvalidUrl": "Ongeldige URL pad",
-    "rulesErrorInvalidUrlDescription": "Voer een geldige URL padwaarde in",
-    "rulesErrorInvalidIpAddress": "Ongeldig IP",
-    "rulesErrorInvalidIpAddressDescription": "Voer een geldig IP-adres in",
+    "rulesErrorInvalidIpAddressRangeDescription": "Voer een geldig CIDR-bereik in (bijv. 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Ongeldig pad",
+    "rulesErrorInvalidUrlDescription": "Voer een geldig URL-pad of patroon in (bijv. /api/*).",
+    "rulesErrorInvalidIpAddress": "Ongeldig IP-adres",
+    "rulesErrorInvalidIpAddressDescription": "Voer een geldig IPv4- of IPv6-adres in.",
    "rulesErrorUpdate": "Regels bijwerken mislukt",
    "rulesErrorUpdateDescription": "Fout opgetreden tijdens het bijwerken van de regels",
    "rulesUpdated": "Regels inschakelen",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "Voer een IP-adres in (bijv. 103.21.244.12)",
    "rulesMatchUrl": "Voer een URL-pad of patroon in (bijv. /api/v1/todos of /api/v1/*)",
    "rulesErrorInvalidPriority": "Ongeldige prioriteit",
-    "rulesErrorInvalidPriorityDescription": "Voer een geldige prioriteit in",
+    "rulesErrorInvalidPriorityDescription": "Voer een geheel getal van 1 of hoger in.",
    "rulesErrorDuplicatePriority": "Dubbele prioriteiten",
-    "rulesErrorDuplicatePriorityDescription": "Voer unieke prioriteiten in",
+    "rulesErrorDuplicatePriorityDescription": "Elke regel moet een uniek prioriteitsnummer hebben.",
+    "rulesErrorValidation": "Ongeldige regels",
+    "rulesErrorValidationRuleDescription": "Regel {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Selecteer een geldig matchtype (pad, IP, CIDR, land, regio of ASN).",
+    "rulesErrorValueRequired": "Voer een waarde in voor deze regel.",
+    "rulesErrorInvalidCountry": "Ongeldig land",
+    "rulesErrorInvalidCountryDescription": "Selecteer een geldig land.",
+    "rulesErrorInvalidAsn": "Ongeldige ASN",
+    "rulesErrorInvalidAsnDescription": "Voer een geldig ASN in (bijv. AS15169).",
    "ruleUpdated": "Regels bijgewerkt",
    "ruleUpdatedDescription": "Regels met succes bijgewerkt",
    "ruleErrorUpdate": "Bewerking mislukt",
    "ruleErrorUpdateDescription": "Er is een fout opgetreden tijdens het opslaan",
    "rulesPriority": "Prioriteit",
+    "rulesReorderDragHandle": "Sleep om de regelprioriteit te herordenen",
    "rulesAction": "actie",
    "rulesMatchType": "Wedstrijd Type",
    "value": "Waarde",
@@ -728,9 +810,60 @@
    "rulesResource": "Configuratie Resource Regels",
    "rulesResourceDescription": "Regels instellen om toegang tot de bron te beheren",
    "ruleSubmit": "Regel toevoegen",
-    "rulesNoOne": "Geen regels. Voeg een regel toe via het formulier.",
+    "rulesNoOne": "Nog geen regels.",
    "rulesOrder": "Regels worden in oplopende volgorde volgens prioriteit beoordeeld.",
    "rulesSubmit": "Regels opslaan",
+    "policyErrorCreate": "Fout bij het maken van beleid",
+    "policyErrorCreateDescription": "Er is een fout opgetreden bij het maken van het beleid",
+    "policyErrorCreateMessageDescription": "Er is een onverwachte fout opgetreden",
+    "policyErrorUpdate": "Fout bij het bijwerken van beleid",
+    "policyErrorUpdateDescription": "Er is een fout opgetreden bij het bijwerken van het beleid",
+    "policyErrorUpdateMessageDescription": "Er is een onverwachte fout opgetreden",
+    "policyCreatedSuccess": "Bronbeleid met succes aangemaakt",
+    "policyUpdatedSuccess": "Bronbeleid succesvol bijgewerkt",
+    "authMethodsSave": "Instellingen opslaan",
+    "policyAuthStackTitle": "Authenticatie",
+    "policyAuthStackDescription": "Bepaal welke authenticatiemethoden vereist zijn om toegang tot deze bron te krijgen",
+    "policyAuthOrLogicTitle": "Meerdere authenticatiemethoden actief",
+    "policyAuthOrLogicBanner": "Bezoekers kunnen zich aanmelden met een van de hieronder actieve methoden. Ze hoeven ze niet allemaal te voltooien.",
+    "policyAuthMethodActive": "Actief",
+    "policyAuthMethodOff": "Uit",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Vereis inloggen via de identiteit provider van uw organisatie",
+    "policyAuthSsoSummary": "{idp} · {users} gebruikers, {roles} rollen",
+    "policyAuthSsoDefaultIdp": "Standaard provider",
+    "policyAuthAddDefaultIdentityProvider": "Standaard Identiteit Provider Toevoegen",
+    "policyAuthOtherMethodsTitle": "Andere Methoden",
+    "policyAuthOtherMethodsDescription": "Optionele methoden die bezoekers kunnen gebruiken in plaats van of samen met platform SSO",
+    "policyAuthPasscodeTitle": "Toegangscode",
+    "policyAuthPasscodeDescription": "Vereis een alfanumerieke toegangscode om toegang te krijgen tot de bron",
+    "policyAuthPasscodeSummary": "Toegangscode ingesteld",
+    "policyAuthPincodeTitle": "Pincode",
+    "policyAuthPincodeDescription": "Een korte numerieke code vereist om toegang tot de bron te krijgen",
+    "policyAuthPincodeSummary": "6-cijferige Pincode ingesteld",
+    "policyAuthEmailTitle": "E-mail Whitelist",
+    "policyAuthEmailDescription": "Sta vermelde e-mailadressen toe met eenmalige wachtwoorden",
+    "policyAuthEmailSummary": "{count} adressen toegestaan",
+    "policyAuthEmailOtpCallout": "Het inschakelen van e-mailwhitelist stuurt een eenmalig wachtwoord naar de e-mail van de bezoeker bij het inloggen.",
+    "policyAuthHeaderAuthTitle": "Basic Header Authenticatie",
+    "policyAuthHeaderAuthDescription": "Valideer een aangepaste HTTP-headernaam en waarde bij elk verzoek",
+    "policyAuthHeaderAuthSummary": "Header geconfigureerd",
+    "policyAuthHeaderName": "Header naam",
+    "policyAuthHeaderValue": "Verwachte waarde",
+    "policyAuthSetPasscode": "Stel toegangscode in",
+    "policyAuthSetPincode": "Stel Pincode in",
+    "policyAuthSetEmailWhitelist": "Stel E-mail Whitelist in",
+    "policyAuthSetHeaderAuth": "Stel Basis Header Authenticatie in",
+    "policyAccessRulesTitle": "Toegang Regels",
+    "policyAccessRulesEnableDescription": "Wanneer ingeschakeld, worden regels in aflopende volgorde geëvalueerd totdat er één als waar wordt geoordeeld.",
+    "policyAccessRulesFirstMatch": "Regels worden van boven naar beneden geëvalueerd. De eerste overeenkomstige regel bepaalt de uitkomst.",
+    "policyAccessRulesHowItWorks": "Regels komen overeen met verzoeken op basis van pad, IP-adres, locatie of andere criteria. Elke regel past een actie toe: authenticatie omzeilen, toegang blokkeren of authenticatie doorgeven. Als er geen regel overeenkomt, gaat het verkeer door naar authenticatie.",
+    "policyAccessRulesFallthroughOff": "Wanneer regels zijn uitgeschakeld, passeert al het verkeer naar authenticatie.",
+    "policyAccessRulesFallthroughOn": "Wanneer geen regel overeenkomt, passeert het verkeer naar authenticatie.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Regels opslaan",
    "resourceErrorCreate": "Fout bij maken document",
    "resourceErrorCreateDescription": "Er is een fout opgetreden bij het maken van het document",
    "resourceErrorCreateMessage": "Fout bij maken bron:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Er is een fout opgetreden tijdens het bijwerken van het document",
    "access": "Toegangsrechten",
    "accessControl": "Toegangs controle",
-    "shareLink": "{resource} Share link",
+    "shareLink": "{resource} Deelbare Link",
    "resourceSelect": "Selecteer resource",
-    "shareLinks": "Links delen",
+    "shareLinks": "Deelbare Links",
    "share": "Deelbare links",
    "shareDescription2": "Maak deelbare links naar bronnen. Links bieden tijdelijke of onbeperkte toegang tot je bestand. U kunt de vervalduur van de link configureren wanneer u er een aanmaakt.",
    "shareEasyCreate": "Makkelijk te maken en te delen",
@@ -794,6 +927,17 @@
    "pincodeAdd": "PIN-code toevoegen",
    "pincodeRemove": "PIN-code verwijderen",
    "resourceAuthMethods": "Authenticatie methoden",
+    "resourcePolicyAuthMethodsEmpty": "Geen authenticatiemethode",
+    "resourcePolicyOtpEmpty": "Geen eenmalig wachtwoord",
+    "resourcePolicyReadOnly": "Dit beleid is alleen-lezen",
+    "resourcePolicyReadOnlyDescription": "Dit bronbeleid wordt gedeeld over meerdere bronnen, u kunt het niet op deze pagina bewerken.",
+    "editSharedPolicy": "Gedeeld Beleid Bewerken",
+    "resourcePolicyTypeSave": "Bewaar brontype",
+    "resourcePolicySelect": "Selecteer bronbeleid",
+    "resourcePolicySelectError": "Selecteer een bronbeleid",
+    "resourcePolicyNotFound": "Beleid niet gevonden",
+    "resourcePolicySearch": "Beleidsregels zoeken",
+    "resourcePolicyRulesEmpty": "Geen authenticatieregels",
    "resourceAuthMethodsDescriptions": "Sta toegang tot de bron toe via extra autorisatiemethoden",
    "resourceAuthSettingsSave": "Succesvol opgeslagen",
    "resourceAuthSettingsSaveDescription": "Verificatie-instellingen zijn opgeslagen",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Pincode instellen",
    "resourcePincodeSetupTitleDescription": "Stel een pincode in om deze hulpbron te beschermen",
    "resourceRoleDescription": "Beheerders hebben altijd toegang tot deze bron.",
+    "resourcePolicySelectTitle": "Toegangsbeleid voor bronnen",
+    "resourcePolicySelectDescription": "Selecteer het bronbeleidstype voor authenticatie",
+    "resourcePolicyTypeLabel": "Beleidstype",
+    "resourcePolicyLabel": "Bronbeleid",
+    "resourcePolicyInline": "Inline bronbeleid",
+    "resourcePolicyInlineDescription": "Toegangsbeleid alleen gericht op deze bron",
+    "resourcePolicyShared": "Gedeeld bronbeleid",
+    "resourcePolicySharedDescription": "Deze bron gebruikt een gedeeld beleid.",
+    "sharedPolicy": "Gedeeld Beleid",
+    "sharedPolicyNoneDescription": "Deze bron heeft zijn eigen beleid.",
+    "resourceSharedPolicyOwnDescription": "Deze bron heeft zijn eigen authenticatie- en toegangsvanregels.",
+    "resourceSharedPolicyInheritedDescription": "Deze bron erft van <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Deze bron gebruikt een gedeeld beleid. Sommige authenticatie-instellingen kunnen op deze bron worden bewerkt om toe te voegen aan het beleid. Om het onderliggende beleid te wijzigen, moet u het beleid bewerken in <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Deze bron gebruikt een gedeeld beleid. Sommige toegangsregels kunnen op deze bron worden bewerkt. Om het onderliggende beleid te wijzigen, moet u <policyLink>{policyName}</policyLink> bewerken.",
    "resourceUsersRoles": "Toegang Bediening",
    "resourceUsersRolesDescription": "Configureer welke gebruikers en rollen deze pagina kunnen bezoeken",
    "resourceUsersRolesSubmit": "Bewaar Toegangsbesturing",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Zichtbaarheid",
    "resourceVisibilityTitleDescription": "Zichtbaarheid van bestanden volledig in- of uitschakelen",
    "resourceGeneral": "Algemene instellingen",
-    "resourceGeneralDescription": "Configureer de algemene instellingen voor deze bron",
+    "resourceGeneralDescription": "Configureer naam, adres en toegangspolicy voor deze bron.",
+    "resourceGeneralDetailsSubsection": "Bron Details",
+    "resourceGeneralDetailsSubsectionDescription": "Stel de weergavenaam, identificatiecode en publiek toegankelijk domein voor deze bron in.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Stel de weergavenaam, identificatiecode en publieke poort voor deze bron in.",
+    "resourceGeneralPublicAddressSubsection": "Publiek Adres",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configureer hoe gebruikers deze bron bereiken.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authenticatie & Toegang",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Kies of deze bron zijn eigen beleid gebruikt of van een gedeeld beleid erft.",
    "resourceEnable": "Resource inschakelen",
    "resourceTransfer": "Bronnen overdragen",
    "resourceTransferDescription": "Verplaats dit document naar een andere site",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Er was een probleem bij het verbinden met {name}. Neem contact op met uw beheerder.",
    "idpErrorNotFound": "IdP niet gevonden",
    "inviteInvalid": "Ongeldige uitnodiging",
+    "labels": "Labels",
+    "orgLabelsDescription": "Beheer labels in deze organisatie.",
+    "addLabels": "Labels toevoegen",
+    "siteLabelsTab": "Labels",
+    "siteLabelsDescription": "Beheer labels geassocieerd met deze site.",
+    "labelsNotFound": "Geen labels gevonden.",
+    "labelsEmptyCreateHint": "Begin hierboven te typen om een label te maken.",
+    "labelSearch": "Labels zoeken",
+    "labelSearchOrCreate": "Zoek of maak een label",
+    "accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
+    "labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
+    "accessLabelFilterClear": "Labelfilters wissen",
+    "accessFilterClear": "Wissen van filters",
+    "selectColor": "Kleur selecteren",
+    "createNewLabel": "Nieuw org-label \"{label}\" aanmaken",
    "inviteInvalidDescription": "Uitnodigingslink is ongeldig.",
    "inviteErrorWrongUser": "Uitnodiging is niet voor deze gebruiker",
    "inviteErrorUserNotExists": "Gebruiker bestaat niet. Maak eerst een account aan.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Bronnen",
    "sidebarProxyResources": "Openbaar",
    "sidebarClientResources": "Privé",
+    "sidebarPolicies": "Gedeeld Beleid",
+    "sidebarResourcePolicies": "Openbare Bronnen",
    "sidebarAccessControl": "Toegangs controle",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Beheerder",
    "sidebarInvitations": "Uitnodigingen",
    "sidebarRoles": "Rollen",
-    "sidebarShareableLinks": "Koppelingen",
+    "sidebarShareableLinks": "Deelbare Links",
    "sidebarApiKeys": "API sleutels",
    "sidebarProvisioning": "Provisie",
    "sidebarSettings": "Instellingen",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Site {id}",
    "standaloneHcFilterResourceIdFallback": "Bron {id}",
    "blueprints": "Blauwdrukken",
-    "blueprintsDescription": "Gebruik declaratieve configuraties en bekijk vorige uitvoeringen.",
+    "blueprintsLog": "Log Blueprints",
+    "blueprintsDescription": "Bekijk eerdere blauwdruktoepassingen en hun resultaten of pas een nieuwe blauwdruk toe",
    "blueprintAdd": "Blauwdruk toevoegen",
    "blueprintGoBack": "Bekijk alle Blauwdrukken",
    "blueprintCreate": "Creëer blauwdruk",
@@ -1559,7 +1742,17 @@
    "contents": "Inhoud",
    "parsedContents": "Geparseerde inhoud (alleen lezen)",
    "enableDockerSocket": "Schakel Docker Blauwdruk in",
-    "enableDockerSocketDescription": "Schakel Docker Socket label in voor blauwdruk labels. Pad naar Nieuw.",
+    "enableDockerSocketDescription": "Schakel Docker Socket-label in voor blueprint-labels. Socket-pad moet worden opgegeven aan de siteconnector. Lees meer over hoe dit werkt in <docsLink>de documentatie</docsLink>.",
+    "newtAutoUpdate": "Automatische site-update inschakelen",
+    "newtAutoUpdateDescription": "Als ingeschakeld, downloaden de site-connectoren automatisch de laatste versie en starten zichzelf opnieuw. Dit kan per site worden overschreven.",
+    "siteAutoUpdate": "Automatische site-update",
+    "siteAutoUpdateLabel": "Automatische update inschakelen",
+    "siteAutoUpdateDescription": "Als dit is ingeschakeld, downloadt en start deze site-connector automatisch de nieuwste versie opnieuw.",
+    "siteAutoUpdateOrgDefault": "Standaard van organisatie: {state}",
+    "siteAutoUpdateOverriding": "Overschrijving van organisatiestandaardinstelling",
+    "siteAutoUpdateResetToOrg": "Terugzetten naar standaard van organisatie",
+    "siteAutoUpdateEnabled": "ingeschakeld",
+    "siteAutoUpdateDisabled": "uitgeschakeld",
    "viewDockerContainers": "Bekijk Docker containers",
    "containersIn": "Containers in {siteName}",
    "selectContainerDescription": "Selecteer een container om als hostnaam voor dit doel te gebruiken. Klik op een poort om een poort te gebruiken.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certificaat",
    "certificateStatusAutoRefreshHint": "Status ververst automatisch.",
    "loading": "Bezig met laden",
+    "loadingEllipsis": "Bezig met laden...",
    "loadingAnalytics": "Laden van Analytics",
    "restart": "Herstarten",
    "domains": "Domeinen",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Accountinstelling voltooid! Welkom bij Pangolin!",
    "documentation": "Documentatie",
    "saveAllSettings": "Alle instellingen opslaan",
-    "saveResourceTargets": "Doelstellingen opslaan",
-    "saveResourceHttp": "Proxyinstellingen opslaan",
-    "saveProxyProtocol": "Proxy-protocolinstellingen opslaan",
+    "saveResourceTargets": "Instellingen opslaan",
+    "saveResourceHttp": "Instellingen opslaan",
+    "saveProxyProtocol": "Instellingen opslaan",
    "settingsUpdated": "Instellingen bijgewerkt",
    "settingsUpdatedDescription": "Instellingen succesvol bijgewerkt",
    "settingsErrorUpdate": "Bijwerken van instellingen mislukt",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Beheer je abonnement voor betaalde zelf gehoste licentiesleutels",
    "billingCurrentKeys": "Huidige toetsen",
    "billingModifyCurrentPlan": "Huidig plan wijzigen",
+    "billingManageLicenseSubscriptionDescription": "Beheer uw abonnement voor betaalde zelf-gehoste licentiesleutels en download facturen.",
    "billingConfirmUpgrade": "Bevestig Upgrade",
    "billingConfirmDowngrade": "Downgraden bevestigen",
    "billingConfirmUpgradeDescription": "U staat op het punt uw abonnement te upgraden. Controleer de nieuwe limieten en prijzen hieronder.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Onbekend",
    "healthCheck": "Gezondheidscontrole",
    "configureHealthCheck": "Configureer Gezondheidscontrole",
-    "configureHealthCheckDescription": "Stel gezondheid monitor voor {target} in",
+    "configureHealthCheckDescription": "Stel monitoring in voor uw bron om ervoor te zorgen dat deze altijd beschikbaar is",
    "enableHealthChecks": "Inschakelen Gezondheidscontroles",
    "healthCheckDisabledStateDescription": "Wanneer uitgeschakeld, zal de site geen gezondheidscontroles uitvoeren en wordt de staat als onbekend beschouwd.",
    "enableHealthChecksDescription": "Controleer de gezondheid van dit doel. U kunt een ander eindpunt monitoren dan het doel indien vereist.",
    "healthScheme": "Methode",
    "healthSelectScheme": "Selecteer methode",
-    "healthCheckPortInvalid": "Health check poort moet tussen 1 en 65535 zijn",
+    "healthCheckPortInvalid": "Poort moet tussen 1 en 65535 zijn",
    "healthCheckPath": "Pad",
    "healthHostname": "IP / Hostnaam",
    "healthPort": "Poort",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Tijd is in seconden",
    "requireDeviceApproval": "Vereist goedkeuring van apparaat",
    "requireDeviceApprovalDescription": "Gebruikers met deze rol hebben nieuwe apparaten nodig die door een beheerder zijn goedgekeurd voordat ze verbinding kunnen maken met bronnen en deze kunnen gebruiken.",
-    "sshAccess": "SSH toegang",
+    "sshSettings": "SSH-instellingen",
+    "sshAccess": "SSH Toegang",
+    "rdpSettings": "RDP-instellingen",
+    "vncSettings": "VNC-instellingen",
+    "sshServer": "SSH-server",
+    "rdpServer": "RDP-server",
+    "vncServer": "VNC-server",
+    "sshServerDescription": "Stel de authenticatiemethode, demoonlocatie en serverbestemming in",
+    "rdpServerDescription": "Configureer de bestemming en poort van de RDP-server",
+    "vncServerDescription": "Configureer de bestemming en poort van de VNC-server",
+    "sshServerMode": "Modus",
+    "sshServerModeStandard": "Standaard SSH-server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Opdrachten over netwerk routeren naar een SSH-server zoals OpenSSH.",
+    "sshServerModeNative": "Natuurlijke SSH-server",
+    "sshServerModeNativeDescription": "Voert rechtstreeks opdrachten uit op de host via de Siteconnector. Geen netwerkconfiguratie vereist.",
+    "sshAuthenticationMethod": "Authenticatiemethode",
+    "sshAuthMethodManual": "Handmatige authenticatie",
+    "sshAuthMethodManualDescription": "Vereist bestaande hostreferenties. Omzeilt automatische voorziening.",
+    "sshAuthMethodAutomated": "Automatische voorziening",
+    "sshAuthMethodAutomatedDescription": "Creëert automatisch gebruikers, groepen en sudo-rechten op host.",
+    "sshAuthDaemonLocation": "Auth Daemon Locatie",
+    "sshDaemonLocationSiteDescription": "Wordt lokaal uitgevoerd op de machine die de siteconnector host.",
+    "sshDaemonLocationRemote": "Op Remote Host",
+    "sshDaemonLocationRemoteDescription": "Wordt uitgevoerd op een aparte doelmachine in hetzelfde netwerk.",
+    "sshDaemonDisclaimer": "Zorg ervoor dat uw doelhost goed is geconfigureerd om de auth daemon uit te voeren voordat u deze configuratie voltooit, anders zal de voorziening mislukken.",
+    "sshDaemonPort": "Demonpoort",
+    "sshServerDestination": "Serverbestemming",
+    "sshServerDestinationDescription": "Configureer de bestemming van de SSH-server",
+    "destination": "Bestemming",
+    "destinationRequired": "Bestemming is vereist.",
+    "domainRequired": "Domein is vereist.",
+    "proxyPortRequired": "Poort is vereist.",
+    "invalidPathConfiguration": "Ongeldige padconfiguratie.",
+    "invalidRewritePathConfiguration": "Ongeldige overschrijfpadconfiguratie.",
+    "bgTargetMultiSiteDisclaimer": "Het selecteren van meerdere sites maakt veerkrachtige routering mogelijk en failover voor hoge beschikbaarheid.",
    "roleAllowSsh": "SSH toestaan",
    "roleAllowSshAllow": "Toestaan",
    "roleAllowSshDisallow": "Weigeren",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Gebruiker kan alleen de opgegeven commando's uitvoeren met de sudo.",
    "sshSudo": "sudo toestaan",
    "sshSudoCommands": "Sudo Commando's",
-    "sshSudoCommandsDescription": "Komma's gescheiden lijst van commando's waar de gebruiker een sudo mee mag uitvoeren.",
+    "sshSudoCommandsDescription": "Lijst met commando's die de gebruiker mag uitvoeren met sudo, gescheiden door komma's, spaties of nieuwe regels. Absolute paden moeten worden gebruikt.",
    "sshCreateHomeDir": "Maak Home Directory",
    "sshUnixGroups": "Unix groepen",
-    "sshUnixGroupsDescription": "Door komma's gescheiden Unix-groepen om de gebruiker toe te voegen aan de doelhost.",
+    "sshUnixGroupsDescription": "Unix-groepen om de gebruiker aan toe te voegen op de doelhost, gescheiden door komma's, spaties of nieuwe regels.",
+    "roleTextFieldPlaceholder": "Voer waarden in, of sleep een .txt of .csv-bestand",
+    "roleTextImportTitle": "Importeer vanuit Bestand",
+    "roleTextImportDescription": "{fileName} importeren naar {fieldLabel}.",
+    "roleTextImportSkipHeader": "Sla de eerste rij over (header)",
+    "roleTextImportOverride": "Vervang Bestaande",
+    "roleTextImportAppend": "Voeg toe aan Bestaande",
+    "roleTextImportMode": "Importeer modus",
+    "roleTextImportPreview": "Voorbeeld",
+    "roleTextImportItemCount": "{count, plural, =0 {Geen items om te importeren} one {1 item om te importeren} other {# items om te importeren}}",
+    "roleTextImportTotalCount": "{existing} bestaande + {imported} geïmporteerd = {total} totaal",
+    "roleTextImportConfirm": "Importeren",
+    "roleTextImportInvalidFile": "Niet-ondersteund bestandstype",
+    "roleTextImportInvalidFileDescription": "Alleen .txt en .csv-bestanden worden ondersteund.",
+    "roleTextImportEmpty": "Geen items gevonden in bestand",
+    "roleTextImportEmptyDescription": "Het bestand bevat geen importeerbare items.",
    "retryAttempts": "Herhaal Pogingen",
    "expectedResponseCodes": "Verwachte Reactiecodes",
    "expectedResponseCodesDescription": "HTTP-statuscode die gezonde status aangeeft. Indien leeg wordt 200-300 als gezond beschouwd.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schema",
-    "editInternalResourceDialogEnableSsl": "SSL inschakelen",
+    "editInternalResourceDialogEnableSsl": "Schakel TLS in",
    "editInternalResourceDialogEnableSslDescription": "Schakel SSL/TLS-encryptie in voor beveiligde HTTPS-verbindingen met de bestemming.",
    "editInternalResourceDialogDestination": "Bestemming",
    "editInternalResourceDialogDestinationHostDescription": "Het IP-adres of de hostnaam van de bron op het netwerk van de site.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schema",
    "createInternalResourceDialogScheme": "Schema",
-    "createInternalResourceDialogEnableSsl": "SSL inschakelen",
+    "createInternalResourceDialogEnableSsl": "Schakel TLS in",
    "createInternalResourceDialogEnableSslDescription": "Schakel SSL/TLS-encryptie in voor beveiligde HTTPS-verbindingen met de bestemming.",
    "createInternalResourceDialogDestination": "Bestemming",
    "createInternalResourceDialogDestinationHostDescription": "Het IP-adres of de hostnaam van de bron op het netwerk van de site.",
@@ -2217,7 +2464,7 @@
        "description": "betrouwbaardere en slecht onderhouden Pangolin server met extra klokken en klokkenluiders",
        "introTitle": "Beheerde zelfgehoste pangolin",
        "introDescription": "is een implementatieoptie ontworpen voor mensen die eenvoud en extra betrouwbaarheid willen, terwijl hun gegevens privé en zelf georganiseerd blijven.",
-        "introDetail": "Met deze optie beheert u nog steeds uw eigen Pangolin node - uw tunnels, SSL-verbinding en verkeer alles op uw server. Het verschil is dat beheer en monitoring worden behandeld via onze cloud dashboard, wat een aantal voordelen oplevert:",
+        "introDetail": "Met deze optie beheert u nog steeds uw eigen Pangolin-node - uw tunnels, TLS-terminatie en verkeer blijven allemaal op uw server. Het verschil is dat beheer en monitoring worden afgehandeld via ons cloud-dashboard, wat een aantal voordelen oplevert:",
        "benefitSimplerOperations": {
            "title": "Simpler operaties",
            "description": "Je hoeft geen eigen mailserver te draaien of complexe waarschuwingen in te stellen. Je krijgt gezondheidscontroles en downtime meldingen uit de box."
@@ -2652,6 +2899,8 @@
    "validPassword": "Geldig wachtwoord",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Bekijk",
+    "configManaged": "Configuratie Beheerd",
    "connectedClient": "Verbonden Client",
    "resourceBlocked": "Bron geblokkeerd",
    "droppedByRule": "Achtergelaten door regel",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Proxy Protocol inschakelen",
    "proxyProtocolInfo": "Behoud IP adressen van de client voor TCP backends",
    "proxyProtocolVersion": "Proxy Protocol Versie",
-    "version1": " Versie 1 (Aanbevolen)",
+    "version1": "Versie 1 (Aanbevolen)",
    "version2": "Versie 2",
-    "versionDescription": "Versie 1 is text-based en breed ondersteund. Versie 2 is binair en efficiënter maar minder compatibel.",
+    "version1Description": "Tekstgebaseerd en breed ondersteund. Zorg ervoor dat servertransport aan dynamische configuratie is toegevoegd.",
+    "version2Description": "Binair en efficiënter maar minder compatibel. Zorg ervoor dat servertransport aan dynamische configuratie is toegevoegd.",
    "warning": "Waarschuwing",
    "proxyProtocolWarning": "De backend applicatie moet worden geconfigureerd om Proxy Protocol verbindingen te accepteren. Als je backend geen Proxy Protocol ondersteunt, zal het inschakelen van dit alle verbindingen verbreken, dus schakel dit alleen in als je weet wat je doet. Zorg ervoor dat je je backend configureert om Proxy Protocol headers van Traefik.",
    "restarting": "Herstarten...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Bevestiging invoeren",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Standaard Identiteitsprovider",
-    "defaultIdentityProviderDescription": "Wanneer een standaard identity provider is geselecteerd, zal de gebruiker automatisch worden doorgestuurd naar de provider voor authenticatie.",
+    "defaultIdentityProviderDescription": "De gebruiker wordt automatisch doorgestuurd naar deze identity provider voor authenticatie.",
    "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
    "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
    "editInternalResourceDialogAddRoles": "Rollen toevoegen",
@@ -2919,11 +3169,12 @@
    "learnMore": "Meer informatie",
    "backToHome": "Ga terug naar startpagina",
    "needToSignInToOrg": "Moet u de identiteit provider van uw organisatie gebruiken?",
-    "maintenanceMode": "Onderhoudsmodus",
+    "maintenanceMode": "Onderhoudspagina",
    "maintenanceModeDescription": "Toon een onderhoudspagina aan bezoekers",
    "maintenanceModeType": "Type onderhoudsmodus",
    "showMaintenancePage": "Toon een onderhoudspagina aan bezoekers",
    "enableMaintenanceMode": "Onderhoudsmodus inschakelen",
+    "enableMaintenanceModeDescription": "Wanneer ingeschakeld zien bezoekers een onderhoudspagina in plaats van uw bron.",
    "automatic": "Automatisch",
    "automaticModeDescription": " Toon onderhoudspagina alleen wanneer alle back-enddoelen niet beschikbaar zijn of ongezond zijn. Jouw bron blijft normaal functioneren zolang er tenminste één doel gezond is.",
    "forced": "Geforceerd",
@@ -2931,6 +3182,8 @@
    "warning:": "Waarschuwing:",
    "forcedeModeWarning": "Al het verkeer wordt naar de onderhoudspagina geleid. Jouw back-endbronnen ontvangen geen verzoeken.",
    "pageTitle": "Paginatitel",
+    "maintenancePageContentSubsection": "Pagina-inhoud",
+    "maintenancePageContentSubsectionDescription": "Pas de inhoud aan die op de onderhoudspagina wordt weergegeven",
    "pageTitleDescription": "De hoofdkop die op de onderhoudspagina wordt weergegeven",
    "maintenancePageMessage": "Onderhoudsbericht",
    "maintenancePageMessagePlaceholder": "We keren snel terug! Onze site ondergaat momenteel gepland onderhoud.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Geschatte voltooiing:",
    "createInternalResourceDialogDestinationRequired": "Bestemming is vereist",
    "available": "Beschikbaar",
+    "disabledResourceDescription": "Wanneer uitgeschakeld, zal de bron voor iedereen ontoegankelijk zijn.",
    "archived": "Gearchiveerd",
    "noArchivedDevices": "Geen gearchiveerde apparaten gevonden",
    "deviceArchived": "Apparaat gearchiveerd",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Stuur gebeurtenissen rechtstreeks door naar je Datadog account. Binnenkort beschikbaar.",
    "streamingTypePickerDescription": "Kies een bestemmingstype om te beginnen.",
-    "streamingFailedToLoad": "Laden van bestemmingen mislukt",
+    "streamingLastSyncError": "Er is een fout opgetreden bij de laatste synchronisatie",
    "streamingUnexpectedError": "Er is een onverwachte fout opgetreden.",
    "streamingFailedToUpdate": "Bijwerken bestemming mislukt",
    "streamingDeletedSuccess": "Bestemming succesvol verwijderd",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Bestemming bewerken",
    "S3DestAddTitle": "S3-bestemming toevoegen",
    "S3DestEditDescription": "Werk de configuratie bij voor deze S3-gebeurtenisstreamingbestemming.",
-    "S3DestAddDescription": "Configureer een nieuw S3-eindpunt om de gebeurtenissen van uw organisatie te ontvangen.",
+    "S3DestAddDescription": "Configureer een nieuwe Amazon S3 (of S3-compatibele) bucket om de gebeurtenissen van uw organisatie te ontvangen.",
+    "s3DestTabSettings": "Instellingen",
+    "s3DestTabFormat": "Formaat",
+    "s3DestNameLabel": "Naam",
+    "s3DestNamePlaceholder": "Mijn S3-bestemming",
+    "s3DestAccessKeyIdLabel": "AWS-toegangssleutel-ID",
+    "s3DestSecretAccessKeyLabel": "AWS Geheime Toegangssleutel",
+    "s3DestSecretAccessKeyPlaceholder": "Uw AWS geheime toegangssleutel",
+    "s3DestRegionLabel": "AWS-regio",
+    "s3DestBucketLabel": "Bucketnaam",
+    "s3DestPrefixLabel": "Sleutelvoorvoegsel (optioneel)",
+    "s3DestPrefixDescription": "Optioneel padvoorvoegsel dat aan elke object sleutel wordt toegevoegd. Objecten worden opgeslagen op {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Aangepast Eindpunt (optioneel)",
+    "s3DestEndpointDescription": "Overschrijf het S3-eindpunt voor S3-compatibele opslag zoals MinIO of Cloudflare R2. Laat leeg voor standaard AWS S3.",
+    "s3DestGzipLabel": "Gzip-compressie",
+    "s3DestGzipDescription": "Comprimeer elk geüpload object met gzip. Verlaagt opslagkosten en uploadgrootte.",
+    "s3DestFormatTitle": "Bestandsformaat",
+    "s3DestFormatDescription": "Hoe gebeurtenissen binnen elk geüpload object worden geserialiseerd.",
+    "s3DestFormatJsonArrayDescription": "Elk object is een JSON-array van gebeurtenisrecords. Compatibel met de meeste analysetools.",
+    "s3DestFormatNdjsonDescription": "Elk object bevat één JSON-record per regel (nieuwregel-gescheiden JSON). Compatibel met Athena, BigQuery en Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Elk object is een RFC-4180 CSV-bestand met een kopregel. Kolomnamen zijn afgeleid van de gebeurtenis gegevensvelden.",
+    "s3DestSaveChanges": "Wijzigingen opslaan",
+    "s3DestCreateDestination": "Bestemming maken",
+    "s3DestUpdatedSuccess": "Bestemming succesvol bijgewerkt",
+    "s3DestCreatedSuccess": "Bestemming succesvol gecreëerd",
+    "s3DestUpdateFailed": "Bijwerken bestemming mislukt",
+    "s3DestCreateFailed": "Aanmaken bestemming mislukt",
    "datadogDestEditTitle": "Bestemming bewerken",
    "datadogDestAddTitle": "Datadog-bestemming toevoegen",
    "datadogDestEditDescription": "Werk de configuratie bij voor deze Datadog-gebeurtenisstreamingbestemming.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Weet u zeker dat u deze identiteitsprovider van deze organisatie wilt loskoppelen?",
    "idpUnassociateDescription": "Alle gebruikers die aan deze identiteitsprovider zijn gekoppeld, worden uit deze organisatie verwijderd, maar de identiteitsprovider blijft bestaan voor andere gerelateerde organisaties.",
    "idpUnassociateConfirm": "Bevestig ontkoppelen identiteitsprovider",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "VERWIJDER EN VERWIJDER ME VAN ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "ONTKOPPEL EN VERWIJDER ME VAN ORG",
    "idpUnassociateWarning": "Dit kan niet ongedaan worden gemaakt voor deze organisatie.",
    "idpUnassociatedDescription": "Identiteitsprovider succesvol losgekoppeld van deze organisatie",
    "idpUnassociateMenu": "Ontkoppelen",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Bron Uitgeschakeld",
    "memberPortalShowingResources": "Toont {start}-{end} van {total} bronnen",
    "memberPortalPrevious": "Vorige",
-    "memberPortalNext": "Volgende"
+    "memberPortalNext": "Volgende",
+    "httpSettings": "HTTP-instellingen",
+    "tcpSettings": "TCP-instellingen",
+    "udpSettings": "UDP-instellingen",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Veilige verbinding tot stand brengen…",
+    "sshConnecting": "Verbinding maken…",
+    "sshInitializing": "Initialiseren…",
+    "sshSignInTitle": "Meld u aan bij SSH",
+    "sshSignInDescription": "Voer uw SSH-gegevens in om verbinding te maken",
+    "sshPasswordTab": "Wachtwoord",
+    "sshPrivateKeyTab": "Privésleutel",
+    "sshPrivateKeyField": "Privésleutel",
+    "sshPrivateKeyDisclaimer": "Uw privésleutel wordt niet opgeslagen of zichtbaar gemaakt voor Pangolin. U kunt ook gebruik maken van kortlopende certificaten voor naadloze authenticatie met uw bestaande Pangolin-identiteit.",
+    "sshLearnMore": "Meer informatie",
+    "sshPrivateKeyFile": "Bestand met privésleutel",
+    "sshAuthenticate": "Verbinden",
+    "sshTerminate": "Beëindigen",
+    "sshPoweredBy": "Aangeboden door",
+    "sshErrorNoTarget": "Geen doelwit gespecificeerd",
+    "sshErrorWebSocket": "WebSocket-verbinding is mislukt",
+    "sshErrorAuthFailed": "Authenticatie mislukt",
+    "sshErrorConnectionClosed": "Verbinding gesloten voordat authenticatie was voltooid",
+    "sitePangolinSshDescription": "Sta SSH-toegang toe tot bronnen op deze site. Dit kan later worden gewijzigd.",
+    "browserGatewayNoResourceForDomain": "Geen bron gevonden voor dit domein",
+    "browserGatewayNoTarget": "Geen doelwit",
+    "browserGatewayConnect": "Verbinden",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Kan SSH-sleutel voor PAM push-authenticatie niet ondertekenen. Heeft u als gebruiker aangemeld?",
+    "sshTerminalError": "Fout: {error}",
+    "sshConnectionClosedCode": "Verbinding gesloten (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Privésleutel is vereist",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Voer uw VNC-wachtwoord in om verbinding te maken",
+    "vncPasswordOptional": "Wachtwoord (optioneel)",
+    "vncNoResourceTarget": "Geen bron doelwit beschikbaar",
+    "vncFailedToLoadNovnc": "Laden van noVNC mislukt",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Klembord plakken",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Meld u aan bij Remote Desktop",
+    "rdpSignInDescription": "Voer Windows-gegevens in om verbinding te maken",
+    "rdpLoadingModule": "Module laden...",
+    "rdpFailedToLoadModule": "Laden van RDP-module mislukt",
+    "rdpNotReady": "Niet gereed",
+    "rdpModuleInitializing": "RDP-module is nog aan het initialiseren",
+    "rdpDownloadingFiles": "{count} bestand(en) worden van een externe locatie gedownload…",
+    "rdpDownloadFailed": "Download mislukt: {fileName}",
+    "rdpUploaded": "Geüpload: {fileName}",
+    "rdpNoConnectionTarget": "Geen verbinding doelwit beschikbaar",
+    "rdpConnectionFailed": "Verbinding mislukt",
+    "rdpFit": "Schalen",
+    "rdpFull": "Volledig",
+    "rdpReal": "Reëel",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Bestanden uploaden",
+    "rdpFilesReadyToPaste": "Bestanden klaar om te plakken",
+    "rdpFilesReadyToPasteDescription": "{count} bestand(en) gekopieerd naar klembord op afstand — druk op Ctrl+V op het externe bureaublad om te plakken.",
+    "rdpUploadFailed": "Upload mislukt",
+    "rdpUnicodeKeyboardMode": "Unicode toetsenbordmodus",
+    "sessionToolbarShow": "Toon werkbalk",
+    "sessionToolbarHide": "Verberg werkbalk"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Zobacz zasoby prywatne",
    "siteInstallNewt": "Zainstaluj Newt",
    "siteInstallNewtDescription": "Uruchom Newt w swoim systemie",
+    "siteInstallKubernetesDocsDescription": "Aby uzyskać więcej aktualnych informacji o instalacji Kubernetes, zobacz <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Aby uzyskać instrukcje dotyczące instalacji modemu Advantech, zobacz: <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Konfiguracja WireGuard",
    "WgConfigurationDescription": "Użyj następującej konfiguracji, aby połączyć się z siecią",
    "operatingSystem": "System operacyjny",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Możesz to zobaczyć tylko raz. Upewnij się, że skopiuj je do bezpiecznego miejsca.",
    "siteInfo": "Informacje o witrynie",
    "status": "Status",
-    "shareTitle": "Zarządzaj linkami udostępniania",
+    "shareTitle": "Zarządzaj linkami do udostępnienia",
    "shareDescription": "Utwórz linki do współdzielenia, aby przyznać tymczasowy lub stały dostęp do zasobów proxy",
-    "shareSearch": "Szukaj linków udostępnienia...",
-    "shareCreate": "Utwórz link udostępniania",
+    "shareSearch": "Wyszukaj linki do udostępnienia...",
+    "shareCreate": "Utwórz link do udostępnienia",
    "shareErrorDelete": "Nie udało się usunąć linku",
    "shareErrorDeleteMessage": "Wystąpił błąd podczas usuwania linku",
    "shareDeleted": "Link usunięty",
    "shareDeletedDescription": "Link został usunięty",
+    "shareDelete": "Usuń link do udostępnienia",
+    "shareDeleteConfirm": "Potwierdź usunięcie linku do udostępnienia",
+    "shareQuestionRemove": "Czy na pewno chcesz usunąć ten link udostępniania?",
+    "shareMessageRemove": "Po usunięciu, link przestanie działać i wszyscy korzystający z niego stracą dostęp do zasobu.",
    "shareTokenDescription": "Token dostępu może być przekazywany na dwa sposoby: jako parametr zapytania lub w nagłówkach żądania. Muszą być przekazywane z klienta na każde żądanie uwierzytelnionego dostępu.",
    "accessToken": "Token dostępu",
    "usageExamples": "Przykłady użycia",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Wystąpił błąd podczas tworzenia linku udostępniania",
    "shareCreateDescription": "Każdy z tym linkiem może uzyskać dostęp do zasobu",
    "shareTitleOptional": "Tytuł (opcjonalnie)",
+    "sharePathOptional": "Ścieżka (opcjonalnie)",
+    "sharePathDescription": "Link przekieruje użytkowników do tej ścieżki po uwierzytelnieniu.",
    "expireIn": "Wygasa za",
    "neverExpire": "Nigdy nie wygasa",
    "shareExpireDescription": "Czas wygaśnięcia to jak długo link będzie mógł być użyty i zapewni dostęp do zasobu. Po tym czasie link nie będzie już działał, a użytkownicy, którzy użyli tego linku, utracą dostęp do zasobu.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Wybierz zasób",
    "proxyResourceTitle": "Zarządzaj zasobami publicznymi",
    "proxyResourceDescription": "Twórz i zarządzaj zasobami, które są publicznie dostępne w przeglądarce internetowej",
-    "proxyResourcesBannerTitle": "Publiczny dostęp za pośrednictwem sieci Web",
-    "proxyResourcesBannerDescription": "Zasoby publiczne to proxy HTTPS lub TCP/UDP dostępne dla każdego w internecie za pośrednictwem przeglądarki internetowej. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
+    "publicResourcesBannerTitle": "Publiczny dostęp przez przeglądarkę internetową",
+    "publicResourcesBannerDescription": "Zasoby publiczne to serwery proxy HTTPS, dostępne dla każdego w Internecie za pośrednictwem przeglądarki. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
    "clientResourceTitle": "Zarządzaj zasobami prywatnymi",
    "clientResourceDescription": "Twórz i zarządzaj zasobami, które są dostępne tylko za pośrednictwem połączonego klienta",
    "privateResourcesBannerTitle": "Zero zaufania do prywatnego dostępu",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Szukaj zasobów...",
    "resourceAdd": "Dodaj zasób",
    "resourceErrorDelte": "Błąd podczas usuwania zasobu",
+    "resourcePoliciesBannerTitle": "Ponownie użyj Uwierzytelniania i Zasad Dostępu",
+    "resourcePoliciesBannerDescription": "Polityki zasobów współdzielonych pozwalają zdefiniować metody uwierzytelniania oraz zasady dostępu jednokrotnie, a następnie przypiąć je do wielu zasobów publicznych. Po zaktualizowaniu polityki każda powiązana zasób automatycznie dziedziczy zmianę.",
+    "resourcePoliciesBannerButtonText": "Dowiedz się więcej",
+    "resourcePoliciesTitle": "Zarządzaj publicznymi zasadami zasobów",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Zasoby",
+    "resourcePoliciesAttachedResources": "{count} zasób(y)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# zasób} few {# zasoby} many {# zasobów} other {# zasobów}}",
+    "resourcePoliciesAttachedResourcesEmpty": "brak zasobów",
+    "resourcePoliciesDescription": "Twórz i zarządzaj politykami uwierzytelniania, aby kontrolować dostęp do swoich zasobów publicznych",
+    "resourcePoliciesSearch": "Szukaj polityk...",
+    "resourcePoliciesAdd": "Dodaj politykę",
+    "resourcePoliciesDefaultBadgeText": "Domyślna polityka",
+    "resourcePoliciesCreate": "Utwórz publiczną politykę zasobów",
+    "resourcePoliciesCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nową politykę",
+    "resourcePolicyName": "Nazwa polityki",
+    "resourcePolicyNameDescription": "Nadaj tej polityce nazwę, aby można ją było zidentyfikować w całych zasobach",
+    "resourcePolicyNamePlaceholder": "np. Polityka Dostępu Wewnętrznego",
+    "resourcePoliciesSeeAll": "Zobacz wszystkie polityki",
+    "resourcePolicyAuthMethodAdd": "Dodaj metodę uwierzytelniania",
+    "resourcePolicyOtpEmailAdd": "Dodaj OTP e-maile",
+    "resourcePolicyRulesAdd": "Dodaj zasady",
+    "resourcePolicyAuthMethodsDescription": "Zezwól na dostęp do zasobu poprzez dodatkowe metody uwierzytelniania",
+    "resourcePolicyUsersRolesDescription": "Skonfiguruj, którzy użytkownicy i role mogą odwiedzać powiązane zasoby",
+    "rulesResourcePolicyDescription": "Skonfiguruj zasady, aby kontrolować zasoby dostępne w ramach tej polityki",
    "authentication": "Uwierzytelnianie",
    "protected": "Chronione",
    "notProtected": "Niechronione",
    "resourceMessageRemove": "Po usunięciu zasób nie będzie już dostępny. Wszystkie cele związane z zasobem zostaną również usunięte.",
    "resourceQuestionRemove": "Czy na pewno chcesz usunąć zasób z organizacji?",
+    "resourcePolicyMessageRemove": "Po usunięciu polityka zasobów nie będzie już dostępna. Wszystkie zasoby połączone z zasobem zostaną odłączone i pozostawione bez uwierzytelniania.",
+    "resourcePolicyQuestionRemove": "Czy na pewno chcesz usunąć politykę zasobu z organizacji?",
    "resourceHTTP": "Zasób HTTPS",
    "resourceHTTPDescription": "Proxy zapytań przez HTTPS przy użyciu w pełni kwalifikowanej nazwy domeny.",
    "resourceRaw": "Surowy zasób TCP/UDP",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Żądania proxy nad surowym TCP/UDP przy użyciu numeru portu. Wymaga stron aby połączyć się ze zdalnym węzłem.",
    "resourceCreate": "Utwórz zasób",
    "resourceCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nowy zasób",
+    "resourceCreateGeneralDescription": "Skonfiguruj podstawowe ustawienia zasobu, w tym nazwę i typ",
    "resourceSeeAll": "Zobacz wszystkie zasoby",
-    "resourceInfo": "Informacje o zasobach",
+    "resourceCreateGeneral": "Ogólny",
    "resourceNameDescription": "To jest wyświetlana nazwa zasobu.",
    "siteSelect": "Wybierz witrynę",
    "siteSearch": "Szukaj witryny",
@@ -227,12 +262,15 @@
    "noCountryFound": "Nie znaleziono kraju.",
    "siteSelectionDescription": "Ta strona zapewni połączenie z celem.",
    "resourceType": "Typ zasobu",
-    "resourceTypeDescription": "Określ jak uzyskać dostęp do zasobu",
+    "resourceTypeDescription": "To kontroluje protokół zasobu i sposób jego renderowania w przeglądarce. Później nie można tego zmienić.",
+    "resourceDomainDescription": "Zasób będzie udostępniany pod tym w pełni kwalifikowanym adresem domenowym.",
    "resourceHTTPSSettings": "Ustawienia HTTPS",
    "resourceHTTPSSettingsDescription": "Skonfiguruj jak zasób będzie dostępny przez HTTPS",
+    "resourcePortDescription": "Zewnętrzny port na instancji lub węźle Pangolina, gdzie zasób będzie dostępny.",
    "domainType": "Typ domeny",
    "subdomain": "Poddomena",
    "baseDomain": "Bazowa domena",
+    "configure": "Konfiguracja",
    "subdomnainDescription": "Poddomena, w której zasób będzie dostępny.",
    "resourceRawSettings": "Ustawienia TCP/UDP",
    "resourceRawSettingsDescription": "Skonfiguruj jak zasób będzie dostępny przez TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Powrót",
    "cancel": "Anuluj",
    "resourceConfig": "Snippety konfiguracji",
-    "resourceConfigDescription": "Skopiuj i wklej te fragmenty konfiguracji, aby skonfigurować zasób TCP/UDP",
+    "resourceConfigDescription": "Skopiuj i wklej te fragmenty konfiguracji, aby skonfigurować zasób TCP/UDP.",
    "resourceAddEntrypoints": "Traefik: Dodaj punkty wejścia",
    "resourceExposePorts": "Gerbil: Podnieś porty w Komponencie Dockera",
    "resourceLearnRaw": "Dowiedz się, jak skonfigurować zasoby TCP/UDP",
    "resourceBack": "Powrót do zasobów",
    "resourceGoTo": "Przejdź do zasobu",
+    "resourcePolicyDelete": "Usuń politykę zasobu",
+    "resourcePolicyDeleteConfirm": "Potwierdź usunięcie polityki zasobu",
    "resourceDelete": "Usuń zasób",
    "resourceDeleteConfirm": "Potwierdź usunięcie zasobu",
+    "labelDelete": "Usuń etykietę",
+    "labelAdd": "Dodaj etykietę",
+    "labelCreateSuccessMessage": "Etykieta została utworzona pomyślnie",
+    "labelDuplicateError": "Zduplikowana etykieta",
+    "labelDuplicateErrorDescription": "Etykieta o tej nazwie już istnieje.",
+    "labelEditSuccessMessage": "Etykieta została pomyślnie zmodyfikowana",
+    "labelNameField": "Nazwa etykiety",
+    "labelColorField": "Kolor etykiety",
+    "labelPlaceholder": "Np.: homelab",
+    "labelCreate": "Utwórz etykietę",
+    "createLabelDialogTitle": "Utwórz etykietę",
+    "createLabelDialogDescription": "Utwórz nową etykietę, która może być przypisana do tej organizacji",
+    "labelEdit": "Edytuj etykietę",
+    "editLabelDialogTitle": "Aktualizuj etykietę",
+    "editLabelDialogDescription": "Edytuj nową etykietę, która może być przypisana do tej organizacji",
+    "labelDeleteConfirm": "Potwierdź usunięcie etykiety",
+    "labelErrorDelete": "Nie udało się usunąć etykiety",
+    "labelMessageRemove": "To działanie jest nieodwracalne. Wszystkie strony, zasoby i klienci oznaczeni tą etykietą zostaną odznaczeni.",
+    "labelQuestionRemove": "Czy na pewno chcesz usunąć etykietę z organizacji?",
    "visibility": "Widoczność",
    "enabled": "Włączone",
    "disabled": "Wyłączone",
@@ -261,6 +320,8 @@
    "rules": "Regulamin",
    "resourceSettingDescription": "Skonfiguruj ustawienia zasobu",
    "resourceSetting": "Ustawienia {resourceName}",
+    "resourcePolicySettingDescription": "Skonfiguruj ustawienia tej publicznej polityki zasobów",
+    "resourcePolicySetting": "Ustawienia {policyName}",
    "alwaysAllow": "Omijanie uwierzytelniania",
    "alwaysDeny": "Blokuj dostęp",
    "passToAuth": "Przekaż do Autoryzacji",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Po usunięciu ten użytkownik nie będzie miał już dostępu do organizacji. Zawsze możesz ponownie go zaprosić później, ale będzie musiał ponownie zaakceptować zaproszenie.",
    "userRemoveOrgConfirm": "Potwierdź usunięcie użytkownika",
    "userRemoveOrg": "Usuń użytkownika z organizacji",
+    "userQuestionOrgRemoveSelf": "Czy na pewno chcesz usunąć się z tej organizacji?",
+    "userMessageOrgRemoveSelf": "Stracisz dostęp natychmiastowo. Administrator może cię ponownie zaprosić, ale będziesz musiał przyjąć nowe zaproszenie.",
+    "userRemoveOrgConfirmSelf": "Potwierdź usunięcie siebie",
+    "userRemoveOrgSelf": "Usuń siebie z organizacji",
+    "userRemoveOrgSelfWarning": "Natychmiast stracisz dostęp do tej organizacji.",
+    "userRemoveOrgConfirmPhraseSelf": "USUŃ SIEBIE Z ORGANIZACJI",
    "users": "Użytkownicy",
    "accessRoleMember": "Członek",
    "accessRoleOwner": "Właściciel",
@@ -531,6 +598,11 @@
    "emailInvalid": "Nieprawidłowy adres e-mail",
    "inviteValidityDuration": "Proszę wybrać okres ważności",
    "accessRoleSelectPlease": "Proszę wybrać rolę",
+    "removeOwnAdminRoleConfirmTitle": "Usunąć dostęp administratora?",
+    "removeOwnAdminRoleConfirmDescription": "Po zapisaniu nie będziesz już posiadał uprawnień administratora w tej organizacji. Inny administrator może przywrócić dostęp, jeśli to konieczne.",
+    "removeOwnAdminRoleConfirmButton": "Usuń mój dostęp administratora",
+    "removeOwnAdminRoleConfirmPhrase": "USUŃ MÓJ DOSTĘP ADMINISTRATORA",
+    "ownerMustRetainAdminRole": "Właściciel organizacji musi zachować co najmniej jedną rolę administratora.",
    "usernameRequired": "Nazwa użytkownika jest wymagana",
    "idpSelectPlease": "Proszę wybrać dostawcę tożsamości",
    "idpGenericOidc": "Ogólny dostawca OAuth2/OIDC.",
@@ -615,7 +687,7 @@
    "createdAt": "Utworzono",
    "proxyErrorInvalidHeader": "Nieprawidłowa wartość niestandardowego nagłówka hosta. Użyj formatu nazwy domeny lub zapisz pusty, aby usunąć niestandardowy nagłówek hosta.",
    "proxyErrorTls": "Nieprawidłowa nazwa serwera TLS. Użyj formatu nazwy domeny lub zapisz pusty, aby usunąć nazwę serwera TLS.",
-    "proxyEnableSSL": "Włącz SSL",
+    "proxyEnableSSL": "Włącz TLS",
    "proxyEnableSSLDescription": "Włącz szyfrowanie SSL/TLS dla bezpiecznych połączeń HTTPS z celami.",
    "target": "Target",
    "configureTarget": "Konfiguruj Targety",
@@ -656,8 +728,9 @@
    "targetSubmit": "Dodaj cel",
    "targetNoOne": "Ten zasób nie ma żadnych celów. Dodaj cel do skonfigurowania adresów wysyłania żądań do backendu.",
    "targetNoOneDescription": "Dodanie więcej niż jednego celu powyżej włączy równoważenie obciążenia.",
-    "targetsSubmit": "Zapisz cele",
+    "targetsSubmit": "Zapisz ustawienia",
    "addTarget": "Dodaj cel",
+    "proxyMultiSiteRoundRobinNodeHelp": "Trasowanie round-robin nie będzie działać między witrynami, które nie są połączone z tym samym węzłem, ale przełączanie awaryjne będzie działać.",
    "targetErrorInvalidIp": "Nieprawidłowy adres IP",
    "targetErrorInvalidIpDescription": "Wprowadź prawidłowy adres IP lub nazwę hosta",
    "targetErrorInvalidPort": "Nieprawidłowy port",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Duplikat reguły",
    "rulesErrorDuplicateDescription": "Reguła o tych ustawieniach już istnieje",
    "rulesErrorInvalidIpAddressRange": "Nieprawidłowy CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Wprowadź prawidłową wartość CIDR",
-    "rulesErrorInvalidUrl": "Nieprawidłowa ścieżka URL",
-    "rulesErrorInvalidUrlDescription": "Wprowadź prawidłową wartość ścieżki URL",
-    "rulesErrorInvalidIpAddress": "Nieprawidłowe IP",
-    "rulesErrorInvalidIpAddressDescription": "Wprowadź prawidłowy adres IP",
+    "rulesErrorInvalidIpAddressRangeDescription": "Wprowadź poprawny zakres CIDR (np. 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Nieprawidłowa ścieżka",
+    "rulesErrorInvalidUrlDescription": "Wprowadź poprawną ścieżkę URL lub wzorzec (np. /api/*).",
+    "rulesErrorInvalidIpAddress": "Nieprawidłowy adres IP",
+    "rulesErrorInvalidIpAddressDescription": "Wprowadź poprawny adres IPv4 lub IPv6.",
    "rulesErrorUpdate": "Nie udało się zaktualizować reguł",
    "rulesErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji reguł",
    "rulesUpdated": "Włącz reguły",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "Wprowadź adres IP (np. 103.21.244.12)",
    "rulesMatchUrl": "Wprowadź ścieżkę URL lub wzorzec (np. /api/v1/todos lub /api/v1/*)",
    "rulesErrorInvalidPriority": "Nieprawidłowy priorytet",
-    "rulesErrorInvalidPriorityDescription": "Wprowadź prawidłowy priorytet",
+    "rulesErrorInvalidPriorityDescription": "Wprowadź liczbę całkowitą 1 lub wyższą.",
    "rulesErrorDuplicatePriority": "Zduplikowane priorytety",
-    "rulesErrorDuplicatePriorityDescription": "Wprowadź unikalne priorytety",
+    "rulesErrorDuplicatePriorityDescription": "Każda reguła musi mieć unikalny numer priorytetu.",
+    "rulesErrorValidation": "Nieprawidłowe reguły",
+    "rulesErrorValidationRuleDescription": "Reguła {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Wybierz poprawny typ dopasowania (ścieżka, IP, CIDR, kraj, region lub ASN).",
+    "rulesErrorValueRequired": "Wprowadź wartość dla tej reguły.",
+    "rulesErrorInvalidCountry": "Nieprawidłowy kraj",
+    "rulesErrorInvalidCountryDescription": "Wybierz poprawny kraj.",
+    "rulesErrorInvalidAsn": "Nieprawidłowy ASN",
+    "rulesErrorInvalidAsnDescription": "Wprowadź poprawny ASN (np. AS15169).",
    "ruleUpdated": "Reguły zaktualizowane",
    "ruleUpdatedDescription": "Reguły zostały pomyślnie zaktualizowane",
    "ruleErrorUpdate": "Operacja nie powiodła się",
    "ruleErrorUpdateDescription": "Wystąpił błąd podczas operacji zapisu",
    "rulesPriority": "Priorytet",
+    "rulesReorderDragHandle": "Przeciągnij, aby zmienić kolejność priorytetów reguł",
    "rulesAction": "Akcja",
    "rulesMatchType": "Typ dopasowania",
    "value": "Wartość",
@@ -728,9 +810,60 @@
    "rulesResource": "Konfiguracja reguł zasobu",
    "rulesResourceDescription": "Skonfiguruj reguły, aby kontrolować dostęp do zasobu",
    "ruleSubmit": "Dodaj regułę",
-    "rulesNoOne": "Brak reguł. Dodaj regułę używając formularza.",
+    "rulesNoOne": "Brak reguł.",
    "rulesOrder": "Reguły są oceniane według priorytetu w kolejności rosnącej.",
    "rulesSubmit": "Zapisz reguły",
+    "policyErrorCreate": "Błąd przy tworzeniu polityki",
+    "policyErrorCreateDescription": "Wystąpił błąd podczas tworzenia polityki",
+    "policyErrorCreateMessageDescription": "Wystąpił nieoczekiwany błąd",
+    "policyErrorUpdate": "Błąd przy aktualizacji polityki",
+    "policyErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji polityki",
+    "policyErrorUpdateMessageDescription": "Wystąpił nieoczekiwany błąd",
+    "policyCreatedSuccess": "Polityka zasobów została pomyślnie utworzona",
+    "policyUpdatedSuccess": "Polityka zasobów została pomyślnie zaktualizowana",
+    "authMethodsSave": "Zapisz ustawienia",
+    "policyAuthStackTitle": "Uwierzytelnianie",
+    "policyAuthStackDescription": "Kontroluj, które metody uwierzytelniania są wymagane do uzyskania dostępu do tego zasobu",
+    "policyAuthOrLogicTitle": "Kilka metod uwierzytelniania jest aktywnych",
+    "policyAuthOrLogicBanner": "Odwiedzający mogą się uwierzytelnić, korzystając z jednej z poniższych aktywnych metod. Nie muszą ukończyć wszystkich z nich.",
+    "policyAuthMethodActive": "Aktywny",
+    "policyAuthMethodOff": "Wyłączony",
+    "policyAuthSsoTitle": "Platforma SSO",
+    "policyAuthSsoDescription": "Wymagany znak w identyfikatorze dostawcy Twojej organizacji",
+    "policyAuthSsoSummary": "{idp} · {users} użytkowników, {roles} ról",
+    "policyAuthSsoDefaultIdp": "Dostawca domyślny",
+    "policyAuthAddDefaultIdentityProvider": "Dodaj Dostawcę Tożsamości Domyślnej",
+    "policyAuthOtherMethodsTitle": "Inne Metody",
+    "policyAuthOtherMethodsDescription": "Opcjonalne metody, których odwiedzający mogą używać zamiast lub razem z platformą SSO",
+    "policyAuthPasscodeTitle": "Hasło dostępu",
+    "policyAuthPasscodeDescription": "Wymagane wspólne hasło alfanumeryczne do uzyskania dostępu do zasobu",
+    "policyAuthPasscodeSummary": "Zestaw hasła dostępu",
+    "policyAuthPincodeTitle": "Kod PIN",
+    "policyAuthPincodeDescription": "Krótki kod numeryczny wymagany do uzyskania dostępu do zasobu",
+    "policyAuthPincodeSummary": "Ustawiono 6-cyfrowy kod PIN",
+    "policyAuthEmailTitle": "Biała lista e-mail",
+    "policyAuthEmailDescription": "Dozwolone adresy e-mail z hasłami jednorazowymi",
+    "policyAuthEmailSummary": "Dozwolonych {count} adresów",
+    "policyAuthEmailOtpCallout": "Włączenie białej listy e-mail wysyła hasło jednorazowe na e-mail odwiedzającego podczas logowania.",
+    "policyAuthHeaderAuthTitle": "Podstawowe Uwierzytelnianie Nagłówka",
+    "policyAuthHeaderAuthDescription": "Walidacja niestandardowej nazwy i wartości nagłówka HTTP przy każdym żądaniu",
+    "policyAuthHeaderAuthSummary": "Skonfigurowany nagłówek",
+    "policyAuthHeaderName": "Nazwa nagłówka",
+    "policyAuthHeaderValue": "Oczekiwana wartość",
+    "policyAuthSetPasscode": "Ustaw hasło dostępu",
+    "policyAuthSetPincode": "Ustaw kod PIN",
+    "policyAuthSetEmailWhitelist": "Ustaw białą listę e-mail",
+    "policyAuthSetHeaderAuth": "Ustaw Podstawowe Uwierzytelnianie Nagłówka",
+    "policyAccessRulesTitle": "Zasady Dostępu",
+    "policyAccessRulesEnableDescription": "Gdy zostaną włączone, reguły są oceniane w kolejności malejącej, aż jedna z nich zostanie oceniona jako prawdziwa.",
+    "policyAccessRulesFirstMatch": "Reguły są oceniane od góry do dołu. Pierwsza pasująca reguła decyduje o wyniku.",
+    "policyAccessRulesHowItWorks": "Reguły dopasowują żądania według ścieżki, adresu IP, lokalizacji lub innych kryteriów. Każda reguła stosuje działanie: pominięcie uwierzytelniania, blokowanie dostępu lub przekazanie do uwierzytelniania. Jeśli żadna reguła nie pasuje, ruch przechodzi dalej do uwierzytelniania.",
+    "policyAccessRulesFallthroughOff": "Gdy reguły są wyłączone, cały ruch przechodzi do uwierzytelniania.",
+    "policyAccessRulesFallthroughOn": "Gdy żadna reguła nie pasuje, ruch przechodzi do uwierzytelniania.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Zapisz zasady",
    "resourceErrorCreate": "Błąd podczas tworzenia zasobu",
    "resourceErrorCreateDescription": "Wystąpił błąd podczas tworzenia zasobu",
    "resourceErrorCreateMessage": "Błąd podczas tworzenia zasobu:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji zasobu",
    "access": "Dostęp",
    "accessControl": "Kontrola dostępu",
-    "shareLink": "Link udostępniania {resource}",
+    "shareLink": "{resource} Link do udostępnienia",
    "resourceSelect": "Wybierz zasób",
-    "shareLinks": "Linki udostępniania",
+    "shareLinks": "Linki do udostępnienia",
    "share": "Linki do udostępniania",
    "shareDescription2": "Utwórz linki do zasobów, które można współdzielić. Linki zapewniają tymczasowy lub nieograniczony dostęp do twojego zasobu. Możesz skonfigurować czas ważności linku, gdy go utworzysz.",
    "shareEasyCreate": "Łatwe tworzenie i udostępnianie",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Dodaj kod PIN",
    "pincodeRemove": "Usuń kod PIN",
    "resourceAuthMethods": "Metody uwierzytelniania",
+    "resourcePolicyAuthMethodsEmpty": "Brak metody uwierzytelniania",
+    "resourcePolicyOtpEmpty": "Brak jednorazowego hasła",
+    "resourcePolicyReadOnly": "Ta polityka jest tylko do odczytu",
+    "resourcePolicyReadOnlyDescription": "Ta polityka zasobów jest dzielona pomiędzy wieloma zasobami, nie możesz jej edytować na tej stronie.",
+    "editSharedPolicy": "Edytuj Dzieleną Politykę",
+    "resourcePolicyTypeSave": "Zapisz typ zasobu",
+    "resourcePolicySelect": "Wybierz politykę zasobów",
+    "resourcePolicySelectError": "Wybierz politykę zasobów",
+    "resourcePolicyNotFound": "Nie znaleziono polityki",
+    "resourcePolicySearch": "Szukaj polityki",
+    "resourcePolicyRulesEmpty": "Brak zasad uwierzytelniania",
    "resourceAuthMethodsDescriptions": "Zezwól na dostęp do zasobu przez dodatkowe metody uwierzytelniania",
    "resourceAuthSettingsSave": "Zapisano pomyślnie",
    "resourceAuthSettingsSaveDescription": "Ustawienia uwierzytelniania zostały zapisane",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Ustaw kod PIN",
    "resourcePincodeSetupTitleDescription": "Ustaw kod PIN, aby chronić ten zasób",
    "resourceRoleDescription": "Administratorzy zawsze mają dostęp do tego zasobu.",
+    "resourcePolicySelectTitle": "Polityka dostępu do zasobów",
+    "resourcePolicySelectDescription": "Wybierz typ polityki zasobów do uwierzytelniania",
+    "resourcePolicyTypeLabel": "Typ polityki",
+    "resourcePolicyLabel": "Polityka zasobów",
+    "resourcePolicyInline": "Warunkowa polityka zasobów",
+    "resourcePolicyInlineDescription": "Polityka dostępu tylko do tego zasobu",
+    "resourcePolicyShared": "Dzielona polityka zasobów",
+    "resourcePolicySharedDescription": "Ten zasób korzysta z polityki współdzielonej.",
+    "sharedPolicy": "Polityka Współdzielona",
+    "sharedPolicyNoneDescription": "Ten zasób ma własną politykę.",
+    "resourceSharedPolicyOwnDescription": "Ten zasób ma własne kontrole zasad uwierzytelniania i dostępu.",
+    "resourceSharedPolicyInheritedDescription": "Ten zasób dziedziczy z <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Ten zasób używa polityki współdzielonej. Niektóre ustawienia uwierzytelniania można edytować w tym zasobie, aby dodać do polityki. Aby zmienić podlegającą politykę, musisz ją edytować do <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Ten zasób używa polityki współdzielonej. Niektóre zasady dostępu można edytować w tym zasobie. Aby zmienić podlegającą politykę, musisz edytować <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Kontrola dostępu",
    "resourceUsersRolesDescription": "Skonfiguruj, którzy użytkownicy i role mogą odwiedzać ten zasób",
    "resourceUsersRolesSubmit": "Zapisz kontrole dostępu",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Widoczność",
    "resourceVisibilityTitleDescription": "Całkowicie włącz lub wyłącz widoczność zasobu",
    "resourceGeneral": "Ustawienia ogólne",
-    "resourceGeneralDescription": "Skonfiguruj ustawienia ogólne dla tego zasobu",
+    "resourceGeneralDescription": "Skonfiguruj nazwę, adres i zasady dostępu dla tego zasobu.",
+    "resourceGeneralDetailsSubsection": "Szczegóły zasobu",
+    "resourceGeneralDetailsSubsectionDescription": "Ustaw nazwę wyświetlaną, identyfikator i publicznie dostępna domenę dla tego zasobu.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Ustaw nazwę wyświetlaną, identyfikator i publiczny port dla tego zasobu.",
+    "resourceGeneralPublicAddressSubsection": "Publiczny Adres",
+    "resourceGeneralPublicAddressSubsectionDescription": "Skonfiguruj, jak użytkownicy mogą dotrzeć do tego zasobu.",
+    "resourceGeneralAuthenticationAccessSubsection": "Uwierzytelnianie i Dostęp",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Wybierz, czy ten zasób używa własnej polityki, czy dziedziczy z polityki współdzielonej.",
    "resourceEnable": "Włącz zasób",
    "resourceTransfer": "Przenieś zasób",
    "resourceTransferDescription": "Przenieś ten zasób do innej witryny",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Wystąpił problem z połączeniem z {name}. Skontaktuj się z administratorem.",
    "idpErrorNotFound": "Nie znaleziono IdP",
    "inviteInvalid": "Nieprawidłowe zaproszenie",
+    "labels": "Etykiety",
+    "orgLabelsDescription": "Zarządzaj etykietami w tej organizacji.",
+    "addLabels": "Dodaj etykiety",
+    "siteLabelsTab": "Etykiety",
+    "siteLabelsDescription": "Zarządzaj etykietami powiązanymi z tą stroną.",
+    "labelsNotFound": "Nie znaleziono etykiet.",
+    "labelsEmptyCreateHint": "Zacznij pisać powyżej, aby utworzyć etykietę.",
+    "labelSearch": "Szukaj etykiet",
+    "labelSearchOrCreate": "Wyszukaj lub utwórz etykietę",
+    "accessLabelFilterCount": "{count, plural, one {# etykieta} few {# etykiety} many {# etykiet} other {# etykiet}}",
+    "labelOverflowCount": "+{count, plural, one {# etykieta} few {# etykiety} many {# etykiet} other {# etykiet}}",
+    "accessLabelFilterClear": "Wyczyść filtry etykiet",
+    "accessFilterClear": "Wyczyść filtry",
+    "selectColor": "Wybierz kolor",
+    "createNewLabel": "Utwórz nową etykietę org \"{label}\"",
    "inviteInvalidDescription": "Link zapraszający jest nieprawidłowy.",
    "inviteErrorWrongUser": "Zaproszenie nie jest dla tego użytkownika",
    "inviteErrorUserNotExists": "Użytkownik nie istnieje. Najpierw utwórz konto.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Zasoby",
    "sidebarProxyResources": "Publiczne",
    "sidebarClientResources": "Prywatny",
+    "sidebarPolicies": "Polityki Współdzielone",
+    "sidebarResourcePolicies": "Zasoby publiczne",
    "sidebarAccessControl": "Kontrola dostępu",
    "sidebarLogsAndAnalytics": "Logi i Analityki",
    "sidebarTeam": "Drużyna",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Administrator",
    "sidebarInvitations": "Zaproszenia",
    "sidebarRoles": "Role",
-    "sidebarShareableLinks": "Linki",
+    "sidebarShareableLinks": "Linki do udostępnienia",
    "sidebarApiKeys": "Klucze API",
    "sidebarProvisioning": "Dostarczanie",
    "sidebarSettings": "Ustawienia",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Witryna {id}",
    "standaloneHcFilterResourceIdFallback": "Zasób {id}",
    "blueprints": "Schematy",
-    "blueprintsDescription": "Zastosuj konfiguracje deklaracyjne i wyświetl poprzednie operacje",
+    "blueprintsLog": "Dziennik szablonów",
+    "blueprintsDescription": "Przeglądaj wcześniejsze aplikacje wzorców i ich wyniki lub zastosuj nowy wzorzec",
    "blueprintAdd": "Dodaj schemat",
    "blueprintGoBack": "Zobacz wszystkie schematy",
    "blueprintCreate": "Utwórz schemat",
@@ -1559,7 +1742,17 @@
    "contents": "Treść",
    "parsedContents": "Przetworzona zawartość (tylko do odczytu)",
    "enableDockerSocket": "Włącz schemat dokera",
-    "enableDockerSocketDescription": "Włącz etykietowanie kieszeni dokującej dla etykiet schematów. Ścieżka do gniazda musi być dostarczona do Newt.",
+    "enableDockerSocketDescription": "Włącz etykietowanie gniazda dokera dla etykiet szablonów. Ścieżka do gniazda musi być dostarczona do łącznika strony. Przeczytaj zarówno jak to działa w <docsLink>dokumentacji</docsLink>.",
+    "newtAutoUpdate": "Włącz automatyczną aktualizację witryny",
+    "newtAutoUpdateDescription": "Po włączeniu, łączniki witryn automatycznie pobiorą najnowszą wersję i uruchomią się ponownie. Można to nadpisać na poziomie poszczególnych witryn.",
+    "siteAutoUpdate": "Automatyczna aktualizacja strony",
+    "siteAutoUpdateLabel": "Włącz aktualizacje automatyczne",
+    "siteAutoUpdateDescription": "Po włączeniu, łącznik tej witryny automatycznie pobierze najnowszą wersję i uruchomi się ponownie.",
+    "siteAutoUpdateOrgDefault": "Domyślnie dla organizacji: {state}",
+    "siteAutoUpdateOverriding": "Nadpisywanie ustawień organizacji",
+    "siteAutoUpdateResetToOrg": "Zresetuj do domyślnych ustawień organizacji",
+    "siteAutoUpdateEnabled": "włączone",
+    "siteAutoUpdateDisabled": "wyłączone",
    "viewDockerContainers": "Zobacz kontenery dokujące",
    "containersIn": "Pojemniki w {siteName}",
    "selectContainerDescription": "Wybierz dowolny kontener do użycia jako nazwa hosta dla tego celu. Kliknij port, aby użyć portu.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certyfikat",
    "certificateStatusAutoRefreshHint": "Status odświeża się automatycznie.",
    "loading": "Ładowanie",
+    "loadingEllipsis": "Ładowanie...",
    "loadingAnalytics": "Ładowanie Analityki",
    "restart": "Uruchom ponownie",
    "domains": "Domeny",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Konfiguracja konta zakończona! Witaj w Pangolin!",
    "documentation": "Dokumentacja",
    "saveAllSettings": "Zapisz wszystkie ustawienia",
-    "saveResourceTargets": "Zapisz cele",
-    "saveResourceHttp": "Zapisz ustawienia proxy",
-    "saveProxyProtocol": "Zapisz ustawienia protokołu proxy",
+    "saveResourceTargets": "Zapisz ustawienia",
+    "saveResourceHttp": "Zapisz ustawienia",
+    "saveProxyProtocol": "Zapisz ustawienia",
    "settingsUpdated": "Ustawienia zaktualizowane",
    "settingsUpdatedDescription": "Ustawienia zostały pomyślnie zaktualizowane",
    "settingsErrorUpdate": "Nie udało się zaktualizować ustawień",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Zarządzaj subskrypcją płatnych własnych kluczy licencyjnych",
    "billingCurrentKeys": "Bieżące klucze",
    "billingModifyCurrentPlan": "Modyfikuj bieżący plan",
+    "billingManageLicenseSubscriptionDescription": "Zarządzaj swoją subskrypcją dla płatnych kluczy licencyjnych na samoobsługowy hosting i pobieraj faktury.",
    "billingConfirmUpgrade": "Potwierdź aktualizację",
    "billingConfirmDowngrade": "Potwierdź obniżenie",
    "billingConfirmUpgradeDescription": "Zamierzasz ulepszyć swój plan. Przejrzyj nowe limity i ceny poniżej.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Nieznany",
    "healthCheck": "Kontrola Zdrowia",
    "configureHealthCheck": "Skonfiguruj Kontrolę Zdrowia",
-    "configureHealthCheckDescription": "Skonfiguruj monitorowanie zdrowia dla {target}",
+    "configureHealthCheckDescription": "Skonfiguruj monitorowanie zasobu, aby zapewnić jego dostępność",
    "enableHealthChecks": "Włącz Kontrole Zdrowia",
    "healthCheckDisabledStateDescription": "Gdy wyłączone, strona nie będzie wykonywać kontroli zdrowia, a stan zostanie uznany za nieznany.",
    "enableHealthChecksDescription": "Monitoruj zdrowie tego celu. Możesz monitorować inny punkt końcowy niż docelowy w razie potrzeby.",
    "healthScheme": "Metoda",
    "healthSelectScheme": "Wybierz metodę",
-    "healthCheckPortInvalid": "Port oceny stanu musi znajdować się między 1 a 65535",
+    "healthCheckPortInvalid": "Port musi być pomiędzy 1 a 65535",
    "healthCheckPath": "Ścieżka",
    "healthHostname": "IP / Nazwa hosta",
    "healthPort": "Port",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Czas w sekundach",
    "requireDeviceApproval": "Wymagaj zatwierdzenia urządzenia",
    "requireDeviceApprovalDescription": "Użytkownicy o tej roli potrzebują nowych urządzeń zatwierdzonych przez administratora, zanim będą mogli połączyć się i uzyskać dostęp do zasobów.",
+    "sshSettings": "Ustawienia SSH",
    "sshAccess": "Dostęp SSH",
+    "rdpSettings": "Ustawienia RDP",
+    "vncSettings": "Ustawienia VNC",
+    "sshServer": "Serwer SSH",
+    "rdpServer": "Serwer RDP",
+    "vncServer": "Serwer VNC",
+    "sshServerDescription": "Skonfiguruj metodę uwierzytelniania, lokalizację demona i miejsce docelowe serwera",
+    "rdpServerDescription": "Skonfiguruj miejsce docelowe i port serwera RDP",
+    "vncServerDescription": "Skonfiguruj miejsce docelowe i port serwera VNC",
+    "sshServerMode": "Tryb",
+    "sshServerModeStandard": "Standardowy Serwer SSH",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Przesyła polecenia przez sieć do serwera SSH takiego jak OpenSSH.",
+    "sshServerModeNative": "Natywny Serwer SSH",
+    "sshServerModeNativeDescription": "Wykonuje polecenia bezpośrednio na hoście za pomocą łącznika strony. Nie wymaga konfiguracji sieci.",
+    "sshAuthenticationMethod": "Metoda uwierzytelniania",
+    "sshAuthMethodManual": "Ręczne uwierzytelnianie",
+    "sshAuthMethodManualDescription": "Wymaga istniejących poświadczeń hosta. Omiija automatyczne provisioning.",
+    "sshAuthMethodAutomated": "Automatyczne Provisioning",
+    "sshAuthMethodAutomatedDescription": "Automatycznie tworzy użytkowników, grupy i uprawnienia sudo na hoście.",
+    "sshAuthDaemonLocation": "Lokalizacja Demona Uwierzytelniania",
+    "sshDaemonLocationSiteDescription": "Wykonuje lokalnie na maszynie hostującej łącznik strony.",
+    "sshDaemonLocationRemote": "Na Zdalnym Hoście",
+    "sshDaemonLocationRemoteDescription": "Wykonuje się na innej maszynie docelowej w tej samej sieci.",
+    "sshDaemonDisclaimer": "Upewnij się, że Twoja maszyna docelowa jest poprawnie skonfigurowana do uruchamiania demona uwierzytelniania zanim ukończysz tę konfigurację, w przeciwnym razie provisioning zakończy się niepowodzeniem.",
+    "sshDaemonPort": "Port Demona",
+    "sshServerDestination": "Miejsce docelowe serwera",
+    "sshServerDestinationDescription": "Skonfiguruj miejsce docelowe serwera SSH",
+    "destination": "Miejsce docelowe",
+    "destinationRequired": "Wymagane jest miejsce docelowe.",
+    "domainRequired": "Wymagana jest domena.",
+    "proxyPortRequired": "Wymagany jest port.",
+    "invalidPathConfiguration": "Nieprawidłowa konfiguracja ścieżki.",
+    "invalidRewritePathConfiguration": "Nieprawidłowa konfiguracja ścieżki modyfikacji.",
+    "bgTargetMultiSiteDisclaimer": "Wybór wielu stron umożliwia odporność trasowania i zmienioność dla wysokiej dostępności.",
    "roleAllowSsh": "Zezwalaj na SSH",
    "roleAllowSshAllow": "Zezwól",
    "roleAllowSshDisallow": "Nie zezwalaj",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Użytkownik może uruchamiać tylko określone polecenia z sudo.",
    "sshSudo": "Zezwól na sudo",
    "sshSudoCommands": "Komendy Sudo",
-    "sshSudoCommandsDescription": "Lista poleceń oddzielonych przecinkami, które użytkownik może uruchamiać z sudo.",
+    "sshSudoCommandsDescription": "Lista poleceń, które użytkownik może uruchomić z sudo, oddzielone przecinkami, spacjami lub nowymi liniami. Absolutne ścieżki muszą być używane.",
    "sshCreateHomeDir": "Utwórz katalog domowy",
    "sshUnixGroups": "Grupy Unix",
-    "sshUnixGroupsDescription": "Oddzielone przecinkami grupy Unix, aby dodać użytkownika do docelowego hosta.",
+    "sshUnixGroupsDescription": "Grupy Uniksowe, do których dodać użytkownika na docelowym hoście, oddzielone przecinkami, spacjami, lub nowymi liniami.",
+    "roleTextFieldPlaceholder": "Wprowadź wartości lub upuść plik .txt lub .csv",
+    "roleTextImportTitle": "Importuj z pliku",
+    "roleTextImportDescription": "Importowanie {fileName} do {fieldLabel}.",
+    "roleTextImportSkipHeader": "Pomiń pierwszy wiersz (Nagłówek)",
+    "roleTextImportOverride": "Zamień istniejące",
+    "roleTextImportAppend": "Dołącz do istniejącego",
+    "roleTextImportMode": "Tryb importu",
+    "roleTextImportPreview": "Podgląd",
+    "roleTextImportItemCount": "{count, plural, =0 {Brak elementów do zaimportowania} one {1 element do zaimportowania} few {# elementy do zaimportowania} many {# elementów do zaimportowania} other {# elementów do zaimportowania}}",
+    "roleTextImportTotalCount": "{existing} istniejące + {imported} zaimportowane = {total} łącznie",
+    "roleTextImportConfirm": "Importuj",
+    "roleTextImportInvalidFile": "Nieobsługiwany typ pliku",
+    "roleTextImportInvalidFileDescription": "Obsługiwane są tylko pliki .txt i .csv.",
+    "roleTextImportEmpty": "Nie znaleziono elementów w pliku",
+    "roleTextImportEmptyDescription": "Plik nie zawiera żadnych elementów możliwych do zaimportowania.",
    "retryAttempts": "Próby Ponowienia",
    "expectedResponseCodes": "Oczekiwane Kody Odpowiedzi",
    "expectedResponseCodesDescription": "Kod statusu HTTP, który wskazuje zdrowy status. Jeśli pozostanie pusty, uznaje się 200-300 za zdrowy.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schemat",
-    "editInternalResourceDialogEnableSsl": "Włącz SSL",
+    "editInternalResourceDialogEnableSsl": "Włącz TLS",
    "editInternalResourceDialogEnableSslDescription": "Włącz szyfrowanie SSL/TLS dla bezpiecznych połączeń HTTPS z miejscem docelowym.",
    "editInternalResourceDialogDestination": "Miejsce docelowe",
    "editInternalResourceDialogDestinationHostDescription": "Adres IP lub nazwa hosta zasobu w sieci witryny.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schemat",
    "createInternalResourceDialogScheme": "Schemat",
-    "createInternalResourceDialogEnableSsl": "Włącz SSL",
+    "createInternalResourceDialogEnableSsl": "Włącz TLS",
    "createInternalResourceDialogEnableSslDescription": "Włącz szyfrowanie SSL/TLS dla bezpiecznych połączeń HTTPS z miejscem docelowym.",
    "createInternalResourceDialogDestination": "Miejsce docelowe",
    "createInternalResourceDialogDestinationHostDescription": "Adres IP lub nazwa hosta zasobu w sieci witryny.",
@@ -2217,7 +2464,7 @@
        "description": "Większa niezawodność i niska konserwacja serwera Pangolin z dodatkowymi dzwonkami i sygnałami",
        "introTitle": "Zarządzany samowystarczalny Pangolin",
        "introDescription": "jest opcją wdrażania zaprojektowaną dla osób, które chcą prostoty i dodatkowej niezawodności, przy jednoczesnym utrzymaniu swoich danych prywatnych i samodzielnych.",
-        "introDetail": "Z tą opcją nadal obsługujesz swój własny węzeł Pangolin - tunele, zakończenie SSL i ruch na Twoim serwerze. Różnica polega na tym, że zarządzanie i monitorowanie odbywa się za pomocą naszej tablicy rozdzielczej, która odblokowuje szereg korzyści:",
+        "introDetail": "Z tą opcją nadal obsługujesz swój własny węzeł Pangolin - tunele, zakończenie TLS i ruch na Twoim serwerze. Różnica polega na tym, że zarządzanie i monitorowanie odbywa się za pomocą naszej tablicy rozdzielczej, która odblokowuje szereg korzyści:",
        "benefitSimplerOperations": {
            "title": "Uproszczone operacje",
            "description": "Nie ma potrzeby uruchamiania własnego serwera pocztowego lub ustawiania skomplikowanych powiadomień. Będziesz mieć kontrolę zdrowia i powiadomienia o przestoju."
@@ -2652,6 +2899,8 @@
    "validPassword": "Prawidłowe hasło",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Zobacz",
+    "configManaged": "Konfiguracja zarządzana",
    "connectedClient": "Połączony Klient",
    "resourceBlocked": "Zasób zablokowany",
    "droppedByRule": "Upuszczone przez regułę",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Włącz protokół proxy",
    "proxyProtocolInfo": "Zachowaj adresy IP klienta dla backendów TCP",
    "proxyProtocolVersion": "Wersja protokołu proxy",
-    "version1": " Wersja 1 (zalecane)",
+    "version1": "Wersja 1 (Zalecane)",
    "version2": "Wersja 2",
-    "versionDescription": "Wersja 1 jest oparta na tekście i szeroko wspierana. Wersja 2 jest binarna i bardziej efektywna, ale mniej kompatybilna.",
+    "version1Description": "Oparta na tekście i szeroko wspierana. Upewnij się, że transport serwera został dodany do dynamicznej konfiguracji.",
+    "version2Description": "Binarna i bardziej efektywna, ale mniej kompatybilna. Upewnij się, że transport serwera został dodany do dynamicznej konfiguracji.",
    "warning": "Ostrzeżenie",
    "proxyProtocolWarning": "Aplikacja backend musi być skonfigurowana do akceptowania połączeń protokołu proxy. Jeśli Twój backend nie obsługuje protokołu Proxy, włączenie tego spowoduje przerwanie wszystkich połączeń, więc włącz to tylko jeśli wiesz, co robisz. Upewnij się, że konfiguracja twojego backendu do zaufanych nagłówków protokołu proxy z Traefik.",
    "restarting": "Restartowanie...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Wprowadź potwierdzenie",
    "blueprintViewDetails": "Szczegóły",
    "defaultIdentityProvider": "Domyślny dostawca tożsamości",
-    "defaultIdentityProviderDescription": "Gdy zostanie wybrany domyślny dostawca tożsamości, użytkownik zostanie automatycznie przekierowany do dostawcy w celu uwierzytelnienia.",
+    "defaultIdentityProviderDescription": "Użytkownik zostanie automatycznie przekierowany do tego dostawcy tożsamości w celu uwierzytelnienia.",
    "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
    "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
    "editInternalResourceDialogAddRoles": "Dodaj role",
@@ -2919,11 +3169,12 @@
    "learnMore": "Dowiedz się więcej",
    "backToHome": "Wróć do strony głównej",
    "needToSignInToOrg": "Czy potrzebujesz użyć dostawcy tożsamości organizacji?",
-    "maintenanceMode": "Tryb konserwacji",
+    "maintenanceMode": "Strona konserwacji",
    "maintenanceModeDescription": "Wyświetl stronę konserwacyjną odwiedzającym",
    "maintenanceModeType": "Typ trybu konserwacji",
    "showMaintenancePage": "Pokaż odwiedzającym stronę konserwacji",
    "enableMaintenanceMode": "Włącz tryb konserwacji",
+    "enableMaintenanceModeDescription": "Gdy włączone, odwiedzający zobaczą stronę konserwacyjną zamiast Twojego zasobu.",
    "automatic": "Automatycznie",
    "automaticModeDescription": "Pokaż stronę konserwacyjną tylko wtedy, gdy wszystkie cele zaplecza są wyłączone lub niezdrowe. Twój zasób działa nadal normalnie, o ile przynajmniej jeden cel jest zdrowy.",
    "forced": "Wymuszone",
@@ -2931,6 +3182,8 @@
    "warning:": "Ostrzeżenie:",
    "forcedeModeWarning": "Cały ruch zostanie skierowany na stronę konserwacyjną. Twoje zasoby zaplecza nie otrzymają żadnych żądań.",
    "pageTitle": "Tytuł strony",
+    "maintenancePageContentSubsection": "Zawartość strony",
+    "maintenancePageContentSubsectionDescription": "Dostosuj treść wyświetlaną na stronie konserwacyjnej",
    "pageTitleDescription": "Główny nagłówek wyświetlany na stronie konserwacyjnej",
    "maintenancePageMessage": "Komunikat konserwacyjny",
    "maintenancePageMessagePlaceholder": "Wrócimy wkrótce! Nasza strona przechodzi obecnie zaplanowaną konserwację.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Szacowane zakończenie:",
    "createInternalResourceDialogDestinationRequired": "Miejsce docelowe jest wymagane",
    "available": "Dostępny",
+    "disabledResourceDescription": "Kiedy wyłączone, zasób będzie niedostępny dla wszystkich.",
    "archived": "Zarchiwizowane",
    "noArchivedDevices": "Nie znaleziono zarchiwizowanych urządzeń",
    "deviceArchived": "Urządzenie zarchiwizowane",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Przekaż wydarzenia bezpośrednio do Twojego konta Datadog. Już wkrótce.",
    "streamingTypePickerDescription": "Wybierz typ docelowy, aby rozpocząć.",
-    "streamingFailedToLoad": "Nie udało się załadować miejsc docelowych",
+    "streamingLastSyncError": "Wystąpił błąd podczas ostatniej synchronizacji",
    "streamingUnexpectedError": "Wystąpił nieoczekiwany błąd.",
    "streamingFailedToUpdate": "Nie udało się zaktualizować miejsca docelowego",
    "streamingDeletedSuccess": "Cel usunięty pomyślnie",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Edytuj Miejsce Docelowe",
    "S3DestAddTitle": "Dodaj Miejsce Docelowe S3",
    "S3DestEditDescription": "Zaktualizuj konfigurację dla tego miejsca docelowego strumieniowego zdarzeń S3.",
-    "S3DestAddDescription": "Skonfiguruj nowy punkt końcowy S3, aby odbierać zdarzenia Twojej organizacji.",
+    "S3DestAddDescription": "Skonfiguruj nowy zasobnik Amazon S3 (lub zgodny z S3), aby otrzymywać zdarzenia twojej organizacji.",
+    "s3DestTabSettings": "Ustawienia",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Nazwa",
+    "s3DestNamePlaceholder": "Moje miejsce docelowe S3",
+    "s3DestAccessKeyIdLabel": "AWS Access Key ID",
+    "s3DestSecretAccessKeyLabel": "AWS Secret Access Key",
+    "s3DestSecretAccessKeyPlaceholder": "Twój AWS Secret Access Key",
+    "s3DestRegionLabel": "Region AWS",
+    "s3DestBucketLabel": "Nazwa kubła",
+    "s3DestPrefixLabel": "Prefiks klucza (opcjonalnie)",
+    "s3DestPrefixDescription": "Opcjonalny prefiks ścieżki dołączony do każdego klucza obiektu. Obiekty są przechowywane w {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Niestandardowy punkt końcowy (opcjonalnie)",
+    "s3DestEndpointDescription": "Nadpisz punkt końcowy S3 dla zgodnego przechowywania danych, takiego jak MinIO lub Cloudflare R2. Pozostaw puste dla standardowego AWS S3.",
+    "s3DestGzipLabel": "Kompresja Gzip",
+    "s3DestGzipDescription": "Skompresuj każdy przesłany obiekt za pomocą gzip. Zmniejsza koszty przechowywania i rozmiar przesyłu.",
+    "s3DestFormatTitle": "Format pliku",
+    "s3DestFormatDescription": "Jak zdarzenia są serializowane w każdym przesłanym obiekcie.",
+    "s3DestFormatJsonArrayDescription": "Każdy obiekt to tablica JSON z rekordami zdarzeń. Zgodne z większością narzędzi analitycznych.",
+    "s3DestFormatNdjsonDescription": "Każdy obiekt zawiera jeden rekord JSON na linię (nowa linia-dzielone JSON). Zgodne z Athena, BigQuery i Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Każdy obiekt to plik CSV zgodny z RFC-4180 z wierszem nagłówka. Nazwy kolumn pochodzą z pól danych zdarzeń.",
+    "s3DestSaveChanges": "Zapisz zmiany",
+    "s3DestCreateDestination": "Utwórz miejsce docelowe",
+    "s3DestUpdatedSuccess": "Miejsce docelowe zaktualizowane pomyślnie",
+    "s3DestCreatedSuccess": "Miejsce docelowe utworzone pomyślnie",
+    "s3DestUpdateFailed": "Nie udało się zaktualizować miejsca docelowego",
+    "s3DestCreateFailed": "Nie udało się utworzyć miejsca docelowego",
    "datadogDestEditTitle": "Edytuj Miejsce Docelowe",
    "datadogDestAddTitle": "Dodaj Miejsce Docelowe Datadog",
    "datadogDestEditDescription": "Zaktualizuj konfigurację dla tego miejsca docelowego strumieniowego zdarzeń Datadog.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Czy na pewno chcesz odłączyć tego dostawcę tożsamości od tej organizacji?",
    "idpUnassociateDescription": "Wszystkie użytkownicy powiązani z tym dostawcą tożsamości zostaną usunięci z tej organizacji, ale dostawca tożsamości będzie nadal istniał dla innych powiązanych organizacji.",
    "idpUnassociateConfirm": "Potwierdź odłączenie dostawcy tożsamości",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "USUŃ I USUŃ MNIE Z ORGANIZACJI",
+    "idpUnassociateAndRemoveMeFromOrg": "ODSTAW I USUŃ MNIE Z ORGANIZACJI",
    "idpUnassociateWarning": "Tego nie można cofnąć dla tej organizacji.",
    "idpUnassociatedDescription": "Dostawca tożsamości pomyślnie odłączony od tej organizacji",
    "idpUnassociateMenu": "Odłącz",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Zasób wyłączony",
    "memberPortalShowingResources": "Wyświetlanie zasobów od {start} do {end} z {total}",
    "memberPortalPrevious": "Poprzedni",
-    "memberPortalNext": "Następny"
+    "memberPortalNext": "Następny",
+    "httpSettings": "Ustawienia HTTP",
+    "tcpSettings": "Ustawienia TCP",
+    "udpSettings": "Ustawienia UDP",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Nawiązywanie bezpiecznego połączenia…",
+    "sshConnecting": "Łączenie…",
+    "sshInitializing": "Inicjalizacja…",
+    "sshSignInTitle": "Zaloguj się do SSH",
+    "sshSignInDescription": "Wprowadź poświadczenia SSH, aby się połączyć",
+    "sshPasswordTab": "Hasło",
+    "sshPrivateKeyTab": "Klucz prywatny",
+    "sshPrivateKeyField": "Klucz prywatny",
+    "sshPrivateKeyDisclaimer": "Twój klucz prywatny nie jest przechowywany ani widoczny dla Pangolin. Alternatywnie, możesz używać certyfikatów krótkoterminowych do bezproblemowego uwierzytelniania za pomocą Twojej istniejącej tożsamości Pangolin.",
+    "sshLearnMore": "Dowiedz się więcej",
+    "sshPrivateKeyFile": "Plik klucza prywatnego",
+    "sshAuthenticate": "Połącz",
+    "sshTerminate": "Zakończ",
+    "sshPoweredBy": "Obsługiwane przez",
+    "sshErrorNoTarget": "Nie określono celu",
+    "sshErrorWebSocket": "Połączenie WebSocket nie powiodło się",
+    "sshErrorAuthFailed": "Uwierzytelnianie nie powiodło się",
+    "sshErrorConnectionClosed": "Połączenie zamknięte przed ukończeniem uwierzytelniania",
+    "sitePangolinSshDescription": "Pozwól na dostęp SSH do zasobów na tej stronie. Można to zmienić później.",
+    "browserGatewayNoResourceForDomain": "Nie znaleziono zasobu dla tej domeny",
+    "browserGatewayNoTarget": "Brak celu",
+    "browserGatewayConnect": "Połącz",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Nie udało się podpisać klucza SSH dla uwierzytelniania PAM. Czy zalogowałeś się jako użytkownik?",
+    "sshTerminalError": "Błąd: {error}",
+    "sshConnectionClosedCode": "Połączenie zamknięte (kod {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Wymagany jest klucz prywatny",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Wprowadź hasło VNC, aby się połączyć",
+    "vncPasswordOptional": "Hasło (opcjonalne)",
+    "vncNoResourceTarget": "Brak dostępnego celu zasobu",
+    "vncFailedToLoadNovnc": "Błąd ładowania noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Wklej schowek",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Zaloguj się na Pulpit Zdalny",
+    "rdpSignInDescription": "Wprowadź poświadczenia Windows, aby się połączyć",
+    "rdpLoadingModule": "Ładowanie modułu...",
+    "rdpFailedToLoadModule": "Nie udało się załadować modułu RDP",
+    "rdpNotReady": "Nie gotowy",
+    "rdpModuleInitializing": "Moduł RDP jest nadal inicjalizowany",
+    "rdpDownloadingFiles": "Pobieranie {count} pliku(ów) zdalnego…",
+    "rdpDownloadFailed": "Nie udało się pobrać: {fileName}",
+    "rdpUploaded": "Przesłano: {fileName}",
+    "rdpNoConnectionTarget": "Brak dostępnego celu połączenia",
+    "rdpConnectionFailed": "Połączenie niepowiodło się",
+    "rdpFit": "Dopasuj",
+    "rdpFull": "Pełny",
+    "rdpReal": "Rzeczywisty",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Prześlij pliki",
+    "rdpFilesReadyToPaste": "Pliki gotowe do wklejenia",
+    "rdpFilesReadyToPasteDescription": "Skopiowano {count} plik(-ów/-i) do zdalnego schowka — naciśnij Ctrl+V na zdalnym pulpicie, aby wkleić.",
+    "rdpUploadFailed": "Niepowodzenie przesyłania",
+    "rdpUnicodeKeyboardMode": "Tryb klawiatury Unicode",
+    "sessionToolbarShow": "Pokaż pasek narzędzi",
+    "sessionToolbarHide": "Ukryj pasek narzędzi"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Visualizar Recursos Privados",
    "siteInstallNewt": "Instalar Novo",
    "siteInstallNewtDescription": "Novo item em execução no seu sistema",
+    "siteInstallKubernetesDocsDescription": "Para mais informações atualizadas sobre a instalação do Kubernetes, veja <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Para instruções de instalação do modem da Advantech, veja <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configuração do WireGuard",
    "WgConfigurationDescription": "Use a seguinte configuração para conectar-se à rede",
    "operatingSystem": "Sistema operacional",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Você só será capaz de ver esta vez. Certifique-se de copiá-lo para um lugar seguro.",
    "siteInfo": "Informações do Site",
    "status": "SItuação",
-    "shareTitle": "Gerir links partilhados",
+    "shareTitle": "Gerenciar Links Compartilháveis",
    "shareDescription": "Criar links compartilháveis para conceder acesso temporário ou permanente aos recursos do proxy",
-    "shareSearch": "Pesquisar links de compartilhamento...",
-    "shareCreate": "Criar Link de Compartilhamento",
+    "shareSearch": "Pesquisar links compartilháveis...",
+    "shareCreate": "Criar Link Compartilhável",
    "shareErrorDelete": "Falha ao apagar o link",
    "shareErrorDeleteMessage": "Ocorreu um erro ao apagar o link",
    "shareDeleted": "Link excluído",
    "shareDeletedDescription": "O link foi eliminado",
+    "shareDelete": "Excluir Link Compartilhável",
+    "shareDeleteConfirm": "Confirmar exclusão do Link Compartilhável",
+    "shareQuestionRemove": "Tem certeza de que deseja excluir este link de compartilhamento?",
+    "shareMessageRemove": "Uma vez excluído, o link não funcionará mais e qualquer pessoa que o utilizar perderá o acesso ao recurso.",
    "shareTokenDescription": "O token de acesso pode ser passado de duas maneiras: como um parâmetro de consulta ou nos cabeçalhos da solicitação. Estes devem ser passados do cliente em todas as solicitações para acesso autenticado.",
    "accessToken": "Token de acesso",
    "usageExamples": "Exemplos de uso",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Ocorreu um erro ao criar o link de compartilhamento",
    "shareCreateDescription": "Qualquer um com este link pode aceder o recurso",
    "shareTitleOptional": "Título (opcional)",
+    "sharePathOptional": "Caminho (opcional)",
+    "sharePathDescription": "O link redirecionará os usuários para este caminho após a autenticação.",
    "expireIn": "Expira em",
    "neverExpire": "Nunca expirar",
    "shareExpireDescription": "Tempo de expiração é quanto tempo o link será utilizável e oferecerá acesso ao recurso. Após este tempo, o link não funcionará mais, e os utilizadores que usaram este link perderão acesso ao recurso.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Por favor, selecione um recurso",
    "proxyResourceTitle": "Gerenciar Recursos Públicos",
    "proxyResourceDescription": "Criar e gerenciar recursos que são acessíveis publicamente por meio de um navegador da web",
-    "proxyResourcesBannerTitle": "Acesso Público via Web",
-    "proxyResourcesBannerDescription": "Os recursos públicos são proxies HTTPS ou TCP/UDP acessíveis a qualquer pessoa na internet por meio de um navegador web. Ao contrário dos recursos privados, eles não requerem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
+    "publicResourcesBannerTitle": "Acesso Público Baseado em Web",
+    "publicResourcesBannerDescription": "Os recursos públicos são proxies HTTPS acessíveis a qualquer pessoa na internet através de um navegador web. Ao contrário dos recursos privados, eles não exigem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
    "clientResourceTitle": "Gerenciar recursos privados",
    "clientResourceDescription": "Criar e gerenciar recursos que só são acessíveis por meio de um cliente conectado",
    "privateResourcesBannerTitle": "Acesso Privado com Confiança Zero",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Procurar recursos...",
    "resourceAdd": "Adicionar Recurso",
    "resourceErrorDelte": "Erro ao apagar recurso",
+    "resourcePoliciesBannerTitle": "Reutilizar Regras de Autenticação e Acesso",
+    "resourcePoliciesBannerDescription": "Políticas de recursos compartilhados permitem que você defina métodos de autenticação e regras de acesso apenas uma vez, e então as associe a vários recursos públicos. Quando você atualiza uma política, cada recurso vinculado herda a alteração automaticamente.",
+    "resourcePoliciesBannerButtonText": "Saiba mais",
+    "resourcePoliciesTitle": "Gerenciar Políticas de Recursos Públicos",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Recursos",
+    "resourcePoliciesAttachedResources": "{count} recurso(s)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# recurso} other {# recursos}}",
+    "resourcePoliciesAttachedResourcesEmpty": "sem recursos",
+    "resourcePoliciesDescription": "Crie e gerencie políticas de autenticação para controlar o acesso aos seus recursos públicos",
+    "resourcePoliciesSearch": "Pesquisar políticas...",
+    "resourcePoliciesAdd": "Adicionar Política",
+    "resourcePoliciesDefaultBadgeText": "Política Padrão",
+    "resourcePoliciesCreate": "Criar Política de Recurso Público",
+    "resourcePoliciesCreateDescription": "Siga os passos abaixo para criar uma nova política",
+    "resourcePolicyName": "Nome da Política",
+    "resourcePolicyNameDescription": "Dê um nome a esta política para identificá-la em seus recursos",
+    "resourcePolicyNamePlaceholder": "ex.: Política de Acesso Interno",
+    "resourcePoliciesSeeAll": "Ver Todas as Políticas",
+    "resourcePolicyAuthMethodAdd": "Adicionar Método de Autenticação",
+    "resourcePolicyOtpEmailAdd": "Adicionar emails OTP",
+    "resourcePolicyRulesAdd": "Adicionar Regras",
+    "resourcePolicyAuthMethodsDescription": "Permitir acesso aos recursos via métodos de autenticação adicionais",
+    "resourcePolicyUsersRolesDescription": "Configure quais usuários e funções podem acessar os recursos associados",
+    "rulesResourcePolicyDescription": "Configure regras para controlar o acesso a recursos associados a esta política",
    "authentication": "Autenticação",
    "protected": "Protegido",
    "notProtected": "Não Protegido",
    "resourceMessageRemove": "Uma vez removido, o recurso não estará mais acessível. Todos os alvos associados ao recurso também serão removidos.",
    "resourceQuestionRemove": "Você tem certeza que deseja remover o recurso da organização?",
+    "resourcePolicyMessageRemove": "Uma vez removida, a política de recurso não estará mais acessível. Todos os recursos associados serão desvinculados e deixados sem autenticação.",
+    "resourcePolicyQuestionRemove": "Tem certeza de que deseja remover a política de recurso da organização?",
    "resourceHTTP": "Recurso HTTPS",
    "resourceHTTPDescription": "Proxies requests sobre HTTPS usando um nome de domínio totalmente qualificado.",
    "resourceRaw": "Recurso TCP/UDP bruto",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Proxy solicita por TCP/UDP bruto usando um número de porta. Requer que sites se conectem a um nó remoto.",
    "resourceCreate": "Criar Recurso",
    "resourceCreateDescription": "Siga os passos abaixo para criar um novo recurso",
+    "resourceCreateGeneralDescription": "Configure as configurações gerais do recurso, incluindo o nome e o tipo",
    "resourceSeeAll": "Ver todos os recursos",
-    "resourceInfo": "Informação do recurso",
+    "resourceCreateGeneral": "Gerais",
    "resourceNameDescription": "Este é o nome de exibição para o recurso.",
    "siteSelect": "Selecionar site",
    "siteSearch": "Procurar no site",
@@ -227,12 +262,15 @@
    "noCountryFound": "Nenhum país encontrado.",
    "siteSelectionDescription": "Este site fornecerá conectividade ao destino.",
    "resourceType": "Tipo de Recurso",
-    "resourceTypeDescription": "Determine como acessar o recurso",
+    "resourceTypeDescription": "Isso controla o protocolo do recurso e como ele será renderizado no navegador. Isso não pode ser alterado posteriormente.",
+    "resourceDomainDescription": "O recurso será servido neste nome de domínio totalmente qualificado.",
    "resourceHTTPSSettings": "Configurações de HTTPS",
    "resourceHTTPSSettingsDescription": "Configure como o recurso será acessado por HTTPS",
+    "resourcePortDescription": "A porta externa na instância ou nó Pangolin onde o recurso estará acessível.",
    "domainType": "Tipo de domínio",
    "subdomain": "Subdomínio",
    "baseDomain": "Domínio Base",
+    "configure": "Configurar",
    "subdomnainDescription": "O subdomínio onde o recurso será acessível.",
    "resourceRawSettings": "Configurações TCP/UDP",
    "resourceRawSettingsDescription": "Configurar como o recurso será acessado sobre TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Anterior",
    "cancel": "cancelar",
    "resourceConfig": "Snippets de Configuração",
-    "resourceConfigDescription": "Copie e cole estes snippets de configuração para configurar o recurso TCP/UDP",
+    "resourceConfigDescription": "Copie e cole estes trechos de configuração para configurar o recurso TCP/UDP.",
    "resourceAddEntrypoints": "Traefik: Adicionar pontos de entrada",
    "resourceExposePorts": "Gerbil: Expor Portas no Docker Compose",
    "resourceLearnRaw": "Aprenda como configurar os recursos TCP/UDP",
    "resourceBack": "Voltar aos recursos",
    "resourceGoTo": "Ir para o Recurso",
+    "resourcePolicyDelete": "Excluir Política de Recurso",
+    "resourcePolicyDeleteConfirm": "Confirmar Exclusão da Política de Recurso",
    "resourceDelete": "Excluir Recurso",
    "resourceDeleteConfirm": "Confirmar que pretende apagar o  recurso",
+    "labelDelete": "Excluir Etiqueta",
+    "labelAdd": "Adicionar Etiqueta",
+    "labelCreateSuccessMessage": "Etiqueta Criada com Sucesso",
+    "labelDuplicateError": "Etiqueta Duplicada",
+    "labelDuplicateErrorDescription": "Já existe uma etiqueta com este nome.",
+    "labelEditSuccessMessage": "Etiqueta Modificada com Sucesso",
+    "labelNameField": "Nome da Etiqueta",
+    "labelColorField": "Cor da Etiqueta",
+    "labelPlaceholder": "Ex: homelab",
+    "labelCreate": "Criar Etiqueta",
+    "createLabelDialogTitle": "Criar Etiqueta",
+    "createLabelDialogDescription": "Crie uma nova etiqueta que pode ser anexada a esta organização",
+    "labelEdit": "Editar Etiqueta",
+    "editLabelDialogTitle": "Atualizar Etiqueta",
+    "editLabelDialogDescription": "Edite uma nova etiqueta que pode ser anexada a esta organização",
+    "labelDeleteConfirm": "Confirmar Exclusão da Etiqueta",
+    "labelErrorDelete": "Falha ao excluir a etiqueta",
+    "labelMessageRemove": "Esta ação é permanente. Todos os sites, recursos e clientes etiquetados com esta etiqueta serão desmarcados.",
+    "labelQuestionRemove": "Tem certeza de que deseja remover a etiqueta da organização?",
    "visibility": "Visibilidade",
    "enabled": "Ativado",
    "disabled": "Desabilitado",
@@ -261,6 +320,8 @@
    "rules": "Regras",
    "resourceSettingDescription": "Configure as configurações do recurso",
    "resourceSetting": "Configurações do {resourceName}",
+    "resourcePolicySettingDescription": "Configure as configurações nesta política de recurso público",
+    "resourcePolicySetting": "Configurações de {policyName}",
    "alwaysAllow": "Autenticação de bypass",
    "alwaysDeny": "Bloquear Acesso",
    "passToAuth": "Passar para Autenticação",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Uma vez removido, este utilizador não terá mais acesso à organização. Você sempre pode reconvidá-lo depois, mas eles precisarão aceitar o convite novamente.",
    "userRemoveOrgConfirm": "Confirmar Remoção do Usuário",
    "userRemoveOrg": "Remover Usuário da Organização",
+    "userQuestionOrgRemoveSelf": "Tem certeza de que deseja se remover desta organização?",
+    "userMessageOrgRemoveSelf": "Você perderá o acesso imediatamente. Um administrador poderá convidá-lo novamente mais tarde, mas você precisará aceitar um novo convite.",
+    "userRemoveOrgConfirmSelf": "Confirmar a Remoção de Mim Mesmo",
+    "userRemoveOrgSelf": "Remover-se da organização",
+    "userRemoveOrgSelfWarning": "Você perderá o acesso a esta organização imediatamente.",
+    "userRemoveOrgConfirmPhraseSelf": "REMOVER-ME DA ORG",
    "users": "Utilizadores",
    "accessRoleMember": "Membro",
    "accessRoleOwner": "Proprietário",
@@ -531,6 +598,11 @@
    "emailInvalid": "Endereço de email inválido",
    "inviteValidityDuration": "Por favor, selecione uma duração",
    "accessRoleSelectPlease": "Por favor, selecione uma função",
+    "removeOwnAdminRoleConfirmTitle": "Remover seu acesso de administrador?",
+    "removeOwnAdminRoleConfirmDescription": "Você não terá mais permissões de administrador nesta organização após salvar. Outro administrador pode restaurar seu acesso, se necessário.",
+    "removeOwnAdminRoleConfirmButton": "Remover Meu Acesso de Administrador",
+    "removeOwnAdminRoleConfirmPhrase": "REMOVER MEU ACESSO DE ADMIN",
+    "ownerMustRetainAdminRole": "O proprietário da organização deve manter pelo menos um papel de administrador.",
    "usernameRequired": "Nome de utilizador é obrigatório",
    "idpSelectPlease": "Por favor, selecione um provedor de identidade",
    "idpGenericOidc": "Provedor genérico OAuth2/OIDC.",
@@ -615,7 +687,7 @@
    "createdAt": "Criado Em",
    "proxyErrorInvalidHeader": "Valor do cabeçalho Host personalizado inválido. Use o formato de nome de domínio ou salve vazio para remover o cabeçalho Host personalizado.",
    "proxyErrorTls": "Nome do Servidor TLS inválido. Use o formato de nome de domínio ou salve vazio para remover o Nome do Servidor TLS.",
-    "proxyEnableSSL": "Habilitar SSL",
+    "proxyEnableSSL": "Ativar TLS",
    "proxyEnableSSLDescription": "Habilitar criptografia SSL/TLS para conexões HTTPS seguras aos alvos.",
    "target": "Target",
    "configureTarget": "Configurar Alvos",
@@ -656,8 +728,9 @@
    "targetSubmit": "Adicionar Alvo",
    "targetNoOne": "Este recurso não tem nenhum alvo. Adicione um alvo para configurar para onde enviar solicitações para o backend.",
    "targetNoOneDescription": "Adicionar mais de um alvo acima habilitará o balanceamento de carga.",
-    "targetsSubmit": "Guardar Alvos",
+    "targetsSubmit": "Salvar Configurações",
    "addTarget": "Adicionar Alvo",
+    "proxyMultiSiteRoundRobinNodeHelp": "O roteamento round robin não funcionará entre sites que não estão conectados ao mesmo nó, mas o failover funcionará.",
    "targetErrorInvalidIp": "Endereço IP inválido",
    "targetErrorInvalidIpDescription": "Por favor, insira um endereço IP ou nome de host válido",
    "targetErrorInvalidPort": "Porta inválida",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Regra duplicada",
    "rulesErrorDuplicateDescription": "Uma regra com estas configurações já existe",
    "rulesErrorInvalidIpAddressRange": "CIDR inválido",
-    "rulesErrorInvalidIpAddressRangeDescription": "Por favor, insira um valor CIDR válido",
-    "rulesErrorInvalidUrl": "Caminho URL inválido",
-    "rulesErrorInvalidUrlDescription": "Por favor, insira um valor de caminho URL válido",
-    "rulesErrorInvalidIpAddress": "IP inválido",
-    "rulesErrorInvalidIpAddressDescription": "Por favor, insira um endereço IP válido",
+    "rulesErrorInvalidIpAddressRangeDescription": "Digite um intervalo CIDR válido (ex.: 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Caminho inválido",
+    "rulesErrorInvalidUrlDescription": "Insira um caminho URL válido ou padrão (ex.: /api/*).",
+    "rulesErrorInvalidIpAddress": "Endereço IP inválido",
+    "rulesErrorInvalidIpAddressDescription": "Insira um endereço IPv4 ou IPv6 válido.",
    "rulesErrorUpdate": "Falha ao atualizar regras",
    "rulesErrorUpdateDescription": "Ocorreu um erro ao atualizar regras",
    "rulesUpdated": "Ativar Regras",
@@ -701,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Insira um endereço no formato CIDR (ex: 103.21.244.0/22)",
    "rulesMatchIpAddress": "Insira um endereço IP (ex: 103.21.244.12)",
    "rulesMatchUrl": "Insira um caminho URL ou padrão (ex: /api/v1/todos ou /api/v1/*)",
-    "rulesErrorInvalidPriority": "Prioridade Inválida",
-    "rulesErrorInvalidPriorityDescription": "Por favor, insira uma prioridade válida",
-    "rulesErrorDuplicatePriority": "Prioridades Duplicadas",
-    "rulesErrorDuplicatePriorityDescription": "Por favor, insira prioridades únicas",
+    "rulesErrorInvalidPriority": "Prioridade inválida",
+    "rulesErrorInvalidPriorityDescription": "Digite um número inteiro de 1 ou mais.",
+    "rulesErrorDuplicatePriority": "Prioridades duplicadas",
+    "rulesErrorDuplicatePriorityDescription": "Cada regra deve ter um número de prioridade único.",
+    "rulesErrorValidation": "Regras inválidas",
+    "rulesErrorValidationRuleDescription": "Regra {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Selecione um tipo de correspondência válido (caminho, IP, CIDR, país, região ou ASN).",
+    "rulesErrorValueRequired": "Digite um valor para esta regra.",
+    "rulesErrorInvalidCountry": "País inválido",
+    "rulesErrorInvalidCountryDescription": "Selecione um país válido.",
+    "rulesErrorInvalidAsn": "ASN inválido",
+    "rulesErrorInvalidAsnDescription": "Insira um ASN válido (ex.: AS15169).",
    "ruleUpdated": "Regras atualizadas",
    "ruleUpdatedDescription": "Regras atualizadas com sucesso",
    "ruleErrorUpdate": "Operação falhou",
    "ruleErrorUpdateDescription": "Ocorreu um erro durante a operação de salvamento",
    "rulesPriority": "Prioridade",
+    "rulesReorderDragHandle": "Arraste para reordenar a prioridade da regra",
    "rulesAction": "Ação",
    "rulesMatchType": "Tipo de Correspondência",
    "value": "Valor",
@@ -728,9 +810,60 @@
    "rulesResource": "Configuração de Regras do Recurso",
    "rulesResourceDescription": "Configurar regras para controlar o acesso ao recurso",
    "ruleSubmit": "Adicionar Regra",
-    "rulesNoOne": "Sem regras. Adicione uma regra usando o formulário.",
+    "rulesNoOne": "Ainda não há regras.",
    "rulesOrder": "As regras são avaliadas por prioridade em ordem ascendente.",
    "rulesSubmit": "Guardar Regras",
+    "policyErrorCreate": "Erro ao criar política",
+    "policyErrorCreateDescription": "Ocorreu um erro ao criar a política",
+    "policyErrorCreateMessageDescription": "Ocorreu um erro inesperado",
+    "policyErrorUpdate": "Erro ao atualizar política",
+    "policyErrorUpdateDescription": "Ocorreu um erro ao atualizar a política",
+    "policyErrorUpdateMessageDescription": "Ocorreu um erro inesperado",
+    "policyCreatedSuccess": "Política de recurso criada com sucesso",
+    "policyUpdatedSuccess": "Política de recurso atualizada com sucesso",
+    "authMethodsSave": "Salvar Configurações",
+    "policyAuthStackTitle": "Autenticação",
+    "policyAuthStackDescription": "Controle quais métodos de autenticação são necessários para acessar este recurso",
+    "policyAuthOrLogicTitle": "Vários métodos de autenticação ativos",
+    "policyAuthOrLogicBanner": "Os visitantes podem autenticar-se usando qualquer um dos métodos ativos abaixo. Eles não precisam completar todos eles.",
+    "policyAuthMethodActive": "Ativo",
+    "policyAuthMethodOff": "Desligado",
+    "policyAuthSsoTitle": "SSO da Plataforma",
+    "policyAuthSsoDescription": "Exigir login pelo provedor de identidade da sua organização",
+    "policyAuthSsoSummary": "{idp} · {users} usuários, {roles} funções",
+    "policyAuthSsoDefaultIdp": "Provedor padrão",
+    "policyAuthAddDefaultIdentityProvider": "Adicionar Provedor de Identidade Padrão",
+    "policyAuthOtherMethodsTitle": "Outros Métodos",
+    "policyAuthOtherMethodsDescription": "Métodos opcionais que os visitantes podem usar em vez da SSO da plataforma ou junto com ela",
+    "policyAuthPasscodeTitle": "Código de Acesso",
+    "policyAuthPasscodeDescription": "Requer um código de acesso alfanumérico compartilhado para acessar o recurso",
+    "policyAuthPasscodeSummary": "Código de acesso definido",
+    "policyAuthPincodeTitle": "Código PIN",
+    "policyAuthPincodeDescription": "Um código numérico curto necessário para acessar o recurso",
+    "policyAuthPincodeSummary": "Código PIN de 6 dígitos definido",
+    "policyAuthEmailTitle": "Lista de E-mails Permitidos",
+    "policyAuthEmailDescription": "Permitir endereços de e-mail listados com senhas temporárias",
+    "policyAuthEmailSummary": "{count} endereços permitidos",
+    "policyAuthEmailOtpCallout": "Ativar a lista de e-mails permitidos envia uma senha temporária para o e-mail do visitante no login.",
+    "policyAuthHeaderAuthTitle": "Autenticação de Cabeçalho Básico",
+    "policyAuthHeaderAuthDescription": "Valide um nome e valor de cabeçalho HTTP personalizado em cada solicitação",
+    "policyAuthHeaderAuthSummary": "Cabeçalho configurado",
+    "policyAuthHeaderName": "Nome do Cabeçalho",
+    "policyAuthHeaderValue": "Valor esperado",
+    "policyAuthSetPasscode": "Definir Código de Acesso",
+    "policyAuthSetPincode": "Definir Código PIN",
+    "policyAuthSetEmailWhitelist": "Definir Lista de E-mails Permitidos",
+    "policyAuthSetHeaderAuth": "Definir Autenticação de Cabeçalho Básico",
+    "policyAccessRulesTitle": "Regras de Acesso",
+    "policyAccessRulesEnableDescription": "Quando ativadas, as regras são avaliadas em ordem decrescente até que uma delas seja verdadeira.",
+    "policyAccessRulesFirstMatch": "As regras são avaliadas de cima para baixo. A primeira regra correspondente decide o resultado.",
+    "policyAccessRulesHowItWorks": "As regras correspondem a solicitações por caminho, endereço IP, localização ou outros critérios. Cada regra aplica uma ação: ignorar autenticação, bloquear acesso ou passar para autenticação. Se nenhuma regra corresponder, o tráfego continua até a autenticação.",
+    "policyAccessRulesFallthroughOff": "Quando as regras estão desativadas, todo o tráfego passa para a autenticação.",
+    "policyAccessRulesFallthroughOn": "Quando nenhuma regra corresponde, o tráfego passa para a autenticação.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Guardar Regras",
    "resourceErrorCreate": "Erro ao criar recurso",
    "resourceErrorCreateDescription": "Ocorreu um erro ao criar o recurso",
    "resourceErrorCreateMessage": "Erro ao criar recurso:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Ocorreu um erro ao atualizar o recurso",
    "access": "Acesso",
    "accessControl": "Controle de Acesso",
-    "shareLink": "Link de Compartilhamento {resource}",
+    "shareLink": "Link Compartilhável {resource}",
    "resourceSelect": "Selecionar recurso",
-    "shareLinks": "Links de Compartilhamento",
+    "shareLinks": "Links Compartilháveis",
    "share": "Links Compartilháveis",
    "shareDescription2": "Crie links compartilháveis para recursos. Links fornecem acesso temporário ou ilimitado ao seu recurso. Você pode configurar a duração de expiração do link quando você criar um.",
    "shareEasyCreate": "Fácil de criar e compartilhar",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Adicionar Código PIN",
    "pincodeRemove": "Remover Código PIN",
    "resourceAuthMethods": "Métodos de Autenticação",
+    "resourcePolicyAuthMethodsEmpty": "Nenhum método de autenticação",
+    "resourcePolicyOtpEmpty": "Sem senha única",
+    "resourcePolicyReadOnly": "Esta política é apenas leitura",
+    "resourcePolicyReadOnlyDescription": "Esta política de recurso é compartilhada entre vários recursos, você não pode editá-la nesta página.",
+    "editSharedPolicy": "Editar Política Compartilhada",
+    "resourcePolicyTypeSave": "Salvar Tipo de Recurso",
+    "resourcePolicySelect": "Selecionar política de recurso",
+    "resourcePolicySelectError": "Selecionar uma política de recurso",
+    "resourcePolicyNotFound": "Política não encontrada",
+    "resourcePolicySearch": "Pesquisar políticas",
+    "resourcePolicyRulesEmpty": "Nenhuma regra de autenticação",
    "resourceAuthMethodsDescriptions": "Permitir acesso ao recurso via métodos de autenticação adicionais",
    "resourceAuthSettingsSave": "Salvo com sucesso",
    "resourceAuthSettingsSaveDescription": "As configurações de autenticação foram salvas",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Definir Código PIN",
    "resourcePincodeSetupTitleDescription": "Defina um código PIN para proteger este recurso",
    "resourceRoleDescription": "Administradores sempre podem aceder este recurso.",
+    "resourcePolicySelectTitle": "Política de Acesso ao Recurso",
+    "resourcePolicySelectDescription": "Selecione o tipo de política de recurso para autenticação",
+    "resourcePolicyTypeLabel": "Tipo de política",
+    "resourcePolicyLabel": "Política de recurso",
+    "resourcePolicyInline": "Política de Recurso Inline",
+    "resourcePolicyInlineDescription": "Política de Acesso abrange apenas este recurso",
+    "resourcePolicyShared": "Política de Recurso Compartilhada",
+    "resourcePolicySharedDescription": "Este recurso usa uma política compartilhada.",
+    "sharedPolicy": "Política Compartilhada",
+    "sharedPolicyNoneDescription": "Este recurso tem sua própria política.",
+    "resourceSharedPolicyOwnDescription": "Este recurso possui seus próprios controles de autenticação e regras de acesso.",
+    "resourceSharedPolicyInheritedDescription": "Este recurso herda de <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Este recurso está usando uma política compartilhada. Algumas configurações de autenticação podem ser editadas neste recurso para adicionar à política. Para alterar a política subjacente, você deve editar para <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Este recurso está usando uma política compartilhada. Algumas regras de acesso podem ser editadas neste recurso. Para alterar a política subjacente, você deve editar <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Controlos de Acesso",
    "resourceUsersRolesDescription": "Configure quais utilizadores e funções podem visitar este recurso",
    "resourceUsersRolesSubmit": "Guardar Controlos de Acesso",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilidade",
    "resourceVisibilityTitleDescription": "Ativar ou desativar completamente a visibilidade do recurso",
    "resourceGeneral": "Configurações Gerais",
-    "resourceGeneralDescription": "Configure as configurações gerais para este recurso",
+    "resourceGeneralDescription": "Configure o nome, endereço e política de acesso para este recurso.",
+    "resourceGeneralDetailsSubsection": "Detalhes do Recurso",
+    "resourceGeneralDetailsSubsectionDescription": "Defina o nome de exibição, identificador e domínio publicamente acessível para este recurso.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Defina o nome de exibição, identificador e porta pública para este recurso.",
+    "resourceGeneralPublicAddressSubsection": "Endereço Público",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure como os usuários alcançarão este recurso.",
+    "resourceGeneralAuthenticationAccessSubsection": "Autenticação & Acesso",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Escolha se este recurso usa sua própria política ou herda de uma política compartilhada.",
    "resourceEnable": "Ativar Recurso",
    "resourceTransfer": "Transferir Recurso",
    "resourceTransferDescription": "Transferir este recurso para um site diferente",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Ocorreu um problema ao ligar a {name}. Por favor, contacte o seu administrador.",
    "idpErrorNotFound": "IdP não encontrado",
    "inviteInvalid": "Convite Inválido",
+    "labels": "Etiquetas",
+    "orgLabelsDescription": "Gerencie etiquetas nesta organização.",
+    "addLabels": "Adicionar etiquetas",
+    "siteLabelsTab": "Etiquetas",
+    "siteLabelsDescription": "Gerencie etiquetas associadas a este site.",
+    "labelsNotFound": "Nenhuma etiqueta encontrada.",
+    "labelsEmptyCreateHint": "Comece a digitar acima para criar uma etiqueta.",
+    "labelSearch": "Pesquisar etiquetas",
+    "labelSearchOrCreate": "Pesquisar ou criar uma etiqueta",
+    "accessLabelFilterCount": "{count, plural, one {# etiqueta} other {# etiquetas}}",
+    "labelOverflowCount": "+{count, plural, one {# etiqueta} other {# etiquetas}}",
+    "accessLabelFilterClear": "Limpar filtros de etiquetas",
+    "accessFilterClear": "Limpar filtros",
+    "selectColor": "Selecionar cor",
+    "createNewLabel": "Criar nova etiqueta na organização \"{label}\"",
    "inviteInvalidDescription": "O link do convite é inválido.",
    "inviteErrorWrongUser": "O convite não é para este utilizador",
    "inviteErrorUserNotExists": "O utilizador não existe. Por favor, crie uma conta primeiro.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
+    "sidebarPolicies": "Políticas Compartilhadas",
+    "sidebarResourcePolicies": "Recursos Públicos",
    "sidebarAccessControl": "Controle de Acesso",
    "sidebarLogsAndAnalytics": "Registros e Análises",
    "sidebarTeam": "Equipe",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Administrador",
    "sidebarInvitations": "Convites",
    "sidebarRoles": "Papéis",
-    "sidebarShareableLinks": "Links",
+    "sidebarShareableLinks": "Links Compartilháveis",
    "sidebarApiKeys": "Chaves API",
    "sidebarProvisioning": "Provisionamento",
    "sidebarSettings": "Configurações",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Site {id}",
    "standaloneHcFilterResourceIdFallback": "Recurso {id}",
    "blueprints": "Diagramas",
-    "blueprintsDescription": "Aplicar configurações declarativas e ver execuções anteriores",
+    "blueprintsLog": "Registo dos Blueprint",
+    "blueprintsDescription": "Visualizar aplicações de blueprint passadas e seus resultados ou aplicar um novo blueprint",
    "blueprintAdd": "Adicionar Diagrama",
    "blueprintGoBack": "Ver todos os Diagramas",
    "blueprintCreate": "Criar Diagrama",
@@ -1559,7 +1742,17 @@
    "contents": "Conteúdo",
    "parsedContents": "Conteúdo analisado (Somente Leitura)",
    "enableDockerSocket": "Habilitar o Diagrama Docker",
-    "enableDockerSocketDescription": "Ativar a scraping de rótulo Docker para rótulos de diagramas. Caminho de Socket deve ser fornecido para Newt.",
+    "enableDockerSocketDescription": "Ative a raspagem de etiquetas do Docker Socket para etiquetas de modelo. O caminho do Socket deve ser fornecido ao conector do site. Leia sobre como isso funciona na <docsLink>documentação</docsLink>.",
+    "newtAutoUpdate": "Ativar Atualização Automática do Site",
+    "newtAutoUpdateDescription": "Quando ativada, os conectores do site baixarão automaticamente a versão mais recente e reiniciarão por conta própria. Isto pode ser sobrescrito com base em cada site.",
+    "siteAutoUpdate": "Atualização Automática do Site",
+    "siteAutoUpdateLabel": "Ativar Atualização Automática",
+    "siteAutoUpdateDescription": "Quando ativado, o conector deste site baixará automaticamente a versão mais recente e reiniciará por si mesmo.",
+    "siteAutoUpdateOrgDefault": "Padrão da organização: {state}",
+    "siteAutoUpdateOverriding": "Substituindo configuração da organização",
+    "siteAutoUpdateResetToOrg": "Redefinir para Padrão da Organização",
+    "siteAutoUpdateEnabled": "ativado",
+    "siteAutoUpdateDisabled": "desabilitado",
    "viewDockerContainers": "Ver contêineres Docker",
    "containersIn": "Contêineres em {siteName}",
    "selectContainerDescription": "Selecione qualquer contêiner para usar como hostname para este alvo. Clique em uma porta para usar uma porta.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Certificado",
    "certificateStatusAutoRefreshHint": "Status atualiza automaticamente.",
    "loading": "Carregando",
+    "loadingEllipsis": "Carregando...",
    "loadingAnalytics": "Carregando Analytics",
    "restart": "Reiniciar",
    "domains": "Domínios",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Configuração da conta concluída! Bem-vindo ao Pangolin!",
    "documentation": "Documentação",
    "saveAllSettings": "Guardar Todas as Configurações",
-    "saveResourceTargets": "Guardar Alvos",
-    "saveResourceHttp": "Guardar Configurações de Proxy",
-    "saveProxyProtocol": "Salvar configurações do protocolo de proxy",
+    "saveResourceTargets": "Salvar Configurações",
+    "saveResourceHttp": "Salvar Configurações",
+    "saveProxyProtocol": "Salvar Configurações",
    "settingsUpdated": "Configurações atualizadas",
    "settingsUpdatedDescription": "Configurações atualizadas com sucesso",
    "settingsErrorUpdate": "Falha ao atualizar configurações",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Gerencie sua assinatura para as chaves de licenças auto-hospedadas pagas",
    "billingCurrentKeys": "Chaves atuais",
    "billingModifyCurrentPlan": "Modificar o Plano Atual",
+    "billingManageLicenseSubscriptionDescription": "Gerencie sua assinatura de chaves de licença auto-hospedadas pagas e baixe faturas.",
    "billingConfirmUpgrade": "Confirmar a atualização",
    "billingConfirmDowngrade": "Confirmar downgrade",
    "billingConfirmUpgradeDescription": "Você está prestes a atualizar seu plano. Revise os novos limites e preços abaixo.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Desconhecido",
    "healthCheck": "Verificação de Saúde",
    "configureHealthCheck": "Configurar Verificação de Saúde",
-    "configureHealthCheckDescription": "Configure a monitorização de saúde para {target}",
+    "configureHealthCheckDescription": "Configure a monitorização para o seu recurso para garantir que ele esteja sempre disponível",
    "enableHealthChecks": "Ativar Verificações de Saúde",
    "healthCheckDisabledStateDescription": "Quando desativado, o site não realizará verificações de saúde e o estado será considerado desconhecido.",
    "enableHealthChecksDescription": "Monitore a saúde deste alvo. Você pode monitorar um ponto de extremidade diferente do alvo, se necessário.",
    "healthScheme": "Método",
    "healthSelectScheme": "Selecione o Método",
-    "healthCheckPortInvalid": "A porta do exame de saúde deve estar entre 1 e 65535",
+    "healthCheckPortInvalid": "A porta deve estar entre 1 e 65535",
    "healthCheckPath": "Caminho",
    "healthHostname": "IP / Nome do Host",
    "healthPort": "Porta",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "O tempo está em segundos",
    "requireDeviceApproval": "Exigir aprovação do dispositivo",
    "requireDeviceApprovalDescription": "Usuários com esta função precisam de novos dispositivos aprovados por um administrador antes que eles possam se conectar e acessar recursos.",
+    "sshSettings": "Configurações SSH",
    "sshAccess": "Acesso SSH",
+    "rdpSettings": "Configurações RDP",
+    "vncSettings": "Configurações VNC",
+    "sshServer": "Servidor SSH",
+    "rdpServer": "Servidor RDP",
+    "vncServer": "Servidor VNC",
+    "sshServerDescription": "Configure o método de autenticação, localização do daemon e destino do servidor",
+    "rdpServerDescription": "Configure o destino e a porta do servidor RDP",
+    "vncServerDescription": "Configure o destino e a porta do servidor VNC",
+    "sshServerMode": "Modo",
+    "sshServerModeStandard": "Servidor SSH Padrão",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Roteia comandos pela rede para um servidor SSH como o OpenSSH.",
+    "sshServerModeNative": "Servidor SSH Nativo",
+    "sshServerModeNativeDescription": "Executa comandos diretamente no host via Site Connector. Não é necessária configuração de rede.",
+    "sshAuthenticationMethod": "Método de Autenticação",
+    "sshAuthMethodManual": "Autenticação Manual",
+    "sshAuthMethodManualDescription": "Requer credenciais de host existentes. Ignora provisionamento automático.",
+    "sshAuthMethodAutomated": "Provisionamento Automatizado",
+    "sshAuthMethodAutomatedDescription": "Cria automaticamente usuários, grupos e permissões sudo no host.",
+    "sshAuthDaemonLocation": "Localização do Daemon de Autenticação",
+    "sshDaemonLocationSiteDescription": "Executa locais na máquina que hospeda o conector do site.",
+    "sshDaemonLocationRemote": "Em Host Remoto",
+    "sshDaemonLocationRemoteDescription": "Executa em uma máquina de destino separada na mesma rede.",
+    "sshDaemonDisclaimer": "Certifique-se de que seu host de destino está devidamente configurado para executar o daemon de autenticação antes de concluir esta configuração, ou o provisionamento falhará.",
+    "sshDaemonPort": "Porta do Daemon",
+    "sshServerDestination": "Destino do Servidor",
+    "sshServerDestinationDescription": "Configure o destino do servidor SSH",
+    "destination": "Destino",
+    "destinationRequired": "Destino é obrigatório.",
+    "domainRequired": "Domínio é obrigatório.",
+    "proxyPortRequired": "Porta é obrigatória.",
+    "invalidPathConfiguration": "Configuração de caminho inválida.",
+    "invalidRewritePathConfiguration": "Configuração de caminho de reescrita inválida.",
+    "bgTargetMultiSiteDisclaimer": "Selecionar vários sites permite roteamento resiliente e failover para alta disponibilidade.",
    "roleAllowSsh": "Permitir SSH",
    "roleAllowSshAllow": "Autorizar",
    "roleAllowSshDisallow": "Anular",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Usuário só pode executar os comandos especificados com sudo.",
    "sshSudo": "Permitir sudo",
    "sshSudoCommands": "Comandos Sudo",
-    "sshSudoCommandsDescription": "Lista separada por vírgulas de comandos que o usuário pode executar com sudo.",
+    "sshSudoCommandsDescription": "Lista de comandos que o usuário está autorizado a executar com sudo, separados por vírgulas, espaços ou novas linhas. Devem ser usados caminhos absolutos.",
    "sshCreateHomeDir": "Criar Diretório Inicial",
    "sshUnixGroups": "Grupos Unix",
-    "sshUnixGroupsDescription": "Grupos Unix separados por vírgulas para adicionar o usuário no host alvo.",
+    "sshUnixGroupsDescription": "Grupos Unix para adicionar o usuário no host de destino, separados por vírgulas, espaços ou novas linhas.",
+    "roleTextFieldPlaceholder": "Insira valores, ou solte um arquivo .txt ou .csv",
+    "roleTextImportTitle": "Importar de Arquivo",
+    "roleTextImportDescription": "Importando {fileName} para {fieldLabel}.",
+    "roleTextImportSkipHeader": "Pular Primeira Linha (Cabeçalho)",
+    "roleTextImportOverride": "Substituir Existente",
+    "roleTextImportAppend": "Anexar ao Existente",
+    "roleTextImportMode": "Modo de Importação",
+    "roleTextImportPreview": "Visualizar",
+    "roleTextImportItemCount": "{count, plural, =0 {Sem itens para importar} one {1 item para importar} other {# itens para importar}}",
+    "roleTextImportTotalCount": "{existing} existente + {imported} importado = {total} total",
+    "roleTextImportConfirm": "Importar",
+    "roleTextImportInvalidFile": "Tipo de arquivo não suportado",
+    "roleTextImportInvalidFileDescription": "Apenas arquivos .txt e .csv são suportados.",
+    "roleTextImportEmpty": "Nenhum item encontrado no arquivo",
+    "roleTextImportEmptyDescription": "O arquivo não contém quaisquer itens importáveis.",
    "retryAttempts": "Tentativas de Repetição",
    "expectedResponseCodes": "Códigos de Resposta Esperados",
    "expectedResponseCodesDescription": "Código de status HTTP que indica estado saudável. Se deixado em branco, 200-300 é considerado saudável.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Esquema",
-    "editInternalResourceDialogEnableSsl": "Ativar SSL",
+    "editInternalResourceDialogEnableSsl": "Ativar TLS",
    "editInternalResourceDialogEnableSslDescription": "Ativar criptografia SSL/TLS para conexões HTTPS seguras com o destino.",
    "editInternalResourceDialogDestination": "Destino",
    "editInternalResourceDialogDestinationHostDescription": "O endereço IP ou o nome do host do recurso na rede do site.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Esquema",
    "createInternalResourceDialogScheme": "Esquema",
-    "createInternalResourceDialogEnableSsl": "Ativar SSL",
+    "createInternalResourceDialogEnableSsl": "Ativar TLS",
    "createInternalResourceDialogEnableSslDescription": "Ativar criptografia SSL/TLS para conexões HTTPS seguras com o destino.",
    "createInternalResourceDialogDestination": "Destino",
    "createInternalResourceDialogDestinationHostDescription": "O endereço IP ou o nome do host do recurso na rede do site.",
@@ -2217,7 +2464,7 @@
        "description": "Servidor Pangolin auto-hospedado mais confiável e com baixa manutenção com sinos extras e assobiamentos",
        "introTitle": "Pangolin Auto-Hospedado Gerenciado",
        "introDescription": "é uma opção de implantação projetada para pessoas que querem simplicidade e confiança adicional, mantendo os seus dados privados e auto-hospedados.",
-        "introDetail": "Com esta opção, você ainda roda seu próprio nó Pangolin - seus túneis, terminação SSL e tráfego todos permanecem no seu servidor. A diferença é que a gestão e a monitorização são geridos através do nosso painel de nuvem, que desbloqueia vários benefícios:",
+        "introDetail": "Com esta opção, você ainda roda seu próprio nó Pangolin - seus túneis, terminação TLS e tráfego permanecem no seu servidor. A diferença é que a gestão e a monitorização são feitas através do nosso painel de nuvem, que desbloqueia uma série de benefícios:",
        "benefitSimplerOperations": {
            "title": "Operações simples",
            "description": "Não é necessário executar o seu próprio servidor de e-mail ou configurar um alerta complexo. Você receberá fora de caixa verificações de saúde e alertas de tempo de inatividade."
@@ -2652,6 +2899,8 @@
    "validPassword": "Senha válida",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Visualizar",
+    "configManaged": "Configuração Gerenciada",
    "connectedClient": "Cliente Conectado",
    "resourceBlocked": "Recurso bloqueado",
    "droppedByRule": "Derrubado pela regra",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Habilitar protocolo proxy",
    "proxyProtocolInfo": "Preservar endereços IP do cliente para backends TCP",
    "proxyProtocolVersion": "Versão do Protocolo Proxy",
-    "version1": " Versão 1 (recomendado)",
+    "version1": "Versão 1 (Recomendado)",
    "version2": "Versão 2",
-    "versionDescription": "A versão 1 é baseada em texto e amplamente suportada. A versão 2 é binária e mais eficiente, mas menos compatível.",
+    "version1Description": "Baseado em texto e amplamente suportado. Certifique-se de que o transporte dos servidores seja adicionado à configuração dinâmica.",
+    "version2Description": "Binário e mais eficiente, mas menos compatível. Certifique-se de que o transporte do servidor seja adicionado à configuração dinâmica.",
    "warning": "ATENÇÃO",
    "proxyProtocolWarning": "A aplicação de backend deve ser configurada para aceitar conexões de protocolo proxy. Se o seu backend não suporta o Protocolo de Proxy, habilitando isto quebrará todas as conexões, então só habilite isso se você souber o que está fazendo. Certifique-se de configurar seu backend para confiar nos cabeçalhos do protocolo proxy no Traefik.",
    "restarting": "Reiniciando...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Inserir confirmação",
    "blueprintViewDetails": "Detalhes",
    "defaultIdentityProvider": "Provedor de Identidade Padrão",
-    "defaultIdentityProviderDescription": "Quando um provedor de identidade padrão for selecionado, o usuário será automaticamente redirecionado para o provedor de autenticação.",
+    "defaultIdentityProviderDescription": "O usuário será redirecionado automaticamente para este provedor de identidade para autenticação.",
    "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
    "editInternalResourceDialogAccessPolicy": "Política de Acesso",
    "editInternalResourceDialogAddRoles": "Adicionar Funções",
@@ -2919,11 +3169,12 @@
    "learnMore": "Saiba mais",
    "backToHome": "Voltar para a página inicial",
    "needToSignInToOrg": "Precisa usar o provedor de identidade da sua organização?",
-    "maintenanceMode": "Modo de Manutenção",
+    "maintenanceMode": "Página de Manutenção",
    "maintenanceModeDescription": "Exibir uma página de manutenção para os visitantes",
    "maintenanceModeType": "Tipo de Modo de Manutenção",
    "showMaintenancePage": "Mostrar uma página de manutenção para os visitantes",
    "enableMaintenanceMode": "Ativar Modo de Manutenção",
+    "enableMaintenanceModeDescription": "Quando ativado, os visitantes verãos uma página de manutenção em vez do seu recurso.",
    "automatic": "Automático",
    "automaticModeDescription": "Exibir página de manutenção apenas quando todos os destinos de back-end estiverem inativos ou não saudáveis. Seu recurso continua funcionando normalmente desde que pelo menos um destino esteja saudável.",
    "forced": "Forçado",
@@ -2931,6 +3182,8 @@
    "warning:": "Aviso:",
    "forcedeModeWarning": "Todo o tráfego será direcionado para a página de manutenção. Seus recursos de back-end não receberão nenhuma solicitação.",
    "pageTitle": "Título da Página",
+    "maintenancePageContentSubsection": "Conteúdo da Página",
+    "maintenancePageContentSubsectionDescription": "Personalize o conteúdo exibido na página de manutenção",
    "pageTitleDescription": "O título principal exibido na página de manutenção",
    "maintenancePageMessage": "Mensagem de Manutenção",
    "maintenancePageMessagePlaceholder": "Voltaremos em breve! Nosso site está passando por manutenção programada.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Conclusão Estimada:",
    "createInternalResourceDialogDestinationRequired": "Destino é obrigatório",
    "available": "Disponível",
+    "disabledResourceDescription": "Quando desativado, o recurso ficará inacessível para todos.",
    "archived": "Arquivado",
    "noArchivedDevices": "Nenhum dispositivo arquivado encontrado",
    "deviceArchived": "Dispositivo arquivado",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Encaminha eventos diretamente para a sua conta no Datadog. Em breve.",
    "streamingTypePickerDescription": "Escolha um tipo de destino para começar.",
-    "streamingFailedToLoad": "Falha ao carregar destinos",
+    "streamingLastSyncError": "Ocorreu um erro na última sincronização",
    "streamingUnexpectedError": "Ocorreu um erro inesperado.",
    "streamingFailedToUpdate": "Falha ao atualizar destino",
    "streamingDeletedSuccess": "Destino apagado com sucesso",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Editar Destino",
    "S3DestAddTitle": "Adicionar Destino S3",
    "S3DestEditDescription": "Atualize a configuração para este destino de streaming de eventos S3.",
-    "S3DestAddDescription": "Configure um novo endpoint S3 para receber os eventos da sua organização.",
+    "S3DestAddDescription": "Configure um novo bucket Amazon S3 (ou compatível com S3) para receber os eventos da sua organização.",
+    "s3DestTabSettings": "Configurações",
+    "s3DestTabFormat": "Formato",
+    "s3DestNameLabel": "Nome",
+    "s3DestNamePlaceholder": "Meu destino S3",
+    "s3DestAccessKeyIdLabel": "ID da Chave de Acesso AWS",
+    "s3DestSecretAccessKeyLabel": "Chave de Acesso Secreta AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Sua chave de acesso secreta AWS",
+    "s3DestRegionLabel": "Região AWS",
+    "s3DestBucketLabel": "Nome do Bucket",
+    "s3DestPrefixLabel": "Prefixo da Chave (opcional)",
+    "s3DestPrefixDescription": "Prefixo de caminho opcional adicionado a cada chave de objeto. Os objetos são armazenados em {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Endpoint Personalizado (opcional)",
+    "s3DestEndpointDescription": "Substitua o endpoint S3 por armazenamento compatível com S3, como MinIO ou Cloudflare R2. Deixe em branco para o padrão AWS S3.",
+    "s3DestGzipLabel": "Compressão Gzip",
+    "s3DestGzipDescription": "Comprime cada objeto carregado com gzip. Reduz custos de armazenamento e tamanho de upload.",
+    "s3DestFormatTitle": "Formato de Arquivo",
+    "s3DestFormatDescription": "Como os eventos são serializados dentro de cada objeto carregado.",
+    "s3DestFormatJsonArrayDescription": "Cada objeto é um array JSON de registros de eventos. Compatível com a maioria das ferramentas de análise.",
+    "s3DestFormatNdjsonDescription": "Cada objeto contém um registro JSON por linha (JSON delimitado por nova linha). Compatível com Athena, BigQuery e Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Cada objeto é um arquivo CSV RFC-4180 com uma linha de cabeçalho. Nomes de colunas são derivados dos campos de dados do evento.",
+    "s3DestSaveChanges": "Salvar Alterações",
+    "s3DestCreateDestination": "Criar Destino",
+    "s3DestUpdatedSuccess": "Destino atualizado com sucesso",
+    "s3DestCreatedSuccess": "Destino criado com sucesso",
+    "s3DestUpdateFailed": "Falha ao atualizar destino",
+    "s3DestCreateFailed": "Falha ao criar destino",
    "datadogDestEditTitle": "Editar Destino",
    "datadogDestAddTitle": "Adicionar Destino Datadog",
    "datadogDestEditDescription": "Atualize a configuração para este destino de streaming de eventos Datadog.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Tem certeza de que deseja desassociar este provedor de identidade desta organização?",
    "idpUnassociateDescription": "Todos os usuários associados a este provedor de identidade serão removidos desta organização, mas o provedor de identidade continuará a existir para outras organizações associadas.",
    "idpUnassociateConfirm": "Confirmar Desassociação do Provedor de Identidade",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETAR E REMOVER-ME DA ORGANIZAÇÃO",
+    "idpUnassociateAndRemoveMeFromOrg": "DESASSOCIAR E REMOVER-ME DA ORGANIZAÇÃO",
    "idpUnassociateWarning": "Isso não pode ser desfeito para esta organização.",
    "idpUnassociatedDescription": "Provedor de identidade desassociado desta organização com sucesso",
    "idpUnassociateMenu": "Desassociar",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Recurso Desativado",
    "memberPortalShowingResources": "Mostrando {start}-{end} de {total} recursos",
    "memberPortalPrevious": "Anterior",
-    "memberPortalNext": "Próximo"
+    "memberPortalNext": "Próximo",
+    "httpSettings": "Configurações HTTP",
+    "tcpSettings": "Configurações TCP",
+    "udpSettings": "Configurações UDP",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Estabelecendo uma conexão segura…",
+    "sshConnecting": "A conectar…",
+    "sshInitializing": "A iniciar…",
+    "sshSignInTitle": "Entrar no SSH",
+    "sshSignInDescription": "Digite suas credenciais SSH para conectar",
+    "sshPasswordTab": "Palavra-passe",
+    "sshPrivateKeyTab": "Chave Privada",
+    "sshPrivateKeyField": "Chave Privada",
+    "sshPrivateKeyDisclaimer": "Sua chave privada não é armazenada ou visível para Pangolin. Alternativamente, você pode usar certificados de curta duração para autenticação perfeita usando sua identidade Pangolin existente.",
+    "sshLearnMore": "Saiba mais",
+    "sshPrivateKeyFile": "Arquivo de Chave Privada",
+    "sshAuthenticate": "Conectar",
+    "sshTerminate": "Terminar",
+    "sshPoweredBy": "Desenvolvido por",
+    "sshErrorNoTarget": "Nenhum alvo especificado",
+    "sshErrorWebSocket": "Falha na conexão WebSocket",
+    "sshErrorAuthFailed": "Falha na autenticação",
+    "sshErrorConnectionClosed": "Conexão encerrada antes de concluir a autenticação",
+    "sitePangolinSshDescription": "Permitir acesso SSH aos recursos deste site. Isso pode ser alterado mais tarde.",
+    "browserGatewayNoResourceForDomain": "Nenhum recurso encontrado para este domínio",
+    "browserGatewayNoTarget": "Sem alvo",
+    "browserGatewayConnect": "Conectar",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Falha ao assinar a chave SSH para autenticação PAM push. Você se conectou como um usuário?",
+    "sshTerminalError": "Erro: {error}",
+    "sshConnectionClosedCode": "Conexão encerrada (código {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Chave privada é necessária",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Digite sua senha VNC para conectar",
+    "vncPasswordOptional": "Senha (opcional)",
+    "vncNoResourceTarget": "Nenhum alvo de recurso disponível",
+    "vncFailedToLoadNovnc": "Falha ao carregar noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Colar conteúdo da área de transferência",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Conectar-se à Área de Trabalho Remota",
+    "rdpSignInDescription": "Digite as credenciais do Windows para conectar",
+    "rdpLoadingModule": "Carregando módulo...",
+    "rdpFailedToLoadModule": "Falha ao carregar módulo RDP",
+    "rdpNotReady": "Não está pronto",
+    "rdpModuleInitializing": "Módulo RDP ainda está inicializando",
+    "rdpDownloadingFiles": "Baixando {count} arquivo(s) do remoto…",
+    "rdpDownloadFailed": "Falha ao baixar: {fileName}",
+    "rdpUploaded": "Enviado: {fileName}",
+    "rdpNoConnectionTarget": "Nenhum alvo de conexão disponível",
+    "rdpConnectionFailed": "Conexão falhou",
+    "rdpFit": "Ajustar",
+    "rdpFull": "Completo",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload de arquivos",
+    "rdpFilesReadyToPaste": "Arquivos prontos para colar",
+    "rdpFilesReadyToPasteDescription": "{count} arquivo(s) copiado(s) para a área de transferência remota — pressione Ctrl+V na área de trabalho remota para colar.",
+    "rdpUploadFailed": "Falha no upload",
+    "rdpUnicodeKeyboardMode": "Modo de teclado Unicode",
+    "sessionToolbarShow": "Mostrar barra de ferramentas",
+    "sessionToolbarHide": "Ocultar barra de ferramentas"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Просмотр частных ресурсов",
    "siteInstallNewt": "Установить Newt",
    "siteInstallNewtDescription": "Запустите Newt в вашей системе",
+    "siteInstallKubernetesDocsDescription": "Для получения дополнительной информации об установке Kubernetes, см. <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "Для инструкций по установке модема Advantech, см. <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Конфигурация WireGuard",
    "WgConfigurationDescription": "Используйте следующую конфигурацию для подключения к сети",
    "operatingSystem": "Операционная система",
@@ -156,6 +158,10 @@
    "shareErrorDeleteMessage": "Произошла ошибка при удалении ссылки",
    "shareDeleted": "Ссылка удалена",
    "shareDeletedDescription": "Ссылка была успешно удалена",
+    "shareDelete": "Удалить общую ссылку",
+    "shareDeleteConfirm": "Подтвердить удаление общей ссылки",
+    "shareQuestionRemove": "Вы уверены, что хотите удалить эту общую ссылку?",
+    "shareMessageRemove": "После удаления ссылка перестанет работать, и все, кто ее использует, потеряют доступ к ресурсу.",
    "shareTokenDescription": "Токен доступа может быть передан двумя способами: как параметр запроса или в заголовках запроса. Они должны быть переданы от клиента по каждому запросу для аутентифицированного доступа.",
    "accessToken": "Токен доступа",
    "usageExamples": "Примеры использования",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Произошла ошибка при создании общей ссылки",
    "shareCreateDescription": "Любой, у кого есть эта ссылка, может получить доступ к ресурсу",
    "shareTitleOptional": "Заголовок (необязательно)",
+    "sharePathOptional": "Путь (необязательно)",
+    "sharePathDescription": "Ссылка перенаправит пользователей на этот путь после аутентификации.",
    "expireIn": "Срок действия",
    "neverExpire": "Бессрочный доступ",
    "shareExpireDescription": "Срок действия - это период, в течение которого ссылка будет работать и предоставлять доступ к ресурсу. После этого времени ссылка перестанет работать, и пользователи, использовавшие эту ссылку, потеряют доступ к ресурсу.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Пожалуйста, выберите ресурс",
    "proxyResourceTitle": "Управление публичными ресурсами",
    "proxyResourceDescription": "Создание и управление ресурсами, которые доступны через веб-браузер",
-    "proxyResourcesBannerTitle": "Общедоступный доступ через веб",
-    "proxyResourcesBannerDescription": "Общедоступные ресурсы - это прокси-по HTTPS или TCP/UDP, доступные любому пользователю в Интернете через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать политики доступа на основе идентификации и контекста.",
+    "publicResourcesBannerTitle": "Веб-доступ к публичным ресурсам",
+    "publicResourcesBannerDescription": "Публичные ресурсы — это HTTPS-прокси, доступные для любого пользователя Интернета через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать в себя политики доступа, учитывающие идентичность и контекст.",
    "clientResourceTitle": "Управление приватными ресурсами",
    "clientResourceDescription": "Создание и управление ресурсами, которые доступны только через подключенный клиент",
    "privateResourcesBannerTitle": "Частный доступ с нулевым доверием",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Поиск ресурсов...",
    "resourceAdd": "Добавить ресурс",
    "resourceErrorDelte": "Ошибка при удалении ресурса",
+    "resourcePoliciesBannerTitle": "Повторное использование правил аутентификации и доступа",
+    "resourcePoliciesBannerDescription": "Политики общих ресурсов позволяют один раз определить методы аутентификации и правила доступа, а затем прикреплять их к нескольким публичным ресурсам. Когда вы обновляете политику, каждое связанное с ней наследует изменение автоматически.",
+    "resourcePoliciesBannerButtonText": "Узнать больше",
+    "resourcePoliciesTitle": "Управление политиками публичных ресурсов",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Ресурсы",
+    "resourcePoliciesAttachedResources": "{count} ресурс(ов)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# ресурс} few {# ресурса} many {# ресурсов} other {# ресурсов}}",
+    "resourcePoliciesAttachedResourcesEmpty": "нет ресурсов",
+    "resourcePoliciesDescription": "Создание и управление политиками аутентификации для контроля доступа к вашим публичным ресурсам",
+    "resourcePoliciesSearch": "Поиск политик...",
+    "resourcePoliciesAdd": "Добавить политику",
+    "resourcePoliciesDefaultBadgeText": "Политика по умолчанию",
+    "resourcePoliciesCreate": "Создать политику публичного ресурса",
+    "resourcePoliciesCreateDescription": "Следуйте шагам ниже, чтобы создать новую политику",
+    "resourcePolicyName": "Имя политики",
+    "resourcePolicyNameDescription": "Дайте этой политике имя для идентификации ее в ваших ресурсах",
+    "resourcePolicyNamePlaceholder": "например, Политика внутреннего доступа",
+    "resourcePoliciesSeeAll": "Просмотреть все политики",
+    "resourcePolicyAuthMethodAdd": "Добавить метод аутентификации",
+    "resourcePolicyOtpEmailAdd": "Добавить OTP на email",
+    "resourcePolicyRulesAdd": "Добавить правила",
+    "resourcePolicyAuthMethodsDescription": "Разрешить доступ к ресурсам через дополнительные методы аутентификации",
+    "resourcePolicyUsersRolesDescription": "Настройте, какие пользователи и роли могут посещать связанные ресурсы",
+    "rulesResourcePolicyDescription": "Настройте правила для управления доступом к ресурсам, связанным с этой политикой",
    "authentication": "Аутентификация",
    "protected": "Защищён",
    "notProtected": "Не защищён",
    "resourceMessageRemove": "После удаления ресурс больше не будет доступен. Все целевые узлы, связанные с ресурсом, также будут удалены.",
    "resourceQuestionRemove": "Вы уверены, что хотите удалить ресурс из организации?",
+    "resourcePolicyMessageRemove": "После удаления политика ресурса больше не будет доступна. Все ресурсы, связанные с ресурсом, будут отключены и останутся без аутентификации.",
+    "resourcePolicyQuestionRemove": "Вы уверены, что хотите удалить политику ресурса из организации?",
    "resourceHTTP": "HTTPS-ресурс",
    "resourceHTTPDescription": "Проксировать запросы через HTTPS с использованием полного доменного имени.",
    "resourceRaw": "Сырой TCP/UDP-ресурс",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Прокси запросы через необработанный TCP/UDP с использованием номера порта. Требуется подключение сайтов к удаленному узлу.",
    "resourceCreate": "Создание ресурса",
    "resourceCreateDescription": "Следуйте инструкциям ниже для создания нового ресурса",
+    "resourceCreateGeneralDescription": "Настройте основные параметры ресурса, включая его имя и тип",
    "resourceSeeAll": "Посмотреть все ресурсы",
-    "resourceInfo": "Информация о ресурсе",
+    "resourceCreateGeneral": "Общие",
    "resourceNameDescription": "Отображаемое имя ресурса.",
    "siteSelect": "Выберите сайт",
    "siteSearch": "Поиск сайта",
@@ -227,12 +262,15 @@
    "noCountryFound": "Страна не найдена.",
    "siteSelectionDescription": "Этот сайт предоставит подключение к цели.",
    "resourceType": "Тип ресурса",
-    "resourceTypeDescription": "Определить как получить доступ к ресурсу",
+    "resourceTypeDescription": "Это контролирует протокол ресурса и то, как он будет отображаться в браузере. Это нельзя изменить позже.",
+    "resourceDomainDescription": "Ресурс будет предоставлен по этому полностью определенному доменному имени.",
    "resourceHTTPSSettings": "Настройки HTTPS",
    "resourceHTTPSSettingsDescription": "Настройка доступа к ресурсу по HTTPS",
+    "resourcePortDescription": "Внешний порт на экземпляре или узле Pangolin, где ресурс будет доступен.",
    "domainType": "Тип домена",
    "subdomain": "Поддомен",
    "baseDomain": "Базовый домен",
+    "configure": "Настроить",
    "subdomnainDescription": "Поддомен, в котором ресурс будет доступен.",
    "resourceRawSettings": "Настройки TCP/UDP",
    "resourceRawSettingsDescription": "Настройка доступа к ресурсу по TCP/UDP",
@@ -243,14 +281,35 @@
    "back": "Назад",
    "cancel": "Отмена",
    "resourceConfig": "Фрагменты конфигурации",
-    "resourceConfigDescription": "Скопируйте и вставьте эти сниппеты для настройки TCP/UDP ресурса",
+    "resourceConfigDescription": "Скопируйте и вставьте эти фрагменты конфигурации для настройки ресурса TCP/UDP.",
    "resourceAddEntrypoints": "Traefik: Добавить точки входа",
    "resourceExposePorts": "Gerbil: Открыть порты в Docker Compose",
    "resourceLearnRaw": "Узнайте, как настроить TCP/UDP-ресурсы",
    "resourceBack": "Назад к ресурсам",
    "resourceGoTo": "Перейти к ресурсу",
+    "resourcePolicyDelete": "Удалить политику ресурса",
+    "resourcePolicyDeleteConfirm": "Подтвердите удаление политики ресурса",
    "resourceDelete": "Удалить ресурс",
    "resourceDeleteConfirm": "Подтвердить удаление",
+    "labelDelete": "Удалить метку",
+    "labelAdd": "Добавить метку",
+    "labelCreateSuccessMessage": "Метка успешно создана",
+    "labelDuplicateError": "Повторяющаяся метка",
+    "labelDuplicateErrorDescription": "Метка с таким именем уже существует.",
+    "labelEditSuccessMessage": "Метка успешно изменена",
+    "labelNameField": "Название метки",
+    "labelColorField": "Цвет метки",
+    "labelPlaceholder": "Напр.: homelab",
+    "labelCreate": "Создать метку",
+    "createLabelDialogTitle": "Создать метку",
+    "createLabelDialogDescription": "Создайте новую метку, которая может быть прикреплена к этой организации",
+    "labelEdit": "Редактировать метку",
+    "editLabelDialogTitle": "Обновить метку",
+    "editLabelDialogDescription": "Измените новую метку, которую можно прикрепить к этой организации",
+    "labelDeleteConfirm": "Подтвердите удаление метки",
+    "labelErrorDelete": "Не удалось удалить метку",
+    "labelMessageRemove": "Это действие необратимо. Все сайты, ресурсы и клиенты, помеченные этой меткой, будут разметены.",
+    "labelQuestionRemove": "Вы уверены, что хотите удалить метку из организации?",
    "visibility": "Видимость",
    "enabled": "Включено",
    "disabled": "Отключено",
@@ -261,6 +320,8 @@
    "rules": "Правила",
    "resourceSettingDescription": "Настройка параметров ресурса",
    "resourceSetting": "Настройки {resourceName}",
+    "resourcePolicySettingDescription": "Настройте параметры этой политики публичного ресурса",
+    "resourcePolicySetting": "Настройки {policyName}",
    "alwaysAllow": "Авторизация байпасса",
    "alwaysDeny": "Блокировать доступ",
    "passToAuth": "Переход к аутентификации",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "После удаления этот пользователь больше не будет иметь доступ к организации. Вы всегда можете пригласить его заново, но ему нужно будет снова принять приглашение.",
    "userRemoveOrgConfirm": "Подтвердить удаление пользователя",
    "userRemoveOrg": "Удалить пользователя из организации",
+    "userQuestionOrgRemoveSelf": "Вы уверены, что хотите удалить себя из этой организации?",
+    "userMessageOrgRemoveSelf": "Вы немедленно потеряете доступ. Администратор сможет снова пригласить вас позже, но вам нужно будет принять новое приглашение.",
+    "userRemoveOrgConfirmSelf": "Подтвердите удаление себя",
+    "userRemoveOrgSelf": "Удалите себя из организации",
+    "userRemoveOrgSelfWarning": "Вы немедленно потеряете доступ к этой организации.",
+    "userRemoveOrgConfirmPhraseSelf": "Удалить себя из организации",
    "users": "Пользователи",
    "accessRoleMember": "Участник",
    "accessRoleOwner": "Владелец",
@@ -531,6 +598,11 @@
    "emailInvalid": "Неверный адрес Email",
    "inviteValidityDuration": "Пожалуйста, выберите продолжительность",
    "accessRoleSelectPlease": "Пожалуйста, выберите роль",
+    "removeOwnAdminRoleConfirmTitle": "Удалить доступ администратора?",
+    "removeOwnAdminRoleConfirmDescription": "После сохранения у вас больше не будет прав администратора в этой организации. Другой администратор может восстановить доступ, если это необходимо.",
+    "removeOwnAdminRoleConfirmButton": "Удалить мой доступ администратора",
+    "removeOwnAdminRoleConfirmPhrase": "УДАЛИТЬ МОЙ ДОСТУП АДМИНИСТРАТОРА",
+    "ownerMustRetainAdminRole": "Владелец организации должен сохранить по крайней мере одну роль администратора.",
    "usernameRequired": "Имя пользователя обязательно",
    "idpSelectPlease": "Пожалуйста, выберите Identity Provider",
    "idpGenericOidc": "Обычный OAuth2/OIDC provider.",
@@ -615,7 +687,7 @@
    "createdAt": "Создано в",
    "proxyErrorInvalidHeader": "Неверное значение пользовательского заголовка Host. Используйте формат доменного имени или оставьте пустым для сброса пользовательского заголовка Host.",
    "proxyErrorTls": "Неверное имя TLS сервера. Используйте формат доменного имени или оставьте пустым для удаления имени TLS сервера.",
-    "proxyEnableSSL": "Включить SSL",
+    "proxyEnableSSL": "Включить TLS",
    "proxyEnableSSLDescription": "Включить шифрование SSL/TLS для безопасных HTTPS соединений с целями.",
    "target": "Target",
    "configureTarget": "Настроить адресаты",
@@ -656,8 +728,9 @@
    "targetSubmit": "Добавить цель",
    "targetNoOne": "Этот ресурс не имеет никаких целей. Добавьте цель для настройки, где отправлять запросы в бэкэнд.",
    "targetNoOneDescription": "Добавление более одной цели выше включит балансировку нагрузки.",
-    "targetsSubmit": "Сохранить цели",
+    "targetsSubmit": "Сохранить настройки",
    "addTarget": "Добавить цель",
+    "proxyMultiSiteRoundRobinNodeHelp": "Роутинг с балансировкой нагрузки не будет работать между сайтами, не подключенными к одному и тому же узлу, но подмена будет работать.",
    "targetErrorInvalidIp": "Неверный IP-адрес",
    "targetErrorInvalidIpDescription": "Пожалуйста, введите действительный IP адрес или имя хоста",
    "targetErrorInvalidPort": "Неверный порт",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Дублирующее правило",
    "rulesErrorDuplicateDescription": "Правило с такими настройками уже существует",
    "rulesErrorInvalidIpAddressRange": "Неверный CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Пожалуйста, введите корректное значение CIDR",
-    "rulesErrorInvalidUrl": "Неверный URL путь",
-    "rulesErrorInvalidUrlDescription": "Пожалуйста, введите корректное значение URL пути",
-    "rulesErrorInvalidIpAddress": "Неверный IP",
-    "rulesErrorInvalidIpAddressDescription": "Пожалуйста, введите корректный IP адрес",
+    "rulesErrorInvalidIpAddressRangeDescription": "Введите действительный диапазон CIDR (например, 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Неверный путь",
+    "rulesErrorInvalidUrlDescription": "Введите действительный URL-путь или шаблон (например, /api/*).",
+    "rulesErrorInvalidIpAddress": "Недействительный IP адрес",
+    "rulesErrorInvalidIpAddressDescription": "Введите действительный адрес IPv4 или IPv6.",
    "rulesErrorUpdate": "Не удалось обновить правила",
    "rulesErrorUpdateDescription": "Произошла ошибка при обновлении правил",
    "rulesUpdated": "Включить правила",
@@ -702,14 +775,23 @@
    "rulesMatchIpAddress": "Введите IP адрес (например, 103.21.244.12)",
    "rulesMatchUrl": "Введите URL путь или шаблон (например, /api/v1/todos или /api/v1/*)",
    "rulesErrorInvalidPriority": "Неверный приоритет",
-    "rulesErrorInvalidPriorityDescription": "Пожалуйста, введите корректный приоритет",
-    "rulesErrorDuplicatePriority": "Дублирующие приоритеты",
-    "rulesErrorDuplicatePriorityDescription": "Пожалуйста, введите уникальные приоритеты",
+    "rulesErrorInvalidPriorityDescription": "Введите целое число 1 или больше.",
+    "rulesErrorDuplicatePriority": "Повторяющиеся приоритеты",
+    "rulesErrorDuplicatePriorityDescription": "Каждое правило должно иметь уникальный номер приоритета.",
+    "rulesErrorValidation": "Неверные правила",
+    "rulesErrorValidationRuleDescription": "Правило {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Выберите действительный тип совпадения (путь, IP, CIDR, страна, регион или ASN).",
+    "rulesErrorValueRequired": "Введите значение для этого правила.",
+    "rulesErrorInvalidCountry": "Недействительная страна",
+    "rulesErrorInvalidCountryDescription": "Выберите правильную страну.",
+    "rulesErrorInvalidAsn": "Недействительный ASN",
+    "rulesErrorInvalidAsnDescription": "Введите действительный ASN (например, AS15169).",
    "ruleUpdated": "Правила обновлены",
    "ruleUpdatedDescription": "Правила успешно обновлены",
    "ruleErrorUpdate": "Операция не удалась",
    "ruleErrorUpdateDescription": "Произошла ошибка во время операции сохранения",
    "rulesPriority": "Приоритет",
+    "rulesReorderDragHandle": "Перетащите, чтобы изменить приоритет правила",
    "rulesAction": "Действие",
    "rulesMatchType": "Тип совпадения",
    "value": "Значение",
@@ -728,9 +810,60 @@
    "rulesResource": "Конфигурация правил ресурса",
    "rulesResourceDescription": "Настройка правил для контроля доступа к ресурсу",
    "ruleSubmit": "Добавить правило",
-    "rulesNoOne": "Нет правил. Добавьте правило с помощью формы.",
+    "rulesNoOne": "Пока нет правил.",
    "rulesOrder": "Правила оцениваются по приоритету в возрастающем порядке.",
    "rulesSubmit": "Сохранить правила",
+    "policyErrorCreate": "Ошибка создания политики",
+    "policyErrorCreateDescription": "Произошла ошибка при создании политики",
+    "policyErrorCreateMessageDescription": "Произошла неожиданная ошибка",
+    "policyErrorUpdate": "Ошибка обновления политики",
+    "policyErrorUpdateDescription": "Произошла ошибка при обновлении политики",
+    "policyErrorUpdateMessageDescription": "Произошла неожиданная ошибка",
+    "policyCreatedSuccess": "Политика ресурса успешно создана",
+    "policyUpdatedSuccess": "Политика ресурса успешно обновлена",
+    "authMethodsSave": "Сохранить настройки",
+    "policyAuthStackTitle": "Аутентификация",
+    "policyAuthStackDescription": "Контроль, какие методы аутентификации требуются для доступа к этому ресурсу",
+    "policyAuthOrLogicTitle": "Несколько методов аутентификации активны",
+    "policyAuthOrLogicBanner": "Посетители могут аутентифицироваться, используя любой из активных методов ниже. Им не нужно выполнять все.",
+    "policyAuthMethodActive": "Активно",
+    "policyAuthMethodOff": "Отключено",
+    "policyAuthSsoTitle": "Платформа SSO",
+    "policyAuthSsoDescription": "Требуется войти через поставщика удостоверений вашей организации",
+    "policyAuthSsoSummary": "{idp} · {users} пользователей, {roles} ролей",
+    "policyAuthSsoDefaultIdp": "Поставщик по умолчанию",
+    "policyAuthAddDefaultIdentityProvider": "Добавить поставщика удостоверений по умолчанию",
+    "policyAuthOtherMethodsTitle": "Другие методы",
+    "policyAuthOtherMethodsDescription": "Дополнительные методы, которые посетители могут использовать вместо или вместе с платформой SSO",
+    "policyAuthPasscodeTitle": "Пароль",
+    "policyAuthPasscodeDescription": "Требуется общий буквенно-цифровой пароль для доступа к ресурсу",
+    "policyAuthPasscodeSummary": "Пароль установлен",
+    "policyAuthPincodeTitle": "ПИН-код",
+    "policyAuthPincodeDescription": "Краткий числовой код, необходимый для доступа к ресурсу",
+    "policyAuthPincodeSummary": "Установлен 6-значный PIN-код",
+    "policyAuthEmailTitle": "Белый список email",
+    "policyAuthEmailDescription": "Разрешить перечисленные email-адреса с одноразовыми паролями",
+    "policyAuthEmailSummary": "Разрешено адресов: {count}",
+    "policyAuthEmailOtpCallout": "Включение белого списка email отправляет одноразовый пароль на email посетителя при входе.",
+    "policyAuthHeaderAuthTitle": "Базовая аутентификация заголовка",
+    "policyAuthHeaderAuthDescription": "Проверка пользовательского имени и значения HTTP-заголовка для каждого запроса",
+    "policyAuthHeaderAuthSummary": "Заголовок настроен",
+    "policyAuthHeaderName": "Имя заголовка",
+    "policyAuthHeaderValue": "Ожидаемое значение",
+    "policyAuthSetPasscode": "Установить пароль",
+    "policyAuthSetPincode": "Установить ПИН-код",
+    "policyAuthSetEmailWhitelist": "Установить белый список email",
+    "policyAuthSetHeaderAuth": "Установить базовую аутентификацию заголовка",
+    "policyAccessRulesTitle": "Правила доступа",
+    "policyAccessRulesEnableDescription": "При включении правила оцениваются в порядке убывания до тех пор, пока одно из них не оценивается как истинное.",
+    "policyAccessRulesFirstMatch": "Правила оцениваются сверху вниз. Первое совпадающее правило определяет результат.",
+    "policyAccessRulesHowItWorks": "Правила сопоставляют запросы по пути, IP-адресу, местоположению или другим критериям. Каждое правило применяет действие: обойти аутентификацию, заблокировать доступ или передать для аутентификации. Если правило не подписано, трафик продолжается для аутентификации.",
+    "policyAccessRulesFallthroughOff": "Когда правила отключены, весь трафик проходит для аутентификации.",
+    "policyAccessRulesFallthroughOn": "Когда правило не совпадает, трафик проходит для аутентификации.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Сохранить правила",
    "resourceErrorCreate": "Ошибка при создании ресурса",
    "resourceErrorCreateDescription": "Произошла ошибка при создании ресурса",
    "resourceErrorCreateMessage": "Ошибка создания ресурса:",
@@ -794,6 +927,17 @@
    "pincodeAdd": "Добавить PIN-код",
    "pincodeRemove": "Удалить PIN-код",
    "resourceAuthMethods": "Методы аутентификации",
+    "resourcePolicyAuthMethodsEmpty": "Нет метода аутентификации",
+    "resourcePolicyOtpEmpty": "Нет одноразового пароля",
+    "resourcePolicyReadOnly": "Эта политика только для чтения",
+    "resourcePolicyReadOnlyDescription": "Эта политика ресурса разделяется между несколькими ресурсами, вы не можете улучшить ее на этой странице.",
+    "editSharedPolicy": "Редактировать общую политику",
+    "resourcePolicyTypeSave": "Сохранить тип ресурса",
+    "resourcePolicySelect": "Выберите политику ресурса",
+    "resourcePolicySelectError": "Выберите политику ресурса",
+    "resourcePolicyNotFound": "Политика не найдена",
+    "resourcePolicySearch": "Поиск политик",
+    "resourcePolicyRulesEmpty": "Нет правил аутентификации",
    "resourceAuthMethodsDescriptions": "Разрешить доступ к ресурсу через дополнительные методы аутентификации",
    "resourceAuthSettingsSave": "Успешно сохранено",
    "resourceAuthSettingsSaveDescription": "Настройки аутентификации сохранены",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Установить PIN-код",
    "resourcePincodeSetupTitleDescription": "Установите PIN-код для защиты этого ресурса",
    "resourceRoleDescription": "Администраторы всегда имеют доступ к этому ресурсу.",
+    "resourcePolicySelectTitle": "Политика доступа к ресурсам",
+    "resourcePolicySelectDescription": "Выберите тип политики ресурса для аутентификации",
+    "resourcePolicyTypeLabel": "Тип политики",
+    "resourcePolicyLabel": "Политика ресурса",
+    "resourcePolicyInline": "Политика ресурса на месте",
+    "resourcePolicyInlineDescription": "Политика доступа ограничена только этим ресурсом",
+    "resourcePolicyShared": "Общая политика ресурса",
+    "resourcePolicySharedDescription": "Этот ресурс использует общую политику.",
+    "sharedPolicy": "Общая политика",
+    "sharedPolicyNoneDescription": "У этого ресурса есть своя политика.",
+    "resourceSharedPolicyOwnDescription": "У этого ресурса есть собственные средства управления аутентификацией и правилами доступа.",
+    "resourceSharedPolicyInheritedDescription": "Этот ресурс наследует от <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "Этот ресурс использует общую политику. Некоторые настройки аутентификации можно изменить в этом ресурсе, чтобы добавить их в политику. Чтобы изменить основную политику, отредактируйте <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "Этот ресурс использует общую политику. Некоторые правила доступа могут быть отредактированы для этого ресурса. Чтобы изменить основную политику, вы должны отредактировать <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Контроль доступа",
    "resourceUsersRolesDescription": "Выберите пользователей и роли с доступом к этому ресурсу",
    "resourceUsersRolesSubmit": "Сохранить контроль доступа",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Видимость",
    "resourceVisibilityTitleDescription": "Включите или отключите видимость ресурса",
    "resourceGeneral": "Общие настройки",
-    "resourceGeneralDescription": "Настройте общие параметры этого ресурса",
+    "resourceGeneralDescription": "Настройте имя, адрес и политику доступа для этого ресурса.",
+    "resourceGeneralDetailsSubsection": "Детали ресурса",
+    "resourceGeneralDetailsSubsectionDescription": "Установите отображаемое имя, идентификатор и публично доступный домен для этого ресурса.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Установите отображаемое имя, идентификатор и публичный порт для этого ресурса.",
+    "resourceGeneralPublicAddressSubsection": "Публичный адрес",
+    "resourceGeneralPublicAddressSubsectionDescription": "Настройте, как пользователи будут получать доступ к этому ресурсу.",
+    "resourceGeneralAuthenticationAccessSubsection": "Аутентификация и доступ",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Выберите, будет ли этот ресурс использовать собственную политику или наследовать от общей политики.",
    "resourceEnable": "Ресурс активен",
    "resourceTransfer": "Перенести ресурс",
    "resourceTransferDescription": "Перенесите этот ресурс на другой сайт",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "Возникла проблема при подключении к {name}. Пожалуйста, свяжитесь с вашим администратором.",
    "idpErrorNotFound": "IdP не найден",
    "inviteInvalid": "Недействительное приглашение",
+    "labels": "Метки",
+    "orgLabelsDescription": "Управление метками в этой организации.",
+    "addLabels": "Добавить метки",
+    "siteLabelsTab": "Метки",
+    "siteLabelsDescription": "Управляйте метками, связанными с этим сайтом.",
+    "labelsNotFound": "Метки не найдены.",
+    "labelsEmptyCreateHint": "Начните печатать выше, чтобы создать метку.",
+    "labelSearch": "Поиск меток",
+    "labelSearchOrCreate": "Найти или создать метку",
+    "accessLabelFilterCount": "{count, plural, one {# метка} few {# метки} many {# меток} other {# меток}}",
+    "labelOverflowCount": "+{count, plural, one {# метка} few {# метки} many {# меток} other {# меток}}",
+    "accessLabelFilterClear": "Очистить фильтры меток",
+    "accessFilterClear": "Очистить фильтры",
+    "selectColor": "Выберите цвет",
+    "createNewLabel": "Создать новую метку организации \"{label}\"",
    "inviteInvalidDescription": "Ссылка на приглашение недействительна.",
    "inviteErrorWrongUser": "Приглашение не для этого пользователя",
    "inviteErrorUserNotExists": "Пользователь не существует. Пожалуйста, сначала создайте учетную запись.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Ресурсы",
    "sidebarProxyResources": "Публичный",
    "sidebarClientResources": "Приватный",
+    "sidebarPolicies": "Общие политики",
+    "sidebarResourcePolicies": "Публичные ресурсы",
    "sidebarAccessControl": "Контроль доступа",
    "sidebarLogsAndAnalytics": "Журналы и аналитика",
    "sidebarTeam": "Команда",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Админ",
    "sidebarInvitations": "Приглашения",
    "sidebarRoles": "Роли",
-    "sidebarShareableLinks": "Ссылки",
+    "sidebarShareableLinks": "Общие ссылки",
    "sidebarApiKeys": "API ключи",
    "sidebarProvisioning": "Подготовка",
    "sidebarSettings": "Настройки",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Сайт {id}",
    "standaloneHcFilterResourceIdFallback": "Ресурс {id}",
    "blueprints": "Чертежи",
-    "blueprintsDescription": "Применить декларирующие конфигурации и просмотреть предыдущие запуски",
+    "blueprintsLog": "Журнал чертежей",
+    "blueprintsDescription": "Просмотреть предыдущие приложения с чертежами и их результаты или применить новый чертеж",
    "blueprintAdd": "Добавить чертёж",
    "blueprintGoBack": "Посмотреть все чертежи",
    "blueprintCreate": "Создать чертёж",
@@ -1559,7 +1742,17 @@
    "contents": "Содержание",
    "parsedContents": "Переработанное содержимое (только для чтения)",
    "enableDockerSocket": "Включить чертёж Docker",
-    "enableDockerSocketDescription": "Включить scraping ярлыка Docker Socket для ярлыков чертежей. Путь к сокету должен быть предоставлен в Newt.",
+    "enableDockerSocketDescription": "Включить сбор меток Docker Socket для чертежей. Путь сокета должен быть предоставлен подключателю сайта. Прочтите о том, как это работает, в <docsLink>документации</docsLink>.",
+    "newtAutoUpdate": "Включить автообновление сайта",
+    "newtAutoUpdateDescription": "При включении разъемы сайта автоматически загрузят последнюю версию и перезапустятся. Это можно переопределить на уровне каждого сайта.",
+    "siteAutoUpdate": "Автообновление сайта",
+    "siteAutoUpdateLabel": "Включить автообновление",
+    "siteAutoUpdateDescription": "При включении разъем этого сайта автоматически скачает последнюю версию и перезапустится.",
+    "siteAutoUpdateOrgDefault": "Значение по умолчанию для организации: {state}",
+    "siteAutoUpdateOverriding": "Переопределение настройки организации",
+    "siteAutoUpdateResetToOrg": "Сброс до значения по умолчанию для организации",
+    "siteAutoUpdateEnabled": "включено",
+    "siteAutoUpdateDisabled": "отключено",
    "viewDockerContainers": "Просмотр контейнеров Docker",
    "containersIn": "Контейнеры в {siteName}",
    "selectContainerDescription": "Выберите любой контейнер для использования в качестве имени хоста для этой цели. Нажмите на порт, чтобы использовать порт.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Сертификат",
    "certificateStatusAutoRefreshHint": "Статус обновляется автоматически.",
    "loading": "Загрузка",
+    "loadingEllipsis": "Загрузка...",
    "loadingAnalytics": "Загрузка аналитики",
    "restart": "Перезагрузка",
    "domains": "Домены",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Настройка аккаунта завершена! Добро пожаловать в Pangolin!",
    "documentation": "Документация",
    "saveAllSettings": "Сохранить все настройки",
-    "saveResourceTargets": "Сохранить цели",
-    "saveResourceHttp": "Сохранить настройки прокси",
-    "saveProxyProtocol": "Сохранить настройки прокси-протокола",
+    "saveResourceTargets": "Сохранить настройки",
+    "saveResourceHttp": "Сохранить настройки",
+    "saveProxyProtocol": "Сохранить настройки",
    "settingsUpdated": "Настройки обновлены",
    "settingsUpdatedDescription": "Настройки успешно обновлены",
    "settingsErrorUpdate": "Не удалось обновить настройки",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Управление подпиской на платные лицензионные ключи собственного хостинга",
    "billingCurrentKeys": "Текущие ключи",
    "billingModifyCurrentPlan": "Изменить текущий план",
+    "billingManageLicenseSubscriptionDescription": "Управление вашей подпиской на платные ключи лицензии для самостоятельной установки и загрузка счетов.",
    "billingConfirmUpgrade": "Подтвердить обновление",
    "billingConfirmDowngrade": "Подтверждение понижения",
    "billingConfirmUpgradeDescription": "Вы собираетесь обновить тарифный план. Проверьте новые лимиты и цены ниже.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Неизвестно",
    "healthCheck": "Проверка здоровья",
    "configureHealthCheck": "Настроить проверку здоровья",
-    "configureHealthCheckDescription": "Настройте мониторинг состояния для {target}",
+    "configureHealthCheckDescription": "Настройте мониторинг вашего ресурса, чтобы обеспечить его постоянную доступность",
    "enableHealthChecks": "Включить проверки здоровья",
    "healthCheckDisabledStateDescription": "Когда отключен, сайт не будет выполнять проверки состояния и состояние будет считаться неизвестным.",
    "enableHealthChecksDescription": "Мониторинг здоровья этой цели. При необходимости можно контролировать другую конечную точку.",
    "healthScheme": "Метод",
    "healthSelectScheme": "Выберите метод",
-    "healthCheckPortInvalid": "Порт проверки здоровья должен быть от 1 до 65535",
+    "healthCheckPortInvalid": "Порт должен быть в диапазоне от 1 до 65535",
    "healthCheckPath": "Путь",
    "healthHostname": "IP / хост",
    "healthPort": "Порт",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Время указано в секундах",
    "requireDeviceApproval": "Требовать подтверждения устройства",
    "requireDeviceApprovalDescription": "Пользователям с этой ролью нужны новые устройства, одобренные администратором, прежде чем они смогут подключаться и получать доступ к ресурсам.",
-    "sshAccess": "SSH доступ",
+    "sshSettings": "Настройки SSH",
+    "sshAccess": "Доступ по SSH",
+    "rdpSettings": "Настройки RDP",
+    "vncSettings": "Настройки VNC",
+    "sshServer": "SSH сервер",
+    "rdpServer": "RDP сервер",
+    "vncServer": "VNC сервер",
+    "sshServerDescription": "Настройка метода аутентификации, местоположения демона и пункта назначения сервера",
+    "rdpServerDescription": "Настройте пункт назначения и порт RDP-сервера",
+    "vncServerDescription": "Настройте пункт назначения и порт VNC-сервера",
+    "sshServerMode": "Режим",
+    "sshServerModeStandard": "Стандартный SSH-сервер",
+    "sshServerModePangolin": "SSH Pangolin",
+    "sshServerModeStandardDescription": "Маршрутизация команд по сети к SSH-серверу, такому как OpenSSH.",
+    "sshServerModeNative": "Родной SSH-сервер",
+    "sshServerModeNativeDescription": "Выполняет команды напрямую на хосте через сайт-коннектор. Настройка сети не требуется.",
+    "sshAuthenticationMethod": "Метод аутентификации",
+    "sshAuthMethodManual": "Ручная аутентификация",
+    "sshAuthMethodManualDescription": "Требуется наличие существующих учетных данных хоста. Обходит автоматическое предоставление.",
+    "sshAuthMethodAutomated": "Автоматизированное предоставление",
+    "sshAuthMethodAutomatedDescription": "Автоматически создает пользователей, группы и разрешения sudo на хосте.",
+    "sshAuthDaemonLocation": "Местоположение демона аутентификации",
+    "sshDaemonLocationSiteDescription": "Выполняется локально на машине, размещающей сайт-коннектор.",
+    "sshDaemonLocationRemote": "На удаленном хосте",
+    "sshDaemonLocationRemoteDescription": "Выполняется на отдельной целевой машине в той же сети.",
+    "sshDaemonDisclaimer": "Убедитесь, что целевой хост правильно настроен для запуска демона аутентификации перед завершением этой настройки, иначе предоставление не удастся.",
+    "sshDaemonPort": "Порт демона",
+    "sshServerDestination": "Пункт назначения сервера",
+    "sshServerDestinationDescription": "Настройте адрес сервера SSH",
+    "destination": "Пункт назначения",
+    "destinationRequired": "Требуется указание пункта назначения.",
+    "domainRequired": "Требуется домен.",
+    "proxyPortRequired": "Требуется порт.",
+    "invalidPathConfiguration": "Недействительная конфигурация пути.",
+    "invalidRewritePathConfiguration": "Недействительная конфигурация пути переписывания.",
+    "bgTargetMultiSiteDisclaimer": "Выбор нескольких сайтов включает в себя устойчивую маршрутизацию и автоматический отказ для обеспечения высокой доступности.",
    "roleAllowSsh": "Разрешить SSH",
    "roleAllowSshAllow": "Разрешить",
    "roleAllowSshDisallow": "Запретить",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Пользователь может запускать только указанные команды с помощью sudo.",
    "sshSudo": "Разрешить sudo",
    "sshSudoCommands": "Sudo Команды",
-    "sshSudoCommandsDescription": "Список команд, разделенных запятыми, которые пользователю разрешено запускать с помощью sudo.",
+    "sshSudoCommandsDescription": "Список команд, которые пользователь может запускать с sudo, разделенный запятыми, пробелами или новыми строками. Должны использоваться абсолютные пути.",
    "sshCreateHomeDir": "Создать домашний каталог",
    "sshUnixGroups": "Unix группы",
-    "sshUnixGroupsDescription": "Группы Unix через запятую, чтобы добавить пользователя на целевой хост.",
+    "sshUnixGroupsDescription": "Группы Unix, к которым пользователь добавляется на целевом хосте, разделяются запятыми, пробелами или новыми строками.",
+    "roleTextFieldPlaceholder": "Введите значения или перетащите файл .txt или .csv",
+    "roleTextImportTitle": "Импорт из файла",
+    "roleTextImportDescription": "Импортирую {fileName} в {fieldLabel}.",
+    "roleTextImportSkipHeader": "Пропустить первую строку (заголовок)",
+    "roleTextImportOverride": "Заменить существующее",
+    "roleTextImportAppend": "Добавить к существующему",
+    "roleTextImportMode": "Режим импорта",
+    "roleTextImportPreview": "Предпросмотр",
+    "roleTextImportItemCount": "{count, plural, =0 {Нет элементов для импорта} one {# элемент для импорта} few {# элемента для импорта} many {# элементов для импорта} other {# элементов для импорта}}",
+    "roleTextImportTotalCount": "{existing} существующих + {imported} импортированных = {total} всего",
+    "roleTextImportConfirm": "Импортировать",
+    "roleTextImportInvalidFile": "Неподдерживаемый тип файла",
+    "roleTextImportInvalidFileDescription": "Поддерживаются только файлы .txt и .csv.",
+    "roleTextImportEmpty": "Элементы в файле не найдены",
+    "roleTextImportEmptyDescription": "Файл не содержит элементов, которые можно импортировать.",
    "retryAttempts": "Количество попыток повторного запроса",
    "expectedResponseCodes": "Ожидаемые коды ответов",
    "expectedResponseCodesDescription": "HTTP-код состояния, указывающий на здоровое состояние. Если оставить пустым, 200-300 считается здоровым.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "СИДР",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Схема",
-    "editInternalResourceDialogEnableSsl": "Включить SSL",
+    "editInternalResourceDialogEnableSsl": "Включить TLS",
    "editInternalResourceDialogEnableSslDescription": "Включите шифрование SSL/TLS для защищенных HTTPS соединений с конечной точкой.",
    "editInternalResourceDialogDestination": "Пункт назначения",
    "editInternalResourceDialogDestinationHostDescription": "IP адрес или имя хоста ресурса в сети сайта.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "СИДР",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Схема",
    "createInternalResourceDialogScheme": "Схема",
-    "createInternalResourceDialogEnableSsl": "Включить SSL",
+    "createInternalResourceDialogEnableSsl": "Включить TLS",
    "createInternalResourceDialogEnableSslDescription": "Включите SSL/TLS шифрование для защищенных HTTPS соединений с конечной точкой.",
    "createInternalResourceDialogDestination": "Пункт назначения",
    "createInternalResourceDialogDestinationHostDescription": "IP адрес или имя хоста ресурса в сети сайта.",
@@ -2217,7 +2464,7 @@
        "description": "Более надежный и низко обслуживаемый сервер Pangolin с дополнительными колокольнями и свистками",
        "introTitle": "Управляемый Само-Хост Панголина",
        "introDescription": "- это вариант развертывания, предназначенный для людей, которые хотят простоты и надёжности, сохраняя при этом свои данные конфиденциальными и самостоятельными.",
-        "introDetail": "С помощью этой опции вы по-прежнему используете узел Pangolin - туннели, SSL, и весь остающийся на вашем сервере. Разница заключается в том, что управление и мониторинг осуществляются через нашу панель инструментов из облака, которая открывает ряд преимуществ:",
+        "introDetail": "С помощью этой опции вы по-прежнему используете узел Pangolin - ваши туннели, завершение TLS и трафик остаются на вашем сервере. Разница заключается в том, что управление и мониторинг осуществляются через наш облачный интерфейс, что открывает ряд преимуществ:",
        "benefitSimplerOperations": {
            "title": "Более простые операции",
            "description": "Не нужно запускать свой собственный почтовый сервер или настроить комплексное оповещение. Вы будете получать проверки состояния здоровья и оповещения о неисправностях из коробки."
@@ -2652,6 +2899,8 @@
    "validPassword": "Допустимый пароль",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Просмотр",
+    "configManaged": "Конфигурация управляется",
    "connectedClient": "Подключенный клиент",
    "resourceBlocked": "Ресурс заблокирован",
    "droppedByRule": "Отброшено по правилам",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Включить Прокси Протокол",
    "proxyProtocolInfo": "Сохранять IP-адреса клиента для backend'ов TCP",
    "proxyProtocolVersion": "Версия протокола прокси",
-    "version1": " Версия 1 (рекомендуется)",
+    "version1": "Версия 1 (рекомендуется)",
    "version2": "Версия 2",
-    "versionDescription": "Версия 1 основана на тексте и широко поддерживается. Версия 2 является бинарной и более эффективной, но менее совместимой.",
+    "version1Description": "Основано на тексте и широко поддерживается. Убедитесь, что транспорт сервера добавлен в динамическую конфигурацию.",
+    "version2Description": "Бинарная и более эффективная, но менее совместимая. Убедитесь, что транспорт сервера добавлен в динамическую конфигурацию.",
    "warning": "Предупреждение",
    "proxyProtocolWarning": "Бэкэнд приложение должно быть настроено на принятие соединений прокси-протокола. Если ваш бэкэнд не поддерживает Прокси-протокол, то включение этой опции прервет все подключения, поэтому включите это только если вы знаете, что вы делаете. Обязательно настройте вашего бэкэнда на доверие заголовкам Proxy Protocol от Traefik.",
    "restarting": "Перезапуск...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Введите подтверждение",
    "blueprintViewDetails": "Подробности",
    "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
-    "defaultIdentityProviderDescription": "Когда выбран поставщик идентификации по умолчанию, пользователь будет автоматически перенаправлен на провайдер для аутентификации.",
+    "defaultIdentityProviderDescription": "Пользователь будет автоматически перенаправлен к этому поставщику удостоверений для аутентификации.",
    "editInternalResourceDialogNetworkSettings": "Настройки сети",
    "editInternalResourceDialogAccessPolicy": "Политика доступа",
    "editInternalResourceDialogAddRoles": "Добавить роли",
@@ -2919,11 +3169,12 @@
    "learnMore": "Узнать больше",
    "backToHome": "Вернуться домой",
    "needToSignInToOrg": "Нужно использовать провайдера идентификаций вашей организации?",
-    "maintenanceMode": "Режим обслуживания",
+    "maintenanceMode": "Страница обслуживания",
    "maintenanceModeDescription": "Показать страницу обслуживания посетителям",
    "maintenanceModeType": "Тип режима обслуживания",
    "showMaintenancePage": "Показать страницу обслуживания посетителям",
    "enableMaintenanceMode": "Включить режим обслуживания",
+    "enableMaintenanceModeDescription": "Когда включено, посетители увидят страницу обслуживания вместо вашего ресурса.",
    "automatic": "Автоматический",
    "automaticModeDescription": "Показывать страницу обслуживания только когда все цели бэкэнда недоступны или неисправны. Ваш ресурс продолжит работать нормально, пока хотя бы одна цель здорова.",
    "forced": "Принудительно",
@@ -2931,6 +3182,8 @@
    "warning:": "Предупреждение:",
    "forcedeModeWarning": "Весь трафик будет направлен на страницу обслуживания. Ваши бекэнд ресурсы не будут получать никакие запросы.",
    "pageTitle": "Заголовок страницы",
+    "maintenancePageContentSubsection": "Содержимое страницы",
+    "maintenancePageContentSubsectionDescription": "Настройте содержимое, отображаемое на странице обслуживания",
    "pageTitleDescription": "Основной заголовок, отображаемый на странице обслуживания",
    "maintenancePageMessage": "Сообщение об обслуживании",
    "maintenancePageMessagePlaceholder": "Мы скоро вернемся! Наш сайт в настоящее время проходит плановое техническое обслуживание.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Предполагаемое завершение:",
    "createInternalResourceDialogDestinationRequired": "Укажите адрес назначения. Это может быть имя хоста или IP-адрес.",
    "available": "Доступно",
+    "disabledResourceDescription": "Когда отключено, ресурс будет недоступен для всех.",
    "archived": "Архивировано",
    "noArchivedDevices": "Архивные устройства не найдены",
    "deviceArchived": "Устройство архивировано",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Перенаправлять события непосредственно на ваш аккаунт в Datadog. Скоро будет доступно.",
    "streamingTypePickerDescription": "Выберите тип назначения, чтобы начать.",
-    "streamingFailedToLoad": "Не удалось загрузить места назначения",
+    "streamingLastSyncError": "Во время последней синхронизации произошла ошибка",
    "streamingUnexpectedError": "Произошла непредвиденная ошибка.",
    "streamingFailedToUpdate": "Не удалось обновить место назначения",
    "streamingDeletedSuccess": "Адрес назначения успешно удален",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Редактировать пункт назначения",
    "S3DestAddTitle": "Добавить S3 пункт назначения",
    "S3DestEditDescription": "Обновите конфигурацию для этого S3 пункта назначения потоковых событий.",
-    "S3DestAddDescription": "Настройте новую S3 конечную точку для получения событий вашей организации.",
+    "S3DestAddDescription": "Настройте новый Amazon S3 (или совместимое S3) хранилище для получения событий вашей организации.",
+    "s3DestTabSettings": "Настройки",
+    "s3DestTabFormat": "Формат",
+    "s3DestNameLabel": "Имя",
+    "s3DestNamePlaceholder": "Моя S3 конечная точка",
+    "s3DestAccessKeyIdLabel": "Идентификатор ключа доступа AWS",
+    "s3DestSecretAccessKeyLabel": "Секретный ключ доступа AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Ваш секретный ключ доступа AWS",
+    "s3DestRegionLabel": "Регион AWS",
+    "s3DestBucketLabel": "Имя хранилища",
+    "s3DestPrefixLabel": "Префикс ключа (по желанию)",
+    "s3DestPrefixDescription": "Необязательный префикс пути, добавляется к каждому ключу объекта. Объекты хранятся в {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Пользовательская конечная точка (по желанию)",
+    "s3DestEndpointDescription": "Переопределите конечную точку S3 для совместимого хранилища, такого как MinIO или Cloudflare R2. Оставьте пустым для стандартного AWS S3.",
+    "s3DestGzipLabel": "Сжатие Gzip",
+    "s3DestGzipDescription": "Сжимайте каждый загруженный объект с помощью gzip. Уменьшает стоимость хранения и размер загрузки.",
+    "s3DestFormatTitle": "Формат файла",
+    "s3DestFormatDescription": "Как события сериализуются внутри каждого загруженного объекта.",
+    "s3DestFormatJsonArrayDescription": "Каждый объект — это JSON массив записей событий. Совместим с большинством аналитических инструментов.",
+    "s3DestFormatNdjsonDescription": "Каждый объект содержит одну запись JSON на строку (JSON, разделённый новой строкой). Совместим с Athena, BigQuery и Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Каждый объект представляет собой CSV файл по стандарту RFC-4180 с заголовочной строкой. Имена столбцов выведены из полей данных событий.",
+    "s3DestSaveChanges": "Сохранить изменения",
+    "s3DestCreateDestination": "Создать конечную точку",
+    "s3DestUpdatedSuccess": "Конечная точка успешно обновлена",
+    "s3DestCreatedSuccess": "Конечная точка успешно создана",
+    "s3DestUpdateFailed": "Не удалось обновить конечную точку",
+    "s3DestCreateFailed": "Не удалось создать конечную точку",
    "datadogDestEditTitle": "Редактировать пункт назначения",
    "datadogDestAddTitle": "Добавить пункт назначения Datadog",
    "datadogDestEditDescription": "Обновите конфигурацию для этого пункта назначения потоковых событий Datadog.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Вы уверены, что хотите рассоединить этого поставщика удостоверений с этой организацией?",
    "idpUnassociateDescription": "Все пользователи, связанные с этим поставщиком удостоверений, будут удалены из этой организации, но поставщик удостоверений будет продолжать существовать для других связанных организаций.",
    "idpUnassociateConfirm": "Подтвердите рассоединение поставщика удостоверений",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "УДАЛИТЬ И ИЗВЛЕЧЬ МЕНЯ ИЗ ОРГАНИЗАЦИИ",
+    "idpUnassociateAndRemoveMeFromOrg": "РАЗОРВАТЬ СВЯЗЬ И УДАЛИТЬ МЕНЯ ИЗ ОРГАНИЗАЦИИ",
    "idpUnassociateWarning": "Это не может быть отменено для этой организации.",
    "idpUnassociatedDescription": "Поставщик удостоверений успешно рассоединен с этой организацией",
    "idpUnassociateMenu": "Рассоединить",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Ресурс отключён",
    "memberPortalShowingResources": "Показаны {start}-{end} из {total} ресурсов",
    "memberPortalPrevious": "Предыдущий",
-    "memberPortalNext": "Следующий"
+    "memberPortalNext": "Следующий",
+    "httpSettings": "Настройки HTTP",
+    "tcpSettings": "Настройки TCP",
+    "udpSettings": "Настройки UDP",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Установление защищенного соединения…",
+    "sshConnecting": "Подключение…",
+    "sshInitializing": "Инициализация…",
+    "sshSignInTitle": "Вход в SSH",
+    "sshSignInDescription": "Введите свои учетные данные SSH для подключения",
+    "sshPasswordTab": "Пароль",
+    "sshPrivateKeyTab": "Закрытый ключ",
+    "sshPrivateKeyField": "Закрытый ключ",
+    "sshPrivateKeyDisclaimer": "Ваш закрытый ключ не хранится и не виден для Pangolin. Вместо этого вы можете использовать краткосрочные сертификаты для бесшовной аутентификации с использованием вашей текущей идентификации Pangolin.",
+    "sshLearnMore": "Узнать больше",
+    "sshPrivateKeyFile": "Файл закрытого ключа",
+    "sshAuthenticate": "Подключиться",
+    "sshTerminate": "Завершить",
+    "sshPoweredBy": "Разработано",
+    "sshErrorNoTarget": "Цель не указана",
+    "sshErrorWebSocket": "Подключение WebSocket не удалось",
+    "sshErrorAuthFailed": "Ошибка аутентификации",
+    "sshErrorConnectionClosed": "Подключение закрыто до завершения аутентификации",
+    "sitePangolinSshDescription": "Разрешить доступ по SSH к ресурсам на этом сайте. Это можно изменить позже.",
+    "browserGatewayNoResourceForDomain": "Ресурс для этого домена не найден",
+    "browserGatewayNoTarget": "Нет цели",
+    "browserGatewayConnect": "Подключиться",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Не удалось подписать ключ SSH для аутентификации через PAM push. Проверьте, вошли ли вы как пользователь?",
+    "sshTerminalError": "Ошибка: {error}",
+    "sshConnectionClosedCode": "Соединение закрыто (код {code})",
+    "sshPrivateKeyPlaceholder": "-----НАЧАЛО ЛИЧНОГО КЛЮЧА OPENSSH-----",
+    "sshPrivateKeyRequired": "Требуется личный ключ",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Введите пароль VNC для подключения",
+    "vncPasswordOptional": "Пароль (необязательно)",
+    "vncNoResourceTarget": "Отсутствует целевой ресурс",
+    "vncFailedToLoadNovnc": "Не удалось загрузить noVNC",
+    "vncAuthFailedStatus": "Статус {status}",
+    "vncPasteClipboard": "Вставить из буфера обмена",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Вход в удаленный рабочий стол",
+    "rdpSignInDescription": "Введите учетные данные Windows для подключения",
+    "rdpLoadingModule": "Загрузка модуля...",
+    "rdpFailedToLoadModule": "Не удалось загрузить модуль RDP",
+    "rdpNotReady": "Не готово",
+    "rdpModuleInitializing": "Модуль RDP все еще инициализируется",
+    "rdpDownloadingFiles": "Загрузка {count} файлов с удалённого сервера…",
+    "rdpDownloadFailed": "Ошибка загрузки: {fileName}",
+    "rdpUploaded": "Загружено: {fileName}",
+    "rdpNoConnectionTarget": "Доступная цель подключения отсутствует",
+    "rdpConnectionFailed": "Ошибка соединения",
+    "rdpFit": "Подгонка",
+    "rdpFull": "Полный",
+    "rdpReal": "Настоящий",
+    "rdpMeta": "Метаданные",
+    "rdpUploadFiles": "Загрузить файлы",
+    "rdpFilesReadyToPaste": "Файлы готовы к вставке",
+    "rdpFilesReadyToPasteDescription": "{count, plural, one {# файл скопирован в удалённый буфер обмена — нажмите Ctrl+V на удалённом рабочем столе, чтобы вставить.} few {# файла скопированы в удалённый буфер обмена — нажмите Ctrl+V на удалённом рабочем столе, чтобы вставить.} many {# файлов скопированы в удалённый буфер обмена — нажмите Ctrl+V на удалённом рабочем столе, чтобы вставить.} other {# файла скопированы в удалённый буфер обмена — нажмите Ctrl+V на удалённом рабочем столе, чтобы вставить.}}",
+    "rdpUploadFailed": "Ошибка загрузки",
+    "rdpUnicodeKeyboardMode": "Режим клавиатуры Unicode",
+    "sessionToolbarShow": "Показать панель инструментов",
+    "sessionToolbarHide": "Скрыть панель инструментов"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Özel Kaynakları Görüntüle",
    "siteInstallNewt": "Newt Yükle",
    "siteInstallNewtDescription": "Newt'i sisteminizde çalıştırma",
+    "siteInstallKubernetesDocsDescription": "Daha fazla ve güncel Kubernetes kurulum bilgileri için <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink> adresini inceleyin.",
+    "siteInstallAdvantechDocsDescription": "Advantech modem kurulum talimatları için <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink> adresini inceleyin.",
    "WgConfiguration": "WireGuard Yapılandırması",
    "WgConfigurationDescription": "Ağınıza bağlanmak için aşağıdaki yapılandırmayı kullanın",
    "operatingSystem": "İşletim Sistemi",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "Yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyaladığınızdan emin olun.",
    "siteInfo": "Site Bilgilendirmesi",
    "status": "Durum",
-    "shareTitle": "Paylaşım Bağlantılarını Yönet",
+    "shareTitle": "Paylaşılabilir Bağlantıları Yönet",
    "shareDescription": "Kaynaklarınıza geçici veya kalıcı erişim sağlamak için paylaşılabilir bağlantılar oluşturun",
-    "shareSearch": "Paylaşım bağlantılarını ara...",
-    "shareCreate": "Paylaşım Bağlantısı Oluştur",
+    "shareSearch": "Paylaşılabilir bağlantıları ara...",
+    "shareCreate": "Paylaşılabilir Bağlantı Oluştur",
    "shareErrorDelete": "Bağlantı silinirken hata oluştu",
    "shareErrorDeleteMessage": "Bağlantı silinirken bir hata oluştu",
    "shareDeleted": "Bağlantı silindi",
    "shareDeletedDescription": "Bağlantı silindi",
+    "shareDelete": "Paylaşılabilir Bağlantıyı Sil",
+    "shareDeleteConfirm": "Paylaşılabilir Bağlantıyı Silmeyi Onayla",
+    "shareQuestionRemove": "Bu paylaşım bağlantısını silmek istediğinizden emin misiniz?",
+    "shareMessageRemove": "Silindikten sonra, bağlantı artık çalışmayacak ve kullanan herkes kaynağa erişimini kaybedecek.",
    "shareTokenDescription": "Erişim jetonunuz iki şekilde iletilebilir: sorgu parametresi olarak veya istek başlıklarında. Kimlik doğrulanmış erişim için her istekten müşteri tarafından iletilmelidir.",
    "accessToken": "Erişim Jetonu",
    "usageExamples": "Kullanım Örnekleri",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "Paylaşım bağlantısı oluşturulurken bir hata oluştu",
    "shareCreateDescription": "Bu bağlantıya sahip olan herkes kaynağa erişebilir",
    "shareTitleOptional": "Başlık (isteğe bağlı)",
+    "sharePathOptional": "Yol (isteğe bağlı)",
+    "sharePathDescription": "Bağlantıdan sonra kullanıcıları bu yola yönlendirecek bağlantıyı tanımlayın.",
    "expireIn": "Süresi Dolacak",
    "neverExpire": "Hiçbir Zaman Sona Ermez",
    "shareExpireDescription": "Son kullanma süresi, bağlantının kullanılabilir ve kaynağa erişim sağlayacak süresidir. Bu süreden sonra bağlantı çalışmayı durduracak ve bu bağlantıyı kullanan kullanıcılar kaynağa erişimini kaybedecektir.",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "Lütfen bir kaynak seçin",
    "proxyResourceTitle": "Herkese Açık Kaynakları Yönet",
    "proxyResourceDescription": "Bir web tarayıcısı aracılığıyla kamuya açık kaynaklar oluşturun ve yönetin",
-    "proxyResourcesBannerTitle": "Web Tabanlı Genel Erişim",
-    "proxyResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla herkesin internette erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine, istemci tarafı yazılıma ihtiyaç duymazlar ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
+    "publicResourcesBannerTitle": "Web tabanlı Açık Erişim",
+    "publicResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla internette herkesin erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine istemci tarafı yazılım gerektirmezler ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
    "clientResourceTitle": "Özel Kaynakları Yönet",
    "clientResourceDescription": "Sadece bağlı bir istemci aracılığıyla erişilebilen kaynakları oluşturun ve yönetin",
    "privateResourcesBannerTitle": "Sıfır Güven Özel Erişim",
@@ -204,11 +212,37 @@
    "resourcesSearch": "Kaynakları ara...",
    "resourceAdd": "Kaynak Ekle",
    "resourceErrorDelte": "Kaynak silinirken hata",
+    "resourcePoliciesBannerTitle": "Kimlik Doğrulama ve Erişim Kurallarını Yeniden Kullan",
+    "resourcePoliciesBannerDescription": "Paylaşılan kaynak politikaları, kimlik doğrulama yöntemlerini ve erişim kurallarını bir kez tanımlamanıza ve ardından bunları birden fazla genel kaynağa bağlamanıza olanak tanır. Bir politikayı güncellediğinizde, bağlı her kaynak değişikliği otomatik olarak devralır.",
+    "resourcePoliciesBannerButtonText": "Daha fazla bilgi",
+    "resourcePoliciesTitle": "Herkese Açık Kaynak Politikalarını Yönetin",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Kaynaklar",
+    "resourcePoliciesAttachedResources": "{count} kaynak",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# kaynak} other {# kaynaklar}}",
+    "resourcePoliciesAttachedResourcesEmpty": "hiçbir kaynak",
+    "resourcePoliciesDescription": "Genel kaynaklarınıza erişimi kontrol etmek için kimlik doğrulama politikalarını oluşturun ve yönetin",
+    "resourcePoliciesSearch": "Politikaları ara...",
+    "resourcePoliciesAdd": "Politika Ekle",
+    "resourcePoliciesDefaultBadgeText": "Varsayılan politika",
+    "resourcePoliciesCreate": "Genel Kaynak Politikası Oluştur",
+    "resourcePoliciesCreateDescription": "Yeni bir politika oluşturmak için aşağıdaki adımları izleyin",
+    "resourcePolicyName": "Politika Adı",
+    "resourcePolicyNameDescription": "Bu politikaya kaynaklarınız arasında kolayca tanımlayabilmek için bir ad verin",
+    "resourcePolicyNamePlaceholder": "örneğin: İç Erişim Politikası",
+    "resourcePoliciesSeeAll": "Tüm Politikaları Gör",
+    "resourcePolicyAuthMethodAdd": "Kimlik Doğrulama Yöntemi Ekle",
+    "resourcePolicyOtpEmailAdd": "OTP e-postaları ekle",
+    "resourcePolicyRulesAdd": "Kurallar Ekle",
+    "resourcePolicyAuthMethodsDescription": "Ek kimlik doğrulama yöntemleri aracılığıyla kaynaklara erişime izin verin",
+    "resourcePolicyUsersRolesDescription": "Hangi kullanıcılar ve rollerin ilgili kaynakları ziyaret edebileceğini yapılandırın",
+    "rulesResourcePolicyDescription": "Bu politikayla ilişkilendirilmiş erişim kaynaklarını kontrol etmek için kuralları yapılandırın",
    "authentication": "Kimlik Doğrulama",
    "protected": "Korunan",
    "notProtected": "Korunmayan",
    "resourceMessageRemove": "Kaldırıldıktan sonra kaynak artık erişilebilir olmayacaktır. Kaynakla ilişkili tüm hedefler de kaldırılacaktır.",
    "resourceQuestionRemove": "Kaynağı organizasyondan kaldırmak istediğinizden emin misiniz?",
+    "resourcePolicyMessageRemove": "Kaldırıldıktan sonra kaynak politikası artık erişilebilir olmayacak. Kaynakla ilişkili tüm öğeler bağlantıları koparılacak ve kimlik doğrulaması olmadan bırakılacaktır.",
+    "resourcePolicyQuestionRemove": "Kaynak politikasını organizasyondan kaldırmak istediğinizden emin misiniz?",
    "resourceHTTP": "HTTPS Kaynağı",
    "resourceHTTPDescription": "Tam nitelikli bir etki alanı adı kullanarak HTTPS üzerinden proxy isteklerini yönlendirin.",
    "resourceRaw": "Ham TCP/UDP Kaynağı",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "Proxy isteklerini bir port numarası kullanarak ham TCP/UDP üzerinden yapın. Sitelerin uzak bir düğüme bağlanması gereklidir.",
    "resourceCreate": "Kaynak Oluştur",
    "resourceCreateDescription": "Yeni bir kaynak oluşturmak için aşağıdaki adımları izleyin",
+    "resourceCreateGeneralDescription": "Adı ve türü dahil temel kaynak ayarlarını yapılandırın",
    "resourceSeeAll": "Tüm Kaynakları Gör",
-    "resourceInfo": "Kaynak Bilgilendirmesi",
+    "resourceCreateGeneral": "Genel",
    "resourceNameDescription": "Bu, kaynak için görünen addır.",
    "siteSelect": "Site seç",
    "siteSearch": "Site ara",
@@ -227,12 +262,15 @@
    "noCountryFound": "Ülke bulunamadı.",
    "siteSelectionDescription": "Bu site hedefe bağlantı sağlayacaktır.",
    "resourceType": "Kaynak Türü",
-    "resourceTypeDescription": "Kaynağınıza nasıl erişmek istediğinizi belirleyin",
+    "resourceTypeDescription": "Bu, kaynak protokolünü ve tarayıcıda nasıl görüntüleneceğini kontrol eder. Bu daha sonra değiştirilemez.",
+    "resourceDomainDescription": "Kaynak bu tam etki alanı adıyla sunulacak.",
    "resourceHTTPSSettings": "HTTPS Ayarları",
    "resourceHTTPSSettingsDescription": "Kaynağınıza HTTPS üzerinden erişimin nasıl sağlanacağını yapılandırın",
+    "resourcePortDescription": "Kaynağa erişilebilecek Pangolin örneği veya düğüm üzerindeki harici bağlantı noktası.",
    "domainType": "Alan Türü",
    "subdomain": "Alt Alan Adı",
    "baseDomain": "Temel Alan Adı",
+    "configure": "Yapılandır",
    "subdomnainDescription": "Kaynağınızın erişilebileceği alt alan adı.",
    "resourceRawSettings": "TCP/UDP Ayarları",
    "resourceRawSettingsDescription": "Kaynaklara TCP/UDP üzerinden nasıl erişileceğini yapılandırın",
@@ -243,14 +281,35 @@
    "back": "Geri",
    "cancel": "İptal",
    "resourceConfig": "Yapılandırma Parçaları",
-    "resourceConfigDescription": "TCP/UDP kaynağınızı kurmak için bu yapılandırma parçalarını kopyalayıp yapıştırın",
+    "resourceConfigDescription": "TCP/UDP kaynağınızı kurmak için bu yapılandırma parçalarını kopyalayıp yapıştırın.",
    "resourceAddEntrypoints": "Traefik: Başlangıç Noktaları Ekleyin",
    "resourceExposePorts": "Gerbil: Docker Compose'da Portları Açın",
    "resourceLearnRaw": "TCP/UDP kaynaklarını nasıl yapılandıracağınızı öğrenin",
    "resourceBack": "Kaynaklara Geri Dön",
    "resourceGoTo": "Kaynağa Git",
+    "resourcePolicyDelete": "Kaynak Politikasını Sil",
+    "resourcePolicyDeleteConfirm": "Kaynak Politikasının Silinmesini Onayla",
    "resourceDelete": "Kaynağı Sil",
    "resourceDeleteConfirm": "Kaynak Silmeyi Onayla",
+    "labelDelete": "Etiketi Sil",
+    "labelAdd": "Etiket Ekle",
+    "labelCreateSuccessMessage": "Etiket Başarıyla Oluşturuldu",
+    "labelDuplicateError": "Yinelenen Etiket",
+    "labelDuplicateErrorDescription": "Bu isimle bir etiket zaten var.",
+    "labelEditSuccessMessage": "Etiket Başarıyla Değiştirildi",
+    "labelNameField": "Etiket Adı",
+    "labelColorField": "Etiket Rengi",
+    "labelPlaceholder": "Örn: homelab",
+    "labelCreate": "Etiket Oluştur",
+    "createLabelDialogTitle": "Etiket Oluştur",
+    "createLabelDialogDescription": "Bu kuruluşa eklenebilecek yeni bir etiket oluşturun",
+    "labelEdit": "Etiketi Düzenle",
+    "editLabelDialogTitle": "Etiketi Güncelle",
+    "editLabelDialogDescription": "Bu kuruluşa eklenebilecek yeni bir etiketi düzenleyin",
+    "labelDeleteConfirm": "Etiketi Silmeyi Onayla",
+    "labelErrorDelete": "Etiket silinirken hata oluştu",
+    "labelMessageRemove": "Bu işlem kalıcıdır. Bu etiket ile etiketlenmiş tüm siteler, kaynaklar ve kullanıcılar etiketsiz kalacaktır.",
+    "labelQuestionRemove": "Etiketi organizasyondan kaldırmak istediğinizden emin misiniz?",
    "visibility": "Görünürlük",
    "enabled": "Etkin",
    "disabled": "Devre Dışı",
@@ -261,6 +320,8 @@
    "rules": "Kurallar",
    "resourceSettingDescription": "Kaynağınızdaki ayarları yapılandırın",
    "resourceSetting": "{resourceName} Ayarları",
+    "resourcePolicySettingDescription": "Bu açık kaynak politikasının ayarlarını yapılandırın",
+    "resourcePolicySetting": "{policyName} Ayarları",
    "alwaysAllow": "Kimlik Doğrulamayı Atla",
    "alwaysDeny": "Erişimi Engelle",
    "passToAuth": "Kimlik Doğrulamasına Geç",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "Kaldırıldığında, bu kullanıcı organizasyona artık erişim sağlayamayacak. Kullanıcı tekrar davet edilebilir, ancak daveti kabul etmesi gerekecek.",
    "userRemoveOrgConfirm": "Kullanıcıyı Kaldırmayı Onayla",
    "userRemoveOrg": "Kullanıcıyı Organizasyondan Kaldır",
+    "userQuestionOrgRemoveSelf": "Bu organizasyondan kendinizi kaldırmak istediğinizden emin misiniz?",
+    "userMessageOrgRemoveSelf": "Erişiminizi hemen kaybedeceksiniz. Bir yönetici daha sonra sizi tekrar davet edebilir, ancak yeni bir daveti kabul etmeniz gerekecek.",
+    "userRemoveOrgConfirmSelf": "Kendimi Kaldırmayı Onayla",
+    "userRemoveOrgSelf": "Kendinizi organizasyondan kaldırın",
+    "userRemoveOrgSelfWarning": "Bu organizasyona erişiminizi anında kaybedeceksiniz.",
+    "userRemoveOrgConfirmPhraseSelf": "KENDİMİ ORGANİZASYONDAN KALDIR",
    "users": "Kullanıcılar",
    "accessRoleMember": "Üye",
    "accessRoleOwner": "Sahip",
@@ -531,6 +598,11 @@
    "emailInvalid": "Geçersiz e-posta adresi",
    "inviteValidityDuration": "Lütfen bir süre seçin",
    "accessRoleSelectPlease": "Lütfen bir rol seçin",
+    "removeOwnAdminRoleConfirmTitle": "Yönetici erişiminizi kaldırmak istiyor musunuz?",
+    "removeOwnAdminRoleConfirmDescription": "Kaydettikten sonra, bu organizasyonda artık yönetici izinleriniz olmayacak. Gerekirse başka bir yönetici erişimi geri yükleyebilir.",
+    "removeOwnAdminRoleConfirmButton": "Yönetici Erişimi Kaldır",
+    "removeOwnAdminRoleConfirmPhrase": "YÖNETİCİ ERİŞİMİMİ KALDIR",
+    "ownerMustRetainAdminRole": "Organizasyon sahibi en az bir yönetici rolü bulundurmalıdır.",
    "usernameRequired": "Kullanıcı adı gereklidir",
    "idpSelectPlease": "Lütfen bir kimlik sağlayıcı seçin",
    "idpGenericOidc": "Genel OAuth2/OIDC sağlayıcısı.",
@@ -615,7 +687,7 @@
    "createdAt": "Oluşturulma Tarihi",
    "proxyErrorInvalidHeader": "Geçersiz özel Ana Bilgisayar Başlığı değeri. Alan adı formatını kullanın veya özel Ana Bilgisayar Başlığını ayarlamak için boş bırakın.",
    "proxyErrorTls": "Geçersiz TLS Sunucu Adı. Alan adı formatını kullanın veya TLS Sunucu Adını kaldırmak için boş bırakılsın.",
-    "proxyEnableSSL": "SSL Etkinleştir",
+    "proxyEnableSSL": "TLS'yi Etkinleştir",
    "proxyEnableSSLDescription": "Hedeflere güvenli HTTPS bağlantıları için SSL/TLS şifrelemesini etkinleştirin.",
    "target": "Hedef",
    "configureTarget": "Hedefleri Yapılandır",
@@ -656,8 +728,9 @@
    "targetSubmit": "Hedef Ekle",
    "targetNoOne": "Bu kaynağın hedefleri yok. Arka uca gönderilecek istekleri yapılandırmak için bir hedef ekleyin.",
    "targetNoOneDescription": "Yukarıdaki birden fazla hedef ekleyerek yük dengeleme etkinleştirilecektir.",
-    "targetsSubmit": "Hedefleri Kaydet",
+    "targetsSubmit": "Ayarları Kaydet",
    "addTarget": "Hedef Ekle",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round robin yönlendirme, aynı düğüme bağlı olmayan siteler arasında çalışmayacaktır, ancak failover çalışacaktır.",
    "targetErrorInvalidIp": "Geçersiz IP adresi",
    "targetErrorInvalidIpDescription": "Lütfen geçerli bir IP adresi veya host adı girin",
    "targetErrorInvalidPort": "Geçersiz port",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "Yinelenen kural",
    "rulesErrorDuplicateDescription": "Bu ayarlara sahip bir kural zaten mevcut",
    "rulesErrorInvalidIpAddressRange": "Geçersiz CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Lütfen geçerli bir CIDR değeri girin",
-    "rulesErrorInvalidUrl": "Geçersiz URL yolu",
-    "rulesErrorInvalidUrlDescription": "Lütfen geçerli bir URL yolu değeri girin",
-    "rulesErrorInvalidIpAddress": "Geçersiz IP",
-    "rulesErrorInvalidIpAddressDescription": "Lütfen geçerli bir IP adresi girin",
+    "rulesErrorInvalidIpAddressRangeDescription": "Geçerli bir CIDR aralığı girin (örneğin, 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Geçersiz yol",
+    "rulesErrorInvalidUrlDescription": "Geçerli bir URL yolu veya deseni girin (örneğin, /api/*).",
+    "rulesErrorInvalidIpAddress": "Geçersiz IP adresi",
+    "rulesErrorInvalidIpAddressDescription": "Geçerli bir IPv4 veya IPv6 adresi girin.",
    "rulesErrorUpdate": "Kurallar güncellenemedi",
    "rulesErrorUpdateDescription": "Kurallar güncellenirken bir hata oluştu",
    "rulesUpdated": "Kuralları Etkinleştir",
@@ -701,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "CIDR formatında bir adres girin (örneğin, 103.21.244.0/22)",
    "rulesMatchIpAddress": "Bir IP adresi girin (örneğin, 103.21.244.12)",
    "rulesMatchUrl": "Bir URL yolu veya deseni girin (örneğin, /api/v1/todos veya /api/v1/*)",
-    "rulesErrorInvalidPriority": "Geçersiz Öncelik",
-    "rulesErrorInvalidPriorityDescription": "Lütfen geçerli bir öncelik girin",
-    "rulesErrorDuplicatePriority": "Yinelenen Öncelikler",
-    "rulesErrorDuplicatePriorityDescription": "Lütfen benzersiz öncelikler girin",
+    "rulesErrorInvalidPriority": "Geçersiz öncelik",
+    "rulesErrorInvalidPriorityDescription": "1 veya daha büyük bir tamsayı girin.",
+    "rulesErrorDuplicatePriority": "Yinelenen öncelikler",
+    "rulesErrorDuplicatePriorityDescription": "Her kuralın benzersiz bir öncelik numarası olmalıdır.",
+    "rulesErrorValidation": "Geçersiz kurallar",
+    "rulesErrorValidationRuleDescription": "Kural {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Geçerli bir eşleşme türünü seçin (yol, IP, CIDR, ülke, bölge veya ASN).",
+    "rulesErrorValueRequired": "Bu kural için bir değer girin.",
+    "rulesErrorInvalidCountry": "Geçersiz ülke",
+    "rulesErrorInvalidCountryDescription": "Geçerli bir ülke seçin.",
+    "rulesErrorInvalidAsn": "Geçersiz ASN",
+    "rulesErrorInvalidAsnDescription": "Geçerli bir ASN girin (örneğin, AS15169).",
    "ruleUpdated": "Kurallar güncellendi",
    "ruleUpdatedDescription": "Kurallar başarıyla güncellendi",
    "ruleErrorUpdate": "Operasyon başarısız oldu",
    "ruleErrorUpdateDescription": "Kaydetme operasyonu sırasında bir hata oluştu",
    "rulesPriority": "Öncelik",
+    "rulesReorderDragHandle": "Kural önceliğini yeniden sıralamak için sürükleyin",
    "rulesAction": "Aksiyon",
    "rulesMatchType": "Eşleşme Türü",
    "value": "Değer",
@@ -728,9 +810,60 @@
    "rulesResource": "Kaynak Kuralları Yapılandırması",
    "rulesResourceDescription": "Kaynağa erişimi kontrol etmek için kuralları yapılandırın",
    "ruleSubmit": "Kural Ekle",
-    "rulesNoOne": "Kural yok. Formu kullanarak bir kural ekleyin.",
+    "rulesNoOne": "Henüz kural yok.",
    "rulesOrder": "Kurallar, artan öncelik sırasına göre değerlendirilir.",
    "rulesSubmit": "Kuralları Kaydet",
+    "policyErrorCreate": "Politika oluşturulurken hata oluştu",
+    "policyErrorCreateDescription": "Politikayı oluştururken bir hata oluştu",
+    "policyErrorCreateMessageDescription": "Beklenmeyen bir hata oluştu",
+    "policyErrorUpdate": "Politika güncellenirken hata oluştu",
+    "policyErrorUpdateDescription": "Policayı güncellerken bir hata oluştu",
+    "policyErrorUpdateMessageDescription": "Beklenmeyen bir hata oluştu",
+    "policyCreatedSuccess": "Kaynak politikası başarıyla oluşturuldu",
+    "policyUpdatedSuccess": "Kaynak politikası başarıyla güncellendi",
+    "authMethodsSave": "Ayarları Kaydet",
+    "policyAuthStackTitle": "Kimlik Doğrulama",
+    "policyAuthStackDescription": "Bu kaynağa erişim için hangi kimlik doğrulama yöntemlerinin gerekli olduğuna karar verin",
+    "policyAuthOrLogicTitle": "Birden fazla kimlik doğrulama yöntemi etkin",
+    "policyAuthOrLogicBanner": "Ziyaretçiler aşağıdaki etkin yöntemlerden herhangi birini kullanarak kimlik doğrulaması yapabilirler. Hepsini tamamlamaları gerekmez.",
+    "policyAuthMethodActive": "Etkin",
+    "policyAuthMethodOff": "Kapalı",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Organizasyonunuzun kimlik sağlayıcısı üzerinden oturum açmayı zorunlu kılın",
+    "policyAuthSsoSummary": "{idp} · {users} kullanıcısı, {roles} rolü",
+    "policyAuthSsoDefaultIdp": "Varsayılan sağlayıcı",
+    "policyAuthAddDefaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı Ekle",
+    "policyAuthOtherMethodsTitle": "Diğer Yöntemler",
+    "policyAuthOtherMethodsDescription": "Ziyaretçilerin platform SSO yerine veya yanı sıra kullanabileceği isteğe bağlı yöntemler",
+    "policyAuthPasscodeTitle": "Şifre",
+    "policyAuthPasscodeDescription": "Kaynağa erişim için paylaşılan bir alfasayısal şifre gerektir",
+    "policyAuthPasscodeSummary": "Şifre ayarlandı",
+    "policyAuthPincodeTitle": "PIN Kodu",
+    "policyAuthPincodeDescription": "Kaynağa erişim için kısa bir sayısal kod gereklidir",
+    "policyAuthPincodeSummary": "6 haneli PIN ayarlandı",
+    "policyAuthEmailTitle": "E-posta Beyaz Listesi",
+    "policyAuthEmailDescription": "Listelenen e-posta adreslerine tek kullanımlık parolalarla izin verin",
+    "policyAuthEmailSummary": "{count} adres izinli",
+    "policyAuthEmailOtpCallout": "E-posta beyaz listesinin etkinleştirilmesiyle ziyaretçinin girişinde bir kereye mahsus parola e-postasına gönderilecektir.",
+    "policyAuthHeaderAuthTitle": "Temel Başlık Kimlik Doğrulama",
+    "policyAuthHeaderAuthDescription": "Her istekte özel bir HTTP başlık adını ve değerini doğrulayın",
+    "policyAuthHeaderAuthSummary": "Başlık yapılandırıldı",
+    "policyAuthHeaderName": "Başlık adı",
+    "policyAuthHeaderValue": "Beklenen değer",
+    "policyAuthSetPasscode": "Şifreyi Ayarla",
+    "policyAuthSetPincode": "PIN Kodunu Ayarla",
+    "policyAuthSetEmailWhitelist": "E-posta Beyaz Listesini Ayarla",
+    "policyAuthSetHeaderAuth": "Temel Başlık Kimlik Doğrulamasını Ayarla",
+    "policyAccessRulesTitle": "Erişim Kuralları",
+    "policyAccessRulesEnableDescription": "Etkinleştirildiğinde, kurallar azalan sırayla değerlendirilecektir ve biri doğru olarak değerlendirildiğinde diğerine geçilecektir.",
+    "policyAccessRulesFirstMatch": "Kurallar yukarıdan aşağıya doğru değerlendirilir. İlk eşleşen kural sonucu belirler.",
+    "policyAccessRulesHowItWorks": "Kurallar, yol, IP adresi, konum veya başka kriterlere göre talepleri eşleştirir. Her kural bir eylem uygular: kimlik doğrulamayı atla, erişimi engelle veya kimlik doğrulaması için geçici olarak geç.",
+    "policyAccessRulesFallthroughOff": "Kurallar devre dışı bırakıldığında, tüm trafik kimlik doğrulamasına geçer.",
+    "policyAccessRulesFallthroughOn": "Herhangi bir kural eşleşmediğinde trafik kimlik doğrulamasına geçer.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "Kuralları Kaydet",
    "resourceErrorCreate": "Kaynak oluşturma hatası",
    "resourceErrorCreateDescription": "Kaynak oluşturulurken bir hata oluştu",
    "resourceErrorCreateMessage": "Kaynak oluşturma hatası:",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Kaynak güncellenirken bir hata oluştu",
    "access": "Erişim",
    "accessControl": "Erişim Kontrolü",
-    "shareLink": "{resource} Paylaşım Bağlantısı",
+    "shareLink": "{resource} Paylaşılabilir Bağlantı",
    "resourceSelect": "Kaynak seçin",
-    "shareLinks": "Paylaşım Bağlantıları",
+    "shareLinks": "Paylaşılabilir Bağlantılar",
    "share": "Paylaşılabilir Bağlantılar",
    "shareDescription2": "Kaynaklarınıza geçici veya sınırsız erişim sağlamak için paylaşılabilir bağlantılar oluşturun. Bağlantı oluştururken sona erme süresini yapılandırabilirsiniz.",
    "shareEasyCreate": "Kolayca oluştur ve paylaş",
@@ -794,6 +927,17 @@
    "pincodeAdd": "PIN Kodu Ekle",
    "pincodeRemove": "PIN Kodu Kaldır",
    "resourceAuthMethods": "Kimlik Doğrulama Yöntemleri",
+    "resourcePolicyAuthMethodsEmpty": "Kimlik doğrulama yöntemi yok",
+    "resourcePolicyOtpEmpty": "Tek seferlik parola yok",
+    "resourcePolicyReadOnly": "Bu politika yalnızca okumalıdır",
+    "resourcePolicyReadOnlyDescription": "Bu kaynak politikası birden fazla kaynakla paylaşılmaktadır, bu sayfada düzenleyemezsiniz.",
+    "editSharedPolicy": "Paylaşılan Politikayı Düzenle",
+    "resourcePolicyTypeSave": "Kaynak türünü kaydet",
+    "resourcePolicySelect": "Kaynak politikasını seçin",
+    "resourcePolicySelectError": "Bir kaynak politikası seçin",
+    "resourcePolicyNotFound": "Politika bulunamadı",
+    "resourcePolicySearch": "Politikaları ara",
+    "resourcePolicyRulesEmpty": "Kimlik doğrulama kuralı yok",
    "resourceAuthMethodsDescriptions": "Ek kimlik doğrulama yöntemleriyle kaynağa erişime izin verin",
    "resourceAuthSettingsSave": "Başarıyla kaydedildi",
    "resourceAuthSettingsSaveDescription": "Kimlik doğrulama ayarları kaydedildi",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "Pincode Ayarla",
    "resourcePincodeSetupTitleDescription": "Bu kaynağı korumak için bir pincode ayarlayın",
    "resourceRoleDescription": "Yöneticiler her zaman bu kaynağa erişebilir.",
+    "resourcePolicySelectTitle": "Kaynak Erişim Politikası",
+    "resourcePolicySelectDescription": "Kimlik doğrulama için kaynak politika türünü seçin",
+    "resourcePolicyTypeLabel": "Politika türü",
+    "resourcePolicyLabel": "Kaynak politikası",
+    "resourcePolicyInline": "Satır İçi Kaynak Politikası",
+    "resourcePolicyInlineDescription": "Erişim Politikası sadece bu kaynağa yönelik",
+    "resourcePolicyShared": "Paylaşılan Kaynak Politikası",
+    "resourcePolicySharedDescription": "Bu kaynak bir paylaşılan politika kullanıyor.",
+    "sharedPolicy": "Paylaşılan Politika",
+    "sharedPolicyNoneDescription": "Bu kaynağın kendi politikası var.",
+    "resourceSharedPolicyOwnDescription": "Bu kaynak, kendi kimlik doğrulama ve erişim kuralları denetimlerine sahiptir.",
+    "resourceSharedPolicyInheritedDescription": "Bu kaynak <policyLink>{policyName}</policyLink>'dan devralmaktadır.",
+    "resourceSharedPolicyAuthenticationNotice": "Bu kaynak bir ortak politika kullanıyor. Politikayı eklemek için kimlik doğrulama ayarlarını bu kaynakta düzenleyebilirsiniz. Altta yatan politikayı değiştirmek için <policyLink>{policyName}</policyLink> düzenlemelisiniz.",
+    "resourceSharedPolicyRulesNotice": "Bu kaynak bir paylaşılan politika kullanıyor. Bazı erişim kuralları bu kaynakta düzenlenebilir. Temel politikayı değiştirmek için, <policyLink>{policyName}</policyLink> düzenlemeniz gerekecektir.",
    "resourceUsersRoles": "Erişim Kontrolleri",
    "resourceUsersRolesDescription": "Bu kaynağı kimlerin ziyaret edebileceği kullanıcıları ve rolleri yapılandırın",
    "resourceUsersRolesSubmit": "Erişim Kontrollerini Kaydet",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "Görünürlük",
    "resourceVisibilityTitleDescription": "Kaynak görünürlüğünü tamamen etkinleştirin veya devre dışı bırakın",
    "resourceGeneral": "Genel Ayarlar",
-    "resourceGeneralDescription": "Bu kaynak için genel ayarları yapılandırın",
+    "resourceGeneralDescription": "Bu kaynak için ad, adres ve erişim politikası yapılandırın.",
+    "resourceGeneralDetailsSubsection": "Kaynak Detayları",
+    "resourceGeneralDetailsSubsectionDescription": "Bu kaynak için görüntülenen adı, tanıtıcıyı ve herkesin erişebileceği alan adını belirleyin.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Bu kaynak için görüntülenen adı, tanıtıcıyı ve halka açık portu ayarlayın.",
+    "resourceGeneralPublicAddressSubsection": "Genel Adres",
+    "resourceGeneralPublicAddressSubsectionDescription": "Kullanıcıların bu kaynağa nasıl ulaşacağını yapılandırın.",
+    "resourceGeneralAuthenticationAccessSubsection": "Kimlik Doğrulama ve Erişim",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Bu kaynağın kendi politikasını mı yoksa ortak bir politikadan mı devralacağını seçin.",
    "resourceEnable": "Kaynağı Etkinleştir",
    "resourceTransfer": "Kaynağı Aktar",
    "resourceTransferDescription": "Bu kaynağı farklı bir siteye aktarın",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "{name} ile bağlantı kurarken bir sorun meydana geldi. Lütfen yöneticiye danışın.",
    "idpErrorNotFound": "IdP bulunamadı",
    "inviteInvalid": "Geçersiz Davet",
+    "labels": "Etiketler",
+    "orgLabelsDescription": "Bu organizasyondaki etiketleri yönetin.",
+    "addLabels": "Etiketler ekle",
+    "siteLabelsTab": "Etiketler",
+    "siteLabelsDescription": "Bu siteyle ilişkili etiketleri yönetin.",
+    "labelsNotFound": "Etiket bulunamadı.",
+    "labelsEmptyCreateHint": "Etiket oluşturmak için yukarıdan yazmaya başlayın.",
+    "labelSearch": "Etiket ara",
+    "labelSearchOrCreate": "Etiket arayın veya oluşturun",
+    "accessLabelFilterCount": "{count, plural, one {# etiket} other {# etiketler}}",
+    "labelOverflowCount": "+{count, plural, one {# etiket} other {# etiketler}}",
+    "accessLabelFilterClear": "Etiket filtrelerini temizle",
+    "accessFilterClear": "Filtreleri temizle",
+    "selectColor": "Renk seç",
+    "createNewLabel": "Yeni kuruluş etiketi \"{label}\" oluştur",
    "inviteInvalidDescription": "Davet bağlantısı geçersiz.",
    "inviteErrorWrongUser": "Davet bu kullanıcı için değil",
    "inviteErrorUserNotExists": "Kullanıcı mevcut değil. Lütfen önce bir hesap oluşturun.",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "Kaynaklar",
    "sidebarProxyResources": "Herkese Açık",
    "sidebarClientResources": "Özel",
+    "sidebarPolicies": "Paylaşılan Politikalar",
+    "sidebarResourcePolicies": "Açık Kaynaklar",
    "sidebarAccessControl": "Erişim Kontrolü",
    "sidebarLogsAndAnalytics": "Kayıtlar & Analitik",
    "sidebarTeam": "Ekip",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "Yönetici",
    "sidebarInvitations": "Davetiye",
    "sidebarRoles": "Roller",
-    "sidebarShareableLinks": "Bağlantılar",
+    "sidebarShareableLinks": "Paylaşılabilir Bağlantılar",
    "sidebarApiKeys": "API Anahtarları",
    "sidebarProvisioning": "Tedarik",
    "sidebarSettings": "Ayarlar",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "Site {id}",
    "standaloneHcFilterResourceIdFallback": "Kaynak {id}",
    "blueprints": "Planlar",
-    "blueprintsDescription": "Deklaratif yapılandırmaları uygulayın ve önceki çalışmaları görüntüleyin",
+    "blueprintsLog": "Şablonlar Günlüğü",
+    "blueprintsDescription": "Geçmiş plan uygulamalarını ve sonuçlarını görüntüleyin veya yeni bir plan uygulayın",
    "blueprintAdd": "Plan Ekle",
    "blueprintGoBack": "Tüm Planları Gör",
    "blueprintCreate": "Plan Oluştur",
@@ -1559,7 +1742,17 @@
    "contents": "İçerik",
    "parsedContents": "Verilerin Ayrıştırılmış İçeriği (Salt Okunur)",
    "enableDockerSocket": "Docker Soketini Etkinleştir",
-    "enableDockerSocketDescription": "Plan etiketleri için Docker Socket etiket toplamasını etkinleştirin. Newt'e soket yolu sağlanmalıdır.",
+    "enableDockerSocketDescription": "Plan etiketleri için Docker Socket etiket toplamasını etkinleştirin. Site bağlantısına soket yolu sağlanmalıdır. Bunun nasıl çalıştığını <docsLink>belgelemede</docsLink> okuyun.",
+    "newtAutoUpdate": "Site Otomatik-Güncellemesini Etkinleştir",
+    "newtAutoUpdateDescription": "Etkinleştirildiğinde, site konektörleri en son versiyonu otomatik olarak indirir ve yeniden başlar. Bu, site bazında geçersiz kılınabilir.",
+    "siteAutoUpdate": "Site Otomatik-Güncellemesi",
+    "siteAutoUpdateLabel": "Otomatik Güncellemeyi Etkinleştir",
+    "siteAutoUpdateDescription": "Etkinleştirildiğinde, bu sitenin konektörü en son versiyonu otomatik olarak indirir ve kendini yeniden başlatır.",
+    "siteAutoUpdateOrgDefault": "Kuruluş varsayılanı: {state}",
+    "siteAutoUpdateOverriding": "Kuruluş ayarını geçersiz kılıyor",
+    "siteAutoUpdateResetToOrg": "Kuruluş Varsayılanına Sıfırla",
+    "siteAutoUpdateEnabled": "etkin",
+    "siteAutoUpdateDisabled": "devre dışı",
    "viewDockerContainers": "Docker Konteynerlerini Görüntüle",
    "containersIn": "{siteName} içindeki konteynerler",
    "selectContainerDescription": "Bu hedef için bir ana bilgisayar adı olarak kullanmak üzere herhangi bir konteyner seçin. Bir bağlantı noktası kullanmak için bir bağlantı noktasına tıklayın.",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "Sertifika",
    "certificateStatusAutoRefreshHint": "Durum otomatik olarak yenilenir.",
    "loading": "Yükleniyor",
+    "loadingEllipsis": "Yükleniyor...",
    "loadingAnalytics": "Analiz Yükleniyor",
    "restart": "Yeniden Başlat",
    "domains": "Alan Adları",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "Hesap kurulumu tamamlandı! Pangolin'e hoş geldiniz!",
    "documentation": "Dokümantasyon",
    "saveAllSettings": "Tüm Ayarları Kaydet",
-    "saveResourceTargets": "Hedefleri Kaydet",
-    "saveResourceHttp": "Proxy Ayarlarını Kaydet",
-    "saveProxyProtocol": "Proxy protokol ayarlarını kaydet",
+    "saveResourceTargets": "Ayarları Kaydet",
+    "saveResourceHttp": "Ayarları Kaydet",
+    "saveProxyProtocol": "Ayarları Kaydet",
    "settingsUpdated": "Ayarlar güncellendi",
    "settingsUpdatedDescription": "Ayarlar başarıyla güncellendi",
    "settingsErrorUpdate": "Ayarlar güncellenemedi",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "Kendi barındırdığınız ücretli lisans anahtarları için aboneliğinizi yönetin",
    "billingCurrentKeys": "Mevcut Anahtarlar",
    "billingModifyCurrentPlan": "Mevcut Planı Düzenle",
+    "billingManageLicenseSubscriptionDescription": "Ücretli kendi barındırdığı lisans anahtarları için aboneliğinizi yönetin ve faturaları indirin.",
    "billingConfirmUpgrade": "Yükseltmeyi Onayla",
    "billingConfirmDowngrade": "Düşürmeyi Onayla",
    "billingConfirmUpgradeDescription": "Planınızı yükseltmek üzeresiniz. Yeni limitleri ve fiyatları aşağıda inceleyin.",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "Bilinmiyor",
    "healthCheck": "Sağlık Kontrolü",
    "configureHealthCheck": "Sağlık Kontrolünü Yapılandır",
-    "configureHealthCheckDescription": "{hedef} için sağlık izleme kurun",
+    "configureHealthCheckDescription": "Kaynağınızın her zaman erişilebilir olduğundan emin olmak için izleme kurun",
    "enableHealthChecks": "Sağlık Kontrollerini Etkinleştir",
    "healthCheckDisabledStateDescription": "Devre dışı bırakıldığında, site sağlık kontrolleri yapmaz ve durum bilinmeyen olarak kabul edilecektir.",
    "enableHealthChecksDescription": "Bu hedefin sağlığını izleyin. Gerekirse hedef dışındaki bir son noktayı izleyebilirsiniz.",
    "healthScheme": "Yöntem",
    "healthSelectScheme": "Yöntem Seç",
-    "healthCheckPortInvalid": "Sağlık Kontrolü portu 1 ile 65535 arasında olmalıdır",
+    "healthCheckPortInvalid": "Bağlantı noktası 1 ile 65535 arasında olmalıdır",
    "healthCheckPath": "Yol",
    "healthHostname": "IP / Hostname",
    "healthPort": "Bağlantı Noktası",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "Zaman saniye cinsindendir",
    "requireDeviceApproval": "Cihaz Onaylarını Gerektir",
    "requireDeviceApprovalDescription": "Bu role sahip kullanıcıların yeni cihazlarının bağlanabilmesi ve kaynaklara erişebilmesi için bir yönetici tarafından onaylanması gerekiyor.",
+    "sshSettings": "SSH Ayarları",
    "sshAccess": "SSH Erişimi",
+    "rdpSettings": "RDP Ayarları",
+    "vncSettings": "VNC Ayarları",
+    "sshServer": "SSH Sunucusu",
+    "rdpServer": "RDP Sunucusu",
+    "vncServer": "VNC Sunucusu",
+    "sshServerDescription": "Kimlik doğrulama yöntemi, daemon konumu ve sunucu hedefini ayarlayın",
+    "rdpServerDescription": "RDP sunucusunun hedefini ve bağlantı noktasını yapılandırın",
+    "vncServerDescription": "VNC sunucusunun hedefini ve bağlantı noktasını yapılandırın",
+    "sshServerMode": "Mod",
+    "sshServerModeStandard": "Standart SSH Sunucusu",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Ağ üzerinden OpenSSH gibi bir SSH sunucusuna komutlar gönderir.",
+    "sshServerModeNative": "Yerel SSH Sunucusu",
+    "sshServerModeNativeDescription": "Site Bağlayıcısı üzerinden doğrudan ana bilgisayarda komutları çalıştırır. Ağ yapılandırması gerekmez.",
+    "sshAuthenticationMethod": "Kimlik Doğrulama Yöntemi",
+    "sshAuthMethodManual": "Manuel Kimlik Doğrulama",
+    "sshAuthMethodManualDescription": "Mevcut ana bilgisayar kimlik bilgileri gerektiriyor. Otomatik sağlama işlemini atlar.",
+    "sshAuthMethodAutomated": "Otomatik Sağlama",
+    "sshAuthMethodAutomatedDescription": "Ana bilgisayarda otomatik olarak kullanıcılar, gruplar ve sudo izinleri oluşturur.",
+    "sshAuthDaemonLocation": "Kimlik Doğrulama Daemon Konumu",
+    "sshDaemonLocationSiteDescription": "Site bağdaştırıcısını misafir eden makinada yerel olarak çalıştırır.",
+    "sshDaemonLocationRemote": "Uzak Ana Bilgisayarda",
+    "sshDaemonLocationRemoteDescription": "Aynı ağda ayrı bir hedef makinede çalıştırır.",
+    "sshDaemonDisclaimer": "Bu kurulumu tamamlamadan önce hedef ana bilgisayarınızın kimlik doğrulama daemonunu çalıştıracak şekilde düzgün yapılandırıldığından emin olun, aksi takdirde sağlama başarısız olur.",
+    "sshDaemonPort": "Daemon Bağlantı Noktası",
+    "sshServerDestination": "Sunucu Hedefi",
+    "sshServerDestinationDescription": "SSH sunucusunun hedefini yapılandırın",
+    "destination": "Hedef",
+    "destinationRequired": "Hedef gereklidir.",
+    "domainRequired": "Alan adı gereklidir.",
+    "proxyPortRequired": "Bağlantı noktası gereklidir.",
+    "invalidPathConfiguration": "Geçersiz yol yapılandırması.",
+    "invalidRewritePathConfiguration": "Geçersiz yol yeniden yazma yapılandırması.",
+    "bgTargetMultiSiteDisclaimer": "Birden fazla site seçmek, yüksek erişilebilirlik için dayanıklı yönlendirme ve failover sağlar.",
    "roleAllowSsh": "SSH'a İzin Ver",
    "roleAllowSshAllow": "İzin Ver",
    "roleAllowSshDisallow": "İzin Verme",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Kullanıcı sadece belirtilen komutları sudo ile çalıştırabilir.",
    "sshSudo": "Sudo'ya izin ver",
    "sshSudoCommands": "Sudo Komutları",
-    "sshSudoCommandsDescription": "Kullanıcının sudo ile çalıştırmasına izin verilen komutların virgülle ayrılmış listesi.",
+    "sshSudoCommandsDescription": "Kullanıcının 'sudo' ile çalıştırmasına izin verilen komutlar listesi noktalı virgülle, boşluk veya yeni satırla ayrılmalıdır. Mutlak yollar kullanılmalıdır.",
    "sshCreateHomeDir": "Ev Dizini Oluştur",
    "sshUnixGroups": "Unix Grupları",
-    "sshUnixGroupsDescription": "Hedef konakta kullanıcıya eklenecek Unix gruplarının virgülle ayrılmış listesi.",
+    "sshUnixGroupsDescription": "Hedef ana bilgisayardaki kullanıcıya eklemek için Unix grupları, noktalı virgülle, boşluk veya yeni satırla ayrılmalıdır.",
+    "roleTextFieldPlaceholder": "Değerleri girin veya bir .txt veya .csv dosyası bırakın",
+    "roleTextImportTitle": "Dosyadan İçe Aktar",
+    "roleTextImportDescription": "{fileName} dosyası {fieldLabel} alanına içe aktarılıyor.",
+    "roleTextImportSkipHeader": "İlk Satırı Atla (Başlık)",
+    "roleTextImportOverride": "Mevcut Olanın Yerine Yaz",
+    "roleTextImportAppend": "Mevcut olana Ekle",
+    "roleTextImportMode": "İçe Aktarma Modu",
+    "roleTextImportPreview": "Seçilen Dosya",
+    "roleTextImportItemCount": "{count, plural, =0 {İçe aktarılacak öğe yok} one {İçe aktarılacak 1 öğe} other {İçe aktarılacak # öğe}}",
+    "roleTextImportTotalCount": "{existing} mevcut + {imported} ithal = {total} toplam",
+    "roleTextImportConfirm": "İçe Aktar",
+    "roleTextImportInvalidFile": "Desteklenmeyen dosya türü",
+    "roleTextImportInvalidFileDescription": "Yalnızca .txt ve .csv dosyaları desteklenir.",
+    "roleTextImportEmpty": "Dosyada öğe bulunamadı",
+    "roleTextImportEmptyDescription": "Dosya, içe aktarılabilir öğe içermiyor.",
    "retryAttempts": "Tekrar Deneme Girişimleri",
    "expectedResponseCodes": "Beklenen Yanıt Kodları",
    "expectedResponseCodesDescription": "Sağlıklı durumu gösteren HTTP durum kodu. Boş bırakılırsa, 200-300 arası sağlıklı kabul edilir.",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Şema",
-    "editInternalResourceDialogEnableSsl": "SSL'i Etkinleştir",
+    "editInternalResourceDialogEnableSsl": "TLS'yi Etkinleştir",
    "editInternalResourceDialogEnableSslDescription": "Hedefe güvenli HTTPS bağlantıları için SSL/TLS şifrelemeyi etkinleştirin.",
    "editInternalResourceDialogDestination": "Hedef",
    "editInternalResourceDialogDestinationHostDescription": "Site ağındaki kaynağın IP adresi veya ana bilgisayar adı.",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Şema",
    "createInternalResourceDialogScheme": "Şema",
-    "createInternalResourceDialogEnableSsl": "SSL'i Etkinleştir",
+    "createInternalResourceDialogEnableSsl": "TLS'yi Etkinleştir",
    "createInternalResourceDialogEnableSslDescription": "Hedefe güvenli HTTPS bağlantıları için SSL/TLS şifrelemeyi etkinleştirin.",
    "createInternalResourceDialogDestination": "Hedef",
    "createInternalResourceDialogDestinationHostDescription": "Site ağındaki kaynağın IP adresi veya ana bilgisayar adı.",
@@ -2217,7 +2464,7 @@
        "description": "Daha güvenilir ve düşük bakım gerektiren, ekstra özelliklere sahip kendi kendine barındırabileceğiniz Pangolin sunucusu",
        "introTitle": "Yönetilen Kendi Kendine Barındırılan Pangolin",
        "introDescription": "Bu, basitlik ve ekstra güvenilirlik arayan, ancak verilerini gizli tutmak ve kendi sunucularında barındırmak isteyen kişiler için tasarlanmış bir dağıtım seçeneğidir.",
-        "introDetail": "Bu seçenekle, kendi Pangolin düğümünüzü çalıştırmaya devam edersiniz - tünelleriniz, SSL bitişiniz ve trafiğiniz tamamen sunucunuzda kalır. Fark, yönetim ve izlemeyi bulut panomuz üzerinden gerçekleştiririz, bu da bir dizi avantaj sağlar:",
+        "introDetail": "Bu seçenekle, kendi Pangolin düğümünüzü çalıştırmaya devam edersiniz - tünelleriniz, TLS bitişiniz ve trafiğiniz tamamen sunucunuzda kalır. Fark, yönetim ve izlemeyi bulut panomuz üzerinden gerçekleştiririz, bu da bir dizi avantaj sağlar:",
        "benefitSimplerOperations": {
            "title": "Daha basit işlemler",
            "description": "Kendi e-posta sunucunuzu çalıştırmanıza veya karmaşık uyarılar kurmanıza gerek yok. Sağlık kontrolleri ve kesinti uyarılarını kutudan çıktığı gibi alırsınız."
@@ -2652,6 +2899,8 @@
    "validPassword": "Geçerli Şifre",
    "validEmail": "Geçerli E-posta",
    "validSSO": "Geçerli SSO",
+    "view": "Görüntüle",
+    "configManaged": "Yapılandırma Yönetildi",
    "connectedClient": "Bağlı İstemci",
    "resourceBlocked": "Kaynak Engellendi",
    "droppedByRule": "Kurallara Göre Çıkartıldı",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "Proxy Protokolünü Etkinleştir",
    "proxyProtocolInfo": "TCP ara yüzlerini koruyarak istemci IP adreslerini saklayın",
    "proxyProtocolVersion": "Proxy Protokol Versiyonu",
-    "version1": " Versiyon 1 (Önerilen)",
+    "version1": "Versiyon 1 (Önerilen)",
    "version2": "Versiyon 2",
-    "versionDescription": "Versiyon 1 metin tabanlı ve yaygın olarak desteklenir. Versiyon 2 ise ikili ve daha verimlidir ama daha az uyumludur.",
+    "version1Description": "Metin tabanlı ve yaygın olarak desteklenmektedir. Sunucu taşımacılığının dinamik yapılandırmaya eklenmiş olduğundan emin olun.",
+    "version2Description": "İkili ve daha verimli ama daha az uyumlu. Sunucu taşımasının dinamik yapılandırmaya eklendiğinden emin olun.",
    "warning": "Uyarı",
    "proxyProtocolWarning": "Arka uç uygulamanız, Proxy Protokol bağlantılarını kabul etmek üzere yapılandırılmalıdır. Arka ucunuz Proxy Protokolünü desteklemiyorsa, bunu etkinleştirmek tüm bağlantıları koparır. Traefik'ten gelen Proxy Protokol başlıklarına güvenecek şekilde arka ucunuzu yapılandırdığınızdan emin olun.",
    "restarting": "Yeniden Başlatılıyor...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "Onayı girin",
    "blueprintViewDetails": "Detaylar",
    "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
-    "defaultIdentityProviderDescription": "Varsayılan bir kimlik sağlayıcı seçildiğinde, kullanıcı kimlik doğrulaması için otomatik olarak sağlayıcıya yönlendirilecektir.",
+    "defaultIdentityProviderDescription": "Kullanıcı, kimlik doğrulama için bu kimlik sağlayıcısına otomatik olarak yönlendirilecektir.",
    "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
    "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
    "editInternalResourceDialogAddRoles": "Roller Ekle",
@@ -2919,11 +3169,12 @@
    "learnMore": "Daha fazla bilgi",
    "backToHome": "Ana sayfaya geri dön",
    "needToSignInToOrg": "Kuruluşunuzun kimlik sağlayıcısını kullanmanız mı gerekiyor?",
-    "maintenanceMode": "Bakım Modu",
+    "maintenanceMode": "Bakım Sayfası",
    "maintenanceModeDescription": "Ziyaretçilere bir bakım sayfası gösterin",
    "maintenanceModeType": "Bakım Modu Türü",
    "showMaintenancePage": "Ziyaretçilere bir bakım sayfası gösterin",
    "enableMaintenanceMode": "Bakım Modunu Etkinleştir",
+    "enableMaintenanceModeDescription": "Etkinleştirildiğinde, ziyaretçiler kaynak yerine bir bakım sayfası görecekler.",
    "automatic": "Otomatik",
    "automaticModeDescription": "Tüm arka uç hedefleri kapalı veya sağlıksız olduğunda yalnızca bakım sayfasını gösterin. Sağlıklı en az bir hedef olduğu sürece kaynağınız normal şekilde çalışmaya devam eder.",
    "forced": "Zorunlu",
@@ -2931,6 +3182,8 @@
    "warning:": "Uyarı:",
    "forcedeModeWarning": "Tüm trafik bakım sayfasına yönlendirilecek. Arka plan kaynaklarınız herhangi bir isteği almayacaktır.",
    "pageTitle": "Sayfa Başlığı",
+    "maintenancePageContentSubsection": "Sayfa İçeriği",
+    "maintenancePageContentSubsectionDescription": "Bakım sayfasında gösterilen içeriği özelleştirin",
    "pageTitleDescription": "Bakım sayfasında gösterilen ana başlık",
    "maintenancePageMessage": "Bakım Mesajı",
    "maintenancePageMessagePlaceholder": "Yakında geri döneceğiz! Sitemiz şu anda planlı bakım altındadır.",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "Tahmini Tamamlama:",
    "createInternalResourceDialogDestinationRequired": "Hedef gereklidir",
    "available": "Mevcut",
+    "disabledResourceDescription": "Devre dışı bırakıldığında, kaynağa herkes erişemez.",
    "archived": "Arşivlenmiş",
    "noArchivedDevices": "Arşivlenmiş cihaz bulunamadı",
    "deviceArchived": "Cihaz arşivlendi",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Olayları doğrudan Datadog hesabınıza iletin. Yakında gelicek.",
    "streamingTypePickerDescription": "Başlamak için bir hedef türü seçin.",
-    "streamingFailedToLoad": "Hedefler yüklenemedi",
+    "streamingLastSyncError": "Son senkronizasyonda bir hata oluştu",
    "streamingUnexpectedError": "Beklenmeyen bir hata oluştu.",
    "streamingFailedToUpdate": "Hedef güncellenemedi",
    "streamingDeletedSuccess": "Hedef başarıyla silindi",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "Hedefi Düzenle",
    "S3DestAddTitle": "S3 Hedefi Ekle",
    "S3DestEditDescription": "Bu S3 olay akışı hedefi için yapılandırmayı güncelleyin.",
-    "S3DestAddDescription": "Kuruluşunuzun olaylarını almak için yeni bir S3 uç noktası yapılandırın.",
+    "S3DestAddDescription": "Kuruluşunuzun etkinliklerini almak için yeni bir Amazon S3 (veya S3-uyumlu) kovası yapılandırın.",
+    "s3DestTabSettings": "Ayarlar",
+    "s3DestTabFormat": "Biçim",
+    "s3DestNameLabel": "Ad",
+    "s3DestNamePlaceholder": "Benim S3 hedefim",
+    "s3DestAccessKeyIdLabel": "AWS Erişim Anahtar Kimliği",
+    "s3DestSecretAccessKeyLabel": "AWS Gizli Erişim Anahtarı",
+    "s3DestSecretAccessKeyPlaceholder": "AWS gizli erişim anahtarınız",
+    "s3DestRegionLabel": "AWS Bölgesi",
+    "s3DestBucketLabel": "Kova Adı",
+    "s3DestPrefixLabel": "Anahtar Ön Eki (isteğe bağlı)",
+    "s3DestPrefixDescription": "Her nesne anahtarının önüne eklenen isteğe bağlı yol öneki. Nesneler {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename} konumunda saklanır.",
+    "s3DestEndpointLabel": "Özel Uç Nokta (isteğe bağlı)",
+    "s3DestEndpointDescription": "MinIO veya Cloudflare R2 gibi S3-uyumlu depolama için S3 uç noktasını geçersiz kılın. Standart AWS S3 için boş bırakın.",
+    "s3DestGzipLabel": "Gzip sıkıştırması",
+    "s3DestGzipDescription": "Her yüklü nesneyi gzip ile sıkıştırın. Depolama maliyetlerini ve yükleme boyutunu azaltır.",
+    "s3DestFormatTitle": "Dosya Biçimi",
+    "s3DestFormatDescription": "Etkinliklerin her yüklendiği nesne içinde nasıl serileştirildiği.",
+    "s3DestFormatJsonArrayDescription": "Her nesne bir olay kayıtlarının JSON dizisidir. Çoğu analiz aracıyla uyumludur.",
+    "s3DestFormatNdjsonDescription": "Her nesne satır başına bir JSON kaydı içerir (yeni satır ile ayrılmış JSON). Athena, BigQuery ve Spark ile uyumludur.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Her nesne, bir başlık satırı ile birlikte RFC-4180 CSV dosyasıdır. Sütun isimleri olay verileri alanlarından türetilmiştir.",
+    "s3DestSaveChanges": "Değişiklikleri Kaydet",
+    "s3DestCreateDestination": "Hedef Oluştur",
+    "s3DestUpdatedSuccess": "Hedef başarıyla güncellendi",
+    "s3DestCreatedSuccess": "Hedef başarıyla oluşturuldu",
+    "s3DestUpdateFailed": "Hedef güncellenemedi",
+    "s3DestCreateFailed": "Hedef oluşturulamadı",
    "datadogDestEditTitle": "Hedefi Düzenle",
    "datadogDestAddTitle": "Datadog Hedefi Ekle",
    "datadogDestEditDescription": "Bu Datadog olay akışı hedefi için yapılandırmayı güncelleyin.",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "Bu kimlik sağlayıcının bu kuruluştan ilişiğini kesmek istediğinizden emin misiniz?",
    "idpUnassociateDescription": "Bu kimlik sağlayıcı ile ilişkilendirilen tüm kullanıcılar bu kuruluştan kaldırılacaktır, ancak kimlik sağlayıcı diğer ilişkilendirilen kuruluşlar için var olmaya devam edecektir.",
    "idpUnassociateConfirm": "Kimlik Sağlayıcının İlişkisinin Kesilmesini Onayla",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "BENİ SİL VE ORGANİZASYONDAN ÇIKAR",
+    "idpUnassociateAndRemoveMeFromOrg": "BENİ İLİŞKİLENDİRMEYİ BIRAK VE ORGANİZASYONDAN ÇIKAR",
    "idpUnassociateWarning": "Bu işlem bu kuruluş için geri alınamaz.",
    "idpUnassociatedDescription": "Kimlik sağlayıcı bu kuruluştan başarıyla ayrıldı",
    "idpUnassociateMenu": "İlişkiyi Kes",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "Kaynak Devre Dışı",
    "memberPortalShowingResources": "{total} kaynaktan {start}-{end} gösteriliyor",
    "memberPortalPrevious": "Önceki",
-    "memberPortalNext": "Sonraki"
+    "memberPortalNext": "Sonraki",
+    "httpSettings": "HTTP Ayarları",
+    "tcpSettings": "TCP Ayarları",
+    "udpSettings": "UDP Ayarları",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Güvenli bir bağlantı kuruluyor…",
+    "sshConnecting": "Bağlanılıyor…",
+    "sshInitializing": "Başlatılıyor…",
+    "sshSignInTitle": "SSH'a Giriş Yap",
+    "sshSignInDescription": "Bağlanmak için SSH kimlik bilgilerinizi girin",
+    "sshPasswordTab": "Şifre",
+    "sshPrivateKeyTab": "Özel Anahtar",
+    "sshPrivateKeyField": "Özel Anahtar",
+    "sshPrivateKeyDisclaimer": "Özel anahtarınız Pangolin'de saklanmaz veya görünmez. Alternatif olarak, mevcut Pangolin kimliğinizle sorunsuz kimlik doğrulama için kısa ömürlü sertifikalar kullanabilirsiniz.",
+    "sshLearnMore": "Daha fazla bilgi",
+    "sshPrivateKeyFile": "Özel Anahtar Dosyası",
+    "sshAuthenticate": "Bağlan",
+    "sshTerminate": "Sonlandır",
+    "sshPoweredBy": "Tarafından sağlanmaktadır",
+    "sshErrorNoTarget": "Belirtilen hedef yok",
+    "sshErrorWebSocket": "WebSocket bağlantısı başarısız oldu",
+    "sshErrorAuthFailed": "Kimlik doğrulama başarısız",
+    "sshErrorConnectionClosed": "Kimlik doğrulama tamamlanmadan bağlantı kapandı",
+    "sitePangolinSshDescription": "Bu site üzerindeki kaynaklara SSH erişimine izin verin. Bu ayar sonradan değiştirilebilir.",
+    "browserGatewayNoResourceForDomain": "Bu etki alanı için kaynak bulunamadı",
+    "browserGatewayNoTarget": "Hedef Yok",
+    "browserGatewayConnect": "Bağlan",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "PAM itmeli kimlik doğrulama için SSH anahtarı imzalanamadı. Kullanıcı olarak oturum açtınız mı?",
+    "sshTerminalError": "Hata: {error}",
+    "sshConnectionClosedCode": "Bağlantı kapandı (kod {code})",
+    "sshPrivateKeyPlaceholder": "-----BAŞLANGIÇ OPENSSH ÖZEL ANAHTARI-----",
+    "sshPrivateKeyRequired": "Özel anahtar gereklidir",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Bağlanmak için VNC parolanızı girin",
+    "vncPasswordOptional": "Parola (isteğe bağlı)",
+    "vncNoResourceTarget": "Kaynak hedefi mevcut değil",
+    "vncFailedToLoadNovnc": "NoVNC yüklenemedi",
+    "vncAuthFailedStatus": "Durum {status}",
+    "vncPasteClipboard": "Panoya yapıştır",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Uzak Masaüstü'ne Giriş Yap",
+    "rdpSignInDescription": "Bağlanmak için Windows kimlik bilgilerinizi girin",
+    "rdpLoadingModule": "Modül yükleniyor...",
+    "rdpFailedToLoadModule": "RDP modülü yüklenemedi",
+    "rdpNotReady": "Hazır değil",
+    "rdpModuleInitializing": "RDP modülü hala başlatılıyor",
+    "rdpDownloadingFiles": "Uzak {count, plural, one {dosya} other {dosya}} indiriliyor...",
+    "rdpDownloadFailed": "İndirme başarısız: {fileName}",
+    "rdpUploaded": "Yüklendi: {fileName}",
+    "rdpNoConnectionTarget": "Bağlantı hedefi yok",
+    "rdpConnectionFailed": "Bağlantı başarısız oldu",
+    "rdpFit": "Sığdır",
+    "rdpFull": "Tam",
+    "rdpReal": "Gerçek",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Dosya yükle",
+    "rdpFilesReadyToPaste": "Yapıştırmak üzere dosyalar hazır",
+    "rdpFilesReadyToPasteDescription": "{count} dosya uzak panoya kopyalandı — yapıştırmak için uzak masaüstünde Ctrl+V tuşlarına basın.",
+    "rdpUploadFailed": "Yükleme başarısız",
+    "rdpUnicodeKeyboardMode": "Unicode klavye modu",
+    "sessionToolbarShow": "Araç çubuğunu göster",
+    "sessionToolbarHide": "Araç çubuğunu gizle"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -32,7 +32,7 @@
    "trialActive": "免费试用中",
    "trialExpired": "试用到期",
    "trialHasEnded": "您的试用已结束。",
-    "trialDaysRemaining": "{count, plural, one {# day remaining} other {# days remaining}}",
+    "trialDaysRemaining": "{count, plural, other {# 天剩余}}",
    "trialDaysLeftShort": "试用期剩余 {days} 天",
    "trialGoToBilling": "转到账单页面",
    "subscriptionViolationViewBilling": "查看计费",
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "查看私有资源",
    "siteInstallNewt": "安装 Newt",
    "siteInstallNewtDescription": "在您的系统中运行 Newt",
+    "siteInstallKubernetesDocsDescription": "有关最新的 Kubernetes 安装信息，请参阅<docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>。",
+    "siteInstallAdvantechDocsDescription": "有关 Advantech 调制解调器安装说明，请参阅<docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>。",
    "WgConfiguration": "WireGuard 配置",
    "WgConfigurationDescription": "使用以下配置连接到网络",
    "operatingSystem": "操作系统",
@@ -148,14 +150,18 @@
    "siteCredentialsSaveDescription": "您只能看到一次。请确保将其复制并保存到一个安全的地方。",
    "siteInfo": "站点信息",
    "status": "状态",
-    "shareTitle": "管理共享链接",
+    "shareTitle": "管理可共享链接",
    "shareDescription": "创建可共享的链接，允许临时或永久访问代理资源",
-    "shareSearch": "搜索共享链接...",
-    "shareCreate": "创建共享链接",
+    "shareSearch": "搜索可共享链接……",
+    "shareCreate": "创建可共享链接",
    "shareErrorDelete": "删除链接失败",
    "shareErrorDeleteMessage": "删除链接时出错",
    "shareDeleted": "链接已删除",
    "shareDeletedDescription": "链接已删除",
+    "shareDelete": "删除可共享链接",
+    "shareDeleteConfirm": "确认删除可共享链接",
+    "shareQuestionRemove": "您确定要删除这个共享链接吗？",
+    "shareMessageRemove": "删除后，该链接将不再可用，使用它的任何人将失去对资源的访问权限。",
    "shareTokenDescription": "访问令牌可以通过两种方式传递：作为查询参数或请求标题。 每次验证访问请求都必须从客户端传递。",
    "accessToken": "访问令牌",
    "usageExamples": "用法示例",
@@ -172,6 +178,8 @@
    "shareErrorCreateDescription": "创建共享链接时出错",
    "shareCreateDescription": "任何具有此链接的人都可以访问资源",
    "shareTitleOptional": "标题 (可选)",
+    "sharePathOptional": "路径（可选）",
+    "sharePathDescription": "认证后，链接将把用户重定向到此路径。",
    "expireIn": "过期时间",
    "neverExpire": "永不过期",
    "shareExpireDescription": "过期时间是链接可以使用并提供对资源的访问时间。 此时间后，链接将不再工作，使用此链接的用户将失去对资源的访问。",
@@ -195,8 +203,8 @@
    "shareErrorSelectResource": "请选择一个资源",
    "proxyResourceTitle": "管理公共资源",
    "proxyResourceDescription": "创建和管理可通过 Web 浏览器公开访问的资源",
-    "proxyResourcesBannerTitle": "基于Web的公共访问",
-    "proxyResourcesBannerDescription": "公共资源是可以通过网络浏览器在互联网上任何人访问的HTTPS或TCP/UDP代理。与私人资源不同，它们不需要客户端软件，并且可以包含身份和上下文感知访问策略。",
+    "publicResourcesBannerTitle": "基于 Web 的公共访问",
+    "publicResourcesBannerDescription": "公共资源是 HTTPS 代理，可以通过网络浏览器在互联网上的任何人访问。与私人资源不同，它们不需要客户端软件，并且可以包含身份和上下文感知的访问策略。",
    "clientResourceTitle": "管理私有资源",
    "clientResourceDescription": "创建和管理只能通过连接客户端访问的资源",
    "privateResourcesBannerTitle": "零信任的私人访问",
@@ -204,11 +212,37 @@
    "resourcesSearch": "搜索资源...",
    "resourceAdd": "添加资源",
    "resourceErrorDelte": "删除资源时出错",
+    "resourcePoliciesBannerTitle": "重用身份验证和访问规则",
+    "resourcePoliciesBannerDescription": "共享资源策略可让您定义身份验证方法和访问规则，然后将其应用到多个公共资源。当您更新策略时，每个链接的资源都会自动继承更改。",
+    "resourcePoliciesBannerButtonText": "了解更多",
+    "resourcePoliciesTitle": "管理公共资源策略",
+    "resourcePoliciesAttachedResourcesColumnTitle": "资源",
+    "resourcePoliciesAttachedResources": "{count} 个资源",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, other {# 个资源}}",
+    "resourcePoliciesAttachedResourcesEmpty": "没有资源",
+    "resourcePoliciesDescription": "创建和管理身份验证策略以控制对公共资源的访问",
+    "resourcePoliciesSearch": "搜索策略……",
+    "resourcePoliciesAdd": "添加策略",
+    "resourcePoliciesDefaultBadgeText": "默认策略",
+    "resourcePoliciesCreate": "创建公共资源策略",
+    "resourcePoliciesCreateDescription": "按照以下步骤创建新策略",
+    "resourcePolicyName": "策略名称",
+    "resourcePolicyNameDescription": "给此策略命名，以便在您的资源中识别它",
+    "resourcePolicyNamePlaceholder": "例如：内部访问策略",
+    "resourcePoliciesSeeAll": "查看所有策略",
+    "resourcePolicyAuthMethodAdd": "添加身份验证方法",
+    "resourcePolicyOtpEmailAdd": "添加 OTP 电子邮件",
+    "resourcePolicyRulesAdd": "添加规则",
+    "resourcePolicyAuthMethodsDescription": "通过额外的认证方法允许访问资源",
+    "resourcePolicyUsersRolesDescription": "配置哪些用户和角色可以访问关联的资源",
+    "rulesResourcePolicyDescription": "配置规则以控制与此策略关联的访问资源",
    "authentication": "认证",
    "protected": "受到保护",
    "notProtected": "未受到保护",
    "resourceMessageRemove": "一旦删除，资源将不再可访问。与该资源相关的所有目标也将被删除。",
    "resourceQuestionRemove": "您确定要从组织中删除资源吗？",
+    "resourcePolicyMessageRemove": "一旦删除，资源策略将不再可访问。所有与资源关联的资源将取消关联，并且没有身份验证。",
+    "resourcePolicyQuestionRemove": "您确定要从组织中删除资源策略吗？",
    "resourceHTTP": "HTTPS 资源",
    "resourceHTTPDescription": "通过使用完全限定的域名的HTTPS代理请求。",
    "resourceRaw": "TCP/UDP 资源",
@@ -216,8 +250,9 @@
    "resourceRawDescriptionCloud": "正在使用端口号使用 TCP/UDP 代理请求。需要站点连接到远程节点。",
    "resourceCreate": "创建资源",
    "resourceCreateDescription": "按照下面的步骤创建新资源",
+    "resourceCreateGeneralDescription": "配置基本资源设置，包括名称和类型",
    "resourceSeeAll": "查看所有资源",
-    "resourceInfo": "资源信息",
+    "resourceCreateGeneral": "概览",
    "resourceNameDescription": "这是资源的显示名称。",
    "siteSelect": "选择站点",
    "siteSearch": "搜索站点",
@@ -227,12 +262,15 @@
    "noCountryFound": "找不到国家。",
    "siteSelectionDescription": "此站点将为目标提供连接。",
    "resourceType": "资源类型",
-    "resourceTypeDescription": "确定如何访问资源",
+    "resourceTypeDescription": "这会控制资源协议及其在浏览器中的渲染方式。之后不能更改。",
+    "resourceDomainDescription": "资源将在此完全限定的域名上提供。",
    "resourceHTTPSSettings": "HTTPS 设置",
    "resourceHTTPSSettingsDescription": "配置如何通过 HTTPS 访问资源",
+    "resourcePortDescription": "在 Pangolin 实例或节点上资源可访问的外部端口。",
    "domainType": "域类型",
    "subdomain": "子域名",
    "baseDomain": "根域名",
+    "configure": "配置",
    "subdomnainDescription": "可访问资源的子域。",
    "resourceRawSettings": "TCP/UDP 设置",
    "resourceRawSettingsDescription": "配置如何通过 TCP/UDP 访问资源",
@@ -243,14 +281,35 @@
    "back": "后退",
    "cancel": "取消",
    "resourceConfig": "配置片段",
-    "resourceConfigDescription": "复制并粘贴这些配置片段以设置 TCP/UDP 资源",
+    "resourceConfigDescription": "复制并粘贴这些配置片段以设置 TCP/UDP 资源。",
    "resourceAddEntrypoints": "Traefik: 添加入口点",
    "resourceExposePorts": "Gerbil：在 Docker Compose 中显示端口",
    "resourceLearnRaw": "学习如何配置 TCP/UDP 资源",
    "resourceBack": "返回资源",
    "resourceGoTo": "转到资源",
+    "resourcePolicyDelete": "删除资源策略",
+    "resourcePolicyDeleteConfirm": "确认删除资源策略",
    "resourceDelete": "删除资源",
    "resourceDeleteConfirm": "确认删除资源",
+    "labelDelete": "删除标签",
+    "labelAdd": "添加标签",
+    "labelCreateSuccessMessage": "标签创建成功",
+    "labelDuplicateError": "标签重复",
+    "labelDuplicateErrorDescription": "已存在具有该名称的标签。",
+    "labelEditSuccessMessage": "标签修改成功",
+    "labelNameField": "标签名称",
+    "labelColorField": "标签颜色",
+    "labelPlaceholder": "例：homelab",
+    "labelCreate": "创建标签",
+    "createLabelDialogTitle": "创建标签",
+    "createLabelDialogDescription": "创建一个可以附加到此组织的新标签",
+    "labelEdit": "编辑标签",
+    "editLabelDialogTitle": "更新标签",
+    "editLabelDialogDescription": "编辑一个可以附加到此组织的标签",
+    "labelDeleteConfirm": "确认删除标签",
+    "labelErrorDelete": "删除标签失败",
+    "labelMessageRemove": "此操作是永久性的。所有用此标签标记的网站、资源和客户端将取消标记。",
+    "labelQuestionRemove": "您确定要将标签从组织中移除吗？",
    "visibility": "可见性",
    "enabled": "已启用",
    "disabled": "已禁用",
@@ -261,6 +320,8 @@
    "rules": "规则",
    "resourceSettingDescription": "配置资源上的设置",
    "resourceSetting": "{resourceName} 设置",
+    "resourcePolicySettingDescription": "配置此公共资源策略上的设置",
+    "resourcePolicySetting": "{policyName} 设置",
    "alwaysAllow": "旁路认证",
    "alwaysDeny": "屏蔽访问",
    "passToAuth": "传递至认证",
@@ -303,7 +364,7 @@
    "accessUserManage": "管理用户",
    "accessUsersDescription": "邀请和管理访问此组织的用户",
    "accessUsersSearch": "搜索用户...",
-    "accessUsersRoleFilterCount": "{count, plural, one {# role} other {# roles}}",
+    "accessUsersRoleFilterCount": "{count, plural, other {# 角色}}",
    "accessUsersRoleFilterClear": "清除角色过滤器",
    "accessUserCreate": "创建用户",
    "accessUserRemove": "删除用户",
@@ -523,6 +584,12 @@
    "userMessageOrgRemove": "一旦删除，这个用户将不再能够访问组织。 你总是可以稍后重新邀请他们，但他们需要再次接受邀请。",
    "userRemoveOrgConfirm": "确认删除用户",
    "userRemoveOrg": "从组织中删除用户",
+    "userQuestionOrgRemoveSelf": "你确定要将自己从这个组织中移除吗？",
+    "userMessageOrgRemoveSelf": "你将立即失去访问权限。管理员稍后可以再次邀请你，但你需要接受新的邀请。",
+    "userRemoveOrgConfirmSelf": "确认删除我自己",
+    "userRemoveOrgSelf": "将自己从组织中移除",
+    "userRemoveOrgSelfWarning": "你将立即失去对此组织的访问权限。",
+    "userRemoveOrgConfirmPhraseSelf": "从组织中移除我自己",
    "users": "用户",
    "accessRoleMember": "成员",
    "accessRoleOwner": "所有者",
@@ -531,6 +598,11 @@
    "emailInvalid": "无效的电子邮件地址",
    "inviteValidityDuration": "请选择持续时间",
    "accessRoleSelectPlease": "请选择一个角色",
+    "removeOwnAdminRoleConfirmTitle": "移除你的管理员权限？",
+    "removeOwnAdminRoleConfirmDescription": "保存后，你将不再拥有该组织的管理员权限。如果需要，其他管理员可以恢复访问。",
+    "removeOwnAdminRoleConfirmButton": "移除我的管理员访问权限",
+    "removeOwnAdminRoleConfirmPhrase": "移除我的管理员访问",
+    "ownerMustRetainAdminRole": "组织所有者必须保留至少一个管理员角色。",
    "usernameRequired": "必须输入用户名",
    "idpSelectPlease": "请选择身份提供商",
    "idpGenericOidc": "通用的 OAuth2/OIDC 提供商。",
@@ -615,7 +687,7 @@
    "createdAt": "创建于",
    "proxyErrorInvalidHeader": "无效的自定义主机头值。使用域名格式，或将空保存为取消自定义主机头。",
    "proxyErrorTls": "无效的 TLS 服务器名称。使用域名格式，或保存空以删除 TLS 服务器名称。",
-    "proxyEnableSSL": "启用 SSL",
+    "proxyEnableSSL": "启用 TLS",
    "proxyEnableSSLDescription": "启用 SSL/TLS 加密以确保目标的 HTTPS 连接。",
    "target": "Target",
    "configureTarget": "配置目标",
@@ -656,8 +728,9 @@
    "targetSubmit": "添加目标",
    "targetNoOne": "此资源没有任何目标。添加目标来配置向后端发送请求的位置。",
    "targetNoOneDescription": "在上面添加多个目标将启用负载平衡。",
-    "targetsSubmit": "保存目标",
+    "targetsSubmit": "保存设置",
    "addTarget": "添加目标",
+    "proxyMultiSiteRoundRobinNodeHelp": "轮询路由在未连接到相同节点的站点之间将不起作用，但故障转移会生效。",
    "targetErrorInvalidIp": "无效的 IP 地址",
    "targetErrorInvalidIpDescription": "请输入有效的IP地址或主机名",
    "targetErrorInvalidPort": "无效的端口",
@@ -689,11 +762,11 @@
    "rulesErrorDuplicate": "复制规则",
    "rulesErrorDuplicateDescription": "带有这些设置的规则已存在",
    "rulesErrorInvalidIpAddressRange": "无效的 CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "请输入一个有效的 CIDR 值",
-    "rulesErrorInvalidUrl": "无效的 URL 路径",
-    "rulesErrorInvalidUrlDescription": "请输入一个有效的 URL 路径值",
-    "rulesErrorInvalidIpAddress": "无效的 IP",
-    "rulesErrorInvalidIpAddressDescription": "请输入一个有效的IP地址",
+    "rulesErrorInvalidIpAddressRangeDescription": "输入有效的 CIDR 范围（例如，10.0.0.0/8）。",
+    "rulesErrorInvalidUrl": "无效路径",
+    "rulesErrorInvalidUrlDescription": "输入有效的 URL 路径或模式（例如，/api/*）。",
+    "rulesErrorInvalidIpAddress": "无效 IP 地址",
+    "rulesErrorInvalidIpAddressDescription": "输入有效的 IPv4 或 IPv6 地址。",
    "rulesErrorUpdate": "更新规则失败",
    "rulesErrorUpdateDescription": "更新规则时出错",
    "rulesUpdated": "启用规则",
@@ -701,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "以 CIDR 格式输入地址(如：103.21.244.0/22)",
    "rulesMatchIpAddress": "输入IP地址(例如，103.21.244.12)",
    "rulesMatchUrl": "输入一个 URL 路径或模式(例如/api/v1/todos 或 /api/v1/*)",
-    "rulesErrorInvalidPriority": "无效的优先级",
-    "rulesErrorInvalidPriorityDescription": "请输入一个有效的优先级",
-    "rulesErrorDuplicatePriority": "重复的优先级",
-    "rulesErrorDuplicatePriorityDescription": "请输入唯一的优先级",
+    "rulesErrorInvalidPriority": "优先级无效",
+    "rulesErrorInvalidPriorityDescription": "输入一个大于或等于 1 的整数。",
+    "rulesErrorDuplicatePriority": "优先级重复",
+    "rulesErrorDuplicatePriorityDescription": "每条规则必须拥有唯一的优先级号。",
+    "rulesErrorValidation": "规则无效",
+    "rulesErrorValidationRuleDescription": "规则 {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "选择有效的匹配类型（路径、IP、CIDR、国家、地区或 ASN）。",
+    "rulesErrorValueRequired": "为此规则输入一个值。",
+    "rulesErrorInvalidCountry": "国家无效",
+    "rulesErrorInvalidCountryDescription": "选择一个有效的国家。",
+    "rulesErrorInvalidAsn": "ASN 无效",
+    "rulesErrorInvalidAsnDescription": "输入有效的 ASN（例如，AS15169）。",
    "ruleUpdated": "规则已更新",
    "ruleUpdatedDescription": "规则更新成功",
    "ruleErrorUpdate": "操作失败",
    "ruleErrorUpdateDescription": "保存过程中发生错误",
    "rulesPriority": "优先权",
+    "rulesReorderDragHandle": "拖动以重新排序规则优先级",
    "rulesAction": "行为",
    "rulesMatchType": "匹配类型",
    "value": "值",
@@ -728,9 +810,60 @@
    "rulesResource": "资源规则配置",
    "rulesResourceDescription": "配置规则来控制对资源的访问",
    "ruleSubmit": "添加规则",
-    "rulesNoOne": "没有规则。使用表单添加规则。",
+    "rulesNoOne": "尚无规则。",
    "rulesOrder": "规则按优先顺序评定。",
    "rulesSubmit": "保存规则",
+    "policyErrorCreate": "创建策略时出错",
+    "policyErrorCreateDescription": "创建策略时发生错误",
+    "policyErrorCreateMessageDescription": "发生意外错误",
+    "policyErrorUpdate": "更新策略时出错",
+    "policyErrorUpdateDescription": "更新策略时发生错误",
+    "policyErrorUpdateMessageDescription": "发生意外错误",
+    "policyCreatedSuccess": "资源策略创建成功",
+    "policyUpdatedSuccess": "资源策略更新成功",
+    "authMethodsSave": "保存设置",
+    "policyAuthStackTitle": "身份验证",
+    "policyAuthStackDescription": "控制哪些身份验证方法需由用户执行才能访问资源",
+    "policyAuthOrLogicTitle": "多种身份验证方法处于激活状态",
+    "policyAuthOrLogicBanner": "访问者可以使用下列任意激活的方法进行身份验证。无需完成全部过程。",
+    "policyAuthMethodActive": "激活",
+    "policyAuthMethodOff": "关闭",
+    "policyAuthSsoTitle": "平台单点登录 SSO",
+    "policyAuthSsoDescription": "要求通过您组织的身份提供商登录",
+    "policyAuthSsoSummary": "{idp} · {users} 个用户, {roles} 个角色",
+    "policyAuthSsoDefaultIdp": "默认提供商",
+    "policyAuthAddDefaultIdentityProvider": "添加默认身份提供商",
+    "policyAuthOtherMethodsTitle": "其他方法",
+    "policyAuthOtherMethodsDescription": "访问者可以使用以下备用或联合平台 SSO 的方法",
+    "policyAuthPasscodeTitle": "密码",
+    "policyAuthPasscodeDescription": "要求使用共享字母数字密码以访资源问",
+    "policyAuthPasscodeSummary": "密码已设定",
+    "policyAuthPincodeTitle": "PIN 码",
+    "policyAuthPincodeDescription": "要求使用短数字代码以访问资源",
+    "policyAuthPincodeSummary": "6 位数字 PIN 码已设定",
+    "policyAuthEmailTitle": "电子邮件白名单",
+    "policyAuthEmailDescription": "允许列出的电子邮件地址使用一次性密码",
+    "policyAuthEmailSummary": "允许 {count} 个地址",
+    "policyAuthEmailOtpCallout": "启用电子邮件白名单将在登录时向访问者的电子邮件发送一次性密码。",
+    "policyAuthHeaderAuthTitle": "基础标题认证",
+    "policyAuthHeaderAuthDescription": "在每次请求上验证自定义 HTTP 标头名称和值",
+    "policyAuthHeaderAuthSummary": "标头已配置",
+    "policyAuthHeaderName": "标头名称",
+    "policyAuthHeaderValue": "预期值",
+    "policyAuthSetPasscode": "设定密码",
+    "policyAuthSetPincode": "设置 PIN 码",
+    "policyAuthSetEmailWhitelist": "设置电子邮件白名单",
+    "policyAuthSetHeaderAuth": "设置基础标题认证",
+    "policyAccessRulesTitle": "访问规则",
+    "policyAccessRulesEnableDescription": "启用后，规则将按下降顺序进行评估，直到某条规则评估结果为真。",
+    "policyAccessRulesFirstMatch": "规则将自上而下进行评估。首次匹配的规则决定结果。",
+    "policyAccessRulesHowItWorks": "规则通过路径、IP 地址、位置或其他标准匹配请求。每个规则都会应用操作：绕过身份验证、阻止访问或通过身份验证。如果没有规则匹配，流量将继续通过身份验证。",
+    "policyAccessRulesFallthroughOff": "禁用规则后，所有流量将通过身份验证。",
+    "policyAccessRulesFallthroughOn": "没有规则匹配时，流量将通过身份验证。",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
+    "rulesSave": "保存规则",
    "resourceErrorCreate": "创建资源时出错",
    "resourceErrorCreateDescription": "创建资源时出错",
    "resourceErrorCreateMessage": "创建资源时发生错误：",
@@ -750,9 +883,9 @@
    "resourcesErrorUpdateDescription": "更新资源时出错",
    "access": "访问权限",
    "accessControl": "访问控制",
-    "shareLink": "{resource} 的分享链接",
+    "shareLink": "{resource} 可共享链接",
    "resourceSelect": "选择资源",
-    "shareLinks": "分享链接",
+    "shareLinks": "可共享链接",
    "share": "分享链接",
    "shareDescription2": "创建资源的可共享链接。链接提供了对您资源的临时或无限制访问。 当您创建链接时，您可以配置链接的到期时间。",
    "shareEasyCreate": "轻松创建和分享",
@@ -794,6 +927,17 @@
    "pincodeAdd": "添加 PIN 码",
    "pincodeRemove": "移除 PIN 码",
    "resourceAuthMethods": "身份验证方法",
+    "resourcePolicyAuthMethodsEmpty": "无身份验证方法",
+    "resourcePolicyOtpEmpty": "没有一次性密码",
+    "resourcePolicyReadOnly": "此策略是只读的",
+    "resourcePolicyReadOnlyDescription": "此资源策略跨多个资源共享，您无法在此页面上编辑。",
+    "editSharedPolicy": "编辑共享策略",
+    "resourcePolicyTypeSave": "保存资源类型",
+    "resourcePolicySelect": "选择资源策略",
+    "resourcePolicySelectError": "选择资源策略",
+    "resourcePolicyNotFound": "找不到策略",
+    "resourcePolicySearch": "搜索策略",
+    "resourcePolicyRulesEmpty": "无身份验证规则",
    "resourceAuthMethodsDescriptions": "允许通过额外的认证方法访问资源",
    "resourceAuthSettingsSave": "保存成功",
    "resourceAuthSettingsSaveDescription": "已保存身份验证设置",
@@ -829,6 +973,20 @@
    "resourcePincodeSetupTitle": "设置 PIN 码",
    "resourcePincodeSetupTitleDescription": "设置 PIN 码来保护此资源",
    "resourceRoleDescription": "管理员总是可以访问此资源。",
+    "resourcePolicySelectTitle": "资源访问策略",
+    "resourcePolicySelectDescription": "选择用于认证的资源策略类型",
+    "resourcePolicyTypeLabel": "策略类型",
+    "resourcePolicyLabel": "资源策略",
+    "resourcePolicyInline": "内联资源策略",
+    "resourcePolicyInlineDescription": "仅限于此资源的访问策略",
+    "resourcePolicyShared": "共享资源策略",
+    "resourcePolicySharedDescription": "此资源使用共享策略。",
+    "sharedPolicy": "共享策略",
+    "sharedPolicyNoneDescription": "此资源有自己的策略。",
+    "resourceSharedPolicyOwnDescription": "此资源具有自己的身份验证和访问规则控制。",
+    "resourceSharedPolicyInheritedDescription": "此资源继承自<policyLink>{policyName}</policyLink>。",
+    "resourceSharedPolicyAuthenticationNotice": "此资源使用共享策略。一些身份验证设置可以在此资源上编辑以添加到策略。要更改基础策略，您必须编辑<policyLink>{policyName}</policyLink>。",
+    "resourceSharedPolicyRulesNotice": "此资源正在使用一个共享策略。某些访问规则可以在此资源上编辑。要更改基础策略，您必须编辑<policyLink>{policyName}</policyLink>。",
    "resourceUsersRoles": "访问控制",
    "resourceUsersRolesDescription": "配置用户和角色可以访问此资源",
    "resourceUsersRolesSubmit": "保存访问控制",
@@ -853,7 +1011,14 @@
    "resourceVisibilityTitle": "可见性",
    "resourceVisibilityTitleDescription": "完全启用或禁用资源可见性",
    "resourceGeneral": "常规设置",
-    "resourceGeneralDescription": "配置此资源的常规设置",
+    "resourceGeneralDescription": "配置资源的名称、地址和访问策略。",
+    "resourceGeneralDetailsSubsection": "资源详情",
+    "resourceGeneralDetailsSubsectionDescription": "设置资源的显示名称、标识符和公共访问域名。",
+    "resourceGeneralDetailsSubsectionPortDescription": "设置资源的显示名称、标识符和公共端口。",
+    "resourceGeneralPublicAddressSubsection": "公共地址",
+    "resourceGeneralPublicAddressSubsectionDescription": "配置用户如何访问该资源。",
+    "resourceGeneralAuthenticationAccessSubsection": "身份验证与访问",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "选择该资源是使用其自己的策略还是从共享策略继承。",
    "resourceEnable": "启用资源",
    "resourceTransfer": "转移资源",
    "resourceTransferDescription": "将此资源转移到另一个站点",
@@ -1124,6 +1289,21 @@
    "idpErrorConnectingTo": "无法连接到 {name}，请联系管理员协助处理。",
    "idpErrorNotFound": "找不到 IdP",
    "inviteInvalid": "无效邀请",
+    "labels": "标签",
+    "orgLabelsDescription": "管理此组织的标签。",
+    "addLabels": "添加标签",
+    "siteLabelsTab": "标签",
+    "siteLabelsDescription": "管理与此网站相关的标签。",
+    "labelsNotFound": "未找到标签。",
+    "labelsEmptyCreateHint": "在上方输入以创建标签。",
+    "labelSearch": "搜索标签",
+    "labelSearchOrCreate": "搜索或创建标签",
+    "accessLabelFilterCount": "{count, plural, other {# 标签}}",
+    "labelOverflowCount": "+{count, plural, other {# 标签}}",
+    "accessLabelFilterClear": "清除标签过滤器",
+    "accessFilterClear": "清除筛选器",
+    "selectColor": "选择颜色",
+    "createNewLabel": "创建新的组织标签 \"{label}\"",
    "inviteInvalidDescription": "邀请链接无效。",
    "inviteErrorWrongUser": "邀请不是该用户的",
    "inviteErrorUserNotExists": "用户不存在。请先创建帐户。",
@@ -1358,6 +1538,8 @@
    "sidebarResources": "资源",
    "sidebarProxyResources": "公开的",
    "sidebarClientResources": "非公开的",
+    "sidebarPolicies": "共享策略",
+    "sidebarResourcePolicies": "公共资源",
    "sidebarAccessControl": "访问控制",
    "sidebarLogsAndAnalytics": "日志与分析",
    "sidebarTeam": "团队",
@@ -1365,7 +1547,7 @@
    "sidebarAdmin": "管理员",
    "sidebarInvitations": "邀请",
    "sidebarRoles": "角色",
-    "sidebarShareableLinks": "链接",
+    "sidebarShareableLinks": "可共享链接",
    "sidebarApiKeys": "API密钥",
    "sidebarProvisioning": "置备中",
    "sidebarSettings": "设置",
@@ -1499,7 +1681,7 @@
    "alertingGraphCanvasTitle": "规则流程",
    "alertingGraphCanvasDescription": "源、触发器和操作的视觉概况。选择一个节点，在面板上进行编辑。",
    "alertingNodeNotConfigured": "尚未配置",
-    "alertingNodeActionsCount": "{count, plural, one {# action} other {# actions}}",
+    "alertingNodeActionsCount": "{count, plural, other {# 操作}}",
    "alertingNodeRoleSource": "来源",
    "alertingNodeRoleTrigger": "触发",
    "alertingNodeRoleAction": "行为",
@@ -1541,7 +1723,8 @@
    "standaloneHcFilterSiteIdFallback": "站点 {id}",
    "standaloneHcFilterResourceIdFallback": "资源 {id}",
    "blueprints": "蓝图",
-    "blueprintsDescription": "应用声明配置并查看先前运行的",
+    "blueprintsLog": "蓝图日志",
+    "blueprintsDescription": "查看过去的蓝图应用及其结果或应用一个新的蓝图",
    "blueprintAdd": "添加蓝图",
    "blueprintGoBack": "查看所有蓝图",
    "blueprintCreate": "创建蓝图",
@@ -1559,7 +1742,17 @@
    "contents": "目录",
    "parsedContents": "解析内容 (只读)",
    "enableDockerSocket": "启用 Docker 蓝图",
-    "enableDockerSocketDescription": "启用 Docker Socket 标签擦除蓝图标签。套接字路径必须提供给新的。",
+    "enableDockerSocketDescription": "启用用于蓝图标签的 Docker 套接字标签擦除。必须为站点连接器提供套接字路径。阅读<docsLink>文档</docsLink>以了解相关工作原理。",
+    "newtAutoUpdate": "启用站点自动更新",
+    "newtAutoUpdateDescription": "启用后，站点连接器将自动下载最新版本并重新启动。可以针对每个站点进行覆盖。",
+    "siteAutoUpdate": "站点自动更新",
+    "siteAutoUpdateLabel": "启用自动更新",
+    "siteAutoUpdateDescription": "启用后，该站点的连接器将自动下载最新版本并重新启动。",
+    "siteAutoUpdateOrgDefault": "组织默认设置：{state}",
+    "siteAutoUpdateOverriding": "覆盖组织设置",
+    "siteAutoUpdateResetToOrg": "重置为组织默认设置",
+    "siteAutoUpdateEnabled": "已启用",
+    "siteAutoUpdateDisabled": "已禁用",
    "viewDockerContainers": "查看停靠容器",
    "containersIn": "{siteName} 中的容器",
    "selectContainerDescription": "选择任何容器作为目标的主机名。点击端口使用端口。",
@@ -1604,6 +1797,7 @@
    "certificateStatus": "证书",
    "certificateStatusAutoRefreshHint": "状态自动刷新。",
    "loading": "加载中",
+    "loadingEllipsis": "加载中……",
    "loadingAnalytics": "加载分析",
    "restart": "重启",
    "domains": "域",
@@ -1651,9 +1845,9 @@
    "accountSetupSuccess": "账号设置完成！欢迎来到 Pangolin！",
    "documentation": "文档",
    "saveAllSettings": "保存所有设置",
-    "saveResourceTargets": "保存目标",
-    "saveResourceHttp": "保存代理设置",
-    "saveProxyProtocol": "保存代理协议设置",
+    "saveResourceTargets": "保存设置",
+    "saveResourceHttp": "保存设置",
+    "saveProxyProtocol": "保存设置",
    "settingsUpdated": "设置已更新",
    "settingsUpdatedDescription": "设置更新成功",
    "settingsErrorUpdate": "设置更新失败",
@@ -1830,6 +2024,7 @@
    "billingManageLicenseSubscription": "管理您对付费的自托管许可证密钥的订阅",
    "billingCurrentKeys": "当前密钥",
    "billingModifyCurrentPlan": "修改当前计划",
+    "billingManageLicenseSubscriptionDescription": "管理付费的自托管许可证密钥订阅并下载发票。",
    "billingConfirmUpgrade": "确认升级",
    "billingConfirmDowngrade": "确认降级",
    "billingConfirmUpgradeDescription": "您即将升级您的计划。请检查下面的新限额和定价。",
@@ -1909,13 +2104,13 @@
    "healthCheckUnknown": "未知",
    "healthCheck": "健康检查",
    "configureHealthCheck": "配置健康检查",
-    "configureHealthCheckDescription": "为 {target} 设置健康监控",
+    "configureHealthCheckDescription": "为您的资源设置监控以确保其始终可用",
    "enableHealthChecks": "启用健康检查",
    "healthCheckDisabledStateDescription": "禁用后，站点不会进行健康检查，状态将被视为未知。",
    "enableHealthChecksDescription": "监视此目标的健康状况。如果需要，您可以监视一个不同的终点。",
    "healthScheme": "方法",
    "healthSelectScheme": "选择方法",
-    "healthCheckPortInvalid": "健康检查端口必须介于 1 到 65535 之间",
+    "healthCheckPortInvalid": "端口必须在 1 和 65535 之间",
    "healthCheckPath": "路径",
    "healthHostname": "IP / 主机",
    "healthPort": "端口",
@@ -1927,7 +2122,42 @@
    "timeIsInSeconds": "时间以秒为单位",
    "requireDeviceApproval": "需要设备批准",
    "requireDeviceApprovalDescription": "具有此角色的用户需要管理员批准的新设备才能连接和访问资源。",
+    "sshSettings": "SSH 设置",
    "sshAccess": "SSH 访问",
+    "rdpSettings": "RDP 设置",
+    "vncSettings": "VNC 设置",
+    "sshServer": "SSH 服务器",
+    "rdpServer": "RDP 服务器",
+    "vncServer": "VNC 服务器",
+    "sshServerDescription": "设置身份验证方法、守护程序位置和服务器目标",
+    "rdpServerDescription": "配置 RDP 服务器的目标和端口",
+    "vncServerDescription": "配置 VNC 服务器的目标和端口",
+    "sshServerMode": "模式",
+    "sshServerModeStandard": "标准 SSH 服务器",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "将命令通过网络路由到 SSH 服务器，例如 OpenSSH。",
+    "sshServerModeNative": "本地 SSH 服务器",
+    "sshServerModeNativeDescription": "通过站点连接器直接在主机上执行命令。无需网络配置。",
+    "sshAuthenticationMethod": "身份验证方法",
+    "sshAuthMethodManual": "手动身份验证",
+    "sshAuthMethodManualDescription": "需要现有的主机凭据。绕过自动配置。",
+    "sshAuthMethodAutomated": "自动配置",
+    "sshAuthMethodAutomatedDescription": "在主机上自动创建用户、组和sudo权限。",
+    "sshAuthDaemonLocation": "认证守护程序位置",
+    "sshDaemonLocationSiteDescription": "在托管站点连接器的机器上本地执行。",
+    "sshDaemonLocationRemote": "在远程主机上",
+    "sshDaemonLocationRemoteDescription": "在同一网络的独立目标机器上执行。",
+    "sshDaemonDisclaimer": "在完成本设置之前，请确保您的目标主机已经正确配置以运行身份验证守护程序，否则配置将失败。",
+    "sshDaemonPort": "守护程序端口",
+    "sshServerDestination": "服务器目标",
+    "sshServerDestinationDescription": "配置 SSH 服务器的目的地",
+    "destination": "目标",
+    "destinationRequired": "需要目的地。",
+    "domainRequired": "需要域。",
+    "proxyPortRequired": "需要端口。",
+    "invalidPathConfiguration": "路径配置无效。",
+    "invalidRewritePathConfiguration": "重写路径配置无效。",
+    "bgTargetMultiSiteDisclaimer": "选择多个站点可实现高可用性的弹性路由和故障转移。",
    "roleAllowSsh": "允许 SSH",
    "roleAllowSshAllow": "允许",
    "roleAllowSshDisallow": "不允许",
@@ -1941,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "用户只能用 sudo 运行指定的命令。",
    "sshSudo": "允许Sudo",
    "sshSudoCommands": "Sudo 命令",
-    "sshSudoCommandsDescription": "逗号分隔的用户允许使用 sudo 运行的命令列表。",
+    "sshSudoCommandsDescription": "用户可以使用 sudo 运行的命令列表，以逗号、空格或新行分隔。必须使用绝对路径。",
    "sshCreateHomeDir": "创建主目录",
    "sshUnixGroups": "Unix 组",
-    "sshUnixGroupsDescription": "用逗号分隔了Unix组，将用户添加到目标主机上。",
+    "sshUnixGroupsDescription": "在目标主机上将用户添加到的 Unix 组，以逗号、空格或新行分隔。",
+    "roleTextFieldPlaceholder": "输入值，或放入 .txt 或 .csv 文件",
+    "roleTextImportTitle": "从文件导入",
+    "roleTextImportDescription": "将 {fileName} 导入到 {fieldLabel}。",
+    "roleTextImportSkipHeader": "跳过第一行（标题）",
+    "roleTextImportOverride": "替换现有",
+    "roleTextImportAppend": "附加到现有",
+    "roleTextImportMode": "导入模式",
+    "roleTextImportPreview": "预览",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} 个现有 + {imported} 个导入 = {total} 个总计",
+    "roleTextImportConfirm": "导入",
+    "roleTextImportInvalidFile": "不支持的文件类型",
+    "roleTextImportInvalidFileDescription": "仅支持 .txt 和 .csv 文件。",
+    "roleTextImportEmpty": "文件中未找到项目",
+    "roleTextImportEmptyDescription": "文件不包含任何可导入的项目。",
    "retryAttempts": "重试次数",
    "expectedResponseCodes": "期望响应代码",
    "expectedResponseCodesDescription": "HTTP 状态码表示健康状态。如留空，200-300 被视为健康。",
@@ -2033,8 +2278,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "方案",
-    "editInternalResourceDialogEnableSsl": "启用 SSL",
+    "editInternalResourceDialogEnableSsl": "启用 TLS",
    "editInternalResourceDialogEnableSslDescription": "为目标的安全 HTTPS 连接启用 SSL/TLS 加密。",
    "editInternalResourceDialogDestination": "目标",
    "editInternalResourceDialogDestinationHostDescription": "站点网络上资源的 IP 地址或主机名。",
@@ -2051,7 +2297,7 @@
    "createInternalResourceDialogName": "名称",
    "createInternalResourceDialogSite": "站点",
    "selectSite": "选择站点...",
-    "multiSitesSelectorSitesCount": "{count, plural, one {# site} other {# sites}}",
+    "multiSitesSelectorSitesCount": "{count, plural, other {# 个网站}}",
    "noSitesFound": "未找到站点。",
    "createInternalResourceDialogProtocol": "协议",
    "createInternalResourceDialogTcp": "TCP",
@@ -2082,9 +2328,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "方案",
    "createInternalResourceDialogScheme": "方案",
-    "createInternalResourceDialogEnableSsl": "启用 SSL",
+    "createInternalResourceDialogEnableSsl": "启用 TLS",
    "createInternalResourceDialogEnableSslDescription": "为目标的安全 HTTPS 连接启用 SSL/TLS 加密。",
    "createInternalResourceDialogDestination": "目标",
    "createInternalResourceDialogDestinationHostDescription": "站点网络上资源的 IP 地址或主机名。",
@@ -2217,7 +2464,7 @@
        "description": "更可靠和低维护自我托管的 Pangolin 服务器，带有额外的铃声和告密器",
        "introTitle": "托管自托管的潘戈林公司",
        "introDescription": "这是一种部署选择，为那些希望简洁和额外可靠的人设计，同时仍然保持他们的数据的私密性和自我托管性。",
-        "introDetail": "通过此选项，您仍然运行您自己的 Pangolin 节点 - - 您的隧道、SSL 终止，并且流量在您的服务器上保持所有状态。 不同之处在于，管理和监测是通过我们的云层仪表板进行的，该仪表板开启了一些好处：",
+        "introDetail": "通过此选项，您仍然运行您自己的 Pangolin 节点 - 您的隧道、TLS 终止，并且流量在您的服务器上保持所有状态。不同之处在于，管理和监测是通过我们的云层仪表板进行的，该仪表板开启了一些好处：",
        "benefitSimplerOperations": {
            "title": "简单的操作",
            "description": "无需运行您自己的邮件服务器或设置复杂的警报。您将从方框中获得健康检查和下限提醒。"
@@ -2652,6 +2899,8 @@
    "validPassword": "有效密码",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "查看",
+    "configManaged": "配置已管理",
    "connectedClient": "已连接客户端",
    "resourceBlocked": "资源被阻止",
    "droppedByRule": "被规则删除",
@@ -2724,9 +2973,10 @@
    "enableProxyProtocol": "启用代理协议",
    "proxyProtocolInfo": "为TCP后端保留客户端IP地址",
    "proxyProtocolVersion": "代理协议版本",
-    "version1": " 版本 1 (推荐)",
+    "version1": "版本 1（推荐）",
    "version2": "版本 2",
-    "versionDescription": "版本 1 是基于文本和广泛支持的版本。版本 2 是二进制和更有效率但不那么兼容。",
+    "version1Description": "基于文本和广泛支持。确保服务器传输添加到动态配置。",
+    "version2Description": "二进制且更有效率但兼容性较低。确保服务器传输添加到动态配置。",
    "warning": "警告",
    "proxyProtocolWarning": "后端应用程序必须配置为接受代理协议连接。 如果您的后端不支持代理协议，启用此功能将会中断所有连接，只有当您知道自己在做什么时才能启用此功能。 请务必从Traefik配置您的后端到信任代理协议标题。",
    "restarting": "正在重启...",
@@ -2883,7 +3133,7 @@
    "enterConfirmation": "输入确认",
    "blueprintViewDetails": "详细信息",
    "defaultIdentityProvider": "默认身份提供商",
-    "defaultIdentityProviderDescription": "当选择默认身份提供商时，用户将自动重定向到提供商进行身份验证。",
+    "defaultIdentityProviderDescription": "用户将自动重定向到此身份提供者进行身份验证。",
    "editInternalResourceDialogNetworkSettings": "网络设置",
    "editInternalResourceDialogAccessPolicy": "访问策略",
    "editInternalResourceDialogAddRoles": "添加角色",
@@ -2919,11 +3169,12 @@
    "learnMore": "了解更多",
    "backToHome": "返回首页",
    "needToSignInToOrg": "需要使用您组织的身份提供商吗？",
-    "maintenanceMode": "维护模式",
+    "maintenanceMode": "维护页面",
    "maintenanceModeDescription": "向访客显示维护页面",
    "maintenanceModeType": "维护模式类型",
    "showMaintenancePage": "只在所有后端目标都故障或不健康时显示维护页面。只要至少一个目标健康，您的资源将正常工作。",
    "enableMaintenanceMode": "启用维护模式",
+    "enableMaintenanceModeDescription": "启用后，访问者将看到维护页面而不是您的资源。",
    "automatic": "自动",
    "automaticModeDescription": "如果所有后端目标都故障或不健康，则仅显示维护页面。只要至少一个目标健康，您的资源将正常工作。",
    "forced": "强制",
@@ -2931,6 +3182,8 @@
    "warning:": "警告：",
    "forcedeModeWarning": "所有流量将被引导到维护页面。您的后端资源不会收到任何请求。",
    "pageTitle": "页面标题",
+    "maintenancePageContentSubsection": "页面内容",
+    "maintenancePageContentSubsectionDescription": "自定义维护页面上显示的内容",
    "pageTitleDescription": "维护页面显示的主标题",
    "maintenancePageMessage": "维护信息",
    "maintenancePageMessagePlaceholder": "我们很快回来！ 我们的网站目前正在进行计划中的维护。",
@@ -2949,6 +3202,7 @@
    "maintenanceScreenEstimatedCompletion": "预计完成时间：",
    "createInternalResourceDialogDestinationRequired": "需要目标地址",
    "available": "可用",
+    "disabledResourceDescription": "禁用后，所有人都不可访问此资源。",
    "archived": "已存档",
    "noArchivedDevices": "未找到存档设备",
    "deviceArchived": "设备已存档",
@@ -3062,7 +3316,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "直接转发事件到您的Datadog 帐户。即将推出。",
    "streamingTypePickerDescription": "选择要开始的目标类型。",
-    "streamingFailedToLoad": "加载目的地失败",
+    "streamingLastSyncError": "最后一次同步时发生错误",
    "streamingUnexpectedError": "发生意外错误.",
    "streamingFailedToUpdate": "更新目标失败",
    "streamingDeletedSuccess": "目标删除成功",
@@ -3079,7 +3333,34 @@
    "S3DestEditTitle": "编辑目的地",
    "S3DestAddTitle": "添加 S3 目的地",
    "S3DestEditDescription": "更新此 S3 事件流目的地的配置。",
-    "S3DestAddDescription": "配置新的 S3 终端以接收您的组织事件。",
+    "S3DestAddDescription": "配置一个新的 Amazon S3（或兼容 S3 的）存储桶以接收您的组织事件。",
+    "s3DestTabSettings": "设置",
+    "s3DestTabFormat": "格式",
+    "s3DestNameLabel": "名称",
+    "s3DestNamePlaceholder": "我的 S3 目的地",
+    "s3DestAccessKeyIdLabel": "AWS 访问密钥 ID",
+    "s3DestSecretAccessKeyLabel": "AWS 秘密访问密钥",
+    "s3DestSecretAccessKeyPlaceholder": "您的 AWS 密钥",
+    "s3DestRegionLabel": "AWS 地区",
+    "s3DestBucketLabel": "存储桶名称",
+    "s3DestPrefixLabel": "密钥前缀（可选）",
+    "s3DestPrefixDescription": "每个对象密钥前加的可选路径前缀。对象存储在 {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}。",
+    "s3DestEndpointLabel": "自定义端点（可选）",
+    "s3DestEndpointDescription": "替代 S3 端点用于 MinIO 或 Cloudflare R2 等兼容 S3 的存储。标准 AWS S3 留空。",
+    "s3DestGzipLabel": "Gzip 压缩",
+    "s3DestGzipDescription": "使用 gzip 压缩每个上传的对象。减少存储成本和上传大小。",
+    "s3DestFormatTitle": "文件格式",
+    "s3DestFormatDescription": "事件在每个上传对象内的序列化方式。",
+    "s3DestFormatJsonArrayDescription": "每个对象是事件记录的 JSON 数组。兼容大多数分析工具。",
+    "s3DestFormatNdjsonDescription": "每个对象每行包含一个 JSON 记录（换行分隔的 JSON）。兼容 Athena、BigQuery 和 Spark。",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "每个对象是带有标题行的 RFC-4180 CSV 文件。列名来自事件数据字段。",
+    "s3DestSaveChanges": "保存更改",
+    "s3DestCreateDestination": "创建目的地",
+    "s3DestUpdatedSuccess": "目的地更新成功",
+    "s3DestCreatedSuccess": "目的地创建成功",
+    "s3DestUpdateFailed": "更新目的地失败",
+    "s3DestCreateFailed": "创建目的地失败",
    "datadogDestEditTitle": "编辑目的地",
    "datadogDestAddTitle": "添加 Datadog 目的地",
    "datadogDestEditDescription": "更新此 Datadog 事件流目的地的配置。",
@@ -3167,6 +3448,8 @@
    "idpUnassociateQuestion": "您确定要将此身份提供者从此组织中取消关联吗？",
    "idpUnassociateDescription": "与此身份提供者关联的所有用户将从该组织中移除，但身份提供者仍会继续存在于关联的其他组织中。",
    "idpUnassociateConfirm": "确认取消关联身份提供者",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "删除并将我从组织中移除",
+    "idpUnassociateAndRemoveMeFromOrg": "解除关联并将我从组织中移除",
    "idpUnassociateWarning": "此操作无法对该组织撤销。",
    "idpUnassociatedDescription": "身份提供者已成功从该组织中取消关联",
    "idpUnassociateMenu": "取消关联",
@@ -3251,5 +3534,67 @@
    "memberPortalResourceDisabled": "资源已禁用",
    "memberPortalShowingResources": "显示 {start}-{end} 共 {total} 个资源",
    "memberPortalPrevious": "上一页",
-    "memberPortalNext": "下一页"
+    "memberPortalNext": "下一页",
+    "httpSettings": "HTTP 设置",
+    "tcpSettings": "TCP 设置",
+    "udpSettings": "UDP 设置",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "正在建立安全连接…",
+    "sshConnecting": "正在连接…",
+    "sshInitializing": "初始化中…",
+    "sshSignInTitle": "登录 SSH",
+    "sshSignInDescription": "输入您的 SSH 凭据以进行连接",
+    "sshPasswordTab": "密码",
+    "sshPrivateKeyTab": "私钥",
+    "sshPrivateKeyField": "私钥",
+    "sshPrivateKeyDisclaimer": "您的私钥不会被 Pangolin 存储或显示。或者，您可以使用短期证书，使用您现有的 Pangolin 身份无缝认证。",
+    "sshLearnMore": "了解更多",
+    "sshPrivateKeyFile": "私钥文件",
+    "sshAuthenticate": "连接",
+    "sshTerminate": "终止",
+    "sshPoweredBy": "支持者",
+    "sshErrorNoTarget": "未指定目标",
+    "sshErrorWebSocket": "WebSocket 连接失败",
+    "sshErrorAuthFailed": "身份验证失败",
+    "sshErrorConnectionClosed": "认证完成前连接已关闭",
+    "sitePangolinSshDescription": "允许对该站点的资源进行 SSH 访问。可稍后更改。",
+    "browserGatewayNoResourceForDomain": "未找到该域的资源",
+    "browserGatewayNoTarget": "没有目标",
+    "browserGatewayConnect": "连接",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "签署 SSH 密钥以进行 PAM 推送身份验证失败。您以用户身份登录了吗？",
+    "sshTerminalError": "错误: {error}",
+    "sshConnectionClosedCode": "连接关闭 (代码 {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "需要私钥",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "输入您的 VNC 密码以连接",
+    "vncPasswordOptional": "密码 (可选)",
+    "vncNoResourceTarget": "没有可用的资源目标",
+    "vncFailedToLoadNovnc": "加载 noVNC 失败",
+    "vncAuthFailedStatus": "状态 {status}",
+    "vncPasteClipboard": "粘贴剪贴板",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "登录到远程桌面",
+    "rdpSignInDescription": "输入 Windows 凭据以连接",
+    "rdpLoadingModule": "加载模块中……",
+    "rdpFailedToLoadModule": "加载 RDP 模块失败",
+    "rdpNotReady": "未准备好",
+    "rdpModuleInitializing": "RDP 模块仍在初始化中",
+    "rdpDownloadingFiles": "正在从远程下载 {count} 个文件...",
+    "rdpDownloadFailed": "下载失败: {fileName}",
+    "rdpUploaded": "已上传: {fileName}",
+    "rdpNoConnectionTarget": "没有可用的连接目标",
+    "rdpConnectionFailed": "连接失败",
+    "rdpFit": "适合",
+    "rdpFull": "完整",
+    "rdpReal": "真实",
+    "rdpMeta": "元数据",
+    "rdpUploadFiles": "上传文件",
+    "rdpFilesReadyToPaste": "文件准备好粘贴",
+    "rdpFilesReadyToPasteDescription": "已将 {count} 个文件复制到远程剪贴板——在远程桌面上按 Ctrl+V 进行粘贴",
+    "rdpUploadFailed": "上传失败",
+    "rdpUnicodeKeyboardMode": "Unicode 键盘模式",
+    "sessionToolbarShow": "显示工具栏",
+    "sessionToolbarHide": "隐藏工具栏"
 }
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -152,8 +152,8 @@
    "shareErrorSelectResource": "請選擇一個資源",
    "proxyResourceTitle": "管理公開資源",
    "proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
-    "proxyResourcesBannerTitle": "基於網頁的公開存取",
-    "proxyResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同，它們不需要客戶端軟體，並且可以包含基於身份和情境感知的存取策略。",
+    "publicResourcesBannerTitle": "基於網頁的公開存取",
+    "publicResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同，它們不需要客戶端軟體，並且可以包含基於身份和情境感知的存取策略。",
    "clientResourceTitle": "管理私有資源",
    "clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
    "privateResourcesBannerTitle": "零信任私有存取",
@@ -489,7 +489,7 @@
    "createdAt": "創建於",
    "proxyErrorInvalidHeader": "無效的自訂主機 Header。使用域名格式，或將空保存為取消自訂 Header。",
    "proxyErrorTls": "無效的 TLS 伺服器名稱。使用域名格式，或保存空以刪除 TLS 伺服器名稱。",
-    "proxyEnableSSL": "啟用 SSL",
+    "proxyEnableSSL": "啟用 TLS",
    "proxyEnableSSLDescription": "啟用 SSL/TLS 加密以確保您目標的 HTTPS 連接。",
    "target": "目標",
    "configureTarget": "配置目標",
@@ -1763,7 +1763,7 @@
        "description": "更可靠、維護成本更低的自架 Pangolin 伺服器，並附帶額外的附加功能",
        "introTitle": "託管式自架 Pangolin",
        "introDescription": "這是一種部署選擇，為那些希望簡潔和額外可靠的人設計，同時仍然保持他們的數據的私密性和自我託管性。",
-        "introDetail": "通過此選項，您仍然運行您自己的 Pangolin 節點 - - 您的隧道、SSL 終止，並且流量在您的伺服器上保持所有狀態。 不同之處在於，管理和監測是通過我們的雲層儀錶板進行的，該儀錶板開啟了一些好處：",
+        "introDetail": "通過此選項，您仍然運行您自己的 Pangolin 節點 - - 您的隧道、TLS 終止，並且流量在您的伺服器上保持所有狀態。 不同之處在於，管理和監測是通過我們的雲層儀錶板進行的，該儀錶板開啟了一些好處：",
        "benefitSimplerOperations": {
            "title": "簡單的操作",
            "description": "無需運行您自己的郵件伺服器或設置複雜的警報。您將從方框中獲得健康檢查和下限提醒。"
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,17 +1,42 @@
 import type { NextConfig } from "next";
 import createNextIntlPlugin from "next-intl/plugin";
+import fs from "fs";
+import path from "path";

 const withNextIntl = createNextIntlPlugin();
+// read allowedDevOrigins.json if it exists
+let allowedDevOrigins: string[] = [];
+const allowedDevOriginsPath = path.join(
+    process.cwd(),
+    "allowedDevOrigins.json"
+);
+if (fs.existsSync(allowedDevOriginsPath)) {
+    try {
+        const data = fs.readFileSync(allowedDevOriginsPath, "utf-8");
+        allowedDevOrigins = JSON.parse(data);
+    } catch {}
+}

 const nextConfig: NextConfig = {
    reactStrictMode: false,
-    eslint: {
-        ignoreDuringBuilds: true
-    },
-    experimental: {
-        reactCompiler: true
-    },
-    output: "standalone"
+    reactCompiler: true,
+    transpilePackages: ["@novnc/novnc"],
+    output: "standalone",
+    allowedDevOrigins,
+    async redirects() {
+        return [
+            {
+                source: "/:orgId/settings/resources/proxy/:path*",
+                destination: "/:orgId/settings/resources/public/:path*",
+                permanent: true
+            },
+            {
+                source: "/:orgId/settings/resources/client/:path*",
+                destination: "/:orgId/settings/resources/private/:path*",
+                permanent: true
+            }
+        ];
+    }
 };

 export default withNextIntl(nextConfig);
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -32,13 +32,15 @@
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.1011.0",
-        "@faker-js/faker": "10.3.0",
-        "@headlessui/react": "2.2.9",
-        "@hookform/resolvers": "5.2.2",
+        "@asteasolutions/zod-to-openapi": "8.5.0",
+        "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+        "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
+        "@aws-sdk/client-s3": "3.1056.0",
+        "@headlessui/react": "2.2.10",
+        "@hookform/resolvers": "5.4.0",
        "@monaco-editor/react": "4.7.0",
        "@node-rs/argon2": "2.0.2",
+        "@novnc/novnc": "^1.7.0",
        "@oslojs/crypto": "1.0.1",
        "@oslojs/encoding": "1.1.0",
        "@radix-ui/react-avatar": "1.1.11",
@@ -59,16 +61,20 @@
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
        "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.8",
-        "@react-email/render": "2.0.4",
-        "@react-email/tailwind": "2.0.5",
+        "@react-email/body": "0.3.0",
+        "@react-email/components": "1.0.12",
+        "@react-email/render": "2.0.8",
+        "@react-email/tailwind": "2.0.7",
        "@simplewebauthn/browser": "13.3.0",
-        "@simplewebauthn/server": "13.3.0",
+        "@simplewebauthn/server": "13.3.1",
        "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.90.21",
+        "@tanstack/react-query": "5.100.14",
        "@tanstack/react-table": "8.21.3",
+        "@xterm/addon-fit": "^0.11.0",
+        "@xterm/addon-web-links": "^0.12.0",
+        "@xterm/xterm": "^6.0.0",
        "arctic": "3.7.0",
-        "axios": "1.15.0",
+        "axios": "1.16.1",
        "better-sqlite3": "11.9.1",
        "canvas-confetti": "1.9.4",
        "class-variance-authority": "0.7.1",
@@ -80,77 +86,76 @@
        "d3": "7.9.0",
        "drizzle-orm": "0.45.2",
        "express": "5.2.1",
-        "express-rate-limit": "8.3.0",
+        "express-rate-limit": "8.5.2",
        "glob": "13.0.6",
-        "helmet": "8.1.0",
+        "helmet": "8.2.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
-        "ioredis": "5.10.0",
+        "ioredis": "5.11.0",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.577.0",
-        "maxmind": "5.0.5",
+        "lucide-react": "1.17.0",
+        "maxmind": "5.0.6",
        "moment": "2.30.1",
-        "next": "15.5.15",
-        "next-intl": "4.8.3",
+        "next": "16.2.6",
+        "next-intl": "4.13.0",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "nodemailer": "8.0.5",
+        "nodemailer": "8.0.9",
        "oslo": "1.2.1",
-        "pg": "8.20.0",
-        "posthog-node": "5.28.0",
+        "pg": "8.21.0",
+        "posthog-node": "5.35.6",
        "qrcode.react": "4.2.0",
-        "react": "19.2.4",
+        "react": "19.2.6",
        "react-day-picker": "9.14.0",
-        "react-dom": "19.2.4",
+        "react-dom": "19.2.6",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.71.2",
+        "react-hook-form": "7.76.1",
        "react-icons": "5.6.0",
-        "recharts": "2.15.4",
+        "recharts": "3.8.1",
        "reodotdev": "1.1.0",
-        "resend": "6.9.2",
-        "semver": "7.7.4",
+        "semver": "7.8.1",
        "sshpk": "1.18.0",
-        "stripe": "20.4.1",
+        "stripe": "22.2.0",
        "swagger-ui-express": "5.0.1",
-        "tailwind-merge": "3.5.0",
+        "tailwind-merge": "3.6.0",
        "topojson-client": "3.1.0",
        "tw-animate-css": "1.4.0",
-        "use-debounce": "10.1.0",
-        "uuid": "13.0.0",
+        "use-debounce": "10.1.1",
+        "uuid": "14.0.0",
        "vaul": "1.1.2",
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.19.0",
-        "yaml": "2.8.3",
+        "ws": "8.21.0",
+        "yaml": "2.9.0",
        "yargs": "18.0.0",
-        "zod": "4.3.6",
+        "zod": "4.4.3",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.54.1",
+        "@dotenvx/dotenvx": "1.69.1",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "5.2.10",
-        "@tailwindcss/postcss": "4.2.2",
-        "@tanstack/react-query-devtools": "5.91.3",
+        "@react-email/ui": "^6.5.0",
+        "@tailwindcss/postcss": "4.3.0",
+        "@tanstack/react-query-devtools": "5.100.14",
        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
        "@types/crypto-js": "4.2.2",
        "@types/d3": "7.4.3",
        "@types/express": "5.0.6",
-        "@types/express-session": "1.18.2",
+        "@types/express-session": "1.19.0",
        "@types/jmespath": "0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.3.5",
-        "@types/nodemailer": "7.0.11",
+        "@types/node": "25.9.1",
+        "@types/nodemailer": "8.0.0",
        "@types/nprogress": "0.2.3",
-        "@types/pg": "8.18.0",
-        "@types/react": "19.2.14",
+        "@types/pg": "8.20.0",
+        "@types/react": "19.2.15",
        "@types/react-dom": "19.2.3",
        "@types/semver": "7.7.1",
        "@types/sshpk": "1.17.4",
@@ -160,21 +165,22 @@
        "@types/yargs": "17.0.35",
        "babel-plugin-react-compiler": "1.0.0",
        "drizzle-kit": "0.31.10",
-        "esbuild": "0.27.4",
-        "esbuild-node-externals": "1.20.1",
-        "eslint": "10.0.3",
-        "eslint-config-next": "16.1.7",
-        "postcss": "8.5.8",
-        "prettier": "3.8.1",
-        "react-email": "5.2.10",
-        "tailwindcss": "4.2.2",
-        "tsc-alias": "1.8.16",
-        "tsx": "4.21.0",
-        "typescript": "5.9.3",
-        "typescript-eslint": "8.56.1"
+        "esbuild": "0.28.0",
+        "esbuild-node-externals": "1.22.0",
+        "eslint": "10.4.0",
+        "eslint-config-next": "16.2.6",
+        "postcss": "8.5.15",
+        "prettier": "3.8.3",
+        "react-email": "6.5.0",
+        "tailwindcss": "4.3.0",
+        "tsc-alias": "1.8.17",
+        "tsx": "4.22.3",
+        "typescript": "6.0.3",
+        "typescript-eslint": "8.60.0"
    },
    "overrides": {
-        "esbuild": "0.27.4",
-        "dompurify": "3.3.2"
+        "esbuild": "0.28.0",
+        "dompurify": "3.4.0",
+        "postcss": "8.5.15"
    }
 }
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -5,6 +5,7 @@ import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import logger from "@server/logger";

 export enum ActionsEnum {
    createOrgUser = "createOrgUser",
@@ -148,11 +149,36 @@ export enum ActionsEnum {
    updateAlertRule = "updateAlertRule",
    deleteAlertRule = "deleteAlertRule",
    listAlertRules = "listAlertRules",
+    listOrgLabels = "listOrgLabels",
+    createOrgLabel = "createOrgLabel",
+    updateOrgLabel = "updateOrgLabel",
+    deleteOrgLabel = "deleteOrgLabel",
+    attachLabelToItem = "attachLabelToItem",
+    detachLabelFromItem = "detachLabelFromItem",
    getAlertRule = "getAlertRule",
    createHealthCheck = "createHealthCheck",
    updateHealthCheck = "updateHealthCheck",
    deleteHealthCheck = "deleteHealthCheck",
-    listHealthChecks = "listHealthChecks"
+    listHealthChecks = "listHealthChecks",
+    createBrowserGatewayTarget = "createBrowserGatewayTarget",
+    updateBrowserGatewayTarget = "updateBrowserGatewayTarget",
+    deleteBrowserGatewayTarget = "deleteBrowserGatewayTarget",
+    getBrowserGatewayTarget = "getBrowserGatewayTarget",
+    listBrowserGatewayTargets = "listBrowserGatewayTargets",
+    listResourcePolicies = "listResourcePolicies",
+    getResourcePolicy = "getResourcePolicy",
+    createResourcePolicy = "createResourcePolicy",
+    updateResourcePolicy = "updateResourcePolicy",
+    deleteResourcePolicy = "deleteResourcePolicy",
+    listResourcePolicyRoles = "listResourcePolicyRoles",
+    setResourcePolicyRoles = "setResourcePolicyRoles",
+    listResourcePolicyUsers = "listResourcePolicyUsers",
+    setResourcePolicyUsers = "setResourcePolicyUsers",
+    setResourcePolicyPassword = "setResourcePolicyPassword",
+    setResourcePolicyPincode = "setResourcePolicyPincode",
+    setResourcePolicyHeaderAuth = "setResourcePolicyHeaderAuth",
+    setResourcePolicyWhitelist = "setResourcePolicyWhitelist",
+    setResourcePolicyRules = "setResourcePolicyRules"
 }

 export async function checkUserActionPermission(
@@ -185,6 +211,23 @@ export async function checkUserActionPermission(
            }
        }

+        // If no direct permission, check role-based permission (any of user's roles)
+        const roleActionPermission = await db
+            .select()
+            .from(roleActions)
+            .where(
+                and(
+                    eq(roleActions.actionId, actionId),
+                    inArray(roleActions.roleId, userOrgRoleIds),
+                    eq(roleActions.orgId, req.userOrgId!)
+                )
+            )
+            .limit(1);
+
+        if (roleActionPermission.length > 0) {
+            return true;
+        }
+
        // Check if the user has direct permission for the action in the current org
        const userActionPermission = await db
            .select()
@@ -202,20 +245,7 @@ export async function checkUserActionPermission(
            return true;
        }

-        // If no direct permission, check role-based permission (any of user's roles)
-        const roleActionPermission = await db
-            .select()
-            .from(roleActions)
-            .where(
-                and(
-                    eq(roleActions.actionId, actionId),
-                    inArray(roleActions.roleId, userOrgRoleIds),
-                    eq(roleActions.orgId, req.userOrgId!)
-                )
-            )
-            .limit(1);
-
-        return roleActionPermission.length > 0;
+        return false;
    } catch (error) {
        console.error("Error checking user action permission:", error);
        throw createHttpError(
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,6 +1,12 @@
 import { db } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
-import { roleResources, userResources } from "@server/db";
+import { and, eq, inArray, isNull, or } from "drizzle-orm";
+import {
+    rolePolicies,
+    roleResources,
+    resources,
+    userPolicies,
+    userResources
+} from "@server/db";

 export async function canUserAccessResource({
    userId,
@@ -11,9 +17,14 @@ export async function canUserAccessResource({
    resourceId: number;
    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess =
+    const [
+        roleResourceAccess,
+        rolePolicyAccess,
+        userResourceAccess,
+        userPolicyAccess
+    ] = await Promise.all([
        roleIds.length > 0
-            ? await db
+            ? db
                  .select()
                  .from(roleResources)
                  .where(
@@ -23,26 +34,87 @@ export async function canUserAccessResource({
                      )
                  )
                  .limit(1)
-            : [];
-
-    if (roleResourceAccess.length > 0) {
-        return true;
-    }
-
-    const userResourceAccess = await db
-        .select()
-        .from(userResources)
-        .where(
-            and(
-                eq(userResources.userId, userId),
-                eq(userResources.resourceId, resourceId)
+            : [],
+        roleIds.length > 0
+            ? db
+                  .select({
+                      roleId: rolePolicies.roleId,
+                      resourcePolicyId: rolePolicies.resourcePolicyId
+                  })
+                  .from(rolePolicies)
+                  .innerJoin(
+                      resources,
+                      // Shared policy wins; only use default policy when no shared
+                      // policy is assigned to the resource.
+                      or(
+                          eq(
+                              resources.resourcePolicyId,
+                              rolePolicies.resourcePolicyId
+                          ),
+                          and(
+                              isNull(resources.resourcePolicyId),
+                              eq(
+                                  resources.defaultResourcePolicyId,
+                                  rolePolicies.resourcePolicyId
+                              )
+                          )
+                      )
+                  )
+                  .where(
+                      and(
+                          eq(resources.resourceId, resourceId),
+                          inArray(rolePolicies.roleId, roleIds)
+                      )
+                  )
+                  .limit(1)
+            : [],
+        db
+            .select()
+            .from(userResources)
+            .where(
+                and(
+                    eq(userResources.userId, userId),
+                    eq(userResources.resourceId, resourceId)
+                )
            )
-        )
-        .limit(1);
+            .limit(1),
+        db
+            .select({
+                userId: userPolicies.userId,
+                resourcePolicyId: userPolicies.resourcePolicyId
+            })
+            .from(userPolicies)
+            .innerJoin(
+                resources,
+                // Shared policy wins; only use default policy when no shared
+                // policy is assigned to the resource.
+                or(
+                    eq(
+                        resources.resourcePolicyId,
+                        userPolicies.resourcePolicyId
+                    ),
+                    and(
+                        isNull(resources.resourcePolicyId),
+                        eq(
+                            resources.defaultResourcePolicyId,
+                            userPolicies.resourcePolicyId
+                        )
+                    )
+                )
+            )
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(userPolicies.userId, userId)
+                )
+            )
+            .limit(1)
+    ]);

-    if (userResourceAccess.length > 0) {
-        return true;
-    }
-
-    return false;
+    return (
+        roleResourceAccess.length > 0 ||
+        rolePolicyAccess.length > 0 ||
+        userResourceAccess.length > 0 ||
+        userPolicyAccess.length > 0
+    );
 }
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -19,6 +19,9 @@ export async function createResourceSession(opts: {
    userSessionId?: string | null;
    whitelistId?: number | null;
    accessTokenId?: string | null;
+    policyPasswordId?: number | null;
+    policyPincodeId?: number | null;
+    policyWhitelistId?: number | null;
    doNotExtend?: boolean;
    expiresAt?: number | null;
    sessionLength?: number | null;
@@ -28,7 +31,10 @@ export async function createResourceSession(opts: {
        !opts.pincodeId &&
        !opts.whitelistId &&
        !opts.accessTokenId &&
-        !opts.userSessionId
+        !opts.userSessionId &&
+        !opts.policyPasswordId &&
+        !opts.policyPincodeId &&
+        !opts.policyWhitelistId
    ) {
        throw new Error("Auth method must be provided");
    }
@@ -49,6 +55,9 @@ export async function createResourceSession(opts: {
        whitelistId: opts.whitelistId || null,
        doNotExtend: opts.doNotExtend || false,
        accessTokenId: opts.accessTokenId || null,
+        policyPasswordId: opts.policyPasswordId || null,
+        policyPincodeId: opts.policyPincodeId || null,
+        policyWhitelistId: opts.policyWhitelistId || null,
        isRequestToken: opts.isRequestToken || false,
        userSessionId: opts.userSessionId || null,
        issuedAt: new Date().getTime()
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -1,6 +1,12 @@
 import { join } from "path";
 import { readFileSync } from "fs";
-import { clients, db, resources, siteResources } from "@server/db";
+import {
+    clients,
+    db,
+    resourcePolicies,
+    resources,
+    siteResources
+} from "@server/db";
 import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -107,6 +113,35 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
    }
 }

+export async function getUniqueResourcePolicyName(
+    orgId: string
+): Promise<string> {
+    let loops = 0;
+    while (true) {
+        if (loops > 100) {
+            throw new Error("Could not generate a unique name");
+        }
+
+        const name = generateName();
+        const policyCount = await db
+            .select({
+                niceId: resourcePolicies.niceId,
+                orgId: resourcePolicies.orgId
+            })
+            .from(resourcePolicies)
+            .where(
+                and(
+                    eq(resourcePolicies.niceId, name),
+                    eq(resourcePolicies.orgId, orgId)
+                )
+            );
+        if (policyCount.length === 0) {
+            return name;
+        }
+        loops++;
+    }
+}
+
 export async function getUniqueSiteResourceName(
    orgId: string
 ): Promise<string> {
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -87,7 +87,7 @@ function createDb() {

 export const db = createDb();
 export default db;
-export const primaryDb = db.$primary;
+export const primaryDb = db.$primary as typeof db; // is this typeof a problem - technically they are different types
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
--- a/server/db/pg/index.ts
+++ b/server/db/pg/index.ts
@@ -4,3 +4,4 @@ export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
+export { alias } from "drizzle-orm/pg-core";
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -2,7 +2,7 @@ import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
-import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { db as mainDb } from "./driver";
 import { createPool } from "./poolConfig";

 function createLogsDb() {
@@ -63,8 +63,7 @@ function createLogsDb() {
            })
        );
    } else {
-        const maxReplicaConnections =
-            poolConfig?.max_replica_connections || 20;
+        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
            const replicaPool = createPool(
                conn.connection_string,
@@ -91,4 +90,4 @@ function createLogsDb() {

 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
--- a/server/db/pg/poolConfig.ts
+++ b/server/db/pg/poolConfig.ts
@@ -1,5 +1,4 @@
 import { Pool, PoolConfig } from "pg";
-import logger from "@server/logger";

 export function createPoolConfig(
    connectionString: string,
@@ -27,7 +26,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
    pool.on("error", (err) => {
        // This catches errors on idle clients in the pool. Without this
        // handler an unexpected disconnect would crash the process.
-        logger.error(
+        console.error(
            `Unexpected error on idle ${label} database client: ${err.message}`
        );
    });
@@ -36,7 +35,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
        // Set a statement timeout on every new connection so a single slow
        // query can't block the pool forever
        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
-            logger.warn(
+            console.warn(
                `Failed to set statement_timeout on ${label} client: ${err.message}`
            );
        });
@@ -60,4 +59,4 @@ export function createPool(
    );
    attachPoolErrorHandlers(pool, label);
    return pool;
-}
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -332,6 +332,7 @@ export const connectionAuditLog = pgTable(
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
+        clientEndpoint: text("clientEndpoint"),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
@@ -439,6 +440,8 @@ export const eventStreamingDestinations = pgTable(
        type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
        config: text("config").notNull(), // JSON string with the configuration for the destination
        enabled: boolean("enabled").notNull().default(true),
+        lastError: text("lastError"), // last send error message, null if healthy
+        lastErrorAt: bigint("lastErrorAt", { mode: "number" }), // epoch ms of last error, null if healthy
        createdAt: bigint("createdAt", { mode: "number" }).notNull(),
        updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
    }
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -65,7 +65,12 @@ export const orgs = pgTable("orgs", {
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: boolean("isBillingOrg"),
-    billingOrgId: varchar("billingOrgId")
+    billingOrgId: varchar("billingOrgId"),
+    settingsEnableGlobalNewtAutoUpdate: boolean(
+        "settingsEnableGlobalNewtAutoUpdate"
+    )
+        .notNull()
+        .default(false)
 });

 export const orgDomains = pgTable("orgDomains", {
@@ -103,6 +108,10 @@ export const sites = pgTable("sites", {
    lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
    listenPort: integer("listenPort"),
    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+    autoUpdateEnabled: boolean("autoUpdateEnabled").notNull().default(false),
+    autoUpdateOverrideOrg: boolean("autoUpdateOverrideOrg")
+        .notNull()
+        .default(false),
    status: varchar("status")
        .$type<"pending" | "approved">()
        .default("approved")
@@ -110,6 +119,16 @@ export const sites = pgTable("sites", {

 export const resources = pgTable("resources", {
    resourceId: serial("resourceId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
    resourceGuid: varchar("resourceGuid", { length: 36 })
        .unique()
        .notNull()
@@ -128,14 +147,10 @@ export const resources = pgTable("resources", {
    }),
    ssl: boolean("ssl").notNull().default(false),
    blockAccess: boolean("blockAccess").notNull().default(false),
-    sso: boolean("sso").notNull().default(true),
-    http: boolean("http").notNull().default(true),
-    protocol: varchar("protocol").notNull(),
    proxyPort: integer("proxyPort"),
-    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
-        .notNull()
-        .default(false),
-    applyRules: boolean("applyRules").notNull().default(false),
+    sso: boolean("sso"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled"),
+    applyRules: boolean("applyRules"),
    enabled: boolean("enabled").notNull().default(true),
    stickySession: boolean("stickySession").notNull().default(false),
    tlsServerName: varchar("tlsServerName"),
@@ -147,7 +162,6 @@ export const resources = pgTable("resources", {
    headers: text("headers"), // comma-separated list of headers to add to the request
    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
    maintenanceModeEnabled: boolean("maintenanceModeEnabled")
        .notNull()
        .default(false),
@@ -159,9 +173,100 @@ export const resources = pgTable("resources", {
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath"),
    health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: boolean("wildcard").notNull().default(false)
+    wildcard: boolean("wildcard").notNull().default(false),
+    mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });

+export const labels = pgTable("labels", {
+    labelId: serial("labelId").primaryKey(),
+    name: varchar("name").notNull(),
+    color: varchar("color").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = pgTable(
+    "siteLabels",
+    {
+        siteLabelId: serial("siteLabelId").primaryKey(),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = pgTable(
+    "resourceLabels",
+    {
+        resourceLabelId: serial("resourceLabelId").primaryKey(),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = pgTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: serial("siteResourceLabelId").primaryKey(),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = pgTable(
+    "clientLabels",
+    {
+        clientLabelId: serial("clientLabelId").primaryKey(),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = pgTable("targets", {
    targetId: serial("targetId").primaryKey(),
    resourceId: integer("resourceId")
@@ -183,7 +288,12 @@ export const targets = pgTable("targets", {
    pathMatchType: text("pathMatchType"), // exact, prefix, regex
    rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
    rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
-    priority: integer("priority").notNull().default(100)
+    priority: integer("priority").notNull().default(100),
+    mode: varchar("mode")
+        .$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
+        .notNull()
+        .default("http"),
+    authToken: varchar("authToken")
 });

 export const targetHealthCheck = pgTable("targetHealthCheck", {
@@ -196,9 +306,11 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
            onDelete: "cascade"
        })
        .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
    name: varchar("name"),
    hcEnabled: boolean("hcEnabled").notNull().default(false),
    hcPath: varchar("hcPath"),
@@ -254,11 +366,11 @@ export const siteResources = pgTable("siteResources", {
    niceId: varchar("niceId").notNull(),
    name: varchar("name").notNull(),
    ssl: boolean("ssl").notNull().default(false),
-    mode: varchar("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
+    mode: varchar("mode").$type<"host" | "cidr" | "http" | "ssh">().notNull(), // "host" | "cidr" | "http"
    scheme: varchar("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
-    destination: varchar("destination").notNull(), // ip, cidr, hostname; validate against the mode
+    destination: varchar("destination"), // ip, cidr, hostname; validate against the mode
    enabled: boolean("enabled").notNull().default(true),
    alias: varchar("alias"),
    aliasAddress: varchar("aliasAddress"),
@@ -266,8 +378,11 @@ export const siteResources = pgTable("siteResources", {
    udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
    disableIcmp: boolean("disableIcmp").notNull().default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
    authDaemonMode: varchar("authDaemonMode", { length: 32 })
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
        .default("site"),
    domainId: varchar("domainId").references(() => domains.domainId, {
        onDelete: "set null"
@@ -521,6 +636,38 @@ export const userResources = pgTable("userResources", {
        .references(() => resources.resourceId, { onDelete: "cascade" })
 });

+export const rolePolicies = pgTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = pgTable("userPolicies", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = pgTable("resourcePolicyWhitelist", {
+    whitelistId: serial("id").primaryKey(),
+    email: varchar("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const userInvites = pgTable("userInvites", {
    inviteId: varchar("inviteId").primaryKey(),
    orgId: varchar("orgId")
@@ -586,6 +733,40 @@ export const resourceHeaderAuthExtendedCompatibility = pgTable(
    }
 );

+export const resourcePolicyPincode = pgTable("resourcePolicyPincode", {
+    pincodeId: serial("pincodeId").primaryKey(),
+    pincodeHash: varchar("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = pgTable("resourcePolicyPassword", {
+    passwordId: serial("passwordId").primaryKey(),
+    passwordHash: varchar("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = pgTable("resourcePolicyHeaderAuth", {
+    headerAuthId: serial("headerAuthId").primaryKey(),
+    headerAuthHash: varchar("headerAuthHash").notNull(),
+    extendedCompatibility: boolean("extendedCompatibility")
+        .notNull()
+        .default(true),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const resourceAccessToken = pgTable("resourceAccessToken", {
    accessTokenId: varchar("accessTokenId").primaryKey(),
    orgId: varchar("orgId")
@@ -594,6 +775,7 @@ export const resourceAccessToken = pgTable("resourceAccessToken", {
    resourceId: integer("resourceId")
        .notNull()
        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    path: varchar("path"),
    tokenHash: varchar("tokenHash").notNull(),
    sessionLength: bigint("sessionLength", { mode: "number" }).notNull(),
    expiresAt: bigint("expiresAt", { mode: "number" }),
@@ -641,6 +823,24 @@ export const resourceSessions = pgTable("resourceSessions", {
            onDelete: "cascade"
        }
    ),
+    policyPasswordId: integer("policyPasswordId").references(
+        () => resourcePolicyPassword.passwordId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyPincodeId: integer("policyPincodeId").references(
+        () => resourcePolicyPincode.pincodeId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyWhitelistId: integer("policyWhitelistId").references(
+        () => resourcePolicyWhiteList.whitelistId,
+        {
+            onDelete: "cascade"
+        }
+    ),
    issuedAt: bigint("issuedAt", { mode: "number" })
 });

@@ -679,6 +879,45 @@ export const resourceRules = pgTable("resourceRules", {
    value: varchar("value").notNull()
 });

+export const resourcePolicyRules = pgTable("resourcePolicyRules", {
+    ruleId: serial("ruleId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: boolean("enabled").notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: varchar("match")
+        .$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
+        .notNull(),
+    value: varchar("value").notNull()
+});
+
+export const resourcePolicies = pgTable("resourcePolicies", {
+    resourcePolicyId: serial("resourcePolicyId").primaryKey(),
+    sso: boolean("sso").notNull().default(true),
+    applyRules: boolean("applyRules").notNull().default(false),
+    scope: varchar("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
+        .notNull()
+        .default(false),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    niceId: text("niceId").notNull(),
+    name: varchar("name").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = pgTable("supporterKey", {
    keyId: serial("keyId").primaryKey(),
    key: varchar("key").notNull(),
@@ -1097,19 +1336,30 @@ export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
    complete: boolean("complete").notNull().default(false)
 });

-export const statusHistory = pgTable("statusHistory", {
-    id: serial("id").primaryKey(),
-    entityType: varchar("entityType").notNull(),
-    entityId: integer("entityId").notNull(),
-    orgId: varchar("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: varchar("status").notNull(),
-    timestamp: integer("timestamp").notNull(),
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = pgTable(
+    "statusHistory",
+    {
+        id: serial("id").primaryKey(),
+        entityType: varchar("entityType").notNull(),
+        entityId: integer("entityId").notNull(),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: varchar("status").notNull(),
+        timestamp: integer("timestamp").notNull()
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);

 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1147,6 +1397,16 @@ export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
+export type ResourcePolicyPincode = InferSelectModel<
+    typeof resourcePolicyPincode
+>;
+export type ResourcePolicyPassword = InferSelectModel<
+    typeof resourcePolicyPassword
+>;
+export type ResourcePolicyHeaderAuth = InferSelectModel<
+    typeof resourcePolicyHeaderAuth
+>;
+
 export type VersionMigration = InferSelectModel<typeof versionMigrations>;
 export type ResourceRule = InferSelectModel<typeof resourceRules>;
 export type Domain = InferSelectModel<typeof domains>;
@@ -1179,3 +1439,7 @@ export type RoundTripMessageTracker = InferSelectModel<
 >;
 export type Network = InferSelectModel<typeof networks>;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -17,22 +17,37 @@ import {
    resourceHeaderAuth,
    ResourceHeaderAuth,
    resourceRules,
+    resourcePolicyRules,
    resources,
    roleResources,
+    rolePolicies,
    sessions,
    userResources,
+    userPolicies,
    users,
    ResourceHeaderAuthExtendedCompatibility,
-    resourceHeaderAuthExtendedCompatibility
+    resourceHeaderAuthExtendedCompatibility,
+    resourcePolicies,
+    resourcePolicyPincode,
+    ResourcePolicyPincode,
+    resourcePolicyPassword,
+    ResourcePolicyPassword,
+    resourcePolicyHeaderAuth,
+    ResourcePolicyHeaderAuth
 } from "@server/db";
-import { and, eq, inArray, or, sql } from "drizzle-orm";
+import { alias } from "@server/db";
+import { and, eq, inArray, isNull, or, sql } from "drizzle-orm";
+import logger from "@server/logger";

 export type ResourceWithAuth = {
    resource: Resource | null;
-    pincode: ResourcePincode | null;
-    password: ResourcePassword | null;
-    headerAuth: ResourceHeaderAuth | null;
+    pincode: ResourcePincode | ResourcePolicyPincode | null;
+    password: ResourcePassword | ResourcePolicyPassword | null;
+    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
+    applyRules: boolean | null;
+    sso: boolean | null;
+    emailWhitelistEnabled: boolean | null;
    org: Org;
 };

@@ -57,6 +72,33 @@ export async function getResourceByDomain(
        wildcardCandidates.push(`*.${parts.slice(i).join(".")}`);
    }

+    const sharedPolicy = alias(resourcePolicies, "sharedPolicy");
+    const defaultPolicy = alias(resourcePolicies, "defaultPolicy");
+    const sharedPolicyPincode = alias(
+        resourcePolicyPincode,
+        "sharedPolicyPincode"
+    );
+    const defaultPolicyPincode = alias(
+        resourcePolicyPincode,
+        "defaultPolicyPincode"
+    );
+    const sharedPolicyPassword = alias(
+        resourcePolicyPassword,
+        "sharedPolicyPassword"
+    );
+    const defaultPolicyPassword = alias(
+        resourcePolicyPassword,
+        "defaultPolicyPassword"
+    );
+    const sharedPolicyHeaderAuth = alias(
+        resourcePolicyHeaderAuth,
+        "sharedPolicyHeaderAuth"
+    );
+    const defaultPolicyHeaderAuth = alias(
+        resourcePolicyHeaderAuth,
+        "defaultPolicyHeaderAuth"
+    );
+
    const potentialResults = await db
        .select()
        .from(resources)
@@ -79,6 +121,59 @@ export async function getResourceByDomain(
                resources.resourceId
            )
        )
+        .leftJoin(
+            sharedPolicy,
+            eq(sharedPolicy.resourcePolicyId, resources.resourcePolicyId)
+        )
+        .leftJoin(
+            sharedPolicyPincode,
+            eq(
+                sharedPolicyPincode.resourcePolicyId,
+                sharedPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            sharedPolicyPassword,
+            eq(
+                sharedPolicyPassword.resourcePolicyId,
+                sharedPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            sharedPolicyHeaderAuth,
+            eq(
+                sharedPolicyHeaderAuth.resourcePolicyId,
+                sharedPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicy,
+            eq(
+                defaultPolicy.resourcePolicyId,
+                resources.defaultResourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicyPincode,
+            eq(
+                defaultPolicyPincode.resourcePolicyId,
+                defaultPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicyPassword,
+            eq(
+                defaultPolicyPassword.resourcePolicyId,
+                defaultPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicyHeaderAuth,
+            eq(
+                defaultPolicyHeaderAuth.resourcePolicyId,
+                defaultPolicy.resourcePolicyId
+            )
+        )
        .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
        .where(
            or(
@@ -108,13 +203,51 @@ export async function getResourceByDomain(
        return null;
    }

+    // If a shared (custom) policy is assigned to the resource, use ONLY
+    // its values — do not fall back to the default policy. The default
+    // policy is only consulted when no shared policy is assigned at all.
+    const hasSharedPolicy = result.sharedPolicy !== null;
+
+    const effectivePolicyPincode = hasSharedPolicy
+        ? result.sharedPolicyPincode
+        : (result.defaultPolicyPincode ?? null);
+    const effectivePolicyPassword = hasSharedPolicy
+        ? result.sharedPolicyPassword
+        : (result.defaultPolicyPassword ?? null);
+    const effectivePolicyHeaderAuth = hasSharedPolicy
+        ? result.sharedPolicyHeaderAuth
+        : (result.defaultPolicyHeaderAuth ?? null);
+    const selectedPolicy = hasSharedPolicy
+        ? result.sharedPolicy
+        : result.defaultPolicy;
+    const effectiveApplyRules =
+        selectedPolicy?.applyRules ?? result.resources.applyRules;
+    const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
+    const effectiveEmailWhitelistEnabled =
+        selectedPolicy?.emailWhitelistEnabled ??
+        result.resources.emailWhitelistEnabled;
+
    return {
-        resource: result.resources,
-        pincode: result.resourcePincode,
-        password: result.resourcePassword,
-        headerAuth: result.resourceHeaderAuth,
-        headerAuthExtendedCompatibility:
-            result.resourceHeaderAuthExtendedCompatibility,
+        resource: {
+            ...result.resources,
+            applyRules: effectiveApplyRules,
+            sso: effectiveSSO,
+            emailWhitelistEnabled: effectiveEmailWhitelistEnabled
+        }, // doing this for backward compatability so the remote nodes get the value as part of the resource struct
+        pincode: effectivePolicyPincode ?? result.resourcePincode,
+        password: effectivePolicyPassword ?? result.resourcePassword,
+        headerAuth: effectivePolicyHeaderAuth ?? result.resourceHeaderAuth,
+        headerAuthExtendedCompatibility: effectivePolicyHeaderAuth
+            ? ({
+                  headerAuthExtendedCompatibilityId: 0,
+                  resourceId: result.resources.resourceId,
+                  extendedCompatibilityIsActivated:
+                      effectivePolicyHeaderAuth.extendedCompatibility
+              } as ResourceHeaderAuthExtendedCompatibility)
+            : result.resourceHeaderAuthExtendedCompatibility,
+        applyRules: effectiveApplyRules,
+        sso: effectiveSSO,
+        emailWhitelistEnabled: effectiveEmailWhitelistEnabled,
        org: result.orgs
    };
 }
@@ -154,58 +287,165 @@ export async function getRoleName(roleId: number): Promise<string | null> {
 }

 /**
- * Check if role has access to resource
+ * Check if role has access to resource (direct or via resource policy)
 */
 export async function getRoleResourceAccess(
    resourceId: number,
    roleIds: number[]
 ) {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                inArray(roleResources.roleId, roleIds)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(roleResources)
+            .where(
+                and(
+                    eq(roleResources.resourceId, resourceId),
+                    inArray(roleResources.roleId, roleIds)
+                )
+            ),
+        db
+            .select({
+                roleId: rolePolicies.roleId,
+                resourcePolicyId: rolePolicies.resourcePolicyId
+            })
+            .from(rolePolicies)
+            .innerJoin(
+                resources,
+                // Shared policy wins; only use default policy when no shared
+                // policy is assigned to the resource.
+                or(
+                    eq(
+                        resources.resourcePolicyId,
+                        rolePolicies.resourcePolicyId
+                    ),
+                    and(
+                        isNull(resources.resourcePolicyId),
+                        eq(
+                            resources.defaultResourcePolicyId,
+                            rolePolicies.resourcePolicyId
+                        )
+                    )
+                )
            )
-        );
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    inArray(rolePolicies.roleId, roleIds)
+                )
+            )
+    ]);

-    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
+    const combined = [...direct, ...viaPolicies];
+    return combined.length > 0 ? combined : null;
 }

 /**
- * Check if user has direct access to resource
+ * Check if user has access to resource (direct or via resource policy)
 */
 export async function getUserResourceAccess(
    userId: string,
    resourceId: number
 ) {
-    const userResourceAccess = await db
-        .select()
-        .from(userResources)
-        .where(
-            and(
-                eq(userResources.userId, userId),
-                eq(userResources.resourceId, resourceId)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(userResources)
+            .where(
+                and(
+                    eq(userResources.userId, userId),
+                    eq(userResources.resourceId, resourceId)
+                )
            )
-        )
-        .limit(1);
+            .limit(1),
+        db
+            .select({
+                userId: userPolicies.userId,
+                resourcePolicyId: userPolicies.resourcePolicyId
+            })
+            .from(userPolicies)
+            .innerJoin(
+                resources,
+                // Shared policy wins; only use default policy when no shared
+                // policy is assigned to the resource.
+                or(
+                    eq(
+                        resources.resourcePolicyId,
+                        userPolicies.resourcePolicyId
+                    ),
+                    and(
+                        isNull(resources.resourcePolicyId),
+                        eq(
+                            resources.defaultResourcePolicyId,
+                            userPolicies.resourcePolicyId
+                        )
+                    )
+                )
+            )
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(userPolicies.userId, userId)
+                )
+            )
+            .limit(1)
+    ]);

-    return userResourceAccess.length > 0 ? userResourceAccess[0] : null;
+    return direct[0] ?? viaPolicies[0] ?? null;
 }

 /**
- * Get resource rules for a given resource
+ * Get resource rules for a given resource (direct and via resource policy)
 */
 export async function getResourceRules(
    resourceId: number
 ): Promise<ResourceRule[]> {
-    const rules = await db
-        .select()
-        .from(resourceRules)
-        .where(eq(resourceRules.resourceId, resourceId));
+    const [directRules, policyRules] = await Promise.all([
+        db
+            .select()
+            .from(resourceRules)
+            .where(eq(resourceRules.resourceId, resourceId)),
+        db
+            .select({
+                ruleId: resourcePolicyRules.ruleId,
+                resourceId: sql<number>`${resourceId}`,
+                enabled: resourcePolicyRules.enabled,
+                priority: resourcePolicyRules.priority,
+                action: resourcePolicyRules.action,
+                match: resourcePolicyRules.match,
+                value: resourcePolicyRules.value
+            })
+            .from(resourcePolicyRules)
+            .innerJoin(
+                resources,
+                // Shared policy wins; only use default policy when no shared
+                // policy is assigned to the resource.
+                or(
+                    eq(
+                        resources.resourcePolicyId,
+                        resourcePolicyRules.resourcePolicyId
+                    ),
+                    and(
+                        isNull(resources.resourcePolicyId),
+                        eq(
+                            resources.defaultResourcePolicyId,
+                            resourcePolicyRules.resourcePolicyId
+                        )
+                    )
+                )
+            )
+            .where(eq(resources.resourceId, resourceId))
+    ]);

-    return rules;
+    const maxDirectPriority = directRules.reduce(
+        (max, r) => Math.max(max, r.priority),
+        0
+    );
+    const offsetPolicyRules = policyRules.map((r) => ({
+        ...r,
+        priority: maxDirectPriority + r.priority
+    }));
+
+    return [...directRules, ...offsetPolicyRules] as ResourceRule[];
 }

 /**
--- a/server/db/sqlite/index.ts
+++ b/server/db/sqlite/index.ts
@@ -4,3 +4,4 @@ export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
+export { alias } from "drizzle-orm/sqlite-core";
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -332,6 +332,7 @@ export const connectionAuditLog = sqliteTable(
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
+        clientEndpoint: text("clientEndpoint"),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
@@ -445,6 +446,8 @@ export const eventStreamingDestinations = sqliteTable(
        enabled: integer("enabled", { mode: "boolean" })
            .notNull()
            .default(true),
+        lastError: text("lastError"), // last send error message, null if healthy
+        lastErrorAt: integer("lastErrorAt"), // epoch ms of last error, null if healthy
        createdAt: integer("createdAt").notNull(),
        updatedAt: integer("updatedAt").notNull()
    }
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -62,7 +62,13 @@ export const orgs = sqliteTable("orgs", {
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
-    billingOrgId: text("billingOrgId")
+    billingOrgId: text("billingOrgId"),
+    settingsEnableGlobalNewtAutoUpdate: integer(
+        "settingsEnableGlobalNewtAutoUpdate",
+        { mode: "boolean" }
+    )
+        .notNull()
+        .default(false)
 });

 export const userDomains = sqliteTable("userDomains", {
@@ -116,11 +122,29 @@ export const sites = sqliteTable("sites", {
    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
        .notNull()
        .default(true),
+    autoUpdateEnabled: integer("autoUpdateEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdateOverrideOrg: integer("autoUpdateOverrideOrg", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
    status: text("status").$type<"pending" | "approved">().default("approved")
 });

 export const resources = sqliteTable("resources", {
    resourceId: integer("resourceId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
    resourceGuid: text("resourceGuid", { length: 36 })
        .unique()
        .notNull()
@@ -141,16 +165,12 @@ export const resources = sqliteTable("resources", {
    blockAccess: integer("blockAccess", { mode: "boolean" })
        .notNull()
        .default(false),
-    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
-    http: integer("http", { mode: "boolean" }).notNull().default(true),
-    protocol: text("protocol").notNull(),
    proxyPort: integer("proxyPort"),
-    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
-        .notNull()
-        .default(false),
-    applyRules: integer("applyRules", { mode: "boolean" })
-        .notNull()
-        .default(false),
+    sso: integer("sso", { mode: "boolean" }),
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", {
+        mode: "boolean"
+    }),
+    applyRules: integer("applyRules", { mode: "boolean" }),
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    stickySession: integer("stickySession", { mode: "boolean" })
        .notNull()
@@ -166,7 +186,6 @@ export const resources = sqliteTable("resources", {
        .notNull()
        .default(false),
    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
    maintenanceModeEnabled: integer("maintenanceModeEnabled", {
        mode: "boolean"
    })
@@ -180,9 +199,106 @@ export const resources = sqliteTable("resources", {
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath"),
    health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false)
+    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
+    mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });

+export const labels = sqliteTable("labels", {
+    labelId: integer("labelId").primaryKey({ autoIncrement: true }),
+    name: text("name").notNull(),
+    color: text("color").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = sqliteTable(
+    "siteLabels",
+    {
+        siteLabelId: integer("siteLabelId").primaryKey({ autoIncrement: true }),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = sqliteTable(
+    "resourceLabels",
+    {
+        resourceLabelId: integer("resourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = sqliteTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: integer("siteResourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = sqliteTable(
+    "clientLabels",
+    {
+        clientLabelId: integer("clientLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = sqliteTable("targets", {
    targetId: integer("targetId").primaryKey({ autoIncrement: true }),
    resourceId: integer("resourceId")
@@ -204,7 +320,12 @@ export const targets = sqliteTable("targets", {
    pathMatchType: text("pathMatchType"), // exact, prefix, regex
    rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
    rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
-    priority: integer("priority").notNull().default(100)
+    priority: integer("priority").notNull().default(100),
+    mode: text("mode")
+        .$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
+        .notNull()
+        .default("http"),
+    authToken: text("authToken")
 });

 export const targetHealthCheck = sqliteTable("targetHealthCheck", {
@@ -219,9 +340,11 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
            onDelete: "cascade"
        })
        .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
    name: text("name"),
    hcEnabled: integer("hcEnabled", { mode: "boolean" })
        .notNull()
@@ -281,11 +404,11 @@ export const siteResources = sqliteTable("siteResources", {
    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
    ssl: integer("ssl", { mode: "boolean" }).notNull().default(false),
-    mode: text("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
+    mode: text("mode").$type<"host" | "cidr" | "http" | "ssh">().notNull(), // "host" | "cidr" | "http"
    scheme: text("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
-    destination: text("destination").notNull(), // ip, cidr, hostname
+    destination: text("destination"), // ip, cidr, hostname
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    alias: text("alias"),
    aliasAddress: text("aliasAddress"),
@@ -295,8 +418,11 @@ export const siteResources = sqliteTable("siteResources", {
        .notNull()
        .default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
    authDaemonMode: text("authDaemonMode")
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
        .default("site"),
    domainId: text("domainId").references(() => domains.domainId, {
        onDelete: "set null"
@@ -909,6 +1035,47 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
    headerAuthHash: text("headerAuthHash").notNull()
 });

+export const resourcePolicyPincode = sqliteTable("resourcePolicyPincode", {
+    pincodeId: integer("pincodeId").primaryKey({ autoIncrement: true }),
+    pincodeHash: text("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = sqliteTable("resourcePolicyPassword", {
+    passwordId: integer("passwordId").primaryKey({ autoIncrement: true }),
+    passwordHash: text("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = sqliteTable(
+    "resourcePolicyHeaderAuth",
+    {
+        headerAuthId: integer("headerAuthId").primaryKey({
+            autoIncrement: true
+        }),
+        headerAuthHash: text("headerAuthHash").notNull(),
+        extendedCompatibility: integer("extendedCompatibility", {
+            mode: "boolean"
+        })
+            .notNull()
+            .default(true),
+        resourcePolicyId: integer("resourcePolicyId")
+            .notNull()
+            .references(() => resourcePolicies.resourcePolicyId, {
+                onDelete: "cascade"
+            })
+    }
+);
+
 export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
    "resourceHeaderAuthExtendedCompatibility",
    {
@@ -937,6 +1104,7 @@ export const resourceAccessToken = sqliteTable("resourceAccessToken", {
    resourceId: integer("resourceId")
        .notNull()
        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    path: text("path"),
    tokenHash: text("tokenHash").notNull(),
    sessionLength: integer("sessionLength").notNull(),
    expiresAt: integer("expiresAt"),
@@ -983,6 +1151,24 @@ export const resourceSessions = sqliteTable("resourceSessions", {
            onDelete: "cascade"
        }
    ),
+    policyPasswordId: integer("policyPasswordId").references(
+        () => resourcePolicyPassword.passwordId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyPincodeId: integer("policyPincodeId").references(
+        () => resourcePolicyPincode.pincodeId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyWhitelistId: integer("policyWhitelistId").references(
+        () => resourcePolicyWhiteList.whitelistId,
+        {
+            onDelete: "cascade"
+        }
+    ),
    issuedAt: integer("issuedAt")
 });

@@ -1023,6 +1209,79 @@ export const resourceRules = sqliteTable("resourceRules", {
    value: text("value").notNull()
 });

+export const rolePolicies = sqliteTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = sqliteTable("userPolicies", {
+    userId: text("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = sqliteTable("resourcePolicyWhitelist", {
+    whitelistId: integer("id").primaryKey({ autoIncrement: true }),
+    email: text("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
+    ruleId: integer("ruleId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: text("match")
+        .$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
+        .notNull(),
+    value: text("value").notNull()
+});
+
+export const resourcePolicies = sqliteTable("resourcePolicies", {
+    resourcePolicyId: integer("resourcePolicyId").primaryKey(),
+    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
+    applyRules: integer("applyRules", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    scope: text("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    niceId: text("niceId").notNull(),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    name: text("name").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = sqliteTable("supporterKey", {
    keyId: integer("keyId").primaryKey({ autoIncrement: true }),
    key: text("key").notNull(),
@@ -1196,19 +1455,30 @@ export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
    complete: integer("complete", { mode: "boolean" }).notNull().default(false)
 });

-export const statusHistory = sqliteTable("statusHistory", {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    entityType: text("entityType").notNull(), // "site" | "healthCheck"
-    entityId: integer("entityId").notNull(),  // siteId or targetHealthCheckId
-    orgId: text("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
-    timestamp: integer("timestamp").notNull(), // unix epoch seconds
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = sqliteTable(
+    "statusHistory",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        entityType: text("entityType").notNull(), // "site" | "healthCheck"
+        entityId: integer("entityId").notNull(), // siteId or targetHealthCheckId
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
+        timestamp: integer("timestamp").notNull() // unix epoch seconds
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);

 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1278,3 +1548,16 @@ export type RoundTripMessageTracker = InferSelectModel<
    typeof roundTripMessageTracker
 >;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type ResourcePolicyPincode = InferSelectModel<
+    typeof resourcePolicyPincode
+>;
+export type ResourcePolicyPassword = InferSelectModel<
+    typeof resourcePolicyPassword
+>;
+export type ResourcePolicyHeaderAuth = InferSelectModel<
+    typeof resourcePolicyHeaderAuth
+>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;
--- a/server/index.ts
+++ b/server/index.ts
@@ -1,5 +1,5 @@
 #! /usr/bin/env node
-import "./extendZod.ts";
+import "./extendZod";

 import { runSetupFunctions } from "./setup";
 import { createApiServer } from "./apiServer";
--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -152,11 +152,19 @@ function getOpenApiDocumentation() {

            if (!hasExistingResponses) {
                def.route.responses = {
-                    "*": {
-                        description: "",
+                    "200": {
+                        description: "Successful response",
                        content: {
                            "application/json": {
-                                schema: z.object({})
+                                schema: z.object({
+                                    data: z
+                                        .record(z.string(), z.any())
+                                        .nullable(),
+                                    success: z.boolean(),
+                                    error: z.boolean(),
+                                    message: z.string(),
+                                    status: z.number()
+                                })
                            }
                        }
                    }
--- a/server/lib/alerts/events/healthCheckEvents.ts
+++ b/server/lib/alerts/events/healthCheckEvents.ts
@@ -221,10 +221,18 @@ async function handleResource(
        )
        .where(eq(targets.resourceId, resource.resourceId));

+    const monitoredTargets = otherTargets.filter(
+        (t) => t.hcHealth !== "unknown"
+    );
+
    let health = "healthy";
-    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
-    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
-    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
+    const allUnknown = monitoredTargets.length === 0;
+    const allHealthy = monitoredTargets.every(
+        (t) => t.hcHealth === "healthy"
+    );
+    const allUnhealthy = monitoredTargets.every(
+        (t) => t.hcHealth === "unhealthy"
+    );

    if (allUnknown) {
        logger.debug(
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -16,18 +16,22 @@ export enum TierFeature {
    SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
    PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
    AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam",
    FullRbac = "fullRbac",
    SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
    SIEM = "siem", // handle downgrade by disabling SIEM integrations
-    HTTPPrivateResources = "httpPrivateResources", // handle downgrade by disabling HTTP private resources
    DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
    StandaloneHealthChecks = "standaloneHealthChecks",
    AlertingRules = "alertingRules",
-    WildcardSubdomain = "wildcardSubdomain"
+    WildcardSubdomain = "wildcardSubdomain",
+    Labels = "labels",
+    NewtAutoUpdate = "newtAutoUpdate",
+    ResourcePolicies = "resourcePolicies",
+    AdvancedPublicResources = "advancedPublicResources",
+    AdvancedPrivateResources = "advancedPrivateResources"
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
+    [TierFeature.Labels]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
@@ -58,13 +62,15 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
        "enterprise"
    ],
    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
    [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
    [TierFeature.SIEM]: ["enterprise"],
-    [TierFeature.HTTPPrivateResources]: ["tier3", "enterprise"],
    [TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
    [TierFeature.AlertingRules]: ["tier3", "enterprise"],
-    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"]
+    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
+    [TierFeature.AdvancedPublicResources]: ["tier3", "enterprise"],
+    [TierFeature.AdvancedPrivateResources]: ["tier3", "enterprise"]
 };
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -10,20 +10,26 @@ import {
    clientSiteResources
 } from "@server/db";
 import { Config, ConfigSchema } from "./types";
-import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
+import {
+    PublicResourcesResults,
+    updatePublicResources
+} from "./publicResources";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { sites } from "@server/db";
 import { eq, and, isNotNull } from "drizzle-orm";
-import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
-import { addTargets as addClientTargets } from "@server/routers/client/targets";
+import {
+    addTargets as addProxyTargets,
+    sendBrowserGatewayTargets
+} from "@server/routers/newt/targets";
 import {
    ClientResourcesResults,
-    updateClientResources
-} from "./clientResources";
+    updatePrivateResources
+} from "./privateResources";
+import { updateResourcePolicies } from "./resourcePolicies";
 import { BlueprintSource } from "@server/routers/blueprints/types";
 import { stringify as stringifyYaml } from "yaml";
-import { faker } from "@faker-js/faker";
+import { generateName } from "@server/db/names";
 import { handleMessagingForUpdatedSiteResource } from "@server/routers/siteResource";
 import { rebuildClientAssociationsFromSiteResource } from "../rebuildClientAssociations";

@@ -54,16 +60,18 @@ export async function applyBlueprint({
    let error: any | null = null;

    try {
-        let proxyResourcesResults: ProxyResourcesResults = [];
+        let proxyResourcesResults: PublicResourcesResults = [];
        let clientResourcesResults: ClientResourcesResults = [];
        await db.transaction(async (trx) => {
-            proxyResourcesResults = await updateProxyResources(
+            await updateResourcePolicies(orgId, config, trx);
+
+            proxyResourcesResults = await updatePublicResources(
                orgId,
                config,
                trx,
                siteId
            );
-            clientResourcesResults = await updateClientResources(
+            clientResourcesResults = await updatePrivateResources(
                orgId,
                config,
                trx,
@@ -102,13 +110,27 @@ export async function applyBlueprint({
                                (hc) => hc.targetId === target.targetId
                            );

-                        await addProxyTargets(
-                            site.newt.newtId,
-                            [target],
-                            matchingHealthcheck ? [matchingHealthcheck] : [],
-                            result.proxyResource.protocol,
-                            site.newt.version
-                        );
+                        if (["http", "tcp", "udp"].includes(target.mode)) {
+                            await addProxyTargets(
+                                site.newt.newtId,
+                                [target],
+                                matchingHealthcheck
+                                    ? [matchingHealthcheck]
+                                    : [],
+                                result.proxyResource.mode === "udp"
+                                    ? "udp"
+                                    : "tcp",
+                                site.newt.version
+                            );
+                        } else if (
+                            ["ssh", "rdp", "vnc"].includes(target.mode)
+                        ) {
+                            await sendBrowserGatewayTargets(
+                                site.newt.newtId,
+                                [target],
+                                site.newt.version
+                            );
+                        }
                    }
                }
            }
@@ -291,9 +313,7 @@ export async function applyBlueprint({
            .insert(blueprints)
            .values({
                orgId,
-                name:
-                    name ??
-                    `${faker.word.adjective()}-${faker.word.adjective()}-${faker.word.noun()}`,
+                name: name ?? generateName(),
                contents: stringifyYaml(configData),
                createdAt: Math.floor(Date.now() / 1000),
                succeeded: blueprintSucceeded,
--- a/server/lib/blueprints/applyNewtDockerBlueprint.ts
+++ b/server/lib/blueprints/applyNewtDockerBlueprint.ts
@@ -1,10 +1,56 @@
 import { sendToClient } from "#dynamic/routers/ws";
 import { processContainerLabels } from "./parseDockerContainers";
 import { applyBlueprint } from "./applyBlueprint";
+import { PrivateResourceSchema, PublicResourceSchema } from "./types";
 import { db, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";

+type BlueprintResult = ReturnType<typeof processContainerLabels>;
+
+function filterInvalidResources(blueprint: BlueprintResult): {
+    skippedCount: number;
+    skippedKeys: string[];
+} {
+    const skippedKeys: string[] = [];
+
+    for (const section of ["proxy-resources", "public-resources"] as const) {
+        const resources = blueprint[section];
+        for (const [key, value] of Object.entries(resources)) {
+            const result = PublicResourceSchema.safeParse(value);
+            if (!result.success) {
+                const errors = result.error.issues
+                    .map((i) => `${i.path.join(".")}: ${i.message}`)
+                    .join("; ");
+                logger.warn(
+                    `Skipping invalid Docker ${section} "${key}": ${errors}`
+                );
+                delete resources[key];
+                skippedKeys.push(`${section}.${key}`);
+            }
+        }
+    }
+
+    for (const section of ["client-resources", "private-resources"] as const) {
+        const resources = blueprint[section];
+        for (const [key, value] of Object.entries(resources)) {
+            const result = PrivateResourceSchema.safeParse(value);
+            if (!result.success) {
+                const errors = result.error.issues
+                    .map((i) => `${i.path.join(".")}: ${i.message}`)
+                    .join("; ");
+                logger.warn(
+                    `Skipping invalid Docker ${section} "${key}": ${errors}`
+                );
+                delete resources[key];
+                skippedKeys.push(`${section}.${key}`);
+            }
+        }
+    }
+
+    return { skippedCount: skippedKeys.length, skippedKeys };
+}
+
 export async function applyNewtDockerBlueprint(
    siteId: number,
    newtId: string,
@@ -21,17 +67,27 @@ export async function applyNewtDockerBlueprint(
        return;
    }

-    // logger.debug(`Applying Docker blueprint to site: ${siteId}`);
-    // logger.debug(`Containers: ${JSON.stringify(containers, null, 2)}`);
+    let skippedCount = 0;
+    let skippedKeys: string[] = [];

    try {
-        const blueprint = processContainerLabels(containers);
+        // Some Newt clients can report null/undefined containers when Docker
+        // labels are unavailable. Treat that as an empty blueprint payload.
+        const safeContainers = Array.isArray(containers) ? containers : [];
+        const blueprint = processContainerLabels(safeContainers);

-        logger.debug(`Received Docker blueprint: ${JSON.stringify(blueprint)}`);
+        logger.debug(
+            `Received Docker blueprint with ${Object.keys(blueprint["proxy-resources"]).length} proxy, ${Object.keys(blueprint["client-resources"]).length} client resource(s)`
+        );

-        // make sure this is not an empty object
-        if (isEmptyObject(blueprint)) {
-            return;
+        const filterResult = filterInvalidResources(blueprint);
+        skippedCount = filterResult.skippedCount;
+        skippedKeys = filterResult.skippedKeys;
+
+        if (skippedCount > 0) {
+            logger.warn(
+                `Filtered ${skippedCount} invalid resource(s) from Docker blueprint: ${skippedKeys.join(", ")}`
+            );
        }

        if (
@@ -40,6 +96,15 @@ export async function applyNewtDockerBlueprint(
            isEmptyObject(blueprint["public-resources"]) &&
            isEmptyObject(blueprint["private-resources"])
        ) {
+            if (skippedCount > 0) {
+                await sendToClient(newtId, {
+                    type: "newt/blueprint/results",
+                    data: {
+                        success: false,
+                        message: `All resources were invalid and skipped: ${skippedKeys.join(", ")}`
+                    }
+                });
+            }
            return;
        }

@@ -66,7 +131,10 @@ export async function applyNewtDockerBlueprint(
        type: "newt/blueprint/results",
        data: {
            success: true,
-            message: "Config updated successfully"
+            message:
+                skippedCount > 0
+                    ? `Config updated successfully. Skipped ${skippedCount} invalid resource(s): ${skippedKeys.join(", ")}`
+                    : "Config updated successfully"
        }
    });
 }
--- a/server/lib/blueprints/privateResources.ts
+++ b/server/lib/blueprints/privateResources.ts
@@ -3,6 +3,7 @@ import {
    clientSiteResources,
    domains,
    orgDomains,
+    roleActions,
    roles,
    roleSiteResources,
    Site,
@@ -19,8 +20,11 @@ import { sites } from "@server/db";
 import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
+import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 import { getNextAvailableAliasAddress } from "../ip";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { tierMatrix } from "../billing/tierMatrix";

 async function getDomainForSiteResource(
    siteResourceId: number | undefined,
@@ -101,7 +105,7 @@ export type ClientResourcesResults = {
    oldSites: { siteId: number }[];
 }[];

-export async function updateClientResources(
+export async function updatePrivateResources(
    orgId: string,
    config: Config,
    trx: Transaction,
@@ -112,6 +116,30 @@ export async function updateClientResources(
    for (const [resourceNiceId, resourceData] of Object.entries(
        config["client-resources"]
    )) {
+        if (resourceData.mode === "http") {
+            const hasHttpFeature = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.advancedPrivateResources
+            );
+            if (!hasHttpFeature) {
+                throw new Error(
+                    "HTTP private resources are not included in your current plan. Please upgrade."
+                );
+            }
+        }
+
+        if (resourceData.mode === "ssh") {
+            const hasSshFeature = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.advancedPrivateResources
+            );
+            if (!hasSshFeature) {
+                throw new Error(
+                    "SSH private resources are not included in your current plan. Please upgrade."
+                );
+            }
+        }
+
        const [existingResource] = await trx
            .select()
            .from(siteResources)
@@ -225,7 +253,11 @@ export async function updateClientResources(
                            : resourceData["udp-ports"],
                    fullDomain: resourceData["full-domain"] || null,
                    subdomain: domainInfo ? domainInfo.subdomain : null,
-                    domainId: domainInfo ? domainInfo.domainId : null
+                    domainId: domainInfo ? domainInfo.domainId : null,
+                    pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+                    authDaemonMode:
+                        resourceData["auth-daemon"]?.mode || "native",
+                    authDaemonPort: resourceData["auth-daemon"]?.port || 22123
                })
                .where(
                    eq(
@@ -332,8 +364,7 @@ export async function updateClientResources(
            }

            if (resourceData.roles.length > 0) {
-                // Re-add specified roles but we need to get the roleIds from the role name in the array
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                    .select()
                    .from(roles)
                    .where(
@@ -343,7 +374,30 @@ export async function updateClientResources(
                        )
                    );

-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(
+                        `Auto-created role "${name}" in org ${orgId} from blueprint`
+                    );
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);

                await trx
                    .insert(roleSiteResources)
@@ -360,8 +414,18 @@ export async function updateClientResources(
            });
        } else {
            let aliasAddress: string | null = null;
-            if (resourceData.mode === "host" || resourceData.mode === "http") {
-                aliasAddress = await getNextAvailableAliasAddress(orgId, trx);
+            let releaseAliasLock: (() => Promise<void>) | null = null;
+            if (
+                resourceData.mode === "host" ||
+                resourceData.mode === "http" ||
+                resourceData.mode === "ssh"
+            ) {
+                const { value, release } = await getNextAvailableAliasAddress(
+                    orgId,
+                    trx
+                );
+                aliasAddress = value;
+                releaseAliasLock = release;
            }

            let domainInfo:
@@ -415,10 +479,16 @@ export async function updateClientResources(
                            : resourceData["udp-ports"],
                    fullDomain: resourceData["full-domain"] || null,
                    subdomain: domainInfo ? domainInfo.subdomain : null,
-                    domainId: domainInfo ? domainInfo.domainId : null
+                    domainId: domainInfo ? domainInfo.domainId : null,
+                    pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+                    authDaemonMode:
+                        resourceData["auth-daemon"]?.mode || "native",
+                    authDaemonPort: resourceData["auth-daemon"]?.port || 22123
                })
                .returning();

+            await releaseAliasLock?.();
+
            const siteResourceId = newResource.siteResourceId;

            for (const site of allSites) {
@@ -444,8 +514,7 @@ export async function updateClientResources(
            });

            if (resourceData.roles.length > 0) {
-                // get roleIds from role names
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                    .select()
                    .from(roles)
                    .where(
@@ -455,7 +524,30 @@ export async function updateClientResources(
                        )
                    );

-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(
+                        `Auto-created role "${name}" in org ${orgId} from blueprint`
+                    );
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);

                await trx
                    .insert(roleSiteResources)
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
--- a/server/lib/blueprints/publicResources.ts
+++ b/server/lib/blueprints/publicResources.ts
--- a/server/lib/blueprints/resourcePolicies.ts
+++ b/server/lib/blueprints/resourcePolicies.ts
@@ -0,0 +1,653 @@
+import {
+    db,
+    idp,
+    idpOrg,
+    resourcePolicies,
+    resourcePolicyHeaderAuth,
+    resourcePolicyPassword,
+    resourcePolicyPincode,
+    resourcePolicyRules,
+    resourcePolicyWhiteList,
+    rolePolicies,
+    roles,
+    Transaction,
+    userOrgs,
+    userPolicies,
+    users
+} from "@server/db";
+import { eq, and, or } from "drizzle-orm";
+import { Config, ResourcePolicyData } from "./types";
+import logger from "@server/logger";
+import { getUniqueResourcePolicyName } from "@server/db/names";
+import { hashPassword } from "@server/auth/password";
+import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { tierMatrix } from "../billing/tierMatrix";
+
+export type ResourcePoliciesResults = {
+    resourcePolicyId: number;
+    niceId: string;
+}[];
+
+export async function updateResourcePolicies(
+    orgId: string,
+    config: Config,
+    trx: Transaction
+): Promise<ResourcePoliciesResults> {
+    const results: ResourcePoliciesResults = [];
+
+    for (const [policyNiceId, policyData] of Object.entries(
+        config["public-policies"]
+    )) {
+        const isLicensed = await isLicensedOrSubscribed(
+            orgId,
+            tierMatrix.resourcePolicies
+        );
+        if (!isLicensed) {
+            throw new Error(
+                "Your current subscription does not support shared resource policies. Please upgrade to access this feature."
+            );
+        }
+
+        // Validate rules
+        for (const rule of policyData.rules) {
+            if (rule.match === "cidr" && !isValidCIDR(rule.value)) {
+                throw new Error(
+                    `Invalid CIDR provided in resource policy '${policyNiceId}': ${rule.value}`
+                );
+            } else if (rule.match === "ip" && !isValidIP(rule.value)) {
+                throw new Error(
+                    `Invalid IP provided in resource policy '${policyNiceId}': ${rule.value}`
+                );
+            } else if (
+                rule.match === "path" &&
+                !isValidUrlGlobPattern(rule.value)
+            ) {
+                throw new Error(
+                    `Invalid URL glob pattern provided in resource policy '${policyNiceId}': ${rule.value}`
+                );
+            }
+        }
+
+        // Validate auto-login-idp if provided
+        if (policyData["auto-login-idp"]) {
+            const [provider] = await trx
+                .select()
+                .from(idp)
+                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
+                .where(
+                    and(
+                        eq(idp.idpId, policyData["auto-login-idp"]),
+                        eq(idpOrg.orgId, orgId)
+                    )
+                )
+                .limit(1);
+
+            if (!provider) {
+                throw new Error(
+                    `Identity provider not found for policy '${policyNiceId}' in this organization`
+                );
+            }
+        }
+
+        // Look up the admin role
+        const [adminRole] = await trx
+            .select()
+            .from(roles)
+            .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (!adminRole) {
+            throw new Error("Admin role not found");
+        }
+
+        // Find existing policy by niceId and orgId
+        const [existingPolicy] = await trx
+            .select()
+            .from(resourcePolicies)
+            .where(
+                and(
+                    eq(resourcePolicies.niceId, policyNiceId),
+                    eq(resourcePolicies.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        let resourcePolicyId: number;
+
+        if (existingPolicy) {
+            // Update the existing policy
+            await trx
+                .update(resourcePolicies)
+                .set({
+                    name: policyData.name,
+                    sso: policyData.sso ?? true,
+                    idpId: policyData["auto-login-idp"] ?? null,
+                    emailWhitelistEnabled:
+                        policyData["email-whitelist-enabled"] ??
+                        policyData["whitelist-users"].length > 0,
+                    applyRules:
+                        policyData["apply-rules"] || policyData.rules.length > 0
+                })
+                .where(
+                    eq(
+                        resourcePolicies.resourcePolicyId,
+                        existingPolicy.resourcePolicyId
+                    )
+                );
+
+            resourcePolicyId = existingPolicy.resourcePolicyId;
+
+            // Sync password
+            await trx
+                .delete(resourcePolicyPassword)
+                .where(
+                    eq(
+                        resourcePolicyPassword.resourcePolicyId,
+                        resourcePolicyId
+                    )
+                );
+            if (policyData.password) {
+                const passwordHash = await hashPassword(policyData.password);
+                await trx.insert(resourcePolicyPassword).values({
+                    resourcePolicyId,
+                    passwordHash
+                });
+            }
+
+            // Sync pincode
+            await trx
+                .delete(resourcePolicyPincode)
+                .where(
+                    eq(resourcePolicyPincode.resourcePolicyId, resourcePolicyId)
+                );
+            if (policyData.pincode) {
+                const pincodeHash = await hashPassword(policyData.pincode);
+                await trx.insert(resourcePolicyPincode).values({
+                    resourcePolicyId,
+                    pincodeHash,
+                    digitLength: 6
+                });
+            }
+
+            // Sync header auth
+            await trx
+                .delete(resourcePolicyHeaderAuth)
+                .where(
+                    eq(
+                        resourcePolicyHeaderAuth.resourcePolicyId,
+                        resourcePolicyId
+                    )
+                );
+            if (policyData["basic-auth"]) {
+                const basicAuth = policyData["basic-auth"];
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(
+                        `${basicAuth.user}:${basicAuth.password}`
+                    ).toString("base64")
+                );
+                await trx.insert(resourcePolicyHeaderAuth).values({
+                    resourcePolicyId,
+                    headerAuthHash,
+                    extendedCompatibility:
+                        basicAuth["extended-compatibility"] ?? true
+                });
+            }
+
+            // Sync SSO roles
+            await syncRolePolicies(
+                resourcePolicyId,
+                policyData["sso-roles"],
+                orgId,
+                adminRole.roleId,
+                trx
+            );
+
+            // Sync SSO users
+            await syncUserPolicies(
+                resourcePolicyId,
+                policyData["sso-users"],
+                orgId,
+                trx
+            );
+
+            // Sync whitelist users
+            await syncWhitelistPolicyUsers(
+                resourcePolicyId,
+                policyData["whitelist-users"],
+                trx
+            );
+
+            // Sync rules
+            await syncPolicyRules(resourcePolicyId, policyData.rules, trx);
+
+            logger.debug(
+                `Updated resource policy ${resourcePolicyId} (${policyNiceId})`
+            );
+        } else {
+            // Create a new policy
+            const [newPolicy] = await trx
+                .insert(resourcePolicies)
+                .values({
+                    niceId: policyNiceId,
+                    orgId,
+                    name: policyData.name,
+                    sso: policyData.sso ?? true,
+                    idpId: policyData["auto-login-idp"] ?? null,
+                    emailWhitelistEnabled:
+                        policyData["email-whitelist-enabled"] ??
+                        policyData["whitelist-users"].length > 0,
+                    applyRules:
+                        policyData["apply-rules"] ||
+                        policyData.rules.length > 0,
+                    scope: "global"
+                })
+                .returning();
+
+            resourcePolicyId = newPolicy.resourcePolicyId;
+
+            // Always add admin role
+            await trx.insert(rolePolicies).values({
+                roleId: adminRole.roleId,
+                resourcePolicyId
+            });
+
+            // Add SSO roles
+            await addRolePolicies(
+                resourcePolicyId,
+                policyData["sso-roles"],
+                orgId,
+                adminRole.roleId,
+                trx
+            );
+
+            // Add SSO users
+            await addUserPolicies(
+                resourcePolicyId,
+                policyData["sso-users"],
+                orgId,
+                trx
+            );
+
+            // Add password
+            if (policyData.password) {
+                const passwordHash = await hashPassword(policyData.password);
+                await trx.insert(resourcePolicyPassword).values({
+                    resourcePolicyId,
+                    passwordHash
+                });
+            }
+
+            // Add pincode
+            if (policyData.pincode) {
+                const pincodeHash = await hashPassword(policyData.pincode);
+                await trx.insert(resourcePolicyPincode).values({
+                    resourcePolicyId,
+                    pincodeHash,
+                    digitLength: 6
+                });
+            }
+
+            // Add header auth
+            if (policyData["basic-auth"]) {
+                const basicAuth = policyData["basic-auth"];
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(
+                        `${basicAuth.user}:${basicAuth.password}`
+                    ).toString("base64")
+                );
+                await trx.insert(resourcePolicyHeaderAuth).values({
+                    resourcePolicyId,
+                    headerAuthHash,
+                    extendedCompatibility:
+                        basicAuth["extended-compatibility"] ?? true
+                });
+            }
+
+            // Add whitelist users
+            if (policyData["whitelist-users"].length > 0) {
+                await trx.insert(resourcePolicyWhiteList).values(
+                    policyData["whitelist-users"].map((email) => ({
+                        email,
+                        resourcePolicyId
+                    }))
+                );
+            }
+
+            // Add rules
+            if (policyData.rules.length > 0) {
+                await trx.insert(resourcePolicyRules).values(
+                    policyData.rules.map((rule, index) => ({
+                        resourcePolicyId,
+                        action: getRuleAction(rule.action),
+                        match: getRuleMatch(rule.match),
+                        value: rule.value,
+                        priority: rule.priority ?? index + 1,
+                        enabled: rule.enabled ?? true
+                    }))
+                );
+            }
+
+            logger.debug(
+                `Created resource policy ${resourcePolicyId} (${policyNiceId})`
+            );
+        }
+
+        results.push({ resourcePolicyId, niceId: policyNiceId });
+    }
+
+    return results;
+}
+
+function getRuleAction(input: string): "ACCEPT" | "DROP" | "PASS" {
+    if (input === "allow") return "ACCEPT";
+    if (input === "deny") return "DROP";
+    return "PASS";
+}
+
+function getRuleMatch(
+    input: string
+): "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION" {
+    return input.toUpperCase() as
+        | "CIDR"
+        | "IP"
+        | "PATH"
+        | "COUNTRY"
+        | "ASN"
+        | "REGION";
+}
+
+async function syncRolePolicies(
+    policyId: number,
+    ssoRoles: string[],
+    orgId: string,
+    adminRoleId: number,
+    trx: Transaction
+) {
+    const existingRolePolicies = await trx
+        .select()
+        .from(rolePolicies)
+        .where(eq(rolePolicies.resourcePolicyId, policyId));
+
+    for (const roleName of ssoRoles) {
+        const [role] = await trx
+            .select()
+            .from(roles)
+            .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (!role) {
+            logger.warn(
+                `Role '${roleName}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        if (role.isAdmin) {
+            continue; // admin role is always included, skip
+        }
+
+        const alreadyExists = existingRolePolicies.some(
+            (rp) => rp.roleId === role.roleId
+        );
+
+        if (!alreadyExists) {
+            await trx.insert(rolePolicies).values({
+                roleId: role.roleId,
+                resourcePolicyId: policyId
+            });
+        }
+    }
+
+    // Remove roles no longer in the list (except admin)
+    for (const existingRolePolicy of existingRolePolicies) {
+        if (existingRolePolicy.roleId === adminRoleId) {
+            continue;
+        }
+
+        const [role] = await trx
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, existingRolePolicy.roleId))
+            .limit(1);
+
+        if (role?.isAdmin) {
+            continue;
+        }
+
+        if (role && !ssoRoles.includes(role.name)) {
+            await trx
+                .delete(rolePolicies)
+                .where(
+                    and(
+                        eq(rolePolicies.resourcePolicyId, policyId),
+                        eq(rolePolicies.roleId, existingRolePolicy.roleId)
+                    )
+                );
+        }
+    }
+}
+
+async function addRolePolicies(
+    policyId: number,
+    ssoRoles: string[],
+    orgId: string,
+    adminRoleId: number,
+    trx: Transaction
+) {
+    for (const roleName of ssoRoles) {
+        const [role] = await trx
+            .select()
+            .from(roles)
+            .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (!role) {
+            logger.warn(
+                `Role '${roleName}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        if (role.isAdmin) {
+            continue; // admin already added
+        }
+
+        await trx.insert(rolePolicies).values({
+            roleId: role.roleId,
+            resourcePolicyId: policyId
+        });
+    }
+}
+
+async function syncUserPolicies(
+    policyId: number,
+    ssoUsers: string[],
+    orgId: string,
+    trx: Transaction
+) {
+    const existingUserPolicies = await trx
+        .select()
+        .from(userPolicies)
+        .where(eq(userPolicies.resourcePolicyId, policyId));
+
+    for (const username of ssoUsers) {
+        const [user] = await trx
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+            .where(
+                and(
+                    or(eq(users.username, username), eq(users.email, username)),
+                    eq(userOrgs.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!user) {
+            logger.warn(
+                `User '${username}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        const alreadyExists = existingUserPolicies.some(
+            (up) => up.userId === user.user.userId
+        );
+
+        if (!alreadyExists) {
+            await trx.insert(userPolicies).values({
+                userId: user.user.userId,
+                resourcePolicyId: policyId
+            });
+        }
+    }
+
+    // Remove users no longer in the list
+    for (const existingUserPolicy of existingUserPolicies) {
+        const [user] = await trx
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+            .where(
+                and(
+                    eq(users.userId, existingUserPolicy.userId),
+                    eq(userOrgs.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (
+            user &&
+            user.user.username &&
+            !ssoUsers.includes(user.user.username) &&
+            !ssoUsers.includes(user.user.email ?? "")
+        ) {
+            await trx
+                .delete(userPolicies)
+                .where(
+                    and(
+                        eq(userPolicies.resourcePolicyId, policyId),
+                        eq(userPolicies.userId, existingUserPolicy.userId)
+                    )
+                );
+        }
+    }
+}
+
+async function addUserPolicies(
+    policyId: number,
+    ssoUsers: string[],
+    orgId: string,
+    trx: Transaction
+) {
+    for (const username of ssoUsers) {
+        const [user] = await trx
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+            .where(
+                and(
+                    or(eq(users.username, username), eq(users.email, username)),
+                    eq(userOrgs.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!user) {
+            logger.warn(
+                `User '${username}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        await trx.insert(userPolicies).values({
+            userId: user.user.userId,
+            resourcePolicyId: policyId
+        });
+    }
+}
+
+async function syncWhitelistPolicyUsers(
+    policyId: number,
+    whitelistUsers: string[],
+    trx: Transaction
+) {
+    const existingWhitelist = await trx
+        .select()
+        .from(resourcePolicyWhiteList)
+        .where(eq(resourcePolicyWhiteList.resourcePolicyId, policyId));
+
+    for (const email of whitelistUsers) {
+        const alreadyExists = existingWhitelist.some((w) => w.email === email);
+
+        if (!alreadyExists) {
+            await trx.insert(resourcePolicyWhiteList).values({
+                email,
+                resourcePolicyId: policyId
+            });
+        }
+    }
+
+    for (const existingEntry of existingWhitelist) {
+        if (!whitelistUsers.includes(existingEntry.email)) {
+            await trx
+                .delete(resourcePolicyWhiteList)
+                .where(
+                    and(
+                        eq(resourcePolicyWhiteList.resourcePolicyId, policyId),
+                        eq(resourcePolicyWhiteList.email, existingEntry.email)
+                    )
+                );
+        }
+    }
+}
+
+async function syncPolicyRules(
+    policyId: number,
+    rules: ResourcePolicyData["rules"],
+    trx: Transaction
+) {
+    const existingRules = await trx
+        .select()
+        .from(resourcePolicyRules)
+        .where(eq(resourcePolicyRules.resourcePolicyId, policyId))
+        .orderBy(resourcePolicyRules.priority);
+
+    for (const [index, rule] of rules.entries()) {
+        const intendedPriority = rule.priority ?? index + 1;
+        const existingRule = existingRules[index];
+
+        if (existingRule) {
+            await trx
+                .update(resourcePolicyRules)
+                .set({
+                    action: getRuleAction(rule.action),
+                    match: getRuleMatch(rule.match),
+                    value: rule.value,
+                    priority: intendedPriority,
+                    enabled: rule.enabled ?? true
+                })
+                .where(eq(resourcePolicyRules.ruleId, existingRule.ruleId));
+        } else {
+            await trx.insert(resourcePolicyRules).values({
+                resourcePolicyId: policyId,
+                action: getRuleAction(rule.action),
+                match: getRuleMatch(rule.match),
+                value: rule.value,
+                priority: intendedPriority,
+                enabled: rule.enabled ?? true
+            });
+        }
+    }
+
+    // Remove extra rules
+    if (existingRules.length > rules.length) {
+        const rulesToDelete = existingRules.slice(rules.length);
+        for (const rule of rulesToDelete) {
+            await trx
+                .delete(resourcePolicyRules)
+                .where(eq(resourcePolicyRules.ruleId, rule.ruleId));
+        }
+    }
+}
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -1,8 +1,23 @@
 import { z } from "zod";
+import { existsSync } from "node:fs";
 import { portRangeStringSchema } from "@server/lib/ip";
 import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
 import { isValidRegionId } from "@server/db/regions";
 import { wildcardSubdomainSchema } from "@server/lib/schemas";
+import config from "@server/lib/config";
+
+const maxmindDbPath = config.getRawConfig().server.maxmind_db_path;
+const maxmindAsnPath = config.getRawConfig().server.maxmind_asn_path;
+
+const hasMaxmindCountryDb =
+    typeof maxmindDbPath === "string" &&
+    maxmindDbPath.length > 0 &&
+    existsSync(maxmindDbPath);
+
+const hasMaxmindAsnDb =
+    typeof maxmindAsnPath === "string" &&
+    maxmindAsnPath.length > 0 &&
+    existsSync(maxmindAsnPath);

 export const SiteSchema = z.object({
    name: z.string().min(1).max(100),
@@ -82,8 +97,9 @@ export const RuleSchema = z
    .object({
        action: z.enum(["allow", "deny", "pass"]),
        match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
-        value: z.string(),
-        priority: z.int().optional()
+        value: z.coerce.string(),
+        priority: z.int().optional(),
+        enabled: z.boolean().optional().default(true)
    })
    .refine(
        (rule) => {
@@ -116,6 +132,9 @@ export const RuleSchema = z
    .refine(
        (rule) => {
            if (rule.match === "country") {
+                if (!hasMaxmindCountryDb) {
+                    return false;
+                }
                // Check if it's a valid 2-letter country code or "ALL"
                return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
            }
@@ -124,12 +143,15 @@ export const RuleSchema = z
        {
            path: ["value"],
            message:
-                "Value must be a 2-letter country code or 'ALL' when match is 'country'"
+                "Country rules require a valid existing server.maxmind_db_path and value must be a 2-letter country code or 'ALL'"
        }
    )
    .refine(
        (rule) => {
            if (rule.match === "asn") {
+                if (!hasMaxmindCountryDb || !hasMaxmindAsnDb) {
+                    return false;
+                }
                // Check if it's either AS<number> format or "ALL"
                const asNumberPattern = /^AS\d+$/i;
                return asNumberPattern.test(rule.value) || rule.value === "ALL";
@@ -139,7 +161,7 @@ export const RuleSchema = z
        {
            path: ["value"],
            message:
-                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
+                "ASN rules require valid existing server.maxmind_db_path and server.maxmind_asn_path, and value must be 'AS<number>' format or 'ALL'"
        }
    )
    .refine(
@@ -161,11 +183,34 @@ export const HeaderSchema = z.object({
    value: z.string().min(1)
 });

+export const AuthDaemonSchema = z
+    .object({
+        pam: z.enum(["passthrough", "push"]).optional().default("passthrough"),
+        mode: z.enum(["site", "remote", "native"]).optional().default("site"),
+        port: z.int().min(1).max(65535).optional()
+    })
+    .refine(
+        (data) => {
+            if (data.mode === "remote") {
+                return data.port !== undefined;
+            }
+            return true;
+        },
+        {
+            path: ["port"],
+            message: "port is required when auth-daemon mode is 'remote'"
+        }
+    );
+
 // Schema for individual resource
-export const ResourceSchema = z
+export const PublicResourceSchema = z
    .object({
        name: z.string().optional(),
-        protocol: z.enum(["http", "tcp", "udp"]).optional(),
+        protocol: z
+            .enum(["http", "tcp", "udp", "ssh", "rdp", "vnc"])
+            .optional(), // this was the old one and is now DEPRECATED in favor of the mode
+        mode: z.enum(["http", "tcp", "udp", "ssh", "rdp", "vnc"]).optional(),
+        policy: z.string().optional(),
        ssl: z.boolean().optional(),
        scheme: z.enum(["http", "https"]).optional(),
        "full-domain": z.string().optional(),
@@ -177,7 +222,10 @@ export const ResourceSchema = z
        "tls-server-name": z.string().optional(),
        headers: z.array(HeaderSchema).optional(),
        rules: z.array(RuleSchema).optional(),
-        maintenance: MaintenanceSchema.optional()
+        maintenance: MaintenanceSchema.optional(),
+        "auth-daemon": AuthDaemonSchema.optional(),
+        "proxy-protocol": z.boolean().optional(),
+        "proxy-protocol-version": z.int().min(1).optional()
    })
    .refine(
        (resource) => {
@@ -185,9 +233,10 @@ export const ResourceSchema = z
                return true;
            }

-            // Otherwise, require name and protocol for full resource definition
+            // Otherwise, require name and protocol/mode for full resource definition
            return (
-                resource.name !== undefined && resource.protocol !== undefined
+                resource.name !== undefined &&
+                (resource.mode !== undefined || resource.protocol !== undefined)
            );
        },
        {
@@ -201,8 +250,8 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is http, all targets must have method field
-            if (resource.protocol === "http") {
+            // If protocol/mode is http, all targets must have method field
+            if ((resource.mode ?? resource.protocol) === "http") {
                return resource.targets.every(
                    (target) => target == null || target.method !== undefined
                );
@@ -220,8 +269,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, no target should have method field
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, no target should have method field
+            const effectiveProtocol1 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol1 === "tcp" || effectiveProtocol1 === "udp") {
                return resource.targets.every(
                    (target) => target == null || target.method === undefined
                );
@@ -239,8 +289,37 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is http, it must have a full-domain
-            if (resource.protocol === "http") {
+            const effectiveProtocol = resource.mode ?? resource.protocol;
+            if (effectiveProtocol !== "ssh") {
+                return true;
+            }
+
+            const authDaemonMode = resource["auth-daemon"]?.mode;
+            if (authDaemonMode !== "native" && authDaemonMode !== "site") {
+                return true;
+            }
+
+            return (
+                resource.targets.filter((target) => target != null).length <= 1
+            );
+        },
+        {
+            path: ["targets"],
+            error: "When protocol is 'ssh' and auth-daemon mode is 'native' or 'site', only one target/site is allowed"
+        }
+    )
+    .refine(
+        (resource) => {
+            if (isTargetsOnlyResource(resource)) {
+                return true;
+            }
+
+            // If protocol/mode is http, ssh, rdp, or vnc, it must have a full-domain
+            const effectiveProtocol = resource.mode ?? resource.protocol;
+            if (
+                effectiveProtocol !== undefined &&
+                ["http", "ssh", "rdp", "vnc"].includes(effectiveProtocol)
+            ) {
                return (
                    resource["full-domain"] !== undefined &&
                    resource["full-domain"].length > 0
@@ -250,7 +329,7 @@ export const ResourceSchema = z
        },
        {
            path: ["full-domain"],
-            error: "When protocol is 'http', a 'full-domain' must be provided"
+            error: "When protocol is 'http', 'ssh', 'rdp', or 'vnc', a 'full-domain' must be provided"
        }
    )
    .refine(
@@ -259,8 +338,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, it must have both proxy-port
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, it must have both proxy-port
+            const effectiveProtocol2 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol2 === "tcp" || effectiveProtocol2 === "udp") {
                return resource["proxy-port"] !== undefined;
            }
            return true;
@@ -277,8 +357,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, it must not have auth
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, it must not have auth
+            const effectiveProtocol3 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol3 === "tcp" || effectiveProtocol3 === "udp") {
                return resource.auth === undefined;
            }
            return true;
@@ -340,7 +421,8 @@ export const ResourceSchema = z
            if (parts.includes("*", 1)) return false; // no further wildcards
            if (parts.length < 3) return false; // need at least *.label.tld

-            const labelRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
+            const labelRegex =
+                /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
            return parts.slice(1).every((label) => labelRegex.test(label));
        },
        {
@@ -348,22 +430,46 @@ export const ResourceSchema = z
            message:
                'Wildcard full-domain must have "*" as the leftmost label only, followed by at least two valid hostname labels (e.g. "*.example.com" or "*.level1.example.com"). Patterns like "*example.com" or "level2.*.example.com" are not supported.'
        }
-    );
+    )
+    .refine(
+        (resource) => {
+            const effectiveMode = resource.mode ?? resource.protocol;
+            if (effectiveMode !== "tcp") {
+                return (
+                    resource["proxy-protocol"] === undefined &&
+                    resource["proxy-protocol-version"] === undefined
+                );
+            }
+            return true;
+        },
+        {
+            path: ["proxy-protocol"],
+            message:
+                "'proxy-protocol' and 'proxy-protocol-version' can only be set when mode is 'tcp'"
+        }
+    )
+    .transform((resource) => {
+        // Normalize: prefer mode, fall back to protocol for backwards compatibility
+        if (resource.mode === undefined && resource.protocol !== undefined) {
+            resource.mode = resource.protocol;
+        }
+        return resource;
+    });

 export function isTargetsOnlyResource(resource: any): boolean {
    return Object.keys(resource).length === 1 && resource.targets;
 }

-export const ClientResourceSchema = z
+export const PrivateResourceSchema = z
    .object({
        name: z.string().min(1).max(255),
-        mode: z.enum(["host", "cidr", "http"]),
+        mode: z.enum(["host", "cidr", "http", "ssh"]),
        site: z.string().optional(), // DEPRECATED IN FAVOR OF sites
        sites: z.array(z.string()).optional().default([]),
        // protocol: z.enum(["tcp", "udp"]).optional(),
        // proxyPort: z.int().positive().optional(),
        "destination-port": z.int().positive().optional(),
-        destination: z.string().min(1),
+        destination: z.string().min(1).optional(),
        // enabled: z.boolean().default(true),
        "tcp-ports": portRangeStringSchema.optional().default("*"),
        "udp-ports": portRangeStringSchema.optional().default("*"),
@@ -386,11 +492,31 @@ export const ClientResourceSchema = z
                error: "Admin role cannot be included in roles"
            }),
        users: z.array(z.string()).optional().default([]),
-        machines: z.array(z.string()).optional().default([])
+        machines: z.array(z.string()).optional().default([]),
+        "auth-daemon": AuthDaemonSchema.optional()
    })
+    .refine(
+        (data) => {
+            // destination is optional only for ssh+native; required for everything else
+            const isNativeSSH =
+                data.mode === "ssh" &&
+                (data["auth-daemon"] === undefined ||
+                    data["auth-daemon"].mode === "native");
+            if (!isNativeSSH && !data.destination) {
+                return false;
+            }
+            return true;
+        },
+        {
+            path: ["destination"],
+            message:
+                "destination is required unless mode is 'ssh' with auth-daemon mode 'native'"
+        }
+    )
    .refine(
        (data) => {
            if (data.mode === "host") {
+                if (!data.destination) return true; // caught by the destination-required refine
                // Check if it's a valid IP address using zod (v4 or v6)
                const isValidIP = z
                    .union([z.ipv4(), z.ipv6()])
@@ -418,6 +544,7 @@ export const ClientResourceSchema = z
    .refine(
        (data) => {
            if (data.mode === "cidr") {
+                if (!data.destination) return true; // caught by the destination-required refine
                // Check if it's a valid CIDR (v4 or v6)
                const isValidCIDR = z
                    .union([z.cidrv4(), z.cidrv6()])
@@ -429,25 +556,112 @@ export const ClientResourceSchema = z
        {
            message: "Destination must be a valid CIDR notation for cidr mode"
        }
-    );
+    )
+    .refine(
+        (data) => {
+            if (data.mode !== "ssh") {
+                return true;
+            }
+
+            const authDaemonMode = data["auth-daemon"]?.mode;
+            if (authDaemonMode !== "native" && authDaemonMode !== "site") {
+                return true;
+            }
+
+            const uniqueSites = new Set<string>();
+            if (data.site) {
+                uniqueSites.add(data.site);
+            }
+            for (const site of data.sites) {
+                uniqueSites.add(site);
+            }
+
+            return uniqueSites.size <= 1;
+        },
+        {
+            path: ["sites"],
+            message:
+                "When mode is 'ssh' and auth-daemon mode is 'native' or 'site', only one site/target is allowed"
+        }
+    )
+    .transform((data) => {
+        if (
+            data.mode === "ssh" &&
+            data.destination !== undefined &&
+            data["destination-port"] === undefined
+        ) {
+            data["destination-port"] = 22;
+        }
+        return data;
+    });
+
+export const ResourcePolicyRuleSchema = RuleSchema;
+
+export const ResourcePolicySchema = z.object({
+    name: z.string().min(1).max(255),
+    sso: z.boolean().optional().default(true),
+    "auto-login-idp": z.int().positive().optional().nullable(),
+    "sso-roles": z
+        .array(z.string())
+        .optional()
+        .default([])
+        .refine((roles) => !roles.includes("Admin"), {
+            error: "Admin role cannot be included in sso-roles"
+        }),
+    "sso-users": z.array(z.string()).optional().default([]),
+    password: z.string().min(4).max(100).optional().nullable(),
+    pincode: z
+        .string()
+        .regex(/^\d{6}$/)
+        .optional()
+        .nullable(),
+    "basic-auth": z
+        .object({
+            user: z.string().min(4).max(100),
+            password: z.string().min(4).max(100),
+            "extended-compatibility": z.boolean().default(true)
+        })
+        .optional()
+        .nullable(),
+    "email-whitelist-enabled": z.boolean().optional().default(false),
+    "whitelist-users": z
+        .array(
+            z.email().or(
+                z.string().regex(/^\*@[\w.-]+\.[a-zA-Z]{2,}$/, {
+                    error: "Invalid email address. Wildcard (*) must be the entire local part."
+                })
+            )
+        )
+        .max(50)
+        .transform((v) => v.map((e) => e.toLowerCase()))
+        .optional()
+        .default([]),
+    "apply-rules": z.boolean().optional().default(false),
+    rules: z.array(ResourcePolicyRuleSchema).optional().default([])
+});
+export type ResourcePolicyData = z.infer<typeof ResourcePolicySchema>;

 // Schema for the entire configuration object
 export const ConfigSchema = z
    .object({
        "proxy-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
            .optional()
            .prefault({}),
        "public-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
            .optional()
            .prefault({}),
        "client-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
            .optional()
            .prefault({}),
        "private-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
+            .optional()
+            .prefault({}),
+        "public-policies": z
+            .record(z.string(), ResourcePolicySchema)
            .optional()
            .prefault({}),
        sites: z.record(z.string(), SiteSchema).optional().prefault({})
@@ -472,10 +686,17 @@ export const ConfigSchema = z
        }

        return data as {
-            "proxy-resources": Record<string, z.infer<typeof ResourceSchema>>;
+            "proxy-resources": Record<
+                string,
+                z.infer<typeof PublicResourceSchema>
+            >;
            "client-resources": Record<
                string,
-                z.infer<typeof ClientResourceSchema>
+                z.infer<typeof PrivateResourceSchema>
+            >;
+            "public-policies": Record<
+                string,
+                z.infer<typeof ResourcePolicySchema>
            >;
            sites: Record<string, z.infer<typeof SiteSchema>>;
        };
@@ -614,5 +835,6 @@ export const ConfigSchema = z
 // Type inference from the schema
 export type Site = z.infer<typeof SiteSchema>;
 export type Target = z.infer<typeof TargetSchema>;
-export type Resource = z.infer<typeof ResourceSchema>;
+export type Resource = z.infer<typeof PublicResourceSchema>;
 export type Config = z.infer<typeof ConfigSchema>;
+export type BlueprintResourcePolicy = z.infer<typeof ResourcePolicySchema>;
--- a/server/lib/cache.ts
+++ b/server/lib/cache.ts
@@ -154,8 +154,19 @@ class AdaptiveCache {
    keys(): string[] {
        return localCache.keys();
    }
+
+    /**
+     * Get keys with a specific prefix
+     * @param prefix - Key prefix to match
+     * @returns Array of matching keys
+     */
+    async keysWithPrefix(prefix: string): Promise<string[]> {
+        const allKeys = localCache.keys();
+        return allKeys.filter((key) => key.startsWith(prefix));
+    }
 }

 // Export singleton instance
 export const cache = new AdaptiveCache();
+export const regionalCache = cache; // Alias for compatability with the private version
 export default cache;
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -25,9 +25,9 @@ import { tierMatrix } from "./billing/tierMatrix";

 export async function calculateUserClientsForOrgs(
    userId: string,
-    trx?: Transaction
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    const execute = async (transaction: Transaction) => {
+    const execute = async (transaction: Transaction | typeof db) => {
        const orgCache = new Map<string, typeof orgs.$inferSelect | null>();
        const adminRoleCache = new Map<
            string,
@@ -331,16 +331,8 @@ export async function calculateUserClientsForOrgs(
                    ];

                // Get next available subnet
-                const newSubnet = await getNextAvailableClientSubnet(
-                    orgId,
-                    transaction
-                );
-                if (!newSubnet) {
-                    logger.warn(
-                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): no available subnet found`
-                    );
-                    continue;
-                }
+                const { value: newSubnet, release: releaseSubnetLock } =
+                    await getNextAvailableClientSubnet(orgId, transaction);

                const subnet = newSubnet.split("/")[0];
                const updatedSubnet = `${subnet}/${org.subnet.split("/")[1]}`;
@@ -370,6 +362,7 @@ export async function calculateUserClientsForOrgs(
                    .insert(clients)
                    .values(newClientData)
                    .returning();
+                await releaseSubnetLock();
                existingClientCache.set(
                    getOrgOlmKey(orgId, olm.olmId),
                    newClient
@@ -437,7 +430,7 @@ export async function calculateUserClientsForOrgs(

 async function cleanupOrphanedClients(
    userId: string,
-    trx: Transaction,
+    trx: Transaction | typeof db,
    userOrgIds: string[] = []
 ): Promise<void> {
    // Find all OLM clients for this user that should be deleted
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.18.3";
+export const APP_VERSION = "1.19.0";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -327,127 +327,145 @@ export function doCidrsOverlap(cidr1: string, cidr2: string): boolean {
 export async function getNextAvailableClientSubnet(
    orgId: string,
    transaction: Transaction | typeof db = db
-): Promise<string> {
-    return await lockManager.withLock(
-        `client-subnet-allocation:${orgId}`,
-        async () => {
-            const [org] = await transaction
-                .select()
-                .from(orgs)
-                .where(eq(orgs.orgId, orgId));
+): Promise<{ value: string; release: () => Promise<void> }> {
+    const lockKey = `client-subnet-allocation:${orgId}`;
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);

-            if (!org) {
-                throw new Error(`Organization with ID ${orgId} not found`);
-            }
+    try {
+        const [org] = await transaction
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));

-            if (!org.subnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no subnet defined`
-                );
-            }
-
-            const existingAddressesSites = await transaction
-                .select({
-                    address: sites.address
-                })
-                .from(sites)
-                .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));
-
-            const existingAddressesClients = await transaction
-                .select({
-                    address: clients.subnet
-                })
-                .from(clients)
-                .where(
-                    and(isNotNull(clients.subnet), eq(clients.orgId, orgId))
-                );
-
-            const addresses = [
-                ...existingAddressesSites.map(
-                    (site) => `${site.address?.split("/")[0]}/32`
-                ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
-                ...existingAddressesClients.map(
-                    (client) => `${client.address.split("/")}/32`
-                )
-            ].filter((address) => address !== null) as string[];
-
-            const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
-            if (!subnet) {
-                throw new Error("No available subnets remaining in space");
-            }
-
-            return subnet;
+        if (!org) {
+            throw new Error(`Organization with ID ${orgId} not found`);
        }
-    );
+
+        if (!org.subnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no subnet defined`
+            );
+        }
+
+        const existingAddressesSites = await transaction
+            .select({
+                address: sites.address
+            })
+            .from(sites)
+            .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));
+
+        const existingAddressesClients = await transaction
+            .select({
+                address: clients.subnet
+            })
+            .from(clients)
+            .where(and(isNotNull(clients.subnet), eq(clients.orgId, orgId)));
+
+        const addresses = [
+            ...existingAddressesSites.map(
+                (site) => `${site.address?.split("/")[0]}/32`
+            ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
+            ...existingAddressesClients.map(
+                (client) => `${client.address.split("/")[0]}/32`
+            )
+        ].filter((address) => address !== null) as string[];
+
+        const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
+        if (!subnet) {
+            throw new Error("No available subnets remaining in space");
+        }
+
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

 export async function getNextAvailableAliasAddress(
    orgId: string,
    trx: Transaction | typeof db = db
-): Promise<string> {
-    return await lockManager.withLock(
-        `alias-address-allocation:${orgId}`,
-        async () => {
-            const [org] = await trx
-                .select()
-                .from(orgs)
-                .where(eq(orgs.orgId, orgId));
+): Promise<{ value: string; release: () => Promise<void> }> {
+    const lockKey = `alias-address-allocation:${orgId}`;
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);

-            if (!org) {
-                throw new Error(`Organization with ID ${orgId} not found`);
-            }
+    try {
+        const [org] = await trx
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));

-            if (!org.subnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no subnet defined`
-                );
-            }
-
-            if (!org.utilitySubnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no utility subnet defined`
-                );
-            }
-
-            const existingAddresses = await trx
-                .select({
-                    aliasAddress: siteResources.aliasAddress
-                })
-                .from(siteResources)
-                .where(
-                    and(
-                        isNotNull(siteResources.aliasAddress),
-                        eq(siteResources.orgId, orgId)
-                    )
-                );
-
-            const addresses = [
-                ...existingAddresses.map(
-                    (site) => `${site.aliasAddress?.split("/")[0]}/32`
-                ),
-                // reserve a /29 for the dns server and other stuff
-                `${org.utilitySubnet.split("/")[0]}/29`
-            ].filter((address) => address !== null) as string[];
-
-            let subnet = findNextAvailableCidr(
-                addresses,
-                32,
-                org.utilitySubnet
-            );
-            if (!subnet) {
-                throw new Error("No available subnets remaining in space");
-            }
-
-            // remove the cidr
-            subnet = subnet.split("/")[0];
-
-            return subnet;
+        if (!org) {
+            throw new Error(`Organization with ID ${orgId} not found`);
        }
-    );
+
+        if (!org.subnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no subnet defined`
+            );
+        }
+
+        if (!org.utilitySubnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no utility subnet defined`
+            );
+        }
+
+        const existingAddresses = await trx
+            .select({
+                aliasAddress: siteResources.aliasAddress
+            })
+            .from(siteResources)
+            .where(
+                and(
+                    isNotNull(siteResources.aliasAddress),
+                    eq(siteResources.orgId, orgId)
+                )
+            );
+
+        const addresses = [
+            ...existingAddresses.map(
+                (site) => `${site.aliasAddress?.split("/")[0]}/32`
+            ),
+            // reserve a /29 for the dns server and other stuff
+            `${org.utilitySubnet.split("/")[0]}/29`
+        ].filter((address) => address !== null) as string[];
+
+        let subnet = findNextAvailableCidr(addresses, 32, org.utilitySubnet);
+        if (!subnet) {
+            throw new Error("No available subnets remaining in space");
+        }
+
+        // remove the cidr
+        subnet = subnet.split("/")[0];
+
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

-export async function getNextAvailableOrgSubnet(): Promise<string> {
-    return await lockManager.withLock("org-subnet-allocation", async () => {
+export async function getNextAvailableOrgSubnet(): Promise<{
+    value: string;
+    release: () => Promise<void>;
+}> {
+    const lockKey = "org-subnet-allocation";
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);
+
+    try {
        const existingAddresses = await db
            .select({
                subnet: orgs.subnet
@@ -466,8 +484,11 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {
            throw new Error("No available subnets remaining in space");
        }

-        return subnet;
-    });
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

 export function generateRemoteSubnets(
@@ -475,13 +496,15 @@ export function generateRemoteSubnets(
 ): string[] {
    const remoteSubnets = allSiteResources
        .filter((sr) => {
+            if (!sr.destination) return false;
+
            if (sr.mode === "cidr") {
                // check if its a valid CIDR using zod
                const cidrSchema = z.union([z.cidrv4(), z.cidrv6()]);
                const parseResult = cidrSchema.safeParse(sr.destination);
                return parseResult.success;
            }
-            if (sr.mode === "host") {
+            if (sr.mode === "host" || sr.mode === "ssh") {
                // check if its a valid IP using zod
                const ipSchema = z.union([z.ipv4(), z.ipv6()]);
                const parseResult = ipSchema.safeParse(sr.destination);
@@ -491,12 +514,12 @@ export function generateRemoteSubnets(
        })
        .map((sr) => {
            if (sr.mode === "cidr") return sr.destination;
-            if (sr.mode === "host") {
+            if (sr.mode === "host" || sr.mode === "ssh") {
                return `${sr.destination}/32`;
            }
            return ""; // This should never be reached due to filtering, but satisfies TypeScript
        })
-        .filter((subnet) => subnet !== ""); // Remove empty strings just to be safe
+        .filter((subnet): subnet is string => subnet !== "" && subnet !== null); // Remove invalid values just to be safe
    // remove duplicates
    return Array.from(new Set(remoteSubnets));
 }
@@ -508,7 +531,7 @@ export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
        .filter(
            (sr) =>
                sr.aliasAddress &&
-                ((sr.alias && sr.mode == "host") ||
+                ((sr.alias && (sr.mode == "host" || sr.mode == "ssh")) ||
                    (sr.fullDomain && sr.mode == "http"))
        )
        .map((sr) => ({
@@ -554,6 +577,10 @@ export function generateSubnetProxyTargets(
            continue;
        }

+        if (!siteResource.destination) {
+            continue;
+        }
+
        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
        const portRange = [
            ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
@@ -561,7 +588,7 @@ export function generateSubnetProxyTargets(
        ];
        const disableIcmp = siteResource.disableIcmp ?? false;

-        if (siteResource.mode == "host") {
+        if (siteResource.mode == "host" || siteResource.mode == "ssh") {
            let destination = siteResource.destination;
            // check if this is a valid ip
            const ipSchema = z.union([z.ipv4(), z.ipv6()]);
@@ -581,7 +608,7 @@ export function generateSubnetProxyTargets(
                targets.push({
                    sourcePrefix: clientPrefix,
                    destPrefix: `${siteResource.aliasAddress}/32`,
-                    rewriteTo: destination,
+                    rewriteTo: destination!,
                    portRange,
                    disableIcmp
                });
@@ -589,7 +616,7 @@ export function generateSubnetProxyTargets(
        } else if (siteResource.mode == "cidr") {
            targets.push({
                sourcePrefix: clientPrefix,
-                destPrefix: siteResource.destination,
+                destPrefix: siteResource.destination!,
                portRange,
                disableIcmp
            });
@@ -642,7 +669,12 @@ export async function generateSubnetProxyTargetV2(
        return;
    }

-    let targets: SubnetProxyTargetV2[] = [];
+    if (!siteResource.destination) {
+        // ssh can have no destination
+        return;
+    }
+
+    const targets: SubnetProxyTargetV2[] = [];

    const portRange = [
        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
@@ -650,7 +682,7 @@ export async function generateSubnetProxyTargetV2(
    ];
    const disableIcmp = siteResource.disableIcmp ?? false;

-    if (siteResource.mode == "host") {
+    if (siteResource.mode == "host" || siteResource.mode == "ssh") {
        let destination = siteResource.destination;
        // check if this is a valid ip
        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
@@ -671,7 +703,7 @@ export async function generateSubnetProxyTargetV2(
            targets.push({
                sourcePrefixes: [],
                destPrefix: `${siteResource.aliasAddress}/32`,
-                rewriteTo: destination,
+                rewriteTo: destination!,
                portRange,
                disableIcmp,
                resourceId: siteResource.siteResourceId
@@ -680,7 +712,7 @@ export async function generateSubnetProxyTargetV2(
    } else if (siteResource.mode == "cidr") {
        targets.push({
            sourcePrefixes: [],
-            destPrefix: siteResource.destination,
+            destPrefix: siteResource.destination!,
            portRange,
            disableIcmp,
            resourceId: siteResource.siteResourceId
@@ -738,7 +770,7 @@ export async function generateSubnetProxyTargetV2(
            protocol: siteResource.ssl ? "https" : "http",
            httpTargets: [
                {
-                    destAddr: siteResource.destination,
+                    destAddr: siteResource.destination!,
                    destPort: siteResource.destinationPort,
                    scheme: siteResource.scheme
                }
@@ -873,7 +905,13 @@ export const portRangeStringSchema = z
            message:
                'Port range must be "*" for all ports, or a comma-separated list of ports and ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535, and ranges must have start <= end.'
        }
-    );
+    )
+    .openapi({
+        type: "string",
+        description:
+            'Port range string. Use "*" for all ports, a comma-separated list of ports, or ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535.',
+        example: "80,443,8000-9000"
+    });

 /**
 * Parses a port range string into an array of port range objects
--- a/server/lib/openapi/createApiResponseSchema.ts
+++ b/server/lib/openapi/createApiResponseSchema.ts
@@ -0,0 +1,11 @@
+import { z } from "zod";
+
+export function createApiResponseSchema<T extends z.ZodTypeAny>(dataSchema: T) {
+    return z.object({
+        data: dataSchema.nullable(),
+        success: z.boolean(),
+        error: z.boolean(),
+        message: z.string(),
+        status: z.number()
+    });
+}
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -18,11 +18,9 @@ import {
    userOrgRoles,
    userSiteResources
 } from "@server/db";
-import { and, eq, inArray, ne } from "drizzle-orm";
+import { and, count, eq, inArray, ne } from "drizzle-orm";

-import {
-    deletePeer as newtDeletePeer
-} from "@server/routers/newt/peers";
+import { deletePeer as newtDeletePeer } from "@server/routers/newt/peers";
 import {
    initPeerAddHandshake,
    deletePeer as olmDeletePeer
@@ -33,7 +31,7 @@ import {
    generateAliasConfig,
    generateRemoteSubnets,
    generateSubnetProxyTargetV2,
-    parseEndpoint,
+    parseEndpoint
 } from "@server/lib/ip";
 import {
    addPeerData,
@@ -41,6 +39,11 @@ import {
    removePeerData,
    removeTargets as removeSubnetProxyTargets
 } from "@server/routers/client/targets";
+import { lockManager } from "#dynamic/lib/lock";
+
+// TTL for rebuild-association locks. These functions can fan out into many
+// peer/proxy updates, so give them a generous window.
+const REBUILD_ASSOCIATIONS_LOCK_TTL_MS = 120000;

 export async function getClientSiteResourceAccess(
    siteResource: SiteResource,
@@ -51,10 +54,7 @@ export async function getClientSiteResourceAccess(
        ? await trx
              .select()
              .from(sites)
-              .innerJoin(
-                  siteNetworks,
-                  eq(siteNetworks.siteId, sites.siteId)
-              )
+              .innerJoin(siteNetworks, eq(siteNetworks.siteId, sites.siteId))
              .where(eq(siteNetworks.networkId, siteResource.networkId))
              .then((rows) => rows.map((row) => row.sites))
        : [];
@@ -166,6 +166,23 @@ export async function rebuildClientAssociationsFromSiteResource(
        pubKey: string | null;
        subnet: string | null;
    }[];
+}> {
+    return await lockManager.withLock(
+        `rebuild-client-associations:site-resource:${siteResource.siteResourceId}`,
+        () => rebuildClientAssociationsFromSiteResourceImpl(siteResource, trx),
+        REBUILD_ASSOCIATIONS_LOCK_TTL_MS
+    );
+}
+
+async function rebuildClientAssociationsFromSiteResourceImpl(
+    siteResource: SiteResource,
+    trx: Transaction | typeof db = db
+): Promise<{
+    mergedAllClients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[];
 }> {
    logger.debug(
        `rebuildClientAssociations: [rebuildClientAssociationsFromSiteResource] START siteResourceId=${siteResource.siteResourceId} networkId=${siteResource.networkId} orgId=${siteResource.orgId}`
@@ -362,7 +379,8 @@ export async function rebuildClientAssociationsFromSiteResource(
                      .where(inArray(clients.clientId, existingClientSiteIds))
                : [];

-        const otherResourceClientIds = clientsFromOtherResourcesBySite.get(siteId) ?? new Set<number>();
+        const otherResourceClientIds =
+            clientsFromOtherResourcesBySite.get(siteId) ?? new Set<number>();

        logger.debug(
            `rebuildClientAssociations: [rebuildClientAssociationsFromSiteResource] siteId=${siteId} otherResourceClientIds=[${[...otherResourceClientIds].join(", ")}] mergedAllClientIds=[${mergedAllClientIds.join(", ")}]`
@@ -543,6 +561,29 @@ async function handleMessagesForSiteClients(
        }
    }

+    // get the number of sites on each of these clients so we can log it and make decisions about whether to send messages based on it
+    const clientSiteCounts: Record<number, number> = {};
+    if (clientsToProcess.size > 0) {
+        const clientIdsToProcess = Array.from(clientsToProcess.keys());
+        const siteCounts = await trx
+            .select({
+                clientId: clientSitesAssociationsCache.clientId,
+                siteCount: count(clientSitesAssociationsCache.siteId)
+            })
+            .from(clientSitesAssociationsCache)
+            .where(
+                inArray(
+                    clientSitesAssociationsCache.clientId,
+                    clientIdsToProcess
+                )
+            )
+            .groupBy(clientSitesAssociationsCache.clientId);
+
+        for (const row of siteCounts) {
+            clientSiteCounts[row.clientId] = Number(row.siteCount);
+        }
+    }
+
    for (const client of clientsToProcess.values()) {
        // UPDATE THE NEWT
        if (!client.subnet || !client.pubKey) {
@@ -586,7 +627,14 @@ async function handleMessagesForSiteClients(
        }

        if (isAdd) {
-            // TODO: if we are in jit mode here should we really be sending this?
+            if (clientSiteCounts[client.clientId] > 250) {
+                // skip adding the peer if we have more than 250 sites because we are in jit mode anyway
+                logger.info(
+                    `rebuildClientAssociations: Client ${client.clientId} has ${clientSiteCounts[client.clientId]} sites so skipping adding peer to newt and olm because it is likely in jit mode`
+                );
+                continue;
+            }
+
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -604,9 +652,24 @@ async function handleMessagesForSiteClients(
        exitNodeJobs.push(updateClientSiteDestinations(client, trx));
    }

-    await Promise.all(exitNodeJobs);
-    await Promise.all(newtJobs); // do the servers first to make sure they are ready?
-    await Promise.all(olmJobs);
+    Promise.all(exitNodeJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating client site destinations for site ${site.siteId}:`,
+            error
+        );
+    });
+    Promise.all(newtJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Newt peers for site ${site.siteId}:`,
+            error
+        );
+    });
+    Promise.all(olmJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Olm peers for site ${site.siteId}:`,
+            error
+        );
+    });
 }

 interface PeerDestination {
@@ -709,7 +772,7 @@ export async function updateClientSiteDestinations(
            sourcePort: destination.sourcePort,
            destinations: destination.destinations
        };
-        logger.info(
+        logger.debug(
            `Payload for update-destinations: ${JSON.stringify(payload, null, 2)}`
        );

@@ -827,6 +890,9 @@ async function handleSubnetProxyTargetUpdates(
                }

                for (const client of removedClients) {
+                    if (!siteResource.destination) {
+                        continue;
+                    }
                    // Check if this client still has access to another resource
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
@@ -889,6 +955,17 @@ async function handleSubnetProxyTargetUpdates(
 export async function rebuildClientAssociationsFromClient(
    client: Client,
    trx: Transaction | typeof db = db
+): Promise<void> {
+    return await lockManager.withLock(
+        `rebuild-client-associations:client:${client.clientId}`,
+        () => rebuildClientAssociationsFromClientImpl(client, trx),
+        REBUILD_ASSOCIATIONS_LOCK_TTL_MS
+    );
+}
+
+async function rebuildClientAssociationsFromClientImpl(
+    client: Client,
+    trx: Transaction | typeof db = db
 ): Promise<void> {
    let newSiteResourceIds: number[] = [];

@@ -1161,6 +1238,12 @@ async function handleMessagesForClientSites(
    const olmJobs: Promise<any>[] = [];
    const exitNodeJobs: Promise<any>[] = [];

+    const totalSitesOnClient = await trx
+        .select({ count: count(clientSitesAssociationsCache.siteId) })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId))
+        .then((rows) => Number(rows[0].count));
+
    for (const siteData of sitesData) {
        const site = siteData.sites;
        const exitNode = siteData.exitNodes;
@@ -1221,7 +1304,14 @@ async function handleMessagesForClientSites(
                continue;
            }

-            // TODO: if we are in jit mode here should we really be sending this?
+            if (totalSitesOnClient > 250) {
+                // skip adding the site if we have more than 250 because we are in jit mode anyway
+                logger.info(
+                    `rebuildClientAssociations: Client ${client.clientId} has ${totalSitesOnClient} sites so skipping adding peer to newt and olm because it is likely in jit mode`
+                );
+                continue;
+            }
+
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -1249,9 +1339,24 @@ async function handleMessagesForClientSites(
        );
    }

-    await Promise.all(exitNodeJobs);
-    await Promise.all(newtJobs);
-    await Promise.all(olmJobs);
+    Promise.all(exitNodeJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating client site destinations for client ${client.clientId}:`,
+            error
+        );
+    });
+    Promise.all(newtJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Newt peers for client ${client.clientId}:`,
+            error
+        );
+    });
+    Promise.all(olmJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Olm peers for client ${client.clientId}:`,
+            error
+        );
+    });
 }

 async function handleMessagesForClientResources(
@@ -1461,6 +1566,9 @@ async function handleMessagesForClientResources(
                }

                try {
+                    if (!resource.destination) {
+                        continue;
+                    }
                    // Check if this client still has access to another resource
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
@@ -1532,3 +1640,269 @@ async function handleMessagesForClientResources(

    await Promise.all([...proxyJobs, ...olmJobs]);
 }
+
+export type ClientAssociationsCacheVerification = {
+    clientId: number;
+    consistent: boolean;
+    // What permissions say the cache should contain
+    expectedSiteResourceIds: number[];
+    expectedSiteIds: number[];
+    // What the cache currently contains
+    actualSiteResourceIds: number[];
+    actualSiteIds: number[];
+    // Diff
+    missingSiteResourceIds: number[]; // present in expected, missing from cache
+    extraSiteResourceIds: number[]; // present in cache, not in expected
+    missingSiteIds: number[];
+    extraSiteIds: number[];
+};
+
+// verifyClientAssociationsCache walks the same permission-derivation logic as
+// rebuildClientAssociationsFromClient but does NOT modify the database. It
+// returns the expected vs actual cache contents and a boolean indicating
+// whether the cache is in sync with what permissions imply.
+export async function verifyClientAssociationsCache(
+    client: Client,
+    trx: Transaction | typeof db = db
+): Promise<ClientAssociationsCacheVerification> {
+    let newSiteResourceIds: number[] = [];
+
+    // 1. Direct client associations
+    const directSiteResources = await trx
+        .select({ siteResourceId: clientSiteResources.siteResourceId })
+        .from(clientSiteResources)
+        .innerJoin(
+            siteResources,
+            eq(siteResources.siteResourceId, clientSiteResources.siteResourceId)
+        )
+        .where(
+            and(
+                eq(clientSiteResources.clientId, client.clientId),
+                eq(siteResources.orgId, client.orgId)
+            )
+        );
+
+    newSiteResourceIds.push(
+        ...directSiteResources.map((r) => r.siteResourceId)
+    );
+
+    // 2. User-based and role-based access (if client has a userId)
+    if (client.userId) {
+        const userSiteResourceIds = await trx
+            .select({ siteResourceId: userSiteResources.siteResourceId })
+            .from(userSiteResources)
+            .innerJoin(
+                siteResources,
+                eq(
+                    siteResources.siteResourceId,
+                    userSiteResources.siteResourceId
+                )
+            )
+            .where(
+                and(
+                    eq(userSiteResources.userId, client.userId),
+                    eq(siteResources.orgId, client.orgId)
+                )
+            );
+
+        newSiteResourceIds.push(
+            ...userSiteResourceIds.map((r) => r.siteResourceId)
+        );
+
+        const roleIds = await trx
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, client.userId),
+                    eq(userOrgRoles.orgId, client.orgId)
+                )
+            )
+            .then((rows) => rows.map((row) => row.roleId));
+
+        if (roleIds.length > 0) {
+            const roleSiteResourceIds = await trx
+                .select({ siteResourceId: roleSiteResources.siteResourceId })
+                .from(roleSiteResources)
+                .innerJoin(
+                    siteResources,
+                    eq(
+                        siteResources.siteResourceId,
+                        roleSiteResources.siteResourceId
+                    )
+                )
+                .where(
+                    and(
+                        inArray(roleSiteResources.roleId, roleIds),
+                        eq(siteResources.orgId, client.orgId)
+                    )
+                );
+
+            newSiteResourceIds.push(
+                ...roleSiteResourceIds.map((r) => r.siteResourceId)
+            );
+        }
+    }
+
+    newSiteResourceIds = Array.from(new Set(newSiteResourceIds));
+
+    const newSiteResources =
+        newSiteResourceIds.length > 0
+            ? await trx
+                  .select()
+                  .from(siteResources)
+                  .where(
+                      inArray(siteResources.siteResourceId, newSiteResourceIds)
+                  )
+            : [];
+
+    const networkIds = Array.from(
+        new Set(
+            newSiteResources
+                .map((sr) => sr.networkId)
+                .filter((id): id is number => id !== null)
+        )
+    );
+    const newSiteIds =
+        networkIds.length > 0
+            ? await trx
+                  .select({ siteId: siteNetworks.siteId })
+                  .from(siteNetworks)
+                  .where(inArray(siteNetworks.networkId, networkIds))
+                  .then((rows) =>
+                      Array.from(new Set(rows.map((r) => r.siteId)))
+                  )
+            : [];
+
+    // Read the existing cache state
+    const existingResourceAssociations = await trx
+        .select({
+            siteResourceId: clientSiteResourcesAssociationsCache.siteResourceId
+        })
+        .from(clientSiteResourcesAssociationsCache)
+        .where(
+            eq(clientSiteResourcesAssociationsCache.clientId, client.clientId)
+        );
+    const existingSiteResourceIds = existingResourceAssociations.map(
+        (r) => r.siteResourceId
+    );
+
+    const existingSiteAssociations = await trx
+        .select({ siteId: clientSitesAssociationsCache.siteId })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
+    const existingSiteIds = existingSiteAssociations.map((s) => s.siteId);
+
+    const expectedSiteResourceSet = new Set(newSiteResourceIds);
+    const actualSiteResourceSet = new Set(existingSiteResourceIds);
+    const expectedSiteSet = new Set(newSiteIds);
+    const actualSiteSet = new Set(existingSiteIds);
+
+    const missingSiteResourceIds = newSiteResourceIds.filter(
+        (id) => !actualSiteResourceSet.has(id)
+    );
+    const extraSiteResourceIds = existingSiteResourceIds.filter(
+        (id) => !expectedSiteResourceSet.has(id)
+    );
+    const missingSiteIds = newSiteIds.filter((id) => !actualSiteSet.has(id));
+    const extraSiteIds = existingSiteIds.filter(
+        (id) => !expectedSiteSet.has(id)
+    );
+
+    const consistent =
+        missingSiteResourceIds.length === 0 &&
+        extraSiteResourceIds.length === 0 &&
+        missingSiteIds.length === 0 &&
+        extraSiteIds.length === 0;
+
+    return {
+        clientId: client.clientId,
+        consistent,
+        expectedSiteResourceIds: Array.from(expectedSiteResourceSet).sort(
+            (a, b) => a - b
+        ),
+        expectedSiteIds: Array.from(expectedSiteSet).sort((a, b) => a - b),
+        actualSiteResourceIds: Array.from(actualSiteResourceSet).sort(
+            (a, b) => a - b
+        ),
+        actualSiteIds: Array.from(actualSiteSet).sort((a, b) => a - b),
+        missingSiteResourceIds: missingSiteResourceIds.sort((a, b) => a - b),
+        extraSiteResourceIds: extraSiteResourceIds.sort((a, b) => a - b),
+        missingSiteIds: missingSiteIds.sort((a, b) => a - b),
+        extraSiteIds: extraSiteIds.sort((a, b) => a - b)
+    };
+}
+
+// cleanupSiteAssociations efficiently removes all client associations for a
+// site that is being deleted. Instead of calling
+// rebuildClientAssociationsFromSiteResource once per site resource (which is
+// O(resources) in DB round-trips and message fan-out), this function performs
+// a single bulk lookup of affected clients and site resources, deletes all
+// cache rows at once, and fires all peer/proxy removal messages in parallel.
+//
+// The caller is responsible for deleting the site row itself (and for sending
+// the newt/wg/terminate signal to the newt process).
+export async function cleanupSiteAssociations(
+    site: Site,
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    const siteId = site.siteId;
+
+    logger.debug(`cleanupSiteAssociations: START siteId=${siteId}`);
+
+    // 1. Find every client currently cached against this site.
+    const cachedSiteClientRows = await trx
+        .select({ clientId: clientSitesAssociationsCache.clientId })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+
+    const cachedClientIds = cachedSiteClientRows.map((r) => r.clientId);
+
+    // 2. Load full client details (needed for WireGuard public-key references).
+    const allClients =
+        cachedClientIds.length > 0
+            ? await trx
+                  .select({
+                      clientId: clients.clientId,
+                      pubKey: clients.pubKey,
+                      subnet: clients.subnet
+                  })
+                  .from(clients)
+                  .where(inArray(clients.clientId, cachedClientIds))
+            : [];
+
+    // 6. Bulk-delete all cache entries for this site.  Do this before sending
+    //    destination-update messages so updateClientSiteDestinations computes
+    //    the correct (post-deletion) set of destinations.
+    await trx
+        .delete(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+
+    logger.debug(
+        `cleanupSiteAssociations: siteId=${siteId} cache cleared. clients=${allClients.length}`
+    );
+
+    // 7. Fire all removal messages in parallel.
+    const jobs: Promise<any>[] = [];
+
+    for (const client of allClients) {
+        // Tell each olm to drop the site's WireGuard peer.
+        if (site.publicKey) {
+            jobs.push(olmDeletePeer(client.clientId, siteId, site.publicKey));
+        }
+
+        // Recompute and push updated relay destinations (now excluding this site).
+        if (client.pubKey && client.subnet) {
+            jobs.push(updateClientSiteDestinations(client, trx));
+        }
+    }
+
+    await Promise.all(jobs).catch((error) => {
+        logger.error(
+            `cleanupSiteAssociations: error sending cleanup messages for siteId=${siteId}:`,
+            error
+        );
+    });
+
+    logger.debug(`cleanupSiteAssociations: DONE siteId=${siteId}`);
+}
--- a/server/lib/requestParams.ts
+++ b/server/lib/requestParams.ts
@@ -0,0 +1,11 @@
+export function getFirstString(value: unknown): string | undefined {
+    if (typeof value === "string") {
+        return value;
+    }
+
+    if (Array.isArray(value) && typeof value[0] === "string") {
+        return value[0];
+    }
+
+    return undefined;
+}
--- a/server/lib/statusHistory.ts
+++ b/server/lib/statusHistory.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";
 import { db, logsDb, statusHistory } from "@server/db";
 import { and, eq, gte, asc } from "drizzle-orm";
-import cache from "@server/lib/cache";
+import { regionalCache as cache } from "#dynamic/lib/cache";

 const STATUS_HISTORY_CACHE_TTL = 60; // seconds

@@ -66,7 +66,7 @@ export async function invalidateStatusHistoryCache(
    entityId: number
 ): Promise<void> {
    const prefix = `statusHistory:${entityType}:${entityId}:`;
-    const keys = cache.keys().filter((k) => k.startsWith(prefix));
+    const keys = await cache.keysWithPrefix(prefix);
    if (keys.length > 0) {
        await cache.del(keys);
    }
@@ -124,7 +124,7 @@ export function computeBuckets(
    let totalDowntime = 0;

    for (let d = 0; d < days; d++) {
-        const dayStartSec = todayMidnightSec - (days - d) * 86400;
+        const dayStartSec = todayMidnightSec - (days - 1 - d) * 86400;
        const dayEndSec = dayStartSec + 86400;

        const dayEvents = events.filter(
--- a/server/lib/telemetry.ts
+++ b/server/lib/telemetry.ts
@@ -2,7 +2,14 @@ import { PostHog } from "posthog-node";
 import config from "./config";
 import { getHostMeta } from "./hostMeta";
 import logger from "@server/logger";
-import { alertRules, apiKeys, blueprints, db, roles, siteResources } from "@server/db";
+import {
+    alertRules,
+    apiKeys,
+    blueprints,
+    db,
+    roles,
+    siteResources
+} from "@server/db";
 import { sites, users, orgs, resources, clients, idp } from "@server/db";
 import { eq, count, notInArray, and, isNotNull, isNull } from "drizzle-orm";
 import { APP_VERSION } from "./consts";
@@ -143,8 +150,7 @@ class TelemetryClient {
                .select({
                    name: resources.name,
                    sso: resources.sso,
-                    protocol: resources.protocol,
-                    http: resources.http
+                    mode: resources.mode
                })
                .from(resources);

@@ -175,6 +181,7 @@ class TelemetryClient {
            let numPrivResourceHosts = 0;
            let numPrivResourceCidr = 0;
            let numPrivResourceHttp = 0;
+            let numPrivResourceSsh = 0;
            for (const res of allPrivateResources) {
                if (res.mode === "host") {
                    numPrivResourceHosts += 1;
@@ -182,6 +189,8 @@ class TelemetryClient {
                    numPrivResourceCidr += 1;
                } else if (res.mode === "http") {
                    numPrivResourceHttp += 1;
+                } else if (res.mode === "ssh") {
+                    numPrivResourceSsh += 1;
                }

                if (res.alias) {
@@ -201,6 +210,7 @@ class TelemetryClient {
                numPrivateResourceHosts: numPrivResourceHosts,
                numPrivateResourceCidr: numPrivResourceCidr,
                numPrivateResourceHttp: numPrivResourceHttp,
+                numPrivateResourceSsh: numPrivResourceSsh,
                numAlertRules: numAlertRules.count,
                numUserDevices: userDevicesCount.count,
                numMachineClients: machineClients.count,
@@ -311,7 +321,7 @@ class TelemetryClient {
                        (r) => r.sso
                    ).length,
                    num_resources_non_http: stats.resources.filter(
-                        (r) => !r.http
+                        (r) => r.mode !== "http"
                    ).length,
                    num_newt_sites: stats.sites.filter((s) => s.type === "newt")
                        .length,
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -520,7 +520,8 @@ export class TraefikConfigManager {
                build != "oss", // generate the login pages on the cloud and hybrid,
                build == "saas"
                    ? false
-                    : config.getRawConfig().traefik.allow_raw_resources // dont allow raw resources on saas otherwise use config
+                    : config.getRawConfig().traefik.allow_raw_resources, // dont allow raw resources on saas otherwise use config
+                build != "oss" // generate browser gateway targets on cloud and enterprise
            );

            const domains = new Set<string>();
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -44,7 +44,8 @@ export async function getTraefikConfig(
    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
    allowRawResources = true,
-    allowMaintenancePage = true // UNUSED BUT USED IN PRIVATE
+    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
+    allowBrowserGatewayResources = true
 ): Promise<any> {
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
@@ -55,9 +56,7 @@ export async function getTraefikConfig(
            resourceName: resources.name,
            fullDomain: resources.fullDomain,
            ssl: resources.ssl,
-            http: resources.http,
            proxyPort: resources.proxyPort,
-            protocol: resources.protocol,
            subdomain: resources.subdomain,
            domainId: resources.domainId,
            enabled: resources.enabled,
@@ -68,6 +67,7 @@ export async function getTraefikConfig(
            headers: resources.headers,
            proxyProtocol: resources.proxyProtocol,
            proxyProtocolVersion: resources.proxyProtocolVersion,
+            mode: resources.mode,

            // Target fields
            targetId: targets.targetId,
@@ -115,8 +115,8 @@ export async function getTraefikConfig(
                ),
                inArray(sites.type, siteTypes),
                allowRawResources
-                    ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
-                    : eq(resources.http, true)
+                    ? inArray(resources.mode, ["http", "udp", "tcp"]) // allow all three
+                    : eq(resources.mode, "http")
            )
        )
        .orderBy(desc(targets.priority), targets.targetId); // stable ordering
@@ -166,9 +166,8 @@ export async function getTraefikConfig(
                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
-                http: row.http,
+                mode: row.mode,
                proxyPort: row.proxyPort,
-                protocol: row.protocol,
                subdomain: row.subdomain,
                domainId: row.domainId,
                enabled: row.enabled,
@@ -242,7 +241,7 @@ export async function getTraefikConfig(
            continue;
        }

-        if (resource.http) {
+        if (resource.mode === "http") {
            if (!resource.domainId || !resource.fullDomain) {
                continue;
            }
@@ -574,13 +573,13 @@ export async function getTraefikConfig(
                    serviceName
                ].loadBalancer.serversTransport = transportName;
            }
-        } else {
+        } else if (resource.mode === "tcp" || resource.mode === "udp") {
            // Non-HTTP (TCP/UDP) configuration
            if (!resource.enableProxy || !resource.proxyPort) {
                continue;
            }

-            const protocol = resource.protocol.toLowerCase();
+            const protocol = resource.mode === "udp" ? "udp" : "tcp"; // all of the other ones are tcp
            const port = resource.proxyPort;

            if (!port) {
--- a/server/lib/validators.test.ts
+++ b/server/lib/validators.test.ts
@@ -244,4 +244,5 @@ try {
    runTests();
 } catch (error) {
    console.error("Test failed:", error);
+    process.exit(1);
 }
--- a/server/lib/validators.ts
+++ b/server/lib/validators.ts
@@ -1,5 +1,7 @@
 import z from "zod";
 import ipaddr from "ipaddr.js";
+import { COUNTRIES } from "@server/db/countries";
+import { isValidRegionId } from "@server/db/regions";

 export function isValidCIDR(cidr: string): boolean {
    return (
@@ -67,6 +69,45 @@ export function isValidUrlGlobPattern(pattern: string): boolean {
    return true;
 }

+export const RESOURCE_RULE_MATCH_TYPES = [
+    "CIDR",
+    "IP",
+    "PATH",
+    "COUNTRY",
+    "ASN",
+    "REGION"
+] as const;
+
+export type ResourceRuleMatchType = (typeof RESOURCE_RULE_MATCH_TYPES)[number];
+
+export function getResourceRuleValueValidationError(
+    match: ResourceRuleMatchType,
+    value: string
+): string | null {
+    switch (match) {
+        case "CIDR":
+            return isValidCIDR(value) ? null : "Invalid CIDR provided";
+        case "IP":
+            return isValidIP(value) ? null : "Invalid IP provided";
+        case "PATH":
+            return isValidUrlGlobPattern(value)
+                ? null
+                : "Invalid URL glob pattern provided";
+        case "REGION":
+            return isValidRegionId(value) ? null : "Invalid region ID provided";
+        case "COUNTRY":
+            return COUNTRIES.some((country) => country.code === value)
+                ? null
+                : "Invalid country code provided";
+        case "ASN":
+            return /^AS\d+$/i.test(value.trim())
+                ? null
+                : "Invalid ASN provided";
+        default:
+            return "Invalid rule match type provided";
+    }
+}
+
 export function isUrlValid(url: string | undefined) {
    if (!url) return true; // the link is optional in the schema so if it's empty it's valid
    var pattern = new RegExp(
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -28,7 +28,9 @@ export * from "./verifyApiKeyAccess";
 export * from "./verifySiteProvisioningKeyAccess";
 export * from "./verifyDomainAccess";
 export * from "./verifyUserIsOrgOwner";
+export * from "./verifyUserFromResourceSession";
 export * from "./verifySiteResourceAccess";
 export * from "./logActionAudit";
 export * from "./verifyOlmAccess";
 export * from "./verifyLimits";
+export * from "./verifyResourcePolicyAccess";
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -16,3 +16,4 @@ export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
 export * from "./verifyApiKeyIdpAccess";
 export * from "./verifyApiKeyDomainAccess";
+export * from "./verifyApiKeyResourcePolicyAccess";
--- a/server/middlewares/integration/verifyAccessTokenAccess.ts
+++ b/server/middlewares/integration/verifyAccessTokenAccess.ts
@@ -4,6 +4,7 @@ import { resourceAccessToken, resources, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyAccessTokenAccess(
    req: Request,
@@ -12,7 +13,7 @@ export async function verifyApiKeyAccessTokenAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const accessTokenId = req.params.accessTokenId;
+        const accessTokenId = getFirstString(req.params.accessTokenId);

        if (!apiKey) {
            return next(
@@ -20,6 +21,12 @@ export async function verifyApiKeyAccessTokenAccess(
            );
        }

+        if (!accessTokenId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid access token ID")
+            );
+        }
+
        const [accessToken] = await db
            .select()
            .from(resourceAccessToken)
--- a/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
@@ -4,6 +4,7 @@ import { apiKeys, apiKeyOrg } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyApiKeyAccess(
    req: Request,
@@ -14,8 +15,10 @@ export async function verifyApiKeyApiKeyAccess(
        const { apiKey: callerApiKey } = req;

        const apiKeyId =
-            req.params.apiKeyId || req.body.apiKeyId || req.query.apiKeyId;
-        const orgId = req.params.orgId;
+            getFirstString(req.params.apiKeyId) ||
+            getFirstString(req.body.apiKeyId) ||
+            getFirstString(req.query.apiKeyId);
+        const orgId = getFirstString(req.params.orgId);

        if (!callerApiKey) {
            return next(
--- a/server/middlewares/integration/verifyApiKeyDomainAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyDomainAccess.ts
@@ -3,6 +3,7 @@ import { db, domains, orgDomains, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyDomainAccess(
    req: Request,
@@ -12,8 +13,10 @@ export async function verifyApiKeyDomainAccess(
    try {
        const apiKey = req.apiKey;
        const domainId =
-            req.params.domainId || req.body.domainId || req.query.domainId;
-        const orgId = req.params.orgId;
+            getFirstString(req.params.domainId) ||
+            getFirstString(req.body.domainId) ||
+            getFirstString(req.query.domainId);
+        const orgId = getFirstString(req.params.orgId);

        if (!apiKey) {
            return next(
@@ -27,6 +30,12 @@ export async function verifyApiKeyDomainAccess(
            );
        }

+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
        if (apiKey.isRoot) {
            // Root keys can access any domain in any org
            return next();
--- a/server/middlewares/integration/verifyApiKeyIdpAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyIdpAccess.ts
@@ -4,6 +4,7 @@ import { idp, idpOrg, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyIdpAccess(
    req: Request,
@@ -12,8 +13,12 @@ export async function verifyApiKeyIdpAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
-        const orgId = req.params.orgId;
+        const idpIdRaw =
+            getFirstString(req.params.idpId) ||
+            getFirstString(req.body.idpId) ||
+            getFirstString(req.query.idpId);
+        const idpId = Number.parseInt(idpIdRaw ?? "", 10);
+        const orgId = getFirstString(req.params.orgId);

        if (!apiKey) {
            return next(
@@ -27,7 +32,7 @@ export async function verifyApiKeyIdpAccess(
            );
        }

-        if (!idpId) {
+        if (Number.isNaN(idpId)) {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
            );
--- a/server/middlewares/integration/verifyApiKeyOrgAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyOrgAccess.ts
@@ -4,6 +4,7 @@ import { apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyOrgAccess(
    req: Request,
@@ -12,7 +13,7 @@ export async function verifyApiKeyOrgAccess(
 ) {
    try {
        const apiKeyId = req.apiKey?.apiKeyId;
-        const orgId = req.params.orgId;
+        const orgId = getFirstString(req.params.orgId);

        if (!apiKeyId) {
            return next(
@@ -45,7 +46,7 @@ export async function verifyApiKeyOrgAccess(
        }

        if (!req.apiKeyOrg) {
-            next(
+            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "Key does not have access to this organization"
--- a/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
@@ -0,0 +1,92 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, apiKeyOrg } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const apiKey = req.apiKey;
+    const resourcePolicyId =
+        req.params.resourcePolicyId ||
+        req.body.resourcePolicyId ||
+        req.query.resourcePolicyId;
+
+    if (!apiKey) {
+        return next(
+            createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+        );
+    }
+
+    try {
+        // Retrieve the resource policy
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .limit(1);
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyId} not found`
+                )
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any resource policy in any org
+            return next();
+        }
+
+        if (!policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Resource policy with ID ${resourcePolicyId} does not have an organization ID`
+                )
+            );
+        }
+
+        // Verify that the API key is linked to the resource policy's organization
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgResult = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+
+            if (apiKeyOrgResult.length > 0) {
+                req.apiKeyOrg = apiKeyOrgResult[0];
+            }
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}
--- a/server/middlewares/integration/verifyApiKeySiteResourceAccess.ts
+++ b/server/middlewares/integration/verifyApiKeySiteResourceAccess.ts
@@ -4,6 +4,7 @@ import { siteResources, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeySiteResourceAccess(
    req: Request,
@@ -12,7 +13,8 @@ export async function verifyApiKeySiteResourceAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const siteResourceId = parseInt(req.params.siteResourceId);
+        const siteResourceIdRaw = getFirstString(req.params.siteResourceId);
+        const siteResourceId = Number.parseInt(siteResourceIdRaw ?? "", 10);

        if (!apiKey) {
            return next(
@@ -20,7 +22,7 @@ export async function verifyApiKeySiteResourceAccess(
            );
        }

-        if (!siteResourceId) {
+        if (Number.isNaN(siteResourceId)) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
--- a/server/middlewares/integration/verifyApiKeyTargetAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyTargetAccess.ts
@@ -4,6 +4,7 @@ import { resources, targets, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyTargetAccess(
    req: Request,
@@ -12,7 +13,8 @@ export async function verifyApiKeyTargetAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const targetId = parseInt(req.params.targetId);
+        const targetIdRaw = getFirstString(req.params.targetId);
+        const targetId = Number.parseInt(targetIdRaw ?? "", 10);

        if (!apiKey) {
            return next(
@@ -20,7 +22,7 @@ export async function verifyApiKeyTargetAccess(
            );
        }

-        if (isNaN(targetId)) {
+        if (Number.isNaN(targetId)) {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid target ID")
            );
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -7,6 +7,7 @@ import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyAccessTokenAccess(
    req: Request,
@@ -14,7 +15,7 @@ export async function verifyAccessTokenAccess(
    next: NextFunction
 ) {
    const userId = req.user!.userId;
-    const accessTokenId = req.params.accessTokenId;
+    const accessTokenId = getFirstString(req.params.accessTokenId);

    if (!userId) {
        return next(
@@ -22,6 +23,12 @@ export async function verifyAccessTokenAccess(
        );
    }

+    if (!accessTokenId) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "Invalid access token ID")
+        );
+    }
+
    const [accessToken] = await db
        .select()
        .from(resourceAccessToken)
@@ -87,7 +94,7 @@ export async function verifyAccessTokenAccess(
        }

        if (!req.userOrg) {
-            next(
+            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyAccess(
    req: Request,
@@ -14,9 +15,24 @@ export async function verifyApiKeyAccess(
 ) {
    try {
        const userId = req.user!.userId;
-        const apiKeyId =
-            req.params.apiKeyId || req.body.apiKeyId || req.query.apiKeyId;
-        const orgId = req.params.orgId;
+        const apiKeyIdFromParams = getFirstString(req.params?.apiKeyId);
+        const apiKeyIdFromBody = getFirstString(req.body?.apiKeyId);
+
+        if (
+            apiKeyIdFromParams &&
+            apiKeyIdFromBody &&
+            apiKeyIdFromParams !== apiKeyIdFromBody
+        ) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "API key ID provided in both URL and body with different values"
+                )
+            );
+        }
+
+        const apiKeyId = apiKeyIdFromParams || apiKeyIdFromBody;
+        const orgId = getFirstString(req.params.orgId);

        if (!userId) {
            return next(
@@ -104,10 +120,7 @@ export async function verifyApiKeyAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            orgId
-        );
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);

        return next();
    } catch (error) {
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyDomainAccess(
    req: Request,
@@ -14,9 +15,8 @@ export async function verifyDomainAccess(
 ) {
    try {
        const userId = req.user!.userId;
-        const domainId =
-            req.params.domainId;
-        const orgId = req.params.orgId;
+        const domainId = getFirstString(req.params.domainId);
+        const orgId = getFirstString(req.params.orgId);

        if (!userId) {
            return next(
@@ -62,10 +62,7 @@ export async function verifyDomainAccess(
                .select()
                .from(userOrgs)
                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, orgId)
-                    )
+                    and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
                )
                .limit(1);
            req.userOrg = userOrgRole[0];
--- a/server/middlewares/verifyLimits.ts
+++ b/server/middlewares/verifyLimits.ts
@@ -3,6 +3,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { usageService } from "@server/lib/billing/usageService";
 import { build } from "@server/build";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyLimits(
    req: Request,
@@ -13,7 +14,10 @@ export async function verifyLimits(
        return next();
    }

-    const orgId = req.userOrgId || req.apiKeyOrg?.orgId || req.params.orgId;
+    const orgId =
+        req.userOrgId ||
+        req.apiKeyOrg?.orgId ||
+        getFirstString(req.params.orgId);

    if (!orgId) {
        return next(); // its fine if we silently fail here because this is not critical to operation or security and its better user experience if we dont fail
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyOrgAccess(
    req: Request,
@@ -13,7 +14,7 @@ export async function verifyOrgAccess(
    next: NextFunction
 ) {
    const userId = req.user!.userId;
-    const orgId = req.params.orgId;
+    const orgId = getFirstString(req.params.orgId);

    if (!userId) {
        return next(
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,11 +1,15 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
-import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { resources, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import {
+    getRoleResourceAccess,
+    getUserResourceAccess
+} from "@server/db/queries/verifySessionQueries";

 export async function verifyResourceAccess(
    req: Request,
@@ -116,37 +120,22 @@ export async function verifyResourceAccess(

        const roleResourceAccess =
            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleResources)
-                      .where(
-                          and(
-                              eq(roleResources.resourceId, resource.resourceId),
-                              inArray(
-                                  roleResources.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+                ? await getRoleResourceAccess(
+                      resource.resourceId,
+                      req.userOrgRoleIds!
+                  )
+                : null;

-        if (roleResourceAccess.length > 0) {
+        if (roleResourceAccess) {
            return next();
        }

-        const userResourceAccess = await db
-            .select()
-            .from(userResources)
-            .where(
-                and(
-                    eq(userResources.userId, userId),
-                    eq(userResources.resourceId, resource.resourceId)
-                )
-            )
-            .limit(1);
+        const userResourceAccess = await getUserResourceAccess(
+            userId,
+            resource.resourceId
+        );

-        if (userResourceAccess.length > 0) {
+        if (userResourceAccess) {
            return next();
        }

--- a/Show More
+++ b/Show More