Add labels input

Add basic resources input on the remote node
Make alias cross compatable
2026-06-04 14:39:51 +00:00 · 2026-06-03 21:02:17 -07:00 · 2026-06-03 21:02:17 -07:00 · 2026-06-03 17:58:59 -07:00 · 2026-06-03 17:41:56 -07:00 · 2026-06-03 16:53:39 -07:00
525 changed files with 44215 additions and 16085 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,3 +34,4 @@ build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
+allowedDevOrigins.json
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: [fosrl]
--- a/.github/ISSUE_TEMPLATE/1.bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1.bug_report.yml
@@ -14,12 +14,13 @@ body:
          label: Environment
          description: Please fill out the relevant details below for your environment.
          value: |
-              - OS Type & Version: (e.g., Ubuntu 22.04)
+              - OS Type & Version:
              - Pangolin Version:
+              - Edition (Community or Enterprise):
              - Gerbil Version:
              - Traefik Version:
              - Newt Version:
-              - Olm Version: (if applicable)
+              - Client Version:
      validations:
          required: true

--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -77,7 +77,7 @@ jobs:
                  fi

            - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                  fi

            - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -407,7 +407,7 @@ jobs:
              shell: bash

            - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
@@ -415,7 +415,9 @@ jobs:

            - name: Install cosign
              # cosign is used to sign container images using keyless (OIDC) signing
-              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+              uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+              with:
+                cosign-release: v3.0.6

            - name: Sign (GHCR, keyless)
              # Sign each GHCR image by digest using keyless (OIDC) signing via Sigstore/Rekor.
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,7 +24,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: Set up Node.js
-              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
              with:
                node-version: '24'

--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -23,7 +23,7 @@ jobs:
          skopeo --version

      - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

      - name: Input check
        run: |
--- a/.github/workflows/restart-runners.yml
+++ b/.github/workflows/restart-runners.yml
@@ -1,39 +0,0 @@
-name: Restart Runners
-
-on:
-  schedule:
-    - cron: '0 0 */7 * *'
-
-permissions:
-    id-token: write
-    contents: read
-
-jobs:
-  ec2-maintenance-prod:
-    runs-on: ubuntu-latest
-    permissions: write-all
-    steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
-          role-duration-seconds: 3600
-          aws-region: ${{ secrets.AWS_REGION }}
-
-      - name: Verify AWS identity
-        run: aws sts get-caller-identity
-
-      - name: Start EC2 instance
-        run: |
-          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
-          echo "EC2 instances started"
-
-      - name: Wait
-        run: sleep 600
-
-      - name: Stop EC2 instance
-        run: |
-          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
-          echo "EC2 instances stopped"
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -1,160 +0,0 @@
-name: SAAS Pipeline
-
-# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
-# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
-
-permissions:
-  contents: read
-  packages: write      # for GHCR push
-  id-token: write      # for Cosign Keyless (OIDC) Signing
-
-on:
-    push:
-        tags:
-            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
-
-concurrency:
-  group: ${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-    pre-run:
-        runs-on: ubuntu-latest
-        permissions: write-all
-        steps:
-            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
-              with:
-                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
-                  role-duration-seconds: 3600
-                  aws-region: ${{ secrets.AWS_REGION }}
-
-            - name: Verify AWS identity
-              run: aws sts get-caller-identity
-
-            - name: Start EC2 instances
-              run: |
-                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-                  echo "EC2 instances started"
-
-
-    release-arm:
-        name: Build and Release (ARM64)
-        runs-on: [self-hosted, linux, arm64, us-east-1]
-        needs: [pre-run]
-        if: >-
-            ${{
-                needs.pre-run.result == 'success'
-            }}
-        # Job-level timeout to avoid runaway or stuck runs
-        timeout-minutes: 120
-        env:
-          # Target images
-          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
-
-        steps:
-            - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-            - name: Download MaxMind GeoLite2 databases
-              env:
-                MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
-              run: |
-                echo "Downloading MaxMind GeoLite2 databases..."
-
-                # Download GeoLite2-Country
-                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
-                  -o GeoLite2-Country.tar.gz
-
-                # Download GeoLite2-ASN
-                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
-                  -o GeoLite2-ASN.tar.gz
-
-                # Extract the .mmdb files
-                tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
-                tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
-
-                # Verify files exist
-                if [ ! -f "GeoLite2-Country.mmdb" ]; then
-                  echo "ERROR: Failed to download GeoLite2-Country.mmdb"
-                  exit 1
-                fi
-
-                if [ ! -f "GeoLite2-ASN.mmdb" ]; then
-                  echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
-                  exit 1
-                fi
-
-                # Clean up tar files
-                rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
-
-                echo "MaxMind databases downloaded successfully"
-                ls -lh GeoLite2-*.mmdb
-
-            - name: Monitor storage space
-              run: |
-                  THRESHOLD=75
-                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
-                  echo "Used space: $USED_SPACE%"
-                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
-                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
-                      echo y | docker system prune -a
-                  else
-                      echo "Storage space is above the threshold. No action needed."
-                  fi
-
-            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
-              with:
-                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
-                  role-duration-seconds: 3600
-                  aws-region: ${{ secrets.AWS_REGION }}
-
-            - name: Login to Amazon ECR
-              id: login-ecr
-              uses: aws-actions/amazon-ecr-login@v2
-
-            - name: Extract tag name
-              id: get-tag
-              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-              shell: bash
-
-            - name: Update version in package.json
-              run: |
-                  TAG=${{ env.TAG }}
-                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
-                  cat server/lib/consts.ts
-              shell: bash
-
-            - name: Build and push Docker images (Docker Hub - ARM64)
-              run: |
-                  TAG=${{ env.TAG }}
-                  make build-saas tag=$TAG
-                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
-              shell: bash
-
-    post-run:
-        needs: [pre-run, release-arm]
-        if: >-
-            ${{
-                always() &&
-                needs.pre-run.result == 'success' &&
-                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
-            }}
-        runs-on: ubuntu-latest
-        permissions: write-all
-        steps:
-            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v6
-              with:
-                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
-                  role-duration-seconds: 3600
-                  aws-region: ${{ secrets.AWS_REGION }}
-
-            - name: Verify AWS identity
-              run: aws sts get-caller-identity
-
-            - name: Stop EC2 instances
-              run: |
-                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
-                  echo "EC2 instances stopped"
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -14,7 +14,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
        with:
          days-before-stale: 14
          days-before-close: 14
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '24'

--- a/.gitignore
+++ b/.gitignore
@@ -17,9 +17,9 @@ yarn-error.log*
 *.tsbuildinfo
 next-env.d.ts
 *.db
-*.sqlite
+*.sqlite*
 !Dockerfile.sqlite
-*.sqlite3
+*.sqlite3*
 *.log
 .machinelogs*.json
 *-audit.json
@@ -54,3 +54,5 @@ hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
 server/setup/migrations.ts
+solo.yml
+allowedDevOrigins.json
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ the docs to illustrate some basic ideas.

 ## Licensing

-Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
+Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).

 ## Contributions

--- a/cli/commands/disableUser2fa.ts
+++ b/cli/commands/disableUser2fa.ts
@@ -0,0 +1,60 @@
+import { CommandModule } from "yargs";
+import { db, users } from "@server/db";
+import { eq } from "drizzle-orm";
+
+/**
+ * Disable 2FA for a user by email address.
+ */
+type DisableUser2faArgs = {
+    email: string;
+};
+
+export const disableUser2fa: CommandModule<{}, DisableUser2faArgs> = {
+    command: "disable-user-2fa",
+    describe: "Disable 2FA for a user (sets twoFactorEnabled=false, clears secret)",
+    builder: (yargs) => {
+        return yargs.option("email", {
+            type: "string",
+            demandOption: true,
+            describe: "User email address"
+        });
+    },
+    handler: async (argv: { email: string }) => {
+        try {
+            const { email } = argv;
+            console.log(`Looking for user with email: ${email}`);
+
+            // Find the user by email
+            const [user] = await db
+                .select()
+                .from(users)
+                .where(eq(users.email, email))
+                .limit(1);
+
+            if (!user) {
+                console.error(`User with email '${email}' not found`);
+                process.exit(1);
+            }
+
+            if (!user.twoFactorEnabled) {
+                console.log(`2FA is already disabled for user '${email}'.`);
+                process.exit(0);
+            }
+
+            // Update user: disable 2FA and clear secret
+            await db.update(users)
+                .set({
+                    twoFactorEnabled: false,
+                    twoFactorSecret: null,
+                    twoFactorSetupRequested: false
+                })
+                .where(eq(users.userId, user.userId));
+
+            console.log(`2FA disabled for user '${email}'.`);
+            process.exit(0);
+        } catch (error) {
+            console.error("Error disabling 2FA:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/commands/setServerAdmin.ts
+++ b/cli/commands/setServerAdmin.ts
@@ -0,0 +1,51 @@
+import { CommandModule } from "yargs";
+import { db, users } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type SetServerAdminArgs = {
+    email: string;
+};
+
+export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
+    command: "set-server-admin",
+    describe: "Mark any user as a server admin by email address",
+    builder: (yargs) => {
+        return yargs.option("email", {
+            type: "string",
+            demandOption: true,
+            describe: "User email address"
+        });
+    },
+    handler: async (argv: { email: string }) => {
+        try {
+            const email = argv.email.trim().toLowerCase();
+
+            const [user] = await db
+                .select()
+                .from(users)
+                .where(eq(users.email, email))
+                .limit(1);
+
+            if (!user) {
+                console.error(`User with email '${email}' not found`);
+                process.exit(1);
+            }
+
+            if (user.serverAdmin) {
+                console.log(`User '${email}' is already a server admin`);
+                process.exit(0);
+            }
+
+            await db
+                .update(users)
+                .set({ serverAdmin: true })
+                .where(eq(users.userId, user.userId));
+
+            console.log(`User '${email}' has been marked as a server admin`);
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -10,6 +10,8 @@ import { clearLicenseKeys } from "./commands/clearLicenseKeys";
 import { deleteClient } from "./commands/deleteClient";
 import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
 import { clearCertificates } from "./commands/clearCertificates";
+import { disableUser2fa } from "./commands/disableUser2fa";
+import { setServerAdmin } from "./commands/setServerAdmin";

 yargs(hideBin(process.argv))
    .scriptName("pangctl")
@@ -21,5 +23,7 @@ yargs(hideBin(process.argv))
    .command(deleteClient)
    .command(generateOrgCaKeys)
    .command(clearCertificates)
+    .command(disableUser2fa)
+    .command(setServerAdmin)
    .demandCommand()
    .help().argv;
--- a/config/traefik/traefik_config.yml
+++ b/config/traefik/traefik_config.yml
@@ -1,54 +1,47 @@
 api:
  insecure: true
  dashboard: true
-
 providers:
  http:
-    endpoint: "http://pangolin:3001/api/v1/traefik-config"
-    pollInterval: "5s"
+    endpoint: http://pangolin:3001/api/v1/traefik-config
+    pollInterval: 5s
  file:
-    filename: "/etc/traefik/dynamic_config.yml"
-
+    filename: /etc/traefik/dynamic_config.yml
 experimental:
  plugins:
    badger:
-      moduleName: "github.com/fosrl/badger"
-      version: "{{.BadgerVersion}}"
-
+      moduleName: github.com/fosrl/badger
+      version: v1.4.1
 log:
-  level: "INFO"
-  format: "common"
+  level: INFO
+  format: common
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true
-
 certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
-      email: "{{.LetsEncryptEmail}}"
-      storage: "/letsencrypt/acme.json"
-      caServer: "https://acme-v02.api.letsencrypt.org/directory"
-
+      email: '{{.LetsEncryptEmail}}'
+      storage: /letsencrypt/acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory
 entryPoints:
  web:
-    address: ":80"
+    address: ':80'
  websecure:
-    address: ":443"
+    address: ':443'
    transport:
      respondingTimeouts:
-        readTimeout: "30m"
+        readTimeout: 30m
    http:
      tls:
-        certResolver: "letsencrypt"
+        certResolver: letsencrypt
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true
-
 serversTransport:
  insecureSkipVerify: true
-
 ping:
-  entryPoint: "web"
+  entryPoint: web
--- a/drizzle.sqlite.config.ts
+++ b/drizzle.sqlite.config.ts
@@ -1,4 +1,4 @@
-import { APP_PATH } from "@server/lib/consts";
+import { APP_PATH } from "./server/lib/consts";
 import { defineConfig } from "drizzle-kit";
 import path from "path";

--- a/install/config/config.yml
+++ b/install/config/config.yml
@@ -22,7 +22,8 @@ server:
        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
        allowed_headers: ["X-CSRF-Token", "Content-Type"]
        credentials: false
-    {{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_asn_path: "./config/GeoLite2-ASN.mmdb"{{end}}
 {{if .EnableEmail}}
 email:
    smtp_host: "{{.EmailSMTPHost}}"
@@ -36,3 +37,8 @@ flags:
    disable_signup_without_invite: true
    disable_user_create_org: false
    allow_raw_resources: true
+
+{{if .IsPostgreSQL}}
+postgres:
+  connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin
+{{end}}
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -1,7 +1,7 @@
 name: pangolin
 services:
  pangolin:
-    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{if .IsPostgreSQL}}postgresql-{{end}}{{.PangolinVersion}}
    container_name: pangolin
    restart: unless-stopped
    deploy:
@@ -10,6 +10,20 @@ services:
          memory: 1g
        reservations:
          memory: 256m
+{{if or .IsPostgreSQL .IsRedis}}
+    depends_on:
+    {{if .IsPostgreSQL}}
+      postgres:
+        condition: service_healthy
+    {{end}}
+    {{if .IsRedis}}
+      redis:
+        condition: service_healthy
+    {{end}}
+    networks:
+      - default
+      - backend
+{{end}}
    volumes:
      - ./config:/app/config
    healthcheck:
@@ -60,8 +74,56 @@ services:
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs

+{{if .IsPostgreSQL}}
+  postgres:
+    image: postgres:18
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: pangolin
+      POSTGRES_PASSWORD: {{.IsPostgreSQLPass}}
+      POSTGRES_DB: pangolin
+    volumes:
+      - ./postgres18:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U pangolin"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - backend
+{{end}}
+
+{{if .IsRedis}}
+  redis:
+    image: redis:8-trixie
+    container_name: redis
+    restart: unless-stopped
+    command: >
+      redis-server
+      --save 3600 1000
+      --appendonly yes
+      --requirepass {{.IsRedisPass}}
+    volumes:
+      - ./redis8:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "-a", "{{.IsRedisPass}}", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 10s
+    networks:
+      - backend
+{{end}}
+
 networks:
  default:
    driver: bridge
-    name: pangolin
+    name: pangolin_frontend
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
+{{if or .IsPostgreSQL .IsRedis}}
+  backend:
+    driver: bridge
+    name: pangolin_backend
+    internal: true
+{{end}}
--- a/install/config/privateConfig.yml
+++ b/install/config/privateConfig.yml
@@ -0,0 +1,6 @@
+{{if .IsRedis}}
+redis:
+  host: "redis"
+  port: 6379
+  password: "{{.IsRedisPass}}"
+{{end}}
--- a/install/go.mod
+++ b/install/go.mod
@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.42.0
+	golang.org/x/term v0.43.0
 	gopkg.in/yaml.v3 v3.0.1
 )

@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
--- a/install/main.go
+++ b/install/main.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"embed"
 	"encoding/base64"
+	"flag"
 	"fmt"
 	"io"
 	"io/fs"
@@ -53,9 +54,13 @@ type Config struct {
 	InstallGerbil             bool
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
-	EnableGeoblocking         bool
+	EnableMaxMind             bool
 	Secret                    string
 	IsEnterprise              bool
+    IsPostgreSQL              bool
+	IsPostgreSQLPass          string
+    IsRedis                   bool
+	IsRedisPass               string
 }

 type SupportedContainer string
@@ -68,6 +73,9 @@ const (

 func main() {

+	crowdsecFlag := flag.Bool("crowdsec", false, "Enable the CrowdSec installation prompt")
+	flag.Parse()
+
 	// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking

 	fmt.Println("Welcome to the Pangolin installer!")
@@ -119,11 +127,11 @@ func main() {

 		fmt.Println("\nConfiguration files created successfully!")

-		// Download MaxMind database if requested
-		if config.EnableGeoblocking {
-			fmt.Println("\n=== Downloading MaxMind Database ===")
+		// Download MaxMind Country / ASN database if requested
+		if config.EnableMaxMind {
+			fmt.Println("\n=== Downloading MaxMind Country and ASN Databases ===")
 			if err := downloadMaxMindDatabase(); err != nil {
-				fmt.Printf("Error downloading MaxMind database: %v\n", err)
+				fmt.Printf("Error downloading MaxMind databases: %v\n", err)
 				fmt.Println("You can download it manually later if needed.")
 			}
 		}
@@ -184,15 +192,15 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
+			if readBool("Would you like to update the MaxMind databases (Country and ASN) to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
 				}
 			}
 		} else {
-			fmt.Println("MaxMind GeoLite2 Country database not found.")
-			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+			fmt.Println("MaxMind GeoLite2 Country and ASN databases not found.")
+			if readBool("Would you like to download the MaxMind GeoLite2 databases for blocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
@@ -200,13 +208,15 @@ func main() {
 				// Now you need to update your config file accordingly to enable geoblocking
 				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
-				fmt.Println("Add the following line under the 'server' section:")
+				// add   maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
+				fmt.Println("Add the following lines under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
+				fmt.Println("  maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
 			}
 		}
 	}

-	if !checkIsCrowdsecInstalledInCompose() {
+	if *crowdsecFlag && !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
 		if readBool("Would you like to install CrowdSec?", false) {
@@ -480,6 +490,17 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Basic Configuration ===")

 	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
+    if config.IsEnterprise {
+        config.IsRedis = readBool("Do you want to run the Redis containers locally? Required for HA.")
+        if config.IsRedis {
+            config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
+        }
+    }
+
+    config.IsPostgreSQL = readBool("Do you want to run the PostgreSQL containers locally? Otherwise, default to the local SQLite database only.", false)
+	if config.IsPostgreSQL {
+		config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
+	}

 	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")

@@ -523,7 +544,7 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")

 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
+	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ADN databases for blocking functionality?", true)

 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -776,29 +797,42 @@ func checkPortsAvailable(port int) error {
 }

 func downloadMaxMindDatabase() error {
-	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
+	fmt.Println("Downloading MaxMind GeoLite2 Country and ASN databases...")

-	// Download the GeoLite2 Country database
+	// Download the GeoLite2 Country databases
 	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to download GeoLite2 Country database: %v", err)
+	}
+	if err := run("curl", "-L", "-o", "GeoLite2-ASN.tar.gz",
+		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
 	}

-	// Extract the database
+	// Extract the Country database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
+	}
+	if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
 	}

 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
-		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
+		return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
+	}
+	if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
+		return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
 	}

 	// Clean up the downloaded files
-	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
-		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
+	if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
+	}
+	if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
 	}

-	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
+	fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
 	return nil
 }
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Възникна грешка при изтриване на връзката",
    "shareDeleted": "Връзката беше изтрита",
    "shareDeletedDescription": "Връзката беше премахната",
+    "shareDelete": "Изтрийте споделената връзка",
+    "shareDeleteConfirm": "Потвърдете изтриването на споделената връзка",
+    "shareQuestionRemove": "Сигурни ли сте, че искате да изтриете тази споделена връзка?",
+    "shareMessageRemove": "След изтриване връзката вече няма да работи и всеки, който я използва, ще загуби достъп до ресурса.",
    "shareTokenDescription": "Достъпният токен може да бъде предаван по два начина: като параметър или в хедърите на заявките. Те трябва да бъдат предавани от клиента при всяка заявка за удостоверен достъп.",
    "accessToken": "Достъп Токен",
    "usageExamples": "Примери за използване",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "След като бъде премахнат, този потребител няма да има достъп до организацията. Винаги можете да го поканите отново по-късно, но той ще трябва да приеме отново поканата.",
    "userRemoveOrgConfirm": "Потвърдете премахването на потребителя",
    "userRemoveOrg": "Премахване на потребителя от организацията",
+    "userQuestionOrgRemoveSelf": "Сигурни ли сте, че искате да премахнете себе си от тази организация?",
+    "userMessageOrgRemoveSelf": "Ще загубите достъп незабавно. Администратор може да ви покани отново по-късно, но ще трябва да приемете нова покана.",
+    "userRemoveOrgConfirmSelf": "Потвърдете премахването на себе си",
+    "userRemoveOrgSelf": "Премахнете себе си от организацията",
+    "userRemoveOrgSelfWarning": "Ще загубите достъп до тази организация незабавно.",
+    "userRemoveOrgConfirmPhraseSelf": "ПРЕМАХНЕТЕ МЕ ОТ ОРГАНИЗАЦИЯТА",
    "users": "Потребители",
    "accessRoleMember": "Член",
    "accessRoleOwner": "Собственик",
@@ -531,6 +541,11 @@
    "emailInvalid": "Невалиден имейл адрес",
    "inviteValidityDuration": "Моля, изберете продължителност",
    "accessRoleSelectPlease": "Моля, изберете роля",
+    "removeOwnAdminRoleConfirmTitle": "Премахване на административния ви достъп?",
+    "removeOwnAdminRoleConfirmDescription": "След записване няма да имате повече администраторски права в тази организация. Друг администратор може да възстанови достъпа, ако е необходимо.",
+    "removeOwnAdminRoleConfirmButton": "Премахнете административния ми достъп",
+    "removeOwnAdminRoleConfirmPhrase": "ПРЕМАХНЕТЕ АДМИНИСТРАТИВНИЯ МИ ДОСТЪП",
+    "ownerMustRetainAdminRole": "Собственикът на организацията трябва да запази поне една администраторска роля.",
    "usernameRequired": "Необходимо е потребителско име",
    "idpSelectPlease": "Моля, изберете доставчик на идентичност",
    "idpGenericOidc": "Основен OAuth2/OIDC доставчик.",
@@ -615,7 +630,7 @@
    "createdAt": "Създаден на",
    "proxyErrorInvalidHeader": "Невалидна стойност за заглавие на хоста. Използвайте формат на име на домейн, или оставете празно поле за да премахнете персонализирано заглавие на хост.",
    "proxyErrorTls": "Невалидно име на TLS сървър. Използвайте формат на име на домейн, или оставете празно за да премахнете името на TLS сървъра.",
-    "proxyEnableSSL": "Активиране на SSL",
+    "proxyEnableSSL": "Активиране на TLS",
    "proxyEnableSSLDescription": "Активирайте SSL/TLS криптиране за сигурни HTTPS връзки към целите.",
    "target": "Цел",
    "configureTarget": "Конфигуриране на цели",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Добавянето на повече от една цел ще активира натоварването на баланса.",
    "targetsSubmit": "Запазване на целите",
    "addTarget": "Добавете цел",
+    "proxyMultiSiteRoundRobinNodeHelp": "Роунд Робин маршрутизирането няма да работи между сайтове, които не са свързани към един и същ възел, но автоматичното превключване ще работи.",
    "targetErrorInvalidIp": "Невалиден IP адрес",
    "targetErrorInvalidIpDescription": "Моля, въведете валиден IP адрес или име на хост",
    "targetErrorInvalidPort": "Невалиден порт",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Метод",
-    "editInternalResourceDialogEnableSsl": "Активирайте SSL",
+    "editInternalResourceDialogEnableSsl": "Активирайте TLS",
    "editInternalResourceDialogEnableSslDescription": "Активирайте SSL/TLS криптиране за сигурни HTTPS връзки към целта.",
    "editInternalResourceDialogDestination": "Дестинация",
    "editInternalResourceDialogDestinationHostDescription": "IP адресът или името на хоста на ресурса в мрежата на сайта.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Метод",
    "createInternalResourceDialogScheme": "Метод",
-    "createInternalResourceDialogEnableSsl": "Активирайте SSL",
+    "createInternalResourceDialogEnableSsl": "Активирайте TLS",
    "createInternalResourceDialogEnableSslDescription": "Активирайте SSL/TLS криптиране за сигурни HTTPS връзки към целта.",
    "createInternalResourceDialogDestination": "Дестинация",
    "createInternalResourceDialogDestinationHostDescription": "IP адресът или името на хоста на ресурса в мрежата на сайта.",
@@ -2217,7 +2235,7 @@
        "description": "По-надежден и по-нисък поддръжка на Самостоятелно-хостван Панголиин сървър с допълнителни екстри",
        "introTitle": "Управлявано Самостоятелно-хостван Панголиин",
        "introDescription": "е опция за внедряване, предназначена за хора, които искат простота и допълнителна надеждност, като същевременно запазят данните си частни и самостоятелно-хоствани.",
-        "introDetail": "С тази опция все още управлявате свой собствен Панголиин възел - вашите тунели, SSL терминатора и трафик остават на вашия сървър. Разликата е, че управлението и мониторингът се обработват чрез нашия облачен панел за контрол, който отключва редица предимства:",
+        "introDetail": "С тази опция все още управлявате свой собствен Панголиин възел - вашите тунели, TLS терминатора и трафик остават на вашия сървър. Разликата е, че управлението и мониторингът се обработват чрез нашия облачен панел за контрол, който отключва редица предимства:",
        "benefitSimplerOperations": {
            "title": "По-прости операции",
            "description": "Няма нужда да управлявате свой собствен имейл сървър или да настройвате сложни аларми. Ще получите проверки и предупреждения при прекъсване от самото начало."
@@ -2652,6 +2670,8 @@
    "validPassword": "Валидна парола",
    "validEmail": "Валиден имейл",
    "validSSO": "Валидно SSO",
+    "view": "Преглед",
+    "configManaged": "Управлявана конфигурация",
    "connectedClient": "Свързан клиент",
    "resourceBlocked": "Блокирани ресурси",
    "droppedByRule": "Прекратено от правило",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Пресочвайте събития директно към вашият акаунт в Datadog. Очаквайте скоро.",
    "streamingTypePickerDescription": "Изберете вид на дестинацията, за да започнете.",
-    "streamingFailedToLoad": "Неуспешно зареждане на дестинации",
+    "streamingLastSyncError": "Възникна грешка при последната синхронизация",
    "streamingUnexpectedError": "Възникна неочаквана грешка.",
    "streamingFailedToUpdate": "Неуспешно актуализиране на дестинация",
    "streamingDeletedSuccess": "Дестинацията беше изтрита успешно",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Редактиране на дестинацията",
    "S3DestAddTitle": "Добавете S3 дестинация",
    "S3DestEditDescription": "Актуализирайте конфигурацията за тази S3 дестинация за предаване на събития.",
-    "S3DestAddDescription": "Конфигурирайте нов крайна точка на S3, за да получавате събития на вашата организация.",
+    "S3DestAddDescription": "Конфигурирайте ново хранилище Amazon S3 (или съвместимо с S3), за да получавате събития на вашата организация.",
+    "s3DestTabSettings": "Настройки",
+    "s3DestTabFormat": "Формат",
+    "s3DestNameLabel": "Име",
+    "s3DestNamePlaceholder": "Моята S3 дестинация",
+    "s3DestAccessKeyIdLabel": "Идентификатор на достъп за AWS Key ID",
+    "s3DestSecretAccessKeyLabel": "Тайният ключ за достъп на AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Вашият таен ключ за достъп за AWS",
+    "s3DestRegionLabel": "AWS Регион",
+    "s3DestBucketLabel": "Име на хранилище",
+    "s3DestPrefixLabel": "Префикс на ключ (по избор)",
+    "s3DestPrefixDescription": "По избор пътеводен префикс, добавен към всеки обектен ключ. Обектите се съхраняват в {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Потребителски крайна точка (по избор)",
+    "s3DestEndpointDescription": "Заместете крайната точка на S3 за съвместимо с S3 хранилище като MinIO или Cloudflare R2. Оставете празно за стандартното AWS S3.",
+    "s3DestGzipLabel": "Gzip компресия",
+    "s3DestGzipDescription": "Компресирайте всеки качен обект с gzip. Намалява разходите за съхранение и размера на качването.",
+    "s3DestFormatTitle": "Формат на файл",
+    "s3DestFormatDescription": "Как събитията са сериализирани вътре във всеки качен обект.",
+    "s3DestFormatJsonArrayDescription": "Всеки обект е JSON масив от записи на събития. Съвместим с повечето аналитични инструменти.",
+    "s3DestFormatNdjsonDescription": "Всеки обект съдържа един JSON запис на ред (форматиран JSON с нов ред). Съвместим с Athena, BigQuery и Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Всеки обект е RFC-4180 CSV файл с ред заглавие. Имената на колоните са извлечени от полетата на данните за събитията.",
+    "s3DestSaveChanges": "Запази промените",
+    "s3DestCreateDestination": "Създаване на дестинация",
+    "s3DestUpdatedSuccess": "Дестинацията е актуализирана успешно",
+    "s3DestCreatedSuccess": "Дестинацията е създадена успешно",
+    "s3DestUpdateFailed": "Неуспешно актуализиране на дестинацията",
+    "s3DestCreateFailed": "Неуспешно създаване на дестинация",
    "datadogDestEditTitle": "Редактиране на дестинация",
    "datadogDestAddTitle": "Добавяне на Datadog дестинация",
    "datadogDestEditDescription": "Актуализирайте конфигурацията за тази Datadog дестинация за предаване на събития.",
@@ -3091,7 +3138,7 @@
    "httpDestNamePlaceholder": "Моята HTTP дестинация",
    "httpDestUrlLabel": "Дестинация URL",
    "httpDestUrlErrorHttpRequired": "URL адресът трябва да използва http или https",
-    "httpDestUrlErrorHttpsRequired": "SSL е необходимо за облачни инсталации",
+    "httpDestUrlErrorHttpsRequired": "HTTPS е необходимо за облачни инсталации",
    "httpDestUrlErrorInvalid": "Въведете валиден URL (напр. https://example.com/webhook)",
    "httpDestAuthTitle": "Удостоверяване",
    "httpDestAuthDescription": "Изберете как заявленията ви се удостоверяват.",
@@ -3174,7 +3221,7 @@
    "publicIpEndpoint": "Крайна точка",
    "lastTriggeredAt": "Последен тригер",
    "reject": "Отхвърляне",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "преди {count} дни",
    "uptimeToday": "Днес",
    "uptimeNoDataAvailable": "Няма налични данни",
    "uptimeSuffix": "време без прекъсване",
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Došlo k chybě při odstraňování odkazu",
    "shareDeleted": "Odkaz odstraněn",
    "shareDeletedDescription": "Odkaz byl odstraněn",
+    "shareDelete": "Smazat odkaz ke sdílení",
+    "shareDeleteConfirm": "Potvrdit smazání odkazu ke sdílení",
+    "shareQuestionRemove": "Jste si jisti, že chcete smazat tento odkaz ke sdílení?",
+    "shareMessageRemove": "Jakmile bude smazán, odkaz přestane fungovat a všichni, kdo jej používají, ztratí přístup k prostředku.",
    "shareTokenDescription": "Přístupový token může být předán dvěma způsoby: jako parametr dotazu nebo v záhlaví požadavku. Tyto údaje musí být předány klientovi na každé žádosti o ověřený přístup.",
    "accessToken": "Přístupový token",
    "usageExamples": "Příklady použití",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Po odstranění tohoto uživatele již nebude mít přístup k organizaci. Vždy je můžete znovu pozvat později, ale budou muset pozvání znovu přijmout.",
    "userRemoveOrgConfirm": "Potvrdit odebrání uživatele",
    "userRemoveOrg": "Odebrat uživatele z organizace",
+    "userQuestionOrgRemoveSelf": "Jste si jisti, že se chcete odstranit z této organizace?",
+    "userMessageOrgRemoveSelf": "Okamžitě ztratíte přístup. Administrátor vás může později znovu pozvat, ale budete muset přijmout nové pozvání.",
+    "userRemoveOrgConfirmSelf": "Potvrdit odstranění sebe",
+    "userRemoveOrgSelf": "Odstranit se z organizace",
+    "userRemoveOrgSelfWarning": "Okamžitě ztratíte přístup k této organizaci.",
+    "userRemoveOrgConfirmPhraseSelf": "ODSTRANIT SE Z ORGANIZACE",
    "users": "Uživatelé",
    "accessRoleMember": "Člen",
    "accessRoleOwner": "Vlastník",
@@ -531,6 +541,11 @@
    "emailInvalid": "Neplatná e-mailová adresa",
    "inviteValidityDuration": "Zvolte prosím dobu trvání",
    "accessRoleSelectPlease": "Vyberte prosím roli",
+    "removeOwnAdminRoleConfirmTitle": "Odebrat přístup správce?",
+    "removeOwnAdminRoleConfirmDescription": "Po uložení již nebudete mít oprávnění správce v této organizaci. Další administrátor vám může přístup obnovit, pokud bude potřeba.",
+    "removeOwnAdminRoleConfirmButton": "Odebrat mé administrátorské oprávnění",
+    "removeOwnAdminRoleConfirmPhrase": "ODEBRAT MÉ ADMINISTRÁTORSKÉ OPRÁVNĚNÍ",
+    "ownerMustRetainAdminRole": "Vlastník organizace musí zachovat alespoň jednu roli správce.",
    "usernameRequired": "Uživatelské jméno je povinné",
    "idpSelectPlease": "Vyberte poskytovatele identity",
    "idpGenericOidc": "Generic OAuth2/OIDC provider.",
@@ -615,7 +630,7 @@
    "createdAt": "Vytvořeno v",
    "proxyErrorInvalidHeader": "Neplatná hodnota hlavičky hostitele. Použijte formát názvu domény, nebo uložte prázdné pro zrušení vlastního hlavičky hostitele.",
    "proxyErrorTls": "Neplatné jméno TLS serveru. Použijte formát doménového jména nebo uložte prázdné pro odstranění názvu TLS serveru.",
-    "proxyEnableSSL": "Povolit SSL",
+    "proxyEnableSSL": "Povolit TLS",
    "proxyEnableSSLDescription": "Povolit šifrování SSL/TLS pro zabezpečená připojení HTTPS k cílům.",
    "target": "Target",
    "configureTarget": "Konfigurace cílů",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Přidáním více než jednoho cíle se umožní vyvážení zatížení.",
    "targetsSubmit": "Uložit cíle",
    "addTarget": "Add Target",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round robin routing nebude fungovat mezi lokalitami, které nejsou připojeny ke stejnému uzlu, ale failover bude fungovat.",
    "targetErrorInvalidIp": "Neplatná IP adresa",
    "targetErrorInvalidIpDescription": "Zadejte prosím platnou IP adresu nebo název hostitele",
    "targetErrorInvalidPort": "Neplatný port",
@@ -2033,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schéma",
    "editInternalResourceDialogEnableSsl": "Povolit SSL",
    "editInternalResourceDialogEnableSslDescription": "Povolit šifrování SSL/TLS pro zabezpečené HTTPS připojení k cíli.",
@@ -2082,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schéma",
    "createInternalResourceDialogScheme": "Schéma",
    "createInternalResourceDialogEnableSsl": "Povolit SSL",
@@ -2652,6 +2670,8 @@
    "validPassword": "Platné heslo",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Zobrazit",
+    "configManaged": "Správa konfigurace",
    "connectedClient": "Připojený klient",
    "resourceBlocked": "Zablokované zdroje",
    "droppedByRule": "Zrušeno pravidlem",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Přeposlat události přímo do vašeho účtu Datadog účtu. Brzy přijde.",
    "streamingTypePickerDescription": "Vyberte cílový typ pro začátek.",
-    "streamingFailedToLoad": "Nepodařilo se načíst destinace",
+    "streamingLastSyncError": "Došlo k chybě při poslední synchronizaci",
    "streamingUnexpectedError": "Došlo k neočekávané chybě.",
    "streamingFailedToUpdate": "Nepodařilo se aktualizovat cíl",
    "streamingDeletedSuccess": "Cíl byl úspěšně odstraněn",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Upravit cíl",
    "S3DestAddTitle": "Přidat S3 cíl",
    "S3DestEditDescription": "Aktualizujte konfiguraci tohoto S3 cíle pro streamování událostí.",
-    "S3DestAddDescription": "Konfigurujte nový S3 koncový bod pro přijímání událostí vaší organizace.",
+    "S3DestAddDescription": "Nakonfigurujte nový Amazon S3 (nebo S3-kompatibilní) bucket, aby přijímal události vaší organizace.",
+    "s3DestTabSettings": "Nastavení",
+    "s3DestTabFormat": "Formát",
+    "s3DestNameLabel": "Jméno",
+    "s3DestNamePlaceholder": "Moje cílové S3",
+    "s3DestAccessKeyIdLabel": "ID přístupového klíče AWS",
+    "s3DestSecretAccessKeyLabel": "Tajný přístupový klíč AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Váš tajný přístupový klíč AWS",
+    "s3DestRegionLabel": "Oblast AWS",
+    "s3DestBucketLabel": "Název bucketu",
+    "s3DestPrefixLabel": "Předpona klíče (volitelné)",
+    "s3DestPrefixDescription": "Volitelná cesta předpony přidaná ke každému objektovému klíči. Objekty jsou uloženy na {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Vlastní koncový bod (volitelné)",
+    "s3DestEndpointDescription": "Přepište koncový bod S3 pro S3-kompatibilní úložiště, jako je MinIO nebo Cloudflare R2. Nechte prázdné pro standardní AWS S3.",
+    "s3DestGzipLabel": "Komprese Gzip",
+    "s3DestGzipDescription": "Komprimujte každý nahraný objekt pomocí gzip. Snižuje náklady na uložení a velikost nahrávání.",
+    "s3DestFormatTitle": "Formát souboru",
+    "s3DestFormatDescription": "Jak jsou události serializovány v každém nahraném objektu.",
+    "s3DestFormatJsonArrayDescription": "Každý objekt je pole JSON záznamů událostí. Kompatibilní s většinou analytických nástrojů.",
+    "s3DestFormatNdjsonDescription": "Každý objekt obsahuje jeden JSON záznam na řádku (newline-delimited JSON). Kompatibilní s Athena, BigQuery a Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Každý objekt je soubor CSV podle RFC-4180 s řádkem záhlaví. Názvy sloupců jsou odvozeny z polí dat událostí.",
+    "s3DestSaveChanges": "Uložit změny",
+    "s3DestCreateDestination": "Vytvořit destinaci",
+    "s3DestUpdatedSuccess": "Destinace úspěšně aktualizována",
+    "s3DestCreatedSuccess": "Destinace úspěšně vytvořena",
+    "s3DestUpdateFailed": "Aktualizace destinace se nezdařila",
+    "s3DestCreateFailed": "Vytvoření destinace se nezdařilo",
    "datadogDestEditTitle": "Upravit cíl",
    "datadogDestAddTitle": "Přidat Datadog cíl",
    "datadogDestEditDescription": "Aktualizujte konfiguraci tohoto Datadog cíle pro streamování událostí.",
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -22,11 +22,11 @@
    "componentsMember": "Du bist Mitglied von {count, plural, =0 {keiner Organisation} one {einer Organisation} other {# Organisationen}}.",
    "componentsInvalidKey": "Ungültige oder abgelaufene Lizenzschlüssel erkannt. Beachte die Lizenzbedingungen, um alle Funktionen weiterhin zu nutzen.",
    "dismiss": "Verwerfen",
-    "subscriptionViolationMessage": "Sie überschreiten Ihre Grenzen für Ihr aktuelles Paket. Korrigieren Sie das Problem, indem Sie Webseiten, Benutzer oder andere Ressourcen entfernen, um in Ihrem Paket zu bleiben.",
+    "subscriptionViolationMessage": "Sie überschreiten Ihre Grenzen für Ihr aktuelles Paket. Korrigieren Sie das Problem, indem Sie Standorte, Benutzer oder andere Ressourcen entfernen, um in Ihrem Paket zu bleiben.",
    "trialBannerMessage": "Ihre Testversion läuft in {countdown} ab. Upgraden, um den Zugriff zu behalten.",
    "trialBannerExpired": "Ihre Testversion ist abgelaufen. Jetzt upgraden, um den Zugriff wiederherzustellen.",
    "billingTrialBannerTitle": "Kostenlose Testversion aktiv",
-    "billingTrialBannerDescription": "Sie nutzen derzeit eine kostenlose Testversion auf der Geschäftsstufe. Wenn die Testversion endet, wird Ihr Konto automatisch auf die Funktionen und Beschränkungen der Basisstufe zurückgesetzt. Upgraden Sie jederzeit, um weiterhin Zugriff auf die Funktionen Ihres aktuellen Plans zu behalten.",
+    "billingTrialBannerDescription": "Sie nutzen derzeit eine kostenlose Testversion auf der Business-Tarif. Wenn die Testversion endet, wird Ihr Konto automatisch auf die Funktionen und Beschränkungen der Basis-Tarif zurückgesetzt. Upgraden Sie jederzeit, um weiterhin Zugriff auf die Funktionen Ihres aktuellen Plans zu behalten.",
    "billingTrialBannerUpgrade": "Jetzt upgraden",
    "billingTrialBadge": "Kostenlose Testversion",
    "trialActive": "Kostenlose Testversion aktiv",
@@ -34,8 +34,8 @@
    "trialHasEnded": "Ihre Testversion ist beendet.",
    "trialDaysRemaining": "{count, plural, one {# Tag übrig} other {# Tage übrig}}",
    "trialDaysLeftShort": "Noch {days}d in der Testversion",
-    "trialGoToBilling": "Zur Rechnungsseite gehen",
-    "subscriptionViolationViewBilling": "Rechnung anzeigen",
+    "trialGoToBilling": "Zur Abrechnung gehen",
+    "subscriptionViolationViewBilling": "Abrechnung anzeigen",
    "componentsLicenseViolation": "Lizenzverstoß: Dieser Server benutzt {usedSites} Standorte, was das Lizenzlimit von {maxSites} Standorten überschreitet. Beachte die Lizenzbedingungen, um alle Funktionen weiterhin zu nutzen.",
    "componentsSupporterMessage": "Vielen Dank für die Unterstützung von Pangolin als {tier}!",
    "inviteErrorNotValid": "Es tut uns leid, aber es sieht so aus, als wäre die Einladung, auf die du zugreifen möchtest, entweder nicht angenommen worden oder nicht mehr gültig.",
@@ -67,7 +67,7 @@
    "edit": "Bearbeiten",
    "siteConfirmDelete": "Löschen des Standorts bestätigen",
    "siteDelete": "Standort löschen",
-    "siteMessageRemove": "Sobald der Standort entfernt ist, wird sie nicht mehr zugänglich sein. Alle mit dem Standort verbundenen Ziele werden ebenfalls entfernt.",
+    "siteMessageRemove": "Sobald der Standort entfernt ist, wird er nicht mehr zugänglich sein. Alle mit dem Standort verbundenen Ziele werden ebenfalls entfernt.",
    "siteQuestionRemove": "Sind Sie sicher, dass Sie den Standort aus der Organisation entfernen möchten?",
    "siteManageSites": "Standorte verwalten",
    "siteDescription": "Erstellen und Verwalten von Standorten, um die Verbindung zu privaten Netzwerken zu ermöglichen",
@@ -117,20 +117,20 @@
    "siteGeneralDescription": "Allgemeine Einstellungen für diesen Standort konfigurieren",
    "siteSettingDescription": "Standorteinstellungen konfigurieren",
    "siteResourcesTab": "Ressourcen",
-    "siteResourcesNoneOnSite": "Diese Seite hat noch keine öffentlichen oder privaten Ressourcen.",
+    "siteResourcesNoneOnSite": "Dieser Standort hat noch keine öffentlichen oder privaten Ressourcen",
    "siteResourcesSectionPublic": "Öffentliche Ressourcen",
    "siteResourcesSectionPrivate": "Private Ressourcen",
    "siteResourcesSectionPublicDescription": "Ressourcen, die extern über Domains oder Ports bereitgestellt werden.",
-    "siteResourcesSectionPrivateDescription": "Ressourcen, die in Ihrem privaten Netzwerk über die Seite verfügbar sind.",
+    "siteResourcesSectionPrivateDescription": "Ressourcen, die in Ihrem privaten Netzwerk über den Standort verfügbar sind.",
    "siteResourcesViewAllPublic": "Alle Ressourcen anzeigen",
    "siteResourcesViewAllPrivate": "Alle Ressourcen anzeigen",
-    "siteResourcesDialogDescription": "Überblick über öffentliche und private Ressourcen, die mit dieser Seite verbunden sind.",
+    "siteResourcesDialogDescription": "Überblick über öffentliche und private Ressourcen, die mit diesem Standort verbunden sind.",
    "siteResourcesShowMore": "Mehr anzeigen",
    "siteResourcesPermissionDenied": "Sie haben keine Berechtigung, diese Ressourcen aufzulisten.",
-    "siteResourcesEmptyPublic": "Noch sind keine öffentlichen Ressourcen für diese Seite vorhanden.",
-    "siteResourcesEmptyPrivate": "Noch sind keine privaten Ressourcen mit dieser Seite verbunden.",
+    "siteResourcesEmptyPublic": "Noch sind keine öffentlichen Ressourcen für diesen Standort vorhanden.",
+    "siteResourcesEmptyPrivate": "Noch sind keine privaten Ressourcen mit diesem Standort verbunden.",
    "siteResourcesHowToAccess": "Zugriffsmöglichkeiten",
-    "siteResourcesTargetsOnSite": "Ziele auf dieser Seite",
+    "siteResourcesTargetsOnSite": "Ziele an diesem Standort",
    "siteSetting": "{siteName} Einstellungen",
    "siteNewtTunnel": "Newt Standort (empfohlen)",
    "siteNewtTunnelDescription": "Einfachster Weg, einen Einstiegspunkt in jedes Netzwerk zu erstellen. Keine zusätzliche Einrichtung.",
@@ -148,16 +148,20 @@
    "siteCredentialsSaveDescription": "Du kannst das nur einmal sehen. Stelle sicher, dass du es an einen sicheren Ort kopierst.",
    "siteInfo": "Standortinformationen",
    "status": "Status",
-    "shareTitle": "Links zum Teilen verwalten",
+    "shareTitle": "Freigabelinks verwalten",
    "shareDescription": "Erstelle teilbare Links, um temporären oder permanenten Zugriff auf Proxy-Ressourcen zu gewähren",
-    "shareSearch": "Freigabe-Links suchen...",
-    "shareCreate": "Link erstellen",
+    "shareSearch": "Freigabelinks suchen...",
+    "shareCreate": "Freigabelink erstellen",
    "shareErrorDelete": "Link konnte nicht gelöscht werden",
    "shareErrorDeleteMessage": "Fehler beim Löschen des Links",
    "shareDeleted": "Link gelöscht",
    "shareDeletedDescription": "Der Link wurde gelöscht",
+    "shareDelete": "Freigabelink löschen",
+    "shareDeleteConfirm": "Löschen des Freigabelinks bestätigen",
+    "shareQuestionRemove": "Sind Sie sicher, dass Sie diesen Freigabelink löschen möchten?",
+    "shareMessageRemove": "Nach dem Löschen funktioniert der Link nicht mehr, und jeder, der ihn nutzt, verliert den Zugriff auf die Ressource.",
    "shareTokenDescription": "Das Zugriffstoken kann auf zwei Arten übergeben werden: als Abfrageparameter oder in den Request-Headern. Diese müssen vom Client auf jeder Anfrage für authentifizierten Zugriff weitergegeben werden.",
-    "accessToken": "Zugangs-Token",
+    "accessToken": "Zugriffstoken",
    "usageExamples": "Nutzungsbeispiele",
    "tokenId": "Token-ID",
    "requestHeades": "Anfrage-Header",
@@ -168,12 +172,12 @@
    "shareTokenSecurety": "Bewahren Sie das Zugriffstoken sicher. Teilen Sie es nicht in öffentlich zugänglichen Bereichen oder Client-seitigem Code.",
    "shareErrorFetchResource": "Fehler beim Abrufen der Ressourcen",
    "shareErrorFetchResourceDescription": "Beim Abrufen der Ressourcen ist ein Fehler aufgetreten",
-    "shareErrorCreate": "Fehler beim Erstellen des Teilen-Links",
-    "shareErrorCreateDescription": "Beim Erstellen des Teilen-Links ist ein Fehler aufgetreten",
+    "shareErrorCreate": "Fehler beim Erstellen des Freigabelinks",
+    "shareErrorCreateDescription": "Beim Erstellen des Freigabelinks ist ein Fehler aufgetreten",
    "shareCreateDescription": "Jeder mit diesem Link kann auf die Ressource zugreifen",
    "shareTitleOptional": "Titel (optional)",
-    "expireIn": "Verfällt in",
-    "neverExpire": "Nie ablaufen",
+    "expireIn": "Läuft ab in",
+    "neverExpire": "Läuft nie ab",
    "shareExpireDescription": "Ablaufzeit ist, wie lange der Link verwendet werden kann und bietet Zugriff auf die Ressource. Nach dieser Zeit wird der Link nicht mehr funktionieren und Benutzer, die diesen Link benutzt haben, verlieren den Zugriff auf die Ressource.",
    "shareSeeOnce": "Sie können diesen Link nur einmal sehen. Bitte kopieren Sie ihn.",
    "shareAccessHint": "Jeder mit diesem Link kann auf die Ressource zugreifen. Teilen Sie sie mit Vorsicht.",
@@ -182,7 +186,7 @@
    "resourcesNotFound": "Keine Ressourcen gefunden",
    "resourceSearch": "Suche Ressourcen",
    "machineSearch": "Maschinen suchen",
-    "machinesSearch": "Suche Maschinen-Klienten...",
+    "machinesSearch": "Maschinen-Clients suchen",
    "machineNotFound": "Keine Maschinen gefunden",
    "userDeviceSearch": "Benutzergeräte durchsuchen",
    "userDevicesSearch": "Benutzergeräte durchsuchen...",
@@ -199,7 +203,7 @@
    "proxyResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
    "clientResourceTitle": "Private Ressourcen verwalten",
    "clientResourceDescription": "Erstelle und verwalte Ressourcen, die nur über einen verbundenen Client zugänglich sind",
-    "privateResourcesBannerTitle": "Zero-Trust Privater Zugang",
+    "privateResourcesBannerTitle": "Zero-Trust-Zugriff auf private Ressourcen",
    "privateResourcesBannerDescription": "Private Ressourcen nutzen Zero-Trust und stellen sicher, dass Benutzer und Maschinen nur auf Ressourcen zugreifen können, die Sie explizit gewähren. Verbinden Sie Benutzergeräte oder Maschinen-Clients, um auf diese Ressourcen über ein sicheres virtuelles privates Netzwerk zuzugreifen.",
    "resourcesSearch": "Suche Ressourcen...",
    "resourceAdd": "Ressource hinzufügen",
@@ -261,7 +265,7 @@
    "rules": "Regeln",
    "resourceSettingDescription": "Einstellungen für die Ressource konfigurieren",
    "resourceSetting": "{resourceName} Einstellungen",
-    "alwaysAllow": "Auth umgehen",
+    "alwaysAllow": "Authentifizierung umgehen",
    "alwaysDeny": "Zugriff blockieren",
    "passToAuth": "Weiterleiten zur Authentifizierung",
    "orgSettingsDescription": "Organisationseinstellungen konfigurieren",
@@ -270,7 +274,7 @@
    "saveGeneralSettings": "Allgemeine Einstellungen speichern",
    "saveSettings": "Einstellungen speichern",
    "orgDangerZone": "Gefahrenzone",
-    "orgDangerZoneDescription": "Sobald Sie diesen Org löschen, gibt es kein Zurück mehr. Bitte seien Sie vorsichtig.",
+    "orgDangerZoneDescription": "Sobald Sie diese Organisation löschen, gibt es kein Zurück mehr. Bitte seien Sie vorsichtig.",
    "orgDelete": "Organisation löschen",
    "orgDeleteConfirm": "Organisation löschen bestätigen",
    "orgMessageRemove": "Diese Aktion ist unwiderruflich und löscht alle zugehörigen Daten.",
@@ -319,7 +323,7 @@
    "accessApprovalsManage": "Genehmigungen verwalten",
    "accessApprovalsDescription": "Zeige und verwalte ausstehende Genehmigungen für den Zugriff auf diese Organisation",
    "description": "Beschreibung",
-    "inviteTitle": "Einladungen öffnen",
+    "inviteTitle": "Offene Einladungen",
    "inviteDescription": "Einladungen für andere Benutzer verwalten, der Organisation beizutreten",
    "inviteSearch": "Einladungen suchen...",
    "minutes": "Minuten",
@@ -366,12 +370,12 @@
    "apiKeysDescription": "API-Schlüssel werden zur Authentifizierung mit der Integrations-API verwendet",
    "provisioningKeysTitle": "Bereitstellungsschlüssel",
    "provisioningKeysManage": "Bereitstellungsschlüssel verwalten",
-    "provisioningKeysDescription": "Bereitstellungsschlüssel werden verwendet, um die automatisierte Bereitstellung von Seiten für Ihr Unternehmen zu authentifizieren.",
+    "provisioningKeysDescription": "Bereitstellungsschlüssel werden verwendet, um die automatisierte Bereitstellung von Standorten für Ihr Unternehmen zu authentifizieren.",
    "provisioningManage": "Bereitstellung",
-    "provisioningDescription": "Bereitstellungsschlüssel verwalten und ausstehende Seiten prüfen, die noch auf Genehmigung warten.",
-    "pendingSites": "Ausstehende Seiten",
-    "siteApproveSuccess": "Site erfolgreich freigegeben",
-    "siteApproveError": "Fehler beim Bestätigen der Seite",
+    "provisioningDescription": "Bereitstellungsschlüssel verwalten und ausstehende Standorte prüfen, die noch auf Genehmigung warten.",
+    "pendingSites": "Ausstehende Standorte",
+    "siteApproveSuccess": "Standort erfolgreich freigegeben",
+    "siteApproveError": "Fehler beim Genehmigen des Standorts",
    "provisioningKeys": "Bereitstellungsschlüssel",
    "searchProvisioningKeys": "Bereitstellungsschlüssel suchen...",
    "provisioningKeysAdd": "Bereitstellungsschlüssel generieren",
@@ -401,7 +405,7 @@
    "provisioningKeysNeverUsed": "Nie",
    "provisioningKeysEdit": "Bereitstellungsschlüssel bearbeiten",
    "provisioningKeysEditDescription": "Aktualisieren Sie die maximale Batch-Größe und Ablaufzeit für diesen Schlüssel.",
-    "provisioningKeysApproveNewSites": "Neue Seiten genehmigen",
+    "provisioningKeysApproveNewSites": "Neuen Standort genehmigen",
    "provisioningKeysApproveNewSitesDescription": "Sites, die sich mit diesem Schlüssel registrieren, automatisch freigeben.",
    "provisioningKeysUpdateError": "Fehler beim Aktualisieren des Bereitstellungsschlüssels",
    "provisioningKeysUpdated": "Bereitstellungsschlüssel aktualisiert",
@@ -409,8 +413,8 @@
    "provisioningKeysBannerTitle": "Website-Bereitstellungsschlüssel",
    "provisioningKeysBannerDescription": "Generieren Sie einen Bereitstellungsschlüssel und verwenden Sie ihn mit dem Newt-Connector, um Standorte beim ersten Start automatisch zu erstellen - keine Notwendigkeit, separate Anmeldedaten für jede Seite einzurichten.",
    "provisioningKeysBannerButtonText": "Mehr erfahren",
-    "pendingSitesBannerTitle": "Ausstehende Seiten",
-    "pendingSitesBannerDescription": "Websites, die mit einem Bereitstellungsschlüssel verbunden sind, erscheinen hier zur Überprüfung.",
+    "pendingSitesBannerTitle": "Ausstehende Standorte",
+    "pendingSitesBannerDescription": "Standorte, die mit einem Bereitstellungsschlüssel verbunden sind, erscheinen hier zur Überprüfung.",
    "pendingSitesBannerButtonText": "Mehr erfahren",
    "apiKeysSettings": "{apiKeyName} Einstellungen",
    "userTitle": "Alle Benutzer verwalten",
@@ -457,7 +461,7 @@
    "licenseActivateKeyDescription": "Geben Sie einen Lizenzschlüssel ein, um ihn zu aktivieren.",
    "licenseActivate": "Lizenz aktivieren",
    "licenseAgreement": "Durch Ankreuzung dieses Kästchens bestätigen Sie, dass Sie die Lizenzbedingungen gelesen und akzeptiert haben, die mit dem Lizenzschlüssel in Verbindung stehen.",
-    "fossorialLicense": "Fossorial Gewerbelizenz & Abonnementbedingungen anzeigen",
+    "fossorialLicense": "Kommerzielle Fossorial-Lizenz und Abonnementbedingungen anzeigen",
    "licenseMessageRemove": "Dadurch werden der Lizenzschlüssel und alle zugehörigen Berechtigungen entfernt.",
    "licenseMessageConfirm": "Um zu bestätigen, geben Sie bitte den Lizenzschlüssel unten ein.",
    "licenseQuestionRemove": "Sind Sie sicher, dass Sie den Lizenzschlüssel löschen möchten?",
@@ -477,7 +481,7 @@
    "licensePurchaseSites": "Zusätzliche Standorte kaufen\n",
    "licenseSitesUsedMax": "{usedSites} von {maxSites} Standorten verwendet",
    "licenseSitesUsed": "{count, plural, =0 {# Standorte} one {# Standort} other {# Standorte}} im System.",
-    "licensePurchaseDescription": "Wähle aus, für wieviele Seiten du möchtest {selectedMode, select, license {kaufe eine Lizenz. Du kannst später immer weitere Seiten hinzufügen.} other {Füge zu deiner bestehenden Lizenz hinzu.}}",
+    "licensePurchaseDescription": "Wähle aus, für wie viele Standorte du möchtest {selectedMode, select, license {kaufe eine Lizenz. Du kannst später immer weitere Standorte hinzufügen.} other {Füge zu deiner bestehenden Lizenz hinzu.}}",
    "licenseFee": "Lizenzgebühr",
    "licensePriceSite": "Preis pro Standort",
    "total": "Gesamt",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Nach dem Entfernen hat dieser Benutzer keinen Zugriff mehr auf die Organisation. Sie können ihn später jederzeit wieder einladen, aber er muss die Einladung erneut annehmen.",
    "userRemoveOrgConfirm": "Entfernen des Benutzers bestätigen",
    "userRemoveOrg": "Benutzer aus der Organisation entfernen",
+    "userQuestionOrgRemoveSelf": "Sind Sie sicher, dass Sie sich aus dieser Organisation entfernen möchten?",
+    "userMessageOrgRemoveSelf": "Sie verlieren sofort den Zugriff. Ein Administrator kann Sie später erneut einladen, aber Sie müssen eine neue Einladung annehmen.",
+    "userRemoveOrgConfirmSelf": "Entfernung bestätigen",
+    "userRemoveOrgSelf": "Sich selbst aus der Organisation entfernen",
+    "userRemoveOrgSelfWarning": "Sie verlieren sofort den Zugriff auf diese Organisation.",
+    "userRemoveOrgConfirmPhraseSelf": "MICH SELBST AUS DER ORGANISATION ENTFERNEN",
    "users": "Benutzer",
    "accessRoleMember": "Mitglied",
    "accessRoleOwner": "Eigentümer",
@@ -531,6 +541,11 @@
    "emailInvalid": "Ungültige E-Mail-Adresse",
    "inviteValidityDuration": "Bitte wählen Sie eine Dauer",
    "accessRoleSelectPlease": "Bitte wählen Sie eine Rolle",
+    "removeOwnAdminRoleConfirmTitle": "Möchten Sie Ihren Administratorzugriff entfernen?",
+    "removeOwnAdminRoleConfirmDescription": "Nach dem Speichern haben Sie keine Administratorrechte mehr in dieser Organisation. Ein anderer Administrator kann den Zugriff bei Bedarf wiederherstellen.",
+    "removeOwnAdminRoleConfirmButton": "Meinen Administratorzugriff entfernen",
+    "removeOwnAdminRoleConfirmPhrase": "NIMM MEINEN ADMIN-ZUGRIFF WEG",
+    "ownerMustRetainAdminRole": "Der Organisationsinhaber muss mindestens eine Administratorrolle behalten.",
    "usernameRequired": "Benutzername ist erforderlich",
    "idpSelectPlease": "Bitte wählen Sie einen Identitätsanbieter",
    "idpGenericOidc": "Generischer OAuth2/OIDC-Anbieter.",
@@ -615,7 +630,7 @@
    "createdAt": "Erstellt am",
    "proxyErrorInvalidHeader": "Ungültiger benutzerdefinierter Host-Header-Wert. Verwenden Sie das Domain-Namensformat oder speichern Sie leer, um den benutzerdefinierten Host-Header zu deaktivieren.",
    "proxyErrorTls": "Ungültiger TLS-Servername. Verwenden Sie das Domain-Namensformat oder speichern Sie leer, um den TLS-Servernamen zu entfernen.",
-    "proxyEnableSSL": "SSL aktivieren",
+    "proxyEnableSSL": "TLS aktivieren",
    "proxyEnableSSLDescription": "Aktiviere SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zu den Zielen.",
    "target": "Ziel",
    "configureTarget": "Ziele konfigurieren",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Das Hinzufügen von mehr als einem Ziel aktiviert den Lastausgleich.",
    "targetsSubmit": "Ziele speichern",
    "addTarget": "Ziel hinzufügen",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round-Robin-Routing funktioniert nicht zwischen Standorten, die nicht mit demselben Knoten verbunden sind, aber Failover funktioniert.",
    "targetErrorInvalidIp": "Ungültige IP-Adresse",
    "targetErrorInvalidIpDescription": "Bitte geben Sie eine gültige IP-Adresse oder einen Hostnamen ein",
    "targetErrorInvalidPort": "Ungültiger Port",
@@ -1695,11 +1711,11 @@
    "regionSelectorComingSoon": "Kommt bald",
    "billingLoadingSubscription": "Abonnement wird geladen...",
    "billingFreeTier": "Kostenlose Stufe",
-    "billingWarningOverLimit": "Warnung: Sie haben ein oder mehrere Nutzungslimits überschritten. Ihre Webseiten werden nicht verbunden, bis Sie Ihr Abonnement ändern oder Ihren Verbrauch anpassen.",
+    "billingWarningOverLimit": "Warnung: Sie haben ein oder mehrere Nutzungslimits überschritten. Ihre Standorte werden nicht verbunden, bis Sie Ihr Abonnement ändern oder Ihren Verbrauch anpassen.",
    "billingUsageLimitsOverview": "Übersicht über Nutzungsgrenzen",
    "billingMonitorUsage": "Überwachen Sie Ihren Verbrauch im Vergleich zu konfigurierten Grenzwerten. Wenn Sie eine Erhöhung der Limits benötigen, kontaktieren Sie uns bitte support@pangolin.net.",
    "billingDataUsage": "Datenverbrauch",
-    "billingSites": "Seiten",
+    "billingSites": "Standorte",
    "billingUsers": "Benutzergeräte",
    "billingDomains": "Domänen",
    "billingOrganizations": "Orden",
@@ -1727,7 +1743,7 @@
    "billingCheckoutError": "Checkout-Fehler",
    "billingFailedToGetPortalUrl": "Fehler beim Abrufen der Portal-URL",
    "billingPortalError": "Portalfehler",
-    "billingDataUsageInfo": "Wenn Sie mit der Cloud verbunden sind, werden alle Daten über Ihre sicheren Tunnel belastet. Dies schließt eingehenden und ausgehenden Datenverkehr über alle Ihre Websites ein. Wenn Sie Ihr Limit erreichen, werden Ihre Seiten die Verbindung trennen, bis Sie Ihr Paket upgraden oder die Nutzung verringern. Daten werden nicht belastet, wenn Sie Knoten verwenden.",
+    "billingDataUsageInfo": "Wenn Sie mit der Cloud verbunden sind, werden alle Daten über Ihre sicheren Tunnel belastet. Dies schließt eingehenden und ausgehenden Datenverkehr über alle Ihre Standorte ein. Wenn Sie Ihr Limit erreichen, werden Ihre Standorte die Verbindung trennen, bis Sie Ihr Paket upgraden oder die Nutzung verringern. Daten werden nicht belastet, wenn Sie Knoten verwenden.",
    "billingSInfo": "Anzahl der Sites die Sie verwenden können",
    "billingUsersInfo": "Wie viele Benutzer Sie verwenden können",
    "billingDomainInfo": "Wie viele Domains Sie verwenden können",
@@ -1911,7 +1927,7 @@
    "configureHealthCheck": "Gesundheits-Check konfigurieren",
    "configureHealthCheckDescription": "Richten Sie die Gesundheitsüberwachung für {target} ein",
    "enableHealthChecks": "Gesundheits-Checks aktivieren",
-    "healthCheckDisabledStateDescription": "Wenn deaktiviert, führt die Seite keine Gesundheitsprüfungen durch und der Zustand wird als unbekannt betrachtet.",
+    "healthCheckDisabledStateDescription": "Wenn deaktiviert, führt der Standort keine Gesundheitsprüfungen durch und der Zustand wird als unbekannt betrachtet.",
    "enableHealthChecksDescription": "Überwachen Sie die Gesundheit dieses Ziels. Bei Bedarf können Sie einen anderen Endpunkt als das Ziel überwachen.",
    "healthScheme": "Methode",
    "healthSelectScheme": "Methode auswählen",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schema",
-    "editInternalResourceDialogEnableSsl": "SSL aktivieren",
+    "editInternalResourceDialogEnableSsl": "TLS aktivieren",
    "editInternalResourceDialogEnableSslDescription": "SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zum Ziel aktivieren.",
    "editInternalResourceDialogDestination": "Ziel",
    "editInternalResourceDialogDestinationHostDescription": "Die IP-Adresse oder der Hostname der Ressource im Netzwerk der Website.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schema",
    "createInternalResourceDialogScheme": "Schema",
-    "createInternalResourceDialogEnableSsl": "SSL aktivieren",
+    "createInternalResourceDialogEnableSsl": "TLS aktivieren",
    "createInternalResourceDialogEnableSslDescription": "SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zum Ziel aktivieren.",
    "createInternalResourceDialogDestination": "Ziel",
    "createInternalResourceDialogDestinationHostDescription": "Die IP-Adresse oder der Hostname der Ressource im Netzwerk der Website.",
@@ -2171,8 +2189,8 @@
        }
    },
    "remoteExitNodeSelection": "Knotenauswahl",
-    "remoteExitNodeSelectionDescription": "Wählen Sie einen Knoten aus, durch den Traffic für diese lokale Seite geleitet werden soll",
-    "remoteExitNodeRequired": "Ein Knoten muss für lokale Seiten ausgewählt sein",
+    "remoteExitNodeSelectionDescription": "Wählen Sie einen Knoten aus, durch den Traffic für diesen lokalen Standort geleitet werden soll",
+    "remoteExitNodeRequired": "Ein Knoten muss für lokale Standorte ausgewählt sein",
    "noRemoteExitNodesAvailable": "Keine Knoten verfügbar",
    "noRemoteExitNodesAvailableDescription": "Für diese Organisation sind keine Knoten verfügbar. Erstellen Sie zuerst einen Knoten, um lokale Standorte zu verwenden.",
    "exitNode": "Exit-Node",
@@ -2217,7 +2235,7 @@
        "description": "Zuverlässiger und wartungsarmer Pangolin Server mit zusätzlichen Glocken und Pfeifen",
        "introTitle": "Verwalteter selbstgehosteter Pangolin",
        "introDescription": "ist eine Deployment-Option, die für Personen konzipiert wurde, die Einfachheit und zusätzliche Zuverlässigkeit wünschen, während sie ihre Daten privat und selbstgehostet halten.",
-        "introDetail": "Mit dieser Option haben Sie immer noch Ihren eigenen Pangolin-Knoten – Ihre Tunnel, SSL-Terminierung und Traffic bleiben auf Ihrem Server. Der Unterschied besteht darin, dass Verwaltung und Überwachung über unser Cloud-Dashboard abgewickelt werden, das eine Reihe von Vorteilen freischaltet:",
+        "introDetail": "Mit dieser Option haben Sie immer noch Ihren eigenen Pangolin-Knoten – Ihre Tunnel, TLS-Terminierung und Traffic bleiben auf Ihrem Server. Der Unterschied besteht darin, dass Verwaltung und Überwachung über unser Cloud-Dashboard abgewickelt werden, das eine Reihe von Vorteilen freischaltet:",
        "benefitSimplerOperations": {
            "title": "Einfachere Operationen",
            "description": "Sie brauchen keinen eigenen Mail-Server auszuführen oder komplexe Warnungen einzurichten. Sie erhalten Gesundheitschecks und Ausfallwarnungen aus dem Box."
@@ -2652,6 +2670,8 @@
    "validPassword": "Gültiges Passwort",
    "validEmail": "Gültige E-Mail-Adresse",
    "validSSO": "Gültige SSO-Anmeldung",
+    "view": "Ansehen",
+    "configManaged": "Konfiguration verwaltet",
    "connectedClient": "Verbundenes Gerät",
    "resourceBlocked": "Ressource blockiert",
    "droppedByRule": "Abgelegt durch Regel",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Events direkt an Ihr Datadog Konto weiterleiten. Kommen Sie bald.",
    "streamingTypePickerDescription": "Wählen Sie einen Zieltyp aus, um loszulegen.",
-    "streamingFailedToLoad": "Fehler beim Laden der Ziele",
+    "streamingLastSyncError": "Beim letzten Synchronisieren ist ein Fehler aufgetreten.",
    "streamingUnexpectedError": "Ein unerwarteter Fehler ist aufgetreten.",
    "streamingFailedToUpdate": "Fehler beim Aktualisieren des Ziels",
    "streamingDeletedSuccess": "Ziel erfolgreich gelöscht",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Ziel bearbeiten",
    "S3DestAddTitle": "S3-Ziel hinzufügen",
    "S3DestEditDescription": "Konfiguration für dieses S3-Ereignis-Streamingziel aktualisieren.",
-    "S3DestAddDescription": "Neuen S3-Endpunkt konfigurieren, um die Ereignisse Ihrer Organisation zu erhalten.",
+    "S3DestAddDescription": "Konfigurieren Sie einen neuen Amazon S3 (oder S3-kompatiblen) Bucket, um die Ereignisse Ihrer Organisation zu empfangen.",
+    "s3DestTabSettings": "Einstellungen",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Name",
+    "s3DestNamePlaceholder": "Mein S3-Ziel",
+    "s3DestAccessKeyIdLabel": "AWS-Zugriffsschlüssel-ID",
+    "s3DestSecretAccessKeyLabel": "AWS-Geheimzugriffsschlüssel",
+    "s3DestSecretAccessKeyPlaceholder": "Ihr AWS-Geheimzugriffsschlüssel",
+    "s3DestRegionLabel": "AWS-Region",
+    "s3DestBucketLabel": "Bucket-Name",
+    "s3DestPrefixLabel": "Schlüssel-Präfix (optional)",
+    "s3DestPrefixDescription": "Optionales Pfadpräfix, das jedem Objektschlüssel vorangestellt wird. Objekte werden unter {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename} gespeichert.",
+    "s3DestEndpointLabel": "Benutzerdefinierter Endpunkt (optional)",
+    "s3DestEndpointDescription": "Überschreiben Sie den S3-Endpunkt für S3-kompatiblen Speicher wie MinIO oder Cloudflare R2. Lassen Sie das Feld leer für standardmäßiges AWS S3.",
+    "s3DestGzipLabel": "Gzip-Komprimierung",
+    "s3DestGzipDescription": "Jedes hochgeladene Objekt mit Gzip komprimieren. Reduziert die Speicherkosten und die Upload-Größe.",
+    "s3DestFormatTitle": "Dateiformat",
+    "s3DestFormatDescription": "Wie Ereignisse in jedem hochgeladenen Objekt serialisiert werden.",
+    "s3DestFormatJsonArrayDescription": "Jedes Objekt ist ein JSON-Array von Ereignisdaten. Kompatibel mit den meisten Analysetools.",
+    "s3DestFormatNdjsonDescription": "Jedes Objekt enthält einen JSON-Datensatz pro Zeile (newline-delimited JSON). Kompatibel mit Athena, BigQuery und Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Jedes Objekt ist eine RFC-4180 CSV-Datei mit einer Kopfzeile. Spaltennamen werden aus den Ereignisdatenfeldern abgeleitet.",
+    "s3DestSaveChanges": "Änderungen speichern",
+    "s3DestCreateDestination": "Ziel erstellen",
+    "s3DestUpdatedSuccess": "Ziel erfolgreich aktualisiert",
+    "s3DestCreatedSuccess": "Ziel erfolgreich erstellt",
+    "s3DestUpdateFailed": "Fehler beim Aktualisieren des Ziels",
+    "s3DestCreateFailed": "Fehler beim Erstellen des Ziels",
    "datadogDestEditTitle": "Ziel bearbeiten",
    "datadogDestAddTitle": "Datadog-Ziel hinzufügen",
    "datadogDestEditDescription": "Konfiguration für dieses Datadog-Ereignis-Streamingziel aktualisieren.",
@@ -3190,7 +3237,7 @@
    "uptimeAddAlert": "Warnmeldung hinzufügen",
    "uptimeViewAlerts": "Warnungen anzeigen",
    "uptimeCreateEmailAlert": "E-Mail Alarm erstellen",
-    "uptimeAlertDescriptionSite": "Werde per E-Mail benachrichtigt, wenn diese Seite offline oder wieder online ist.",
+    "uptimeAlertDescriptionSite": "Werde per E-Mail benachrichtigt, wenn dieser Standort offline oder wieder online ist.",
    "uptimeAlertDescriptionResource": "Werde per E-Mail benachrichtigt, wenn diese Ressource offline oder wieder online ist.",
    "uptimeAlertNamePlaceholder": "Alarmname",
    "uptimeAdditionalEmails": "Zusätzliche E-Mails",
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "An error occurred deleting link",
    "shareDeleted": "Link deleted",
    "shareDeletedDescription": "The link has been deleted",
+    "shareDelete": "Delete Share Link",
+    "shareDeleteConfirm": "Confirm Delete Share Link",
+    "shareQuestionRemove": "Are you sure you want to delete this share link?",
+    "shareMessageRemove": "Once deleted, the link will no longer work and anyone using it will lose access to the resource.",
    "shareTokenDescription": "The access token can be passed in two ways: as a query parameter or in the request headers. These must be passed from the client on every request for authenticated access.",
    "accessToken": "Access Token",
    "usageExamples": "Usage Examples",
@@ -172,6 +176,7 @@
    "shareErrorCreateDescription": "An error occurred while creating the share link",
    "shareCreateDescription": "Anyone with this link can access the resource",
    "shareTitleOptional": "Title (optional)",
+    "sharePathOptional": "Path (optional)",
    "expireIn": "Expire In",
    "neverExpire": "Never expire",
    "shareExpireDescription": "Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource.",
@@ -204,11 +209,33 @@
    "resourcesSearch": "Search resources...",
    "resourceAdd": "Add Resource",
    "resourceErrorDelte": "Error deleting resource",
+    "resourcePoliciesTitle": "Manage Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Attached resources",
+    "resourcePoliciesAttachedResources": "{count} resource(s)",
+    "resourcePoliciesAttachedResourcesEmpty": "no resources",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your resources",
+    "resourcePoliciesSearch": "Search policies...",
+    "resourcePoliciesAdd": "Add Policy",
+    "resourcePoliciesDefaultBadgeText": "Default policy",
+    "resourcePoliciesCreate": "Create Resource Policy",
+    "resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
+    "resourcePolicyName": "Policy Name",
+    "resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
+    "resourcePolicyNamePlaceholder": "e.g. Internal Access Policy",
+    "resourcePoliciesSeeAll": "See All Policies",
+    "resourcePolicyAuthMethodAdd": "Add Authentication Method",
+    "resourcePolicyOtpEmailAdd": "Add OTP emails",
+    "resourcePolicyRulesAdd": "Add Rules",
+    "resourcePolicyAuthMethodsDescription": "Allow access to resources via additional auth methods",
+    "resourcePolicyUsersRolesDescription": "Configure which users and roles can visit associated resources",
+    "rulesResourcePolicyDescription": "Configure rules to control access resources associated to this policy",
    "authentication": "Authentication",
    "protected": "Protected",
    "notProtected": "Not Protected",
    "resourceMessageRemove": "Once removed, the resource will no longer be accessible. All targets associated with the resource will also be removed.",
    "resourceQuestionRemove": "Are you sure you want to remove the resource from the organization?",
+    "resourcePolicyMessageRemove": "Once removed, the resource policy will no longer be accessible. All resources associated with the resource will be unlinked and left without authentication.",
+    "resourcePolicyQuestionRemove": "Are you sure you want to remove the resource policy from the organization?",
    "resourceHTTP": "HTTPS Resource",
    "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
    "resourceRaw": "Raw TCP/UDP Resource",
@@ -216,8 +243,9 @@
    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Create Resource",
    "resourceCreateDescription": "Follow the steps below to create a new resource",
+    "resourceCreateGeneralDescription": "Configure the basic resource settings including the name and the type",
    "resourceSeeAll": "See All Resources",
-    "resourceInfo": "Resource Information",
+    "resourceCreateGeneral": "General",
    "resourceNameDescription": "This is the display name for the resource.",
    "siteSelect": "Select site",
    "siteSearch": "Search site",
@@ -227,12 +255,15 @@
    "noCountryFound": "No country found.",
    "siteSelectionDescription": "This site will provide connectivity to the target.",
    "resourceType": "Resource Type",
-    "resourceTypeDescription": "Determine how to access the resource",
+    "resourceTypeDescription": "This controls the resource protocol and how it will be rendered in the browser. This can’t be changed later.",
+    "resourceDomainDescription": "The resource will be served at this fully qualified domain name.",
    "resourceHTTPSSettings": "HTTPS Settings",
    "resourceHTTPSSettingsDescription": "Configure how the resource will be accessed over HTTPS",
+    "resourcePortDescription": "The external port on the Pangolin instance or node where the resource will be accessible.",
    "domainType": "Domain Type",
    "subdomain": "Subdomain",
    "baseDomain": "Base Domain",
+    "configure": "Configure",
    "subdomnainDescription": "The subdomain where the resource will be accessible.",
    "resourceRawSettings": "TCP/UDP Settings",
    "resourceRawSettingsDescription": "Configure how the resource will be accessed over TCP/UDP",
@@ -249,8 +280,27 @@
    "resourceLearnRaw": "Learn how to configure TCP/UDP resources",
    "resourceBack": "Back to Resources",
    "resourceGoTo": "Go to Resource",
+    "resourcePolicyDelete": "Delete Resource Policy",
+    "resourcePolicyDeleteConfirm": "Confirm Delete Resource Policy",
    "resourceDelete": "Delete Resource",
    "resourceDeleteConfirm": "Confirm Delete Resource",
+    "labelDelete": "Delete Label",
+    "labelAdd": "Add Label",
+    "labelCreateSuccessMessage": "Label Created Successfully",
+    "labelEditSuccessMessage": "Label Modified Successfully",
+    "labelNameField": "Label Name",
+    "labelColorField": "Label Color",
+    "labelPlaceholder": "Ex: homelab",
+    "labelCreate": "Create Label",
+    "createLabelDialogTitle": "Create Label",
+    "createLabelDialogDescription": "Create a new label that can be attached to this organization",
+    "labelEdit": "Edit Label",
+    "editLabelDialogTitle": "Update Label",
+    "editLabelDialogDescription": "Edit a new label that can be attached to this organization",
+    "labelDeleteConfirm": "Confirm Delete Label",
+    "labelErrorDelete": "Failed to delete label",
+    "labelMessageRemove": "This action is permanent. All sites, resources, and clients tagged with this label will be untagged.",
+    "labelQuestionRemove": "Are you sure you want to remove the label from the organization?",
    "visibility": "Visibility",
    "enabled": "Enabled",
    "disabled": "Disabled",
@@ -261,6 +311,8 @@
    "rules": "Rules",
    "resourceSettingDescription": "Configure the settings on the resource",
    "resourceSetting": "{resourceName} Settings",
+    "resourcePolicySettingDescription": "Configure the settings on the resource policy",
+    "resourcePolicySetting": "{policyName} Settings",
    "alwaysAllow": "Bypass Auth",
    "alwaysDeny": "Block Access",
    "passToAuth": "Pass to Auth",
@@ -523,6 +575,12 @@
    "userMessageOrgRemove": "Once removed, this user will no longer have access to the organization. You can always re-invite them later, but they will need to accept the invitation again.",
    "userRemoveOrgConfirm": "Confirm Remove User",
    "userRemoveOrg": "Remove User from Organization",
+    "userQuestionOrgRemoveSelf": "Are you sure you want to remove yourself from this organization?",
+    "userMessageOrgRemoveSelf": "You will lose access immediately. An administrator can invite you again later, but you will need to accept a new invitation.",
+    "userRemoveOrgConfirmSelf": "Confirm Remove Myself",
+    "userRemoveOrgSelf": "Remove yourself from the organization",
+    "userRemoveOrgSelfWarning": "You will lose access to this organization immediately.",
+    "userRemoveOrgConfirmPhraseSelf": "REMOVE MYSELF FROM ORG",
    "users": "Users",
    "accessRoleMember": "Member",
    "accessRoleOwner": "Owner",
@@ -531,6 +589,11 @@
    "emailInvalid": "Invalid email address",
    "inviteValidityDuration": "Please select a duration",
    "accessRoleSelectPlease": "Please select a role",
+    "removeOwnAdminRoleConfirmTitle": "Remove your administrator access?",
+    "removeOwnAdminRoleConfirmDescription": "You will no longer have administrator permissions in this organization after saving. Another administrator can restore access if needed.",
+    "removeOwnAdminRoleConfirmButton": "Remove My Administrator Access",
+    "removeOwnAdminRoleConfirmPhrase": "REMOVE MY ADMIN ACCESS",
+    "ownerMustRetainAdminRole": "The organization owner must keep at least one administrator role.",
    "usernameRequired": "Username is required",
    "idpSelectPlease": "Please select an identity provider",
    "idpGenericOidc": "Generic OAuth2/OIDC provider.",
@@ -615,7 +678,7 @@
    "createdAt": "Created At",
    "proxyErrorInvalidHeader": "Invalid custom Host Header value. Use domain name format, or save empty to unset custom Host Header.",
    "proxyErrorTls": "Invalid TLS Server Name. Use domain name format, or save empty to remove the TLS Server Name.",
-    "proxyEnableSSL": "Enable SSL",
+    "proxyEnableSSL": "Enable TLS",
    "proxyEnableSSLDescription": "Enable SSL/TLS encryption for secure HTTPS connections to the targets.",
    "target": "Target",
    "configureTarget": "Configure Targets",
@@ -658,6 +721,7 @@
    "targetNoOneDescription": "Adding more than one target above will enable load balancing.",
    "targetsSubmit": "Save Targets",
    "addTarget": "Add Target",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round robin routing will not work between sites that are not connected to the same node, but failover will work.",
    "targetErrorInvalidIp": "Invalid IP address",
    "targetErrorInvalidIpDescription": "Please enter a valid IP address or hostname",
    "targetErrorInvalidPort": "Invalid port",
@@ -731,6 +795,16 @@
    "rulesNoOne": "No rules. Add a rule using the form.",
    "rulesOrder": "Rules are evaluated by priority in ascending order.",
    "rulesSubmit": "Save Rules",
+    "policyErrorCreate": "Error creating policy",
+    "policyErrorCreateDescription": "An error occurred when creating the policy",
+    "policyErrorCreateMessageDescription": "An unexpected error occurred",
+    "policyErrorUpdate": "Error updating policy",
+    "policyErrorUpdateDescription": "An error occurred when updating the policy",
+    "policyErrorUpdateMessageDescription": "An unexpected error occurred",
+    "policyCreatedSuccess": "Resource policy succesfully created",
+    "policyUpdatedSuccess": "Resource policy succesfully updated",
+    "authMethodsSave": "Save auth methods",
+    "rulesSave": "Save Rules",
    "resourceErrorCreate": "Error creating resource",
    "resourceErrorCreateDescription": "An error occurred when creating the resource",
    "resourceErrorCreateMessage": "Error creating resource:",
@@ -794,6 +868,17 @@
    "pincodeAdd": "Add PIN Code",
    "pincodeRemove": "Remove PIN Code",
    "resourceAuthMethods": "Authentication Methods",
+    "resourcePolicyAuthMethodsEmpty": "No authentication method",
+    "resourcePolicyOtpEmpty": "No one time password",
+    "resourcePolicyReadOnly": "This policy is Read only",
+    "resourcePolicyReadOnlyDescription": "This resource policy is shared accross multiple resources, you cannot edit it on this page.",
+    "editSharedPolicy": "Edit Shared Policy",
+    "resourcePolicyTypeSave": "Save Resource type",
+    "resourcePolicySelect": "Select resource policy",
+    "resourcePolicySelectError": "Select a resource policy",
+    "resourcePolicyNotFound": "Policy not found",
+    "resourcePolicySearch": "Search policies",
+    "resourcePolicyRulesEmpty": "No authentication rules",
    "resourceAuthMethodsDescriptions": "Allow access to the resource via additional auth methods",
    "resourceAuthSettingsSave": "Saved successfully",
    "resourceAuthSettingsSaveDescription": "Authentication settings have been saved",
@@ -829,6 +914,12 @@
    "resourcePincodeSetupTitle": "Set Pincode",
    "resourcePincodeSetupTitleDescription": "Set a pincode to protect this resource",
    "resourceRoleDescription": "Admins can always access this resource.",
+    "resourcePolicySelectTitle": "Resource Access Policy",
+    "resourcePolicySelectDescription": "Select the resource policy type for authentication",
+    "resourcePolicyInline": "Inline Resource Policy",
+    "resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
+    "resourcePolicyShared": "Shared Resource Policy",
+    "resourcePolicySharedDescription": "This resource uses a shared policy. Policy-level settings (auth methods, email whitelist) are locked. You can add resource-specific rules, roles, and users below.",
    "resourceUsersRoles": "Access Controls",
    "resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
    "resourceUsersRolesSubmit": "Save Access Controls",
@@ -1124,6 +1215,18 @@
    "idpErrorConnectingTo": "There was a problem connecting to {name}. Please contact your administrator.",
    "idpErrorNotFound": "IdP not found",
    "inviteInvalid": "Invalid Invite",
+    "labels": "Labels",
+    "orgLabelsDescription": "Manage labels in this organization.",
+    "addLabels": "Add labels",
+    "siteLabelsTab": "Labels",
+    "siteLabelsDescription": "Manage labels associated with this site.",
+    "labelsNotFound": "Labels not found",
+    "labelSearch": "Search labels",
+    "accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
+    "labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
+    "accessLabelFilterClear": "Clear label filters",
+    "selectColor": "Select color",
+    "createNewLabel": "Create new org label \"{label}\"",
    "inviteInvalidDescription": "The invite link is invalid.",
    "inviteErrorWrongUser": "Invite is not for this user",
    "inviteErrorUserNotExists": "User does not exist. Please create an account first.",
@@ -1358,6 +1461,8 @@
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
+    "sidebarPolicies": "Policies",
+    "sidebarResourcePolicies": "Resources",
    "sidebarAccessControl": "Access Control",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
@@ -1541,7 +1646,8 @@
    "standaloneHcFilterSiteIdFallback": "Site {id}",
    "standaloneHcFilterResourceIdFallback": "Resource {id}",
    "blueprints": "Blueprints",
-    "blueprintsDescription": "Apply declarative configurations and view previous runs",
+    "blueprintsLog": "Blueprints Log",
+    "blueprintsDescription": "View past blueprint applications and their results",
    "blueprintAdd": "Add Blueprint",
    "blueprintGoBack": "See all Blueprints",
    "blueprintCreate": "Create Blueprint",
@@ -1559,7 +1665,17 @@
    "contents": "Contents",
    "parsedContents": "Parsed Contents (Read Only)",
    "enableDockerSocket": "Enable Docker Blueprint",
-    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to Newt. Read about how this works in <docsLink>the documentation</docsLink>.",
+    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to the site connector. Read about how this works in <docsLink>the documentation</docsLink>.",
+    "newtAutoUpdate": "Enable Site Auto-Update",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically update to the latest version when a new release is available.",
+    "siteAutoUpdate": "Site Auto-Update",
+    "siteAutoUpdateLabel": "Enable Auto-Update",
+    "siteAutoUpdateDescription": "Control whether this site's connector automatically downloads the latest version.",
+    "siteAutoUpdateOrgDefault": "Organization default: {state}",
+    "siteAutoUpdateOverriding": "Overriding organization setting",
+    "siteAutoUpdateResetToOrg": "Reset to Organization Default",
+    "siteAutoUpdateEnabled": "enabled",
+    "siteAutoUpdateDisabled": "disabled",
    "viewDockerContainers": "View Docker Containers",
    "containersIn": "Containers in {siteName}",
    "selectContainerDescription": "Select any container to use as a hostname for this target. Click a port to use a port.",
@@ -1604,6 +1720,7 @@
    "certificateStatus": "Certificate",
    "certificateStatusAutoRefreshHint": "Status refreshes automatically.",
    "loading": "Loading",
+    "loadingEllipsis": "Loading...",
    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
    "domains": "Domains",
@@ -1830,6 +1947,7 @@
    "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
    "billingCurrentKeys": "Current Keys",
    "billingModifyCurrentPlan": "Modify Current Plan",
+    "billingManageLicenseSubscriptionDescription": "Manage your subscription for paid self-hosted license keys and download invoices.",
    "billingConfirmUpgrade": "Confirm Upgrade",
    "billingConfirmDowngrade": "Confirm Downgrade",
    "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
@@ -1927,7 +2045,36 @@
    "timeIsInSeconds": "Time is in seconds",
    "requireDeviceApproval": "Require Device Approvals",
    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
-    "sshAccess": "SSH Access",
+    "sshSettings": "SSH Settings",
+    "rdpSettings": "RDP Settings",
+    "vncSettings": "VNC Settings",
+    "sshServer": "SSH Server",
+    "rdpServer": "RDP Server",
+    "vncServer": "VNC Server",
+    "sshServerDescription": "Set up the authentication method, daemon location, and server destination",
+    "rdpServerDescription": "Configure the destination and port of the RDP server",
+    "vncServerDescription": "Configure the destination and port of the VNC server",
+    "sshServerMode": "Mode",
+    "sshServerModeStandard": "Standard SSH Server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Routes commands over network to an SSH server such as OpenSSH.",
+    "sshServerModeNative": "Native SSH Server",
+    "sshServerModeNativeDescription": "Executes commands directly on the host via the Site Connector. No network config required.",
+    "sshAuthenticationMethod": "Authentication Method",
+    "sshAuthMethodManual": "Manual Authentication",
+    "sshAuthMethodManualDescription": "Requires existing host credentials. Bypasses automatic provisioning.",
+    "sshAuthMethodAutomated": "Automated Provisioning",
+    "sshAuthMethodAutomatedDescription": "Automatically creates users, groups, and sudo permissions on host.",
+    "sshAuthDaemonLocation": "Auth Daemon Location",
+    "sshDaemonLocationSiteDescription": "Executes locally on the machine hosting the site connector.",
+    "sshDaemonLocationRemote": "On Remote Host",
+    "sshDaemonLocationRemoteDescription": "Executes on a separate target machine on the same network.",
+    "sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
+    "sshDaemonPort": "Daemon Port",
+    "sshServerDestination": "Server Destination",
+    "sshServerDestinationDescription": "Configure the destination and port of the SSH server",
+    "destination": "Destination",
+    "bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
    "roleAllowSsh": "Allow SSH",
    "roleAllowSshAllow": "Allow",
    "roleAllowSshDisallow": "Disallow",
@@ -1941,7 +2088,7 @@
    "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
    "sshSudo": "Allow sudo",
    "sshSudoCommands": "Sudo Commands",
-    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo.",
+    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo. Absolute paths must be used.",
    "sshCreateHomeDir": "Create Home Directory",
    "sshUnixGroups": "Unix Groups",
    "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
@@ -2033,8 +2180,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Scheme",
-    "editInternalResourceDialogEnableSsl": "Enable SSL",
+    "editInternalResourceDialogEnableSsl": "Enable TLS",
    "editInternalResourceDialogEnableSslDescription": "Enable SSL/TLS encryption for secure HTTPS connections to the destination.",
    "editInternalResourceDialogDestination": "Destination",
    "editInternalResourceDialogDestinationHostDescription": "The IP address or hostname of the resource on the site's network.",
@@ -2082,9 +2230,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Scheme",
    "createInternalResourceDialogScheme": "Scheme",
-    "createInternalResourceDialogEnableSsl": "Enable SSL",
+    "createInternalResourceDialogEnableSsl": "Enable TLS",
    "createInternalResourceDialogEnableSslDescription": "Enable SSL/TLS encryption for secure HTTPS connections to the destination.",
    "createInternalResourceDialogDestination": "Destination",
    "createInternalResourceDialogDestinationHostDescription": "The IP address or hostname of the resource on the site's network.",
@@ -2217,7 +2366,7 @@
        "description": "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles",
        "introTitle": "Managed Self-Hosted Pangolin",
        "introDescription": "is a deployment option designed for people who want simplicity and extra reliability while still keeping their data private and self-hosted.",
-        "introDetail": "With this option, you still run your own Pangolin node - your tunnels, SSL termination, and traffic all stay on your server. The difference is that management and monitoring are handled through our cloud dashboard, which unlocks a number of benefits:",
+        "introDetail": "With this option, you still run your own Pangolin node - your tunnels, TLS termination, and traffic all stay on your server. The difference is that management and monitoring are handled through our cloud dashboard, which unlocks a number of benefits:",
        "benefitSimplerOperations": {
            "title": "Simpler operations",
            "description": "No need to run your own mail server or set up complex alerting. You'll get health checks and downtime alerts out of the box."
@@ -2652,6 +2801,8 @@
    "validPassword": "Valid Password",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "View",
+    "configManaged": "Config Managed",
    "connectedClient": "Connected Client",
    "resourceBlocked": "Resource Blocked",
    "droppedByRule": "Dropped by Rule",
@@ -2919,7 +3070,7 @@
    "learnMore": "Learn more",
    "backToHome": "Go back to home",
    "needToSignInToOrg": "Need to use your organization's identity provider?",
-    "maintenanceMode": "Maintenance Mode",
+    "maintenanceMode": "Maintenance Page",
    "maintenanceModeDescription": "Display a maintenance page to visitors",
    "maintenanceModeType": "Maintenance Mode Type",
    "showMaintenancePage": "Show a maintenance page to visitors",
@@ -2949,6 +3100,7 @@
    "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
    "createInternalResourceDialogDestinationRequired": "Destination is required",
    "available": "Available",
+    "disabledResourceDescription": "When disabled, the resource will be inaccessible by everyone.",
    "archived": "Archived",
    "noArchivedDevices": "No archived devices found",
    "deviceArchived": "Device archived",
@@ -3062,7 +3214,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Forward events directly to your Datadog account.",
    "streamingTypePickerDescription": "Choose a destination type to get started.",
-    "streamingFailedToLoad": "Failed to load destinations",
+    "streamingLastSyncError": "An error occurred on the last sync",
    "streamingUnexpectedError": "An unexpected error occurred.",
    "streamingFailedToUpdate": "Failed to update destination",
    "streamingDeletedSuccess": "Destination deleted successfully",
@@ -3079,7 +3231,34 @@
    "S3DestEditTitle": "Edit Destination",
    "S3DestAddTitle": "Add S3 Destination",
    "S3DestEditDescription": "Update the configuration for this S3 event streaming destination.",
-    "S3DestAddDescription": "Configure a new S3 endpoint to receive your organization's events.",
+    "S3DestAddDescription": "Configure a new Amazon S3 (or S3-compatible) bucket to receive your organization's events.",
+    "s3DestTabSettings": "Settings",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Name",
+    "s3DestNamePlaceholder": "My S3 destination",
+    "s3DestAccessKeyIdLabel": "AWS Access Key ID",
+    "s3DestSecretAccessKeyLabel": "AWS Secret Access Key",
+    "s3DestSecretAccessKeyPlaceholder": "Your AWS secret access key",
+    "s3DestRegionLabel": "AWS Region",
+    "s3DestBucketLabel": "Bucket Name",
+    "s3DestPrefixLabel": "Key Prefix (optional)",
+    "s3DestPrefixDescription": "Optional path prefix prepended to every object key. Objects are stored at {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Custom Endpoint (optional)",
+    "s3DestEndpointDescription": "Override the S3 endpoint for S3-compatible storage such as MinIO or Cloudflare R2. Leave blank for standard AWS S3.",
+    "s3DestGzipLabel": "Gzip compression",
+    "s3DestGzipDescription": "Compress each uploaded object with gzip. Reduces storage costs and upload size.",
+    "s3DestFormatTitle": "File Format",
+    "s3DestFormatDescription": "How events are serialised inside each uploaded object.",
+    "s3DestFormatJsonArrayDescription": "Each object is a JSON array of event records. Compatible with most analytics tools.",
+    "s3DestFormatNdjsonDescription": "Each object contains one JSON record per line (newline-delimited JSON). Compatible with Athena, BigQuery, and Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Each object is an RFC-4180 CSV file with a header row. Column names are derived from the event data fields.",
+    "s3DestSaveChanges": "Save Changes",
+    "s3DestCreateDestination": "Create Destination",
+    "s3DestUpdatedSuccess": "Destination updated successfully",
+    "s3DestCreatedSuccess": "Destination created successfully",
+    "s3DestUpdateFailed": "Failed to update destination",
+    "s3DestCreateFailed": "Failed to create destination",
    "datadogDestEditTitle": "Edit Destination",
    "datadogDestAddTitle": "Add Datadog Destination",
    "datadogDestEditDescription": "Update the configuration for this Datadog event streaming destination.",
@@ -3251,5 +3430,27 @@
    "memberPortalResourceDisabled": "Resource Disabled",
    "memberPortalShowingResources": "Showing {start}-{end} of {total} resources",
    "memberPortalPrevious": "Previous",
-    "memberPortalNext": "Next"
+    "memberPortalNext": "Next",
+    "httpSettings": "HTTP Settings",
+    "tcpSettings": "TCP Settings",
+    "udpSettings": "UDP Settings",
+    "sshTitle": "SSH",
+    "sshConnectingDescription": "Establishing a secure connection…",
+    "sshConnecting": "Connecting…",
+    "sshInitializing": "Initializing…",
+    "sshSignInTitle": "Sign in to SSH",
+    "sshSignInDescription": "Enter your SSH credentials",
+    "sshPasswordTab": "Password",
+    "sshPrivateKeyTab": "Private Key",
+    "sshPrivateKeyField": "Private Key",
+    "sshPrivateKeyDisclaimer": "Your private key is not stored or visible to Pangolin. Alternatively, you can use short-lived certificates for seamless authentication using your existing Pangolin identity.",
+    "sshLearnMore": "Learn more",
+    "sshPrivateKeyFile": "Private Key File",
+    "sshAuthenticate": "Authenticate",
+    "sshTerminate": "Terminate",
+    "sshPoweredBy": "Powered by",
+    "sshErrorNoTarget": "No target specified",
+    "sshErrorWebSocket": "WebSocket connection failed",
+    "sshErrorAuthFailed": "Authentication failed",
+    "sshErrorConnectionClosed": "Connection closed before authentication completed"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Se ha producido un error al eliminar el enlace",
    "shareDeleted": "Enlace eliminado",
    "shareDeletedDescription": "El enlace ha sido eliminado",
+    "shareDelete": "Borrar Enlace Compartido",
+    "shareDeleteConfirm": "Confirmar Borrado del Enlace Compartido",
+    "shareQuestionRemove": "¿Está seguro de que desea borrar este enlace compartido?",
+    "shareMessageRemove": "Una vez borrado, el enlace dejará de funcionar y cualquier persona que lo use perderá acceso al recurso.",
    "shareTokenDescription": "El token de acceso puede ser pasado de dos maneras: como parámetro de consulta o en las cabeceras de solicitud. Estos deben ser pasados del cliente en cada solicitud de acceso autenticado.",
    "accessToken": "Token de acceso",
    "usageExamples": "Ejemplos de uso",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Una vez eliminado, este usuario ya no tendrá acceso a la organización. Siempre puede volver a invitarlos más tarde, pero tendrán que aceptar la invitación de nuevo.",
    "userRemoveOrgConfirm": "Confirmar eliminar usuario",
    "userRemoveOrg": "Eliminar usuario de la organización",
+    "userQuestionOrgRemoveSelf": "¿Está seguro de que desea eliminarse de esta organización?",
+    "userMessageOrgRemoveSelf": "Perderá acceso inmediatamente. Un administrador puede invitarlo de nuevo más tarde, pero necesitará aceptar una nueva invitación.",
+    "userRemoveOrgConfirmSelf": "Confirmar Eliminarme",
+    "userRemoveOrgSelf": "Eliminarse de la organización",
+    "userRemoveOrgSelfWarning": "Perderá acceso a esta organización inmediatamente.",
+    "userRemoveOrgConfirmPhraseSelf": "ELIMINARME DE LA ORGANIZACIÓN",
    "users": "Usuarios",
    "accessRoleMember": "Miembro",
    "accessRoleOwner": "Propietario",
@@ -531,6 +541,11 @@
    "emailInvalid": "Dirección de correo inválida",
    "inviteValidityDuration": "Por favor, seleccione una duración",
    "accessRoleSelectPlease": "Por favor, seleccione un rol",
+    "removeOwnAdminRoleConfirmTitle": "¿Eliminar su acceso de administrador?",
+    "removeOwnAdminRoleConfirmDescription": "Ya no tendrá permisos de administrador en esta organización después de guardar. Otro administrador puede restaurar el acceso si es necesario.",
+    "removeOwnAdminRoleConfirmButton": "Eliminar Mi Acceso de Administrador",
+    "removeOwnAdminRoleConfirmPhrase": "ELIMINAR MI ACCESO DE ADMINISTRADOR",
+    "ownerMustRetainAdminRole": "El propietario de la organización debe mantener al menos un rol de administrador.",
    "usernameRequired": "Nombre de usuario requerido",
    "idpSelectPlease": "Por favor, seleccione un proveedor de identidad",
    "idpGenericOidc": "Proveedor OAuth2/OIDC genérico.",
@@ -615,7 +630,7 @@
    "createdAt": "Creado el",
    "proxyErrorInvalidHeader": "Valor de cabecera de host personalizado no válido. Utilice el formato de nombre de dominio, o guarde en blanco para desestablecer cabecera de host personalizada.",
    "proxyErrorTls": "Nombre de servidor TLS inválido. Utilice el formato de nombre de dominio o guarde en blanco para eliminar el nombre de servidor TLS.",
-    "proxyEnableSSL": "Activar SSL",
+    "proxyEnableSSL": "Activar TLS",
    "proxyEnableSSLDescription": "Habilita el cifrado SSL/TLS para conexiones seguras HTTPS a los objetivos.",
    "target": "Target",
    "configureTarget": "Configurar objetivos",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Si se añade más de un objetivo anterior se activará el balance de carga.",
    "targetsSubmit": "Guardar objetivos",
    "addTarget": "Añadir destino",
+    "proxyMultiSiteRoundRobinNodeHelp": "El enrutamiento de turnos no funcionará entre sitios que no están conectados al mismo nodo, pero el failover funcionará.",
    "targetErrorInvalidIp": "Dirección IP inválida",
    "targetErrorInvalidIpDescription": "Por favor, introduzca una dirección IP válida o nombre de host",
    "targetErrorInvalidPort": "Puerto inválido",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Esquema",
-    "editInternalResourceDialogEnableSsl": "Activar SSL",
+    "editInternalResourceDialogEnableSsl": "Activar TLS",
    "editInternalResourceDialogEnableSslDescription": "Habilitar cifrado SSL/TLS para conexiones HTTPS seguras al destino.",
    "editInternalResourceDialogDestination": "Destino",
    "editInternalResourceDialogDestinationHostDescription": "La dirección IP o nombre de host del recurso en la red del sitio.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Esquema",
    "createInternalResourceDialogScheme": "Esquema",
-    "createInternalResourceDialogEnableSsl": "Activar SSL",
+    "createInternalResourceDialogEnableSsl": "Activar TLS",
    "createInternalResourceDialogEnableSslDescription": "Habilitar cifrado SSL/TLS para conexiones HTTPS seguras al destino.",
    "createInternalResourceDialogDestination": "Destino",
    "createInternalResourceDialogDestinationHostDescription": "La dirección IP o nombre de host del recurso en la red del sitio.",
@@ -2217,7 +2235,7 @@
        "description": "Servidor Pangolin autoalojado más fiable y de bajo mantenimiento con campanas y silbidos extra",
        "introTitle": "Pangolin autogestionado",
        "introDescription": "es una opción de despliegue diseñada para personas que quieren simplicidad y fiabilidad extra mientras mantienen sus datos privados y autoalojados.",
-        "introDetail": "Con esta opción, todavía ejecuta su propio nodo Pangolin, sus túneles, terminación SSL y tráfico permanecen en su servidor. La diferencia es que la gestión y el control se gestionan a través de nuestro panel de control en la nube, que desbloquea una serie de ventajas:",
+        "introDetail": "Con esta opción, todavía ejecuta su propio nodo Pangolin, sus túneles, terminación TLS y tráfico permanecen en su servidor. La diferencia es que la gestión y el control se gestionan a través de nuestro panel de control en la nube, que desbloquea una serie de ventajas:",
        "benefitSimplerOperations": {
            "title": "Operaciones simples",
            "description": "No necesitas ejecutar tu propio servidor de correo o configurar alertas complejas. Recibirás cheques de salud y alertas de tiempo de inactividad."
@@ -2652,6 +2670,8 @@
    "validPassword": "Contraseña válida",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Ver",
+    "configManaged": "Configuración Gestionada",
    "connectedClient": "Cliente conectado",
    "resourceBlocked": "Recurso bloqueado",
    "droppedByRule": "Soltado por regla",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Reenviar eventos directamente a tu cuenta de Datadog. Próximamente.",
    "streamingTypePickerDescription": "Elija un tipo de destino para empezar.",
-    "streamingFailedToLoad": "Error al cargar destinos",
+    "streamingLastSyncError": "Ocurrió un error en la última sincronización.",
    "streamingUnexpectedError": "Se ha producido un error inesperado.",
    "streamingFailedToUpdate": "Error al actualizar destino",
    "streamingDeletedSuccess": "Destino eliminado correctamente",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Editar destino",
    "S3DestAddTitle": "Añadir destino S3",
    "S3DestEditDescription": "Actualice la configuración para este destino de transmisión de eventos S3.",
-    "S3DestAddDescription": "Configure un nuevo punto final S3 para recibir los eventos de su organización.",
+    "S3DestAddDescription": "Configura un nuevo bucket de Amazon S3 (o compatible con S3) para recibir los eventos de tu organización.",
+    "s3DestTabSettings": "Ajustes",
+    "s3DestTabFormat": "Formato",
+    "s3DestNameLabel": "Nombre",
+    "s3DestNamePlaceholder": "Mi destino S3",
+    "s3DestAccessKeyIdLabel": "ID de clave de acceso de AWS",
+    "s3DestSecretAccessKeyLabel": "Clave de acceso secreta de AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Tu clave de acceso secreta de AWS",
+    "s3DestRegionLabel": "Región de AWS",
+    "s3DestBucketLabel": "Nombre del bucket",
+    "s3DestPrefixLabel": "Prefijo clave (opcional)",
+    "s3DestPrefixDescription": "Prefijo de ruta opcional preanexado a cada clave de objeto. Los objetos se almacenan en {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Punto final personalizado (opcional)",
+    "s3DestEndpointDescription": "Sobrescribe el punto final de S3 para almacenamiento compatible con S3 como MinIO o Cloudflare R2. Deja en blanco para el estándar AWS S3.",
+    "s3DestGzipLabel": "Compresión Gzip",
+    "s3DestGzipDescription": "Comprime cada objeto subido con gzip. Reduce costos de almacenamiento y tamaño de carga.",
+    "s3DestFormatTitle": "Formato de archivo",
+    "s3DestFormatDescription": "Cómo se serializan los eventos dentro de cada objeto cargado.",
+    "s3DestFormatJsonArrayDescription": "Cada objeto es un arreglo JSON de registros de eventos. Compatible con la mayoría de las herramientas de analítica.",
+    "s3DestFormatNdjsonDescription": "Cada objeto contiene un registro JSON por línea (JSON delimitado por nueva línea). Compatible con Athena, BigQuery y Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Cada objeto es un archivo CSV conforme a RFC-4180 con una fila de encabezado. Los nombres de columna se derivan de los campos de datos del evento.",
+    "s3DestSaveChanges": "Guardar cambios",
+    "s3DestCreateDestination": "Crear destino",
+    "s3DestUpdatedSuccess": "Destino actualizado con éxito",
+    "s3DestCreatedSuccess": "Destino creado con éxito",
+    "s3DestUpdateFailed": "No se pudo actualizar el destino",
+    "s3DestCreateFailed": "No se pudo crear el destino",
    "datadogDestEditTitle": "Editar destino",
    "datadogDestAddTitle": "Añadir destino Datadog",
    "datadogDestEditDescription": "Actualice la configuración para este destino de transmisión de eventos Datadog.",
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Une erreur s'est produite lors de la suppression du lien",
    "shareDeleted": "Lien supprimé",
    "shareDeletedDescription": "Le lien a été supprimé",
+    "shareDelete": "Supprimer le lien de partage",
+    "shareDeleteConfirm": "Confirmer la suppression du lien de partage",
+    "shareQuestionRemove": "Êtes-vous sûr de vouloir supprimer ce lien de partage ?",
+    "shareMessageRemove": "Une fois supprimé, le lien ne fonctionnera plus et toute personne l'utilisant perdra l'accès à la ressource.",
    "shareTokenDescription": "Le jeton d'accès peut être passé de deux façons : en tant que paramètre de requête ou dans les en-têtes de la requête. Elles doivent être transmises par le client à chaque demande d'accès authentifié.",
    "accessToken": "Jeton d'accès",
    "usageExamples": "Exemples d'utilisation",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Une fois retiré, cet utilisateur n'aura plus accès à l'organisation. Vous pouvez toujours le réinviter plus tard, mais il devra accepter l'invitation à nouveau.",
    "userRemoveOrgConfirm": "Confirmer la suppression de l'utilisateur",
    "userRemoveOrg": "Retirer l'utilisateur de l'organisation",
+    "userQuestionOrgRemoveSelf": "Êtes-vous sûr de vouloir vous retirer de cette organisation ?",
+    "userMessageOrgRemoveSelf": "Vous perdrez immédiatement l'accès. Un administrateur pourra vous inviter à nouveau plus tard, mais vous devrez accepter une nouvelle invitation.",
+    "userRemoveOrgConfirmSelf": "Confirmer la suppression de moi-même",
+    "userRemoveOrgSelf": "Se retirer de l'organisation",
+    "userRemoveOrgSelfWarning": "Vous perdrez immédiatement l'accès à cette organisation.",
+    "userRemoveOrgConfirmPhraseSelf": "SUPPRIMER MOI-MÊME DE L'ORG",
    "users": "Utilisateurs",
    "accessRoleMember": "Membre",
    "accessRoleOwner": "Propriétaire",
@@ -531,6 +541,11 @@
    "emailInvalid": "Adresse e-mail invalide",
    "inviteValidityDuration": "Veuillez sélectionner une durée",
    "accessRoleSelectPlease": "Veuillez sélectionner un rôle",
+    "removeOwnAdminRoleConfirmTitle": "Retirer votre accès administrateur ?",
+    "removeOwnAdminRoleConfirmDescription": "Vous n'aurez plus de droits d'administrateur dans cette organisation après avoir enregistré. Un autre administrateur pourra restaurer cet accès si nécessaire.",
+    "removeOwnAdminRoleConfirmButton": "Retirer mon accès administrateur",
+    "removeOwnAdminRoleConfirmPhrase": "RETIRER MON ACCÈS ADMIN",
+    "ownerMustRetainAdminRole": "Le propriétaire de l'organisation doit conserver au moins un rôle d'administrateur.",
    "usernameRequired": "Le nom d'utilisateur est requis",
    "idpSelectPlease": "Veuillez sélectionner un fournisseur d'identité",
    "idpGenericOidc": "Fournisseur OAuth2/OIDC générique.",
@@ -615,7 +630,7 @@
    "createdAt": "Créé le",
    "proxyErrorInvalidHeader": "Valeur d'en-tête Host personnalisée invalide. Utilisez le format de nom de domaine, ou laissez vide pour désactiver l'en-tête Host personnalisé.",
    "proxyErrorTls": "Nom de serveur TLS invalide. Utilisez le format de nom de domaine, ou laissez vide pour supprimer le nom de serveur TLS.",
-    "proxyEnableSSL": "Activer SSL",
+    "proxyEnableSSL": "Activer TLS",
    "proxyEnableSSLDescription": "Activer le cryptage SSL/TLS pour des connexions HTTPS sécurisées vers les cibles.",
    "target": "Cible",
    "configureTarget": "Configurer les cibles",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "L'ajout de plus d'une cible ci-dessus activera l'équilibrage de charge.",
    "targetsSubmit": "Enregistrer les cibles",
    "addTarget": "Ajouter une cible",
+    "proxyMultiSiteRoundRobinNodeHelp": "Le routage en tourniquet n'opérera pas entre des sites qui ne sont pas connectés au même nœud, mais le basculement fonctionnera.",
    "targetErrorInvalidIp": "Adresse IP invalide",
    "targetErrorInvalidIpDescription": "Veuillez entrer une adresse IP ou un nom d'hôte valide",
    "targetErrorInvalidPort": "Port invalide",
@@ -1356,7 +1372,7 @@
    "sidebarSites": "Nœuds",
    "sidebarApprovals": "Demandes d'approbation",
    "sidebarResources": "Ressource",
-    "sidebarProxyResources": "Publiques",
+    "sidebarProxyResources": "Publique",
    "sidebarClientResources": "Privé",
    "sidebarAccessControl": "Contrôle d'accès",
    "sidebarLogsAndAnalytics": "Journaux & Analytiques",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Méthode HTTP",
-    "editInternalResourceDialogEnableSsl": "Activer SSL",
+    "editInternalResourceDialogEnableSsl": "Activer TLS",
    "editInternalResourceDialogEnableSslDescription": "Activer le cryptage SSL/TLS pour des connexions HTTPS sécurisées vers la destination.",
    "editInternalResourceDialogDestination": "Destination",
    "editInternalResourceDialogDestinationHostDescription": "L'adresse IP ou le nom d'hôte de la ressource sur le réseau du site.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Méthode HTTP",
    "createInternalResourceDialogScheme": "Méthode HTTP",
-    "createInternalResourceDialogEnableSsl": "Activer SSL",
+    "createInternalResourceDialogEnableSsl": "Activer TLS",
    "createInternalResourceDialogEnableSslDescription": "Activer le cryptage SSL/TLS pour des connexions HTTPS sécurisées vers la destination.",
    "createInternalResourceDialogDestination": "Destination",
    "createInternalResourceDialogDestinationHostDescription": "L'adresse IP ou le nom d'hôte de la ressource sur le réseau du site.",
@@ -2217,7 +2235,7 @@
        "description": "Serveur Pangolin auto-hébergé avec des cloches et des sifflets supplémentaires",
        "introTitle": "Pangolin auto-hébergé géré",
        "introDescription": "est une option de déploiement conçue pour les personnes qui veulent de la simplicité et de la fiabilité tout en gardant leurs données privées et auto-hébergées.",
-        "introDetail": "Avec cette option, vous exécutez toujours votre propre nœud Pangolin - vos tunnels, la terminaison SSL et le trafic restent sur votre serveur. La différence est que la gestion et la surveillance sont gérées via notre tableau de bord du cloud, qui déverrouille un certain nombre d'avantages :",
+        "introDetail": "Avec cette option, vous exécutez toujours votre propre nœud Pangolin - vos tunnels, la terminaison TLS et le trafic restent sur votre serveur. La différence est que la gestion et la surveillance sont gérées via notre tableau de bord du cloud, qui déverrouille un certain nombre d'avantages :",
        "benefitSimplerOperations": {
            "title": "Opérations plus simples",
            "description": "Pas besoin de faire tourner votre propre serveur de messagerie ou de configurer des alertes complexes. Vous obtiendrez des contrôles de santé et des alertes de temps d'arrêt par la suite."
@@ -2458,8 +2476,8 @@
    "manageUserDevicesDescription": "Voir et gérer les appareils que les utilisateurs utilisent pour se connecter en privé aux ressources",
    "downloadClientBannerTitle": "Télécharger le client Pangolin",
    "downloadClientBannerDescription": "Téléchargez le client Pangolin pour votre système afin de vous connecter au réseau Pangolin et accéder aux ressources de manière privée.",
-    "manageMachineClients": "Gérer les machines",
-    "manageMachineClientsDescription": "Créer et gérer les clients que les serveurs et systèmes utilisent pour se connecter en privé aux ressources",
+    "manageMachineClients": "Gérer les clients de la machine",
+    "manageMachineClientsDescription": "Créer et gérer des clients que les serveurs et les systèmes utilisent pour se connecter en privé aux ressources",
    "machineClientsBannerTitle": "Serveurs & Systèmes automatisés",
    "machineClientsBannerDescription": "Les clients de machine sont conçus pour les serveurs et les systèmes automatisés qui ne sont pas associés à un utilisateur spécifique. Ils s'authentifient avec un identifiant et une clé secrète, et peuvent être exécutés avec Pangolin CLI, Olm CLI ou Olm en tant que conteneur.",
    "machineClientsBannerPangolinCLI": "Pangolin CLI",
@@ -2652,6 +2670,8 @@
    "validPassword": "Mot de passe valide",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Afficher",
+    "configManaged": "Configuration gérée",
    "connectedClient": "Client connecté",
    "resourceBlocked": "Ressource bloquée",
    "droppedByRule": "Abandonné par la règle",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Transférer des événements directement sur votre compte Datadog. Prochainement.",
    "streamingTypePickerDescription": "Choisissez un type de destination pour commencer.",
-    "streamingFailedToLoad": "Impossible de charger les destinations",
+    "streamingLastSyncError": "Une erreur s'est produite lors de la dernière synchronisation",
    "streamingUnexpectedError": "Une erreur inattendue s'est produite.",
    "streamingFailedToUpdate": "Impossible de mettre à jour la destination",
    "streamingDeletedSuccess": "Destination supprimée avec succès",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Modifier la destination",
    "S3DestAddTitle": "Ajouter une destination S3",
    "S3DestEditDescription": "Mettre à jour la configuration de cette destination de diffusion d'événements S3.",
-    "S3DestAddDescription": "Configurer un nouveau point de terminaison S3 pour recevoir les événements de votre organisation.",
+    "S3DestAddDescription": "Configurez un nouveau bucket Amazon S3 (ou compatible S3) pour recevoir les événements de votre organisation.",
+    "s3DestTabSettings": "Réglages",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Nom",
+    "s3DestNamePlaceholder": "Ma destination S3",
+    "s3DestAccessKeyIdLabel": "ID de clé d'accès AWS",
+    "s3DestSecretAccessKeyLabel": "Clé d'accès secrète AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Votre clé d'accès secrète AWS",
+    "s3DestRegionLabel": "Région AWS",
+    "s3DestBucketLabel": "Nom du bucket",
+    "s3DestPrefixLabel": "Préfixe clé (facultatif)",
+    "s3DestPrefixDescription": "Préfixe de chemin facultatif préfixé à chaque clé d'objet. Les objets sont stockés à {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Point de terminaison personnalisé (facultatif)",
+    "s3DestEndpointDescription": "Modifiez le point de terminaison S3 pour un stockage compatible S3 tel que MinIO ou Cloudflare R2. Laissez vide pour l'AWS S3 standard.",
+    "s3DestGzipLabel": "Compression Gzip",
+    "s3DestGzipDescription": "Compressez chaque objet téléchargé avec gzip. Réduit les coûts de stockage et la taille de téléchargement.",
+    "s3DestFormatTitle": "Format de fichier",
+    "s3DestFormatDescription": "Comment les événements sont sérialisés dans chaque objet téléchargé.",
+    "s3DestFormatJsonArrayDescription": "Chaque objet est un tableau JSON des enregistrements d'événements. Compatible avec la plupart des outils d'analyse.",
+    "s3DestFormatNdjsonDescription": "Chaque objet contient un enregistrement JSON par ligne (JSON délimité par saut de ligne). Compatible avec Athena, BigQuery et Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Chaque objet est un fichier CSV RFC-4180 avec une ligne d'en-tête. Les noms de colonne sont dérivés des champs de données de l'événement.",
+    "s3DestSaveChanges": "Enregistrer les modifications",
+    "s3DestCreateDestination": "Créer une destination",
+    "s3DestUpdatedSuccess": "Destination mise à jour avec succès",
+    "s3DestCreatedSuccess": "Destination créée avec succès",
+    "s3DestUpdateFailed": "Échec de la mise à jour de la destination",
+    "s3DestCreateFailed": "Échec de la création de la destination",
    "datadogDestEditTitle": "Modifier la destination",
    "datadogDestAddTitle": "Ajouter une destination Datadog",
    "datadogDestEditDescription": "Mettre à jour la configuration de cette destination de diffusion d'événements Datadog.",
@@ -3154,7 +3201,6 @@
    "healthCheckTabAdvanced": "Avancé",
    "healthCheckStrategyNotAvailable": "Cette stratégie n'est pas disponible. Veuillez contacter le service commercial pour activer cette fonctionnalité.",
    "uptime30d": "Disponibilité (30j)",
-    "uptimeNoData": "Aucune donnée",
    "idpAddActionCreateNew": "Créer un nouveau fournisseur d'identité",
    "idpAddActionImportFromOrg": "Importer d'une autre organisation",
    "idpImportDialogTitle": "Importer le fournisseur d'identité",
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Si è verificato un errore durante l'eliminazione del link",
    "shareDeleted": "Link eliminato",
    "shareDeletedDescription": "Il link è stato eliminato",
+    "shareDelete": "Elimina Link di Condivisione",
+    "shareDeleteConfirm": "Conferma Eliminazione Link di Condivisione",
+    "shareQuestionRemove": "Sei sicuro di voler eliminare questo link di condivisione?",
+    "shareMessageRemove": "Una volta eliminato, il link non funzionerà più e chiunque lo utilizzi perderà l'accesso alla risorsa.",
    "shareTokenDescription": "Il token di accesso può essere passato in due modi: come parametro di interrogazione o nelle intestazioni della richiesta. Questi devono essere passati dal client su ogni richiesta di accesso autenticato.",
    "accessToken": "Token Di Accesso",
    "usageExamples": "Esempi Di Utilizzo",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Una volta rimosso questo utente non avrà più accesso all'organizzazione. Puoi sempre reinvitarlo in seguito, ma dovrà accettare nuovamente l'invito.",
    "userRemoveOrgConfirm": "Conferma Rimozione Utente",
    "userRemoveOrg": "Rimuovi Utente dall'Organizzazione",
+    "userQuestionOrgRemoveSelf": "Sei sicuro di voler rimuovere te stesso da questa organizzazione?",
+    "userMessageOrgRemoveSelf": "Perderai immediatamente l'accesso. Un amministratore può invitarti nuovamente in seguito, ma dovrai accettare un nuovo invito.",
+    "userRemoveOrgConfirmSelf": "Conferma Rimozione Me Stesso",
+    "userRemoveOrgSelf": "Rimuoviti dall'organizzazione",
+    "userRemoveOrgSelfWarning": "Perderai immediatamente l'accesso a questa organizzazione.",
+    "userRemoveOrgConfirmPhraseSelf": "RIMUOVITI DALL'ORGANIZZAZIONE",
    "users": "Utenti",
    "accessRoleMember": "Membro",
    "accessRoleOwner": "Proprietario",
@@ -531,6 +541,11 @@
    "emailInvalid": "Indirizzo email non valido",
    "inviteValidityDuration": "Seleziona una durata",
    "accessRoleSelectPlease": "Seleziona un ruolo",
+    "removeOwnAdminRoleConfirmTitle": "Rimuovere il tuo accesso amministrativo?",
+    "removeOwnAdminRoleConfirmDescription": "Non avrai più i permessi di amministratore in questa organizzazione dopo il salvataggio. Un altro amministratore può ripristinare l'accesso se necessario.",
+    "removeOwnAdminRoleConfirmButton": "Rimuovere il Mio Accesso Amministrativo",
+    "removeOwnAdminRoleConfirmPhrase": "RIMUOVERE IL MIO ACCESSO AMMINISTRATIVO",
+    "ownerMustRetainAdminRole": "Il proprietario dell'organizzazione deve mantenere almeno un ruolo di amministratore.",
    "usernameRequired": "Username richiesto",
    "idpSelectPlease": "Seleziona un provider di identità",
    "idpGenericOidc": "Provider OAuth2/OIDC generico.",
@@ -615,7 +630,7 @@
    "createdAt": "Creato Il",
    "proxyErrorInvalidHeader": "Valore dell'intestazione Host personalizzata non valido. Usa il formato nome dominio o salva vuoto per rimuovere l'intestazione Host personalizzata.",
    "proxyErrorTls": "Nome Server TLS non valido. Usa il formato nome dominio o salva vuoto per rimuovere il Nome Server TLS.",
-    "proxyEnableSSL": "Abilita SSL",
+    "proxyEnableSSL": "Abilita TLS",
    "proxyEnableSSLDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alle risorse interne target.",
    "target": "Target",
    "configureTarget": "Configura Risorse Interne",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "L'aggiunta di più di un target abiliterà il bilanciamento del carico.",
    "targetsSubmit": "Salva Target",
    "addTarget": "Aggiungi Target",
+    "proxyMultiSiteRoundRobinNodeHelp": "Il routing round robin non funzionerà tra siti che non sono connessi allo stesso nodo, ma il failover funzionerà.",
    "targetErrorInvalidIp": "Indirizzo IP non valido",
    "targetErrorInvalidIpDescription": "Inserisci un indirizzo IP o un hostname valido",
    "targetErrorInvalidPort": "Porta non valida",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Metodo HTTP",
-    "editInternalResourceDialogEnableSsl": "Abilitare SSL",
+    "editInternalResourceDialogEnableSsl": "Abilitare TLS",
    "editInternalResourceDialogEnableSslDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alla destinazione.",
    "editInternalResourceDialogDestination": "Destinazione",
    "editInternalResourceDialogDestinationHostDescription": "L'indirizzo IP o il nome host della risorsa nella rete del sito.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Metodo HTTP",
    "createInternalResourceDialogScheme": "Metodo HTTP",
-    "createInternalResourceDialogEnableSsl": "Abilitare SSL",
+    "createInternalResourceDialogEnableSsl": "Abilitare TLS",
    "createInternalResourceDialogEnableSslDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alla destinazione.",
    "createInternalResourceDialogDestination": "Destinazione",
    "createInternalResourceDialogDestinationHostDescription": "L'indirizzo IP o il nome host della risorsa nella rete del sito.",
@@ -2217,7 +2235,7 @@
        "description": "Server Pangolin self-hosted più affidabile e a bassa manutenzione con campanelli e fischietti extra",
        "introTitle": "Managed Self-Hosted Pangolin",
        "introDescription": "è un'opzione di distribuzione progettata per le persone che vogliono la semplicità e l'affidabilità extra mantenendo i loro dati privati e self-hosted.",
-        "introDetail": "Con questa opzione, esegui ancora il tuo nodo Pangolin - i tunnel, la terminazione SSL e il traffico rimangono tutti sul tuo server. La differenza è che la gestione e il monitoraggio sono gestiti attraverso il nostro cruscotto cloud, che sblocca una serie di vantaggi:",
+        "introDetail": "Con questa opzione, esegui ancora il tuo nodo Pangolin - i tunnel, la terminazione TLS e il traffico rimangono tutti sul tuo server. La differenza è che la gestione e il monitoraggio sono gestiti attraverso il nostro cruscotto cloud, che sblocca una serie di vantaggi:",
        "benefitSimplerOperations": {
            "title": "Operazioni più semplici",
            "description": "Non è necessario eseguire il proprio server di posta o impostare un avviso complesso. Otterrai controlli di salute e avvisi di inattività fuori dalla casella."
@@ -2652,6 +2670,8 @@
    "validPassword": "Password Valida",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Visualizza",
+    "configManaged": "Gestione Configurazione",
    "connectedClient": "Cliente Connesso",
    "resourceBlocked": "Risorsa Bloccata",
    "droppedByRule": "Eliminato dalla regola",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Inoltra gli eventi direttamente al tuo account Datadog. In arrivo.",
    "streamingTypePickerDescription": "Scegli un tipo di destinazione per iniziare.",
-    "streamingFailedToLoad": "Impossibile caricare le destinazioni",
+    "streamingLastSyncError": "Si è verificato un errore durante l'ultima sincronizzazione",
    "streamingUnexpectedError": "Si è verificato un errore imprevisto.",
    "streamingFailedToUpdate": "Impossibile aggiornare la destinazione",
    "streamingDeletedSuccess": "Destinazione eliminata con successo",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Modifica Destinazione",
    "S3DestAddTitle": "Aggiungi Destinazione S3",
    "S3DestEditDescription": "Aggiorna la configurazione per questa destinazione di streaming eventi S3.",
-    "S3DestAddDescription": "Configura un nuovo endpoint S3 per ricevere gli eventi della tua organizzazione.",
+    "S3DestAddDescription": "Configura un nuovo bucket Amazon S3 (o compatibile con S3) per ricevere gli eventi della tua organizzazione.",
+    "s3DestTabSettings": "Impostazioni",
+    "s3DestTabFormat": "Formato",
+    "s3DestNameLabel": "Nome",
+    "s3DestNamePlaceholder": "La mia destinazione S3",
+    "s3DestAccessKeyIdLabel": "ID Chiave Accesso AWS",
+    "s3DestSecretAccessKeyLabel": "Chiave Segreta Accesso AWS",
+    "s3DestSecretAccessKeyPlaceholder": "La tua chiave segreta di accesso AWS",
+    "s3DestRegionLabel": "Regione AWS",
+    "s3DestBucketLabel": "Nome Bucket",
+    "s3DestPrefixLabel": "Prefisso Chiave (facoltativo)",
+    "s3DestPrefixDescription": "Prefisso percorso facoltativo anteposto a ogni chiave oggetto. Gli oggetti vengono archiviati in {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Endpoint personalizzato (facoltativo)",
+    "s3DestEndpointDescription": "Sostituisci l'endpoint S3 per lo storage compatibile con S3 come MinIO o Cloudflare R2. Lasciare vuoto per l'AWS S3 standard.",
+    "s3DestGzipLabel": "Compressione Gzip",
+    "s3DestGzipDescription": "Comprimi ogni oggetto caricato con gzip. Riduce i costi di archiviazione e la dimensione di caricamento.",
+    "s3DestFormatTitle": "Formato del File",
+    "s3DestFormatDescription": "Come gli eventi sono serializzati all'interno di ciascun oggetto caricato.",
+    "s3DestFormatJsonArrayDescription": "Ogni oggetto è un array JSON di record di eventi. Compatibile con la maggior parte degli strumenti analitici.",
+    "s3DestFormatNdjsonDescription": "Ogni oggetto contiene un record JSON per linea (JSON delimitato da newline). Compatibile con Athena, BigQuery e Spark.",
+    "s3DestFormatCsvTitle": "\"CSV\"",
+    "s3DestFormatCsvDescription": "Ogni oggetto è un file CSV RFC-4180 con una riga di intestazione. I nomi delle colonne sono derivati dai campi dei dati degli eventi.",
+    "s3DestSaveChanges": "Salva modifiche",
+    "s3DestCreateDestination": "Crea destinazione",
+    "s3DestUpdatedSuccess": "Destinazione aggiornata con successo",
+    "s3DestCreatedSuccess": "Destinazione creata con successo",
+    "s3DestUpdateFailed": "Aggiornamento della destinazione fallito",
+    "s3DestCreateFailed": "Creazione della destinazione fallita",
    "datadogDestEditTitle": "Modifica Destinazione",
    "datadogDestAddTitle": "Aggiungi Destinazione Datadog",
    "datadogDestEditDescription": "Aggiorna la configurazione per questa destinazione di streaming eventi Datadog.",
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "링크 삭제 중 오류가 발생했습니다.",
    "shareDeleted": "링크가 삭제되었습니다.",
    "shareDeletedDescription": "링크가 삭제되었습니다.",
+    "shareDelete": "공유 링크 삭제",
+    "shareDeleteConfirm": "공유 링크 삭제 확인",
+    "shareQuestionRemove": "이 공유 링크를 삭제하시겠습니까?",
+    "shareMessageRemove": "삭제되면 링크가 더 이상 작동하지 않으며, 이를 사용하는 모든 사용자는 자원에 대한 접근을 잃게 됩니다.",
    "shareTokenDescription": "액세스 토큰은 쿼리 매개변수 또는 요청 헤더의 두 가지 방법으로 전달될 수 있습니다. 이는 인증된 액세스를 위해 클라이언트에서 모든 요청마다 전달되어야 합니다.",
    "accessToken": "액세스 토큰",
    "usageExamples": "사용 예",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "이 사용자가 제거되면 더 이상 조직에 접근할 수 없습니다. 나중에 다시 초대할 수 있지만, 초대를 다시 수락해야 합니다.",
    "userRemoveOrgConfirm": "사용자 제거 확인",
    "userRemoveOrg": "조직에서 사용자 제거",
+    "userQuestionOrgRemoveSelf": "이 조직에서 자신을 제거하시겠습니까?",
+    "userMessageOrgRemoveSelf": "귀하는 즉시 접근 권한을 잃게 됩니다. 관리자가 나중에 다시 초대할 수 있지만, 새 초대를 수락해야 합니다.",
+    "userRemoveOrgConfirmSelf": "내 제거 확인",
+    "userRemoveOrgSelf": "조직에서 자신을 제거하십시오",
+    "userRemoveOrgSelfWarning": "귀하는 이 조직에 대한 접근 권한을 즉시 상실합니다.",
+    "userRemoveOrgConfirmPhraseSelf": "조직에서 나를 제거",
    "users": "사용자",
    "accessRoleMember": "회원",
    "accessRoleOwner": "소유자",
@@ -531,6 +541,11 @@
    "emailInvalid": "유효하지 않은 이메일 주소입니다.",
    "inviteValidityDuration": "지속 시간을 선택하십시오.",
    "accessRoleSelectPlease": "역할을 선택하세요",
+    "removeOwnAdminRoleConfirmTitle": "관리자 권한을 제거하시겠습니까?",
+    "removeOwnAdminRoleConfirmDescription": "저장 후 이 조직에 대한 관리자 권한이 없어집니다. 필요한 경우 다른 관리자가 접근 권한을 복구할 수 있습니다.",
+    "removeOwnAdminRoleConfirmButton": "내 관리자 권한 제거",
+    "removeOwnAdminRoleConfirmPhrase": "내 관리자 권한 제거",
+    "ownerMustRetainAdminRole": "조직 소유자는 최소한 하나의 관리자 역할을 유지해야 합니다.",
    "usernameRequired": "사용자 이름은 필수입니다.",
    "idpSelectPlease": "신원 제공자를 선택하십시오",
    "idpGenericOidc": "일반 OAuth2/OIDC 공급자.",
@@ -615,7 +630,7 @@
    "createdAt": "생성일",
    "proxyErrorInvalidHeader": "잘못된 사용자 정의 호스트 헤더 값입니다. 도메인 이름 형식을 사용하거나 사용자 정의 호스트 헤더를 해제하려면 비워 두십시오.",
    "proxyErrorTls": "유효하지 않은 TLS 서버 이름입니다. 도메인 이름 형식을 사용하거나 비워 두어 TLS 서버 이름을 제거하십시오.",
-    "proxyEnableSSL": "SSL 활성화",
+    "proxyEnableSSL": "TLS 활성화",
    "proxyEnableSSLDescription": "타겟과의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화를 활성화하세요.",
    "target": "대상",
    "configureTarget": "대상 구성",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "위에 하나 이상의 대상을 추가하면 로드 밸런싱이 활성화됩니다.",
    "targetsSubmit": "대상 저장",
    "addTarget": "대상 추가",
+    "proxyMultiSiteRoundRobinNodeHelp": "라운드 로빈 라우팅은 동일한 노드에 연결되지 않은 사이트 간에는 작동하지 않으나, 대체 라우팅은 작동합니다.",
    "targetErrorInvalidIp": "유효하지 않은 IP 주소",
    "targetErrorInvalidIpDescription": "유효한 IP 주소 또는 호스트 이름을 입력하세요.",
    "targetErrorInvalidPort": "유효하지 않은 포트",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "스킴",
-    "editInternalResourceDialogEnableSsl": "SSL 활성화",
+    "editInternalResourceDialogEnableSsl": "TLS 활성화",
    "editInternalResourceDialogEnableSslDescription": "목적지로의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화 활성화.",
    "editInternalResourceDialogDestination": "대상지",
    "editInternalResourceDialogDestinationHostDescription": "사이트 네트워크의 자원 IP 주소입니다.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "스킴",
    "createInternalResourceDialogScheme": "스킴",
-    "createInternalResourceDialogEnableSsl": "SSL 활성화",
+    "createInternalResourceDialogEnableSsl": "TLS 활성화",
    "createInternalResourceDialogEnableSslDescription": "목적지로의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화 활성화.",
    "createInternalResourceDialogDestination": "대상지",
    "createInternalResourceDialogDestinationHostDescription": "사이트 네트워크의 자원 IP 주소입니다.",
@@ -2217,7 +2235,7 @@
        "description": "더 신뢰할 수 있고 낮은 유지보수의 자체 호스팅 팡골린 서버, 추가 기능 포함",
        "introTitle": "관리 자체 호스팅 팡골린",
        "introDescription": "는 자신의 데이터를 프라이빗하고 자체 호스팅을 유지하면서 더 간단하고 추가적인 신뢰성을 원하는 사람들을 위한 배포 옵션입니다.",
-        "introDetail": "이 옵션을 사용하면 여전히 자신의 팡골린 노드를 운영하고 - 터널, SSL 종료 및 트래픽 모두 서버에 유지됩니다. 차이점은 관리 및 모니터링이 클라우드 대시보드를 통해 처리되어 여러 혜택을 제공합니다.",
+        "introDetail": "이 옵션을 사용하면 여전히 자신의 팡골린 노드를 운영하고 - 터널, TLS 종료 및 트래픽 모두 서버에 유지됩니다. 차이점은 관리 및 모니터링이 클라우드 대시보드를 통해 처리되어 여러 혜택을 제공합니다.",
        "benefitSimplerOperations": {
            "title": "더 간단한 운영",
            "description": "자체 메일 서버를 운영하거나 복잡한 경고를 설정할 필요가 없습니다. 기본적으로 상태 점검 및 다운타임 경고를 받을 수 있습니다."
@@ -2652,6 +2670,8 @@
    "validPassword": "유효한 비밀번호",
    "validEmail": "유효한 이메일",
    "validSSO": "유효한 SSO",
+    "view": "보기",
+    "configManaged": "구성 관리됨",
    "connectedClient": "연결된 클라이언트",
    "resourceBlocked": "리소스 차단됨",
    "droppedByRule": "룰에 의해 드롭됨",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "데이터독",
    "streamingDatadogDescription": "이벤트를 직접 Datadog 계정으로 전달합니다. 곧 제공됩니다.",
    "streamingTypePickerDescription": "목표 유형을 선택하여 시작합니다.",
-    "streamingFailedToLoad": "대상 로드에 실패했습니다",
+    "streamingLastSyncError": "마지막 동기화에서 오류가 발생했습니다.",
    "streamingUnexpectedError": "예기치 않은 오류가 발생했습니다.",
    "streamingFailedToUpdate": "대상지를 업데이트하는 데 실패했습니다",
    "streamingDeletedSuccess": "대상지가 성공적으로 삭제되었습니다",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "대상지 수정",
    "S3DestAddTitle": "S3 대상지 추가",
    "S3DestEditDescription": "이 S3 이벤트 스트리밍 대상지의 구성을 업데이트하세요.",
-    "S3DestAddDescription": "조직의 이벤트를 받기 위한 새로운 S3 엔드포인트를 구성하세요.",
+    "S3DestAddDescription": "조직의 이벤트를 수신할 새로운 Amazon S3(또는 S3 호환) 버킷을 구성하세요.",
+    "s3DestTabSettings": "설정",
+    "s3DestTabFormat": "형식",
+    "s3DestNameLabel": "이름",
+    "s3DestNamePlaceholder": "내 S3 대상",
+    "s3DestAccessKeyIdLabel": "AWS 액세스 키 ID",
+    "s3DestSecretAccessKeyLabel": "AWS 비밀 액세스 키",
+    "s3DestSecretAccessKeyPlaceholder": "귀하의 AWS 비밀 액세스 키",
+    "s3DestRegionLabel": "AWS 지역",
+    "s3DestBucketLabel": "버킷 이름",
+    "s3DestPrefixLabel": "키 접두사(선택 사항)",
+    "s3DestPrefixDescription": "하나의 객체 키 앞에 붙이는 선택적 경로 접두사입니다. 객체는 {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}에 저장됩니다.",
+    "s3DestEndpointLabel": "사용자 정의 엔드포인트(선택 사항)",
+    "s3DestEndpointDescription": "MinIO 또는 Cloudflare R2와 같은 S3 호환 저장소에 대한 S3 엔드포인트를 재정의합니다. 표준 AWS S3의 경우 비워 두십시오.",
+    "s3DestGzipLabel": "Gzip 압축",
+    "s3DestGzipDescription": "각 업로드된 객체를 gzip으로 압축합니다. 저장 비용과 업로드 크기를 줄입니다.",
+    "s3DestFormatTitle": "파일 형식",
+    "s3DestFormatDescription": "업로드된 각 객체 내에서 이벤트가 직렬화되는 방식입니다.",
+    "s3DestFormatJsonArrayDescription": "각 객체는 이벤트 기록의 JSON 배열입니다. 대부분의 분석 도구와 호환됩니다.",
+    "s3DestFormatNdjsonDescription": "각 객체는 한 줄당 하나의 JSON 레코드를 포함합니다(새 줄로 구분된 JSON). Athena, BigQuery, Spark와 호환됩니다.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "각 객체는 헤더 행이 있는 RFC-4180 CSV 파일입니다. 열 이름은 이벤트 데이터 필드에서 파생됩니다.",
+    "s3DestSaveChanges": "변경 사항 저장",
+    "s3DestCreateDestination": "대상 생성",
+    "s3DestUpdatedSuccess": "대상이 성공적으로 업데이트되었습니다",
+    "s3DestCreatedSuccess": "대상이 성공적으로 생성되었습니다",
+    "s3DestUpdateFailed": "대상 업데이트에 실패했습니다",
+    "s3DestCreateFailed": "대상 생성에 실패했습니다",
    "datadogDestEditTitle": "대상지 수정",
    "datadogDestAddTitle": "Datadog 대상지 추가",
    "datadogDestEditDescription": "이 Datadog 이벤트 스트리밍 대상지의 구성을 업데이트하세요.",
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "En feil oppstod ved sletting av lenke",
    "shareDeleted": "Lenke slettet",
    "shareDeletedDescription": "Lenken har blitt slettet",
+    "shareDelete": "Slett delingslenke",
+    "shareDeleteConfirm": "Bekreft sletting av delingslenke",
+    "shareQuestionRemove": "Er du sikker på at du vil slette denne delingslenken?",
+    "shareMessageRemove": "Når slettet, vil lenken ikke lenger fungere, og alle som bruker den vil miste tilgang til ressursen.",
    "shareTokenDescription": "Adgangstoken kan sendes på to måter: som en spørringsparameter eller i forespørselsoverskriftene. Disse må sendes fra klienten på hver forespørsel om autentisert tilgang.",
    "accessToken": "Tilgangsnøkkel",
    "usageExamples": "Brukseksempler",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Når denne brukeren er fjernet, vil de ikke lenger ha tilgang til organisasjonen. Du kan alltid invitere dem på nytt senere, men de vil måtte godta invitasjonen på nytt.",
    "userRemoveOrgConfirm": "Bekreft fjerning av bruker",
    "userRemoveOrg": "Fjern bruker fra organisasjon",
+    "userQuestionOrgRemoveSelf": "Er du sikker på at du vil fjerne deg selv fra denne organisasjonen?",
+    "userMessageOrgRemoveSelf": "Du vil miste tilgang umiddelbart. En administrator kan invitere deg igjen senere, men du må godta en ny invitasjon.",
+    "userRemoveOrgConfirmSelf": "Bekreft fjerning av meg selv",
+    "userRemoveOrgSelf": "Fjern deg selv fra organisasjonen",
+    "userRemoveOrgSelfWarning": "Du vil miste tilgangen til denne organisasjonen umiddelbart.",
+    "userRemoveOrgConfirmPhraseSelf": "FJERN MEG SELV FRA ORG",
    "users": "Brukere",
    "accessRoleMember": "Medlem",
    "accessRoleOwner": "Eier",
@@ -531,6 +541,11 @@
    "emailInvalid": "Ugyldig e-postadresse",
    "inviteValidityDuration": "Vennligst velg en varighet",
    "accessRoleSelectPlease": "Vennligst velg en rolle",
+    "removeOwnAdminRoleConfirmTitle": "Fjern din administratoradgang?",
+    "removeOwnAdminRoleConfirmDescription": "Du vil ikke lenger ha administratorrettigheter i denne organisasjonen etter lagring. En annen administrator kan gjenopprette tilgang hvis nødvendig.",
+    "removeOwnAdminRoleConfirmButton": "Fjern min administratoradgang",
+    "removeOwnAdminRoleConfirmPhrase": "FJERN MIN ADMINISTRATORADGANG",
+    "ownerMustRetainAdminRole": "Organisasjonseier må beholde minst én administratorrolle.",
    "usernameRequired": "Brukernavn er påkrevd",
    "idpSelectPlease": "Vennligst velg en identitetsleverandør",
    "idpGenericOidc": "Generisk OAuth2/OIDC-leverandør.",
@@ -615,7 +630,7 @@
    "createdAt": "Opprettet",
    "proxyErrorInvalidHeader": "Ugyldig verdi for egendefinert vertsoverskrift. Bruk domenenavnformat, eller lagre tomt for å fjerne den egendefinerte vertsoverskriften.",
    "proxyErrorTls": "Ugyldig TLS-servernavn. Bruk domenenavnformat, eller la stå tomt for å fjerne TLS-servernavnet.",
-    "proxyEnableSSL": "Aktiver SSL",
+    "proxyEnableSSL": "Aktiver TLS",
    "proxyEnableSSLDescription": "Aktivere SSL/TLS-kryptering for sikker HTTPS tilkobling til målene.",
    "target": "Target",
    "configureTarget": "Konfigurer mål",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Å legge til mer enn ett mål ovenfor vil aktivere lastbalansering.",
    "targetsSubmit": "Lagre mål",
    "addTarget": "Legg til mål",
+    "proxyMultiSiteRoundRobinNodeHelp": "Rundkjøringrutefordeling vil ikke fungere mellom steder som ikke er koblet til samme node, men failover vil fungere.",
    "targetErrorInvalidIp": "Ugyldig IP-adresse",
    "targetErrorInvalidIpDescription": "Skriv inn en gyldig IP-adresse eller vertsnavn",
    "targetErrorInvalidPort": "Ugyldig port",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Skjema",
-    "editInternalResourceDialogEnableSsl": "Aktiver SSL",
+    "editInternalResourceDialogEnableSsl": "Aktiver TLS",
    "editInternalResourceDialogEnableSslDescription": "Aktiver SSL/TLS-kryptering for sikre HTTPS-tilkoblinger til destinasjonen.",
    "editInternalResourceDialogDestination": "Destinasjon",
    "editInternalResourceDialogDestinationHostDescription": "IP-adressen eller vertsnavnet til ressursen på nettstedets nettverk.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Skjema",
    "createInternalResourceDialogScheme": "Skjema",
-    "createInternalResourceDialogEnableSsl": "Aktiver SSL",
+    "createInternalResourceDialogEnableSsl": "Aktiver TLS",
    "createInternalResourceDialogEnableSslDescription": "Aktiver SSL/TLS-kryptering for sikre HTTPS-tilkoblinger til destinasjonen.",
    "createInternalResourceDialogDestination": "Destinasjon",
    "createInternalResourceDialogDestinationHostDescription": "IP-adressen eller vertsnavnet til ressursen på nettstedets nettverk.",
@@ -2217,7 +2235,7 @@
        "description": "Sikre og lavvedlikeholdsservere, selvbetjente Pangolin med ekstra klokker, og understell",
        "introTitle": "Administrert Self-Hosted Pangolin",
        "introDescription": "er et alternativ for bruk utviklet for personer som ønsker enkel og ekstra pålitelighet mens de fortsatt holder sine data privat og selvdrevne.",
-        "introDetail": "Med dette valget kjører du fortsatt din egen Pangolin-node - tunneler, SSL-terminering og trafikken ligger på serveren din. Forskjellen er at behandling og overvåking håndteres gjennom vårt skydashbord, som låser opp en rekke fordeler:",
+        "introDetail": "Med dette valget kjører du fortsatt din egen Pangolin-node - tunneler, TLS-terminering og trafikken ligger på serveren din. Forskjellen er at behandling og overvåking håndteres gjennom vårt skydashbord, som låser opp en rekke fordeler:",
        "benefitSimplerOperations": {
            "title": "Enklere operasjoner",
            "description": "Ingen grunn til å kjøre din egen e-postserver eller sette opp kompleks varsling. Du vil få helsesjekk og nedetid varsler ut av boksen."
@@ -2652,6 +2670,8 @@
    "validPassword": "Gyldig passord",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Vis",
+    "configManaged": "Konfigurasjon administrert",
    "connectedClient": "Tilkoblet klient",
    "resourceBlocked": "Ressurs blokkert",
    "droppedByRule": "Legg i regelen",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Videresend arrangementer direkte til din Datadog-konto. Kommer snart.",
    "streamingTypePickerDescription": "Velg en måltype for å komme i gang.",
-    "streamingFailedToLoad": "Kan ikke laste inn destinasjoner",
+    "streamingLastSyncError": "Det oppstod en feil under siste synkronisering",
    "streamingUnexpectedError": "En uventet feil oppstod.",
    "streamingFailedToUpdate": "Kunne ikke oppdatere destinasjon",
    "streamingDeletedSuccess": "Målet ble slettet",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Rediger destinasjon",
    "S3DestAddTitle": "Legg til S3 destinasjon",
    "S3DestEditDescription": "Oppdatere konfigurasjonen for denne S3-hendelsesstrømmingsdestinasjonen.",
-    "S3DestAddDescription": "Konfigurer et nytt S3-endepunkt for å motta organisasjonens hendelser.",
+    "S3DestAddDescription": "Konfigurer en ny Amazon S3 (eller S3-kompatibel) bucket for å motta din organisasjons hendelser.",
+    "s3DestTabSettings": "Innstillinger",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Navn",
+    "s3DestNamePlaceholder": "Min S3-destinasjon",
+    "s3DestAccessKeyIdLabel": "AWS tilgangsnøkkel-ID",
+    "s3DestSecretAccessKeyLabel": "AWS hemmelige tilgangsnøkkel",
+    "s3DestSecretAccessKeyPlaceholder": "Din AWS secret access key",
+    "s3DestRegionLabel": "AWS-region",
+    "s3DestBucketLabel": "Bucket-navn",
+    "s3DestPrefixLabel": "Nøkkelprefiks (valgfritt)",
+    "s3DestPrefixDescription": "Valgfritt bane-prefiks lagt til hver objektnøkkel. Objekter er lagret på {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Egendefinert endepunkt (valgfritt)",
+    "s3DestEndpointDescription": "Overstyr S3-endepunktet for S3-kompatibel lagring som MinIO eller Cloudflare R2. La stå tomt for standard AWS S3.",
+    "s3DestGzipLabel": "Gzip-komprimering",
+    "s3DestGzipDescription": "Komprimer hvert opplastede objekt med gzip. Reduserer lagringskostnader og opplastingsstørrelse.",
+    "s3DestFormatTitle": "Filformat",
+    "s3DestFormatDescription": "Hvordan hendelser er serialisert inni hvert opplastede objekt.",
+    "s3DestFormatJsonArrayDescription": "Hvert objekt er et JSON-array av hendelsesposter. Kompatibel med de fleste analyseverktøy.",
+    "s3DestFormatNdjsonDescription": "Hvert objekt inneholder en JSON-post per linje (nylinje-delt JSON). Kompatibel med Athena, BigQuery, og Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Hvert objekt er en RFC-4180 CSV-fil med en overskriftsrad. Kolonnenavn er avledet fra hendelsesdatafeltene.",
+    "s3DestSaveChanges": "Lagre endringer",
+    "s3DestCreateDestination": "Opprett destinasjon",
+    "s3DestUpdatedSuccess": "Destinasjon oppdatert vellykket",
+    "s3DestCreatedSuccess": "Destinasjon opprettet vellykket",
+    "s3DestUpdateFailed": "Kunne ikke oppdatere destinasjon",
+    "s3DestCreateFailed": "Kunne ikke opprette destinasjon",
    "datadogDestEditTitle": "Rediger destinasjon",
    "datadogDestAddTitle": "Legg til Datadog destinasjon",
    "datadogDestEditDescription": "Oppdatere konfigurasjonen for denne Datadog-hendelsesstrømmingsdestinasjonen.",
@@ -3174,7 +3221,7 @@
    "publicIpEndpoint": "Endepunkt",
    "lastTriggeredAt": "Siste utløste",
    "reject": "Avvis",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "{count} dager siden",
    "uptimeToday": "I dag",
    "uptimeNoDataAvailable": "Ingen data tilgjengelig",
    "uptimeSuffix": "oppetid",
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Fout opgetreden tijdens het verwijderen link",
    "shareDeleted": "Link verwijderd",
    "shareDeletedDescription": "De link is verwijderd",
+    "shareDelete": "Verwijder Deel Link",
+    "shareDeleteConfirm": "Bevestig verwijdering van Deel Link",
+    "shareQuestionRemove": "Weet u zeker dat u deze deel link wilt verwijderen?",
+    "shareMessageRemove": "Zodra verwijderd, zal de link niet meer werken en zal iedereen die het gebruikt de toegang tot de bron verliezen.",
    "shareTokenDescription": "De toegangstoken kan op twee manieren worden doorgegeven: als queryparameter of in de aanvraagheaders. Deze moeten worden doorgegeven van de client op elk verzoek voor geverifieerde toegang.",
    "accessToken": "Toegangs-token",
    "usageExamples": "Voorbeelden van gebruik",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Eenmaal verwijderd, heeft deze gebruiker geen toegang meer tot de organisatie. Je kunt ze later altijd opnieuw uitnodigen, maar ze zullen de uitnodiging opnieuw moeten accepteren.",
    "userRemoveOrgConfirm": "Bevestig verwijderen gebruiker",
    "userRemoveOrg": "Gebruiker uit organisatie verwijderen",
+    "userQuestionOrgRemoveSelf": "Weet u zeker dat u zichzelf uit deze organisatie wilt verwijderen?",
+    "userMessageOrgRemoveSelf": "U verliest onmiddellijk toegang. Een beheerder kan u later opnieuw uitnodigen, maar u moet een nieuwe uitnodiging accepteren.",
+    "userRemoveOrgConfirmSelf": "Bevestig Verwijder Mijn Persoon",
+    "userRemoveOrgSelf": "Verwijder uzelf uit de organisatie",
+    "userRemoveOrgSelfWarning": "U verliest onmiddellijk toegang tot deze organisatie.",
+    "userRemoveOrgConfirmPhraseSelf": "VERWIJDER MIJ UIT ORGANISATIE",
    "users": "Gebruikers",
    "accessRoleMember": "Lid",
    "accessRoleOwner": "Eigenaar",
@@ -531,6 +541,11 @@
    "emailInvalid": "Ongeldig e-mailadres",
    "inviteValidityDuration": "Selecteer een tijdsduur",
    "accessRoleSelectPlease": "Selecteer een rol",
+    "removeOwnAdminRoleConfirmTitle": "Uw beheerderstoegang verwijderen?",
+    "removeOwnAdminRoleConfirmDescription": "U zult na het opslaan geen beheerdersrechten meer hebben in deze organisatie. Een andere beheerder kan de toegang indien nodig herstellen.",
+    "removeOwnAdminRoleConfirmButton": "Verwijder Mijn Beheerderstoegang",
+    "removeOwnAdminRoleConfirmPhrase": "VERWIJDER MIJN BEHEERDERSTOEGANG",
+    "ownerMustRetainAdminRole": "De organisatie-eigenaar moet minstens één beheerdersrol behouden.",
    "usernameRequired": "Gebruikersnaam is verplicht",
    "idpSelectPlease": "Selecteer een identiteitsprovider",
    "idpGenericOidc": "Algemene OAuth2/OIDC provider.",
@@ -615,7 +630,7 @@
    "createdAt": "Aangemaakt op",
    "proxyErrorInvalidHeader": "Ongeldige aangepaste Header waarde. Gebruik het domeinnaam formaat, of sla leeg op om de aangepaste Host header ongedaan te maken.",
    "proxyErrorTls": "Ongeldige TLS servernaam. Gebruik de domeinnaam of sla leeg op om de TLS servernaam te verwijderen.",
-    "proxyEnableSSL": "SSL inschakelen",
+    "proxyEnableSSL": "TLS inschakelen",
    "proxyEnableSSLDescription": "SSL/TLS-versleuteling inschakelen voor beveiligde HTTPS-verbindingen naar de doelen.",
    "target": "Target",
    "configureTarget": "Doelstellingen configureren",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Het toevoegen van meer dan één doel hierboven zal de load balancering mogelijk maken.",
    "targetsSubmit": "Doelstellingen opslaan",
    "addTarget": "Doelwit toevoegen",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round-robin routering werkt niet tussen locaties die niet met hetzelfde knooppunt zijn verbonden, maar failover werkt wel.",
    "targetErrorInvalidIp": "Ongeldig IP-adres",
    "targetErrorInvalidIpDescription": "Voer een geldig IP-adres of hostnaam in",
    "targetErrorInvalidPort": "Ongeldige poort",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schema",
-    "editInternalResourceDialogEnableSsl": "SSL inschakelen",
+    "editInternalResourceDialogEnableSsl": "TLS inschakelen",
    "editInternalResourceDialogEnableSslDescription": "Schakel SSL/TLS-encryptie in voor beveiligde HTTPS-verbindingen met de bestemming.",
    "editInternalResourceDialogDestination": "Bestemming",
    "editInternalResourceDialogDestinationHostDescription": "Het IP-adres of de hostnaam van de bron op het netwerk van de site.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schema",
    "createInternalResourceDialogScheme": "Schema",
-    "createInternalResourceDialogEnableSsl": "SSL inschakelen",
+    "createInternalResourceDialogEnableSsl": "TLS inschakelen",
    "createInternalResourceDialogEnableSslDescription": "Schakel SSL/TLS-encryptie in voor beveiligde HTTPS-verbindingen met de bestemming.",
    "createInternalResourceDialogDestination": "Bestemming",
    "createInternalResourceDialogDestinationHostDescription": "Het IP-adres of de hostnaam van de bron op het netwerk van de site.",
@@ -2217,7 +2235,7 @@
        "description": "betrouwbaardere en slecht onderhouden Pangolin server met extra klokken en klokkenluiders",
        "introTitle": "Beheerde zelfgehoste pangolin",
        "introDescription": "is een implementatieoptie ontworpen voor mensen die eenvoud en extra betrouwbaarheid willen, terwijl hun gegevens privé en zelf georganiseerd blijven.",
-        "introDetail": "Met deze optie beheert u nog steeds uw eigen Pangolin node - uw tunnels, SSL-verbinding en verkeer alles op uw server. Het verschil is dat beheer en monitoring worden behandeld via onze cloud dashboard, wat een aantal voordelen oplevert:",
+        "introDetail": "Met deze optie beheert u nog steeds uw eigen Pangolin node - uw tunnels, TLS-verbinding en verkeer alles op uw server. Het verschil is dat beheer en monitoring worden behandeld via onze cloud dashboard, wat een aantal voordelen oplevert:",
        "benefitSimplerOperations": {
            "title": "Simpler operaties",
            "description": "Je hoeft geen eigen mailserver te draaien of complexe waarschuwingen in te stellen. Je krijgt gezondheidscontroles en downtime meldingen uit de box."
@@ -2652,6 +2670,8 @@
    "validPassword": "Geldig wachtwoord",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Bekijk",
+    "configManaged": "Configuratie Beheerd",
    "connectedClient": "Verbonden Client",
    "resourceBlocked": "Bron geblokkeerd",
    "droppedByRule": "Achtergelaten door regel",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Stuur gebeurtenissen rechtstreeks door naar je Datadog account. Binnenkort beschikbaar.",
    "streamingTypePickerDescription": "Kies een bestemmingstype om te beginnen.",
-    "streamingFailedToLoad": "Laden van bestemmingen mislukt",
+    "streamingLastSyncError": "Er is een fout opgetreden bij de laatste synchronisatie",
    "streamingUnexpectedError": "Er is een onverwachte fout opgetreden.",
    "streamingFailedToUpdate": "Bijwerken bestemming mislukt",
    "streamingDeletedSuccess": "Bestemming succesvol verwijderd",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Bestemming bewerken",
    "S3DestAddTitle": "S3-bestemming toevoegen",
    "S3DestEditDescription": "Werk de configuratie bij voor deze S3-gebeurtenisstreamingbestemming.",
-    "S3DestAddDescription": "Configureer een nieuw S3-eindpunt om de gebeurtenissen van uw organisatie te ontvangen.",
+    "S3DestAddDescription": "Configureer een nieuwe Amazon S3 (of S3-compatibele) bucket om de gebeurtenissen van uw organisatie te ontvangen.",
+    "s3DestTabSettings": "Instellingen",
+    "s3DestTabFormat": "Formaat",
+    "s3DestNameLabel": "Naam",
+    "s3DestNamePlaceholder": "Mijn S3-bestemming",
+    "s3DestAccessKeyIdLabel": "AWS-toegangssleutel-ID",
+    "s3DestSecretAccessKeyLabel": "AWS Geheime Toegangssleutel",
+    "s3DestSecretAccessKeyPlaceholder": "Uw AWS geheime toegangssleutel",
+    "s3DestRegionLabel": "AWS-regio",
+    "s3DestBucketLabel": "Bucketnaam",
+    "s3DestPrefixLabel": "Sleutelvoorvoegsel (optioneel)",
+    "s3DestPrefixDescription": "Optioneel padvoorvoegsel dat aan elke object sleutel wordt toegevoegd. Objecten worden opgeslagen op {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Aangepast Eindpunt (optioneel)",
+    "s3DestEndpointDescription": "Overschrijf het S3-eindpunt voor S3-compatibele opslag zoals MinIO of Cloudflare R2. Laat leeg voor standaard AWS S3.",
+    "s3DestGzipLabel": "Gzip-compressie",
+    "s3DestGzipDescription": "Comprimeer elk geüpload object met gzip. Verlaagt opslagkosten en uploadgrootte.",
+    "s3DestFormatTitle": "Bestandsformaat",
+    "s3DestFormatDescription": "Hoe gebeurtenissen binnen elk geüpload object worden geserialiseerd.",
+    "s3DestFormatJsonArrayDescription": "Elk object is een JSON-array van gebeurtenisrecords. Compatibel met de meeste analysetools.",
+    "s3DestFormatNdjsonDescription": "Elk object bevat één JSON-record per regel (nieuwregel-gescheiden JSON). Compatibel met Athena, BigQuery en Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Elk object is een RFC-4180 CSV-bestand met een kopregel. Kolomnamen zijn afgeleid van de gebeurtenis gegevensvelden.",
+    "s3DestSaveChanges": "Wijzigingen opslaan",
+    "s3DestCreateDestination": "Bestemming maken",
+    "s3DestUpdatedSuccess": "Bestemming succesvol bijgewerkt",
+    "s3DestCreatedSuccess": "Bestemming succesvol gecreëerd",
+    "s3DestUpdateFailed": "Bijwerken bestemming mislukt",
+    "s3DestCreateFailed": "Aanmaken bestemming mislukt",
    "datadogDestEditTitle": "Bestemming bewerken",
    "datadogDestAddTitle": "Datadog-bestemming toevoegen",
    "datadogDestEditDescription": "Werk de configuratie bij voor deze Datadog-gebeurtenisstreamingbestemming.",
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Wystąpił błąd podczas usuwania linku",
    "shareDeleted": "Link usunięty",
    "shareDeletedDescription": "Link został usunięty",
+    "shareDelete": "Usuń link udostępniania",
+    "shareDeleteConfirm": "Potwierdź usunięcie linku udostępniania",
+    "shareQuestionRemove": "Czy na pewno chcesz usunąć ten link udostępniania?",
+    "shareMessageRemove": "Po usunięciu, link przestanie działać i wszyscy korzystający z niego stracą dostęp do zasobu.",
    "shareTokenDescription": "Token dostępu może być przekazywany na dwa sposoby: jako parametr zapytania lub w nagłówkach żądania. Muszą być przekazywane z klienta na każde żądanie uwierzytelnionego dostępu.",
    "accessToken": "Token dostępu",
    "usageExamples": "Przykłady użycia",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Po usunięciu ten użytkownik nie będzie miał już dostępu do organizacji. Zawsze możesz ponownie go zaprosić później, ale będzie musiał ponownie zaakceptować zaproszenie.",
    "userRemoveOrgConfirm": "Potwierdź usunięcie użytkownika",
    "userRemoveOrg": "Usuń użytkownika z organizacji",
+    "userQuestionOrgRemoveSelf": "Czy na pewno chcesz usunąć się z tej organizacji?",
+    "userMessageOrgRemoveSelf": "Stracisz dostęp natychmiastowo. Administrator może cię ponownie zaprosić, ale będziesz musiał przyjąć nowe zaproszenie.",
+    "userRemoveOrgConfirmSelf": "Potwierdź usunięcie siebie",
+    "userRemoveOrgSelf": "Usuń siebie z organizacji",
+    "userRemoveOrgSelfWarning": "Natychmiast stracisz dostęp do tej organizacji.",
+    "userRemoveOrgConfirmPhraseSelf": "USUŃ SIEBIE Z ORGANIZACJI",
    "users": "Użytkownicy",
    "accessRoleMember": "Członek",
    "accessRoleOwner": "Właściciel",
@@ -531,6 +541,11 @@
    "emailInvalid": "Nieprawidłowy adres e-mail",
    "inviteValidityDuration": "Proszę wybrać okres ważności",
    "accessRoleSelectPlease": "Proszę wybrać rolę",
+    "removeOwnAdminRoleConfirmTitle": "Usunąć dostęp administratora?",
+    "removeOwnAdminRoleConfirmDescription": "Po zapisaniu nie będziesz już posiadał uprawnień administratora w tej organizacji. Inny administrator może przywrócić dostęp, jeśli to konieczne.",
+    "removeOwnAdminRoleConfirmButton": "Usuń mój dostęp administratora",
+    "removeOwnAdminRoleConfirmPhrase": "USUŃ MÓJ DOSTĘP ADMINISTRATORA",
+    "ownerMustRetainAdminRole": "Właściciel organizacji musi zachować co najmniej jedną rolę administratora.",
    "usernameRequired": "Nazwa użytkownika jest wymagana",
    "idpSelectPlease": "Proszę wybrać dostawcę tożsamości",
    "idpGenericOidc": "Ogólny dostawca OAuth2/OIDC.",
@@ -615,7 +630,7 @@
    "createdAt": "Utworzono",
    "proxyErrorInvalidHeader": "Nieprawidłowa wartość niestandardowego nagłówka hosta. Użyj formatu nazwy domeny lub zapisz pusty, aby usunąć niestandardowy nagłówek hosta.",
    "proxyErrorTls": "Nieprawidłowa nazwa serwera TLS. Użyj formatu nazwy domeny lub zapisz pusty, aby usunąć nazwę serwera TLS.",
-    "proxyEnableSSL": "Włącz SSL",
+    "proxyEnableSSL": "Włącz TLS",
    "proxyEnableSSLDescription": "Włącz szyfrowanie SSL/TLS dla bezpiecznych połączeń HTTPS z celami.",
    "target": "Target",
    "configureTarget": "Konfiguruj Targety",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Dodanie więcej niż jednego celu powyżej włączy równoważenie obciążenia.",
    "targetsSubmit": "Zapisz cele",
    "addTarget": "Dodaj cel",
+    "proxyMultiSiteRoundRobinNodeHelp": "Trasowanie round-robin nie będzie działać między witrynami, które nie są połączone z tym samym węzłem, ale przełączanie awaryjne będzie działać.",
    "targetErrorInvalidIp": "Nieprawidłowy adres IP",
    "targetErrorInvalidIpDescription": "Wprowadź prawidłowy adres IP lub nazwę hosta",
    "targetErrorInvalidPort": "Nieprawidłowy port",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schemat",
-    "editInternalResourceDialogEnableSsl": "Włącz SSL",
+    "editInternalResourceDialogEnableSsl": "Włącz TLS",
    "editInternalResourceDialogEnableSslDescription": "Włącz szyfrowanie SSL/TLS dla bezpiecznych połączeń HTTPS z miejscem docelowym.",
    "editInternalResourceDialogDestination": "Miejsce docelowe",
    "editInternalResourceDialogDestinationHostDescription": "Adres IP lub nazwa hosta zasobu w sieci witryny.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schemat",
    "createInternalResourceDialogScheme": "Schemat",
-    "createInternalResourceDialogEnableSsl": "Włącz SSL",
+    "createInternalResourceDialogEnableSsl": "Włącz TLS",
    "createInternalResourceDialogEnableSslDescription": "Włącz szyfrowanie SSL/TLS dla bezpiecznych połączeń HTTPS z miejscem docelowym.",
    "createInternalResourceDialogDestination": "Miejsce docelowe",
    "createInternalResourceDialogDestinationHostDescription": "Adres IP lub nazwa hosta zasobu w sieci witryny.",
@@ -2217,7 +2235,7 @@
        "description": "Większa niezawodność i niska konserwacja serwera Pangolin z dodatkowymi dzwonkami i sygnałami",
        "introTitle": "Zarządzany samowystarczalny Pangolin",
        "introDescription": "jest opcją wdrażania zaprojektowaną dla osób, które chcą prostoty i dodatkowej niezawodności, przy jednoczesnym utrzymaniu swoich danych prywatnych i samodzielnych.",
-        "introDetail": "Z tą opcją nadal obsługujesz swój własny węzeł Pangolin - tunele, zakończenie SSL i ruch na Twoim serwerze. Różnica polega na tym, że zarządzanie i monitorowanie odbywa się za pomocą naszej tablicy rozdzielczej, która odblokowuje szereg korzyści:",
+        "introDetail": "Z tą opcją nadal obsługujesz swój własny węzeł Pangolin - tunele, zakończenie TLS i ruch na Twoim serwerze. Różnica polega na tym, że zarządzanie i monitorowanie odbywa się za pomocą naszej tablicy rozdzielczej, która odblokowuje szereg korzyści:",
        "benefitSimplerOperations": {
            "title": "Uproszczone operacje",
            "description": "Nie ma potrzeby uruchamiania własnego serwera pocztowego lub ustawiania skomplikowanych powiadomień. Będziesz mieć kontrolę zdrowia i powiadomienia o przestoju."
@@ -2652,6 +2670,8 @@
    "validPassword": "Prawidłowe hasło",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Zobacz",
+    "configManaged": "Konfiguracja zarządzana",
    "connectedClient": "Połączony Klient",
    "resourceBlocked": "Zasób zablokowany",
    "droppedByRule": "Upuszczone przez regułę",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Przekaż wydarzenia bezpośrednio do Twojego konta Datadog. Już wkrótce.",
    "streamingTypePickerDescription": "Wybierz typ docelowy, aby rozpocząć.",
-    "streamingFailedToLoad": "Nie udało się załadować miejsc docelowych",
+    "streamingLastSyncError": "Wystąpił błąd podczas ostatniej synchronizacji",
    "streamingUnexpectedError": "Wystąpił nieoczekiwany błąd.",
    "streamingFailedToUpdate": "Nie udało się zaktualizować miejsca docelowego",
    "streamingDeletedSuccess": "Cel usunięty pomyślnie",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Edytuj Miejsce Docelowe",
    "S3DestAddTitle": "Dodaj Miejsce Docelowe S3",
    "S3DestEditDescription": "Zaktualizuj konfigurację dla tego miejsca docelowego strumieniowego zdarzeń S3.",
-    "S3DestAddDescription": "Skonfiguruj nowy punkt końcowy S3, aby odbierać zdarzenia Twojej organizacji.",
+    "S3DestAddDescription": "Skonfiguruj nowy zasobnik Amazon S3 (lub zgodny z S3), aby otrzymywać zdarzenia twojej organizacji.",
+    "s3DestTabSettings": "Ustawienia",
+    "s3DestTabFormat": "Format",
+    "s3DestNameLabel": "Nazwa",
+    "s3DestNamePlaceholder": "Moje miejsce docelowe S3",
+    "s3DestAccessKeyIdLabel": "AWS Access Key ID",
+    "s3DestSecretAccessKeyLabel": "AWS Secret Access Key",
+    "s3DestSecretAccessKeyPlaceholder": "Twój AWS Secret Access Key",
+    "s3DestRegionLabel": "Region AWS",
+    "s3DestBucketLabel": "Nazwa kubła",
+    "s3DestPrefixLabel": "Prefiks klucza (opcjonalnie)",
+    "s3DestPrefixDescription": "Opcjonalny prefiks ścieżki dołączony do każdego klucza obiektu. Obiekty są przechowywane w {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Niestandardowy punkt końcowy (opcjonalnie)",
+    "s3DestEndpointDescription": "Nadpisz punkt końcowy S3 dla zgodnego przechowywania danych, takiego jak MinIO lub Cloudflare R2. Pozostaw puste dla standardowego AWS S3.",
+    "s3DestGzipLabel": "Kompresja Gzip",
+    "s3DestGzipDescription": "Skompresuj każdy przesłany obiekt za pomocą gzip. Zmniejsza koszty przechowywania i rozmiar przesyłu.",
+    "s3DestFormatTitle": "Format pliku",
+    "s3DestFormatDescription": "Jak zdarzenia są serializowane w każdym przesłanym obiekcie.",
+    "s3DestFormatJsonArrayDescription": "Każdy obiekt to tablica JSON z rekordami zdarzeń. Zgodne z większością narzędzi analitycznych.",
+    "s3DestFormatNdjsonDescription": "Każdy obiekt zawiera jeden rekord JSON na linię (nowa linia-dzielone JSON). Zgodne z Athena, BigQuery i Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Każdy obiekt to plik CSV zgodny z RFC-4180 z wierszem nagłówka. Nazwy kolumn pochodzą z pól danych zdarzeń.",
+    "s3DestSaveChanges": "Zapisz zmiany",
+    "s3DestCreateDestination": "Utwórz miejsce docelowe",
+    "s3DestUpdatedSuccess": "Miejsce docelowe zaktualizowane pomyślnie",
+    "s3DestCreatedSuccess": "Miejsce docelowe utworzone pomyślnie",
+    "s3DestUpdateFailed": "Nie udało się zaktualizować miejsca docelowego",
+    "s3DestCreateFailed": "Nie udało się utworzyć miejsca docelowego",
    "datadogDestEditTitle": "Edytuj Miejsce Docelowe",
    "datadogDestAddTitle": "Dodaj Miejsce Docelowe Datadog",
    "datadogDestEditDescription": "Zaktualizuj konfigurację dla tego miejsca docelowego strumieniowego zdarzeń Datadog.",
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Ocorreu um erro ao apagar o link",
    "shareDeleted": "Link excluído",
    "shareDeletedDescription": "O link foi eliminado",
+    "shareDelete": "Excluir Link de Compartilhamento",
+    "shareDeleteConfirm": "Confirmar Exclusão de Link de Compartilhamento",
+    "shareQuestionRemove": "Tem certeza de que deseja excluir este link de compartilhamento?",
+    "shareMessageRemove": "Uma vez excluído, o link não funcionará mais e qualquer pessoa que o utilizar perderá o acesso ao recurso.",
    "shareTokenDescription": "O token de acesso pode ser passado de duas maneiras: como um parâmetro de consulta ou nos cabeçalhos da solicitação. Estes devem ser passados do cliente em todas as solicitações para acesso autenticado.",
    "accessToken": "Token de acesso",
    "usageExamples": "Exemplos de uso",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Uma vez removido, este utilizador não terá mais acesso à organização. Você sempre pode reconvidá-lo depois, mas eles precisarão aceitar o convite novamente.",
    "userRemoveOrgConfirm": "Confirmar Remoção do Usuário",
    "userRemoveOrg": "Remover Usuário da Organização",
+    "userQuestionOrgRemoveSelf": "Tem certeza de que deseja se remover desta organização?",
+    "userMessageOrgRemoveSelf": "Você perderá o acesso imediatamente. Um administrador poderá convidá-lo novamente mais tarde, mas você precisará aceitar um novo convite.",
+    "userRemoveOrgConfirmSelf": "Confirmar a Remoção de Mim Mesmo",
+    "userRemoveOrgSelf": "Remover-se da organização",
+    "userRemoveOrgSelfWarning": "Você perderá o acesso a esta organização imediatamente.",
+    "userRemoveOrgConfirmPhraseSelf": "REMOVER-ME DA ORG",
    "users": "Utilizadores",
    "accessRoleMember": "Membro",
    "accessRoleOwner": "Proprietário",
@@ -531,6 +541,11 @@
    "emailInvalid": "Endereço de email inválido",
    "inviteValidityDuration": "Por favor, selecione uma duração",
    "accessRoleSelectPlease": "Por favor, selecione uma função",
+    "removeOwnAdminRoleConfirmTitle": "Remover seu acesso de administrador?",
+    "removeOwnAdminRoleConfirmDescription": "Você não terá mais permissões de administrador nesta organização após salvar. Outro administrador pode restaurar seu acesso, se necessário.",
+    "removeOwnAdminRoleConfirmButton": "Remover Meu Acesso de Administrador",
+    "removeOwnAdminRoleConfirmPhrase": "REMOVER MEU ACESSO DE ADMIN",
+    "ownerMustRetainAdminRole": "O proprietário da organização deve manter pelo menos um papel de administrador.",
    "usernameRequired": "Nome de utilizador é obrigatório",
    "idpSelectPlease": "Por favor, selecione um provedor de identidade",
    "idpGenericOidc": "Provedor genérico OAuth2/OIDC.",
@@ -615,7 +630,7 @@
    "createdAt": "Criado Em",
    "proxyErrorInvalidHeader": "Valor do cabeçalho Host personalizado inválido. Use o formato de nome de domínio ou salve vazio para remover o cabeçalho Host personalizado.",
    "proxyErrorTls": "Nome do Servidor TLS inválido. Use o formato de nome de domínio ou salve vazio para remover o Nome do Servidor TLS.",
-    "proxyEnableSSL": "Habilitar SSL",
+    "proxyEnableSSL": "Habilitar TLS",
    "proxyEnableSSLDescription": "Habilitar criptografia SSL/TLS para conexões HTTPS seguras aos alvos.",
    "target": "Target",
    "configureTarget": "Configurar Alvos",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Adicionar mais de um alvo acima habilitará o balanceamento de carga.",
    "targetsSubmit": "Guardar Alvos",
    "addTarget": "Adicionar Alvo",
+    "proxyMultiSiteRoundRobinNodeHelp": "O roteamento round robin não funcionará entre sites que não estão conectados ao mesmo nó, mas o failover funcionará.",
    "targetErrorInvalidIp": "Endereço IP inválido",
    "targetErrorInvalidIpDescription": "Por favor, insira um endereço IP ou nome de host válido",
    "targetErrorInvalidPort": "Porta inválida",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Esquema",
-    "editInternalResourceDialogEnableSsl": "Ativar SSL",
+    "editInternalResourceDialogEnableSsl": "Ativar TLS",
    "editInternalResourceDialogEnableSslDescription": "Ativar criptografia SSL/TLS para conexões HTTPS seguras com o destino.",
    "editInternalResourceDialogDestination": "Destino",
    "editInternalResourceDialogDestinationHostDescription": "O endereço IP ou o nome do host do recurso na rede do site.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Esquema",
    "createInternalResourceDialogScheme": "Esquema",
-    "createInternalResourceDialogEnableSsl": "Ativar SSL",
+    "createInternalResourceDialogEnableSsl": "Ativar TLS",
    "createInternalResourceDialogEnableSslDescription": "Ativar criptografia SSL/TLS para conexões HTTPS seguras com o destino.",
    "createInternalResourceDialogDestination": "Destino",
    "createInternalResourceDialogDestinationHostDescription": "O endereço IP ou o nome do host do recurso na rede do site.",
@@ -2217,7 +2235,7 @@
        "description": "Servidor Pangolin auto-hospedado mais confiável e com baixa manutenção com sinos extras e assobiamentos",
        "introTitle": "Pangolin Auto-Hospedado Gerenciado",
        "introDescription": "é uma opção de implantação projetada para pessoas que querem simplicidade e confiança adicional, mantendo os seus dados privados e auto-hospedados.",
-        "introDetail": "Com esta opção, você ainda roda seu próprio nó Pangolin - seus túneis, terminação SSL e tráfego todos permanecem no seu servidor. A diferença é que a gestão e a monitorização são geridos através do nosso painel de nuvem, que desbloqueia vários benefícios:",
+        "introDetail": "Com esta opção, você ainda roda seu próprio nó Pangolin - seus túneis, terminação TLS e tráfego todos permanecem no seu servidor. A diferença é que a gestão e a monitorização são geridos através do nosso painel de nuvem, que desbloqueia vários benefícios:",
        "benefitSimplerOperations": {
            "title": "Operações simples",
            "description": "Não é necessário executar o seu próprio servidor de e-mail ou configurar um alerta complexo. Você receberá fora de caixa verificações de saúde e alertas de tempo de inatividade."
@@ -2652,6 +2670,8 @@
    "validPassword": "Senha válida",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Visualizar",
+    "configManaged": "Configuração Gerenciada",
    "connectedClient": "Cliente Conectado",
    "resourceBlocked": "Recurso bloqueado",
    "droppedByRule": "Derrubado pela regra",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Encaminha eventos diretamente para a sua conta no Datadog. Em breve.",
    "streamingTypePickerDescription": "Escolha um tipo de destino para começar.",
-    "streamingFailedToLoad": "Falha ao carregar destinos",
+    "streamingLastSyncError": "Ocorreu um erro na última sincronização",
    "streamingUnexpectedError": "Ocorreu um erro inesperado.",
    "streamingFailedToUpdate": "Falha ao atualizar destino",
    "streamingDeletedSuccess": "Destino apagado com sucesso",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Editar Destino",
    "S3DestAddTitle": "Adicionar Destino S3",
    "S3DestEditDescription": "Atualize a configuração para este destino de streaming de eventos S3.",
-    "S3DestAddDescription": "Configure um novo endpoint S3 para receber os eventos da sua organização.",
+    "S3DestAddDescription": "Configure um novo bucket Amazon S3 (ou compatível com S3) para receber os eventos da sua organização.",
+    "s3DestTabSettings": "Configurações",
+    "s3DestTabFormat": "Formato",
+    "s3DestNameLabel": "Nome",
+    "s3DestNamePlaceholder": "Meu destino S3",
+    "s3DestAccessKeyIdLabel": "ID da Chave de Acesso AWS",
+    "s3DestSecretAccessKeyLabel": "Chave de Acesso Secreta AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Sua chave de acesso secreta AWS",
+    "s3DestRegionLabel": "Região AWS",
+    "s3DestBucketLabel": "Nome do Bucket",
+    "s3DestPrefixLabel": "Prefixo da Chave (opcional)",
+    "s3DestPrefixDescription": "Prefixo de caminho opcional adicionado a cada chave de objeto. Os objetos são armazenados em {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Endpoint Personalizado (opcional)",
+    "s3DestEndpointDescription": "Substitua o endpoint S3 por armazenamento compatível com S3, como MinIO ou Cloudflare R2. Deixe em branco para o padrão AWS S3.",
+    "s3DestGzipLabel": "Compressão Gzip",
+    "s3DestGzipDescription": "Comprime cada objeto carregado com gzip. Reduz custos de armazenamento e tamanho de upload.",
+    "s3DestFormatTitle": "Formato de Arquivo",
+    "s3DestFormatDescription": "Como os eventos são serializados dentro de cada objeto carregado.",
+    "s3DestFormatJsonArrayDescription": "Cada objeto é um array JSON de registros de eventos. Compatível com a maioria das ferramentas de análise.",
+    "s3DestFormatNdjsonDescription": "Cada objeto contém um registro JSON por linha (JSON delimitado por nova linha). Compatível com Athena, BigQuery e Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Cada objeto é um arquivo CSV RFC-4180 com uma linha de cabeçalho. Nomes de colunas são derivados dos campos de dados do evento.",
+    "s3DestSaveChanges": "Salvar Alterações",
+    "s3DestCreateDestination": "Criar Destino",
+    "s3DestUpdatedSuccess": "Destino atualizado com sucesso",
+    "s3DestCreatedSuccess": "Destino criado com sucesso",
+    "s3DestUpdateFailed": "Falha ao atualizar destino",
+    "s3DestCreateFailed": "Falha ao criar destino",
    "datadogDestEditTitle": "Editar Destino",
    "datadogDestAddTitle": "Adicionar Destino Datadog",
    "datadogDestEditDescription": "Atualize a configuração para este destino de streaming de eventos Datadog.",
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Произошла ошибка при удалении ссылки",
    "shareDeleted": "Ссылка удалена",
    "shareDeletedDescription": "Ссылка была успешно удалена",
+    "shareDelete": "Удалить общую ссылку",
+    "shareDeleteConfirm": "Подтвердите удаление общей ссылки",
+    "shareQuestionRemove": "Вы уверены, что хотите удалить эту общую ссылку?",
+    "shareMessageRemove": "После удаления ссылка перестанет работать, и все, кто ее использует, потеряют доступ к ресурсу.",
    "shareTokenDescription": "Токен доступа может быть передан двумя способами: как параметр запроса или в заголовках запроса. Они должны быть переданы от клиента по каждому запросу для аутентифицированного доступа.",
    "accessToken": "Токен доступа",
    "usageExamples": "Примеры использования",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "После удаления этот пользователь больше не будет иметь доступ к организации. Вы всегда можете пригласить его заново, но ему нужно будет снова принять приглашение.",
    "userRemoveOrgConfirm": "Подтвердить удаление пользователя",
    "userRemoveOrg": "Удалить пользователя из организации",
+    "userQuestionOrgRemoveSelf": "Вы уверены, что хотите удалить себя из этой организации?",
+    "userMessageOrgRemoveSelf": "Вы немедленно потеряете доступ. Администратор сможет снова пригласить вас позже, но вам нужно будет принять новое приглашение.",
+    "userRemoveOrgConfirmSelf": "Подтвердите удаление себя",
+    "userRemoveOrgSelf": "Удалите себя из организации",
+    "userRemoveOrgSelfWarning": "Вы немедленно потеряете доступ к этой организации.",
+    "userRemoveOrgConfirmPhraseSelf": "Удалить себя из организации",
    "users": "Пользователи",
    "accessRoleMember": "Участник",
    "accessRoleOwner": "Владелец",
@@ -531,6 +541,11 @@
    "emailInvalid": "Неверный адрес Email",
    "inviteValidityDuration": "Пожалуйста, выберите продолжительность",
    "accessRoleSelectPlease": "Пожалуйста, выберите роль",
+    "removeOwnAdminRoleConfirmTitle": "Удалить доступ администратора?",
+    "removeOwnAdminRoleConfirmDescription": "После сохранения у вас больше не будет прав администратора в этой организации. Другой администратор может восстановить доступ, если это необходимо.",
+    "removeOwnAdminRoleConfirmButton": "Удалить мой доступ администратора",
+    "removeOwnAdminRoleConfirmPhrase": "УДАЛИТЬ МОЙ ДОСТУП АДМИНИСТРАТОРА",
+    "ownerMustRetainAdminRole": "Владелец организации должен сохранить по крайней мере одну роль администратора.",
    "usernameRequired": "Имя пользователя обязательно",
    "idpSelectPlease": "Пожалуйста, выберите Identity Provider",
    "idpGenericOidc": "Обычный OAuth2/OIDC provider.",
@@ -615,7 +630,7 @@
    "createdAt": "Создано в",
    "proxyErrorInvalidHeader": "Неверное значение пользовательского заголовка Host. Используйте формат доменного имени или оставьте пустым для сброса пользовательского заголовка Host.",
    "proxyErrorTls": "Неверное имя TLS сервера. Используйте формат доменного имени или оставьте пустым для удаления имени TLS сервера.",
-    "proxyEnableSSL": "Включить SSL",
+    "proxyEnableSSL": "Включить TLS",
    "proxyEnableSSLDescription": "Включить шифрование SSL/TLS для безопасных HTTPS соединений с целями.",
    "target": "Target",
    "configureTarget": "Настроить адресаты",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Добавление более одной цели выше включит балансировку нагрузки.",
    "targetsSubmit": "Сохранить цели",
    "addTarget": "Добавить цель",
+    "proxyMultiSiteRoundRobinNodeHelp": "Роутинг с балансировкой нагрузки не будет работать между сайтами, не подключенными к одному и тому же узлу, но подмена будет работать.",
    "targetErrorInvalidIp": "Неверный IP-адрес",
    "targetErrorInvalidIpDescription": "Пожалуйста, введите действительный IP адрес или имя хоста",
    "targetErrorInvalidPort": "Неверный порт",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "СИДР",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Схема",
-    "editInternalResourceDialogEnableSsl": "Включить SSL",
+    "editInternalResourceDialogEnableSsl": "Включить TLS",
    "editInternalResourceDialogEnableSslDescription": "Включите шифрование SSL/TLS для защищенных HTTPS соединений с конечной точкой.",
    "editInternalResourceDialogDestination": "Пункт назначения",
    "editInternalResourceDialogDestinationHostDescription": "IP адрес или имя хоста ресурса в сети сайта.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "СИДР",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Схема",
    "createInternalResourceDialogScheme": "Схема",
-    "createInternalResourceDialogEnableSsl": "Включить SSL",
+    "createInternalResourceDialogEnableSsl": "Включить TLS",
    "createInternalResourceDialogEnableSslDescription": "Включите SSL/TLS шифрование для защищенных HTTPS соединений с конечной точкой.",
    "createInternalResourceDialogDestination": "Пункт назначения",
    "createInternalResourceDialogDestinationHostDescription": "IP адрес или имя хоста ресурса в сети сайта.",
@@ -2217,7 +2235,7 @@
        "description": "Более надежный и низко обслуживаемый сервер Pangolin с дополнительными колокольнями и свистками",
        "introTitle": "Управляемый Само-Хост Панголина",
        "introDescription": "- это вариант развертывания, предназначенный для людей, которые хотят простоты и надёжности, сохраняя при этом свои данные конфиденциальными и самостоятельными.",
-        "introDetail": "С помощью этой опции вы по-прежнему используете узел Pangolin - туннели, SSL, и весь остающийся на вашем сервере. Разница заключается в том, что управление и мониторинг осуществляются через нашу панель инструментов из облака, которая открывает ряд преимуществ:",
+        "introDetail": "С помощью этой опции вы по-прежнему используете узел Pangolin - туннели, TLS, и весь остающийся на вашем сервере. Разница заключается в том, что управление и мониторинг осуществляются через нашу панель инструментов из облака, которая открывает ряд преимуществ:",
        "benefitSimplerOperations": {
            "title": "Более простые операции",
            "description": "Не нужно запускать свой собственный почтовый сервер или настроить комплексное оповещение. Вы будете получать проверки состояния здоровья и оповещения о неисправностях из коробки."
@@ -2652,6 +2670,8 @@
    "validPassword": "Допустимый пароль",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "Просмотр",
+    "configManaged": "Конфигурация управляется",
    "connectedClient": "Подключенный клиент",
    "resourceBlocked": "Ресурс заблокирован",
    "droppedByRule": "Отброшено по правилам",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Перенаправлять события непосредственно на ваш аккаунт в Datadog. Скоро будет доступно.",
    "streamingTypePickerDescription": "Выберите тип назначения, чтобы начать.",
-    "streamingFailedToLoad": "Не удалось загрузить места назначения",
+    "streamingLastSyncError": "Во время последней синхронизации произошла ошибка",
    "streamingUnexpectedError": "Произошла непредвиденная ошибка.",
    "streamingFailedToUpdate": "Не удалось обновить место назначения",
    "streamingDeletedSuccess": "Адрес назначения успешно удален",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Редактировать пункт назначения",
    "S3DestAddTitle": "Добавить S3 пункт назначения",
    "S3DestEditDescription": "Обновите конфигурацию для этого S3 пункта назначения потоковых событий.",
-    "S3DestAddDescription": "Настройте новую S3 конечную точку для получения событий вашей организации.",
+    "S3DestAddDescription": "Настройте новый Amazon S3 (или совместимое S3) хранилище для получения событий вашей организации.",
+    "s3DestTabSettings": "Настройки",
+    "s3DestTabFormat": "Формат",
+    "s3DestNameLabel": "Имя",
+    "s3DestNamePlaceholder": "Моя S3 конечная точка",
+    "s3DestAccessKeyIdLabel": "Идентификатор ключа доступа AWS",
+    "s3DestSecretAccessKeyLabel": "Секретный ключ доступа AWS",
+    "s3DestSecretAccessKeyPlaceholder": "Ваш секретный ключ доступа AWS",
+    "s3DestRegionLabel": "Регион AWS",
+    "s3DestBucketLabel": "Имя хранилища",
+    "s3DestPrefixLabel": "Префикс ключа (по желанию)",
+    "s3DestPrefixDescription": "Необязательный префикс пути, добавляется к каждому ключу объекта. Объекты хранятся в {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}.",
+    "s3DestEndpointLabel": "Пользовательская конечная точка (по желанию)",
+    "s3DestEndpointDescription": "Переопределите конечную точку S3 для совместимого хранилища, такого как MinIO или Cloudflare R2. Оставьте пустым для стандартного AWS S3.",
+    "s3DestGzipLabel": "Сжатие Gzip",
+    "s3DestGzipDescription": "Сжимайте каждый загруженный объект с помощью gzip. Уменьшает стоимость хранения и размер загрузки.",
+    "s3DestFormatTitle": "Формат файла",
+    "s3DestFormatDescription": "Как события сериализуются внутри каждого загруженного объекта.",
+    "s3DestFormatJsonArrayDescription": "Каждый объект — это JSON массив записей событий. Совместим с большинством аналитических инструментов.",
+    "s3DestFormatNdjsonDescription": "Каждый объект содержит одну запись JSON на строку (JSON, разделённый новой строкой). Совместим с Athena, BigQuery и Spark.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Каждый объект представляет собой CSV файл по стандарту RFC-4180 с заголовочной строкой. Имена столбцов выведены из полей данных событий.",
+    "s3DestSaveChanges": "Сохранить изменения",
+    "s3DestCreateDestination": "Создать конечную точку",
+    "s3DestUpdatedSuccess": "Конечная точка успешно обновлена",
+    "s3DestCreatedSuccess": "Конечная точка успешно создана",
+    "s3DestUpdateFailed": "Не удалось обновить конечную точку",
+    "s3DestCreateFailed": "Не удалось создать конечную точку",
    "datadogDestEditTitle": "Редактировать пункт назначения",
    "datadogDestAddTitle": "Добавить пункт назначения Datadog",
    "datadogDestEditDescription": "Обновите конфигурацию для этого пункта назначения потоковых событий Datadog.",
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "Bağlantı silinirken bir hata oluştu",
    "shareDeleted": "Bağlantı silindi",
    "shareDeletedDescription": "Bağlantı silindi",
+    "shareDelete": "Paylaşım Bağlantısını Sil",
+    "shareDeleteConfirm": "Paylaşım Bağlantısının Silinmesini Onayla",
+    "shareQuestionRemove": "Bu paylaşım bağlantısını silmek istediğinizden emin misiniz?",
+    "shareMessageRemove": "Silindikten sonra, bağlantı artık çalışmayacak ve kullanan herkes kaynağa erişimini kaybedecek.",
    "shareTokenDescription": "Erişim jetonunuz iki şekilde iletilebilir: sorgu parametresi olarak veya istek başlıklarında. Kimlik doğrulanmış erişim için her istekten müşteri tarafından iletilmelidir.",
    "accessToken": "Erişim Jetonu",
    "usageExamples": "Kullanım Örnekleri",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "Kaldırıldığında, bu kullanıcı organizasyona artık erişim sağlayamayacak. Kullanıcı tekrar davet edilebilir, ancak daveti kabul etmesi gerekecek.",
    "userRemoveOrgConfirm": "Kullanıcıyı Kaldırmayı Onayla",
    "userRemoveOrg": "Kullanıcıyı Organizasyondan Kaldır",
+    "userQuestionOrgRemoveSelf": "Bu organizasyondan kendinizi kaldırmak istediğinizden emin misiniz?",
+    "userMessageOrgRemoveSelf": "Erişiminizi hemen kaybedeceksiniz. Bir yönetici daha sonra sizi tekrar davet edebilir, ancak yeni bir daveti kabul etmeniz gerekecek.",
+    "userRemoveOrgConfirmSelf": "Kendimi Kaldırmayı Onayla",
+    "userRemoveOrgSelf": "Kendinizi organizasyondan kaldırın",
+    "userRemoveOrgSelfWarning": "Bu organizasyona erişiminizi anında kaybedeceksiniz.",
+    "userRemoveOrgConfirmPhraseSelf": "KENDİMİ ORGANİZASYONDAN KALDIR",
    "users": "Kullanıcılar",
    "accessRoleMember": "Üye",
    "accessRoleOwner": "Sahip",
@@ -531,6 +541,11 @@
    "emailInvalid": "Geçersiz e-posta adresi",
    "inviteValidityDuration": "Lütfen bir süre seçin",
    "accessRoleSelectPlease": "Lütfen bir rol seçin",
+    "removeOwnAdminRoleConfirmTitle": "Yönetici erişiminizi kaldırmak istiyor musunuz?",
+    "removeOwnAdminRoleConfirmDescription": "Kaydettikten sonra, bu organizasyonda artık yönetici izinleriniz olmayacak. Gerekirse başka bir yönetici erişimi geri yükleyebilir.",
+    "removeOwnAdminRoleConfirmButton": "Yönetici Erişimi Kaldır",
+    "removeOwnAdminRoleConfirmPhrase": "YÖNETİCİ ERİŞİMİMİ KALDIR",
+    "ownerMustRetainAdminRole": "Organizasyon sahibi en az bir yönetici rolü bulundurmalıdır.",
    "usernameRequired": "Kullanıcı adı gereklidir",
    "idpSelectPlease": "Lütfen bir kimlik sağlayıcı seçin",
    "idpGenericOidc": "Genel OAuth2/OIDC sağlayıcısı.",
@@ -615,7 +630,7 @@
    "createdAt": "Oluşturulma Tarihi",
    "proxyErrorInvalidHeader": "Geçersiz özel Ana Bilgisayar Başlığı değeri. Alan adı formatını kullanın veya özel Ana Bilgisayar Başlığını ayarlamak için boş bırakın.",
    "proxyErrorTls": "Geçersiz TLS Sunucu Adı. Alan adı formatını kullanın veya TLS Sunucu Adını kaldırmak için boş bırakılsın.",
-    "proxyEnableSSL": "SSL Etkinleştir",
+    "proxyEnableSSL": "TLS Etkinleştir",
    "proxyEnableSSLDescription": "Hedeflere güvenli HTTPS bağlantıları için SSL/TLS şifrelemesini etkinleştirin.",
    "target": "Hedef",
    "configureTarget": "Hedefleri Yapılandır",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "Yukarıdaki birden fazla hedef ekleyerek yük dengeleme etkinleştirilecektir.",
    "targetsSubmit": "Hedefleri Kaydet",
    "addTarget": "Hedef Ekle",
+    "proxyMultiSiteRoundRobinNodeHelp": "Round robin yönlendirme, aynı düğüme bağlı olmayan siteler arasında çalışmayacaktır, ancak failover çalışacaktır.",
    "targetErrorInvalidIp": "Geçersiz IP adresi",
    "targetErrorInvalidIpDescription": "Lütfen geçerli bir IP adresi veya host adı girin",
    "targetErrorInvalidPort": "Geçersiz port",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Şema",
-    "editInternalResourceDialogEnableSsl": "SSL'i Etkinleştir",
+    "editInternalResourceDialogEnableSsl": "TLS Etkinleştir",
    "editInternalResourceDialogEnableSslDescription": "Hedefe güvenli HTTPS bağlantıları için SSL/TLS şifrelemeyi etkinleştirin.",
    "editInternalResourceDialogDestination": "Hedef",
    "editInternalResourceDialogDestinationHostDescription": "Site ağındaki kaynağın IP adresi veya ana bilgisayar adı.",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Şema",
    "createInternalResourceDialogScheme": "Şema",
-    "createInternalResourceDialogEnableSsl": "SSL'i Etkinleştir",
+    "createInternalResourceDialogEnableSsl": "TLS'yi Etkinleştir",
    "createInternalResourceDialogEnableSslDescription": "Hedefe güvenli HTTPS bağlantıları için SSL/TLS şifrelemeyi etkinleştirin.",
    "createInternalResourceDialogDestination": "Hedef",
    "createInternalResourceDialogDestinationHostDescription": "Site ağındaki kaynağın IP adresi veya ana bilgisayar adı.",
@@ -2217,7 +2235,7 @@
        "description": "Daha güvenilir ve düşük bakım gerektiren, ekstra özelliklere sahip kendi kendine barındırabileceğiniz Pangolin sunucusu",
        "introTitle": "Yönetilen Kendi Kendine Barındırılan Pangolin",
        "introDescription": "Bu, basitlik ve ekstra güvenilirlik arayan, ancak verilerini gizli tutmak ve kendi sunucularında barındırmak isteyen kişiler için tasarlanmış bir dağıtım seçeneğidir.",
-        "introDetail": "Bu seçenekle, kendi Pangolin düğümünüzü çalıştırmaya devam edersiniz - tünelleriniz, SSL bitişiniz ve trafiğiniz tamamen sunucunuzda kalır. Fark, yönetim ve izlemeyi bulut panomuz üzerinden gerçekleştiririz, bu da bir dizi avantaj sağlar:",
+        "introDetail": "Bu seçenekle, kendi Pangolin düğümünüzü çalıştırmaya devam edersiniz - tünelleriniz, TLS bitişiniz ve trafiğiniz tamamen sunucunuzda kalır. Fark, yönetim ve izlemeyi bulut panomuz üzerinden gerçekleştiririz, bu da bir dizi avantaj sağlar:",
        "benefitSimplerOperations": {
            "title": "Daha basit işlemler",
            "description": "Kendi e-posta sunucunuzu çalıştırmanıza veya karmaşık uyarılar kurmanıza gerek yok. Sağlık kontrolleri ve kesinti uyarılarını kutudan çıktığı gibi alırsınız."
@@ -2652,6 +2670,8 @@
    "validPassword": "Geçerli Şifre",
    "validEmail": "Geçerli E-posta",
    "validSSO": "Geçerli SSO",
+    "view": "Görüntüle",
+    "configManaged": "Yapılandırma Yönetildi",
    "connectedClient": "Bağlı İstemci",
    "resourceBlocked": "Kaynak Engellendi",
    "droppedByRule": "Kurallara Göre Çıkartıldı",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Olayları doğrudan Datadog hesabınıza iletin. Yakında gelicek.",
    "streamingTypePickerDescription": "Başlamak için bir hedef türü seçin.",
-    "streamingFailedToLoad": "Hedefler yüklenemedi",
+    "streamingLastSyncError": "Son senkronizasyonda bir hata oluştu",
    "streamingUnexpectedError": "Beklenmeyen bir hata oluştu.",
    "streamingFailedToUpdate": "Hedef güncellenemedi",
    "streamingDeletedSuccess": "Hedef başarıyla silindi",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "Hedefi Düzenle",
    "S3DestAddTitle": "S3 Hedefi Ekle",
    "S3DestEditDescription": "Bu S3 olay akışı hedefi için yapılandırmayı güncelleyin.",
-    "S3DestAddDescription": "Kuruluşunuzun olaylarını almak için yeni bir S3 uç noktası yapılandırın.",
+    "S3DestAddDescription": "Kuruluşunuzun etkinliklerini almak için yeni bir Amazon S3 (veya S3-uyumlu) kovası yapılandırın.",
+    "s3DestTabSettings": "Ayarlar",
+    "s3DestTabFormat": "Biçim",
+    "s3DestNameLabel": "Ad",
+    "s3DestNamePlaceholder": "Benim S3 hedefim",
+    "s3DestAccessKeyIdLabel": "AWS Erişim Anahtar Kimliği",
+    "s3DestSecretAccessKeyLabel": "AWS Gizli Erişim Anahtarı",
+    "s3DestSecretAccessKeyPlaceholder": "AWS gizli erişim anahtarınız",
+    "s3DestRegionLabel": "AWS Bölgesi",
+    "s3DestBucketLabel": "Kova Adı",
+    "s3DestPrefixLabel": "Anahtar Ön Eki (isteğe bağlı)",
+    "s3DestPrefixDescription": "Her nesne anahtarının önüne eklenen isteğe bağlı yol öneki. Nesneler {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename} konumunda saklanır.",
+    "s3DestEndpointLabel": "Özel Uç Nokta (isteğe bağlı)",
+    "s3DestEndpointDescription": "MinIO veya Cloudflare R2 gibi S3-uyumlu depolama için S3 uç noktasını geçersiz kılın. Standart AWS S3 için boş bırakın.",
+    "s3DestGzipLabel": "Gzip sıkıştırması",
+    "s3DestGzipDescription": "Her yüklü nesneyi gzip ile sıkıştırın. Depolama maliyetlerini ve yükleme boyutunu azaltır.",
+    "s3DestFormatTitle": "Dosya Biçimi",
+    "s3DestFormatDescription": "Etkinliklerin her yüklendiği nesne içinde nasıl serileştirildiği.",
+    "s3DestFormatJsonArrayDescription": "Her nesne bir olay kayıtlarının JSON dizisidir. Çoğu analiz aracıyla uyumludur.",
+    "s3DestFormatNdjsonDescription": "Her nesne satır başına bir JSON kaydı içerir (yeni satır ile ayrılmış JSON). Athena, BigQuery ve Spark ile uyumludur.",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "Her nesne, bir başlık satırı ile birlikte RFC-4180 CSV dosyasıdır. Sütun isimleri olay verileri alanlarından türetilmiştir.",
+    "s3DestSaveChanges": "Değişiklikleri Kaydet",
+    "s3DestCreateDestination": "Hedef Oluştur",
+    "s3DestUpdatedSuccess": "Hedef başarıyla güncellendi",
+    "s3DestCreatedSuccess": "Hedef başarıyla oluşturuldu",
+    "s3DestUpdateFailed": "Hedef güncellenemedi",
+    "s3DestCreateFailed": "Hedef oluşturulamadı",
    "datadogDestEditTitle": "Hedefi Düzenle",
    "datadogDestAddTitle": "Datadog Hedefi Ekle",
    "datadogDestEditDescription": "Bu Datadog olay akışı hedefi için yapılandırmayı güncelleyin.",
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -32,7 +32,7 @@
    "trialActive": "免费试用中",
    "trialExpired": "试用到期",
    "trialHasEnded": "您的试用已结束。",
-    "trialDaysRemaining": "{count, plural, one {# day remaining} other {# days remaining}}",
+    "trialDaysRemaining": "{count, plural, other {# 天剩余}}",
    "trialDaysLeftShort": "试用期剩余 {days} 天",
    "trialGoToBilling": "转到账单页面",
    "subscriptionViolationViewBilling": "查看计费",
@@ -156,6 +156,10 @@
    "shareErrorDeleteMessage": "删除链接时出错",
    "shareDeleted": "链接已删除",
    "shareDeletedDescription": "链接已删除",
+    "shareDelete": "删除共享链接",
+    "shareDeleteConfirm": "确认删除共享链接",
+    "shareQuestionRemove": "您确定要删除这个共享链接吗？",
+    "shareMessageRemove": "删除后，该链接将不再可用，使用它的任何人将失去对资源的访问权限。",
    "shareTokenDescription": "访问令牌可以通过两种方式传递：作为查询参数或请求标题。 每次验证访问请求都必须从客户端传递。",
    "accessToken": "访问令牌",
    "usageExamples": "用法示例",
@@ -303,7 +307,7 @@
    "accessUserManage": "管理用户",
    "accessUsersDescription": "邀请和管理访问此组织的用户",
    "accessUsersSearch": "搜索用户...",
-    "accessUsersRoleFilterCount": "{count, plural, one {# role} other {# roles}}",
+    "accessUsersRoleFilterCount": "{count, plural, other {# 角色}}",
    "accessUsersRoleFilterClear": "清除角色过滤器",
    "accessUserCreate": "创建用户",
    "accessUserRemove": "删除用户",
@@ -523,6 +527,12 @@
    "userMessageOrgRemove": "一旦删除，这个用户将不再能够访问组织。 你总是可以稍后重新邀请他们，但他们需要再次接受邀请。",
    "userRemoveOrgConfirm": "确认删除用户",
    "userRemoveOrg": "从组织中删除用户",
+    "userQuestionOrgRemoveSelf": "你确定要将自己从这个组织中移除吗？",
+    "userMessageOrgRemoveSelf": "你将立即失去访问权限。管理员稍后可以再次邀请你，但你需要接受新的邀请。",
+    "userRemoveOrgConfirmSelf": "确认删除我自己",
+    "userRemoveOrgSelf": "将自己从组织中移除",
+    "userRemoveOrgSelfWarning": "你将立即失去对此组织的访问权限。",
+    "userRemoveOrgConfirmPhraseSelf": "从组织中移除我自己",
    "users": "用户",
    "accessRoleMember": "成员",
    "accessRoleOwner": "所有者",
@@ -531,6 +541,11 @@
    "emailInvalid": "无效的电子邮件地址",
    "inviteValidityDuration": "请选择持续时间",
    "accessRoleSelectPlease": "请选择一个角色",
+    "removeOwnAdminRoleConfirmTitle": "移除你的管理员权限？",
+    "removeOwnAdminRoleConfirmDescription": "保存后，你将不再拥有该组织的管理员权限。如果需要，其他管理员可以恢复访问。",
+    "removeOwnAdminRoleConfirmButton": "移除我的管理员访问权限",
+    "removeOwnAdminRoleConfirmPhrase": "移除我的管理员访问",
+    "ownerMustRetainAdminRole": "组织所有者必须保留至少一个管理员角色。",
    "usernameRequired": "必须输入用户名",
    "idpSelectPlease": "请选择身份提供商",
    "idpGenericOidc": "通用的 OAuth2/OIDC 提供商。",
@@ -615,7 +630,7 @@
    "createdAt": "创建于",
    "proxyErrorInvalidHeader": "无效的自定义主机头值。使用域名格式，或将空保存为取消自定义主机头。",
    "proxyErrorTls": "无效的 TLS 服务器名称。使用域名格式，或保存空以删除 TLS 服务器名称。",
-    "proxyEnableSSL": "启用 SSL",
+    "proxyEnableSSL": "启用 TLS",
    "proxyEnableSSLDescription": "启用 SSL/TLS 加密以确保目标的 HTTPS 连接。",
    "target": "Target",
    "configureTarget": "配置目标",
@@ -658,6 +673,7 @@
    "targetNoOneDescription": "在上面添加多个目标将启用负载平衡。",
    "targetsSubmit": "保存目标",
    "addTarget": "添加目标",
+    "proxyMultiSiteRoundRobinNodeHelp": "轮询路由在未连接到相同节点的站点之间将不起作用，但故障转移会生效。",
    "targetErrorInvalidIp": "无效的 IP 地址",
    "targetErrorInvalidIpDescription": "请输入有效的IP地址或主机名",
    "targetErrorInvalidPort": "无效的端口",
@@ -1499,7 +1515,7 @@
    "alertingGraphCanvasTitle": "规则流程",
    "alertingGraphCanvasDescription": "源、触发器和操作的视觉概况。选择一个节点，在面板上进行编辑。",
    "alertingNodeNotConfigured": "尚未配置",
-    "alertingNodeActionsCount": "{count, plural, one {# action} other {# actions}}",
+    "alertingNodeActionsCount": "{count, plural, other {# 操作}}",
    "alertingNodeRoleSource": "来源",
    "alertingNodeRoleTrigger": "触发",
    "alertingNodeRoleAction": "行为",
@@ -2033,8 +2049,9 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "方案",
-    "editInternalResourceDialogEnableSsl": "启用 SSL",
+    "editInternalResourceDialogEnableSsl": "启用 TLS",
    "editInternalResourceDialogEnableSslDescription": "为目标的安全 HTTPS 连接启用 SSL/TLS 加密。",
    "editInternalResourceDialogDestination": "目标",
    "editInternalResourceDialogDestinationHostDescription": "站点网络上资源的 IP 地址或主机名。",
@@ -2051,7 +2068,7 @@
    "createInternalResourceDialogName": "名称",
    "createInternalResourceDialogSite": "站点",
    "selectSite": "选择站点...",
-    "multiSitesSelectorSitesCount": "{count, plural, one {# site} other {# sites}}",
+    "multiSitesSelectorSitesCount": "{count, plural, other {# 个网站}}",
    "noSitesFound": "未找到站点。",
    "createInternalResourceDialogProtocol": "协议",
    "createInternalResourceDialogTcp": "TCP",
@@ -2082,9 +2099,10 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "方案",
    "createInternalResourceDialogScheme": "方案",
-    "createInternalResourceDialogEnableSsl": "启用 SSL",
+    "createInternalResourceDialogEnableSsl": "启用 TLS",
    "createInternalResourceDialogEnableSslDescription": "为目标的安全 HTTPS 连接启用 SSL/TLS 加密。",
    "createInternalResourceDialogDestination": "目标",
    "createInternalResourceDialogDestinationHostDescription": "站点网络上资源的 IP 地址或主机名。",
@@ -2217,7 +2235,7 @@
        "description": "更可靠和低维护自我托管的 Pangolin 服务器，带有额外的铃声和告密器",
        "introTitle": "托管自托管的潘戈林公司",
        "introDescription": "这是一种部署选择，为那些希望简洁和额外可靠的人设计，同时仍然保持他们的数据的私密性和自我托管性。",
-        "introDetail": "通过此选项，您仍然运行您自己的 Pangolin 节点 - - 您的隧道、SSL 终止，并且流量在您的服务器上保持所有状态。 不同之处在于，管理和监测是通过我们的云层仪表板进行的，该仪表板开启了一些好处：",
+        "introDetail": "通过此选项，您仍然运行您自己的 Pangolin 节点 - - 您的隧道、TLS 终止，并且流量在您的服务器上保持所有状态。 不同之处在于，管理和监测是通过我们的云层仪表板进行的，该仪表板开启了一些好处：",
        "benefitSimplerOperations": {
            "title": "简单的操作",
            "description": "无需运行您自己的邮件服务器或设置复杂的警报。您将从方框中获得健康检查和下限提醒。"
@@ -2652,6 +2670,8 @@
    "validPassword": "有效密码",
    "validEmail": "Valid email",
    "validSSO": "Valid SSO",
+    "view": "查看",
+    "configManaged": "配置已管理",
    "connectedClient": "已连接客户端",
    "resourceBlocked": "资源被阻止",
    "droppedByRule": "被规则删除",
@@ -3062,7 +3082,7 @@
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "直接转发事件到您的Datadog 帐户。即将推出。",
    "streamingTypePickerDescription": "选择要开始的目标类型。",
-    "streamingFailedToLoad": "加载目的地失败",
+    "streamingLastSyncError": "最后一次同步时发生错误",
    "streamingUnexpectedError": "发生意外错误.",
    "streamingFailedToUpdate": "更新目标失败",
    "streamingDeletedSuccess": "目标删除成功",
@@ -3079,7 +3099,34 @@
    "S3DestEditTitle": "编辑目的地",
    "S3DestAddTitle": "添加 S3 目的地",
    "S3DestEditDescription": "更新此 S3 事件流目的地的配置。",
-    "S3DestAddDescription": "配置新的 S3 终端以接收您的组织事件。",
+    "S3DestAddDescription": "配置一个新的 Amazon S3（或兼容 S3 的）存储桶以接收您的组织事件。",
+    "s3DestTabSettings": "设置",
+    "s3DestTabFormat": "格式",
+    "s3DestNameLabel": "名称",
+    "s3DestNamePlaceholder": "我的 S3 目的地",
+    "s3DestAccessKeyIdLabel": "AWS 访问密钥 ID",
+    "s3DestSecretAccessKeyLabel": "AWS 秘密访问密钥",
+    "s3DestSecretAccessKeyPlaceholder": "您的 AWS 密钥",
+    "s3DestRegionLabel": "AWS 地区",
+    "s3DestBucketLabel": "存储桶名称",
+    "s3DestPrefixLabel": "密钥前缀（可选）",
+    "s3DestPrefixDescription": "每个对象密钥前加的可选路径前缀。对象存储在 {prefix}/{logType}/{YYYY}/{MM}/{DD}/{filename}。",
+    "s3DestEndpointLabel": "自定义端点（可选）",
+    "s3DestEndpointDescription": "替代 S3 端点用于 MinIO 或 Cloudflare R2 等兼容 S3 的存储。标准 AWS S3 留空。",
+    "s3DestGzipLabel": "Gzip 压缩",
+    "s3DestGzipDescription": "使用 gzip 压缩每个上传的对象。减少存储成本和上传大小。",
+    "s3DestFormatTitle": "文件格式",
+    "s3DestFormatDescription": "事件在每个上传对象内的序列化方式。",
+    "s3DestFormatJsonArrayDescription": "每个对象是事件记录的 JSON 数组。兼容大多数分析工具。",
+    "s3DestFormatNdjsonDescription": "每个对象每行包含一个 JSON 记录（换行分隔的 JSON）。兼容 Athena、BigQuery 和 Spark。",
+    "s3DestFormatCsvTitle": "CSV",
+    "s3DestFormatCsvDescription": "每个对象是带有标题行的 RFC-4180 CSV 文件。列名来自事件数据字段。",
+    "s3DestSaveChanges": "保存更改",
+    "s3DestCreateDestination": "创建目的地",
+    "s3DestUpdatedSuccess": "目的地更新成功",
+    "s3DestCreatedSuccess": "目的地创建成功",
+    "s3DestUpdateFailed": "更新目的地失败",
+    "s3DestCreateFailed": "创建目的地失败",
    "datadogDestEditTitle": "编辑目的地",
    "datadogDestAddTitle": "添加 Datadog 目的地",
    "datadogDestEditDescription": "更新此 Datadog 事件流目的地的配置。",
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -489,7 +489,7 @@
    "createdAt": "創建於",
    "proxyErrorInvalidHeader": "無效的自訂主機 Header。使用域名格式，或將空保存為取消自訂 Header。",
    "proxyErrorTls": "無效的 TLS 伺服器名稱。使用域名格式，或保存空以刪除 TLS 伺服器名稱。",
-    "proxyEnableSSL": "啟用 SSL",
+    "proxyEnableSSL": "啟用 TLS",
    "proxyEnableSSLDescription": "啟用 SSL/TLS 加密以確保您目標的 HTTPS 連接。",
    "target": "目標",
    "configureTarget": "配置目標",
@@ -1763,7 +1763,7 @@
        "description": "更可靠、維護成本更低的自架 Pangolin 伺服器，並附帶額外的附加功能",
        "introTitle": "託管式自架 Pangolin",
        "introDescription": "這是一種部署選擇，為那些希望簡潔和額外可靠的人設計，同時仍然保持他們的數據的私密性和自我託管性。",
-        "introDetail": "通過此選項，您仍然運行您自己的 Pangolin 節點 - - 您的隧道、SSL 終止，並且流量在您的伺服器上保持所有狀態。 不同之處在於，管理和監測是通過我們的雲層儀錶板進行的，該儀錶板開啟了一些好處：",
+        "introDetail": "通過此選項，您仍然運行您自己的 Pangolin 節點 - - 您的隧道、TLS 終止，並且流量在您的伺服器上保持所有狀態。 不同之處在於，管理和監測是通過我們的雲層儀錶板進行的，該儀錶板開啟了一些好處：",
        "benefitSimplerOperations": {
            "title": "簡單的操作",
            "description": "無需運行您自己的郵件伺服器或設置複雜的警報。您將從方框中獲得健康檢查和下限提醒。"
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,17 +1,42 @@
 import type { NextConfig } from "next";
 import createNextIntlPlugin from "next-intl/plugin";
+import fs from "fs";
+import path from "path";

 const withNextIntl = createNextIntlPlugin();
+// read allowedDevOrigins.json if it exists
+let allowedDevOrigins: string[] = [];
+const allowedDevOriginsPath = path.join(
+    process.cwd(),
+    "allowedDevOrigins.json"
+);
+if (fs.existsSync(allowedDevOriginsPath)) {
+    try {
+        const data = fs.readFileSync(allowedDevOriginsPath, "utf-8");
+        allowedDevOrigins = JSON.parse(data);
+    } catch {}
+}

 const nextConfig: NextConfig = {
    reactStrictMode: false,
-    eslint: {
-        ignoreDuringBuilds: true
-    },
-    experimental: {
-        reactCompiler: true
-    },
-    output: "standalone"
+    reactCompiler: true,
+    transpilePackages: ["@novnc/novnc"],
+    output: "standalone",
+    allowedDevOrigins,
+    async redirects() {
+        return [
+            {
+                source: "/:orgId/settings/resources/proxy/:path*",
+                destination: "/:orgId/settings/resources/public/:path*",
+                permanent: true
+            },
+            {
+                source: "/:orgId/settings/resources/client/:path*",
+                destination: "/:orgId/settings/resources/private/:path*",
+                permanent: true
+            }
+        ];
+    }
 };

 export default withNextIntl(nextConfig);
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -32,13 +32,15 @@
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.1011.0",
-        "@faker-js/faker": "10.3.0",
-        "@headlessui/react": "2.2.9",
-        "@hookform/resolvers": "5.2.2",
+        "@asteasolutions/zod-to-openapi": "8.5.0",
+        "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+        "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
+        "@aws-sdk/client-s3": "3.1056.0",
+        "@headlessui/react": "2.2.10",
+        "@hookform/resolvers": "5.4.0",
        "@monaco-editor/react": "4.7.0",
        "@node-rs/argon2": "2.0.2",
+        "@novnc/novnc": "^1.7.0",
        "@oslojs/crypto": "1.0.1",
        "@oslojs/encoding": "1.1.0",
        "@radix-ui/react-avatar": "1.1.11",
@@ -59,16 +61,20 @@
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
        "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.8",
-        "@react-email/render": "2.0.4",
-        "@react-email/tailwind": "2.0.5",
+        "@react-email/body": "0.3.0",
+        "@react-email/components": "1.0.12",
+        "@react-email/render": "2.0.8",
+        "@react-email/tailwind": "2.0.7",
        "@simplewebauthn/browser": "13.3.0",
-        "@simplewebauthn/server": "13.3.0",
+        "@simplewebauthn/server": "13.3.1",
        "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.90.21",
+        "@tanstack/react-query": "5.100.14",
        "@tanstack/react-table": "8.21.3",
+        "@xterm/addon-fit": "^0.11.0",
+        "@xterm/addon-web-links": "^0.12.0",
+        "@xterm/xterm": "^6.0.0",
        "arctic": "3.7.0",
-        "axios": "1.15.0",
+        "axios": "1.16.1",
        "better-sqlite3": "11.9.1",
        "canvas-confetti": "1.9.4",
        "class-variance-authority": "0.7.1",
@@ -80,77 +86,76 @@
        "d3": "7.9.0",
        "drizzle-orm": "0.45.2",
        "express": "5.2.1",
-        "express-rate-limit": "8.3.0",
+        "express-rate-limit": "8.5.2",
        "glob": "13.0.6",
-        "helmet": "8.1.0",
+        "helmet": "8.2.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
-        "ioredis": "5.10.0",
+        "ioredis": "5.11.0",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.577.0",
-        "maxmind": "5.0.5",
+        "lucide-react": "1.17.0",
+        "maxmind": "5.0.6",
        "moment": "2.30.1",
-        "next": "15.5.15",
-        "next-intl": "4.8.3",
+        "next": "16.2.6",
+        "next-intl": "4.13.0",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "nodemailer": "8.0.5",
+        "nodemailer": "8.0.9",
        "oslo": "1.2.1",
-        "pg": "8.20.0",
-        "posthog-node": "5.28.0",
+        "pg": "8.21.0",
+        "posthog-node": "5.35.6",
        "qrcode.react": "4.2.0",
-        "react": "19.2.4",
+        "react": "19.2.6",
        "react-day-picker": "9.14.0",
-        "react-dom": "19.2.4",
+        "react-dom": "19.2.6",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.71.2",
+        "react-hook-form": "7.76.1",
        "react-icons": "5.6.0",
-        "recharts": "2.15.4",
+        "recharts": "3.8.1",
        "reodotdev": "1.1.0",
-        "resend": "6.9.2",
-        "semver": "7.7.4",
+        "semver": "7.8.1",
        "sshpk": "1.18.0",
-        "stripe": "20.4.1",
+        "stripe": "22.2.0",
        "swagger-ui-express": "5.0.1",
-        "tailwind-merge": "3.5.0",
+        "tailwind-merge": "3.6.0",
        "topojson-client": "3.1.0",
        "tw-animate-css": "1.4.0",
-        "use-debounce": "10.1.0",
-        "uuid": "13.0.0",
+        "use-debounce": "10.1.1",
+        "uuid": "14.0.0",
        "vaul": "1.1.2",
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.19.0",
-        "yaml": "2.8.3",
+        "ws": "8.21.0",
+        "yaml": "2.9.0",
        "yargs": "18.0.0",
-        "zod": "4.3.6",
+        "zod": "4.4.3",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.54.1",
+        "@dotenvx/dotenvx": "1.69.1",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "5.2.10",
-        "@tailwindcss/postcss": "4.2.2",
-        "@tanstack/react-query-devtools": "5.91.3",
+        "@react-email/ui": "^6.5.0",
+        "@tailwindcss/postcss": "4.3.0",
+        "@tanstack/react-query-devtools": "5.100.14",
        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
        "@types/crypto-js": "4.2.2",
        "@types/d3": "7.4.3",
        "@types/express": "5.0.6",
-        "@types/express-session": "1.18.2",
+        "@types/express-session": "1.19.0",
        "@types/jmespath": "0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.3.5",
-        "@types/nodemailer": "7.0.11",
+        "@types/node": "25.9.1",
+        "@types/nodemailer": "8.0.0",
        "@types/nprogress": "0.2.3",
-        "@types/pg": "8.18.0",
-        "@types/react": "19.2.14",
+        "@types/pg": "8.20.0",
+        "@types/react": "19.2.15",
        "@types/react-dom": "19.2.3",
        "@types/semver": "7.7.1",
        "@types/sshpk": "1.17.4",
@@ -160,21 +165,22 @@
        "@types/yargs": "17.0.35",
        "babel-plugin-react-compiler": "1.0.0",
        "drizzle-kit": "0.31.10",
-        "esbuild": "0.27.4",
-        "esbuild-node-externals": "1.20.1",
-        "eslint": "10.0.3",
-        "eslint-config-next": "16.1.7",
-        "postcss": "8.5.8",
-        "prettier": "3.8.1",
-        "react-email": "5.2.10",
-        "tailwindcss": "4.2.2",
-        "tsc-alias": "1.8.16",
-        "tsx": "4.21.0",
-        "typescript": "5.9.3",
-        "typescript-eslint": "8.56.1"
+        "esbuild": "0.28.0",
+        "esbuild-node-externals": "1.22.0",
+        "eslint": "10.4.0",
+        "eslint-config-next": "16.2.6",
+        "postcss": "8.5.15",
+        "prettier": "3.8.3",
+        "react-email": "6.5.0",
+        "tailwindcss": "4.3.0",
+        "tsc-alias": "1.8.17",
+        "tsx": "4.22.3",
+        "typescript": "6.0.3",
+        "typescript-eslint": "8.60.0"
    },
    "overrides": {
-        "esbuild": "0.27.4",
-        "dompurify": "3.3.2"
+        "esbuild": "0.28.0",
+        "dompurify": "3.4.0",
+        "postcss": "8.5.15"
    }
 }
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -5,6 +5,7 @@ import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import logger from "@server/logger";

 export enum ActionsEnum {
    createOrgUser = "createOrgUser",
@@ -148,11 +149,36 @@ export enum ActionsEnum {
    updateAlertRule = "updateAlertRule",
    deleteAlertRule = "deleteAlertRule",
    listAlertRules = "listAlertRules",
+    listOrgLabels = "listOrgLabels",
+    createOrgLabel = "createOrgLabel",
+    updateOrgLabel = "updateOrgLabel",
+    deleteOrgLabel = "deleteOrgLabel",
+    attachLabelToItem = "attachLabelToItem",
+    detachLabelFromItem = "detachLabelFromItem",
    getAlertRule = "getAlertRule",
    createHealthCheck = "createHealthCheck",
    updateHealthCheck = "updateHealthCheck",
    deleteHealthCheck = "deleteHealthCheck",
-    listHealthChecks = "listHealthChecks"
+    listHealthChecks = "listHealthChecks",
+    createBrowserGatewayTarget = "createBrowserGatewayTarget",
+    updateBrowserGatewayTarget = "updateBrowserGatewayTarget",
+    deleteBrowserGatewayTarget = "deleteBrowserGatewayTarget",
+    getBrowserGatewayTarget = "getBrowserGatewayTarget",
+    listBrowserGatewayTargets = "listBrowserGatewayTargets",
+    listResourcePolicies = "listResourcePolicies",
+    getResourcePolicy = "getResourcePolicy",
+    createResourcePolicy = "createResourcePolicy",
+    updateResourcePolicy = "updateResourcePolicy",
+    deleteResourcePolicy = "deleteResourcePolicy",
+    listResourcePolicyRoles = "listResourcePolicyRoles",
+    setResourcePolicyRoles = "setResourcePolicyRoles",
+    listResourcePolicyUsers = "listResourcePolicyUsers",
+    setResourcePolicyUsers = "setResourcePolicyUsers",
+    setResourcePolicyPassword = "setResourcePolicyPassword",
+    setResourcePolicyPincode = "setResourcePolicyPincode",
+    setResourcePolicyHeaderAuth = "setResourcePolicyHeaderAuth",
+    setResourcePolicyWhitelist = "setResourcePolicyWhitelist",
+    setResourcePolicyRules = "setResourcePolicyRules"
 }

 export async function checkUserActionPermission(
@@ -185,6 +211,23 @@ export async function checkUserActionPermission(
            }
        }

+        // If no direct permission, check role-based permission (any of user's roles)
+        const roleActionPermission = await db
+            .select()
+            .from(roleActions)
+            .where(
+                and(
+                    eq(roleActions.actionId, actionId),
+                    inArray(roleActions.roleId, userOrgRoleIds),
+                    eq(roleActions.orgId, req.userOrgId!)
+                )
+            )
+            .limit(1);
+
+        if (roleActionPermission.length > 0) {
+            return true;
+        }
+
        // Check if the user has direct permission for the action in the current org
        const userActionPermission = await db
            .select()
@@ -202,20 +245,7 @@ export async function checkUserActionPermission(
            return true;
        }

-        // If no direct permission, check role-based permission (any of user's roles)
-        const roleActionPermission = await db
-            .select()
-            .from(roleActions)
-            .where(
-                and(
-                    eq(roleActions.actionId, actionId),
-                    inArray(roleActions.roleId, userOrgRoleIds),
-                    eq(roleActions.orgId, req.userOrgId!)
-                )
-            )
-            .limit(1);
-
-        return roleActionPermission.length > 0;
+        return false;
    } catch (error) {
        console.error("Error checking user action permission:", error);
        throw createHttpError(
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -19,6 +19,9 @@ export async function createResourceSession(opts: {
    userSessionId?: string | null;
    whitelistId?: number | null;
    accessTokenId?: string | null;
+    policyPasswordId?: number | null;
+    policyPincodeId?: number | null;
+    policyWhitelistId?: number | null;
    doNotExtend?: boolean;
    expiresAt?: number | null;
    sessionLength?: number | null;
@@ -28,7 +31,10 @@ export async function createResourceSession(opts: {
        !opts.pincodeId &&
        !opts.whitelistId &&
        !opts.accessTokenId &&
-        !opts.userSessionId
+        !opts.userSessionId &&
+        !opts.policyPasswordId &&
+        !opts.policyPincodeId &&
+        !opts.policyWhitelistId
    ) {
        throw new Error("Auth method must be provided");
    }
@@ -49,6 +55,9 @@ export async function createResourceSession(opts: {
        whitelistId: opts.whitelistId || null,
        doNotExtend: opts.doNotExtend || false,
        accessTokenId: opts.accessTokenId || null,
+        policyPasswordId: opts.policyPasswordId || null,
+        policyPincodeId: opts.policyPincodeId || null,
+        policyWhitelistId: opts.policyWhitelistId || null,
        isRequestToken: opts.isRequestToken || false,
        userSessionId: opts.userSessionId || null,
        issuedAt: new Date().getTime()
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -1,6 +1,12 @@
 import { join } from "path";
 import { readFileSync } from "fs";
-import { clients, db, resources, siteResources } from "@server/db";
+import {
+    clients,
+    db,
+    resourcePolicies,
+    resources,
+    siteResources
+} from "@server/db";
 import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -107,6 +113,35 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
    }
 }

+export async function getUniqueResourcePolicyName(
+    orgId: string
+): Promise<string> {
+    let loops = 0;
+    while (true) {
+        if (loops > 100) {
+            throw new Error("Could not generate a unique name");
+        }
+
+        const name = generateName();
+        const policyCount = await db
+            .select({
+                niceId: resourcePolicies.niceId,
+                orgId: resourcePolicies.orgId
+            })
+            .from(resourcePolicies)
+            .where(
+                and(
+                    eq(resourcePolicies.niceId, name),
+                    eq(resourcePolicies.orgId, orgId)
+                )
+            );
+        if (policyCount.length === 0) {
+            return name;
+        }
+        loops++;
+    }
+}
+
 export async function getUniqueSiteResourceName(
    orgId: string
 ): Promise<string> {
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -87,7 +87,7 @@ function createDb() {

 export const db = createDb();
 export default db;
-export const primaryDb = db.$primary;
+export const primaryDb = db.$primary as typeof db; // is this typeof a problem - techincally they are different types
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
--- a/server/db/pg/index.ts
+++ b/server/db/pg/index.ts
@@ -4,3 +4,4 @@ export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
+export { alias } from "drizzle-orm/pg-core";
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -2,6 +2,7 @@ import {
    pgTable,
    serial,
    varchar,
+    unique,
    boolean,
    integer,
    bigint,
@@ -19,12 +20,13 @@ import {
    roles,
    users,
    exitNodes,
-    sessions,
-    clients,
    resources,
    siteResources,
    targetHealthCheck,
-    sites
+    sites,
+    clients,
+    sessions,
+    labels
 } from "./schema";

 export const certificates = pgTable("certificates", {
@@ -197,6 +199,42 @@ export const remoteExitNodes = pgTable("remoteExitNode", {
    })
 });

+export const remoteExitNodeResources = pgTable("remoteExitNodeResources", {
+    remoteExitNodeResourceId: serial("remoteExitNodeResourceId").primaryKey(),
+    remoteExitNodeId: varchar("remoteExitNodeId")
+        .notNull()
+        .references(() => remoteExitNodes.remoteExitNodeId, {
+            onDelete: "cascade"
+        }),
+    destination: varchar("destination").notNull() // a cidr range
+});
+
+export const remoteExitNodePreferenceLabels = pgTable(
+    // this controls what sites are enforced to connect to this node
+    "remoteExitNodePreferenceLabels",
+    {
+        remoteExitNodePreferenceLabelId: serial(
+            "remoteExitNodePreferenceLabelId"
+        ).primaryKey(),
+        remoteExitNode: integer("remoteExitNode")
+            .references(() => remoteExitNodes.remoteExitNodeId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [
+        unique("remote_exit_node_preference_label_uniq").on(
+            t.remoteExitNode,
+            t.labelId
+        )
+    ]
+);
+
 export const remoteExitNodeSessions = pgTable("remoteExitNodeSession", {
    sessionId: varchar("id").primaryKey(),
    remoteExitNodeId: varchar("remoteExitNodeId")
@@ -332,6 +370,7 @@ export const connectionAuditLog = pgTable(
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
+        clientEndpoint: text("clientEndpoint"),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
@@ -439,6 +478,8 @@ export const eventStreamingDestinations = pgTable(
        type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
        config: text("config").notNull(), // JSON string with the configuration for the destination
        enabled: boolean("enabled").notNull().default(true),
+        lastError: text("lastError"), // last send error message, null if healthy
+        lastErrorAt: bigint("lastErrorAt", { mode: "number" }), // epoch ms of last error, null if healthy
        createdAt: bigint("createdAt", { mode: "number" }).notNull(),
        updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
    }
@@ -577,6 +618,24 @@ export const trialNotifications = pgTable("trialNotifications", {
    sentAt: bigint("sentAt", { mode: "number" }).notNull()
 });

+export const browserGatewayTarget = pgTable("browserGatewayTarget", {
+    browserGatewayTargetId: serial("browserGatewayTargetId").primaryKey(),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: varchar("authToken").notNull(),
+    type: varchar("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: varchar("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -624,3 +683,6 @@ export type AlertEmailRecipients = InferSelectModel<
 >;
 export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -65,7 +65,12 @@ export const orgs = pgTable("orgs", {
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: boolean("isBillingOrg"),
-    billingOrgId: varchar("billingOrgId")
+    billingOrgId: varchar("billingOrgId"),
+    settingsEnableGlobalNewtAutoUpdate: boolean(
+        "settingsEnableGlobalNewtAutoUpdate"
+    )
+        .notNull()
+        .default(false)
 });

 export const orgDomains = pgTable("orgDomains", {
@@ -103,6 +108,10 @@ export const sites = pgTable("sites", {
    lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
    listenPort: integer("listenPort"),
    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+    autoUpdateEnabled: boolean("autoUpdateEnabled").notNull().default(false),
+    autoUpdateOverrideOrg: boolean("autoUpdateOverrideOrg")
+        .notNull()
+        .default(false),
    status: varchar("status")
        .$type<"pending" | "approved">()
        .default("approved")
@@ -110,6 +119,16 @@ export const sites = pgTable("sites", {

 export const resources = pgTable("resources", {
    resourceId: serial("resourceId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
    resourceGuid: varchar("resourceGuid", { length: 36 })
        .unique()
        .notNull()
@@ -129,8 +148,6 @@ export const resources = pgTable("resources", {
    ssl: boolean("ssl").notNull().default(false),
    blockAccess: boolean("blockAccess").notNull().default(false),
    sso: boolean("sso").notNull().default(true),
-    http: boolean("http").notNull().default(true),
-    protocol: varchar("protocol").notNull(),
    proxyPort: integer("proxyPort"),
    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
        .notNull()
@@ -147,7 +164,6 @@ export const resources = pgTable("resources", {
    headers: text("headers"), // comma-separated list of headers to add to the request
    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
    maintenanceModeEnabled: boolean("maintenanceModeEnabled")
        .notNull()
        .default(false),
@@ -159,9 +175,100 @@ export const resources = pgTable("resources", {
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath"),
    health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: boolean("wildcard").notNull().default(false)
+    wildcard: boolean("wildcard").notNull().default(false),
+    mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });

+export const labels = pgTable("labels", {
+    labelId: serial("labelId").primaryKey(),
+    name: varchar("name").notNull(),
+    color: varchar("color").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = pgTable(
+    "siteLabels",
+    {
+        siteLabelId: serial("siteLabelId").primaryKey(),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = pgTable(
+    "resourceLabels",
+    {
+        resourceLabelId: serial("resourceLabelId").primaryKey(),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = pgTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: serial("siteResourceLabelId").primaryKey(),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = pgTable(
+    "clientLabels",
+    {
+        clientLabelId: serial("clientLabelId").primaryKey(),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = pgTable("targets", {
    targetId: serial("targetId").primaryKey(),
    resourceId: integer("resourceId")
@@ -196,9 +303,11 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
            onDelete: "cascade"
        })
        .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
    name: varchar("name"),
    hcEnabled: boolean("hcEnabled").notNull().default(false),
    hcPath: varchar("hcPath"),
@@ -254,11 +363,11 @@ export const siteResources = pgTable("siteResources", {
    niceId: varchar("niceId").notNull(),
    name: varchar("name").notNull(),
    ssl: boolean("ssl").notNull().default(false),
-    mode: varchar("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
+    mode: varchar("mode").$type<"host" | "cidr" | "http" | "ssh">().notNull(), // "host" | "cidr" | "http"
    scheme: varchar("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
-    destination: varchar("destination").notNull(), // ip, cidr, hostname; validate against the mode
+    destination: varchar("destination"), // ip, cidr, hostname; validate against the mode
    enabled: boolean("enabled").notNull().default(true),
    alias: varchar("alias"),
    aliasAddress: varchar("aliasAddress"),
@@ -266,8 +375,11 @@ export const siteResources = pgTable("siteResources", {
    udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
    disableIcmp: boolean("disableIcmp").notNull().default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
    authDaemonMode: varchar("authDaemonMode", { length: 32 })
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
        .default("site"),
    domainId: varchar("domainId").references(() => domains.domainId, {
        onDelete: "set null"
@@ -521,6 +633,38 @@ export const userResources = pgTable("userResources", {
        .references(() => resources.resourceId, { onDelete: "cascade" })
 });

+export const rolePolicies = pgTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = pgTable("userPolicies", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = pgTable("resourcePolicyWhitelist", {
+    whitelistId: serial("id").primaryKey(),
+    email: varchar("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const userInvites = pgTable("userInvites", {
    inviteId: varchar("inviteId").primaryKey(),
    orgId: varchar("orgId")
@@ -586,6 +730,40 @@ export const resourceHeaderAuthExtendedCompatibility = pgTable(
    }
 );

+export const resourcePolicyPincode = pgTable("resourcePolicyPincode", {
+    pincodeId: serial("pincodeId").primaryKey(),
+    pincodeHash: varchar("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = pgTable("resourcePolicyPassword", {
+    passwordId: serial("passwordId").primaryKey(),
+    passwordHash: varchar("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = pgTable("resourcePolicyHeaderAuth", {
+    headerAuthId: serial("headerAuthId").primaryKey(),
+    headerAuthHash: varchar("headerAuthHash").notNull(),
+    extendedCompatibility: boolean("extendedCompatibility")
+        .notNull()
+        .default(true),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const resourceAccessToken = pgTable("resourceAccessToken", {
    accessTokenId: varchar("accessTokenId").primaryKey(),
    orgId: varchar("orgId")
@@ -594,6 +772,7 @@ export const resourceAccessToken = pgTable("resourceAccessToken", {
    resourceId: integer("resourceId")
        .notNull()
        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    path: varchar("path"),
    tokenHash: varchar("tokenHash").notNull(),
    sessionLength: bigint("sessionLength", { mode: "number" }).notNull(),
    expiresAt: bigint("expiresAt", { mode: "number" }),
@@ -641,6 +820,24 @@ export const resourceSessions = pgTable("resourceSessions", {
            onDelete: "cascade"
        }
    ),
+    policyPasswordId: integer("policyPasswordId").references(
+        () => resourcePolicyPassword.passwordId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyPincodeId: integer("policyPincodeId").references(
+        () => resourcePolicyPincode.pincodeId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyWhitelistId: integer("policyWhitelistId").references(
+        () => resourcePolicyWhiteList.whitelistId,
+        {
+            onDelete: "cascade"
+        }
+    ),
    issuedAt: bigint("issuedAt", { mode: "number" })
 });

@@ -679,6 +876,43 @@ export const resourceRules = pgTable("resourceRules", {
    value: varchar("value").notNull()
 });

+export const resourcePolicyRules = pgTable("resourcePolicyRules", {
+    ruleId: serial("ruleId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: boolean("enabled").notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: varchar("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    value: varchar("value").notNull()
+});
+
+export const resourcePolicies = pgTable("resourcePolicies", {
+    resourcePolicyId: serial("resourcePolicyId").primaryKey(),
+    sso: boolean("sso").notNull().default(true),
+    applyRules: boolean("applyRules").notNull().default(false),
+    scope: varchar("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
+        .notNull()
+        .default(false),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    niceId: text("niceId").notNull(),
+    name: varchar("name").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = pgTable("supporterKey", {
    keyId: serial("keyId").primaryKey(),
    key: varchar("key").notNull(),
@@ -1097,19 +1331,30 @@ export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
    complete: boolean("complete").notNull().default(false)
 });

-export const statusHistory = pgTable("statusHistory", {
-    id: serial("id").primaryKey(),
-    entityType: varchar("entityType").notNull(),
-    entityId: integer("entityId").notNull(),
-    orgId: varchar("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: varchar("status").notNull(),
-    timestamp: integer("timestamp").notNull(),
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = pgTable(
+    "statusHistory",
+    {
+        id: serial("id").primaryKey(),
+        entityType: varchar("entityType").notNull(),
+        entityId: integer("entityId").notNull(),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: varchar("status").notNull(),
+        timestamp: integer("timestamp").notNull()
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);

 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1147,6 +1392,16 @@ export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
+export type ResourcePolicyPincode = InferSelectModel<
+    typeof resourcePolicyPincode
+>;
+export type ResourcePolicyPassword = InferSelectModel<
+    typeof resourcePolicyPassword
+>;
+export type ResourcePolicyHeaderAuth = InferSelectModel<
+    typeof resourcePolicyHeaderAuth
+>;
+
 export type VersionMigration = InferSelectModel<typeof versionMigrations>;
 export type ResourceRule = InferSelectModel<typeof resourceRules>;
 export type Domain = InferSelectModel<typeof domains>;
@@ -1179,3 +1434,7 @@ export type RoundTripMessageTracker = InferSelectModel<
 >;
 export type Network = InferSelectModel<typeof networks>;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -17,22 +17,37 @@ import {
    resourceHeaderAuth,
    ResourceHeaderAuth,
    resourceRules,
+    resourcePolicyRules,
    resources,
    roleResources,
+    rolePolicies,
    sessions,
    userResources,
+    userPolicies,
    users,
    ResourceHeaderAuthExtendedCompatibility,
-    resourceHeaderAuthExtendedCompatibility
+    resourceHeaderAuthExtendedCompatibility,
+    resourcePolicies,
+    resourcePolicyPincode,
+    ResourcePolicyPincode,
+    resourcePolicyPassword,
+    ResourcePolicyPassword,
+    resourcePolicyHeaderAuth,
+    ResourcePolicyHeaderAuth
 } from "@server/db";
-import { and, eq, inArray, or, sql } from "drizzle-orm";
+import { alias } from "@server/db";
+import { and, eq, inArray, isNull, or, sql } from "drizzle-orm";
+import logger from "@server/logger";

 export type ResourceWithAuth = {
    resource: Resource | null;
-    pincode: ResourcePincode | null;
-    password: ResourcePassword | null;
-    headerAuth: ResourceHeaderAuth | null;
+    pincode: ResourcePincode | ResourcePolicyPincode | null;
+    password: ResourcePassword | ResourcePolicyPassword | null;
+    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
+    applyRules: boolean;
+    sso: boolean;
+    emailWhitelistEnabled: boolean;
    org: Org;
 };

@@ -57,6 +72,33 @@ export async function getResourceByDomain(
        wildcardCandidates.push(`*.${parts.slice(i).join(".")}`);
    }

+    const sharedPolicy = alias(resourcePolicies, "sharedPolicy");
+    const defaultPolicy = alias(resourcePolicies, "defaultPolicy");
+    const sharedPolicyPincode = alias(
+        resourcePolicyPincode,
+        "sharedPolicyPincode"
+    );
+    const defaultPolicyPincode = alias(
+        resourcePolicyPincode,
+        "defaultPolicyPincode"
+    );
+    const sharedPolicyPassword = alias(
+        resourcePolicyPassword,
+        "sharedPolicyPassword"
+    );
+    const defaultPolicyPassword = alias(
+        resourcePolicyPassword,
+        "defaultPolicyPassword"
+    );
+    const sharedPolicyHeaderAuth = alias(
+        resourcePolicyHeaderAuth,
+        "sharedPolicyHeaderAuth"
+    );
+    const defaultPolicyHeaderAuth = alias(
+        resourcePolicyHeaderAuth,
+        "defaultPolicyHeaderAuth"
+    );
+
    const potentialResults = await db
        .select()
        .from(resources)
@@ -79,6 +121,59 @@ export async function getResourceByDomain(
                resources.resourceId
            )
        )
+        .leftJoin(
+            sharedPolicy,
+            eq(sharedPolicy.resourcePolicyId, resources.resourcePolicyId)
+        )
+        .leftJoin(
+            sharedPolicyPincode,
+            eq(
+                sharedPolicyPincode.resourcePolicyId,
+                sharedPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            sharedPolicyPassword,
+            eq(
+                sharedPolicyPassword.resourcePolicyId,
+                sharedPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            sharedPolicyHeaderAuth,
+            eq(
+                sharedPolicyHeaderAuth.resourcePolicyId,
+                sharedPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicy,
+            eq(
+                defaultPolicy.resourcePolicyId,
+                resources.defaultResourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicyPincode,
+            eq(
+                defaultPolicyPincode.resourcePolicyId,
+                defaultPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicyPassword,
+            eq(
+                defaultPolicyPassword.resourcePolicyId,
+                defaultPolicy.resourcePolicyId
+            )
+        )
+        .leftJoin(
+            defaultPolicyHeaderAuth,
+            eq(
+                defaultPolicyHeaderAuth.resourcePolicyId,
+                defaultPolicy.resourcePolicyId
+            )
+        )
        .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
        .where(
            or(
@@ -108,13 +203,51 @@ export async function getResourceByDomain(
        return null;
    }

+    // If a shared (custom) policy is assigned to the resource, use ONLY
+    // its values — do not fall back to the default policy. The default
+    // policy is only consulted when no shared policy is assigned at all.
+    const hasSharedPolicy = result.sharedPolicy !== null;
+
+    const effectivePolicyPincode = hasSharedPolicy
+        ? result.sharedPolicyPincode
+        : (result.defaultPolicyPincode ?? null);
+    const effectivePolicyPassword = hasSharedPolicy
+        ? result.sharedPolicyPassword
+        : (result.defaultPolicyPassword ?? null);
+    const effectivePolicyHeaderAuth = hasSharedPolicy
+        ? result.sharedPolicyHeaderAuth
+        : (result.defaultPolicyHeaderAuth ?? null);
+    const selectedPolicy = hasSharedPolicy
+        ? result.sharedPolicy
+        : result.defaultPolicy;
+    const effectiveApplyRules =
+        selectedPolicy?.applyRules ?? result.resources.applyRules;
+    const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
+    const effectiveEmailWhitelistEnabled =
+        selectedPolicy?.emailWhitelistEnabled ??
+        result.resources.emailWhitelistEnabled;
+
    return {
-        resource: result.resources,
-        pincode: result.resourcePincode,
-        password: result.resourcePassword,
-        headerAuth: result.resourceHeaderAuth,
-        headerAuthExtendedCompatibility:
-            result.resourceHeaderAuthExtendedCompatibility,
+        resource: {
+            ...result.resources,
+            applyRules: effectiveApplyRules,
+            sso: effectiveSSO,
+            emailWhitelistEnabled: effectiveEmailWhitelistEnabled
+        }, // doing this for backward compatability so the remote nodes get the value as part of the resource struct
+        pincode: effectivePolicyPincode ?? result.resourcePincode,
+        password: effectivePolicyPassword ?? result.resourcePassword,
+        headerAuth: effectivePolicyHeaderAuth ?? result.resourceHeaderAuth,
+        headerAuthExtendedCompatibility: effectivePolicyHeaderAuth
+            ? ({
+                  headerAuthExtendedCompatibilityId: 0,
+                  resourceId: result.resources.resourceId,
+                  extendedCompatibilityIsActivated:
+                      effectivePolicyHeaderAuth.extendedCompatibility
+              } as ResourceHeaderAuthExtendedCompatibility)
+            : result.resourceHeaderAuthExtendedCompatibility,
+        applyRules: effectiveApplyRules,
+        sso: effectiveSSO,
+        emailWhitelistEnabled: effectiveEmailWhitelistEnabled,
        org: result.orgs
    };
 }
@@ -154,58 +287,165 @@ export async function getRoleName(roleId: number): Promise<string | null> {
 }

 /**
- * Check if role has access to resource
+ * Check if role has access to resource (direct or via resource policy)
 */
 export async function getRoleResourceAccess(
    resourceId: number,
    roleIds: number[]
 ) {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                inArray(roleResources.roleId, roleIds)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(roleResources)
+            .where(
+                and(
+                    eq(roleResources.resourceId, resourceId),
+                    inArray(roleResources.roleId, roleIds)
+                )
+            ),
+        db
+            .select({
+                roleId: rolePolicies.roleId,
+                resourcePolicyId: rolePolicies.resourcePolicyId
+            })
+            .from(rolePolicies)
+            .innerJoin(
+                resources,
+                // Shared policy wins; only use default policy when no shared
+                // policy is assigned to the resource.
+                or(
+                    eq(
+                        resources.resourcePolicyId,
+                        rolePolicies.resourcePolicyId
+                    ),
+                    and(
+                        isNull(resources.resourcePolicyId),
+                        eq(
+                            resources.defaultResourcePolicyId,
+                            rolePolicies.resourcePolicyId
+                        )
+                    )
+                )
            )
-        );
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    inArray(rolePolicies.roleId, roleIds)
+                )
+            )
+    ]);

-    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
+    const combined = [...direct, ...viaPolicies];
+    return combined.length > 0 ? combined : null;
 }

 /**
- * Check if user has direct access to resource
+ * Check if user has access to resource (direct or via resource policy)
 */
 export async function getUserResourceAccess(
    userId: string,
    resourceId: number
 ) {
-    const userResourceAccess = await db
-        .select()
-        .from(userResources)
-        .where(
-            and(
-                eq(userResources.userId, userId),
-                eq(userResources.resourceId, resourceId)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(userResources)
+            .where(
+                and(
+                    eq(userResources.userId, userId),
+                    eq(userResources.resourceId, resourceId)
+                )
            )
-        )
-        .limit(1);
+            .limit(1),
+        db
+            .select({
+                userId: userPolicies.userId,
+                resourcePolicyId: userPolicies.resourcePolicyId
+            })
+            .from(userPolicies)
+            .innerJoin(
+                resources,
+                // Shared policy wins; only use default policy when no shared
+                // policy is assigned to the resource.
+                or(
+                    eq(
+                        resources.resourcePolicyId,
+                        userPolicies.resourcePolicyId
+                    ),
+                    and(
+                        isNull(resources.resourcePolicyId),
+                        eq(
+                            resources.defaultResourcePolicyId,
+                            userPolicies.resourcePolicyId
+                        )
+                    )
+                )
+            )
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(userPolicies.userId, userId)
+                )
+            )
+            .limit(1)
+    ]);

-    return userResourceAccess.length > 0 ? userResourceAccess[0] : null;
+    return direct[0] ?? viaPolicies[0] ?? null;
 }

 /**
- * Get resource rules for a given resource
+ * Get resource rules for a given resource (direct and via resource policy)
 */
 export async function getResourceRules(
    resourceId: number
 ): Promise<ResourceRule[]> {
-    const rules = await db
-        .select()
-        .from(resourceRules)
-        .where(eq(resourceRules.resourceId, resourceId));
+    const [directRules, policyRules] = await Promise.all([
+        db
+            .select()
+            .from(resourceRules)
+            .where(eq(resourceRules.resourceId, resourceId)),
+        db
+            .select({
+                ruleId: resourcePolicyRules.ruleId,
+                resourceId: sql<number>`${resourceId}`,
+                enabled: resourcePolicyRules.enabled,
+                priority: resourcePolicyRules.priority,
+                action: resourcePolicyRules.action,
+                match: resourcePolicyRules.match,
+                value: resourcePolicyRules.value
+            })
+            .from(resourcePolicyRules)
+            .innerJoin(
+                resources,
+                // Shared policy wins; only use default policy when no shared
+                // policy is assigned to the resource.
+                or(
+                    eq(
+                        resources.resourcePolicyId,
+                        resourcePolicyRules.resourcePolicyId
+                    ),
+                    and(
+                        isNull(resources.resourcePolicyId),
+                        eq(
+                            resources.defaultResourcePolicyId,
+                            resourcePolicyRules.resourcePolicyId
+                        )
+                    )
+                )
+            )
+            .where(eq(resources.resourceId, resourceId))
+    ]);

-    return rules;
+    const maxDirectPriority = directRules.reduce(
+        (max, r) => Math.max(max, r.priority),
+        0
+    );
+    const offsetPolicyRules = policyRules.map((r) => ({
+        ...r,
+        priority: maxDirectPriority + r.priority
+    }));
+
+    return [...directRules, ...offsetPolicyRules] as ResourceRule[];
 }

 /**
--- a/server/db/sqlite/index.ts
+++ b/server/db/sqlite/index.ts
@@ -4,3 +4,4 @@ export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
+export { alias } from "drizzle-orm/sqlite-core";
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -12,6 +12,7 @@ import {
    clients,
    domains,
    exitNodes,
+    labels,
    orgs,
    resources,
    roles,
@@ -21,9 +22,6 @@ import {
    targetHealthCheck,
    users
 } from "./schema";
-import { serial, varchar } from "drizzle-orm/mysql-core";
-import { pgTable } from "drizzle-orm/pg-core";
-import { bigint } from "zod";

 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -195,6 +193,44 @@ export const remoteExitNodes = sqliteTable("remoteExitNode", {
    })
 });

+export const remoteExitNodeResources = sqliteTable("remoteExitNodeResources", {
+    remoteExitNodeResourceId: integer("remoteExitNodeResourceId").primaryKey({
+        autoIncrement: true
+    }),
+    remoteExitNodeId: text("remoteExitNodeId")
+        .notNull()
+        .references(() => remoteExitNodes.remoteExitNodeId, {
+            onDelete: "cascade"
+        }),
+    destination: text("destination").notNull() // a cidr range
+});
+
+export const remoteExitNodePreferenceLabels = sqliteTable(
+    // this controls what sites are enforced to connect to this node
+    "remoteExitNodePreferenceLabels",
+    {
+        remoteExitNodePreferenceLabelId: integer(
+            "remoteExitNodePreferenceLabelId"
+        ).primaryKey({ autoIncrement: true }),
+        remoteExitNodeId: text("remoteExitNodeId")
+            .references(() => remoteExitNodes.remoteExitNodeId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [
+        uniqueIndex("remote_exit_node_preference_label_uniq").on(
+            t.remoteExitNodeId,
+            t.labelId
+        )
+    ]
+);
+
 export const remoteExitNodeSessions = sqliteTable("remoteExitNodeSession", {
    sessionId: text("id").primaryKey(),
    remoteExitNodeId: text("remoteExitNodeId")
@@ -332,6 +368,7 @@ export const connectionAuditLog = sqliteTable(
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
+        clientEndpoint: text("clientEndpoint"),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
@@ -445,6 +482,8 @@ export const eventStreamingDestinations = sqliteTable(
        enabled: integer("enabled", { mode: "boolean" })
            .notNull()
            .default(true),
+        lastError: text("lastError"), // last send error message, null if healthy
+        lastErrorAt: integer("lastErrorAt"), // epoch ms of last error, null if healthy
        createdAt: integer("createdAt").notNull(),
        updatedAt: integer("updatedAt").notNull()
    }
@@ -585,6 +624,26 @@ export const trialNotifications = sqliteTable("trialNotifications", {
    sentAt: integer("sentAt").notNull()
 });

+export const browserGatewayTarget = sqliteTable("browserGatewayTarget", {
+    browserGatewayTargetId: integer("browserGatewayTargetId").primaryKey({
+        autoIncrement: true
+    }),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: text("authToken").notNull(),
+    type: text("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: text("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -624,3 +683,6 @@ export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
 export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -62,7 +62,13 @@ export const orgs = sqliteTable("orgs", {
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
-    billingOrgId: text("billingOrgId")
+    billingOrgId: text("billingOrgId"),
+    settingsEnableGlobalNewtAutoUpdate: integer(
+        "settingsEnableGlobalNewtAutoUpdate",
+        { mode: "boolean" }
+    )
+        .notNull()
+        .default(false)
 });

 export const userDomains = sqliteTable("userDomains", {
@@ -116,11 +122,29 @@ export const sites = sqliteTable("sites", {
    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
        .notNull()
        .default(true),
+    autoUpdateEnabled: integer("autoUpdateEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdateOverrideOrg: integer("autoUpdateOverrideOrg", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
    status: text("status").$type<"pending" | "approved">().default("approved")
 });

 export const resources = sqliteTable("resources", {
    resourceId: integer("resourceId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
    resourceGuid: text("resourceGuid", { length: 36 })
        .unique()
        .notNull()
@@ -142,8 +166,6 @@ export const resources = sqliteTable("resources", {
        .notNull()
        .default(false),
    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
-    http: integer("http", { mode: "boolean" }).notNull().default(true),
-    protocol: text("protocol").notNull(),
    proxyPort: integer("proxyPort"),
    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
        .notNull()
@@ -166,7 +188,6 @@ export const resources = sqliteTable("resources", {
        .notNull()
        .default(false),
    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
    maintenanceModeEnabled: integer("maintenanceModeEnabled", {
        mode: "boolean"
    })
@@ -180,9 +201,106 @@ export const resources = sqliteTable("resources", {
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath"),
    health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false)
+    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
+    mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });

+export const labels = sqliteTable("labels", {
+    labelId: integer("labelId").primaryKey({ autoIncrement: true }),
+    name: text("name").notNull(),
+    color: text("color").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = sqliteTable(
+    "siteLabels",
+    {
+        siteLabelId: integer("siteLabelId").primaryKey({ autoIncrement: true }),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = sqliteTable(
+    "resourceLabels",
+    {
+        resourceLabelId: integer("resourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = sqliteTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: integer("siteResourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = sqliteTable(
+    "clientLabels",
+    {
+        clientLabelId: integer("clientLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = sqliteTable("targets", {
    targetId: integer("targetId").primaryKey({ autoIncrement: true }),
    resourceId: integer("resourceId")
@@ -219,9 +337,11 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
            onDelete: "cascade"
        })
        .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
    name: text("name"),
    hcEnabled: integer("hcEnabled", { mode: "boolean" })
        .notNull()
@@ -281,11 +401,11 @@ export const siteResources = sqliteTable("siteResources", {
    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
    ssl: integer("ssl", { mode: "boolean" }).notNull().default(false),
-    mode: text("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
+    mode: text("mode").$type<"host" | "cidr" | "http" | "ssh">().notNull(), // "host" | "cidr" | "http"
    scheme: text("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
-    destination: text("destination").notNull(), // ip, cidr, hostname
+    destination: text("destination"), // ip, cidr, hostname
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    alias: text("alias"),
    aliasAddress: text("aliasAddress"),
@@ -295,8 +415,11 @@ export const siteResources = sqliteTable("siteResources", {
        .notNull()
        .default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
    authDaemonMode: text("authDaemonMode")
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
        .default("site"),
    domainId: text("domainId").references(() => domains.domainId, {
        onDelete: "set null"
@@ -909,6 +1032,47 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
    headerAuthHash: text("headerAuthHash").notNull()
 });

+export const resourcePolicyPincode = sqliteTable("resourcePolicyPincode", {
+    pincodeId: integer("pincodeId").primaryKey({ autoIncrement: true }),
+    pincodeHash: text("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = sqliteTable("resourcePolicyPassword", {
+    passwordId: integer("passwordId").primaryKey({ autoIncrement: true }),
+    passwordHash: text("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = sqliteTable(
+    "resourcePolicyHeaderAuth",
+    {
+        headerAuthId: integer("headerAuthId").primaryKey({
+            autoIncrement: true
+        }),
+        headerAuthHash: text("headerAuthHash").notNull(),
+        extendedCompatibility: integer("extendedCompatibility", {
+            mode: "boolean"
+        })
+            .notNull()
+            .default(true),
+        resourcePolicyId: integer("resourcePolicyId")
+            .notNull()
+            .references(() => resourcePolicies.resourcePolicyId, {
+                onDelete: "cascade"
+            })
+    }
+);
+
 export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
    "resourceHeaderAuthExtendedCompatibility",
    {
@@ -937,6 +1101,7 @@ export const resourceAccessToken = sqliteTable("resourceAccessToken", {
    resourceId: integer("resourceId")
        .notNull()
        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    path: text("path"),
    tokenHash: text("tokenHash").notNull(),
    sessionLength: integer("sessionLength").notNull(),
    expiresAt: integer("expiresAt"),
@@ -983,6 +1148,24 @@ export const resourceSessions = sqliteTable("resourceSessions", {
            onDelete: "cascade"
        }
    ),
+    policyPasswordId: integer("policyPasswordId").references(
+        () => resourcePolicyPassword.passwordId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyPincodeId: integer("policyPincodeId").references(
+        () => resourcePolicyPincode.pincodeId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyWhitelistId: integer("policyWhitelistId").references(
+        () => resourcePolicyWhiteList.whitelistId,
+        {
+            onDelete: "cascade"
+        }
+    ),
    issuedAt: integer("issuedAt")
 });

@@ -1023,6 +1206,77 @@ export const resourceRules = sqliteTable("resourceRules", {
    value: text("value").notNull()
 });

+export const rolePolicies = sqliteTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = sqliteTable("userPolicies", {
+    userId: text("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = sqliteTable("resourcePolicyWhitelist", {
+    whitelistId: integer("id").primaryKey({ autoIncrement: true }),
+    email: text("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
+    ruleId: integer("ruleId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: text("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    value: text("value").notNull()
+});
+
+export const resourcePolicies = sqliteTable("resourcePolicies", {
+    resourcePolicyId: integer("resourcePolicyId").primaryKey(),
+    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
+    applyRules: integer("applyRules", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    scope: text("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    niceId: text("niceId").notNull(),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    name: text("name").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = sqliteTable("supporterKey", {
    keyId: integer("keyId").primaryKey({ autoIncrement: true }),
    key: text("key").notNull(),
@@ -1196,19 +1450,30 @@ export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
    complete: integer("complete", { mode: "boolean" }).notNull().default(false)
 });

-export const statusHistory = sqliteTable("statusHistory", {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    entityType: text("entityType").notNull(), // "site" | "healthCheck"
-    entityId: integer("entityId").notNull(),  // siteId or targetHealthCheckId
-    orgId: text("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
-    timestamp: integer("timestamp").notNull(), // unix epoch seconds
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = sqliteTable(
+    "statusHistory",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        entityType: text("entityType").notNull(), // "site" | "healthCheck"
+        entityId: integer("entityId").notNull(), // siteId or targetHealthCheckId
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
+        timestamp: integer("timestamp").notNull() // unix epoch seconds
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);

 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1278,3 +1543,16 @@ export type RoundTripMessageTracker = InferSelectModel<
    typeof roundTripMessageTracker
 >;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type ResourcePolicyPincode = InferSelectModel<
+    typeof resourcePolicyPincode
+>;
+export type ResourcePolicyPassword = InferSelectModel<
+    typeof resourcePolicyPassword
+>;
+export type ResourcePolicyHeaderAuth = InferSelectModel<
+    typeof resourcePolicyHeaderAuth
+>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;
--- a/server/index.ts
+++ b/server/index.ts
@@ -1,5 +1,5 @@
 #! /usr/bin/env node
-import "./extendZod.ts";
+import "./extendZod";

 import { runSetupFunctions } from "./setup";
 import { createApiServer } from "./apiServer";
--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -152,11 +152,17 @@ function getOpenApiDocumentation() {

            if (!hasExistingResponses) {
                def.route.responses = {
-                    "*": {
-                        description: "",
+                    "200": {
+                        description: "Successful response",
                        content: {
                            "application/json": {
-                                schema: z.object({})
+                                schema: z.object({
+                                    data: z.unknown().nullable(),
+                                    success: z.boolean(),
+                                    error: z.boolean(),
+                                    message: z.string(),
+                                    status: z.number()
+                                })
                            }
                        }
                    }
--- a/server/lib/alerts/events/healthCheckEvents.ts
+++ b/server/lib/alerts/events/healthCheckEvents.ts
@@ -221,10 +221,18 @@ async function handleResource(
        )
        .where(eq(targets.resourceId, resource.resourceId));

+    const monitoredTargets = otherTargets.filter(
+        (t) => t.hcHealth !== "unknown"
+    );
+
    let health = "healthy";
-    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
-    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
-    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
+    const allUnknown = monitoredTargets.length === 0;
+    const allHealthy = monitoredTargets.every(
+        (t) => t.hcHealth === "healthy"
+    );
+    const allUnhealthy = monitoredTargets.every(
+        (t) => t.hcHealth === "unhealthy"
+    );

    if (allUnknown) {
        logger.debug(
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -16,18 +16,22 @@ export enum TierFeature {
    SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
    PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
    AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
-    SshPam = "sshPam",
    FullRbac = "fullRbac",
    SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
    SIEM = "siem", // handle downgrade by disabling SIEM integrations
-    HTTPPrivateResources = "httpPrivateResources", // handle downgrade by disabling HTTP private resources
    DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
    StandaloneHealthChecks = "standaloneHealthChecks",
    AlertingRules = "alertingRules",
-    WildcardSubdomain = "wildcardSubdomain"
+    WildcardSubdomain = "wildcardSubdomain",
+    Labels = "labels",
+    NewtAutoUpdate = "newtAutoUpdate",
+    ResourcePolicies = "resourcePolicies",
+    AdvancedPublicResources = "advancedPublicResources",
+    AdvancedPrivateResources = "advancedPrivateResources"
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
+    [TierFeature.Labels]: ["tier2", "tier3", "enterprise"],
    [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
@@ -58,13 +62,25 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
        "enterprise"
    ],
    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
-    [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
    [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
    [TierFeature.SIEM]: ["enterprise"],
-    [TierFeature.HTTPPrivateResources]: ["tier3", "enterprise"],
    [TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
    [TierFeature.AlertingRules]: ["tier3", "enterprise"],
-    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"]
+    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
+    [TierFeature.AdvancedPublicResources]: [
+        "tier1",
+        "tier2",
+        "tier3",
+        "enterprise"
+    ],
+    [TierFeature.AdvancedPrivateResources]: [
+        "tier1",
+        "tier2",
+        "tier3",
+        "enterprise"
+    ]
 };
--- a/server/lib/billing/usageService.ts
+++ b/server/lib/billing/usageService.ts
@@ -22,7 +22,6 @@ export function noop() {
 }

 export class UsageService {
-
    constructor() {
        if (noop()) {
            return;
@@ -57,7 +56,10 @@ export class UsageService {
            try {
                let usage;
                if (transaction) {
-                    const orgIdToUse = await this.getBillingOrg(orgId, transaction);
+                    const orgIdToUse = await this.getBillingOrg(
+                        orgId,
+                        transaction
+                    );
                    usage = await this.internalAddUsage(
                        orgIdToUse,
                        featureId,
@@ -274,11 +276,12 @@ export class UsageService {
            return null;
        }

-        const orgIdToUse = await this.getBillingOrg(orgId, trx);
-
-        const usageId = `${orgIdToUse}-${featureId}`;
-
+        let orgIdToUse = orgId;
        try {
+            orgIdToUse = await this.getBillingOrg(orgId, trx);
+
+            const usageId = `${orgIdToUse}-${featureId}`;
+
            const [result] = await trx
                .select()
                .from(usage)
@@ -338,8 +341,12 @@ export class UsageService {
                `Failed to get usage for ${orgIdToUse}/${featureId}:`,
                error
            );
-            throw error;
+            if (process.env.NODE_ENV !== "development") {
+                throw error;
+            }
        }
+
+        return null;
    }

    public async getBillingOrg(
@@ -382,13 +389,13 @@ export class UsageService {
            return false;
        }

-        const orgIdToUse = await this.getBillingOrg(orgId, trx);
-
        // This method should check the current usage against the limits set for the organization
        // and kick out all of the sites on the org
        let hasExceededLimits = false;
-
+        let orgIdToUse = orgId;
        try {
+            orgIdToUse = await this.getBillingOrg(orgId, trx);
+
            let orgLimits: Limit[] = [];
            if (featureId) {
                // Get all limits set for this organization
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -16,14 +16,13 @@ import logger from "@server/logger";
 import { sites } from "@server/db";
 import { eq, and, isNotNull } from "drizzle-orm";
 import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
-import { addTargets as addClientTargets } from "@server/routers/client/targets";
 import {
    ClientResourcesResults,
    updateClientResources
 } from "./clientResources";
 import { BlueprintSource } from "@server/routers/blueprints/types";
 import { stringify as stringifyYaml } from "yaml";
-import { faker } from "@faker-js/faker";
+import { generateName } from "@server/db/names";
 import { handleMessagingForUpdatedSiteResource } from "@server/routers/siteResource";
 import { rebuildClientAssociationsFromSiteResource } from "../rebuildClientAssociations";

@@ -106,7 +105,7 @@ export async function applyBlueprint({
                            site.newt.newtId,
                            [target],
                            matchingHealthcheck ? [matchingHealthcheck] : [],
-                            result.proxyResource.protocol,
+                            result.proxyResource.mode === "udp" ? "udp" : "tcp",
                            site.newt.version
                        );
                    }
@@ -291,9 +290,7 @@ export async function applyBlueprint({
            .insert(blueprints)
            .values({
                orgId,
-                name:
-                    name ??
-                    `${faker.word.adjective()}-${faker.word.adjective()}-${faker.word.noun()}`,
+                name: name ?? generateName(),
                contents: stringifyYaml(configData),
                createdAt: Math.floor(Date.now() / 1000),
                succeeded: blueprintSucceeded,
--- a/server/lib/blueprints/applyNewtDockerBlueprint.ts
+++ b/server/lib/blueprints/applyNewtDockerBlueprint.ts
@@ -1,10 +1,56 @@
 import { sendToClient } from "#dynamic/routers/ws";
 import { processContainerLabels } from "./parseDockerContainers";
 import { applyBlueprint } from "./applyBlueprint";
+import { PrivateResourceSchema, PublicResourceSchema } from "./types";
 import { db, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";

+type BlueprintResult = ReturnType<typeof processContainerLabels>;
+
+function filterInvalidResources(blueprint: BlueprintResult): {
+    skippedCount: number;
+    skippedKeys: string[];
+} {
+    const skippedKeys: string[] = [];
+
+    for (const section of ["proxy-resources", "public-resources"] as const) {
+        const resources = blueprint[section];
+        for (const [key, value] of Object.entries(resources)) {
+            const result = PublicResourceSchema.safeParse(value);
+            if (!result.success) {
+                const errors = result.error.issues
+                    .map((i) => `${i.path.join(".")}: ${i.message}`)
+                    .join("; ");
+                logger.warn(
+                    `Skipping invalid Docker ${section} "${key}": ${errors}`
+                );
+                delete resources[key];
+                skippedKeys.push(`${section}.${key}`);
+            }
+        }
+    }
+
+    for (const section of ["client-resources", "private-resources"] as const) {
+        const resources = blueprint[section];
+        for (const [key, value] of Object.entries(resources)) {
+            const result = PrivateResourceSchema.safeParse(value);
+            if (!result.success) {
+                const errors = result.error.issues
+                    .map((i) => `${i.path.join(".")}: ${i.message}`)
+                    .join("; ");
+                logger.warn(
+                    `Skipping invalid Docker ${section} "${key}": ${errors}`
+                );
+                delete resources[key];
+                skippedKeys.push(`${section}.${key}`);
+            }
+        }
+    }
+
+    return { skippedCount: skippedKeys.length, skippedKeys };
+}
+
 export async function applyNewtDockerBlueprint(
    siteId: number,
    newtId: string,
@@ -21,17 +67,24 @@ export async function applyNewtDockerBlueprint(
        return;
    }

-    // logger.debug(`Applying Docker blueprint to site: ${siteId}`);
-    // logger.debug(`Containers: ${JSON.stringify(containers, null, 2)}`);
+    let skippedCount = 0;
+    let skippedKeys: string[] = [];

    try {
        const blueprint = processContainerLabels(containers);

-        logger.debug(`Received Docker blueprint: ${JSON.stringify(blueprint)}`);
+        logger.debug(
+            `Received Docker blueprint with ${Object.keys(blueprint["proxy-resources"]).length} proxy, ${Object.keys(blueprint["client-resources"]).length} client resource(s)`
+        );

-        // make sure this is not an empty object
-        if (isEmptyObject(blueprint)) {
-            return;
+        const filterResult = filterInvalidResources(blueprint);
+        skippedCount = filterResult.skippedCount;
+        skippedKeys = filterResult.skippedKeys;
+
+        if (skippedCount > 0) {
+            logger.warn(
+                `Filtered ${skippedCount} invalid resource(s) from Docker blueprint: ${skippedKeys.join(", ")}`
+            );
        }

        if (
@@ -40,6 +93,15 @@ export async function applyNewtDockerBlueprint(
            isEmptyObject(blueprint["public-resources"]) &&
            isEmptyObject(blueprint["private-resources"])
        ) {
+            if (skippedCount > 0) {
+                await sendToClient(newtId, {
+                    type: "newt/blueprint/results",
+                    data: {
+                        success: false,
+                        message: `All resources were invalid and skipped: ${skippedKeys.join(", ")}`
+                    }
+                });
+            }
            return;
        }

@@ -66,7 +128,10 @@ export async function applyNewtDockerBlueprint(
        type: "newt/blueprint/results",
        data: {
            success: true,
-            message: "Config updated successfully"
+            message:
+                skippedCount > 0
+                    ? `Config updated successfully. Skipped ${skippedCount} invalid resource(s): ${skippedKeys.join(", ")}`
+                    : "Config updated successfully"
        }
    });
 }
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -3,6 +3,7 @@ import {
    clientSiteResources,
    domains,
    orgDomains,
+    roleActions,
    roles,
    roleSiteResources,
    Site,
@@ -19,6 +20,7 @@ import { sites } from "@server/db";
 import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
+import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 import { getNextAvailableAliasAddress } from "../ip";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";

@@ -225,7 +227,11 @@ export async function updateClientResources(
                            : resourceData["udp-ports"],
                    fullDomain: resourceData["full-domain"] || null,
                    subdomain: domainInfo ? domainInfo.subdomain : null,
-                    domainId: domainInfo ? domainInfo.domainId : null
+                    domainId: domainInfo ? domainInfo.domainId : null,
+                    pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+                    authDaemonMode:
+                        resourceData["auth-daemon"]?.mode || "native",
+                    authDaemonPort: resourceData["auth-daemon"]?.port || 22123
                })
                .where(
                    eq(
@@ -332,8 +338,7 @@ export async function updateClientResources(
            }

            if (resourceData.roles.length > 0) {
-                // Re-add specified roles but we need to get the roleIds from the role name in the array
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                    .select()
                    .from(roles)
                    .where(
@@ -343,7 +348,28 @@ export async function updateClientResources(
                        )
                    );

-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);

                await trx
                    .insert(roleSiteResources)
@@ -360,8 +386,14 @@ export async function updateClientResources(
            });
        } else {
            let aliasAddress: string | null = null;
+            let releaseAliasLock: (() => Promise<void>) | null = null;
            if (resourceData.mode === "host" || resourceData.mode === "http") {
-                aliasAddress = await getNextAvailableAliasAddress(orgId, trx);
+                const { value, release } = await getNextAvailableAliasAddress(
+                    orgId,
+                    trx
+                );
+                aliasAddress = value;
+                releaseAliasLock = release;
            }

            let domainInfo:
@@ -415,10 +447,16 @@ export async function updateClientResources(
                            : resourceData["udp-ports"],
                    fullDomain: resourceData["full-domain"] || null,
                    subdomain: domainInfo ? domainInfo.subdomain : null,
-                    domainId: domainInfo ? domainInfo.domainId : null
+                    domainId: domainInfo ? domainInfo.domainId : null,
+                    pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+                    authDaemonMode:
+                        resourceData["auth-daemon"]?.mode || "native",
+                    authDaemonPort: resourceData["auth-daemon"]?.port || 22123
                })
                .returning();

+            await releaseAliasLock?.();
+
            const siteResourceId = newResource.siteResourceId;

            for (const site of allSites) {
@@ -444,8 +482,7 @@ export async function updateClientResources(
            });

            if (resourceData.roles.length > 0) {
-                // get roleIds from role names
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                    .select()
                    .from(roles)
                    .where(
@@ -455,7 +492,28 @@ export async function updateClientResources(
                        )
                    );

-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);

                await trx
                    .insert(roleSiteResources)
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -82,7 +82,7 @@ export const RuleSchema = z
    .object({
        action: z.enum(["allow", "deny", "pass"]),
        match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
-        value: z.string(),
+        value: z.coerce.string(),
        priority: z.int().optional()
    })
    .refine(
@@ -161,11 +161,34 @@ export const HeaderSchema = z.object({
    value: z.string().min(1)
 });

+export const AuthDaemonSchema = z
+    .object({
+        pam: z.enum(["passthrough", "push"]).optional().default("passthrough"),
+        mode: z.enum(["site", "remote", "native"]).optional().default("site"),
+        port: z.int().min(1).max(65535).optional()
+    })
+    .refine(
+        (data) => {
+            if (data.mode === "remote") {
+                return data.port !== undefined;
+            }
+            return true;
+        },
+        {
+            path: ["port"],
+            message: "port is required when auth-daemon mode is 'remote'"
+        }
+    );
+
 // Schema for individual resource
-export const ResourceSchema = z
+export const PublicResourceSchema = z
    .object({
        name: z.string().optional(),
-        protocol: z.enum(["http", "tcp", "udp"]).optional(),
+        protocol: z
+            .enum(["http", "tcp", "udp", "ssh", "rdp", "vnc"])
+            .optional(), // this was the old one and is now DEPRECATED in favor of the mode
+        mode: z.enum(["http", "tcp", "udp", "ssh", "rdp", "vnc"]).optional(),
+        policy: z.string().optional(),
        ssl: z.boolean().optional(),
        scheme: z.enum(["http", "https"]).optional(),
        "full-domain": z.string().optional(),
@@ -177,7 +200,10 @@ export const ResourceSchema = z
        "tls-server-name": z.string().optional(),
        headers: z.array(HeaderSchema).optional(),
        rules: z.array(RuleSchema).optional(),
-        maintenance: MaintenanceSchema.optional()
+        maintenance: MaintenanceSchema.optional(),
+        "auth-daemon": AuthDaemonSchema.optional(),
+        "proxy-protocol": z.boolean().optional(),
+        "proxy-protocol-version": z.int().min(1).optional()
    })
    .refine(
        (resource) => {
@@ -185,9 +211,10 @@ export const ResourceSchema = z
                return true;
            }

-            // Otherwise, require name and protocol for full resource definition
+            // Otherwise, require name and protocol/mode for full resource definition
            return (
-                resource.name !== undefined && resource.protocol !== undefined
+                resource.name !== undefined &&
+                (resource.mode !== undefined || resource.protocol !== undefined)
            );
        },
        {
@@ -201,8 +228,8 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is http, all targets must have method field
-            if (resource.protocol === "http") {
+            // If protocol/mode is http, all targets must have method field
+            if ((resource.mode ?? resource.protocol) === "http") {
                return resource.targets.every(
                    (target) => target == null || target.method !== undefined
                );
@@ -220,8 +247,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, no target should have method field
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, no target should have method field
+            const effectiveProtocol1 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol1 === "tcp" || effectiveProtocol1 === "udp") {
                return resource.targets.every(
                    (target) => target == null || target.method === undefined
                );
@@ -239,8 +267,8 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is http, it must have a full-domain
-            if (resource.protocol === "http") {
+            // If protocol/mode is http, it must have a full-domain
+            if ((resource.mode ?? resource.protocol) === "http") {
                return (
                    resource["full-domain"] !== undefined &&
                    resource["full-domain"].length > 0
@@ -259,8 +287,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, it must have both proxy-port
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, it must have both proxy-port
+            const effectiveProtocol2 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol2 === "tcp" || effectiveProtocol2 === "udp") {
                return resource["proxy-port"] !== undefined;
            }
            return true;
@@ -277,8 +306,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, it must not have auth
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, it must not have auth
+            const effectiveProtocol3 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol3 === "tcp" || effectiveProtocol3 === "udp") {
                return resource.auth === undefined;
            }
            return true;
@@ -340,7 +370,8 @@ export const ResourceSchema = z
            if (parts.includes("*", 1)) return false; // no further wildcards
            if (parts.length < 3) return false; // need at least *.label.tld

-            const labelRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
+            const labelRegex =
+                /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
            return parts.slice(1).every((label) => labelRegex.test(label));
        },
        {
@@ -348,22 +379,46 @@ export const ResourceSchema = z
            message:
                'Wildcard full-domain must have "*" as the leftmost label only, followed by at least two valid hostname labels (e.g. "*.example.com" or "*.level1.example.com"). Patterns like "*example.com" or "level2.*.example.com" are not supported.'
        }
-    );
+    )
+    .refine(
+        (resource) => {
+            const effectiveMode = resource.mode ?? resource.protocol;
+            if (effectiveMode !== "tcp") {
+                return (
+                    resource["proxy-protocol"] === undefined &&
+                    resource["proxy-protocol-version"] === undefined
+                );
+            }
+            return true;
+        },
+        {
+            path: ["proxy-protocol"],
+            message:
+                "'proxy-protocol' and 'proxy-protocol-version' can only be set when mode is 'tcp'"
+        }
+    )
+    .transform((resource) => {
+        // Normalize: prefer mode, fall back to protocol for backwards compatibility
+        if (resource.mode === undefined && resource.protocol !== undefined) {
+            resource.mode = resource.protocol;
+        }
+        return resource;
+    });

 export function isTargetsOnlyResource(resource: any): boolean {
    return Object.keys(resource).length === 1 && resource.targets;
 }

-export const ClientResourceSchema = z
+export const PrivateResourceSchema = z
    .object({
        name: z.string().min(1).max(255),
-        mode: z.enum(["host", "cidr", "http"]),
+        mode: z.enum(["host", "cidr", "http", "ssh"]),
        site: z.string().optional(), // DEPRECATED IN FAVOR OF sites
        sites: z.array(z.string()).optional().default([]),
        // protocol: z.enum(["tcp", "udp"]).optional(),
        // proxyPort: z.int().positive().optional(),
        "destination-port": z.int().positive().optional(),
-        destination: z.string().min(1),
+        destination: z.string().min(1).optional(),
        // enabled: z.boolean().default(true),
        "tcp-ports": portRangeStringSchema.optional().default("*"),
        "udp-ports": portRangeStringSchema.optional().default("*"),
@@ -386,11 +441,31 @@ export const ClientResourceSchema = z
                error: "Admin role cannot be included in roles"
            }),
        users: z.array(z.string()).optional().default([]),
-        machines: z.array(z.string()).optional().default([])
+        machines: z.array(z.string()).optional().default([]),
+        "auth-daemon": AuthDaemonSchema.optional()
    })
+    .refine(
+        (data) => {
+            // destination is optional only for ssh+native; required for everything else
+            const isNativeSSH =
+                data.mode === "ssh" &&
+                (data["auth-daemon"] === undefined ||
+                    data["auth-daemon"].mode === "native");
+            if (!isNativeSSH && !data.destination) {
+                return false;
+            }
+            return true;
+        },
+        {
+            path: ["destination"],
+            message:
+                "destination is required unless mode is 'ssh' with auth-daemon mode 'native'"
+        }
+    )
    .refine(
        (data) => {
            if (data.mode === "host") {
+                if (!data.destination) return true; // caught by the destination-required refine
                // Check if it's a valid IP address using zod (v4 or v6)
                const isValidIP = z
                    .union([z.ipv4(), z.ipv6()])
@@ -418,6 +493,7 @@ export const ClientResourceSchema = z
    .refine(
        (data) => {
            if (data.mode === "cidr") {
+                if (!data.destination) return true; // caught by the destination-required refine
                // Check if it's a valid CIDR (v4 or v6)
                const isValidCIDR = z
                    .union([z.cidrv4(), z.cidrv6()])
@@ -435,19 +511,19 @@ export const ClientResourceSchema = z
 export const ConfigSchema = z
    .object({
        "proxy-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
            .optional()
            .prefault({}),
        "public-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
            .optional()
            .prefault({}),
        "client-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
            .optional()
            .prefault({}),
        "private-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
            .optional()
            .prefault({}),
        sites: z.record(z.string(), SiteSchema).optional().prefault({})
@@ -472,10 +548,13 @@ export const ConfigSchema = z
        }

        return data as {
-            "proxy-resources": Record<string, z.infer<typeof ResourceSchema>>;
+            "proxy-resources": Record<
+                string,
+                z.infer<typeof PublicResourceSchema>
+            >;
            "client-resources": Record<
                string,
-                z.infer<typeof ClientResourceSchema>
+                z.infer<typeof PrivateResourceSchema>
            >;
            sites: Record<string, z.infer<typeof SiteSchema>>;
        };
@@ -614,5 +693,5 @@ export const ConfigSchema = z
 // Type inference from the schema
 export type Site = z.infer<typeof SiteSchema>;
 export type Target = z.infer<typeof TargetSchema>;
-export type Resource = z.infer<typeof ResourceSchema>;
+export type Resource = z.infer<typeof PublicResourceSchema>;
 export type Config = z.infer<typeof ConfigSchema>;
--- a/server/lib/cache.ts
+++ b/server/lib/cache.ts
@@ -154,8 +154,19 @@ class AdaptiveCache {
    keys(): string[] {
        return localCache.keys();
    }
+
+    /**
+     * Get keys with a specific prefix
+     * @param prefix - Key prefix to match
+     * @returns Array of matching keys
+     */
+    async keysWithPrefix(prefix: string): Promise<string[]> {
+        const allKeys = localCache.keys();
+        return allKeys.filter((key) => key.startsWith(prefix));
+    }
 }

 // Export singleton instance
 export const cache = new AdaptiveCache();
+export const regionalCache = cache; // Alias for compatability with the private version
 export default cache;
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -25,9 +25,9 @@ import { tierMatrix } from "./billing/tierMatrix";

 export async function calculateUserClientsForOrgs(
    userId: string,
-    trx?: Transaction
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    const execute = async (transaction: Transaction) => {
+    const execute = async (transaction: Transaction | typeof db) => {
        const orgCache = new Map<string, typeof orgs.$inferSelect | null>();
        const adminRoleCache = new Map<
            string,
@@ -331,16 +331,8 @@ export async function calculateUserClientsForOrgs(
                    ];

                // Get next available subnet
-                const newSubnet = await getNextAvailableClientSubnet(
-                    orgId,
-                    transaction
-                );
-                if (!newSubnet) {
-                    logger.warn(
-                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): no available subnet found`
-                    );
-                    continue;
-                }
+                const { value: newSubnet, release: releaseSubnetLock } =
+                    await getNextAvailableClientSubnet(orgId, transaction);

                const subnet = newSubnet.split("/")[0];
                const updatedSubnet = `${subnet}/${org.subnet.split("/")[1]}`;
@@ -370,6 +362,7 @@ export async function calculateUserClientsForOrgs(
                    .insert(clients)
                    .values(newClientData)
                    .returning();
+                await releaseSubnetLock();
                existingClientCache.set(
                    getOrgOlmKey(orgId, olm.olmId),
                    newClient
@@ -437,7 +430,7 @@ export async function calculateUserClientsForOrgs(

 async function cleanupOrphanedClients(
    userId: string,
-    trx: Transaction,
+    trx: Transaction | typeof db,
    userOrgIds: string[] = []
 ): Promise<void> {
    // Find all OLM clients for this user that should be deleted
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.18.3";
+export const APP_VERSION = "1.19.0";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -327,127 +327,145 @@ export function doCidrsOverlap(cidr1: string, cidr2: string): boolean {
 export async function getNextAvailableClientSubnet(
    orgId: string,
    transaction: Transaction | typeof db = db
-): Promise<string> {
-    return await lockManager.withLock(
-        `client-subnet-allocation:${orgId}`,
-        async () => {
-            const [org] = await transaction
-                .select()
-                .from(orgs)
-                .where(eq(orgs.orgId, orgId));
+): Promise<{ value: string; release: () => Promise<void> }> {
+    const lockKey = `client-subnet-allocation:${orgId}`;
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);

-            if (!org) {
-                throw new Error(`Organization with ID ${orgId} not found`);
-            }
+    try {
+        const [org] = await transaction
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));

-            if (!org.subnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no subnet defined`
-                );
-            }
-
-            const existingAddressesSites = await transaction
-                .select({
-                    address: sites.address
-                })
-                .from(sites)
-                .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));
-
-            const existingAddressesClients = await transaction
-                .select({
-                    address: clients.subnet
-                })
-                .from(clients)
-                .where(
-                    and(isNotNull(clients.subnet), eq(clients.orgId, orgId))
-                );
-
-            const addresses = [
-                ...existingAddressesSites.map(
-                    (site) => `${site.address?.split("/")[0]}/32`
-                ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
-                ...existingAddressesClients.map(
-                    (client) => `${client.address.split("/")}/32`
-                )
-            ].filter((address) => address !== null) as string[];
-
-            const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
-            if (!subnet) {
-                throw new Error("No available subnets remaining in space");
-            }
-
-            return subnet;
+        if (!org) {
+            throw new Error(`Organization with ID ${orgId} not found`);
        }
-    );
+
+        if (!org.subnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no subnet defined`
+            );
+        }
+
+        const existingAddressesSites = await transaction
+            .select({
+                address: sites.address
+            })
+            .from(sites)
+            .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));
+
+        const existingAddressesClients = await transaction
+            .select({
+                address: clients.subnet
+            })
+            .from(clients)
+            .where(and(isNotNull(clients.subnet), eq(clients.orgId, orgId)));
+
+        const addresses = [
+            ...existingAddressesSites.map(
+                (site) => `${site.address?.split("/")[0]}/32`
+            ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
+            ...existingAddressesClients.map(
+                (client) => `${client.address.split("/")[0]}/32`
+            )
+        ].filter((address) => address !== null) as string[];
+
+        const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
+        if (!subnet) {
+            throw new Error("No available subnets remaining in space");
+        }
+
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

 export async function getNextAvailableAliasAddress(
    orgId: string,
    trx: Transaction | typeof db = db
-): Promise<string> {
-    return await lockManager.withLock(
-        `alias-address-allocation:${orgId}`,
-        async () => {
-            const [org] = await trx
-                .select()
-                .from(orgs)
-                .where(eq(orgs.orgId, orgId));
+): Promise<{ value: string; release: () => Promise<void> }> {
+    const lockKey = `alias-address-allocation:${orgId}`;
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);

-            if (!org) {
-                throw new Error(`Organization with ID ${orgId} not found`);
-            }
+    try {
+        const [org] = await trx
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));

-            if (!org.subnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no subnet defined`
-                );
-            }
-
-            if (!org.utilitySubnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no utility subnet defined`
-                );
-            }
-
-            const existingAddresses = await trx
-                .select({
-                    aliasAddress: siteResources.aliasAddress
-                })
-                .from(siteResources)
-                .where(
-                    and(
-                        isNotNull(siteResources.aliasAddress),
-                        eq(siteResources.orgId, orgId)
-                    )
-                );
-
-            const addresses = [
-                ...existingAddresses.map(
-                    (site) => `${site.aliasAddress?.split("/")[0]}/32`
-                ),
-                // reserve a /29 for the dns server and other stuff
-                `${org.utilitySubnet.split("/")[0]}/29`
-            ].filter((address) => address !== null) as string[];
-
-            let subnet = findNextAvailableCidr(
-                addresses,
-                32,
-                org.utilitySubnet
-            );
-            if (!subnet) {
-                throw new Error("No available subnets remaining in space");
-            }
-
-            // remove the cidr
-            subnet = subnet.split("/")[0];
-
-            return subnet;
+        if (!org) {
+            throw new Error(`Organization with ID ${orgId} not found`);
        }
-    );
+
+        if (!org.subnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no subnet defined`
+            );
+        }
+
+        if (!org.utilitySubnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no utility subnet defined`
+            );
+        }
+
+        const existingAddresses = await trx
+            .select({
+                aliasAddress: siteResources.aliasAddress
+            })
+            .from(siteResources)
+            .where(
+                and(
+                    isNotNull(siteResources.aliasAddress),
+                    eq(siteResources.orgId, orgId)
+                )
+            );
+
+        const addresses = [
+            ...existingAddresses.map(
+                (site) => `${site.aliasAddress?.split("/")[0]}/32`
+            ),
+            // reserve a /29 for the dns server and other stuff
+            `${org.utilitySubnet.split("/")[0]}/29`
+        ].filter((address) => address !== null) as string[];
+
+        let subnet = findNextAvailableCidr(addresses, 32, org.utilitySubnet);
+        if (!subnet) {
+            throw new Error("No available subnets remaining in space");
+        }
+
+        // remove the cidr
+        subnet = subnet.split("/")[0];
+
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

-export async function getNextAvailableOrgSubnet(): Promise<string> {
-    return await lockManager.withLock("org-subnet-allocation", async () => {
+export async function getNextAvailableOrgSubnet(): Promise<{
+    value: string;
+    release: () => Promise<void>;
+}> {
+    const lockKey = "org-subnet-allocation";
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);
+
+    try {
        const existingAddresses = await db
            .select({
                subnet: orgs.subnet
@@ -466,8 +484,11 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {
            throw new Error("No available subnets remaining in space");
        }

-        return subnet;
-    });
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

 export function generateRemoteSubnets(
@@ -475,6 +496,8 @@ export function generateRemoteSubnets(
 ): string[] {
    const remoteSubnets = allSiteResources
        .filter((sr) => {
+            if (!sr.destination) return false;
+
            if (sr.mode === "cidr") {
                // check if its a valid CIDR using zod
                const cidrSchema = z.union([z.cidrv4(), z.cidrv6()]);
@@ -496,7 +519,7 @@ export function generateRemoteSubnets(
            }
            return ""; // This should never be reached due to filtering, but satisfies TypeScript
        })
-        .filter((subnet) => subnet !== ""); // Remove empty strings just to be safe
+        .filter((subnet): subnet is string => subnet !== "" && subnet !== null); // Remove invalid values just to be safe
    // remove duplicates
    return Array.from(new Set(remoteSubnets));
 }
@@ -581,7 +604,7 @@ export function generateSubnetProxyTargets(
                targets.push({
                    sourcePrefix: clientPrefix,
                    destPrefix: `${siteResource.aliasAddress}/32`,
-                    rewriteTo: destination,
+                    rewriteTo: destination!,
                    portRange,
                    disableIcmp
                });
@@ -589,7 +612,7 @@ export function generateSubnetProxyTargets(
        } else if (siteResource.mode == "cidr") {
            targets.push({
                sourcePrefix: clientPrefix,
-                destPrefix: siteResource.destination,
+                destPrefix: siteResource.destination!,
                portRange,
                disableIcmp
            });
@@ -671,7 +694,7 @@ export async function generateSubnetProxyTargetV2(
            targets.push({
                sourcePrefixes: [],
                destPrefix: `${siteResource.aliasAddress}/32`,
-                rewriteTo: destination,
+                rewriteTo: destination!,
                portRange,
                disableIcmp,
                resourceId: siteResource.siteResourceId
@@ -680,7 +703,7 @@ export async function generateSubnetProxyTargetV2(
    } else if (siteResource.mode == "cidr") {
        targets.push({
            sourcePrefixes: [],
-            destPrefix: siteResource.destination,
+            destPrefix: siteResource.destination!,
            portRange,
            disableIcmp,
            resourceId: siteResource.siteResourceId
@@ -738,7 +761,7 @@ export async function generateSubnetProxyTargetV2(
            protocol: siteResource.ssl ? "https" : "http",
            httpTargets: [
                {
-                    destAddr: siteResource.destination,
+                    destAddr: siteResource.destination!,
                    destPort: siteResource.destinationPort,
                    scheme: siteResource.scheme
                }
@@ -873,7 +896,13 @@ export const portRangeStringSchema = z
            message:
                'Port range must be "*" for all ports, or a comma-separated list of ports and ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535, and ranges must have start <= end.'
        }
-    );
+    )
+    .openapi({
+        type: "string",
+        description:
+            'Port range string. Use "*" for all ports, a comma-separated list of ports, or ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535.',
+        example: "80,443,8000-9000"
+    });

 /**
 * Parses a port range string into an array of port range objects
--- a/server/lib/openapi/createApiResponseSchema.ts
+++ b/server/lib/openapi/createApiResponseSchema.ts
@@ -0,0 +1,11 @@
+import { z } from "zod";
+
+export function createApiResponseSchema<T extends z.ZodTypeAny>(dataSchema: T) {
+    return z.object({
+        data: dataSchema.nullable(),
+        success: z.boolean(),
+        error: z.boolean(),
+        message: z.string(),
+        status: z.number()
+    });
+}
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -18,11 +18,9 @@ import {
    userOrgRoles,
    userSiteResources
 } from "@server/db";
-import { and, eq, inArray, ne } from "drizzle-orm";
+import { and, count, eq, inArray, ne } from "drizzle-orm";

-import {
-    deletePeer as newtDeletePeer
-} from "@server/routers/newt/peers";
+import { deletePeer as newtDeletePeer } from "@server/routers/newt/peers";
 import {
    initPeerAddHandshake,
    deletePeer as olmDeletePeer
@@ -33,7 +31,7 @@ import {
    generateAliasConfig,
    generateRemoteSubnets,
    generateSubnetProxyTargetV2,
-    parseEndpoint,
+    parseEndpoint
 } from "@server/lib/ip";
 import {
    addPeerData,
@@ -41,6 +39,11 @@ import {
    removePeerData,
    removeTargets as removeSubnetProxyTargets
 } from "@server/routers/client/targets";
+import { lockManager } from "#dynamic/lib/lock";
+
+// TTL for rebuild-association locks. These functions can fan out into many
+// peer/proxy updates, so give them a generous window.
+const REBUILD_ASSOCIATIONS_LOCK_TTL_MS = 120000;

 export async function getClientSiteResourceAccess(
    siteResource: SiteResource,
@@ -51,10 +54,7 @@ export async function getClientSiteResourceAccess(
        ? await trx
              .select()
              .from(sites)
-              .innerJoin(
-                  siteNetworks,
-                  eq(siteNetworks.siteId, sites.siteId)
-              )
+              .innerJoin(siteNetworks, eq(siteNetworks.siteId, sites.siteId))
              .where(eq(siteNetworks.networkId, siteResource.networkId))
              .then((rows) => rows.map((row) => row.sites))
        : [];
@@ -166,6 +166,23 @@ export async function rebuildClientAssociationsFromSiteResource(
        pubKey: string | null;
        subnet: string | null;
    }[];
+}> {
+    return await lockManager.withLock(
+        `rebuild-client-associations:site-resource:${siteResource.siteResourceId}`,
+        () => rebuildClientAssociationsFromSiteResourceImpl(siteResource, trx),
+        REBUILD_ASSOCIATIONS_LOCK_TTL_MS
+    );
+}
+
+async function rebuildClientAssociationsFromSiteResourceImpl(
+    siteResource: SiteResource,
+    trx: Transaction | typeof db = db
+): Promise<{
+    mergedAllClients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[];
 }> {
    logger.debug(
        `rebuildClientAssociations: [rebuildClientAssociationsFromSiteResource] START siteResourceId=${siteResource.siteResourceId} networkId=${siteResource.networkId} orgId=${siteResource.orgId}`
@@ -362,7 +379,8 @@ export async function rebuildClientAssociationsFromSiteResource(
                      .where(inArray(clients.clientId, existingClientSiteIds))
                : [];

-        const otherResourceClientIds = clientsFromOtherResourcesBySite.get(siteId) ?? new Set<number>();
+        const otherResourceClientIds =
+            clientsFromOtherResourcesBySite.get(siteId) ?? new Set<number>();

        logger.debug(
            `rebuildClientAssociations: [rebuildClientAssociationsFromSiteResource] siteId=${siteId} otherResourceClientIds=[${[...otherResourceClientIds].join(", ")}] mergedAllClientIds=[${mergedAllClientIds.join(", ")}]`
@@ -543,6 +561,29 @@ async function handleMessagesForSiteClients(
        }
    }

+    // get the number of sites on each of these clients so we can log it and make decisions about whether to send messages based on it
+    const clientSiteCounts: Record<number, number> = {};
+    if (clientsToProcess.size > 0) {
+        const clientIdsToProcess = Array.from(clientsToProcess.keys());
+        const siteCounts = await trx
+            .select({
+                clientId: clientSitesAssociationsCache.clientId,
+                siteCount: count(clientSitesAssociationsCache.siteId)
+            })
+            .from(clientSitesAssociationsCache)
+            .where(
+                inArray(
+                    clientSitesAssociationsCache.clientId,
+                    clientIdsToProcess
+                )
+            )
+            .groupBy(clientSitesAssociationsCache.clientId);
+
+        for (const row of siteCounts) {
+            clientSiteCounts[row.clientId] = Number(row.siteCount);
+        }
+    }
+
    for (const client of clientsToProcess.values()) {
        // UPDATE THE NEWT
        if (!client.subnet || !client.pubKey) {
@@ -586,7 +627,14 @@ async function handleMessagesForSiteClients(
        }

        if (isAdd) {
-            // TODO: if we are in jit mode here should we really be sending this?
+            if (clientSiteCounts[client.clientId] > 250) {
+                // skip adding the peer if we have more than 250 sites because we are in jit mode anyway
+                logger.info(
+                    `rebuildClientAssociations: Client ${client.clientId} has ${clientSiteCounts[client.clientId]} sites so skipping adding peer to newt and olm because it is likely in jit mode`
+                );
+                continue;
+            }
+
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -604,9 +652,24 @@ async function handleMessagesForSiteClients(
        exitNodeJobs.push(updateClientSiteDestinations(client, trx));
    }

-    await Promise.all(exitNodeJobs);
-    await Promise.all(newtJobs); // do the servers first to make sure they are ready?
-    await Promise.all(olmJobs);
+    Promise.all(exitNodeJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating client site destinations for site ${site.siteId}:`,
+            error
+        );
+    });
+    Promise.all(newtJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Newt peers for site ${site.siteId}:`,
+            error
+        );
+    });
+    Promise.all(olmJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Olm peers for site ${site.siteId}:`,
+            error
+        );
+    });
 }

 interface PeerDestination {
@@ -709,7 +772,7 @@ export async function updateClientSiteDestinations(
            sourcePort: destination.sourcePort,
            destinations: destination.destinations
        };
-        logger.info(
+        logger.debug(
            `Payload for update-destinations: ${JSON.stringify(payload, null, 2)}`
        );

@@ -827,6 +890,9 @@ async function handleSubnetProxyTargetUpdates(
                }

                for (const client of removedClients) {
+                    if (!siteResource.destination) {
+                        continue;
+                    }
                    // Check if this client still has access to another resource
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
@@ -889,6 +955,17 @@ async function handleSubnetProxyTargetUpdates(
 export async function rebuildClientAssociationsFromClient(
    client: Client,
    trx: Transaction | typeof db = db
+): Promise<void> {
+    return await lockManager.withLock(
+        `rebuild-client-associations:client:${client.clientId}`,
+        () => rebuildClientAssociationsFromClientImpl(client, trx),
+        REBUILD_ASSOCIATIONS_LOCK_TTL_MS
+    );
+}
+
+async function rebuildClientAssociationsFromClientImpl(
+    client: Client,
+    trx: Transaction | typeof db = db
 ): Promise<void> {
    let newSiteResourceIds: number[] = [];

@@ -1161,6 +1238,12 @@ async function handleMessagesForClientSites(
    const olmJobs: Promise<any>[] = [];
    const exitNodeJobs: Promise<any>[] = [];

+    const totalSitesOnClient = await trx
+        .select({ count: count(clientSitesAssociationsCache.siteId) })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId))
+        .then((rows) => Number(rows[0].count));
+
    for (const siteData of sitesData) {
        const site = siteData.sites;
        const exitNode = siteData.exitNodes;
@@ -1221,7 +1304,14 @@ async function handleMessagesForClientSites(
                continue;
            }

-            // TODO: if we are in jit mode here should we really be sending this?
+            if (totalSitesOnClient > 250) {
+                // skip adding the site if we have more than 250 because we are in jit mode anyway
+                logger.info(
+                    `rebuildClientAssociations: Client ${client.clientId} has ${totalSitesOnClient} sites so skipping adding peer to newt and olm because it is likely in jit mode`
+                );
+                continue;
+            }
+
            await initPeerAddHandshake(
                // this will kick off the add peer process for the client
                client.clientId,
@@ -1249,9 +1339,24 @@ async function handleMessagesForClientSites(
        );
    }

-    await Promise.all(exitNodeJobs);
-    await Promise.all(newtJobs);
-    await Promise.all(olmJobs);
+    Promise.all(exitNodeJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating client site destinations for client ${client.clientId}:`,
+            error
+        );
+    });
+    Promise.all(newtJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Newt peers for client ${client.clientId}:`,
+            error
+        );
+    });
+    Promise.all(olmJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Olm peers for client ${client.clientId}:`,
+            error
+        );
+    });
 }

 async function handleMessagesForClientResources(
@@ -1461,6 +1566,9 @@ async function handleMessagesForClientResources(
                }

                try {
+                    if (!resource.destination) {
+                        continue;
+                    }
                    // Check if this client still has access to another resource
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
@@ -1532,3 +1640,269 @@ async function handleMessagesForClientResources(

    await Promise.all([...proxyJobs, ...olmJobs]);
 }
+
+export type ClientAssociationsCacheVerification = {
+    clientId: number;
+    consistent: boolean;
+    // What permissions say the cache should contain
+    expectedSiteResourceIds: number[];
+    expectedSiteIds: number[];
+    // What the cache currently contains
+    actualSiteResourceIds: number[];
+    actualSiteIds: number[];
+    // Diff
+    missingSiteResourceIds: number[]; // present in expected, missing from cache
+    extraSiteResourceIds: number[]; // present in cache, not in expected
+    missingSiteIds: number[];
+    extraSiteIds: number[];
+};
+
+// verifyClientAssociationsCache walks the same permission-derivation logic as
+// rebuildClientAssociationsFromClient but does NOT modify the database. It
+// returns the expected vs actual cache contents and a boolean indicating
+// whether the cache is in sync with what permissions imply.
+export async function verifyClientAssociationsCache(
+    client: Client,
+    trx: Transaction | typeof db = db
+): Promise<ClientAssociationsCacheVerification> {
+    let newSiteResourceIds: number[] = [];
+
+    // 1. Direct client associations
+    const directSiteResources = await trx
+        .select({ siteResourceId: clientSiteResources.siteResourceId })
+        .from(clientSiteResources)
+        .innerJoin(
+            siteResources,
+            eq(siteResources.siteResourceId, clientSiteResources.siteResourceId)
+        )
+        .where(
+            and(
+                eq(clientSiteResources.clientId, client.clientId),
+                eq(siteResources.orgId, client.orgId)
+            )
+        );
+
+    newSiteResourceIds.push(
+        ...directSiteResources.map((r) => r.siteResourceId)
+    );
+
+    // 2. User-based and role-based access (if client has a userId)
+    if (client.userId) {
+        const userSiteResourceIds = await trx
+            .select({ siteResourceId: userSiteResources.siteResourceId })
+            .from(userSiteResources)
+            .innerJoin(
+                siteResources,
+                eq(
+                    siteResources.siteResourceId,
+                    userSiteResources.siteResourceId
+                )
+            )
+            .where(
+                and(
+                    eq(userSiteResources.userId, client.userId),
+                    eq(siteResources.orgId, client.orgId)
+                )
+            );
+
+        newSiteResourceIds.push(
+            ...userSiteResourceIds.map((r) => r.siteResourceId)
+        );
+
+        const roleIds = await trx
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, client.userId),
+                    eq(userOrgRoles.orgId, client.orgId)
+                )
+            )
+            .then((rows) => rows.map((row) => row.roleId));
+
+        if (roleIds.length > 0) {
+            const roleSiteResourceIds = await trx
+                .select({ siteResourceId: roleSiteResources.siteResourceId })
+                .from(roleSiteResources)
+                .innerJoin(
+                    siteResources,
+                    eq(
+                        siteResources.siteResourceId,
+                        roleSiteResources.siteResourceId
+                    )
+                )
+                .where(
+                    and(
+                        inArray(roleSiteResources.roleId, roleIds),
+                        eq(siteResources.orgId, client.orgId)
+                    )
+                );
+
+            newSiteResourceIds.push(
+                ...roleSiteResourceIds.map((r) => r.siteResourceId)
+            );
+        }
+    }
+
+    newSiteResourceIds = Array.from(new Set(newSiteResourceIds));
+
+    const newSiteResources =
+        newSiteResourceIds.length > 0
+            ? await trx
+                  .select()
+                  .from(siteResources)
+                  .where(
+                      inArray(siteResources.siteResourceId, newSiteResourceIds)
+                  )
+            : [];
+
+    const networkIds = Array.from(
+        new Set(
+            newSiteResources
+                .map((sr) => sr.networkId)
+                .filter((id): id is number => id !== null)
+        )
+    );
+    const newSiteIds =
+        networkIds.length > 0
+            ? await trx
+                  .select({ siteId: siteNetworks.siteId })
+                  .from(siteNetworks)
+                  .where(inArray(siteNetworks.networkId, networkIds))
+                  .then((rows) =>
+                      Array.from(new Set(rows.map((r) => r.siteId)))
+                  )
+            : [];
+
+    // Read the existing cache state
+    const existingResourceAssociations = await trx
+        .select({
+            siteResourceId: clientSiteResourcesAssociationsCache.siteResourceId
+        })
+        .from(clientSiteResourcesAssociationsCache)
+        .where(
+            eq(clientSiteResourcesAssociationsCache.clientId, client.clientId)
+        );
+    const existingSiteResourceIds = existingResourceAssociations.map(
+        (r) => r.siteResourceId
+    );
+
+    const existingSiteAssociations = await trx
+        .select({ siteId: clientSitesAssociationsCache.siteId })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
+    const existingSiteIds = existingSiteAssociations.map((s) => s.siteId);
+
+    const expectedSiteResourceSet = new Set(newSiteResourceIds);
+    const actualSiteResourceSet = new Set(existingSiteResourceIds);
+    const expectedSiteSet = new Set(newSiteIds);
+    const actualSiteSet = new Set(existingSiteIds);
+
+    const missingSiteResourceIds = newSiteResourceIds.filter(
+        (id) => !actualSiteResourceSet.has(id)
+    );
+    const extraSiteResourceIds = existingSiteResourceIds.filter(
+        (id) => !expectedSiteResourceSet.has(id)
+    );
+    const missingSiteIds = newSiteIds.filter((id) => !actualSiteSet.has(id));
+    const extraSiteIds = existingSiteIds.filter(
+        (id) => !expectedSiteSet.has(id)
+    );
+
+    const consistent =
+        missingSiteResourceIds.length === 0 &&
+        extraSiteResourceIds.length === 0 &&
+        missingSiteIds.length === 0 &&
+        extraSiteIds.length === 0;
+
+    return {
+        clientId: client.clientId,
+        consistent,
+        expectedSiteResourceIds: Array.from(expectedSiteResourceSet).sort(
+            (a, b) => a - b
+        ),
+        expectedSiteIds: Array.from(expectedSiteSet).sort((a, b) => a - b),
+        actualSiteResourceIds: Array.from(actualSiteResourceSet).sort(
+            (a, b) => a - b
+        ),
+        actualSiteIds: Array.from(actualSiteSet).sort((a, b) => a - b),
+        missingSiteResourceIds: missingSiteResourceIds.sort((a, b) => a - b),
+        extraSiteResourceIds: extraSiteResourceIds.sort((a, b) => a - b),
+        missingSiteIds: missingSiteIds.sort((a, b) => a - b),
+        extraSiteIds: extraSiteIds.sort((a, b) => a - b)
+    };
+}
+
+// cleanupSiteAssociations efficiently removes all client associations for a
+// site that is being deleted. Instead of calling
+// rebuildClientAssociationsFromSiteResource once per site resource (which is
+// O(resources) in DB round-trips and message fan-out), this function performs
+// a single bulk lookup of affected clients and site resources, deletes all
+// cache rows at once, and fires all peer/proxy removal messages in parallel.
+//
+// The caller is responsible for deleting the site row itself (and for sending
+// the newt/wg/terminate signal to the newt process).
+export async function cleanupSiteAssociations(
+    site: Site,
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    const siteId = site.siteId;
+
+    logger.debug(`cleanupSiteAssociations: START siteId=${siteId}`);
+
+    // 1. Find every client currently cached against this site.
+    const cachedSiteClientRows = await trx
+        .select({ clientId: clientSitesAssociationsCache.clientId })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+
+    const cachedClientIds = cachedSiteClientRows.map((r) => r.clientId);
+
+    // 2. Load full client details (needed for WireGuard public-key references).
+    const allClients =
+        cachedClientIds.length > 0
+            ? await trx
+                  .select({
+                      clientId: clients.clientId,
+                      pubKey: clients.pubKey,
+                      subnet: clients.subnet
+                  })
+                  .from(clients)
+                  .where(inArray(clients.clientId, cachedClientIds))
+            : [];
+
+    // 6. Bulk-delete all cache entries for this site.  Do this before sending
+    //    destination-update messages so updateClientSiteDestinations computes
+    //    the correct (post-deletion) set of destinations.
+    await trx
+        .delete(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+
+    logger.debug(
+        `cleanupSiteAssociations: siteId=${siteId} cache cleared. clients=${allClients.length}`
+    );
+
+    // 7. Fire all removal messages in parallel.
+    const jobs: Promise<any>[] = [];
+
+    for (const client of allClients) {
+        // Tell each olm to drop the site's WireGuard peer.
+        if (site.publicKey) {
+            jobs.push(olmDeletePeer(client.clientId, siteId, site.publicKey));
+        }
+
+        // Recompute and push updated relay destinations (now excluding this site).
+        if (client.pubKey && client.subnet) {
+            jobs.push(updateClientSiteDestinations(client, trx));
+        }
+    }
+
+    await Promise.all(jobs).catch((error) => {
+        logger.error(
+            `cleanupSiteAssociations: error sending cleanup messages for siteId=${siteId}:`,
+            error
+        );
+    });
+
+    logger.debug(`cleanupSiteAssociations: DONE siteId=${siteId}`);
+}
--- a/server/lib/requestParams.ts
+++ b/server/lib/requestParams.ts
@@ -0,0 +1,11 @@
+export function getFirstString(value: unknown): string | undefined {
+    if (typeof value === "string") {
+        return value;
+    }
+
+    if (Array.isArray(value) && typeof value[0] === "string") {
+        return value[0];
+    }
+
+    return undefined;
+}
--- a/server/lib/statusHistory.ts
+++ b/server/lib/statusHistory.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";
 import { db, logsDb, statusHistory } from "@server/db";
 import { and, eq, gte, asc } from "drizzle-orm";
-import cache from "@server/lib/cache";
+import { regionalCache as cache } from "#dynamic/lib/cache";

 const STATUS_HISTORY_CACHE_TTL = 60; // seconds

@@ -66,7 +66,7 @@ export async function invalidateStatusHistoryCache(
    entityId: number
 ): Promise<void> {
    const prefix = `statusHistory:${entityType}:${entityId}:`;
-    const keys = cache.keys().filter((k) => k.startsWith(prefix));
+    const keys = await cache.keysWithPrefix(prefix);
    if (keys.length > 0) {
        await cache.del(keys);
    }
@@ -124,7 +124,7 @@ export function computeBuckets(
    let totalDowntime = 0;

    for (let d = 0; d < days; d++) {
-        const dayStartSec = todayMidnightSec - (days - d) * 86400;
+        const dayStartSec = todayMidnightSec - (days - 1 - d) * 86400;
        const dayEndSec = dayStartSec + 86400;

        const dayEvents = events.filter(
--- a/server/lib/telemetry.ts
+++ b/server/lib/telemetry.ts
@@ -2,7 +2,14 @@ import { PostHog } from "posthog-node";
 import config from "./config";
 import { getHostMeta } from "./hostMeta";
 import logger from "@server/logger";
-import { alertRules, apiKeys, blueprints, db, roles, siteResources } from "@server/db";
+import {
+    alertRules,
+    apiKeys,
+    blueprints,
+    db,
+    roles,
+    siteResources
+} from "@server/db";
 import { sites, users, orgs, resources, clients, idp } from "@server/db";
 import { eq, count, notInArray, and, isNotNull, isNull } from "drizzle-orm";
 import { APP_VERSION } from "./consts";
@@ -143,8 +150,7 @@ class TelemetryClient {
                .select({
                    name: resources.name,
                    sso: resources.sso,
-                    protocol: resources.protocol,
-                    http: resources.http
+                    mode: resources.mode
                })
                .from(resources);

@@ -311,7 +317,7 @@ class TelemetryClient {
                        (r) => r.sso
                    ).length,
                    num_resources_non_http: stats.resources.filter(
-                        (r) => !r.http
+                        (r) => r.mode !== "http"
                    ).length,
                    num_newt_sites: stats.sites.filter((s) => s.type === "newt")
                        .length,
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -520,7 +520,8 @@ export class TraefikConfigManager {
                build != "oss", // generate the login pages on the cloud and hybrid,
                build == "saas"
                    ? false
-                    : config.getRawConfig().traefik.allow_raw_resources // dont allow raw resources on saas otherwise use config
+                    : config.getRawConfig().traefik.allow_raw_resources, // dont allow raw resources on saas otherwise use config
+                build != "oss" // generate browser gateway targets on cloud and enterprise
            );

            const domains = new Set<string>();
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -55,9 +55,7 @@ export async function getTraefikConfig(
            resourceName: resources.name,
            fullDomain: resources.fullDomain,
            ssl: resources.ssl,
-            http: resources.http,
            proxyPort: resources.proxyPort,
-            protocol: resources.protocol,
            subdomain: resources.subdomain,
            domainId: resources.domainId,
            enabled: resources.enabled,
@@ -68,6 +66,7 @@ export async function getTraefikConfig(
            headers: resources.headers,
            proxyProtocol: resources.proxyProtocol,
            proxyProtocolVersion: resources.proxyProtocolVersion,
+            mode: resources.mode,

            // Target fields
            targetId: targets.targetId,
@@ -115,8 +114,8 @@ export async function getTraefikConfig(
                ),
                inArray(sites.type, siteTypes),
                allowRawResources
-                    ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
-                    : eq(resources.http, true)
+                    ? inArray(resources.mode, ["http", "udp", "tcp"]) // allow all three
+                    : eq(resources.mode, "http")
            )
        )
        .orderBy(desc(targets.priority), targets.targetId); // stable ordering
@@ -166,9 +165,8 @@ export async function getTraefikConfig(
                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
-                http: row.http,
+                mode: row.mode,
                proxyPort: row.proxyPort,
-                protocol: row.protocol,
                subdomain: row.subdomain,
                domainId: row.domainId,
                enabled: row.enabled,
@@ -580,7 +578,7 @@ export async function getTraefikConfig(
                continue;
            }

-            const protocol = resource.protocol.toLowerCase();
+            const protocol = resource.mode === "udp" ? "udp" : "tcp"; // all of the other ones are tcp
            const port = resource.proxyPort;

            if (!port) {
--- a/server/lib/validators.test.ts
+++ b/server/lib/validators.test.ts
@@ -244,4 +244,5 @@ try {
    runTests();
 } catch (error) {
    console.error("Test failed:", error);
+    process.exit(1);
 }
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -28,7 +28,9 @@ export * from "./verifyApiKeyAccess";
 export * from "./verifySiteProvisioningKeyAccess";
 export * from "./verifyDomainAccess";
 export * from "./verifyUserIsOrgOwner";
+export * from "./verifyUserFromResourceSession";
 export * from "./verifySiteResourceAccess";
 export * from "./logActionAudit";
 export * from "./verifyOlmAccess";
 export * from "./verifyLimits";
+export * from "./verifyResourcePolicyAccess";
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -16,3 +16,4 @@ export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
 export * from "./verifyApiKeyIdpAccess";
 export * from "./verifyApiKeyDomainAccess";
+export * from "./verifyApiKeyResourcePolicyAccess";
--- a/server/middlewares/integration/verifyAccessTokenAccess.ts
+++ b/server/middlewares/integration/verifyAccessTokenAccess.ts
@@ -4,6 +4,7 @@ import { resourceAccessToken, resources, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyAccessTokenAccess(
    req: Request,
@@ -12,7 +13,7 @@ export async function verifyApiKeyAccessTokenAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const accessTokenId = req.params.accessTokenId;
+        const accessTokenId = getFirstString(req.params.accessTokenId);

        if (!apiKey) {
            return next(
@@ -20,6 +21,12 @@ export async function verifyApiKeyAccessTokenAccess(
            );
        }

+        if (!accessTokenId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid access token ID")
+            );
+        }
+
        const [accessToken] = await db
            .select()
            .from(resourceAccessToken)
--- a/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyApiKeyAccess.ts
@@ -4,6 +4,7 @@ import { apiKeys, apiKeyOrg } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyApiKeyAccess(
    req: Request,
@@ -14,8 +15,10 @@ export async function verifyApiKeyApiKeyAccess(
        const { apiKey: callerApiKey } = req;

        const apiKeyId =
-            req.params.apiKeyId || req.body.apiKeyId || req.query.apiKeyId;
-        const orgId = req.params.orgId;
+            getFirstString(req.params.apiKeyId) ||
+            getFirstString(req.body.apiKeyId) ||
+            getFirstString(req.query.apiKeyId);
+        const orgId = getFirstString(req.params.orgId);

        if (!callerApiKey) {
            return next(
--- a/server/middlewares/integration/verifyApiKeyDomainAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyDomainAccess.ts
@@ -3,6 +3,7 @@ import { db, domains, orgDomains, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyDomainAccess(
    req: Request,
@@ -12,8 +13,10 @@ export async function verifyApiKeyDomainAccess(
    try {
        const apiKey = req.apiKey;
        const domainId =
-            req.params.domainId || req.body.domainId || req.query.domainId;
-        const orgId = req.params.orgId;
+            getFirstString(req.params.domainId) ||
+            getFirstString(req.body.domainId) ||
+            getFirstString(req.query.domainId);
+        const orgId = getFirstString(req.params.orgId);

        if (!apiKey) {
            return next(
@@ -27,6 +30,12 @@ export async function verifyApiKeyDomainAccess(
            );
        }

+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
        if (apiKey.isRoot) {
            // Root keys can access any domain in any org
            return next();
--- a/server/middlewares/integration/verifyApiKeyIdpAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyIdpAccess.ts
@@ -4,6 +4,7 @@ import { idp, idpOrg, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyIdpAccess(
    req: Request,
@@ -12,8 +13,12 @@ export async function verifyApiKeyIdpAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
-        const orgId = req.params.orgId;
+        const idpIdRaw =
+            getFirstString(req.params.idpId) ||
+            getFirstString(req.body.idpId) ||
+            getFirstString(req.query.idpId);
+        const idpId = Number.parseInt(idpIdRaw ?? "", 10);
+        const orgId = getFirstString(req.params.orgId);

        if (!apiKey) {
            return next(
@@ -27,7 +32,7 @@ export async function verifyApiKeyIdpAccess(
            );
        }

-        if (!idpId) {
+        if (Number.isNaN(idpId)) {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
            );
--- a/server/middlewares/integration/verifyApiKeyOrgAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyOrgAccess.ts
@@ -4,6 +4,7 @@ import { apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyOrgAccess(
    req: Request,
@@ -12,7 +13,7 @@ export async function verifyApiKeyOrgAccess(
 ) {
    try {
        const apiKeyId = req.apiKey?.apiKeyId;
-        const orgId = req.params.orgId;
+        const orgId = getFirstString(req.params.orgId);

        if (!apiKeyId) {
            return next(
@@ -45,7 +46,7 @@ export async function verifyApiKeyOrgAccess(
        }

        if (!req.apiKeyOrg) {
-            next(
+            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "Key does not have access to this organization"
--- a/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
@@ -0,0 +1,92 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, apiKeyOrg } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const apiKey = req.apiKey;
+    const resourcePolicyId =
+        req.params.resourcePolicyId ||
+        req.body.resourcePolicyId ||
+        req.query.resourcePolicyId;
+
+    if (!apiKey) {
+        return next(
+            createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+        );
+    }
+
+    try {
+        // Retrieve the resource policy
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .limit(1);
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyId} not found`
+                )
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any resource policy in any org
+            return next();
+        }
+
+        if (!policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Resource policy with ID ${resourcePolicyId} does not have an organization ID`
+                )
+            );
+        }
+
+        // Verify that the API key is linked to the resource policy's organization
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgResult = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+
+            if (apiKeyOrgResult.length > 0) {
+                req.apiKeyOrg = apiKeyOrgResult[0];
+            }
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}
--- a/server/middlewares/integration/verifyApiKeySiteResourceAccess.ts
+++ b/server/middlewares/integration/verifyApiKeySiteResourceAccess.ts
@@ -4,6 +4,7 @@ import { siteResources, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeySiteResourceAccess(
    req: Request,
@@ -12,7 +13,8 @@ export async function verifyApiKeySiteResourceAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const siteResourceId = parseInt(req.params.siteResourceId);
+        const siteResourceIdRaw = getFirstString(req.params.siteResourceId);
+        const siteResourceId = Number.parseInt(siteResourceIdRaw ?? "", 10);

        if (!apiKey) {
            return next(
@@ -20,7 +22,7 @@ export async function verifyApiKeySiteResourceAccess(
            );
        }

-        if (!siteResourceId) {
+        if (Number.isNaN(siteResourceId)) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
--- a/server/middlewares/integration/verifyApiKeyTargetAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyTargetAccess.ts
@@ -4,6 +4,7 @@ import { resources, targets, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyTargetAccess(
    req: Request,
@@ -12,7 +13,8 @@ export async function verifyApiKeyTargetAccess(
 ) {
    try {
        const apiKey = req.apiKey;
-        const targetId = parseInt(req.params.targetId);
+        const targetIdRaw = getFirstString(req.params.targetId);
+        const targetId = Number.parseInt(targetIdRaw ?? "", 10);

        if (!apiKey) {
            return next(
@@ -20,7 +22,7 @@ export async function verifyApiKeyTargetAccess(
            );
        }

-        if (isNaN(targetId)) {
+        if (Number.isNaN(targetId)) {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid target ID")
            );
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -7,6 +7,7 @@ import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyAccessTokenAccess(
    req: Request,
@@ -14,7 +15,7 @@ export async function verifyAccessTokenAccess(
    next: NextFunction
 ) {
    const userId = req.user!.userId;
-    const accessTokenId = req.params.accessTokenId;
+    const accessTokenId = getFirstString(req.params.accessTokenId);

    if (!userId) {
        return next(
@@ -22,6 +23,12 @@ export async function verifyAccessTokenAccess(
        );
    }

+    if (!accessTokenId) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "Invalid access token ID")
+        );
+    }
+
    const [accessToken] = await db
        .select()
        .from(resourceAccessToken)
@@ -87,7 +94,7 @@ export async function verifyAccessTokenAccess(
        }

        if (!req.userOrg) {
-            next(
+            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyApiKeyAccess(
    req: Request,
@@ -14,9 +15,24 @@ export async function verifyApiKeyAccess(
 ) {
    try {
        const userId = req.user!.userId;
-        const apiKeyId =
-            req.params.apiKeyId || req.body.apiKeyId || req.query.apiKeyId;
-        const orgId = req.params.orgId;
+        const apiKeyIdFromParams = getFirstString(req.params?.apiKeyId);
+        const apiKeyIdFromBody = getFirstString(req.body?.apiKeyId);
+
+        if (
+            apiKeyIdFromParams &&
+            apiKeyIdFromBody &&
+            apiKeyIdFromParams !== apiKeyIdFromBody
+        ) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "API key ID provided in both URL and body with different values"
+                )
+            );
+        }
+
+        const apiKeyId = apiKeyIdFromParams || apiKeyIdFromBody;
+        const orgId = getFirstString(req.params.orgId);

        if (!userId) {
            return next(
@@ -104,10 +120,7 @@ export async function verifyApiKeyAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            orgId
-        );
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);

        return next();
    } catch (error) {
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyDomainAccess(
    req: Request,
@@ -14,9 +15,8 @@ export async function verifyDomainAccess(
 ) {
    try {
        const userId = req.user!.userId;
-        const domainId =
-            req.params.domainId;
-        const orgId = req.params.orgId;
+        const domainId = getFirstString(req.params.domainId);
+        const orgId = getFirstString(req.params.orgId);

        if (!userId) {
            return next(
@@ -62,10 +62,7 @@ export async function verifyDomainAccess(
                .select()
                .from(userOrgs)
                .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, orgId)
-                    )
+                    and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
                )
                .limit(1);
            req.userOrg = userOrgRole[0];
--- a/server/middlewares/verifyLimits.ts
+++ b/server/middlewares/verifyLimits.ts
@@ -3,6 +3,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { usageService } from "@server/lib/billing/usageService";
 import { build } from "@server/build";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyLimits(
    req: Request,
@@ -13,7 +14,10 @@ export async function verifyLimits(
        return next();
    }

-    const orgId = req.userOrgId || req.apiKeyOrg?.orgId || req.params.orgId;
+    const orgId =
+        req.userOrgId ||
+        req.apiKeyOrg?.orgId ||
+        getFirstString(req.params.orgId);

    if (!orgId) {
        return next(); // its fine if we silently fail here because this is not critical to operation or security and its better user experience if we dont fail
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyOrgAccess(
    req: Request,
@@ -13,7 +14,7 @@ export async function verifyOrgAccess(
    next: NextFunction
 ) {
    const userId = req.user!.userId;
-    const orgId = req.params.orgId;
+    const orgId = getFirstString(req.params.orgId);

    if (!userId) {
        return next(
--- a/server/middlewares/verifyResourcePolicyAccess.ts
+++ b/server/middlewares/verifyResourcePolicyAccess.ts
@@ -0,0 +1,127 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+
+export async function verifyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const userId = req.user!.userId;
+    const resourcePolicyIdStr =
+        req.params?.resourcePolicyId ||
+        req.body?.resourcePolicyId ||
+        req.query?.resourcePolicyId;
+    const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
+    const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
+
+    try {
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
+            );
+        }
+
+        let policy: typeof resourcePolicies.$inferSelect | null = null;
+
+        if (orgId && niceId) {
+            const [policyRes] = await db
+                .select()
+                .from(resourcePolicies)
+                .where(
+                    and(
+                        eq(resourcePolicies.niceId, niceId),
+                        eq(resourcePolicies.orgId, orgId)
+                    )
+                )
+                .limit(1);
+            policy = policyRes ?? null;
+        } else {
+            const resourcePolicyId = parseInt(resourcePolicyIdStr);
+            if (isNaN(resourcePolicyId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid resource policy ID"
+                    )
+                );
+            }
+            const [policyRes] = await db
+                .select()
+                .from(resourcePolicies)
+                .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+                .limit(1);
+            policy = policyRes ?? null;
+        }
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyIdStr ?? niceId} not found`
+                )
+            );
+        }
+
+        if (!req.userOrg) {
+            const userOrgRes = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(userOrgs.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+            req.userOrg = userOrgRes[0];
+        }
+
+        if (!req.userOrg || req.userOrg.orgId !== policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            policy.orgId
+        );
+        req.userOrgId = policy.orgId;
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}
--- a/server/middlewares/verifySiteProvisioningKeyAccess.ts
+++ b/server/middlewares/verifySiteProvisioningKeyAccess.ts
@@ -1,10 +1,16 @@
 import { Request, Response, NextFunction } from "express";
-import { db, userOrgs, siteProvisioningKeys, siteProvisioningKeyOrg } from "@server/db";
+import {
+    db,
+    userOrgs,
+    siteProvisioningKeys,
+    siteProvisioningKeyOrg
+} from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifySiteProvisioningKeyAccess(
    req: Request,
@@ -13,8 +19,10 @@ export async function verifySiteProvisioningKeyAccess(
 ) {
    try {
        const userId = req.user!.userId;
-        const siteProvisioningKeyId = req.params.siteProvisioningKeyId;
-        const orgId = req.params.orgId;
+        const siteProvisioningKeyId = getFirstString(
+            req.params.siteProvisioningKeyId
+        );
+        const orgId = getFirstString(req.params.orgId);

        if (!userId) {
            return next(
@@ -80,10 +88,7 @@ export async function verifySiteProvisioningKeyAccess(
                .where(
                    and(
                        eq(userOrgs.userId, userId),
-                        eq(
-                            userOrgs.orgId,
-                            row.siteProvisioningKeyOrg.orgId
-                        )
+                        eq(userOrgs.orgId, row.siteProvisioningKeyOrg.orgId)
                    )
                )
                .limit(1);
--- a/server/middlewares/verifyTargetAccess.ts
+++ b/server/middlewares/verifyTargetAccess.ts
@@ -7,6 +7,7 @@ import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyTargetAccess(
    req: Request,
@@ -14,7 +15,8 @@ export async function verifyTargetAccess(
    next: NextFunction
 ) {
    const userId = req.user!.userId;
-    const targetId = parseInt(req.params.targetId);
+    const targetIdRaw = getFirstString(req.params.targetId);
+    const targetId = Number.parseInt(targetIdRaw ?? "", 10);

    if (!userId) {
        return next(
--- a/server/middlewares/verifyUserCanSetUserOrgRoles.ts
+++ b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
@@ -38,7 +38,7 @@ export function verifyUserCanSetUserOrgRoles() {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
-                    "User does not have permission perform this action"
+                    "User does not have permission to set user organization roles"
                )
            );
        } catch (error) {
--- a/server/middlewares/verifyUserFromResourceSession.ts
+++ b/server/middlewares/verifyUserFromResourceSession.ts
@@ -0,0 +1,102 @@
+import { Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourceSessions, users } from "@server/db";
+import { eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getUserSessionWithUser } from "@server/db/queries/verifySessionQueries";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";
+import config from "@server/lib/config";
+import logger from "@server/logger";
+
+export const verifyUserFromResourceSessionMiddleware = async (
+    req: any,
+    res: Response,
+    next: NextFunction
+) => {
+    if (!req.user) {
+        const sessionCookieName =
+            config.getRawConfig().server.session_cookie_name;
+
+        // Collect all resource session cookies (format: {name}[_s].{timestamp}=token)
+        const cookieHeader: string | undefined = req.headers.cookie;
+        const candidates: { timestamp: number; token: string }[] = [];
+
+        if (cookieHeader) {
+            for (const part of cookieHeader.split(";")) {
+                const trimmed = part.trim();
+                const eqIdx = trimmed.indexOf("=");
+                if (eqIdx === -1) continue;
+
+                const cookieName = trimmed.slice(0, eqIdx).trim();
+                const cookieValue = trimmed.slice(eqIdx + 1).trim();
+
+                // Match both secure (_s.timestamp) and non-secure (.timestamp) variants
+                const securePrefix = `${sessionCookieName}_s.`;
+                const httpPrefix = `${sessionCookieName}.`;
+
+                let timestampStr: string | null = null;
+                if (cookieName.startsWith(securePrefix)) {
+                    timestampStr = cookieName.slice(securePrefix.length);
+                } else if (cookieName.startsWith(httpPrefix)) {
+                    timestampStr = cookieName.slice(httpPrefix.length);
+                }
+
+                if (timestampStr !== null && /^\d+$/.test(timestampStr)) {
+                    candidates.push({
+                        timestamp: parseInt(timestampStr, 10),
+                        token: cookieValue
+                    });
+                }
+            }
+        }
+
+        // Pick the most recently issued session (highest timestamp)
+        candidates.sort((a, b) => b.timestamp - a.timestamp);
+        const best = candidates[0];
+
+        if (best) {
+            try {
+                const sessionId = encodeHexLowerCase(
+                    sha256(new TextEncoder().encode(best.token))
+                );
+
+                const [resourceSession] = await db
+                    .select()
+                    .from(resourceSessions)
+                    .where(eq(resourceSessions.sessionId, sessionId))
+                    .limit(1);
+
+                if (resourceSession && Date.now() < resourceSession.expiresAt) {
+                    if (resourceSession.userSessionId) {
+                        const result = await getUserSessionWithUser(
+                            resourceSession.userSessionId
+                        );
+
+                        if (result?.user && result?.session) {
+                            req.user = result.user;
+                            req.session = result.session;
+                        }
+                    }
+                }
+            } catch (e) {
+                logger.error(
+                    "verifyUserFromResourceSessionMiddleware: failed to validate resource session",
+                    e
+                );
+            }
+        }
+    }
+
+    // Populate userOrgRoleIds if an orgId is available in route params
+    if (req.user && req.params?.orgId && !req.userOrgRoleIds) {
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.user.userId,
+            req.params.orgId
+        );
+    }
+
+    next();
+};
--- a/server/middlewares/verifyUserIsOrgOwner.ts
+++ b/server/middlewares/verifyUserIsOrgOwner.ts
@@ -4,6 +4,7 @@ import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";

 export async function verifyUserIsOrgOwner(
    req: Request,
@@ -11,7 +12,7 @@ export async function verifyUserIsOrgOwner(
    next: NextFunction
 ) {
    const userId = req.user!.userId;
-    const orgId = req.params.orgId;
+    const orgId = getFirstString(req.params.orgId);

    if (!userId) {
        return next(
--- a/server/openApi.ts
+++ b/server/openApi.ts
@@ -7,6 +7,7 @@ export enum OpenAPITags {
    Org = "Organization",
    PublicResource = "Public Resource",
    PrivateResource = "Private Resource",
+    Policy = "Policy",
    Role = "Role",
    User = "User",
    Invitation = "User Invitation",
--- a/server/private/lib/acmeCertSync.ts
+++ b/server/private/lib/acmeCertSync.ts
@@ -485,6 +485,133 @@ async function syncAcmeCertsFromHttp(endpoint: string): Promise<void> {
    }
 }

+async function storeCertForDomain(
+    domain: string,
+    certPem: string,
+    keyPem: string,
+    validatedX509: crypto.X509Certificate
+): Promise<void> {
+    const wildcard = domain.startsWith("*.");
+
+    const existing = await db
+        .select()
+        .from(certificates)
+        .where(eq(certificates.domain, domain))
+        .limit(1);
+
+    let oldCertPem: string | null = null;
+    let oldKeyPem: string | null = null;
+
+    if (existing.length > 0 && existing[0].certFile) {
+        try {
+            const storedCertPem = decrypt(
+                existing[0].certFile,
+                config.getRawConfig().server.secret!
+            );
+            const wildcardUnchanged = existing[0].wildcard === wildcard;
+            if (storedCertPem === certPem && wildcardUnchanged) {
+                return;
+            }
+            oldCertPem = storedCertPem;
+            if (existing[0].keyFile) {
+                try {
+                    oldKeyPem = decrypt(
+                        existing[0].keyFile,
+                        config.getRawConfig().server.secret!
+                    );
+                } catch (keyErr) {
+                    logger.debug(
+                        `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
+                    );
+                }
+            }
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
+            );
+        }
+    }
+
+    let expiresAt: number | null = null;
+    try {
+        expiresAt = Math.floor(
+            new Date(validatedX509.validTo).getTime() / 1000
+        );
+    } catch (err) {
+        logger.debug(
+            `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
+        );
+    }
+
+    const encryptedCert = encrypt(
+        certPem,
+        config.getRawConfig().server.secret!
+    );
+    const encryptedKey = encrypt(keyPem, config.getRawConfig().server.secret!);
+    const now = Math.floor(Date.now() / 1000);
+
+    const domainId = await findDomainId(domain);
+    if (domainId) {
+        logger.debug(
+            `acmeCertSync: resolved domainId "${domainId}" for cert domain "${domain}"`
+        );
+    } else {
+        logger.debug(
+            `acmeCertSync: no matching domain record found for cert domain "${domain}"`
+        );
+    }
+
+    if (existing.length > 0) {
+        logger.debug(
+            `acmeCertSync: updating existing certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+        await db
+            .update(certificates)
+            .set({
+                certFile: encryptedCert,
+                keyFile: encryptedKey,
+                status: "valid",
+                expiresAt,
+                updatedAt: now,
+                wildcard,
+                ...(domainId !== null && { domainId })
+            })
+            .where(eq(certificates.domain, domain));
+
+        logger.debug(
+            `acmeCertSync: updated certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+
+        await pushCertUpdateToAffectedNewts(
+            domain,
+            domainId,
+            oldCertPem,
+            oldKeyPem
+        );
+    } else {
+        logger.debug(
+            `acmeCertSync: inserting new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+        await db.insert(certificates).values({
+            domain,
+            domainId,
+            certFile: encryptedCert,
+            keyFile: encryptedKey,
+            status: "valid",
+            expiresAt,
+            createdAt: now,
+            updatedAt: now,
+            wildcard
+        });
+
+        logger.debug(
+            `acmeCertSync: inserted new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+
+        await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
+    }
+}
+
 function findAcmeJsonFiles(dirPath: string): string[] {
    const results: string[] = [];
    let entries: fs.Dirent[];
@@ -575,18 +702,16 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
    }

    for (const cert of allCerts) {
-        const domain = cert?.domain?.main;
+        const mainDomain = cert?.domain?.main;

-        if (!domain || typeof domain !== "string") {
+        if (!mainDomain || typeof mainDomain !== "string") {
            logger.debug(`acmeCertSync: skipping cert with missing domain`);
            continue;
        }

-        const { wildcard } = detectWildcard(domain, cert.domain?.sans);
-
        if (!cert.certificate || !cert.key) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - empty certificate or key field`
+                `acmeCertSync: skipping cert for ${mainDomain} - empty certificate or key field`
            );
            continue;
        }
@@ -598,14 +723,14 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
            keyPem = Buffer.from(cert.key, "base64").toString("utf8");
        } catch (err) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - failed to base64-decode cert/key: ${err}`
+                `acmeCertSync: skipping cert for ${mainDomain} - failed to base64-decode cert/key: ${err}`
            );
            continue;
        }

        if (!certPem.trim() || !keyPem.trim()) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - blank PEM after base64 decode`
+                `acmeCertSync: skipping cert for ${mainDomain} - blank PEM after base64 decode`
            );
            continue;
        }
@@ -616,7 +741,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
        const firstCertPemForValidation = extractFirstCert(certPem);
        if (!firstCertPemForValidation) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - no PEM certificate block found`
+                `acmeCertSync: skipping cert for ${mainDomain} - no PEM certificate block found`
            );
            continue;
        }
@@ -628,7 +753,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
            );
        } catch (err) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - invalid X.509 certificate: ${err}`
+                `acmeCertSync: skipping cert for ${mainDomain} - invalid X.509 certificate: ${err}`
            );
            continue;
        }
@@ -638,139 +763,40 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
            crypto.createPrivateKey(keyPem);
        } catch (err) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - invalid private key: ${err}`
+                `acmeCertSync: skipping cert for ${mainDomain} - invalid private key: ${err}`
            );
            continue;
        }

-        // Check if cert already exists in DB
-        const existing = await db
-            .select()
-            .from(certificates)
-            .where(and(eq(certificates.domain, domain)))
-            .limit(1);
-
-        let oldCertPem: string | null = null;
-        let oldKeyPem: string | null = null;
-
-        if (existing.length > 0 && existing[0].certFile) {
-            try {
-                const storedCertPem = decrypt(
-                    existing[0].certFile,
-                    config.getRawConfig().server.secret!
-                );
-                const wildcardUnchanged = existing[0].wildcard === wildcard;
-                if (storedCertPem === certPem && wildcardUnchanged) {
-                    // logger.debug(
-                    // `acmeCertSync: cert for ${domain} is unchanged, skipping`
-                    // );
-                    continue;
+        // Collect all domains covered by this cert: main + every SAN.
+        // Each domain gets its own row in the certificates table so that
+        // lookups by any hostname on the cert succeed independently.
+        const allDomains = new Set<string>([mainDomain]);
+        if (Array.isArray(cert.domain?.sans)) {
+            for (const san of cert.domain.sans) {
+                if (typeof san === "string" && san.trim()) {
+                    allDomains.add(san.trim());
                }
-                // Cert has changed; capture old values so we can send a correct
-                // update message to the newt after the DB write.
-                oldCertPem = storedCertPem;
-                if (existing[0].keyFile) {
-                    try {
-                        oldKeyPem = decrypt(
-                            existing[0].keyFile,
-                            config.getRawConfig().server.secret!
-                        );
-                    } catch (keyErr) {
-                        logger.debug(
-                            `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
-                        );
-                    }
-                }
-            } catch (err) {
-                // Decryption failure means we should proceed with the update
-                logger.debug(
-                    `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
-                );
            }
        }

-        // Parse cert expiry from the validated X.509 certificate
-        let expiresAt: number | null = null;
-        try {
-            expiresAt = Math.floor(
-                new Date(validatedX509.validTo).getTime() / 1000
-            );
-        } catch (err) {
-            logger.debug(
-                `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
-            );
-        }
+        // logger.debug(
+        //     `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
+        // );

-        const encryptedCert = encrypt(
-            certPem,
-            config.getRawConfig().server.secret!
-        );
-        const encryptedKey = encrypt(
-            keyPem,
-            config.getRawConfig().server.secret!
-        );
-        const now = Math.floor(Date.now() / 1000);
-
-        const domainId = await findDomainId(domain);
-        if (domainId) {
-            logger.debug(
-                `acmeCertSync: resolved domainId "${domainId}" for cert domain "${domain}"`
-            );
-        } else {
-            logger.debug(
-                `acmeCertSync: no matching domain record found for cert domain "${domain}"`
-            );
-        }
-
-        if (existing.length > 0) {
-            logger.debug(
-                `acmeCertSync: updating existing certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-            await db
-                .update(certificates)
-                .set({
-                    certFile: encryptedCert,
-                    keyFile: encryptedKey,
-                    status: "valid",
-                    expiresAt,
-                    updatedAt: now,
-                    wildcard,
-                    ...(domainId !== null && { domainId })
-                })
-                .where(eq(certificates.domain, domain));
-
-            logger.debug(
-                `acmeCertSync: updated certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-
-            await pushCertUpdateToAffectedNewts(
-                domain,
-                domainId,
-                oldCertPem,
-                oldKeyPem
-            );
-        } else {
-            logger.debug(
-                `acmeCertSync: inserting new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-            await db.insert(certificates).values({
-                domain,
-                domainId,
-                certFile: encryptedCert,
-                keyFile: encryptedKey,
-                status: "valid",
-                expiresAt,
-                createdAt: now,
-                updatedAt: now,
-                wildcard
-            });
-
-            logger.debug(
-                `acmeCertSync: inserted new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-
-            // For a brand-new cert, push to any SSL resources that were waiting for it
-            await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
+        for (const domain of allDomains) {
+            try {
+                await storeCertForDomain(
+                    domain,
+                    certPem,
+                    keyPem,
+                    validatedX509
+                );
+            } catch (err) {
+                logger.error(
+                    `acmeCertSync: error storing cert for domain "${domain}": ${err}`
+                );
+            }
        }
    }
 }
@@ -837,9 +863,9 @@ export function initAcmeCertSync(): void {
                    );
                    return;
                }
-                logger.debug(
-                    `acmeCertSync: found ${files.length} acme.json file(s) in directory "${acmeJsonPath}"`
-                );
+                // logger.debug(
+                //     `acmeCertSync: found ${files.length} acme.json file(s) in directory "${acmeJsonPath}"`
+                // );
                for (const file of files) {
                    syncAcmeCerts(file).catch((err) => {
                        logger.error(
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -13,7 +13,7 @@

 import NodeCache from "node-cache";
 import logger from "@server/logger";
-import { redisManager } from "@server/private/lib/redis";
+import { redisManager, regionalRedisManager } from "@server/private/lib/redis";

 // Create local cache with maxKeys limit to prevent memory leaks
 // With ~10k requests/day and 5min TTL, 10k keys should be more than sufficient
@@ -298,3 +298,147 @@ class AdaptiveCache {
 // Export singleton instance
 export const cache = new AdaptiveCache();
 export default cache;
+
+/**
+ * Regional adaptive cache backed by the in-cluster Redis instance.
+ * Falls back to a local NodeCache when the regional Redis is unavailable.
+ * Use this for data that is regional in nature (e.g. status history) so
+ * reads are served from the same cluster the user is hitting.
+ */
+const regionalLocalCache = new NodeCache({
+    stdTTL: 3600,
+    checkperiod: 120,
+    maxKeys: 10000
+});
+
+class RegionalAdaptiveCache {
+    private useRedis(): boolean {
+        return (
+            regionalRedisManager.isRedisEnabled() &&
+            regionalRedisManager.getHealthStatus().isHealthy
+        );
+    }
+
+    async set(key: string, value: any, ttl?: number): Promise<boolean> {
+        const effectiveTtl = ttl === 0 ? undefined : ttl;
+        const redisTtl = ttl === 0 ? undefined : (ttl ?? 3600);
+
+        if (this.useRedis()) {
+            try {
+                const serialized = JSON.stringify(value);
+                const success = await regionalRedisManager.set(
+                    key,
+                    serialized,
+                    redisTtl
+                );
+                if (success) {
+                    logger.debug(`[regional] Set key in Redis: ${key}`);
+                    return true;
+                }
+            } catch (error) {
+                logger.error(
+                    `[regional] Redis set error for key ${key}:`,
+                    error
+                );
+            }
+        }
+
+        const success = regionalLocalCache.set(key, value, effectiveTtl || 0);
+        if (success) logger.debug(`[regional] Set key in local cache: ${key}`);
+        return success;
+    }
+
+    async get<T = any>(key: string): Promise<T | undefined> {
+        if (this.useRedis()) {
+            try {
+                const value = await regionalRedisManager.get(key);
+                if (value !== null) {
+                    logger.debug(`[regional] Cache hit in Redis: ${key}`);
+                    return JSON.parse(value) as T;
+                }
+                logger.debug(`[regional] Cache miss in Redis: ${key}`);
+                return undefined;
+            } catch (error) {
+                logger.error(
+                    `[regional] Redis get error for key ${key}:`,
+                    error
+                );
+            }
+        }
+
+        const value = regionalLocalCache.get<T>(key);
+        if (value !== undefined) {
+            logger.debug(`[regional] Cache hit in local cache: ${key}`);
+        } else {
+            logger.debug(`[regional] Cache miss in local cache: ${key}`);
+        }
+        return value;
+    }
+
+    async del(key: string | string[]): Promise<number> {
+        const keys = Array.isArray(key) ? key : [key];
+        let deletedCount = 0;
+
+        if (this.useRedis()) {
+            try {
+                for (const k of keys) {
+                    const success = await regionalRedisManager.del(k);
+                    if (success) {
+                        deletedCount++;
+                        logger.debug(`[regional] Deleted key from Redis: ${k}`);
+                    }
+                }
+                if (deletedCount === keys.length) return deletedCount;
+                deletedCount = 0;
+            } catch (error) {
+                logger.error(`[regional] Redis del error:`, error);
+                deletedCount = 0;
+            }
+        }
+
+        for (const k of keys) {
+            const count = regionalLocalCache.del(k);
+            if (count > 0) {
+                deletedCount++;
+                logger.debug(`[regional] Deleted key from local cache: ${k}`);
+            }
+        }
+        return deletedCount;
+    }
+
+    async has(key: string): Promise<boolean> {
+        if (this.useRedis()) {
+            try {
+                const value = await regionalRedisManager.get(key);
+                return value !== null;
+            } catch (error) {
+                logger.error(
+                    `[regional] Redis has error for key ${key}:`,
+                    error
+                );
+            }
+        }
+        return regionalLocalCache.has(key);
+    }
+
+    /**
+     * Returns keys matching the given prefix from whichever backend is active.
+     * Redis uses a KEYS scan; local cache filters in-memory keys.
+     */
+    async keysWithPrefix(prefix: string): Promise<string[]> {
+        if (this.useRedis()) {
+            try {
+                return await regionalRedisManager.keys(`${prefix}*`);
+            } catch (error) {
+                logger.error(`[regional] Redis keys error:`, error);
+            }
+        }
+        return regionalLocalCache.keys().filter((k) => k.startsWith(prefix));
+    }
+
+    getCurrentBackend(): "redis" | "local" {
+        return this.useRedis() ? "redis" : "local";
+    }
+}
+
+export const regionalCache = new RegionalAdaptiveCache();
--- a/server/private/lib/certificates.ts
+++ b/server/private/lib/certificates.ts
@@ -36,8 +36,6 @@ export async function getValidCertificatesForDomains(
    domains: Set<string>,
    useCache: boolean = true
 ): Promise<Array<CertificateResult>> {
-
-
    const finalResults: CertificateResult[] = [];
    const domainsToQuery = new Set<string>();

@@ -49,7 +47,26 @@ export async function getValidCertificatesForDomains(
            if (cachedCert) {
                finalResults.push(cachedCert); // Valid cache hit
            } else {
-                domainsToQuery.add(domain); // Cache miss or expired
+                // Also check for a wildcard cache entry covering this domain's parent
+                const parts = domain.split(".");
+                let wildcardHit = false;
+                if (parts.length > 1) {
+                    const parentDomain = parts.slice(1).join(".");
+                    const wildcardCacheKey = `cert:*.${parentDomain}`;
+                    const cachedWildcard =
+                        await cache.get<CertificateResult>(wildcardCacheKey);
+                    if (cachedWildcard) {
+                        // Re-stamp queriedDomain so callers see the originally requested domain
+                        finalResults.push({
+                            ...cachedWildcard,
+                            queriedDomain: domain
+                        });
+                        wildcardHit = true;
+                    }
+                }
+                if (!wildcardHit) {
+                    domainsToQuery.add(domain); // Cache miss or expired
+                }
            }
        }
    } else {
@@ -59,7 +76,10 @@ export async function getValidCertificatesForDomains(

    // 2. If all domains were resolved from the cache, return early
    if (domainsToQuery.size === 0) {
-        const decryptedResults = decryptFinalResults(finalResults, config.getRawConfig().server.secret!);
+        const decryptedResults = decryptFinalResults(
+            finalResults,
+            config.getRawConfig().server.secret!
+        );
        return decryptedResults;
    }

@@ -78,7 +98,8 @@ export async function getValidCertificatesForDomains(
    const parentDomainsArray = Array.from(parentDomainsToQuery);

    // Build wildcard variants: for each parent domain "example.com", also query "*.example.com"
-    const wildcardPrefixedArray = build != "saas" ? parentDomainsArray.map((d) => `*.${d}`) : [];
+    const wildcardPrefixedArray =
+        build != "saas" ? parentDomainsArray.map((d) => `*.${d}`) : [];

    // 4. Build and execute a single, efficient Drizzle query
    // This query fetches all potential exact and wildcard matches in one database round-trip.
@@ -172,11 +193,24 @@ export async function getValidCertificatesForDomains(
            if (useCache) {
                const cacheKey = `cert:${domain}`;
                await cache.set(cacheKey, resultCert, 180);
+
+                // Also cache wildcard certs under a pattern key so other subdomains
+                // can find them without a DB round-trip
+                if (resultCert.wildcard) {
+                    const normalizedCertDomain = normalizeWildcardDomain(
+                        resultCert.domain
+                    );
+                    const wildcardCacheKey = `cert:*.${normalizedCertDomain}`;
+                    await cache.set(wildcardCacheKey, resultCert, 180);
+                }
            }
        }
    }

-    const decryptedResults = decryptFinalResults(finalResults, config.getRawConfig().server.secret!);
+    const decryptedResults = decryptFinalResults(
+        finalResults,
+        config.getRawConfig().server.secret!
+    );
    return decryptedResults;
 }

--- a/Show More
+++ b/Show More