New translations en-us.json (French)

[ci skip]
New translations en-us.json (Norwegian Bokmal)
2026-06-12 10:29:51 +00:00 · 2026-06-11 12:43:12 -07:00 · 2026-06-11 12:43:10 -07:00 · 2026-06-11 12:43:08 -07:00 · 2026-06-11 12:43:05 -07:00 · 2026-06-11 12:43:03 -07:00
353 changed files with 17344 additions and 16720 deletions
--- a/.cursor/rules/Button-loading-state.mdc
+++ b/.cursor/rules/Button-loading-state.mdc
@@ -1,5 +0,0 @@
---
-alwaysApply: true
---
-
-When adding submit buttons, don't change the text of the button during the loading state. Text should stay static and you should use the loading prop on the button.
--- a/.cursor/rules/Components.mdc
+++ b/.cursor/rules/Components.mdc
@@ -1,5 +0,0 @@
---
-alwaysApply: true
---
-
-When creating UI for popup dialogs or modals, use the Credenza componennt. This component is mobile responsive and works on desktop and wraps the dialog component and sheet into one.
--- a/.cursor/rules/TypeScript-rules.mdc
+++ b/.cursor/rules/TypeScript-rules.mdc
@@ -1,7 +0,0 @@
---
-alwaysApply: true
---
-
-When writing TypeScript:
-
-Prefer to use types instead of interfaces.
--- a/.cursor/rules/Use-React-form-and-Zod-schemas.mdc
+++ b/.cursor/rules/Use-React-form-and-Zod-schemas.mdc
@@ -1,5 +0,0 @@
---
-alwaysApply: true
---
-
-When creating forms, use React form for validation and use Zod schemas.
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,5 +34,4 @@ build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
-allowedDevOrigins.json
-scratch/
+allowedDevOrigins.json
--- a/cli/commands/setServerAdmin.ts
+++ b/cli/commands/setServerAdmin.ts
@@ -4,26 +4,19 @@ import { eq } from "drizzle-orm";

 type SetServerAdminArgs = {
    email: string;
-    remove: boolean;
 };

 export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
    command: "set-server-admin",
-    describe: "Add or remove server admin by email address",
+    describe: "Mark any user as a server admin by email address",
    builder: (yargs) => {
-        return yargs
-            .option("email", {
-                type: "string",
-                demandOption: true,
-                describe: "User email address"
-            })
-            .option("remove", {
-                type: "boolean",
-                default: false,
-                describe: "Remove server admin status from the user"
-            });
+        return yargs.option("email", {
+            type: "string",
+            demandOption: true,
+            describe: "User email address"
+        });
    },
-    handler: async (argv: SetServerAdminArgs) => {
+    handler: async (argv: { email: string }) => {
        try {
            const email = argv.email.trim().toLowerCase();

@@ -38,33 +31,6 @@ export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
                process.exit(1);
            }

-            if (argv.remove) {
-                if (!user.serverAdmin) {
-                    console.log(`User '${email}' is not a server admin`);
-                    process.exit(0);
-                }
-
-                const serverAdmins = await db
-                    .select()
-                    .from(users)
-                    .where(eq(users.serverAdmin, true));
-
-                if (serverAdmins.length <= 1) {
-                    console.error(
-                        "Cannot remove server admin: at least one server admin must exist"
-                    );
-                    process.exit(1);
-                }
-
-                await db
-                    .update(users)
-                    .set({ serverAdmin: false })
-                    .where(eq(users.userId, user.userId));
-
-                console.log(`Server admin status removed from user '${email}'`);
-                process.exit(0);
-            }
-
            if (user.serverAdmin) {
                console.log(`User '${email}' is already a server admin`);
                process.exit(0);
--- a/install/config/config.yml
+++ b/install/config/config.yml
@@ -38,5 +38,7 @@ flags:
    disable_user_create_org: false
    allow_raw_resources: true

-{{if .IsPostgreSQL}}postgres:
-    connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin{{end}}
+{{if .IsPostgreSQL}}
+postgres:
+  connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin
+{{end}}
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -7,17 +7,23 @@ services:
    deploy:
      resources:
        limits:
-          memory: 2g
+          memory: 1g
        reservations:
-          memory: 512m
-    {{if or .IsPostgreSQL .IsRedis}}depends_on:
-      {{if .IsPostgreSQL}}postgres:
-          condition: service_healthy{{end}}
-      {{if .IsRedis}}redis:
-          condition: service_healthy{{end}}
+          memory: 256m
+{{if or .IsPostgreSQL .IsRedis}}
+    depends_on:
+    {{if .IsPostgreSQL}}
+      postgres:
+        condition: service_healthy
+    {{end}}
+    {{if .IsRedis}}
+      redis:
+        condition: service_healthy
+    {{end}}
    networks:
      - default
-      - backend{{end}}
+      - backend
+{{end}}
    volumes:
      - ./config:/app/config
    healthcheck:
@@ -25,8 +31,8 @@ services:
      interval: "10s"
      timeout: "10s"
      retries: 15
-
-  {{if .InstallGerbil}}gerbil:
+{{if .InstallGerbil}}
+  gerbil:
    image: docker.io/fosrl/gerbil:{{.GerbilVersion}}
    container_name: gerbil
    restart: unless-stopped
@@ -47,16 +53,17 @@ services:
      - 21820:21820/udp
      - 443:443
      - 443:443/udp # For http3 QUIC if desired
-      - 80:80{{end}}
-
+      - 80:80
+{{end}}
  traefik:
    image: docker.io/traefik:v3.6
    container_name: traefik
    restart: unless-stopped
-    {{if .InstallGerbil}}network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
+{{if .InstallGerbil}}    network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
    ports:
      - 443:443
-      - 80:80{{end}}
+      - 80:80
+{{end}}
    depends_on:
      pangolin:
        condition: service_healthy
@@ -67,7 +74,8 @@ services:
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs

-  {{if .IsPostgreSQL}}postgres:
+{{if .IsPostgreSQL}}
+  postgres:
    image: postgres:18
    container_name: postgres
    restart: unless-stopped
@@ -83,9 +91,11 @@ services:
      timeout: 5s
      retries: 5
    networks:
-      - backend{{end}}
+      - backend
+{{end}}

-  {{if .IsRedis}}redis:
+{{if .IsRedis}}
+  redis:
    image: redis:8-trixie
    container_name: redis
    restart: unless-stopped
@@ -103,14 +113,17 @@ services:
      retries: 3
      start_period: 10s
    networks:
-      - backend{{end}}
+      - backend
+{{end}}

 networks:
  default:
    driver: bridge
    name: pangolin_frontend
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
-{{if or .IsPostgreSQL .IsRedis}}  backend:
+{{if or .IsPostgreSQL .IsRedis}}
+  backend:
    driver: bridge
    name: pangolin_backend
-    internal: true{{end}}
+    internal: true
+{{end}}
--- a/install/config/privateConfig.yml
+++ b/install/config/privateConfig.yml
@@ -1,4 +1,6 @@
-{{if .IsRedis}}redis:
+{{if .IsRedis}}
+redis:
  host: "redis"
  port: 6379
-  password: "{{.IsRedisPass}}"{{end}}
+  password: "{{.IsRedisPass}}"
+{{end}}
--- a/install/main.go
+++ b/install/main.go
@@ -71,12 +71,9 @@ const (
 	Undefined SupportedContainer = "undefined"
 )

-var redisFlag *bool
-
 func main() {

 	crowdsecFlag := flag.Bool("crowdsec", false, "Enable the CrowdSec installation prompt")
-	redisFlag = flag.Bool("redis", false, "Install Redis as cacheing solution. Required for HA. Not required for the Enterprise version.")
 	flag.Parse()

 	// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking
@@ -494,13 +491,13 @@ func collectUserInput() Config {

 	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
    if config.IsEnterprise {
-        if *redisFlag {
-			config.IsRedis = true
+        config.IsRedis = readBool("Do you want to run the Redis containers locally? Required for HA.")
+        if config.IsRedis {
            config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
        }
    }

-    config.IsPostgreSQL = readBool("Do you want to use PostgreSQL (not recommended for most users)?", false)
+    config.IsPostgreSQL = readBool("Do you want to run the PostgreSQL containers locally? Otherwise, default to the local SQLite database only.", false)
 	if config.IsPostgreSQL {
 		config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
 	}
@@ -547,7 +544,7 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")

 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ASN databases for blocking functionality?", true)
+	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ADN databases for blocking functionality?", true)

 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Вижте частни ресурси",
    "siteInstallNewt": "Инсталирайте Newt",
    "siteInstallNewtDescription": "Пуснете Newt на вашата система",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard конфигурация",
    "WgConfigurationDescription": "Използвайте следната конфигурация, за да се свържете с мрежата",
    "operatingSystem": "Операционна система",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Ще можете да виждате това само веднъж. Уверете се да го копирате на сигурно място.",
    "siteInfo": "Информация за сайта",
    "status": "Статус",
-    "shareTitle": "Управление на връзки за споделяне",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Създайте споделими връзки, за да предоставите временен или постоянен достъп до прокси ресурсите",
-    "shareSearch": "Търсене на връзки за споделяне...",
-    "shareCreate": "Създайте връзка за споделяне",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Неуспешно изтриване на връзката",
    "shareErrorDeleteMessage": "Възникна грешка при изтриване на връзката",
    "shareDeleted": "Връзката беше изтрита",
    "shareDeletedDescription": "Връзката беше премахната",
-    "shareDelete": "Изтрийте споделената връзка",
-    "shareDeleteConfirm": "Потвърдете изтриването на споделената връзка",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Сигурни ли сте, че искате да изтриете тази споделена връзка?",
    "shareMessageRemove": "След изтриване връзката вече няма да работи и всеки, който я използва, ще загуби достъп до ресурса.",
    "shareTokenDescription": "Достъпният токен може да бъде предаван по два начина: като параметър или в хедърите на заявките. Те трябва да бъдат предавани от клиента при всяка заявка за удостоверен достъп.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Всеки с тази връзка може да получи достъп до ресурса",
    "shareTitleOptional": "Заглавие (по избор)",
    "sharePathOptional": "Път (по избор)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Изтече",
    "neverExpire": "Никога не изтича",
    "shareExpireDescription": "Времето на изтичане е колко дълго връзката ще бъде използваема и ще предоставя достъп до ресурса. След това време, връзката няма да работи и потребителите, които са я използвали, ще загубят достъп до ресурса.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Моля, изберете ресурс",
    "proxyResourceTitle": "Управление на обществени ресурси",
    "proxyResourceDescription": "Създайте и управлявайте ресурси, които са общодостъпни чрез уеб браузър.",
-    "publicResourcesBannerTitle": "Публичен достъп чрез уеб.",
-    "publicResourcesBannerDescription": "Публичните ресурси са HTTPS или TCP/UDP проксита, достъпни за всеки в интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват софтуер от страна на клиента и могат да включват издентити и контексто-осъзнати политики за достъп.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Управление на частни ресурси",
    "clientResourceDescription": "Създайте и управлявайте ресурси, които са достъпни само чрез свързан клиент.",
    "privateResourcesBannerTitle": "Достъп до частни ресурси с нулево доверие.",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Търсене на ресурси...",
    "resourceAdd": "Добавете ресурс",
    "resourceErrorDelte": "Грешка при изтриване на ресурс",
-    "resourcePoliciesTitle": "Управление на политики за ресурси",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Свързани ресурси",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} ресурс(а)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "няма ресурси",
-    "resourcePoliciesDescription": "Създавай и управлявай политики за автентикация, за да контролирате достъпа до вашите ресурси",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Търсене на политики...",
    "resourcePoliciesAdd": "Добавяне на политика",
    "resourcePoliciesDefaultBadgeText": "Стандартна политика",
-    "resourcePoliciesCreate": "Създаване на политика за ресурс",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Следвайте стъпките по-долу, за да създадете нова политика",
    "resourcePolicyName": "Име на политика",
    "resourcePolicyNameDescription": "Дайте на тази политика име, за да я идентифицирате в цялото ви ресурси",
@@ -274,7 +281,7 @@
    "back": "Назад",
    "cancel": "Отмяна",
    "resourceConfig": "Конфигурационни фрагменти",
-    "resourceConfigDescription": "Копирайте и поставете тези конфигурационни отрязъци, за да настроите TCP/UDP ресурса",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Добавете Входни точки",
    "resourceExposePorts": "Gerbil: Изложете портове в Docker Compose",
    "resourceLearnRaw": "Научете как да конфигурирате TCP/UDP ресурси",
@@ -287,6 +294,8 @@
    "labelDelete": "Изтриване на етикета",
    "labelAdd": "Добавяне на етикет",
    "labelCreateSuccessMessage": "Етикетът е създаден успешно",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Етикетът е променен успешно",
    "labelNameField": "Име на етикет",
    "labelColorField": "Цвят на етикет",
@@ -311,7 +320,7 @@
    "rules": "Правила",
    "resourceSettingDescription": "Конфигурирайте настройките на ресурса",
    "resourceSetting": "Настройки на {resourceName}",
-    "resourcePolicySettingDescription": "Конфигурирайте настройките на политиката за ресурс",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Настройки за {policyName}",
    "alwaysAllow": "Заобикаляне на Ауторизацията",
    "alwaysDeny": "Блокиране на Достъпа",
@@ -719,7 +728,7 @@
    "targetSubmit": "Добавяне на цел",
    "targetNoOne": "Този ресурс няма цели. Добавете цел, за да конфигурирате къде да се изпращат заявките към бекенда.",
    "targetNoOneDescription": "Добавянето на повече от една цел ще активира натоварването на баланса.",
-    "targetsSubmit": "Запазване на целите",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Добавете цел",
    "proxyMultiSiteRoundRobinNodeHelp": "Роунд Робин маршрутизирането няма да работи между сайтове, които не са свързани към един и същ възел, но автоматичното превключване ще работи.",
    "targetErrorInvalidIp": "Невалиден IP адрес",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Дубликат на правило",
    "rulesErrorDuplicateDescription": "Правило с тези настройки вече съществува",
    "rulesErrorInvalidIpAddressRange": "Невалиден CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Моля, въведете валидна стойност на CIDR",
-    "rulesErrorInvalidUrl": "Невалиден URL път",
-    "rulesErrorInvalidUrlDescription": "Моля, въведете валидна стойност за URL път",
-    "rulesErrorInvalidIpAddress": "Невалиден IP",
-    "rulesErrorInvalidIpAddressDescription": "Моля, въведете валиден IP адрес",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Неуспешно актуализиране на правилата",
    "rulesErrorUpdateDescription": "Възникна грешка при актуализиране на правилата",
    "rulesUpdated": "Активиране на правилата",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Въведете адрес във формат CIDR (напр. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Въведете IP адрес (напр. 103.21.244.12)",
    "rulesMatchUrl": "Въведете URL път или модел (напр. /api/v1/todos или /api/v1/*)",
-    "rulesErrorInvalidPriority": "Невалиден приоритет",
-    "rulesErrorInvalidPriorityDescription": "Моля, въведете валиден приоритет",
-    "rulesErrorDuplicatePriority": "Дублирани приоритети",
-    "rulesErrorDuplicatePriorityDescription": "Моля, въведете уникални приоритети",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Правилата са актуализирани",
    "ruleUpdatedDescription": "Правилата бяха успешно актуализирани",
    "ruleErrorUpdate": "Операцията не бе успешна",
    "ruleErrorUpdateDescription": "Възникна грешка по време на операцията за запис",
    "rulesPriority": "Приоритет",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Действие",
    "rulesMatchType": "Тип на съвпадение",
    "value": "Стойност",
@@ -792,7 +810,7 @@
    "rulesResource": "Конфигурация на правилата за ресурси",
    "rulesResourceDescription": "Конфигурирайте правила за контролиране на достъпа до ресурса",
    "ruleSubmit": "Добави правило",
-    "rulesNoOne": "Няма правила. Добавете правило чрез формуляра.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Правилата се оценяват по приоритет в нарастващ ред.",
    "rulesSubmit": "Запазване на правилата",
    "policyErrorCreate": "Грешка при създаване на политика",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Възникна неочаквана грешка",
    "policyCreatedSuccess": "Политиката за ресурс е създадена успешно",
    "policyUpdatedSuccess": "Политиката за ресурс е актуализирана успешно",
-    "authMethodsSave": "Запазете методите за идентификация",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Запазете правилата",
    "resourceErrorCreate": "Грешка при създаване на ресурс",
    "resourceErrorCreateDescription": "Възникна грешка при създаването на ресурса",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Възникна грешка при актуализиране на ресурса",
    "access": "Достъп",
    "accessControl": "Контрол на достъпа",
-    "shareLink": "{resource} Сподели връзка",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Изберете ресурс",
-    "shareLinks": "Споделени връзки",
+    "shareLinks": "Shareable Links",
    "share": "Споделени връзки",
    "shareDescription2": "Създайте връзки за достъп до ресурси. Връзките предоставят временен или неограничен достъп до вашия ресурс. Можете да конфигурирате продължителността на изтичане на връзката, когато я създавате.",
    "shareEasyCreate": "Лесно за създаване и споделяне",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Администраторите винаги могат да имат достъп до този ресурс.",
    "resourcePolicySelectTitle": "Политика за достъп до ресурс",
    "resourcePolicySelectDescription": "Изберете типа на политиката за ресурс за идентификация",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Инлайн Политика за Ресурс",
    "resourcePolicyInlineDescription": "Политика за достъп, ограничена само до този ресурс",
    "resourcePolicyShared": "Споделена Политика за Ресурс",
-    "resourcePolicySharedDescription": "Този ресурс използва споделена политика. Настройки на ниво политика (методи за идентификация, бял списък на имейли) са заключени. Можете да добавите правила за ресурса, роли и потребители по-долу.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Контроли за достъп",
    "resourceUsersRolesDescription": "Конфигурирайте кои потребители и роли могат да посещават този ресурс",
    "resourceUsersRolesSubmit": "Запазване на управлението на достъп.",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Видимост",
    "resourceVisibilityTitleDescription": "Напълно активирайте или деактивирайте видимостта на ресурса",
    "resourceGeneral": "Общи настройки",
-    "resourceGeneralDescription": "Конфигурирайте общите настройки за този ресурс",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Активирайте ресурс",
    "resourceTransfer": "Прехвърлете ресурс",
    "resourceTransferDescription": "Прехвърлете този ресурс към различен сайт",
@@ -1220,11 +1294,14 @@
    "addLabels": "Добавяне на етикети",
    "siteLabelsTab": "Етикети",
    "siteLabelsDescription": "Управление на етикети, свързани с този сайт.",
-    "labelsNotFound": "Етикети не са намерени",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Търсене на етикети",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# етикет} other {# етикети}}",
    "labelOverflowCount": "+{count, plural, one {# етикет} other {# етикети}}",
    "accessLabelFilterClear": "Изчисти филтрите за етикети",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Изберете цвят",
    "createNewLabel": "Създайте нов организационен етикет \"{label}\"",
    "inviteInvalidDescription": "Линкът към поканата е невалиден.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Ресурси",
    "sidebarProxyResources": "Публично",
    "sidebarClientResources": "Частно",
-    "sidebarPolicies": "Политики",
-    "sidebarResourcePolicies": "Ресурси",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Контрол на достъпа",
    "sidebarLogsAndAnalytics": "Дневници и анализи",
    "sidebarTeam": "Екип",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Администратор",
    "sidebarInvitations": "Покани",
    "sidebarRoles": "Роли",
-    "sidebarShareableLinks": "Връзки",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API ключове",
    "sidebarProvisioning": "Осигуряване",
    "sidebarSettings": "Настройки",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Ресурс {id}",
    "blueprints": "Чертежи",
    "blueprintsLog": "Регистър на скицописи",
-    "blueprintsDescription": "Вижте предишни приложения и техните резултати",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Добави Чертеж",
    "blueprintGoBack": "Виж всички Чертежи",
    "blueprintCreate": "Създай Чертеж",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Активиране на Docker Чернова",
    "enableDockerSocketDescription": "Активирайте изтегляне с етикети на Docker Socket за скицописи. Пътят на гнездото трябва да бъде предоставен на конектора на сайта. Прочетете как работи това в <docsLink>документацията</docsLink>.",
    "newtAutoUpdate": "Активиране на автоматично обновяване на сайта",
-    "newtAutoUpdateDescription": "Когато е активно, конекторите на сайта автоматично ще се актуализират до най-новата версия при наличието на ново издание.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Автоматично обновяване на сайта",
    "siteAutoUpdateLabel": "Активиране на автоматично обновяване",
-    "siteAutoUpdateDescription": "Управлявайте дали конекторът за този сайт автоматично изтегля последната версия.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "По подразбиране за организацията: {state}",
    "siteAutoUpdateOverriding": "Преодоляване на настройката на организацията",
    "siteAutoUpdateResetToOrg": "Възстановяване към организацията по подразбиране",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Настройката на профила завърши успешно! Добре дошли в Pangolin!",
    "documentation": "Документация",
    "saveAllSettings": "Запазване на всички настройки",
-    "saveResourceTargets": "Запазване на целеви ресурси.",
-    "saveResourceHttp": "Запазване на прокси настройките.",
-    "saveProxyProtocol": "Запазване на настройките на прокси протокола.",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Настройките са обновени",
    "settingsUpdatedDescription": "Настройките са успешно актуализирани.",
    "settingsErrorUpdate": "Неуспешно обновяване на настройките",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Неизвестен",
    "healthCheck": "Проверка на здравето",
    "configureHealthCheck": "Конфигуриране на проверка на здравето",
-    "configureHealthCheckDescription": "Настройте мониторинг на здравето за {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Разрешаване на проверки на здравето",
    "healthCheckDisabledStateDescription": "Когато е деактивиран, сайтът не изпълнява проверки и състоянието се счита за неизвестно.",
    "enableHealthChecksDescription": "Мониторинг на здравето на тази цел. Можете да наблюдавате различен краен пункт от целта, ако е необходимо.",
    "healthScheme": "Метод",
    "healthSelectScheme": "Избор на метод",
-    "healthCheckPortInvalid": "Портът за проверка на състоянието трябва да е между 1 и 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Път",
    "healthHostname": "IP / Хост",
    "healthPort": "Порт",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Изискват одобрение на устройства",
    "requireDeviceApprovalDescription": "Потребители с тази роля трябва да имат нови устройства одобрени от администратор преди да могат да се свържат и да имат достъп до ресурси.",
    "sshSettings": "Настройки за SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Настройки за RDP",
    "vncSettings": "Настройки за VNC",
    "sshServer": "SSH сървър",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Уверете се, че вашата целева хост машина е правилно конфигурирана за изпълнение на демона за идентификация преди завършване на тази настройка, в противен случай осигуряването ще се провали.",
    "sshDaemonPort": "Порт на демона",
    "sshServerDestination": "Дестинация на сървъра",
-    "sshServerDestinationDescription": "Конфигуриране на дестинацията и порта на SSH сървъра",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Дестинация",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Избиране на множество сайтове позволява устойчиво маршрутизиране и сокетно превключване за висока наличност.",
    "roleAllowSsh": "Разреши SSH",
    "roleAllowSshAllow": "Разреши",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Потребителят може да изпълнява само определени команди с sudo.",
    "sshSudo": "Разреши sudo",
    "sshSudoCommands": "Sudo команди",
-    "sshSudoCommandsDescription": "Списък с командите, разрешени да се изпълняват от потребителя с sudo. Трябва да се използват абсолютни пътища.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Създай начална директория",
    "sshUnixGroups": "Unix групи",
-    "sshUnixGroupsDescription": "Списък, разделен със запетаи, с Unix групи, към които да се добави потребителят на целевия хост.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Опити за повторно",
    "expectedResponseCodes": "Очаквани кодове за отговор",
    "expectedResponseCodesDescription": "HTTP статус код, указващ здравословно състояние. Ако бъде оставено празно, между 200-300 се счита за здравословно.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Активирайте прокси протокола",
    "proxyProtocolInfo": "Запазете IP адресите на клиентите за TCP бекендове",
    "proxyProtocolVersion": "Версия на прокси протокола",
-    "version1": "Версия 1 (Препоръчително)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Версия 2",
-    "versionDescription": "Версия 1 е текстово-базирана и широко поддържана. Версия 2 е бърна и по-ефективна, но по-малко съвместима.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Предупреждение",
    "proxyProtocolWarning": "Вашето бекенд приложение трябва да бъде конфигурирано да приема прокси протоколни връзки. Ако вашият бекенд не поддържа прокси протокол, активирането му ще прекъсне всички връзки. Уверете се, че сте конфигурирали вашия бекенд да се доверява на заглавията на прокси протокола от Traefik.",
    "restarting": "Рестартиране...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Въведете потвърждение.",
    "blueprintViewDetails": "Подробности.",
    "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
-    "defaultIdentityProviderDescription": "Когато е избран основен доставчик на идентичност, потребителят ще бъде автоматично пренасочен към доставчика за удостоверяване.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
    "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
    "editInternalResourceDialogAddRoles": "Добавяне на роли.",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Тип режим на поддръжка.",
    "showMaintenancePage": "Показване на страницата за поддръжка на посетители.",
    "enableMaintenanceMode": "Активиране на режим на поддръжка.",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Автоматично.",
    "automaticModeDescription": "Показване на страницата за поддръжка само когато всички целеви подсистеми са неработоспособни или в лошо състояние. Вашият ресурс продължава да работи нормално, докато поне един целеви подсистемен елемент е в здравия диапазон.",
    "forced": "Наложително.",
@@ -3082,6 +3182,8 @@
    "warning:": "Предупреждение:",
    "forcedeModeWarning": "Целият трафик ще бъде пренасочен към страницата за поддръжка. Вашите подсистемни ресурси няма да получат никакви заявки.",
    "pageTitle": "Заглавие на страницата.",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Основното заглавие, показвано на страницата за поддръжка.",
    "maintenancePageMessage": "Съобщение за поддръжка.",
    "maintenancePageMessagePlaceholder": "Ще се върнем скоро! Нашият сайт понастоящем е в процес на планирана поддръжка.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Сигурни ли сте, че искате да отвържете този доставчик на самоличност от тази организация?",
    "idpUnassociateDescription": "Всички потребители, свързани с този доставчик на самоличност, ще бъдат премахнати от тази организация, но доставчика на самоличност ще продължи да съществува за други свързани организации.",
    "idpUnassociateConfirm": "Потвърдете отвързване на доставчика на самоличност",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Това не може да бъде отменено за тази организация.",
    "idpUnassociatedDescription": "Доставчика на самоличност е успешно отвързан от тази организация",
    "idpUnassociateMenu": "Отвързване",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Свързване…",
    "sshInitializing": "Инициализиране…",
    "sshSignInTitle": "Вход в SSH",
-    "sshSignInDescription": "Въведете данните за SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Парола",
    "sshPrivateKeyTab": "Частен ключ",
    "sshPrivateKeyField": "Частен ключ",
    "sshPrivateKeyDisclaimer": "Частният ви ключ не се съхранява или видима за Панголиин. Като алтернатива, можете да използвате краткотрайни сертификати за безпроблемна автентикация с вашата съществуваща идентичност в Панголиин.",
    "sshLearnMore": "Научете повече",
    "sshPrivateKeyFile": "Файл с частен ключ",
-    "sshAuthenticate": "Идентичност",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Прекратяване",
    "sshPoweredBy": "Подпомогнато от",
    "sshErrorNoTarget": "Няма посочена цел",
    "sshErrorWebSocket": "Неуспешно създаване на WebSocket връзка",
    "sshErrorAuthFailed": "Неуспешна идентификация",
-    "sshErrorConnectionClosed": "Връзката е затворена преди завършване на идентификацията"
+    "sshErrorConnectionClosed": "Връзката е затворена преди завършване на идентификацията",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Zobrazit soukromé zdroje",
    "siteInstallNewt": "Nainstalovat Newt",
    "siteInstallNewtDescription": "Spustit Newt na vašem systému",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Konfigurace WireGuard",
    "WgConfigurationDescription": "K připojení k síti použijte následující konfiguraci",
    "operatingSystem": "Operační systém",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Toto nastavení uvidíte pouze jednou. Ujistěte se, že jej zkopírujete na bezpečné místo.",
    "siteInfo": "Údaje o lokalitě",
    "status": "Stav",
-    "shareTitle": "Spravovat sdílení odkazů",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Vytvořit sdílitelné odkazy pro udělení dočasného nebo trvalého přístupu ke zdrojům proxy",
-    "shareSearch": "Hledat sdílené odkazy...",
-    "shareCreate": "Vytvořit odkaz",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Nepodařilo se odstranit odkaz",
    "shareErrorDeleteMessage": "Došlo k chybě při odstraňování odkazu",
    "shareDeleted": "Odkaz odstraněn",
    "shareDeletedDescription": "Odkaz byl odstraněn",
-    "shareDelete": "Smazat odkaz ke sdílení",
-    "shareDeleteConfirm": "Potvrdit smazání odkazu ke sdílení",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Jste si jisti, že chcete smazat tento odkaz ke sdílení?",
    "shareMessageRemove": "Jakmile bude smazán, odkaz přestane fungovat a všichni, kdo jej používají, ztratí přístup k prostředku.",
    "shareTokenDescription": "Přístupový token může být předán dvěma způsoby: jako parametr dotazu nebo v záhlaví požadavku. Tyto údaje musí být předány klientovi na každé žádosti o ověřený přístup.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Kdokoliv s tímto odkazem může přistupovat ke zdroji",
    "shareTitleOptional": "Název (volitelné)",
    "sharePathOptional": "Cesta (volitelně)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Platnost vyprší za",
    "neverExpire": "Nikdy nevyprší",
    "shareExpireDescription": "Doba platnosti určuje, jak dlouho bude odkaz použitelný a bude poskytovat přístup ke zdroji. Po této době odkaz již nebude fungovat a uživatelé kteří tento odkaz používali ztratí přístup ke zdroji.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Zvolte prosím zdroj",
    "proxyResourceTitle": "Spravovat veřejné zdroje",
    "proxyResourceDescription": "Vytváření a správa zdrojů, které jsou veřejně přístupné prostřednictvím webového prohlížeče",
-    "publicResourcesBannerTitle": "Veřejný přístup založený na webu",
-    "publicResourcesBannerDescription": "Veřejné prostředky jsou HTTPS nebo TCP/UDP proxy, které jsou přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Spravovat soukromé zdroje",
    "clientResourceDescription": "Vytváření a správa zdrojů, které jsou přístupné pouze prostřednictvím připojeného klienta",
    "privateResourcesBannerTitle": "Zero-Trust soukromý přístup",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Prohledat zdroje...",
    "resourceAdd": "Přidat zdroj",
    "resourceErrorDelte": "Chyba při odstraňování zdroje",
-    "resourcePoliciesTitle": "Spravovat zásady zdrojů",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Připojené zdroje",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} zdroj(e/ů)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "žádné zdroje",
-    "resourcePoliciesDescription": "Vytvářejte a spravujte zásady ověřování k řízení přístupu ke svým zdrojům",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Hledat zásady...",
    "resourcePoliciesAdd": "Přidat zásadu",
    "resourcePoliciesDefaultBadgeText": "Výchozí zásada",
-    "resourcePoliciesCreate": "Vytvořit zásadu zdroje",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Postupujte podle následujících kroků k vytvoření nové zásady",
    "resourcePolicyName": "Název zásady",
    "resourcePolicyNameDescription": "Pojmenujte tuto zásadu, aby byla rozpoznatelná napříč vašimi zdroji",
@@ -274,7 +281,7 @@
    "back": "Zpět",
    "cancel": "Zrušit",
    "resourceConfig": "Konfigurační snippety",
-    "resourceConfigDescription": "Zkopírujte a vložte tyto konfigurační textové bloky pro nastavení TCP/UDP zdroje",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Přidat vstupní body",
    "resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
    "resourceLearnRaw": "Naučte se konfigurovat zdroje TCP/UDP",
@@ -287,6 +294,8 @@
    "labelDelete": "Smazat štítek",
    "labelAdd": "Přidat štítek",
    "labelCreateSuccessMessage": "Štítek byl úspěšně vytvořen",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Štítek byl úspěšně změněn",
    "labelNameField": "Název štítku",
    "labelColorField": "Barva štítku",
@@ -311,7 +320,7 @@
    "rules": "Pravidla",
    "resourceSettingDescription": "Konfigurace nastavení na zdroji",
    "resourceSetting": "Nastavení {resourceName}",
-    "resourcePolicySettingDescription": "Nakonfigurujte nastavení na zásadě zdroje",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Nastavení {policyName}",
    "alwaysAllow": "Obejít Auth",
    "alwaysDeny": "Blokovat přístup",
@@ -719,7 +728,7 @@
    "targetSubmit": "Add Target",
    "targetNoOne": "Tento zdroj nemá žádné cíle. Přidejte cíl pro konfiguraci kam poslat žádosti na backend.",
    "targetNoOneDescription": "Přidáním více než jednoho cíle se umožní vyvážení zatížení.",
-    "targetsSubmit": "Uložit cíle",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Add Target",
    "proxyMultiSiteRoundRobinNodeHelp": "Round robin routing nebude fungovat mezi lokalitami, které nejsou připojeny ke stejnému uzlu, ale failover bude fungovat.",
    "targetErrorInvalidIp": "Neplatná IP adresa",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Duplikovat pravidlo",
    "rulesErrorDuplicateDescription": "Pravidlo s těmito nastaveními již existuje",
    "rulesErrorInvalidIpAddressRange": "Neplatný CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Zadejte prosím platnou hodnotu CIDR",
-    "rulesErrorInvalidUrl": "Neplatná URL cesta",
-    "rulesErrorInvalidUrlDescription": "Zadejte platnou hodnotu URL cesty",
-    "rulesErrorInvalidIpAddress": "Neplatná IP adresa",
-    "rulesErrorInvalidIpAddressDescription": "Zadejte prosím platnou IP adresu",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Aktualizace pravidel se nezdařila",
    "rulesErrorUpdateDescription": "Při aktualizaci pravidel došlo k chybě",
    "rulesUpdated": "Povolit pravidla",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Zadejte adresu ve formátu CIDR (např. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Zadejte IP adresu (např. 103.21.244.12)",
    "rulesMatchUrl": "Zadejte URL cestu nebo vzor (např. /api/v1/todos nebo /api/v1/*)",
-    "rulesErrorInvalidPriority": "Neplatná Priorita",
-    "rulesErrorInvalidPriorityDescription": "Zadejte prosím platnou prioritu",
-    "rulesErrorDuplicatePriority": "Duplikovat priority",
-    "rulesErrorDuplicatePriorityDescription": "Zadejte prosím unikátní priority",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Pravidla byla aktualizována",
    "ruleUpdatedDescription": "Pravidla byla úspěšně aktualizována",
    "ruleErrorUpdate": "Operace selhala",
    "ruleErrorUpdateDescription": "Při ukládání došlo k chybě",
    "rulesPriority": "Priorita",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Akce",
    "rulesMatchType": "Typ shody",
    "value": "Hodnota",
@@ -792,7 +810,7 @@
    "rulesResource": "Konfigurace pravidel zdroje",
    "rulesResourceDescription": "Nastavit pravidla pro kontrolu přístupu ke zdroji",
    "ruleSubmit": "Přidat pravidlo",
-    "rulesNoOne": "Žádná pravidla. Přidejte pravidlo pomocí formuláře.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Pravidla jsou hodnocena podle priority vzestupně.",
    "rulesSubmit": "Uložit pravidla",
    "policyErrorCreate": "Chyba při vytváření zásady",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Došlo k neočekávané chybě",
    "policyCreatedSuccess": "Zásada zdroje byla úspěšně vytvořena",
    "policyUpdatedSuccess": "Zásada zdroje byla úspěšně aktualizována",
-    "authMethodsSave": "Uložit metody ověřování",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Uložit pravidla",
    "resourceErrorCreate": "Chyba při vytváření zdroje",
    "resourceErrorCreateDescription": "Při vytváření zdroje došlo k chybě",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Došlo k chybě při aktualizaci zdroje",
    "access": "Přístup",
    "accessControl": "Kontrola přístupu",
-    "shareLink": "{resource} Sdílet odkaz",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Vyberte zdroj",
-    "shareLinks": "Sdílet odkazy",
+    "shareLinks": "Shareable Links",
    "share": "Sdílené odkazy",
    "shareDescription2": "Vytvořte sdílitelné odkazy na zdroje. Odkazy poskytují dočasný nebo neomezený přístup k vašemu zdroji. Můžete nakonfigurovat dobu vypršení platnosti odkazu při jeho vytvoření.",
    "shareEasyCreate": "Snadné vytváření a sdílení",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Administrátoři mají vždy přístup k tomuto zdroji.",
    "resourcePolicySelectTitle": "Zásada přístupu ke zdrojům",
    "resourcePolicySelectDescription": "Vyberte typ zásady zdroje ověřování",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Inline Zásada Zdroje",
    "resourcePolicyInlineDescription": "Zásada přístupu se zaměřením pouze na tento zdroj",
    "resourcePolicyShared": "Sdílená Zásada Zdroje",
-    "resourcePolicySharedDescription": "Tento zdroj používá sdílenou zásadu. Nastavení na úrovni zásady (metody ověřování, seznam povolených emailů) jsou uzamčena. Níže můžete přidat pravidla, role a uživatele specifické pro zdroj.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Kontrola přístupu",
    "resourceUsersRolesDescription": "Nastavení, kteří uživatelé a role mohou navštívit tento zdroj",
    "resourceUsersRolesSubmit": "Uložit přístupové řízení",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Viditelnost",
    "resourceVisibilityTitleDescription": "Zcela povolit nebo zakázat viditelnost zdrojů",
    "resourceGeneral": "Obecná nastavení",
-    "resourceGeneralDescription": "Konfigurace obecných nastavení tohoto zdroje",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Povolit dokument",
    "resourceTransfer": "Přenos zdroje",
    "resourceTransferDescription": "Přenést tento zdroj na jiný web",
@@ -1220,11 +1294,14 @@
    "addLabels": "Přidat štítky",
    "siteLabelsTab": "Štítky",
    "siteLabelsDescription": "Spravujte štítky přiřazené k této lokalitě.",
-    "labelsNotFound": "Štítky nenalezeny",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Hledat štítky",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# štítek} few {# štítky} other {# štítků}}",
    "labelOverflowCount": "+{count, plural, one {# štítek} few {# štítky} other {# štítků}}",
    "accessLabelFilterClear": "Vymazat filtry štítků",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Vybrat barvu",
    "createNewLabel": "Vytvořit nový štítek organizace \"{label}\"",
    "inviteInvalidDescription": "Odkaz pro pozvání je neplatný.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Zdroje",
    "sidebarProxyResources": "Veřejnost",
    "sidebarClientResources": "Soukromé",
-    "sidebarPolicies": "Zásady",
-    "sidebarResourcePolicies": "Zdroje",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Kontrola přístupu",
    "sidebarLogsAndAnalytics": "Logy & Analytika",
    "sidebarTeam": "Tým",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Pozvánky",
    "sidebarRoles": "Role",
-    "sidebarShareableLinks": "Odkazy",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API klíče",
    "sidebarProvisioning": "Zajištění",
    "sidebarSettings": "Nastavení",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Zdroj {id}",
    "blueprints": "Plány",
    "blueprintsLog": "Protokol plánů",
-    "blueprintsDescription": "Prohlédněte si aplikace předchozích plánů a jejich výsledky",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Přidat plán",
    "blueprintGoBack": "Zobrazit všechny plány",
    "blueprintCreate": "Vytvořit plán",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Povolit Docker plán",
    "enableDockerSocketDescription": "Povolte seškrábání štítků pro Docker Socket pro štítky plánů. Před připojením na lokalitní konektor musí být uvedena cesta k soketu. Přečtěte si, jak to funguje <docsLink>v dokumentaci</docsLink>.",
    "newtAutoUpdate": "Povolit automatickou aktualizaci stránek",
-    "newtAutoUpdateDescription": "Když je zapnuto, konektory lokality se automaticky aktualizují na nejnovější verzi, když je k dispozici nové vydání.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Automatická aktualizace stránek",
    "siteAutoUpdateLabel": "Povolte automatickou aktualizaci",
-    "siteAutoUpdateDescription": "Ovládněte, zda bude konektor tohoto webu automaticky stahovat nejnovější verzi.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Výchozí organizace: {state}",
    "siteAutoUpdateOverriding": "Přepsání nastavení organizace",
    "siteAutoUpdateResetToOrg": "Obnovit na výchozí organizaci",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Nastavení účtu dokončeno! Vítejte v Pangolinu!",
    "documentation": "Dokumentace",
    "saveAllSettings": "Uložit všechna nastavení",
-    "saveResourceTargets": "Uložit cíle",
-    "saveResourceHttp": "Uložit nastavení proxy",
-    "saveProxyProtocol": "Uložit nastavení proxy protokolu",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Nastavení aktualizováno",
    "settingsUpdatedDescription": "Nastavení úspěšně aktualizována",
    "settingsErrorUpdate": "Aktualizace nastavení se nezdařila",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Neznámý",
    "healthCheck": "Kontrola stavu",
    "configureHealthCheck": "Konfigurace kontroly stavu",
-    "configureHealthCheckDescription": "Nastavit sledování zdravotního stavu pro {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Povolit kontrolu stavu",
    "healthCheckDisabledStateDescription": "Pokud je zakázáno, web nebude provádět zdravotní kontroly a stav bude považován za neznámý.",
    "enableHealthChecksDescription": "Sledujte zdraví tohoto cíle. V případě potřeby můžete sledovat jiný cílový bod, než je cíl.",
    "healthScheme": "Způsob",
    "healthSelectScheme": "Vybrat metodu",
-    "healthCheckPortInvalid": "Přístav kontroly stavu musí být mezi 1 a 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Cesta",
    "healthHostname": "IP / Hostitel",
    "healthPort": "Přístav",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Vyžadovat schválení zařízení",
    "requireDeviceApprovalDescription": "Uživatelé s touto rolí potřebují nová zařízení schválená správcem, než se mohou připojit a přistupovat ke zdrojům.",
    "sshSettings": "Nastavení SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Nastavení RDP",
    "vncSettings": "Nastavení VNC",
    "sshServer": "SSH server",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Ujistěte se, že váš cílový hostitel je správně nakonfigurován k přímu spuštění ověřovacího démona, jinak zřizování selže.",
    "sshDaemonPort": "Port démona",
    "sshServerDestination": "Cíl serveru",
-    "sshServerDestinationDescription": "Nakonfigurujte cíl a port SSH serveru",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Cíl",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Výběr více lokalit umožňuje odolné směrování a převzetí služeb při selhání pro vysokou dostupnost.",
    "roleAllowSsh": "Povolit SSH",
    "roleAllowSshAllow": "Povolit",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Uživatel může spustit pouze zadané příkazy s sudo.",
    "sshSudo": "Povolit sudo",
    "sshSudoCommands": "Sudo příkazy",
-    "sshSudoCommandsDescription": "Čárkami oddělený seznam příkazů, které je uživatel povolen spustit s sudo. Musí být použity absolutní cesty.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Vytvořit domovský adresář",
    "sshUnixGroups": "Unixové skupiny",
-    "sshUnixGroupsDescription": "Čárkou oddělené skupiny Unix přidají uživatele do cílového hostitele.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Opakovat pokusy",
    "expectedResponseCodes": "Očekávané kódy odezvy",
    "expectedResponseCodesDescription": "HTTP kód stavu, který označuje zdravý stav. Ponecháte-li prázdné, 200-300 je považováno za zdravé.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Povolit Proxy protokol",
    "proxyProtocolInfo": "Zachovat IP adresu klienta pro TCP zálohy",
    "proxyProtocolVersion": "Verze proxy protokolu",
-    "version1": " Verze 1 (doporučeno)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Verze 2",
-    "versionDescription": "Verze 1 je textová a široce podporovaná. Verze 2 je binární a efektivnější, ale méně kompatibilní.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Varování",
    "proxyProtocolWarning": "Aplikace backend musí být nakonfigurována, aby mohla přijímat připojení k Proxy protokolu. Pokud vaše backend nepodporuje Proxy protokol, povolením tohoto protokolu dojde k přerušení všech připojení, takže toto povolíte pouze pokud víte, co děláte. Ujistěte se, že nastavíte svou backend a důvěřujte hlavičkám Proxy protokolu z Traefik.",
    "restarting": "Restartování...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Zadejte potvrzení",
    "blueprintViewDetails": "Detaily",
    "defaultIdentityProvider": "Výchozí poskytovatel identity",
-    "defaultIdentityProviderDescription": "Pokud je vybrán výchozí poskytovatel identity, uživatel bude automaticky přesměrován na poskytovatele pro ověření.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
    "editInternalResourceDialogAccessPolicy": "Přístupová politika",
    "editInternalResourceDialogAddRoles": "Přidat role",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Typ režimu údržby",
    "showMaintenancePage": "Zobrazit stránku údržby návštěvníkům",
    "enableMaintenanceMode": "Povolit režim údržby",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatické",
    "automaticModeDescription": "Zobrazte stránku údržby pouze, když jsou všechny cílové servery uživatele nebo prostředku nefunkční nebo nezdravé. Vaše prostředky budou nadále fungovat normálně, pokud je alespoň jeden cíl v pořádku.",
    "forced": "Nucené",
@@ -3082,6 +3182,8 @@
    "warning:": "Varování:",
    "forcedeModeWarning": "Veškerý provoz bude směrován na stránku údržby. Vaše prostředky backendu neobdrží žádné žádosti.",
    "pageTitle": "Název stránky",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Hlavní titulek zobrazovaný na stránce údržby",
    "maintenancePageMessage": "Zpráva údržby",
    "maintenancePageMessagePlaceholder": "Vrátíme se brzy! Naše stránka právě prochází plánovanou údrbou.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Opravdu chcete odpojit tohoto poskytovatele identity od této organizace?",
    "idpUnassociateDescription": "Všichni uživatelé spojení s tímto poskytovatelem identity budou odstraněni z této organizace, ale poskytovatel identity zůstane nadále existovat pro ostatní přidružené organizace.",
    "idpUnassociateConfirm": "Potvrdit odpojení poskytovatele identity",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Toto nelze pro tuto organizaci vrátit.",
    "idpUnassociatedDescription": "Poskytovatel identity byl úspěšně odpojen od této organizace",
    "idpUnassociateMenu": "Odpojit",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Připojení…",
    "sshInitializing": "Inicializace…",
    "sshSignInTitle": "Přihlášení do SSH",
-    "sshSignInDescription": "Zadejte své SSH přihlašovací údaje",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Heslo",
    "sshPrivateKeyTab": "Soukromý klíč",
    "sshPrivateKeyField": "Soukromý klíč",
    "sshPrivateKeyDisclaimer": "Váš soukromý klíč není ukládán ani viditelný pro Pangolin. Alternativně můžete použít krátkodobé certifikáty pro bezproblémové ověřování pomocí vaší stávající identity Pangolin.",
    "sshLearnMore": "Přečtěte si více",
    "sshPrivateKeyFile": "Soubor soukromého klíče",
-    "sshAuthenticate": "Ověřit",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Ukončit",
    "sshPoweredBy": "Vytváří",
    "sshErrorNoTarget": "Cíl nebyl určen",
    "sshErrorWebSocket": "Chyba připojení WebSocketu",
    "sshErrorAuthFailed": "Ověření selhalo",
-    "sshErrorConnectionClosed": "Připojení bylo uzavřeno před dokončením ověřování"
+    "sshErrorConnectionClosed": "Připojení bylo uzavřeno před dokončením ověřování",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Private Ressourcen anzeigen",
    "siteInstallNewt": "Newt installieren",
    "siteInstallNewtDescription": "Installiere Newt auf deinem System.",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Konfiguration",
    "WgConfigurationDescription": "Verwenden Sie folgende Konfiguration, um sich mit dem Netzwerk zu verbinden",
    "operatingSystem": "Betriebssystem",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Du kannst das nur einmal sehen. Stelle sicher, dass du es an einen sicheren Ort kopierst.",
    "siteInfo": "Standortinformationen",
    "status": "Status",
-    "shareTitle": "Freigabelinks verwalten",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Erstelle teilbare Links, um temporären oder permanenten Zugriff auf Proxy-Ressourcen zu gewähren",
-    "shareSearch": "Freigabelinks suchen...",
-    "shareCreate": "Freigabelink erstellen",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Link konnte nicht gelöscht werden",
    "shareErrorDeleteMessage": "Fehler beim Löschen des Links",
    "shareDeleted": "Link gelöscht",
    "shareDeletedDescription": "Der Link wurde gelöscht",
-    "shareDelete": "Freigabelink löschen",
-    "shareDeleteConfirm": "Löschen des Freigabelinks bestätigen",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Sind Sie sicher, dass Sie diesen Freigabelink löschen möchten?",
    "shareMessageRemove": "Nach dem Löschen funktioniert der Link nicht mehr, und jeder, der ihn nutzt, verliert den Zugriff auf die Ressource.",
    "shareTokenDescription": "Das Zugriffstoken kann auf zwei Arten übergeben werden: als Abfrageparameter oder in den Request-Headern. Diese müssen vom Client auf jeder Anfrage für authentifizierten Zugriff weitergegeben werden.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Jeder mit diesem Link kann auf die Ressource zugreifen",
    "shareTitleOptional": "Titel (optional)",
    "sharePathOptional": "Pfad (optional)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Läuft ab in",
    "neverExpire": "Läuft nie ab",
    "shareExpireDescription": "Ablaufzeit ist, wie lange der Link verwendet werden kann und bietet Zugriff auf die Ressource. Nach dieser Zeit wird der Link nicht mehr funktionieren und Benutzer, die diesen Link benutzt haben, verlieren den Zugriff auf die Ressource.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Bitte wählen Sie eine Ressource",
    "proxyResourceTitle": "Öffentliche Ressourcen verwalten",
    "proxyResourceDescription": "Erstelle und verwalte Ressourcen, die über einen Webbrowser öffentlich zugänglich sind",
-    "publicResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
-    "publicResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Private Ressourcen verwalten",
    "clientResourceDescription": "Erstelle und verwalte Ressourcen, die nur über einen verbundenen Client zugänglich sind",
    "privateResourcesBannerTitle": "Zero-Trust-Zugriff auf private Ressourcen",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Suche Ressourcen...",
    "resourceAdd": "Ressource hinzufügen",
    "resourceErrorDelte": "Fehler beim Löschen der Ressource",
-    "resourcePoliciesTitle": "Ressourcenrichtlinien verwalten",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Angehängte Ressourcen",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} Ressource(n)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "keine Ressourcen",
-    "resourcePoliciesDescription": "Erstellen und verwalten Sie Authentifizierungsrichtlinien, um den Zugang zu Ihren Ressourcen zu steuern",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Richtlinien suchen...",
    "resourcePoliciesAdd": "Richtlinie hinzufügen",
    "resourcePoliciesDefaultBadgeText": "Standardrichtlinie",
-    "resourcePoliciesCreate": "Ressourcenrichtlinie erstellen",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Befolgen Sie die unten stehenden Schritte, um eine neue Richtlinie zu erstellen",
    "resourcePolicyName": "Richtlinienname",
    "resourcePolicyNameDescription": "Geben Sie dieser Richtlinie einen Namen, um sie für Ihre Ressourcen zu identifizieren",
@@ -274,7 +281,7 @@
    "back": "Zurück",
    "cancel": "Abbrechen",
    "resourceConfig": "Konfiguration Snippets",
-    "resourceConfigDescription": "Kopieren und fügen Sie diese Konfigurations-Snippets ein, um die TCP/UDP Ressource einzurichten",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Einstiegspunkte hinzufügen",
    "resourceExposePorts": "Gerbil: Ports im Docker Compose freigeben",
    "resourceLearnRaw": "Lernen Sie, wie Sie TCP/UDP Ressourcen konfigurieren",
@@ -287,6 +294,8 @@
    "labelDelete": "Etikett löschen",
    "labelAdd": "Etikett hinzufügen",
    "labelCreateSuccessMessage": "Etikett erfolgreich erstellt",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Etikett erfolgreich bearbeitet",
    "labelNameField": "Etikettenname",
    "labelColorField": "Etikettenfarbe",
@@ -311,7 +320,7 @@
    "rules": "Regeln",
    "resourceSettingDescription": "Einstellungen für die Ressource konfigurieren",
    "resourceSetting": "{resourceName} Einstellungen",
-    "resourcePolicySettingDescription": "Konfigurieren Sie die Einstellungen der Ressourcenrichtlinie",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "{policyName} Einstellungen",
    "alwaysAllow": "Authentifizierung umgehen",
    "alwaysDeny": "Zugriff blockieren",
@@ -719,7 +728,7 @@
    "targetSubmit": "Ziel hinzufügen",
    "targetNoOne": "Diese Ressource hat keine Ziele. Fügen Sie ein Ziel hinzu, um zu konfigurieren, wo Anfragen an das Backend gesendet werden sollen.",
    "targetNoOneDescription": "Das Hinzufügen von mehr als einem Ziel aktiviert den Lastausgleich.",
-    "targetsSubmit": "Ziele speichern",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Ziel hinzufügen",
    "proxyMultiSiteRoundRobinNodeHelp": "Round-Robin-Routing funktioniert nicht zwischen Standorten, die nicht mit demselben Knoten verbunden sind, aber Failover funktioniert.",
    "targetErrorInvalidIp": "Ungültige IP-Adresse",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Doppelte Regel",
    "rulesErrorDuplicateDescription": "Eine Regel mit diesen Einstellungen existiert bereits",
    "rulesErrorInvalidIpAddressRange": "Ungültiger CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Bitte geben Sie einen gültigen CIDR-Wert ein",
-    "rulesErrorInvalidUrl": "Ungültiger URL-Pfad",
-    "rulesErrorInvalidUrlDescription": "Bitte geben Sie einen gültigen URL-Pfad-Wert ein",
-    "rulesErrorInvalidIpAddress": "Ungültige IP",
-    "rulesErrorInvalidIpAddressDescription": "Bitte geben Sie eine gültige IP-Adresse ein",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Fehler beim Aktualisieren der Regeln",
    "rulesErrorUpdateDescription": "Beim Aktualisieren der Regeln ist ein Fehler aufgetreten",
    "rulesUpdated": "Regeln aktivieren",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Geben Sie eine Adresse im CIDR-Format ein (z.B. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Geben Sie eine IP-Adresse ein (z.B. 103.21.244.12)",
    "rulesMatchUrl": "Geben Sie einen URL-Pfad oder -Muster ein (z.B. /api/v1/todos oder /api/v1/*)",
-    "rulesErrorInvalidPriority": "Ungültige Priorität",
-    "rulesErrorInvalidPriorityDescription": "Bitte geben Sie eine gültige Priorität ein",
-    "rulesErrorDuplicatePriority": "Doppelte Prioritäten",
-    "rulesErrorDuplicatePriorityDescription": "Bitte geben Sie eindeutige Prioritäten ein",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Regeln aktualisiert",
    "ruleUpdatedDescription": "Regeln erfolgreich aktualisiert",
    "ruleErrorUpdate": "Operation fehlgeschlagen",
    "ruleErrorUpdateDescription": "Während des Speichervorgangs ist ein Fehler aufgetreten",
    "rulesPriority": "Priorität",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Aktion",
    "rulesMatchType": "Übereinstimmungstyp",
    "value": "Wert",
@@ -792,7 +810,7 @@
    "rulesResource": "Ressourcen-Regelkonfiguration",
    "rulesResourceDescription": "Regeln konfigurieren, um den Zugriff auf die Ressource zu steuern",
    "ruleSubmit": "Regel hinzufügen",
-    "rulesNoOne": "Keine Regeln. Fügen Sie eine Regel über das Formular hinzu.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Regeln werden nach aufsteigender Priorität ausgewertet.",
    "rulesSubmit": "Regeln speichern",
    "policyErrorCreate": "Fehler beim Erstellen der Richtlinie",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Ein unerwarteter Fehler ist aufgetreten",
    "policyCreatedSuccess": "Ressourcenrichtlinie erfolgreich erstellt",
    "policyUpdatedSuccess": "Ressourcenrichtlinie erfolgreich aktualisiert",
-    "authMethodsSave": "Authentifizierungsmethoden speichern",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Regeln speichern",
    "resourceErrorCreate": "Fehler beim Erstellen der Ressource",
    "resourceErrorCreateDescription": "Beim Erstellen der Ressource ist ein Fehler aufgetreten",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Beim Aktualisieren der Ressource ist ein Fehler aufgetreten",
    "access": "Zugriff",
    "accessControl": "Zugriffskontrolle",
-    "shareLink": "{resource} Freigabe-Link",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Ressource auswählen",
-    "shareLinks": "Freigabe-Links",
+    "shareLinks": "Shareable Links",
    "share": "Teilbare Links",
    "shareDescription2": "Erstellen Sie teilbare Links zu Ressourcen. Links bieten temporären oder unbegrenzten Zugriff auf Ihre Ressource. Sie können die Verfallsdauer des Links beim Erstellen eines Links festlegen.",
    "shareEasyCreate": "Einfach zu erstellen und zu teilen",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Administratoren haben immer Zugriff auf diese Ressource.",
    "resourcePolicySelectTitle": "Zugriffsrichtlinie für Ressourcen",
    "resourcePolicySelectDescription": "Wählen Sie den Ressourcentransfertyp für die Authentifizierung",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Inline-Ressourcenrichtlinie",
    "resourcePolicyInlineDescription": "Zugriffsrichtlinie nur für diese Ressource",
    "resourcePolicyShared": "Geteilte Ressourcenrichtlinie",
-    "resourcePolicySharedDescription": "Diese Ressource verwendet eine geteilte Richtlinie. Richtlinienebene Einstellungen (Authentifizierungsmethoden, E-Mail-Whitelist) sind gesperrt. Sie können ressourcenspezifische Regeln, Rollen und Benutzer hinzufügen.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Zugriffskontrolle",
    "resourceUsersRolesDescription": "Konfigurieren Sie, welche Benutzer und Rollen diese Ressource besuchen können",
    "resourceUsersRolesSubmit": "Zugriffskontrollen speichern",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Sichtbarkeit",
    "resourceVisibilityTitleDescription": "Ressourcensichtbarkeit vollständig aktivieren oder deaktivieren",
    "resourceGeneral": "Allgemeine Einstellungen",
-    "resourceGeneralDescription": "Konfigurieren Sie die allgemeinen Einstellungen für diese Ressource",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Ressource aktivieren",
    "resourceTransfer": "Ressource übertragen",
    "resourceTransferDescription": "Diese Ressource auf einen anderen Standort übertragen",
@@ -1220,11 +1294,14 @@
    "addLabels": "Etiketten hinzufügen",
    "siteLabelsTab": "Etiketten",
    "siteLabelsDescription": "Verwalten Sie die mit diesem Standort verbundenen Etiketten.",
-    "labelsNotFound": "Etiketten nicht gefunden",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Etiketten suchen",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# Etikett} other {# Etiketten}}",
    "labelOverflowCount": "+{count, plural, one {# Etikett} other {# Etiketten}}",
    "accessLabelFilterClear": "Etikettenfilter löschen",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Farbe auswählen",
    "createNewLabel": "Neues Org-Etikett \"{label}\" erstellen",
    "inviteInvalidDescription": "Der Einladungslink ist ungültig.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Ressourcen",
    "sidebarProxyResources": "Öffentlich",
    "sidebarClientResources": "Privat",
-    "sidebarPolicies": "Richtlinien",
-    "sidebarResourcePolicies": "Ressourcen",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Zugriffskontrolle",
    "sidebarLogsAndAnalytics": "Protokolle & Analysen",
    "sidebarTeam": "Team",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Einladungen",
    "sidebarRoles": "Rollen",
-    "sidebarShareableLinks": "Links",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API-Schlüssel",
    "sidebarProvisioning": "Bereitstellung",
    "sidebarSettings": "Einstellungen",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Ressource {id}",
    "blueprints": "Blaupausen",
    "blueprintsLog": "Blaupausen-Protokoll",
-    "blueprintsDescription": "Frühere Blaupausen-Anwendungen und deren Ergebnisse ansehen",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Blueprint hinzufügen",
    "blueprintGoBack": "Alle Blueprints ansehen",
    "blueprintCreate": "Blueprint erstellen",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Docker Blueprint aktivieren",
    "enableDockerSocketDescription": "Aktiviere Docker-Socket-Label-Scraping für Blueprint-Etiketten. Der Socket-Pfad muss dem Site-Connector angegeben werden. Lesen Sie, wie dies in <docsLink>der Dokumentation</docsLink> funktioniert.",
    "newtAutoUpdate": "Standort-Auto-Update aktivieren",
-    "newtAutoUpdateDescription": "Wenn aktiviert, aktualisieren sich die Standort-Connectoren automatisch auf die neueste Version, sobald eine neue Version verfügbar ist.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Standort-Auto-Update",
    "siteAutoUpdateLabel": "Autoupdate aktivieren",
-    "siteAutoUpdateDescription": "Steuern Sie, ob der Connector dieses Standorts automatisch die neueste Version herunterlädt.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Standard der Organisation: {state}",
    "siteAutoUpdateOverriding": "Organisations-Einstellung überschreiben",
    "siteAutoUpdateResetToOrg": "Auf Standard der Organisation zurücksetzen",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Kontoeinrichtung abgeschlossen! Willkommen bei Pangolin!",
    "documentation": "Dokumentation",
    "saveAllSettings": "Alle Einstellungen speichern",
-    "saveResourceTargets": "Ziele speichern",
-    "saveResourceHttp": "Proxy-Einstellungen speichern",
-    "saveProxyProtocol": "Proxy-Protokolleinstellungen speichern",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Einstellungen aktualisiert",
    "settingsUpdatedDescription": "Einstellungen erfolgreich aktualisiert",
    "settingsErrorUpdate": "Einstellungen konnten nicht aktualisiert werden",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Unbekannt",
    "healthCheck": "Gesundheits-Check",
    "configureHealthCheck": "Gesundheits-Check konfigurieren",
-    "configureHealthCheckDescription": "Richten Sie die Gesundheitsüberwachung für {target} ein",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Gesundheits-Checks aktivieren",
    "healthCheckDisabledStateDescription": "Wenn deaktiviert, führt der Standort keine Gesundheitsprüfungen durch und der Zustand wird als unbekannt betrachtet.",
    "enableHealthChecksDescription": "Überwachen Sie die Gesundheit dieses Ziels. Bei Bedarf können Sie einen anderen Endpunkt als das Ziel überwachen.",
    "healthScheme": "Methode",
    "healthSelectScheme": "Methode auswählen",
-    "healthCheckPortInvalid": "Der Gesundheitskontroll-Port muss zwischen 1 und 65535 liegen",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Pfad",
    "healthHostname": "IP / Host",
    "healthPort": "Port",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Gerätegenehmigungen erforderlich",
    "requireDeviceApprovalDescription": "Benutzer mit dieser Rolle benötigen neue Geräte, die von einem Administrator genehmigt wurden, bevor sie sich verbinden und auf Ressourcen zugreifen können.",
    "sshSettings": "SSH-Einstellungen",
+    "sshAccess": "SSH Access",
    "rdpSettings": "RDP-Einstellungen",
    "vncSettings": "VNC-Einstellungen",
    "sshServer": "SSH-Server",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Stellen Sie sicher, dass Ihr Zielhost korrekt konfiguriert ist, um den Auth-Daemon auszuführen, bevor Sie dieses Setup abschließen, andernfalls wird die Bereitstellung fehlschlagen.",
    "sshDaemonPort": "Daemon-Port",
    "sshServerDestination": "Serverziel",
-    "sshServerDestinationDescription": "Konfigurieren Sie das Ziel und den Port des SSH-Servers",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Ziel",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Die Auswahl mehrerer Standorte ermöglicht eine widerstandsfähige Weiterleitung und einen Failover für hohe Verfügbarkeit.",
    "roleAllowSsh": "SSH erlauben",
    "roleAllowSshAllow": "Erlauben",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Benutzer kann nur die angegebenen Befehle mit sudo ausführen.",
    "sshSudo": "sudo erlauben",
    "sshSudoCommands": "Sudo-Befehle",
-    "sshSudoCommandsDescription": "Komma-getrennte Liste von Befehlen, die der Benutzer mit sudo ausführen darf. Es müssen absolute Pfade verwendet werden.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Home-Verzeichnis erstellen",
    "sshUnixGroups": "Unix-Gruppen",
-    "sshUnixGroupsDescription": "Durch Komma getrennte Unix-Gruppen, um den Benutzer auf dem Zielhost hinzuzufügen.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Wiederholungsversuche",
    "expectedResponseCodes": "Erwartete Antwortcodes",
    "expectedResponseCodesDescription": "HTTP-Statuscode, der einen gesunden Zustand anzeigt. Wenn leer gelassen, wird 200-300 als gesund angesehen.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Proxy-Protokoll aktivieren",
    "proxyProtocolInfo": "Client-IP-Adressen für TCP-Backends beibehalten",
    "proxyProtocolVersion": "Proxy-Protokollversion",
-    "version1": " Version 1 (empfohlen)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Version 2",
-    "versionDescription": "Die Version 1 ist textbasiert und unterstützt die Version 2, ist binär und effizienter, aber weniger kompatibel.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Warnung",
    "proxyProtocolWarning": "Die Backend-Anwendung muss so konfiguriert sein, dass Proxy-Protokoll-Verbindungen akzeptiert werden. Wenn Ihr Backend das Proxy-Protokoll nicht unterstützt, wird das Aktivieren aller Verbindungen unterbrochen, so dass Sie dies nur aktivieren, wenn Sie wissen, was Sie tun. Stellen Sie sicher, dass Sie Ihr Backend so konfigurieren, dass es Proxy-Protokoll-Header von Traefik vertraut.",
    "restarting": "Neustarten...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Bestätigung eingeben",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Standard Identitätsanbieter",
-    "defaultIdentityProviderDescription": "Wenn ein Standard-Identity Provider ausgewählt ist, wird der Benutzer zur Authentifizierung automatisch an den Anbieter weitergeleitet.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
    "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
    "editInternalResourceDialogAddRoles": "Rollen hinzufügen",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Art des Wartungsmodus",
    "showMaintenancePage": "Eine Wartungsseite für Besucher anzeigen",
    "enableMaintenanceMode": "Wartungsmodus aktivieren",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatisch",
    "automaticModeDescription": " Wartungsseite nur anzeigen, wenn alle Backend-Ziele deaktiviert oder ungesund sind. Deine Ressource funktioniert normal, solange mindestens ein Ziel gesund ist.",
    "forced": "Erzwungen",
@@ -3082,6 +3182,8 @@
    "warning:": "Warnung:",
    "forcedeModeWarning": "Der gesamte Datenverkehr wird zur Wartungsseite weitergeleitet. Ihre Backend-Ressourcen werden keine Anfragen erhalten.",
    "pageTitle": "Seitentitel",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Die Hauptüberschrift auf der Wartungsseite",
    "maintenancePageMessage": "Wartungsmeldung",
    "maintenancePageMessagePlaceholder": "Wir sind bald wieder da! Unsere Seite wird derzeit planmäßig gewartet.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Sind Sie sicher, dass Sie die Verknüpfung dieses Identitätsanbieters mit dieser Organisation aufheben möchten?",
    "idpUnassociateDescription": "Alle Benutzer, die mit diesem Identitätsanbieter verbunden sind, werden aus dieser Organisation entfernt, aber der Identitätsanbieter bleibt für andere verbundene Organisationen weiterhin bestehen.",
    "idpUnassociateConfirm": "Verknüpfung des Identitätsanbieters aufheben bestätigen",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Dies kann für diese Organisation nicht rückgängig gemacht werden.",
    "idpUnassociatedDescription": "Identitätsanbieter erfolgreich von dieser Organisation gelöst",
    "idpUnassociateMenu": "Verknüpfung aufheben",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Verbindung wird hergestellt…",
    "sshInitializing": "Initialisieren…",
    "sshSignInTitle": "Anmelden bei SSH",
-    "sshSignInDescription": "Geben Sie Ihre SSH-Anmeldedaten ein",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Passwort",
    "sshPrivateKeyTab": "Privater Schlüssel",
    "sshPrivateKeyField": "Privater Schlüssel",
    "sshPrivateKeyDisclaimer": "Ihr privater Schlüssel wird von Pangolin nicht gespeichert oder angezeigt. Alternativ können Sie kurzlebige Zertifikate für nahtlose Authentifizierung mit Ihrer bestehenden Pangolin-Identität verwenden.",
    "sshLearnMore": "Mehr erfahren",
    "sshPrivateKeyFile": "Private Schlüsseldatei",
-    "sshAuthenticate": "Authentifizieren",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Beenden",
    "sshPoweredBy": "Bereitgestellt von",
    "sshErrorNoTarget": "Kein Ziel angegeben",
    "sshErrorWebSocket": "WebSocket-Verbindung fehlgeschlagen",
    "sshErrorAuthFailed": "Authentifizierung fehlgeschlagen",
-    "sshErrorConnectionClosed": "Verbindung geschlossen, bevor die Authentifizierung abgeschlossen wurde"
+    "sshErrorConnectionClosed": "Verbindung geschlossen, bevor die Authentifizierung abgeschlossen wurde",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -101,8 +101,6 @@
    "sitesTableViewPrivateResources": "View Private Resources",
    "siteInstallNewt": "Install Site",
    "siteInstallNewtDescription": "Install the site connector for your system",
-    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
-    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Configuration",
    "WgConfigurationDescription": "Use the following configuration to connect to the network",
    "operatingSystem": "Operating System",
@@ -150,16 +148,16 @@
    "siteCredentialsSaveDescription": "You will only be able to see this once. Make sure to copy it to a secure place.",
    "siteInfo": "Site Information",
    "status": "Status",
-    "shareTitle": "Manage Shareable Links",
+    "shareTitle": "Manage Share Links",
    "shareDescription": "Create shareable links to grant temporary or permanent access to proxy resources",
-    "shareSearch": "Search shareable links...",
-    "shareCreate": "Create Shareable Link",
+    "shareSearch": "Search share links...",
+    "shareCreate": "Create Share Link",
    "shareErrorDelete": "Failed to delete link",
    "shareErrorDeleteMessage": "An error occurred deleting link",
    "shareDeleted": "Link deleted",
    "shareDeletedDescription": "The link has been deleted",
-    "shareDelete": "Delete Shareable Link",
-    "shareDeleteConfirm": "Confirm Delete Shareable Link",
+    "shareDelete": "Delete Share Link",
+    "shareDeleteConfirm": "Confirm Delete Share Link",
    "shareQuestionRemove": "Are you sure you want to delete this share link?",
    "shareMessageRemove": "Once deleted, the link will no longer work and anyone using it will lose access to the resource.",
    "shareTokenDescription": "The access token can be passed in two ways: as a query parameter or in the request headers. These must be passed from the client on every request for authenticated access.",
@@ -179,7 +177,6 @@
    "shareCreateDescription": "Anyone with this link can access the resource",
    "shareTitleOptional": "Title (optional)",
    "sharePathOptional": "Path (optional)",
-    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Expire In",
    "neverExpire": "Never expire",
    "shareExpireDescription": "Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource.",
@@ -203,8 +200,8 @@
    "shareErrorSelectResource": "Please select a resource",
    "proxyResourceTitle": "Manage Public Resources",
    "proxyResourceDescription": "Create and manage resources that are publicly accessible through a web browser",
-    "publicResourcesBannerTitle": "Web-based Public Access",
-    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
+    "proxyResourcesBannerTitle": "Web-based Public Access",
+    "proxyResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Manage Private Resources",
    "clientResourceDescription": "Create and manage resources that are only accessible through a connected client",
    "privateResourcesBannerTitle": "Zero-Trust Private Access",
@@ -212,19 +209,15 @@
    "resourcesSearch": "Search resources...",
    "resourceAdd": "Add Resource",
    "resourceErrorDelte": "Error deleting resource",
-    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
-    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
-    "resourcePoliciesBannerButtonText": "Learn More",
-    "resourcePoliciesTitle": "Manage Public Resource Policies",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
+    "resourcePoliciesTitle": "Manage Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Attached resources",
    "resourcePoliciesAttachedResources": "{count} resource(s)",
-    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "no resources",
-    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your resources",
    "resourcePoliciesSearch": "Search policies...",
    "resourcePoliciesAdd": "Add Policy",
    "resourcePoliciesDefaultBadgeText": "Default policy",
-    "resourcePoliciesCreate": "Create Public Resource Policy",
+    "resourcePoliciesCreate": "Create Resource Policy",
    "resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
    "resourcePolicyName": "Policy Name",
    "resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
@@ -281,7 +274,7 @@
    "back": "Back",
    "cancel": "Cancel",
    "resourceConfig": "Configuration Snippets",
-    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource",
    "resourceAddEntrypoints": "Traefik: Add Entrypoints",
    "resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
    "resourceLearnRaw": "Learn how to configure TCP/UDP resources",
@@ -294,8 +287,6 @@
    "labelDelete": "Delete Label",
    "labelAdd": "Add Label",
    "labelCreateSuccessMessage": "Label Created Successfully",
-    "labelDuplicateError": "Duplicate Label",
-    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Label Modified Successfully",
    "labelNameField": "Label Name",
    "labelColorField": "Label Color",
@@ -320,7 +311,7 @@
    "rules": "Rules",
    "resourceSettingDescription": "Configure the settings on the resource",
    "resourceSetting": "{resourceName} Settings",
-    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
+    "resourcePolicySettingDescription": "Configure the settings on the resource policy",
    "resourcePolicySetting": "{policyName} Settings",
    "alwaysAllow": "Bypass Auth",
    "alwaysDeny": "Block Access",
@@ -728,7 +719,7 @@
    "targetSubmit": "Add Target",
    "targetNoOne": "This resource doesn't have any targets. Add a target to configure where to send requests to the backend.",
    "targetNoOneDescription": "Adding more than one target above will enable load balancing.",
-    "targetsSubmit": "Save Settings",
+    "targetsSubmit": "Save Targets",
    "addTarget": "Add Target",
    "proxyMultiSiteRoundRobinNodeHelp": "Round robin routing will not work between sites that are not connected to the same node, but failover will work.",
    "targetErrorInvalidIp": "Invalid IP address",
@@ -762,11 +753,11 @@
    "rulesErrorDuplicate": "Duplicate rule",
    "rulesErrorDuplicateDescription": "A rule with these settings already exists",
    "rulesErrorInvalidIpAddressRange": "Invalid CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
-    "rulesErrorInvalidUrl": "Invalid path",
-    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
-    "rulesErrorInvalidIpAddress": "Invalid IP address",
-    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
+    "rulesErrorInvalidIpAddressRangeDescription": "Please enter a valid CIDR value",
+    "rulesErrorInvalidUrl": "Invalid URL path",
+    "rulesErrorInvalidUrlDescription": "Please enter a valid URL path value",
+    "rulesErrorInvalidIpAddress": "Invalid IP",
+    "rulesErrorInvalidIpAddressDescription": "Please enter a valid IP address",
    "rulesErrorUpdate": "Failed to update rules",
    "rulesErrorUpdateDescription": "An error occurred while updating rules",
    "rulesUpdated": "Enable Rules",
@@ -774,24 +765,15 @@
    "rulesMatchIpAddressRangeDescription": "Enter an address in CIDR format (e.g., 103.21.244.0/22)",
    "rulesMatchIpAddress": "Enter an IP address (e.g., 103.21.244.12)",
    "rulesMatchUrl": "Enter a URL path or pattern (e.g., /api/v1/todos or /api/v1/*)",
-    "rulesErrorInvalidPriority": "Invalid priority",
-    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
-    "rulesErrorDuplicatePriority": "Duplicate priorities",
-    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
-    "rulesErrorValidation": "Invalid rules",
-    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
-    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
-    "rulesErrorValueRequired": "Enter a value for this rule.",
-    "rulesErrorInvalidCountry": "Invalid country",
-    "rulesErrorInvalidCountryDescription": "Select a valid country.",
-    "rulesErrorInvalidAsn": "Invalid ASN",
-    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
+    "rulesErrorInvalidPriority": "Invalid Priority",
+    "rulesErrorInvalidPriorityDescription": "Please enter a valid priority",
+    "rulesErrorDuplicatePriority": "Duplicate Priorities",
+    "rulesErrorDuplicatePriorityDescription": "Please enter unique priorities",
    "ruleUpdated": "Rules updated",
    "ruleUpdatedDescription": "Rules updated successfully",
    "ruleErrorUpdate": "Operation failed",
    "ruleErrorUpdateDescription": "An error occurred during the save operation",
    "rulesPriority": "Priority",
-    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Action",
    "rulesMatchType": "Match Type",
    "value": "Value",
@@ -810,7 +792,7 @@
    "rulesResource": "Resource Rules Configuration",
    "rulesResourceDescription": "Configure rules to control access to the resource",
    "ruleSubmit": "Add Rule",
-    "rulesNoOne": "No rules yet.",
+    "rulesNoOne": "No rules. Add a rule using the form.",
    "rulesOrder": "Rules are evaluated by priority in ascending order.",
    "rulesSubmit": "Save Rules",
    "policyErrorCreate": "Error creating policy",
@@ -821,48 +803,7 @@
    "policyErrorUpdateMessageDescription": "An unexpected error occurred",
    "policyCreatedSuccess": "Resource policy succesfully created",
    "policyUpdatedSuccess": "Resource policy succesfully updated",
-    "authMethodsSave": "Save Settings",
-    "policyAuthStackTitle": "Authentication",
-    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
-    "policyAuthOrLogicTitle": "Multiple authentication methods active",
-    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
-    "policyAuthMethodActive": "Active",
-    "policyAuthMethodOff": "Off",
-    "policyAuthSsoTitle": "Platform SSO",
-    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
-    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
-    "policyAuthSsoDefaultIdp": "Default provider",
-    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
-    "policyAuthOtherMethodsTitle": "Other Methods",
-    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
-    "policyAuthPasscodeTitle": "Passcode",
-    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
-    "policyAuthPasscodeSummary": "Passcode set",
-    "policyAuthPincodeTitle": "PIN Code",
-    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
-    "policyAuthPincodeSummary": "6-digit PIN set",
-    "policyAuthEmailTitle": "Email Whitelist",
-    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
-    "policyAuthEmailSummary": "{count} addresses allowed",
-    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
-    "policyAuthHeaderAuthTitle": "Basic Header Auth",
-    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
-    "policyAuthHeaderAuthSummary": "Header configured",
-    "policyAuthHeaderName": "Header name",
-    "policyAuthHeaderValue": "Expected value",
-    "policyAuthSetPasscode": "Set Passcode",
-    "policyAuthSetPincode": "Set PIN Code",
-    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
-    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
-    "policyAccessRulesTitle": "Access Rules",
-    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
-    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
-    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
-    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
-    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
-    "rulesPlaceholderCidr": "10.0.0.0/8",
-    "rulesPlaceholderPath": "/admin/*",
-    "rulesPlaceholderGeo": "RU, KP",
+    "authMethodsSave": "Save auth methods",
    "rulesSave": "Save Rules",
    "resourceErrorCreate": "Error creating resource",
    "resourceErrorCreateDescription": "An error occurred when creating the resource",
@@ -883,9 +824,9 @@
    "resourcesErrorUpdateDescription": "An error occurred while updating the resource",
    "access": "Access",
    "accessControl": "Access Control",
-    "shareLink": "{resource} Shareable Link",
+    "shareLink": "{resource} Share Link",
    "resourceSelect": "Select resource",
-    "shareLinks": "Shareable Links",
+    "shareLinks": "Share Links",
    "share": "Shareable Links",
    "shareDescription2": "Create shareable links to resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one.",
    "shareEasyCreate": "Easy to create and share",
@@ -975,18 +916,10 @@
    "resourceRoleDescription": "Admins can always access this resource.",
    "resourcePolicySelectTitle": "Resource Access Policy",
    "resourcePolicySelectDescription": "Select the resource policy type for authentication",
-    "resourcePolicyTypeLabel": "Policy type",
-    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Inline Resource Policy",
    "resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
    "resourcePolicyShared": "Shared Resource Policy",
-    "resourcePolicySharedDescription": "This resource uses a shared policy.",
-    "sharedPolicy": "Shared Policy",
-    "sharedPolicyNoneDescription": "This resource has its own policy.",
-    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
-    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
-    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
-    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy. Policy-level settings (auth methods, email whitelist) are locked. You can add resource-specific rules, roles, and users below.",
    "resourceUsersRoles": "Access Controls",
    "resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
    "resourceUsersRolesSubmit": "Save Access Controls",
@@ -1011,14 +944,7 @@
    "resourceVisibilityTitle": "Visibility",
    "resourceVisibilityTitleDescription": "Completely enable or disable resource visibility",
    "resourceGeneral": "General Settings",
-    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
-    "resourceGeneralDetailsSubsection": "Resource Details",
-    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
-    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
-    "resourceGeneralPublicAddressSubsection": "Public Address",
-    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
-    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
-    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
+    "resourceGeneralDescription": "Configure the general settings for this resource",
    "resourceEnable": "Enable Resource",
    "resourceTransfer": "Transfer Resource",
    "resourceTransferDescription": "Transfer this resource to a different site",
@@ -1294,14 +1220,11 @@
    "addLabels": "Add labels",
    "siteLabelsTab": "Labels",
    "siteLabelsDescription": "Manage labels associated with this site.",
-    "labelsNotFound": "No labels found.",
-    "labelsEmptyCreateHint": "Start typing above to create a label.",
+    "labelsNotFound": "Labels not found",
    "labelSearch": "Search labels",
-    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
    "labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
    "accessLabelFilterClear": "Clear label filters",
-    "accessFilterClear": "Clear filters",
    "selectColor": "Select color",
    "createNewLabel": "Create new org label \"{label}\"",
    "inviteInvalidDescription": "The invite link is invalid.",
@@ -1538,8 +1461,8 @@
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
-    "sidebarPolicies": "Shared Policies",
-    "sidebarResourcePolicies": "Public Resources",
+    "sidebarPolicies": "Policies",
+    "sidebarResourcePolicies": "Resources",
    "sidebarAccessControl": "Access Control",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
@@ -1547,7 +1470,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Invitations",
    "sidebarRoles": "Roles",
-    "sidebarShareableLinks": "Shareable Links",
+    "sidebarShareableLinks": "Links",
    "sidebarApiKeys": "API Keys",
    "sidebarProvisioning": "Provisioning",
    "sidebarSettings": "Settings",
@@ -1724,7 +1647,7 @@
    "standaloneHcFilterResourceIdFallback": "Resource {id}",
    "blueprints": "Blueprints",
    "blueprintsLog": "Blueprints Log",
-    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
+    "blueprintsDescription": "View past blueprint applications and their results",
    "blueprintAdd": "Add Blueprint",
    "blueprintGoBack": "See all Blueprints",
    "blueprintCreate": "Create Blueprint",
@@ -1744,10 +1667,10 @@
    "enableDockerSocket": "Enable Docker Blueprint",
    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to the site connector. Read about how this works in <docsLink>the documentation</docsLink>.",
    "newtAutoUpdate": "Enable Site Auto-Update",
-    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically update to the latest version when a new release is available.",
    "siteAutoUpdate": "Site Auto-Update",
    "siteAutoUpdateLabel": "Enable Auto-Update",
-    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
+    "siteAutoUpdateDescription": "Control whether this site's connector automatically downloads the latest version.",
    "siteAutoUpdateOrgDefault": "Organization default: {state}",
    "siteAutoUpdateOverriding": "Overriding organization setting",
    "siteAutoUpdateResetToOrg": "Reset to Organization Default",
@@ -1845,9 +1768,9 @@
    "accountSetupSuccess": "Account setup completed! Welcome to Pangolin!",
    "documentation": "Documentation",
    "saveAllSettings": "Save All Settings",
-    "saveResourceTargets": "Save Settings",
-    "saveResourceHttp": "Save Settings",
-    "saveProxyProtocol": "Save Settings",
+    "saveResourceTargets": "Save Targets",
+    "saveResourceHttp": "Save Proxy Settings",
+    "saveProxyProtocol": "Save Proxy protocol settings",
    "settingsUpdated": "Settings updated",
    "settingsUpdatedDescription": "Settings updated successfully",
    "settingsErrorUpdate": "Failed to update settings",
@@ -2104,13 +2027,13 @@
    "healthCheckUnknown": "Unknown",
    "healthCheck": "Health Check",
    "configureHealthCheck": "Configure Health Check",
-    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
+    "configureHealthCheckDescription": "Set up health monitoring for {target}",
    "enableHealthChecks": "Enable Health Checks",
    "healthCheckDisabledStateDescription": "When disabled, the site will not perform health checks and the state will be considered unknown.",
    "enableHealthChecksDescription": "Monitor the health of this target. You can monitor a different endpoint than the target if required.",
    "healthScheme": "Method",
    "healthSelectScheme": "Select Method",
-    "healthCheckPortInvalid": "Port must be between 1 and 65535",
+    "healthCheckPortInvalid": "Health check port must be between 1 and 65535",
    "healthCheckPath": "Path",
    "healthHostname": "IP / Host",
    "healthPort": "Port",
@@ -2123,7 +2046,6 @@
    "requireDeviceApproval": "Require Device Approvals",
    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
    "sshSettings": "SSH Settings",
-    "sshAccess": "SSH Access",
    "rdpSettings": "RDP Settings",
    "vncSettings": "VNC Settings",
    "sshServer": "SSH Server",
@@ -2150,13 +2072,8 @@
    "sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
    "sshDaemonPort": "Daemon Port",
    "sshServerDestination": "Server Destination",
-    "sshServerDestinationDescription": "Configure the destination of the SSH server",
+    "sshServerDestinationDescription": "Configure the destination and port of the SSH server",
    "destination": "Destination",
-    "destinationRequired": "Destination is required.",
-    "domainRequired": "Domain is required.",
-    "proxyPortRequired": "Port is required.",
-    "invalidPathConfiguration": "Invalid path configuration.",
-    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
    "roleAllowSsh": "Allow SSH",
    "roleAllowSshAllow": "Allow",
@@ -2171,25 +2088,10 @@
    "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
    "sshSudo": "Allow sudo",
    "sshSudoCommands": "Sudo Commands",
-    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
+    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo. Absolute paths must be used.",
    "sshCreateHomeDir": "Create Home Directory",
    "sshUnixGroups": "Unix Groups",
-    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
-    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
-    "roleTextImportTitle": "Import from File",
-    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
-    "roleTextImportSkipHeader": "Skip First Row (Header)",
-    "roleTextImportOverride": "Replace Existing",
-    "roleTextImportAppend": "Append to Existing",
-    "roleTextImportMode": "Import Mode",
-    "roleTextImportPreview": "Preview",
-    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
-    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
-    "roleTextImportConfirm": "Import",
-    "roleTextImportInvalidFile": "Unsupported file type",
-    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
-    "roleTextImportEmpty": "No items found in file",
-    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
+    "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
    "retryAttempts": "Retry Attempts",
    "expectedResponseCodes": "Expected Response Codes",
    "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -2973,10 +2875,9 @@
    "enableProxyProtocol": "Enable Proxy Protocol",
    "proxyProtocolInfo": "Preserve client IP addresses for TCP backends",
    "proxyProtocolVersion": "Proxy Protocol Version",
-    "version1": "Version 1 (Recommended)",
+    "version1": " Version 1 (Recommended)",
    "version2": "Version 2",
-    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
-    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
+    "versionDescription": "Version 1 is text-based and widely supported. Version 2 is binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Warning",
    "proxyProtocolWarning": "The backend application must be configured to accept Proxy Protocol connections. If your backend doesn't support Proxy Protocol, enabling this will break all connections so only enable this if you know what you're doing. Make sure to configure your backend to trust Proxy Protocol headers from Traefik.",
    "restarting": "Restarting...",
@@ -3133,7 +3034,7 @@
    "enterConfirmation": "Enter confirmation",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Default Identity Provider",
-    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Network Settings",
    "editInternalResourceDialogAccessPolicy": "Access Policy",
    "editInternalResourceDialogAddRoles": "Add Roles",
@@ -3174,7 +3075,6 @@
    "maintenanceModeType": "Maintenance Mode Type",
    "showMaintenancePage": "Show a maintenance page to visitors",
    "enableMaintenanceMode": "Enable Maintenance Mode",
-    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatic",
    "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
    "forced": "Forced",
@@ -3182,8 +3082,6 @@
    "warning:": "Warning:",
    "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
    "pageTitle": "Page Title",
-    "maintenancePageContentSubsection": "Page Content",
-    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "The main heading displayed on the maintenance page",
    "maintenancePageMessage": "Maintenance Message",
    "maintenancePageMessagePlaceholder": "We'll be back soon! Our site is currently undergoing scheduled maintenance.",
@@ -3543,58 +3441,18 @@
    "sshConnecting": "Connecting…",
    "sshInitializing": "Initializing…",
    "sshSignInTitle": "Sign in to SSH",
-    "sshSignInDescription": "Enter your SSH credentials to connect",
+    "sshSignInDescription": "Enter your SSH credentials",
    "sshPasswordTab": "Password",
    "sshPrivateKeyTab": "Private Key",
    "sshPrivateKeyField": "Private Key",
    "sshPrivateKeyDisclaimer": "Your private key is not stored or visible to Pangolin. Alternatively, you can use short-lived certificates for seamless authentication using your existing Pangolin identity.",
    "sshLearnMore": "Learn more",
    "sshPrivateKeyFile": "Private Key File",
-    "sshAuthenticate": "Connect",
+    "sshAuthenticate": "Authenticate",
    "sshTerminate": "Terminate",
    "sshPoweredBy": "Powered by",
    "sshErrorNoTarget": "No target specified",
    "sshErrorWebSocket": "WebSocket connection failed",
    "sshErrorAuthFailed": "Authentication failed",
-    "sshErrorConnectionClosed": "Connection closed before authentication completed",
-    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
-    "browserGatewayNoResourceForDomain": "No resource found for this domain",
-    "browserGatewayNoTarget": "No target",
-    "browserGatewayConnect": "Connect",
-    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
-    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
-    "sshTerminalError": "Error: {error}",
-    "sshConnectionClosedCode": "Connection closed (code {code})",
-    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
-    "sshPrivateKeyRequired": "Private key is required",
-    "vncTitle": "VNC",
-    "vncSignInDescription": "Enter your VNC password to connect",
-    "vncPasswordOptional": "Password (optional)",
-    "vncNoResourceTarget": "No resource target is available",
-    "vncFailedToLoadNovnc": "Failed to load noVNC",
-    "vncAuthFailedStatus": "Status {status}",
-    "vncPasteClipboard": "Paste clipboard",
-    "rdpTitle": "RDP",
-    "rdpSignInTitle": "Sign in to Remote Desktop",
-    "rdpSignInDescription": "Enter Windows credentials to connect",
-    "rdpLoadingModule": "Loading module...",
-    "rdpFailedToLoadModule": "Failed to load RDP module",
-    "rdpNotReady": "Not ready",
-    "rdpModuleInitializing": "RDP module is still initializing",
-    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
-    "rdpDownloadFailed": "Download failed: {fileName}",
-    "rdpUploaded": "Uploaded: {fileName}",
-    "rdpNoConnectionTarget": "No connection target available",
-    "rdpConnectionFailed": "Connection failed",
-    "rdpFit": "Fit",
-    "rdpFull": "Full",
-    "rdpReal": "Real",
-    "rdpMeta": "Meta",
-    "rdpUploadFiles": "Upload files",
-    "rdpFilesReadyToPaste": "Files ready to paste",
-    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
-    "rdpUploadFailed": "Upload failed",
-    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
-    "sessionToolbarShow": "Show toolbar",
-    "sessionToolbarHide": "Hide toolbar"
+    "sshErrorConnectionClosed": "Connection closed before authentication completed"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Ver Recursos Privados",
    "siteInstallNewt": "Instalar Newt",
    "siteInstallNewtDescription": "Recibe Newt corriendo en tu sistema",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configuración de Wirex Guard",
    "WgConfigurationDescription": "Utilice la siguiente configuración para conectarse a la red",
    "operatingSystem": "Sistema operativo",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Sólo podrás verlo una vez. Asegúrate de copiarlo a un lugar seguro.",
    "siteInfo": "Información del sitio",
    "status": "Estado",
-    "shareTitle": "Administrar Enlaces de Compartir",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Crear enlaces compartidos para conceder acceso temporal o permanente a recursos proxy",
-    "shareSearch": "Buscar enlaces compartidos...",
-    "shareCreate": "Crear enlace Compartir",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Error al eliminar el enlace",
    "shareErrorDeleteMessage": "Se ha producido un error al eliminar el enlace",
    "shareDeleted": "Enlace eliminado",
    "shareDeletedDescription": "El enlace ha sido eliminado",
-    "shareDelete": "Borrar Enlace Compartido",
-    "shareDeleteConfirm": "Confirmar Borrado del Enlace Compartido",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "¿Está seguro de que desea borrar este enlace compartido?",
    "shareMessageRemove": "Una vez borrado, el enlace dejará de funcionar y cualquier persona que lo use perderá acceso al recurso.",
    "shareTokenDescription": "El token de acceso puede ser pasado de dos maneras: como parámetro de consulta o en las cabeceras de solicitud. Estos deben ser pasados del cliente en cada solicitud de acceso autenticado.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Cualquiera con este enlace puede acceder al recurso",
    "shareTitleOptional": "Título (opcional)",
    "sharePathOptional": "Ruta (opcional)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Caduca en",
    "neverExpire": "Nunca expirar",
    "shareExpireDescription": "El tiempo de caducidad es cuánto tiempo el enlace será utilizable y proporcionará acceso al recurso. Después de este tiempo, el enlace ya no funcionará, y los usuarios que usaron este enlace perderán el acceso al recurso.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Por favor, seleccione un recurso",
    "proxyResourceTitle": "Administrar recursos públicos",
    "proxyResourceDescription": "Crear y administrar recursos que sean accesibles públicamente a través de un navegador web",
-    "publicResourcesBannerTitle": "Acceso público basado en web",
-    "publicResourcesBannerDescription": "Los recursos públicos son proxies HTTPS o TCP/UDP accesibles a cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluye políticas de acceso basadas en identidad y contexto.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Administrar recursos privados",
    "clientResourceDescription": "Crear y administrar recursos que sólo son accesibles a través de un cliente conectado",
    "privateResourcesBannerTitle": "Acceso privado de confianza cero",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Buscar recursos...",
    "resourceAdd": "Añadir Recurso",
    "resourceErrorDelte": "Error al eliminar el recurso",
-    "resourcePoliciesTitle": "Administrar Políticas de Recursos",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Recursos Adjuntos",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} recurso/s",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "sin recursos",
-    "resourcePoliciesDescription": "Cree y administre políticas de autenticación para controlar el acceso a sus recursos",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Buscar políticas...",
    "resourcePoliciesAdd": "Agregar Política",
    "resourcePoliciesDefaultBadgeText": "Política predeterminada",
-    "resourcePoliciesCreate": "Crear Política de Recursos",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Siga los pasos a continuación para crear una nueva política",
    "resourcePolicyName": "Nombre de la política",
    "resourcePolicyNameDescription": "Déle a esta política un nombre para identificarla en sus recursos",
@@ -274,7 +281,7 @@
    "back": "Atrás",
    "cancel": "Cancelar",
    "resourceConfig": "Fragmentos de configuración",
-    "resourceConfigDescription": "Copia y pega estos fragmentos de configuración para configurar el recurso TCP/UDP",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Añadir puntos de entrada",
    "resourceExposePorts": "Gerbil: Exponer puertos en Docker Compose",
    "resourceLearnRaw": "Aprende cómo configurar los recursos TCP/UDP",
@@ -287,6 +294,8 @@
    "labelDelete": "Eliminar etiqueta",
    "labelAdd": "Agregar etiqueta",
    "labelCreateSuccessMessage": "Etiqueta creada correctamente",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Etiqueta modificada correctamente",
    "labelNameField": "Nombre de la etiqueta",
    "labelColorField": "Color de la etiqueta",
@@ -311,7 +320,7 @@
    "rules": "Reglas",
    "resourceSettingDescription": "Configurar la configuración del recurso",
    "resourceSetting": "Ajustes {resourceName}",
-    "resourcePolicySettingDescription": "Configure la configuración en la política de recursos",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Configuración {policyName}",
    "alwaysAllow": "Autorización Bypass",
    "alwaysDeny": "Bloquear acceso",
@@ -719,7 +728,7 @@
    "targetSubmit": "Añadir destino",
    "targetNoOne": "Este recurso no tiene ningún objetivo. Agrega un objetivo para configurar dónde enviar peticiones al backend.",
    "targetNoOneDescription": "Si se añade más de un objetivo anterior se activará el balance de carga.",
-    "targetsSubmit": "Guardar objetivos",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Añadir destino",
    "proxyMultiSiteRoundRobinNodeHelp": "El enrutamiento de turnos no funcionará entre sitios que no están conectados al mismo nodo, pero el failover funcionará.",
    "targetErrorInvalidIp": "Dirección IP inválida",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Duplicar regla",
    "rulesErrorDuplicateDescription": "Ya existe una regla con estos ajustes",
    "rulesErrorInvalidIpAddressRange": "CIDR inválido",
-    "rulesErrorInvalidIpAddressRangeDescription": "Por favor, introduzca un valor CIDR válido",
-    "rulesErrorInvalidUrl": "Ruta URL inválida",
-    "rulesErrorInvalidUrlDescription": "Por favor, introduzca un valor de ruta de URL válido",
-    "rulesErrorInvalidIpAddress": "IP inválida",
-    "rulesErrorInvalidIpAddressDescription": "Por favor, introduzca una dirección IP válida",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Error al actualizar las reglas",
    "rulesErrorUpdateDescription": "Se ha producido un error al actualizar las reglas",
    "rulesUpdated": "Activar Reglas",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Introduzca una dirección en formato CIDR (por ejemplo, 103.21.244.0/22)",
    "rulesMatchIpAddress": "Introduzca una dirección IP (por ejemplo, 103.21.244.12)",
    "rulesMatchUrl": "Introduzca una ruta URL o patrón (por ej., /api/v1/todos o /api/v1/*)",
-    "rulesErrorInvalidPriority": "Prioridad inválida",
-    "rulesErrorInvalidPriorityDescription": "Por favor, introduzca una prioridad válida",
-    "rulesErrorDuplicatePriority": "Prioridades duplicadas",
-    "rulesErrorDuplicatePriorityDescription": "Por favor, introduzca prioridades únicas",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Reglas actualizadas",
    "ruleUpdatedDescription": "Reglas actualizadas correctamente",
    "ruleErrorUpdate": "Operación fallida",
    "ruleErrorUpdateDescription": "Se ha producido un error durante la operación de guardado",
    "rulesPriority": "Prioridad",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Accin",
    "rulesMatchType": "Tipo de partida",
    "value": "Valor",
@@ -792,7 +810,7 @@
    "rulesResource": "Configuración de reglas de recursos",
    "rulesResourceDescription": "Configurar reglas para controlar el acceso al recurso",
    "ruleSubmit": "Añadir Regla",
-    "rulesNoOne": "No hay reglas. Agregue una regla usando el formulario.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Las reglas son evaluadas por prioridad en orden ascendente.",
    "rulesSubmit": "Guardar Reglas",
    "policyErrorCreate": "Error al crear la política",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Se ha producido un error inesperado",
    "policyCreatedSuccess": "Política de recursos creada con éxito",
    "policyUpdatedSuccess": "Política de recursos actualizada con éxito",
-    "authMethodsSave": "Guardar métodos de autenticación",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Guardar reglas",
    "resourceErrorCreate": "Error al crear recurso",
    "resourceErrorCreateDescription": "Se ha producido un error al crear el recurso",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Se ha producido un error al actualizar el recurso",
    "access": "Acceder",
    "accessControl": "Control de acceso",
-    "shareLink": "{resource} Compartir Enlace",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Seleccionar recurso",
-    "shareLinks": "Compartir enlaces",
+    "shareLinks": "Shareable Links",
    "share": "Enlaces compartibles",
    "shareDescription2": "Crea enlaces compartidos a recursos. Los enlaces proporcionan acceso temporal o ilimitado a tu recurso. Puede configurar la duración de caducidad del enlace cuando cree uno.",
    "shareEasyCreate": "Fácil de crear y compartir",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Los administradores siempre pueden acceder a este recurso.",
    "resourcePolicySelectTitle": "Política de Acceso a Recursos",
    "resourcePolicySelectDescription": "Seleccione el tipo de política de recursos para la autenticación",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Política de Recursos Integrada",
    "resourcePolicyInlineDescription": "Política de Acceso solo destinada a este recurso",
    "resourcePolicyShared": "Política de Recursos Compartida",
-    "resourcePolicySharedDescription": "Este recurso utiliza una política compartida. Las configuraciones a nivel de política (métodos de autenticación, lista blanca de correos electrónicos) están bloqueadas. Puede agregar reglas específicas de recursos, roles y usuarios más abajo.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Controles de acceso",
    "resourceUsersRolesDescription": "Configurar qué usuarios y roles pueden visitar este recurso",
    "resourceUsersRolesSubmit": "Guardar controles de acceso",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilidad",
    "resourceVisibilityTitleDescription": "Activar o desactivar completamente la visibilidad de los recursos",
    "resourceGeneral": "Configuración General",
-    "resourceGeneralDescription": "Configurar la configuración general de este recurso",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Activar recurso",
    "resourceTransfer": "Transferir recursos",
    "resourceTransferDescription": "Transferir este recurso a un sitio diferente",
@@ -1220,11 +1294,14 @@
    "addLabels": "Agregar etiquetas",
    "siteLabelsTab": "Etiquetas",
    "siteLabelsDescription": "Administrar las etiquetas asociadas con este sitio.",
-    "labelsNotFound": "Etiquetas no encontradas",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Buscar etiquetas",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# etiqueta} other {# etiquetas}}",
    "labelOverflowCount": "+{count, plural, one {# etiqueta} other {# etiquetas}}",
    "accessLabelFilterClear": "Borrar filtros de etiquetas",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Seleccionar color",
    "createNewLabel": "Crear nueva etiqueta de organización \"{label}\"",
    "inviteInvalidDescription": "El enlace de invitación no es válido.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
-    "sidebarPolicies": "Políticas",
-    "sidebarResourcePolicies": "Recursos",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Control de acceso",
    "sidebarLogsAndAnalytics": "Registros y análisis",
    "sidebarTeam": "Equipo",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Invitaciones",
    "sidebarRoles": "Roles",
-    "sidebarShareableLinks": "Enlaces",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "Claves API",
    "sidebarProvisioning": "Aprovisionamiento",
    "sidebarSettings": "Ajustes",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Recurso {id}",
    "blueprints": "Planos",
    "blueprintsLog": "Registro de planos",
-    "blueprintsDescription": "Ver aplicaciones de plano anteriores y sus resultados",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Añadir plano",
    "blueprintGoBack": "Ver todos los Planos",
    "blueprintCreate": "Crear Plano",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Habilitar Plano Docker",
    "enableDockerSocketDescription": "Activar el raspado de etiquetas del socket Docker para etiquetas de planos. La ruta del socket debe proporcionarse al conector del sitio. Lea sobre cómo funciona esto en <docsLink>la documentación</docsLink>.",
    "newtAutoUpdate": "Habilitar actualización automática del sitio",
-    "newtAutoUpdateDescription": "Cuando está habilitado, los conectores del sitio se actualizarán automáticamente a la última versión cuando haya disponible una nueva versión.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Actualización automática del sitio",
    "siteAutoUpdateLabel": "Habilitar actualización automática",
-    "siteAutoUpdateDescription": "Controlar si el conector de este sitio descarga automáticamente la última versión.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Predeterminado de la organización: {state}",
    "siteAutoUpdateOverriding": "Configuración de anulación de la organización",
    "siteAutoUpdateResetToOrg": "Restablecer al predeterminado de la organización",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "¡Configuración de cuenta completada! ¡Bienvenido a Pangolin!",
    "documentation": "Documentación",
    "saveAllSettings": "Guardar todos los ajustes",
-    "saveResourceTargets": "Guardar objetivos",
-    "saveResourceHttp": "Guardar ajustes de proxy",
-    "saveProxyProtocol": "Guardar configuraciones del protocolo de proxy",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Ajustes actualizados",
    "settingsUpdatedDescription": "Configuraciones actualizadas correctamente",
    "settingsErrorUpdate": "Error al actualizar ajustes",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Desconocido",
    "healthCheck": "Chequeo de salud",
    "configureHealthCheck": "Configurar Chequeo de Salud",
-    "configureHealthCheckDescription": "Configura la monitorización de salud para {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Activar Chequeos de Salud",
    "healthCheckDisabledStateDescription": "Cuando está deshabilitado, el sitio no realizará comprobaciones de salud y el estado se considerará desconocido.",
    "enableHealthChecksDescription": "Controlar la salud de este objetivo. Puedes supervisar un punto final diferente al objetivo si es necesario.",
    "healthScheme": "Método",
    "healthSelectScheme": "Seleccionar método",
-    "healthCheckPortInvalid": "El puerto de chequeo de salud debe estar entre 1 y 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Ruta",
    "healthHostname": "IP / Nombre del host",
    "healthPort": "Puerto",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Requiere aprobaciones del dispositivo",
    "requireDeviceApprovalDescription": "Los usuarios con este rol necesitan nuevos dispositivos aprobados por un administrador antes de poder conectarse y acceder a los recursos.",
    "sshSettings": "Configuración SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Configuración RDP",
    "vncSettings": "Configuración VNC",
    "sshServer": "Servidor SSH",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Asegúrese de que su host objetivo esté correctamente configurado para ejecutar el daemon de autenticación antes de completar esta configuración, o la provisión fallará.",
    "sshDaemonPort": "Puerto del Daemon",
    "sshServerDestination": "Destino del Servidor",
-    "sshServerDestinationDescription": "Configure el destino y el puerto del servidor SSH",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Destino",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Seleccionar múltiples sitios permite el enrutamiento resiliente y el failover para alta disponibilidad.",
    "roleAllowSsh": "Permitir SSH",
    "roleAllowSshAllow": "Permitir",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "El usuario sólo puede ejecutar los comandos especificados con sudo.",
    "sshSudo": "Permitir sudo",
    "sshSudoCommands": "Comandos Sudo",
-    "sshSudoCommandsDescription": "Lista separada por comas de comandos que el usuario puede ejecutar con sudo. Se deben usar rutas absolutas.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Crear directorio principal",
    "sshUnixGroups": "Grupos Unix",
-    "sshUnixGroupsDescription": "Grupos Unix separados por comas para agregar el usuario en el host de destino.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Intentos de Reintento",
    "expectedResponseCodes": "Códigos de respuesta esperados",
    "expectedResponseCodesDescription": "Código de estado HTTP que indica un estado saludable. Si se deja en blanco, se considera saludable de 200 a 300.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Habilitar protocolo proxy",
    "proxyProtocolInfo": "Conservar direcciones IP del cliente para backends TCP",
    "proxyProtocolVersion": "Versión del Protocolo Proxy",
-    "version1": " Versión 1 (Recomendado)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Versión 2",
-    "versionDescription": "La versión 1 está basada en texto y es ampliamente soportada. La versión 2 es binaria y más eficiente pero menos compatible.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Advertencia",
    "proxyProtocolWarning": "La aplicación backend debe configurarse para aceptar conexiones Proxy Protocol. Si el backend no soporta Proxy Protocol, activarlo romperá todas las conexiones, así que sólo habilítelo si sabe lo que está haciendo. Asegúrese de configurar su backend para que confíe en las cabeceras del protocolo Proxy de Traefik.",
    "restarting": "Reiniciando...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Ingresar confirmación",
    "blueprintViewDetails": "Detalles",
    "defaultIdentityProvider": "Proveedor de identidad predeterminado",
-    "defaultIdentityProviderDescription": "Cuando se selecciona un proveedor de identidad por defecto, el usuario será redirigido automáticamente al proveedor de autenticación.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Configuración de red",
    "editInternalResourceDialogAccessPolicy": "Política de acceso",
    "editInternalResourceDialogAddRoles": "Agregar roles",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Tipo de modo de mantenimiento",
    "showMaintenancePage": "Mostrar página de mantenimiento a los visitantes",
    "enableMaintenanceMode": "Habilitar modo de mantenimiento",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automático",
    "automaticModeDescription": "Mostrar página de mantenimiento solo cuando todos los objetivos de backend están caídos o no saludables. Su recurso continúa funcionando normalmente siempre que al menos un objetivo esté saludable.",
    "forced": "Forzado",
@@ -3082,6 +3182,8 @@
    "warning:": "Advertencia:",
    "forcedeModeWarning": "Todo el tráfico será dirigido a la página de mantenimiento. Sus recursos de backend no recibirán solicitudes.",
    "pageTitle": "Título de la página",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "El encabezado principal visible en la página de mantenimiento",
    "maintenancePageMessage": "Mensaje de mantenimiento",
    "maintenancePageMessagePlaceholder": "¡Volveremos pronto! Nuestro sitio está actualmente en mantenimiento programado.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "¿Está seguro de que desea desasociar este proveedor de identidad de esta organización?",
    "idpUnassociateDescription": "Todos los usuarios asociados con este proveedor de identidad serán eliminados de esta organización, pero el proveedor de identidad continuará existiendo para otras organizaciones asociadas.",
    "idpUnassociateConfirm": "Confirme Desasociar Proveedor de Identidad",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Esto no se puede deshacer para esta organización.",
    "idpUnassociatedDescription": "Proveedor de identidad desasociado de esta organización con éxito",
    "idpUnassociateMenu": "Desasociar",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Conectando…",
    "sshInitializing": "Inicializando…",
    "sshSignInTitle": "Iniciar sesión en SSH",
-    "sshSignInDescription": "Ingrese sus credenciales SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Contraseña",
    "sshPrivateKeyTab": "Clave Privada",
    "sshPrivateKeyField": "Clave Privada",
    "sshPrivateKeyDisclaimer": "Su clave privada no se almacena ni es visible para Pangolin. Alternativamente, puede usar certificados de corta duración para una autenticación sin interrupciones usando su identidad Pangolin existente.",
    "sshLearnMore": "Más información",
    "sshPrivateKeyFile": "Archivo de clave privada",
-    "sshAuthenticate": "Autenticarse",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Terminar",
    "sshPoweredBy": "Desarrollado por",
    "sshErrorNoTarget": "No se especificó el objetivo",
    "sshErrorWebSocket": "Conexión WebSocket fallida",
    "sshErrorAuthFailed": "Falló la autenticación",
-    "sshErrorConnectionClosed": "La conexión se cerró antes de completar la autenticación"
+    "sshErrorConnectionClosed": "La conexión se cerró antes de completar la autenticación",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Voir les ressources privées",
    "siteInstallNewt": "Installer Newt",
    "siteInstallNewtDescription": "Faites fonctionner Newt sur votre système",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configuration WireGuard",
    "WgConfigurationDescription": "Utilisez la configuration suivante pour vous connecter au réseau",
    "operatingSystem": "Système d'exploitation",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Vous ne pourrez voir cela qu'une seule fois. Assurez-vous de l'enregistrer dans un endroit sécurisé.",
    "siteInfo": "Informations du nœud",
    "status": "Statut",
-    "shareTitle": "Gérer les liens partageables",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Créez des liens partageables pour accorder un accès temporaire ou permanent aux ressources de proxy",
-    "shareSearch": "Rechercher des liens partageables...",
-    "shareCreate": "Créer un lien partageable",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Impossible de supprimer le lien",
    "shareErrorDeleteMessage": "Une erreur s'est produite lors de la suppression du lien",
    "shareDeleted": "Lien supprimé",
    "shareDeletedDescription": "Le lien a été supprimé",
-    "shareDelete": "Supprimer le lien de partage",
-    "shareDeleteConfirm": "Confirmer la suppression du lien de partage",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Êtes-vous sûr de vouloir supprimer ce lien de partage ?",
    "shareMessageRemove": "Une fois supprimé, le lien ne fonctionnera plus et toute personne l'utilisant perdra l'accès à la ressource.",
    "shareTokenDescription": "Le jeton d'accès peut être passé de deux façons : en tant que paramètre de requête ou dans les en-têtes de la requête. Elles doivent être transmises par le client à chaque demande d'accès authentifié.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "N'importe qui avec ce lien peut accéder à la ressource",
    "shareTitleOptional": "Titre (facultatif)",
    "sharePathOptional": "Chemin (optionnel)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Expire dans",
    "neverExpire": "N'expire jamais",
    "shareExpireDescription": "Le délai d'expiration correspond à la période pendant laquelle le lien sera utilisable et permettra d'accéder à la ressource. Passé ce délai, le lien ne fonctionnera plus et les utilisateurs qui l'ont utilisé perdront l'accès à la ressource.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Veuillez sélectionner une ressource",
    "proxyResourceTitle": "Gérer les ressources publiques",
    "proxyResourceDescription": "Créer et gérer des ressources accessibles au public via un navigateur web",
-    "publicResourcesBannerTitle": "Accès public basé sur le Web",
-    "publicResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS ou TCP/UDP accessibles par tout le monde sur Internet via un navigateur Web. Contrairement aux ressources privées, elles n'exigent pas de logiciel côté client et peuvent inclure des politiques d'accès basées sur l'identité et le contexte.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Gérer les ressources privées",
    "clientResourceDescription": "Créer et gérer des ressources qui ne sont accessibles que via un client connecté",
    "privateResourcesBannerTitle": "Accès privé sans confiance",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Chercher des ressources...",
    "resourceAdd": "Ajouter une ressource",
    "resourceErrorDelte": "Erreur lors de la de suppression de la ressource",
-    "resourcePoliciesTitle": "Gérer les politiques de ressource",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Ressources attachées",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} ressource(s)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "pas de ressources",
-    "resourcePoliciesDescription": "Créer et gérer des politiques d'authentification pour contrôler l'accès à vos ressources",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Chercher des politiques...",
    "resourcePoliciesAdd": "Ajouter une politique",
    "resourcePoliciesDefaultBadgeText": "Politique par défaut",
-    "resourcePoliciesCreate": "Créer une politique de ressource",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle politique",
    "resourcePolicyName": "Nom de la politique",
    "resourcePolicyNameDescription": "Donnez à cette politique un nom pour l'identifier parmi vos ressources",
@@ -274,7 +281,7 @@
    "back": "Précédent",
    "cancel": "Abandonner",
    "resourceConfig": "Snippets de configuration",
-    "resourceConfigDescription": "Copiez et collez ces extraits de configuration pour configurer la ressource TCP/UDP",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Ajouter des points d'entrée",
    "resourceExposePorts": "Gerbil: Exposer des ports dans Docker Compose",
    "resourceLearnRaw": "Apprenez à configurer les ressources TCP/UDP",
@@ -287,6 +294,8 @@
    "labelDelete": "Supprimer Étiquette",
    "labelAdd": "Ajouter Étiquette",
    "labelCreateSuccessMessage": "Étiquette créée avec succès",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Étiquette modifiée avec succès",
    "labelNameField": "Nom de l'étiquette",
    "labelColorField": "Couleur de l'étiquette",
@@ -311,7 +320,7 @@
    "rules": "Règles",
    "resourceSettingDescription": "Configurer les paramètres de la ressource",
    "resourceSetting": "Réglages de {resourceName}",
-    "resourcePolicySettingDescription": "Configurer les paramètres de la politique de ressource",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Paramètres de {policyName}",
    "alwaysAllow": "Outrepasser l'authentification",
    "alwaysDeny": "Bloquer l'accès",
@@ -719,7 +728,7 @@
    "targetSubmit": "Ajouter une cible",
    "targetNoOne": "Cette ressource n'a aucune cible. Ajoutez une cible pour configurer où envoyer des requêtes à l'arrière-plan.",
    "targetNoOneDescription": "L'ajout de plus d'une cible ci-dessus activera l'équilibrage de charge.",
-    "targetsSubmit": "Enregistrer les cibles",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Ajouter une cible",
    "proxyMultiSiteRoundRobinNodeHelp": "Le routage en tourniquet n'opérera pas entre des sites qui ne sont pas connectés au même nœud, mais le basculement fonctionnera.",
    "targetErrorInvalidIp": "Adresse IP invalide",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Règle en double",
    "rulesErrorDuplicateDescription": "Une règle avec ces paramètres existe déjà",
    "rulesErrorInvalidIpAddressRange": "CIDR invalide",
-    "rulesErrorInvalidIpAddressRangeDescription": "Veuillez entrer une valeur CIDR valide",
-    "rulesErrorInvalidUrl": "Chemin URL invalide",
-    "rulesErrorInvalidUrlDescription": "Veuillez entrer un chemin URL valide",
-    "rulesErrorInvalidIpAddress": "IP invalide",
-    "rulesErrorInvalidIpAddressDescription": "Veuillez entrer une adresse IP valide",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Échec de la mise à jour des règles",
    "rulesErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour des règles",
    "rulesUpdated": "Activer les règles",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Entrez une adresse au format CIDR (ex: 103.21.244.0/22)",
    "rulesMatchIpAddress": "Entrez une adresse IP (ex: 103.21.244.12)",
    "rulesMatchUrl": "Entrez un chemin URL ou un motif (ex: /api/v1/todos ou /api/v1/*)",
-    "rulesErrorInvalidPriority": "Priorité invalide",
-    "rulesErrorInvalidPriorityDescription": "Veuillez entrer une priorité valide",
-    "rulesErrorDuplicatePriority": "Priorités en double",
-    "rulesErrorDuplicatePriorityDescription": "Veuillez entrer des priorités uniques",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Règles mises à jour",
    "ruleUpdatedDescription": "Règles mises à jour avec succès",
    "ruleErrorUpdate": "L'opération a échoué",
    "ruleErrorUpdateDescription": "Une erreur s'est produite lors de l'enregistrement",
    "rulesPriority": "Priorité",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Action",
    "rulesMatchType": "Type de correspondance",
    "value": "Valeur",
@@ -792,7 +810,7 @@
    "rulesResource": "Configuration des règles de ressource",
    "rulesResourceDescription": "Configurer les règles pour contrôler l'accès à la ressource",
    "ruleSubmit": "Ajouter une règle",
-    "rulesNoOne": "Aucune règle. Ajoutez une règle en utilisant le formulaire.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Les règles sont évaluées par priorité dans l'ordre croissant.",
    "rulesSubmit": "Enregistrer les règles",
    "policyErrorCreate": "Erreur lors de la création de la politique",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Une erreur inattendue s'est produite",
    "policyCreatedSuccess": "Politique de ressource créée avec succès",
    "policyUpdatedSuccess": "Politique de ressource mise à jour avec succès",
-    "authMethodsSave": "Enregistrer les méthodes d'authentification",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Enregistrer les règles",
    "resourceErrorCreate": "Erreur lors de la création de la ressource",
    "resourceErrorCreateDescription": "Une erreur s'est produite lors de la création de la ressource",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour de la ressource",
    "access": "Accès",
    "accessControl": "Contrôle d'accès",
-    "shareLink": "Lien de partage {resource}",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Sélectionner une ressource",
-    "shareLinks": "Liens de partage",
+    "shareLinks": "Shareable Links",
    "share": "Liens partageables",
    "shareDescription2": "Créez des liens partageables vers des ressources. Les liens fournissent un accès temporaire ou illimité à votre ressource. Vous pouvez configurer la durée d'expiration du lien lorsque vous en créez un.",
    "shareEasyCreate": "Facile à créer et à partager",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Les administrateurs peuvent toujours accéder à cette ressource.",
    "resourcePolicySelectTitle": "Politique d'accès à la ressource",
    "resourcePolicySelectDescription": "Sélectionner le type de politique de ressource pour l'authentification",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Politique de ressource en ligne",
    "resourcePolicyInlineDescription": "Politique d'accès limitée uniquement à cette ressource",
    "resourcePolicyShared": "Politique de ressource partagée",
-    "resourcePolicySharedDescription": "Cette ressource utilise une politique partagée. Les paramètres de niveau politique (méthodes d'authentification, liste blanche email) sont verrouillés. Vous pouvez ajouter des règles spécifiques à la ressource, rôles et utilisateurs ci-dessous.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Contrôles d'accès",
    "resourceUsersRolesDescription": "Configurer quels utilisateurs et rôles peuvent visiter cette ressource",
    "resourceUsersRolesSubmit": "Enregistrer les contrôles d'accès",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilité",
    "resourceVisibilityTitleDescription": "Activer ou désactiver complètement la visibilité de la ressource",
    "resourceGeneral": "Paramètres généraux",
-    "resourceGeneralDescription": "Configurer les paramètres généraux de cette ressource",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Activer la ressource",
    "resourceTransfer": "Transférer la ressource",
    "resourceTransferDescription": "Transférer cette ressource vers un autre site",
@@ -1220,11 +1294,14 @@
    "addLabels": "Ajouter des étiquettes",
    "siteLabelsTab": "Étiquettes",
    "siteLabelsDescription": "Gérer les étiquettes associées à ce site.",
-    "labelsNotFound": "Étiquettes introuvables",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Chercher des étiquettes",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# étiquette} other {# étiquettes}}",
    "labelOverflowCount": "+{count, plural, one {# étiquette} other {# étiquettes}}",
    "accessLabelFilterClear": "Effacer les filtres d'étiquette",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Sélectionner la couleur",
    "createNewLabel": "Créer une nouvelle étiquette d'organisation \"{label}\"",
    "inviteInvalidDescription": "Le lien d'invitation n'est pas valide.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Ressource",
    "sidebarProxyResources": "Publique",
    "sidebarClientResources": "Privé",
-    "sidebarPolicies": "Politiques",
-    "sidebarResourcePolicies": "Ressources",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Contrôle d'accès",
    "sidebarLogsAndAnalytics": "Journaux & Analytiques",
    "sidebarTeam": "Equipe",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Administrateur",
    "sidebarInvitations": "Invitations",
    "sidebarRoles": "Rôles",
-    "sidebarShareableLinks": "Liens",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "Clés API",
    "sidebarProvisioning": "Mise en place",
    "sidebarSettings": "Réglages",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Ressource {id}",
    "blueprints": "Configs",
    "blueprintsLog": "Journal des plans",
-    "blueprintsDescription": "Voir les applications passées des plans et leurs résultats",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Ajouter une Config",
    "blueprintGoBack": "Voir toutes les Configs",
    "blueprintCreate": "Créer une Config",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Activer la Config Docker",
    "enableDockerSocketDescription": "Activer le ramassage d'étiquettes de socket Docker pour les étiquettes de plan. Le chemin du socket doit être fourni au connecteur du site. Lisez plus à ce sujet dans <docsLink>la documentation</docsLink>.",
    "newtAutoUpdate": "Activer la mise à jour automatique du site",
-    "newtAutoUpdateDescription": "Lorsqu'il est activé, les connecteurs de site se mettront automatiquement à jour vers la dernière version lorsqu'une nouvelle version sera disponible.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Mise à jour automatique du site",
    "siteAutoUpdateLabel": "Activer la mise à jour automatique",
-    "siteAutoUpdateDescription": "Contrôler si le connecteur de ce site télécharge automatiquement la dernière version.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Valeur par défaut de l'organisation : {state}",
    "siteAutoUpdateOverriding": "Substitution des paramètres de l'organisation",
    "siteAutoUpdateResetToOrg": "Réinitialiser à la valeur par défaut de l'organisation",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Configuration du compte terminée! Bienvenue chez Pangolin !",
    "documentation": "Documentation",
    "saveAllSettings": "Enregistrer tous les paramètres",
-    "saveResourceTargets": "Enregistrer les cibles",
-    "saveResourceHttp": "Enregistrer les paramètres de proxy",
-    "saveProxyProtocol": "Enregistrer les paramètres du protocole proxy",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Paramètres mis à jour",
    "settingsUpdatedDescription": "Paramètres mis à jour avec succès",
    "settingsErrorUpdate": "Échec de la mise à jour des paramètres",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Inconnu",
    "healthCheck": "Vérification de l'état de santé",
    "configureHealthCheck": "Configurer la vérification de l'état de santé",
-    "configureHealthCheckDescription": "Configurer la surveillance de la santé pour {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Activer les vérifications de santé",
    "healthCheckDisabledStateDescription": "Lorsqu'il est désactivé, le site ne procédera pas aux vérifications de santé et l'état sera considéré comme inconnu.",
    "enableHealthChecksDescription": "Surveiller la vie de cette cible. Vous pouvez surveiller un point de terminaison différent de la cible si nécessaire.",
    "healthScheme": "Méthode",
    "healthSelectScheme": "Sélectionnez la méthode",
-    "healthCheckPortInvalid": "Le port du bilan de santé doit être compris entre 1 et 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Chemin d'accès",
    "healthHostname": "IP / Hôte",
    "healthPort": "Port",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Exiger les autorisations de l'appareil",
    "requireDeviceApprovalDescription": "Les utilisateurs ayant ce rôle ont besoin de nouveaux périphériques approuvés par un administrateur avant de pouvoir se connecter et accéder aux ressources.",
    "sshSettings": "Paramètres SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Paramètres RDP",
    "vncSettings": "Paramètres VNC",
    "sshServer": "Serveur SSH",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Assurez-vous que votre hôte cible est correctement configuré pour exécuter le daemon auth avant de terminer cette configuration, ou l'approvisionnement échouera.",
    "sshDaemonPort": "Port du Démon",
    "sshServerDestination": "Destination du Serveur",
-    "sshServerDestinationDescription": "Configurer la destination et le port du serveur SSH",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Destination",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "La sélection de plusieurs sites permet un routage résilient et une bascule pour une haute disponibilité.",
    "roleAllowSsh": "Autoriser SSH",
    "roleAllowSshAllow": "Autoriser",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "L'utilisateur ne peut exécuter que les commandes spécifiées avec sudo.",
    "sshSudo": "Autoriser sudo",
    "sshSudoCommands": "Commandes Sudo",
-    "sshSudoCommandsDescription": "Liste de commandes séparées par des virgules que l'utilisateur est autorisé à exécuter avec sudo. Des chemins absolus doivent être utilisés.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Créer un répertoire personnel",
    "sshUnixGroups": "Groupes Unix",
-    "sshUnixGroupsDescription": "Groupes Unix séparés par des virgules pour ajouter l'utilisateur sur l'hôte cible.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Tentatives de réessai",
    "expectedResponseCodes": "Codes de réponse attendus",
    "expectedResponseCodesDescription": "Code de statut HTTP indiquant un état de santé satisfaisant. Si non renseigné, 200-300 est considéré comme satisfaisant.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Activer le protocole Proxy",
    "proxyProtocolInfo": "Conserver les adresses IP du client pour les backends TCP",
    "proxyProtocolVersion": "Version du protocole proxy",
-    "version1": " Version 1 (Recommandé)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Version 2",
-    "versionDescription": "La version 1 est basée sur du texte et est largement supportée. La version 2 est binaire et plus efficace mais moins compatible.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Avertissement",
    "proxyProtocolWarning": "L'application backend doit être configurée pour accepter les connexions Proxy Protocol. Si votre backend ne prend pas en charge le protocole Proxy, l'activation de cette option va perturber toutes les connexions, donc n'activez cette option que si vous savez ce que vous faites. Assurez-vous de configurer votre backend pour faire confiance aux en-têtes du protocole Proxy de Traefik.",
    "restarting": "Redémarrage...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Entrez la confirmation",
    "blueprintViewDetails": "Détails",
    "defaultIdentityProvider": "Fournisseur d'identité par défaut",
-    "defaultIdentityProviderDescription": "Lorsqu'un fournisseur d'identité par défaut est sélectionné, l'utilisateur sera automatiquement redirigé vers le fournisseur pour authentification.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
    "editInternalResourceDialogAccessPolicy": "Politique d'accès",
    "editInternalResourceDialogAddRoles": "Ajouter des rôles",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Type de mode de maintenance",
    "showMaintenancePage": "Afficher une page de maintenance aux visiteurs",
    "enableMaintenanceMode": "Activer le mode de maintenance",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatique",
    "automaticModeDescription": "Afficher la page de maintenance uniquement lorsque toutes les cibles backend sont en panne ou dégradées. Votre ressource continue à fonctionner normalement tant qu'au moins une cible est en bonne santé.",
    "forced": "Forcé",
@@ -3082,6 +3182,8 @@
    "warning:": "Attention :",
    "forcedeModeWarning": "Tout le trafic sera dirigé vers la page de maintenance. Vos ressources backend ne recevront aucune demande.",
    "pageTitle": "Titre de la page",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Le titre principal affiché sur la page de maintenance",
    "maintenancePageMessage": "Message de maintenance",
    "maintenancePageMessagePlaceholder": "Nous serons bientôt de retour ! Notre site est actuellement en maintenance planifiée.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Êtes-vous sûr de vouloir dissocier ce fournisseur d'identités de cette organisation?",
    "idpUnassociateDescription": "Tous les utilisateurs associés à ce fournisseur d'identités seront retirés de cette organisation, mais le fournisseur d'identités continuera d'exister pour d'autres organisations associées.",
    "idpUnassociateConfirm": "Confirmer la dissociation du fournisseur d'identités",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Cela ne peut pas être annulé pour cette organisation.",
    "idpUnassociatedDescription": "Fournisseur d'identités dissocié de cette organisation avec succès",
    "idpUnassociateMenu": "Dissocier",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Connexion…",
    "sshInitializing": "Initialisation…",
    "sshSignInTitle": "Se connecter à SSH",
-    "sshSignInDescription": "Entrez vos identifiants SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Mot de passe",
    "sshPrivateKeyTab": "Clé Privée",
    "sshPrivateKeyField": "Clé Privée",
    "sshPrivateKeyDisclaimer": "Votre clé privée n'est pas stockée ou visible par Pangolin. Alternativement, vous pouvez utiliser des certificats de courte durée pour une authentification transparente utilisant votre identité Pangolin existante.",
    "sshLearnMore": "En savoir plus",
    "sshPrivateKeyFile": "Fichier de Clé Privée",
-    "sshAuthenticate": "Authentifier",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Terminer",
    "sshPoweredBy": "Propulsé par",
    "sshErrorNoTarget": "Aucune cible spécifiée",
    "sshErrorWebSocket": "Échec de la connexion WebSocket",
    "sshErrorAuthFailed": "Échec de l'authentification",
-    "sshErrorConnectionClosed": "Connexion fermée avant que l'authentification soit terminée"
+    "sshErrorConnectionClosed": "Connexion fermée avant que l'authentification soit terminée",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Visualizza Risorse Private",
    "siteInstallNewt": "Installa Newt",
    "siteInstallNewtDescription": "Esegui Newt sul tuo sistema",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configurazione WireGuard",
    "WgConfigurationDescription": "Utilizzare la seguente configurazione per connettersi alla rete",
    "operatingSystem": "Sistema Operativo",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Potrai vederlo solo una volta. Assicurati di copiarlo in un luogo sicuro.",
    "siteInfo": "Informazioni Sito",
    "status": "Stato",
-    "shareTitle": "Gestisci Collegamenti Di Condivisione",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Crea link condivisibili per concedere accesso temporaneo o permanente alle risorse proxy",
-    "shareSearch": "Cerca link condivisi...",
-    "shareCreate": "Crea Link Di Condivisione",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Impossibile eliminare il link",
    "shareErrorDeleteMessage": "Si è verificato un errore durante l'eliminazione del link",
    "shareDeleted": "Link eliminato",
    "shareDeletedDescription": "Il link è stato eliminato",
-    "shareDelete": "Elimina Link di Condivisione",
-    "shareDeleteConfirm": "Conferma Eliminazione Link di Condivisione",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Sei sicuro di voler eliminare questo link di condivisione?",
    "shareMessageRemove": "Una volta eliminato, il link non funzionerà più e chiunque lo utilizzi perderà l'accesso alla risorsa.",
    "shareTokenDescription": "Il token di accesso può essere passato in due modi: come parametro di interrogazione o nelle intestazioni della richiesta. Questi devono essere passati dal client su ogni richiesta di accesso autenticato.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Chiunque con questo link può accedere alla risorsa",
    "shareTitleOptional": "Titolo (facoltativo)",
    "sharePathOptional": "Percorso (opzionale)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Scadenza In",
    "neverExpire": "Nessuna scadenza",
    "shareExpireDescription": "Il tempo di scadenza indica per quanto tempo il link sarà utilizzabile e fornirà accesso alla risorsa. Dopo questo tempo, il link non funzionerà più e gli utenti che hanno utilizzato questo link perderanno l'accesso alla risorsa.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Seleziona una risorsa",
    "proxyResourceTitle": "Gestisci Risorse Pubbliche",
    "proxyResourceDescription": "Creare e gestire risorse pubbliche accessibili tramite un browser web",
-    "publicResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
-    "publicResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili da chiunque tramite Internet da un browser web. A differenza delle risorse private non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Gestisci Risorse Private",
    "clientResourceDescription": "Crea e gestisci risorse accessibili solo tramite un client connesso",
    "privateResourcesBannerTitle": "Accesso Privato Zero-Trust",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Cerca risorse...",
    "resourceAdd": "Aggiungi Risorsa",
    "resourceErrorDelte": "Errore nell'eliminare la risorsa",
-    "resourcePoliciesTitle": "Gestisci Politiche sulle Risorse",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Risorse collegate",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} risorsa(e)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "nessuna risorsa",
-    "resourcePoliciesDescription": "Crea e gestisci le politiche di autenticazione per controllare l'accesso alle tue risorse",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Cerca politiche...",
    "resourcePoliciesAdd": "Aggiungi Politica",
    "resourcePoliciesDefaultBadgeText": "Politica Predefinita",
-    "resourcePoliciesCreate": "Crea Politica Risorse",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Segui i passaggi seguenti per creare una nuova politica",
    "resourcePolicyName": "Nome Politica",
    "resourcePolicyNameDescription": "Dai un nome a questa politica per identificarla tra le tue risorse",
@@ -274,7 +281,7 @@
    "back": "Indietro",
    "cancel": "Annulla",
    "resourceConfig": "Snippet Di Configurazione",
-    "resourceConfigDescription": "Copia e incolla questi snippet di configurazione per configurare la risorsa TCP/UDP",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Aggiungi Entrypoint",
    "resourceExposePorts": "Gerbil: espone le porte in Docker Compose",
    "resourceLearnRaw": "Scopri come configurare le risorse TCP/UDP",
@@ -287,6 +294,8 @@
    "labelDelete": "Elimina Etichetta",
    "labelAdd": "Aggiungi Etichetta",
    "labelCreateSuccessMessage": "Etichetta Creata con Successo",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Etichetta Modificata con Successo",
    "labelNameField": "Nome Etichetta",
    "labelColorField": "Colore Etichetta",
@@ -311,7 +320,7 @@
    "rules": "Regole",
    "resourceSettingDescription": "Configura le impostazioni sulla risorsa",
    "resourceSetting": "Impostazioni {resourceName}",
-    "resourcePolicySettingDescription": "Configura le impostazioni sulla politica delle risorse",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Impostazioni del sito {policyName}",
    "alwaysAllow": "Bypass Autenticazione",
    "alwaysDeny": "Blocca Accesso",
@@ -719,7 +728,7 @@
    "targetSubmit": "Aggiungi Target",
    "targetNoOne": "Questa risorsa non ha destinazioni. Aggiungi un obiettivo per configurare dove inviare richieste al backend.",
    "targetNoOneDescription": "L'aggiunta di più di un target abiliterà il bilanciamento del carico.",
-    "targetsSubmit": "Salva Target",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Aggiungi Target",
    "proxyMultiSiteRoundRobinNodeHelp": "Il routing round robin non funzionerà tra siti che non sono connessi allo stesso nodo, ma il failover funzionerà.",
    "targetErrorInvalidIp": "Indirizzo IP non valido",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Regola duplicata",
    "rulesErrorDuplicateDescription": "Esiste già una regola con queste impostazioni",
    "rulesErrorInvalidIpAddressRange": "CIDR non valido",
-    "rulesErrorInvalidIpAddressRangeDescription": "Inserisci un valore CIDR valido",
-    "rulesErrorInvalidUrl": "Percorso URL non valido",
-    "rulesErrorInvalidUrlDescription": "Inserisci un valore di percorso URL valido",
-    "rulesErrorInvalidIpAddress": "IP non valido",
-    "rulesErrorInvalidIpAddressDescription": "Inserisci un indirizzo IP valido",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Impossibile aggiornare le regole",
    "rulesErrorUpdateDescription": "Si è verificato un errore durante l'aggiornamento delle regole",
    "rulesUpdated": "Abilita Regole",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Inserisci un indirizzo in formato CIDR (es. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Inserisci un indirizzo IP (es. 103.21.244.12)",
    "rulesMatchUrl": "Inserisci un percorso URL o pattern (es. /api/v1/todos o /api/v1/*)",
-    "rulesErrorInvalidPriority": "Priorità Non Valida",
-    "rulesErrorInvalidPriorityDescription": "Inserisci una priorità valida",
-    "rulesErrorDuplicatePriority": "Priorità Duplicate",
-    "rulesErrorDuplicatePriorityDescription": "Inserisci priorità uniche",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Regole aggiornate",
    "ruleUpdatedDescription": "Regole aggiornate con successo",
    "ruleErrorUpdate": "Operazione fallita",
    "ruleErrorUpdateDescription": "Si è verificato un errore durante il salvataggio",
    "rulesPriority": "Priorità",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Azione",
    "rulesMatchType": "Tipo di Corrispondenza",
    "value": "Valore",
@@ -792,7 +810,7 @@
    "rulesResource": "Configurazione Regole Risorsa",
    "rulesResourceDescription": "Configura le regole per controllare l'accesso alla risorsa",
    "ruleSubmit": "Aggiungi Regola",
-    "rulesNoOne": "Nessuna regola. Aggiungi una regola usando il modulo.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Le regole sono valutate per priorità in ordine crescente.",
    "rulesSubmit": "Salva Regole",
    "policyErrorCreate": "Errore nella creazione della politica",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Si è verificato un errore imprevisto",
    "policyCreatedSuccess": "Politica risorse creata con successo",
    "policyUpdatedSuccess": "Politica risorse aggiornata con successo",
-    "authMethodsSave": "Salva metodi di autenticazione",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Salva Regole",
    "resourceErrorCreate": "Errore nella creazione della risorsa",
    "resourceErrorCreateDescription": "Si è verificato un errore durante la creazione della risorsa",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Si è verificato un errore durante l'aggiornamento della risorsa",
    "access": "Accesso",
    "accessControl": "Controllo Accessi",
-    "shareLink": "Link di Condivisione {resource}",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Seleziona risorsa",
-    "shareLinks": "Link di Condivisione",
+    "shareLinks": "Shareable Links",
    "share": "Link Condivisibili",
    "shareDescription2": "Crea link condivisibili alle risorse. I link forniscono un accesso temporaneo o illimitato alla tua risorsa. È possibile configurare la durata di scadenza del collegamento quando ne viene creato uno.",
    "shareEasyCreate": "Facile da creare e condividere",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Gli amministratori possono sempre accedere a questa risorsa.",
    "resourcePolicySelectTitle": "Politica di Accesso Risorse",
    "resourcePolicySelectDescription": "Seleziona il tipo di politica delle risorse per l'autenticazione",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Politica Inline delle Risorse",
    "resourcePolicyInlineDescription": "Politica di Accesso limitata solo a questa risorsa",
    "resourcePolicyShared": "Politica Condivisa delle Risorse",
-    "resourcePolicySharedDescription": "Questa risorsa utilizza una politica condivisa. Le impostazioni a livello di politica (metodi di autenticazione, email whitelist) sono bloccate. Puoi aggiungere regole, ruoli e utenti specifici per la risorsa di seguito.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Controlli di Accesso",
    "resourceUsersRolesDescription": "Configura quali utenti e ruoli possono visitare questa risorsa",
    "resourceUsersRolesSubmit": "Salva Controlli di Accesso",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilità",
    "resourceVisibilityTitleDescription": "Abilita o disabilita completamente la visibilità della risorsa",
    "resourceGeneral": "Impostazioni Generali",
-    "resourceGeneralDescription": "Configura le impostazioni generali per questa risorsa",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Abilita Risorsa",
    "resourceTransfer": "Trasferisci Risorsa",
    "resourceTransferDescription": "Trasferisci questa risorsa a un sito diverso",
@@ -1220,11 +1294,14 @@
    "addLabels": "Aggiungi etichette",
    "siteLabelsTab": "Etichette",
    "siteLabelsDescription": "Gestisci le etichette associate a questo sito.",
-    "labelsNotFound": "Etichette non trovate",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Cerca etichette",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# etichetta} other {# etichette}}",
    "labelOverflowCount": "+{count, plural, one {# etichetta} other {# etichette}}",
    "accessLabelFilterClear": "Cancella filtri etichette",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Seleziona colore",
    "createNewLabel": "Crea nuova etichetta dell'organizzazione \"{label}\"",
    "inviteInvalidDescription": "Il link di invito non è valido.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Risorse",
    "sidebarProxyResources": "Pubblico",
    "sidebarClientResources": "Privato",
-    "sidebarPolicies": "Politiche",
-    "sidebarResourcePolicies": "Risorse",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Controllo Accesso",
    "sidebarLogsAndAnalytics": "Registri E Analisi",
    "sidebarTeam": "Squadra",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Amministratore",
    "sidebarInvitations": "Inviti",
    "sidebarRoles": "Ruoli",
-    "sidebarShareableLinks": "Collegamenti",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "Chiavi API",
    "sidebarProvisioning": "Accantonamento",
    "sidebarSettings": "Impostazioni",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Risorsa {id}",
    "blueprints": "Progetti",
    "blueprintsLog": "Registro Progetti",
-    "blueprintsDescription": "Visualizza le applicazioni passate dei progetti e i loro risultati",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Aggiungi Progetto",
    "blueprintGoBack": "Vedi tutti i progetti",
    "blueprintCreate": "Crea Progetto",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Abilita Progetto Docker",
    "enableDockerSocketDescription": "Abilita lo scraping delle etichette Docker Socket per le etichette dei progetti. Il percorso del socket deve essere fornito al connettore del sito. Leggi come funziona nel <docsLink>documentazione</docsLink>.",
    "newtAutoUpdate": "Abilita Aggiornamento Automatico del Sito",
-    "newtAutoUpdateDescription": "Quando abilitato, i connettori di sito si aggiorneranno automaticamente all'ultima versione quando è disponibile un nuovo rilascio.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Aggiornamento Automatico del Sito",
    "siteAutoUpdateLabel": "Abilita Aggiornamento Automatico",
-    "siteAutoUpdateDescription": "Controlla se il connettore di questo sito scarica automaticamente l'ultima versione.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Predefinito dell'organizzazione: {state}",
    "siteAutoUpdateOverriding": "Sovrascrivere le impostazioni dell'organizzazione",
    "siteAutoUpdateResetToOrg": "Reimposta al Predefinito dell'Organizzazione",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Configurazione dell'account completata! Benvenuto su Pangolin!",
    "documentation": "Documentazione",
    "saveAllSettings": "Salva Tutte le Impostazioni",
-    "saveResourceTargets": "Salva Target",
-    "saveResourceHttp": "Salva Impostazioni Proxy",
-    "saveProxyProtocol": "Salva impostazioni protocollo proxy",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Impostazioni aggiornate",
    "settingsUpdatedDescription": "Impostazioni aggiornate con successo",
    "settingsErrorUpdate": "Impossibile aggiornare le impostazioni",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Sconosciuto",
    "healthCheck": "Controllo Salute",
    "configureHealthCheck": "Configura Controllo Salute",
-    "configureHealthCheckDescription": "Imposta il monitoraggio della salute per {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Abilita i Controlli di Salute",
    "healthCheckDisabledStateDescription": "Quando disabilitato, il sito non eseguirà controlli di integrità e lo stato sarà considerato sconosciuto.",
    "enableHealthChecksDescription": "Monitorare lo stato di salute di questo obiettivo. Se necessario, è possibile monitorare un endpoint diverso da quello del bersaglio.",
    "healthScheme": "Metodo",
    "healthSelectScheme": "Seleziona Metodo",
-    "healthCheckPortInvalid": "La porta di controllo dello stato di salute deve essere compresa tra 1 e 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Percorso",
    "healthHostname": "IP / Nome host",
    "healthPort": "Porta",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Richiede Approvazioni Dispositivo",
    "requireDeviceApprovalDescription": "Gli utenti con questo ruolo hanno bisogno di nuovi dispositivi approvati da un amministratore prima di poter connettersi e accedere alle risorse.",
    "sshSettings": "Impostazioni SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Impostazioni RDP",
    "vncSettings": "Impostazioni VNC",
    "sshServer": "Server SSH",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Assicurati che l'host target sia correttamente configurato per eseguire il demone di autenticazione prima di completare questa configurazione, altrimenti il provisioning fallirà.",
    "sshDaemonPort": "Porta Daemon",
    "sshServerDestination": "Destinazione Server",
-    "sshServerDestinationDescription": "Configura la destinazione e la porta del server SSH",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Destinazione",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Selezionare più siti abilita instradamento resiliente e failover per alta disponibilità.",
    "roleAllowSsh": "Consenti SSH",
    "roleAllowSshAllow": "Consenti",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "L'utente può eseguire solo i comandi specificati con sudo.",
    "sshSudo": "Consenti sudo",
    "sshSudoCommands": "Comandi Sudo",
-    "sshSudoCommandsDescription": "Elenco separato da virgole di comandi che l'utente è autorizzato a eseguire con sudo. Devono essere utilizzati percorsi assoluti.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Crea Cartella Home",
    "sshUnixGroups": "Gruppi Unix",
-    "sshUnixGroupsDescription": "Gruppi Unix separati da virgole per aggiungere l'utente sull'host di destinazione.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Tentativi di Riprova",
    "expectedResponseCodes": "Codici di Risposta Attesi",
    "expectedResponseCodesDescription": "Codice di stato HTTP che indica lo stato di salute. Se lasciato vuoto, considerato sano è compreso tra 200-300.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Abilita Protocollo Proxy",
    "proxyProtocolInfo": "Conserva gli indirizzi IP del client per i backend TCP",
    "proxyProtocolVersion": "Versione Protocollo Proxy",
-    "version1": " Versione 1 (Consigliato)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Versione 2",
-    "versionDescription": "La versione 1 è testuale e ampiamente supportata. La versione 2 è binaria e più efficiente, ma meno compatibile.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Attenzione",
    "proxyProtocolWarning": "L'applicazione backend deve essere configurata per accettare le connessioni del protocollo proxy. Se il tuo backend non supporta il protocollo proxy, abilitarlo interromperà tutte le connessioni, quindi attivalo solo se sai cosa stai facendo. Assicurati di configurare il tuo backend per fidarti delle intestazioni del protocollo proxy da Traefik.",
    "restarting": "Riavvio...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Inserisci conferma",
    "blueprintViewDetails": "Dettagli",
    "defaultIdentityProvider": "Provider di Identità Predefinito",
-    "defaultIdentityProviderDescription": "Quando viene selezionato un provider di identità predefinito, l'utente verrà automaticamente reindirizzato al provider per l'autenticazione.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
    "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
    "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Tipo di Modalità di Manutenzione",
    "showMaintenancePage": "Mostra una pagina di manutenzione ai visitatori",
    "enableMaintenanceMode": "Abilita Modalità di Manutenzione",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatico",
    "automaticModeDescription": "Mostra pagina di manutenzione solo quando tutti i target del backend sono inattivi o non in salute. La tua risorsa continua a funzionare normalmente finché almeno un target è in salute.",
    "forced": "Forzato",
@@ -3082,6 +3182,8 @@
    "warning:": "Avviso:",
    "forcedeModeWarning": "Tutto il traffico verrà indirizzato alla pagina di manutenzione. Le risorse del tuo backend non riceveranno richieste.",
    "pageTitle": "Titolo Pagina",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "L'intestazione principale visualizzata sulla pagina di manutenzione",
    "maintenancePageMessage": "Messaggio di Manutenzione",
    "maintenancePageMessagePlaceholder": "Torneremo presto! Il nostro sito è attualmente in manutenzione programmata.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Sei sicuro di voler disassociare questo provider di identità da questa organizzazione?",
    "idpUnassociateDescription": "Tutti gli utenti associati a questo provider di identità verranno rimossi da questa organizzazione, ma il provider di identità continuerà ad esistere per altre organizzazioni associate.",
    "idpUnassociateConfirm": "Conferma Disassociazione Provider di Identità",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Questo non può essere annullato per questa organizzazione.",
    "idpUnassociatedDescription": "Provider di identità disassociato con successo da questa organizzazione",
    "idpUnassociateMenu": "Disassocia",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Connessione…",
    "sshInitializing": "Inizializzazione…",
    "sshSignInTitle": "Accedi a SSH",
-    "sshSignInDescription": "Inserisci le tue credenziali SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Password",
    "sshPrivateKeyTab": "Chiave Privata",
    "sshPrivateKeyField": "Chiave Privata",
    "sshPrivateKeyDisclaimer": "La tua chiave privata non è memorizzata o visibile a Pangolin. In alternativa, puoi utilizzare certificati a vita breve per un'autenticazione continua utilizzando la tua identità Pangolin esistente.",
    "sshLearnMore": "Scopri di più",
    "sshPrivateKeyFile": "File Chiave Privata",
-    "sshAuthenticate": "Autentica",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Termina",
    "sshPoweredBy": "Offerto da",
    "sshErrorNoTarget": "Nessun obiettivo specificato",
    "sshErrorWebSocket": "Connessione WebSocket fallita",
    "sshErrorAuthFailed": "Autenticazione fallita",
-    "sshErrorConnectionClosed": "Connessione chiusa prima del completamento dell'autenticazione"
+    "sshErrorConnectionClosed": "Connessione chiusa prima del completamento dell'autenticazione",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "개인 리소스 보기",
    "siteInstallNewt": "Newt 설치",
    "siteInstallNewtDescription": "시스템에서 Newt 실행하기",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard 구성",
    "WgConfigurationDescription": "네트워크에 연결하기 위한 다음 구성을 사용하세요.",
    "operatingSystem": "운영 체제",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
    "siteInfo": "사이트 정보",
    "status": "상태",
-    "shareTitle": "공유 링크 관리",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "공유 가능한 링크를 생성하여 프록시 리소스에 임시 또는 영구적으로 액세스하세요.",
-    "shareSearch": "공유 링크 검색...",
-    "shareCreate": "공유 링크 생성",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "링크 삭제에 실패했습니다.",
    "shareErrorDeleteMessage": "링크 삭제 중 오류가 발생했습니다.",
    "shareDeleted": "링크가 삭제되었습니다.",
    "shareDeletedDescription": "링크가 삭제되었습니다.",
-    "shareDelete": "공유 링크 삭제",
-    "shareDeleteConfirm": "공유 링크 삭제 확인",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "이 공유 링크를 삭제하시겠습니까?",
    "shareMessageRemove": "삭제되면 링크가 더 이상 작동하지 않으며, 이를 사용하는 모든 사용자는 자원에 대한 접근을 잃게 됩니다.",
    "shareTokenDescription": "액세스 토큰은 쿼리 매개변수 또는 요청 헤더의 두 가지 방법으로 전달될 수 있습니다. 이는 인증된 액세스를 위해 클라이언트에서 모든 요청마다 전달되어야 합니다.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "이 링크가 있는 누구나 리소스에 접근할 수 있습니다.",
    "shareTitleOptional": "제목 (선택 사항)",
    "sharePathOptional": "경로 (선택 사항)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "만료됨",
    "neverExpire": "만료되지 않음",
    "shareExpireDescription": "만료 시간은 링크가 사용 가능하고 리소스에 접근할 수 있는 기간입니다. 이 시간이 지나면 링크는 더 이상 작동하지 않으며, 이 링크를 사용한 사용자는 리소스에 대한 접근 권한을 잃게 됩니다.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "리소스를 선택하세요",
    "proxyResourceTitle": "공개 리소스 관리",
    "proxyResourceDescription": "웹 브라우저를 통해 공용으로 접근할 수 있는 리소스를 생성하고 관리하세요.",
-    "publicResourcesBannerTitle": "웹 기반 공공 접근",
-    "publicResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 또는 TCP/UDP 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "개인 리소스 관리",
    "clientResourceDescription": "연결된 클라이언트를 통해서만 접근할 수 있는 리소스를 생성하고 관리하세요.",
    "privateResourcesBannerTitle": "제로 트러스트 개인 접근",
@@ -209,15 +212,19 @@
    "resourcesSearch": "리소스 검색...",
    "resourceAdd": "리소스 추가",
    "resourceErrorDelte": "리소스 삭제 중 오류 발생",
-    "resourcePoliciesTitle": "리소스 정책 관리",
-    "resourcePoliciesAttachedResourcesColumnTitle": "첨부 리소스",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} 리소스",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "리소스 없음",
-    "resourcePoliciesDescription": "리소스에 대한 접근을 제어할 인증 정책을 생성 및 관리합니다",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "정책 검색...",
    "resourcePoliciesAdd": "정책 추가",
    "resourcePoliciesDefaultBadgeText": "기본 정책",
-    "resourcePoliciesCreate": "리소스 정책 생성",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "새로운 정책을 생성하려면 아래 단계들을 따르세요",
    "resourcePolicyName": "정책 이름",
    "resourcePolicyNameDescription": "이 정책에 리소스 간에 식별할 이름을 지정합니다",
@@ -274,7 +281,7 @@
    "back": "뒤로",
    "cancel": "취소",
    "resourceConfig": "구성 스니펫",
-    "resourceConfigDescription": "TCP/UDP 리소스를 설정하기 위해 이 구성 스니펫을 복사하여 붙여넣습니다.",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: 엔트리포인트 추가",
    "resourceExposePorts": "Gerbil: Docker Compose에서 포트 노출",
    "resourceLearnRaw": "TCP/UDP 리소스 구성 방법 알아보기",
@@ -287,6 +294,8 @@
    "labelDelete": "레이블 삭제",
    "labelAdd": "레이블 추가",
    "labelCreateSuccessMessage": "레이블이 성공적으로 생성되었습니다",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "레이블이 성공적으로 수정되었습니다",
    "labelNameField": "레이블 이름",
    "labelColorField": "레이블 색상",
@@ -311,7 +320,7 @@
    "rules": "규칙",
    "resourceSettingDescription": "리소스의 설정을 구성하세요.",
    "resourceSetting": "{resourceName} 설정",
-    "resourcePolicySettingDescription": "리소스 정책에 대한 설정을 구성합니다",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "{policyName} 설정",
    "alwaysAllow": "인증 우회",
    "alwaysDeny": "접근 차단",
@@ -719,7 +728,7 @@
    "targetSubmit": "대상 추가",
    "targetNoOne": "이 리소스에는 대상이 없습니다. 백엔드로 요청을 보낼 대상을 구성하려면 대상을 추가하세요.",
    "targetNoOneDescription": "위에 하나 이상의 대상을 추가하면 로드 밸런싱이 활성화됩니다.",
-    "targetsSubmit": "대상 저장",
+    "targetsSubmit": "Save Settings",
    "addTarget": "대상 추가",
    "proxyMultiSiteRoundRobinNodeHelp": "라운드 로빈 라우팅은 동일한 노드에 연결되지 않은 사이트 간에는 작동하지 않으나, 대체 라우팅은 작동합니다.",
    "targetErrorInvalidIp": "유효하지 않은 IP 주소",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "중복 규칙",
    "rulesErrorDuplicateDescription": "이 설정을 가진 규칙이 이미 존재합니다.",
    "rulesErrorInvalidIpAddressRange": "유효하지 않은 CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "유효한 CIDR 값을 입력하십시오.",
-    "rulesErrorInvalidUrl": "유효하지 않은 URL 경로",
-    "rulesErrorInvalidUrlDescription": "유효한 URL 경로 값을 입력해 주세요.",
-    "rulesErrorInvalidIpAddress": "유효하지 않은 IP",
-    "rulesErrorInvalidIpAddressDescription": "유효한 IP 주소를 입력하세요",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "규칙 업데이트에 실패했습니다.",
    "rulesErrorUpdateDescription": "규칙 업데이트 중 오류가 발생했습니다.",
    "rulesUpdated": "규칙 활성화",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "CIDR 형식으로 주소를 입력하세요 (예: 103.21.244.0/22)",
    "rulesMatchIpAddress": "IP 주소를 입력하세요 (예: 103.21.244.12)",
    "rulesMatchUrl": "URL 경로 또는 패턴을 입력하세요 (예: /api/v1/todos 또는 /api/v1/*)",
-    "rulesErrorInvalidPriority": "유효하지 않은 우선순위",
-    "rulesErrorInvalidPriorityDescription": "유효한 우선 순위를 입력하세요.",
-    "rulesErrorDuplicatePriority": "중복 우선순위",
-    "rulesErrorDuplicatePriorityDescription": "고유한 우선 순위를 입력하십시오.",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "규칙이 업데이트되었습니다",
    "ruleUpdatedDescription": "규칙이 성공적으로 업데이트되었습니다",
    "ruleErrorUpdate": "작업 실패",
    "ruleErrorUpdateDescription": "저장 작업 중 오류가 발생했습니다.",
    "rulesPriority": "우선순위",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "작업",
    "rulesMatchType": "일치 유형",
    "value": "값",
@@ -792,7 +810,7 @@
    "rulesResource": "리소스 규칙 구성",
    "rulesResourceDescription": "리소스에 대한 접근을 제어하는 규칙 구성",
    "ruleSubmit": "규칙 추가",
-    "rulesNoOne": "규칙이 없습니다. 양식을 사용하여 규칙을 추가하십시오.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "규칙은 우선 순위에 따라 오름차순으로 평가됩니다.",
    "rulesSubmit": "규칙 저장",
    "policyErrorCreate": "정책 생성 오류",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "예기치 않은 오류가 발생했습니다",
    "policyCreatedSuccess": "리소스 정책이 성공적으로 생성되었습니다",
    "policyUpdatedSuccess": "리소스 정책이 성공적으로 업데이트되었습니다",
-    "authMethodsSave": "인증 방법 저장",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "규칙 저장",
    "resourceErrorCreate": "리소스 생성 오류",
    "resourceErrorCreateDescription": "리소스를 생성하는 중 오류가 발생했습니다.",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "리소스를 업데이트하는 동안 오류가 발생했습니다.",
    "access": "접속",
    "accessControl": "액세스 제어",
-    "shareLink": "{resource} 공유 링크",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "리소스 선택",
-    "shareLinks": "공유 링크",
+    "shareLinks": "Shareable Links",
    "share": "공유 가능한 링크",
    "shareDescription2": "리소스에 대한 공유 가능한 링크를 생성하세요. 링크는 리소스에 대한 임시 또는 무제한 액세스를 제공합니다. 링크를 생성할 때 만료 기간을 설정할 수 있습니다.",
    "shareEasyCreate": "생성하고 공유하기 쉬움",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "관리자는 항상 이 리소스에 접근할 수 있습니다.",
    "resourcePolicySelectTitle": "리소스 액세스 정책",
    "resourcePolicySelectDescription": "인증을 위한 리소스 정책 유형을 선택하세요",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "인라인 리소스 정책",
    "resourcePolicyInlineDescription": "이 리소스에만 범위가 있는 액세스 정책",
    "resourcePolicyShared": "공유 리소스 정책",
-    "resourcePolicySharedDescription": "이 리소스는 공유 정책을 사용합니다. 정책 수준 설정(인증 방법, 이메일 화이트리스트)은 잠겨 있습니다. 아래에서 리소스별 규칙, 역할 및 사용자를 추가할 수 있습니다.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "접근 제어",
    "resourceUsersRolesDescription": "이 리소스를 방문할 수 있는 사용자 및 역할을 구성하십시오",
    "resourceUsersRolesSubmit": "접근 제어 저장",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "가시성",
    "resourceVisibilityTitleDescription": "리소스 가시성을 완전히 활성화하거나 비활성화",
    "resourceGeneral": "일반 설정",
-    "resourceGeneralDescription": "이 리소스에 대한 일반 설정을 구성하십시오.",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "리소스 활성화",
    "resourceTransfer": "리소스 전송",
    "resourceTransferDescription": "이 리소스를 다른 사이트로 전송",
@@ -1220,11 +1294,14 @@
    "addLabels": "레이블 추가",
    "siteLabelsTab": "레이블",
    "siteLabelsDescription": "이 사이트와 연결된 레이블을 관리합니다.",
-    "labelsNotFound": "레이블을 찾을 수 없습니다",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "레이블 검색",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, other {# 레이블}}",
    "labelOverflowCount": " +{count, plural, other {# 레이블}}",
    "accessLabelFilterClear": "레이블 필터 초기화",
+    "accessFilterClear": "Clear filters",
    "selectColor": "색상 선택",
    "createNewLabel": "새 조직 레이블 \"{label}\" 만들기",
    "inviteInvalidDescription": "초대 링크가 유효하지 않습니다.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "리소스",
    "sidebarProxyResources": "공유",
    "sidebarClientResources": "비공개",
-    "sidebarPolicies": "정책",
-    "sidebarResourcePolicies": "리소스",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "액세스 제어",
    "sidebarLogsAndAnalytics": "로그 및 분석",
    "sidebarTeam": "팀",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "관리자",
    "sidebarInvitations": "초대",
    "sidebarRoles": "역할",
-    "sidebarShareableLinks": "링크",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API 키",
    "sidebarProvisioning": "프로비저닝",
    "sidebarSettings": "설정",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "리소스 {id}",
    "blueprints": "청사진",
    "blueprintsLog": "블루프린트 로그",
-    "blueprintsDescription": "과거 블루프린트 적용 및 결과 보기",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "청사진 추가",
    "blueprintGoBack": "모든 청사진 보기",
    "blueprintCreate": "청사진 생성",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Docker 청사진 활성화",
    "enableDockerSocketDescription": "블루프린트 레이블을 위한 Docker 소켓 레이블 스크래핑을 활성화합니다. 소켓 경로는 사이트 커넥터에 제공되어야 합니다. 동작 방법에 대한 자세한 정보는 <docsLink>문서</docsLink>에서 확인하세요.",
    "newtAutoUpdate": "사이트 자동 업데이트 활성화",
-    "newtAutoUpdateDescription": "활성화되면, 사이트 커넥터는 새 릴리스가 출시될 때 자동으로 최신 버전으로 업데이트됩니다.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "사이트 자동 업데이트",
    "siteAutoUpdateLabel": "자동 업데이트 활성화",
-    "siteAutoUpdateDescription": "이 사이트의 커넥터가 최신 버전을 자동으로 다운로드할지 여부를 제어합니다.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "조직 기본값: {state}",
    "siteAutoUpdateOverriding": "조직 설정 재정의",
    "siteAutoUpdateResetToOrg": "조직 기본값으로 재설정",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "계정 설정이 완료되었습니다! 판골린에 오신 것을 환영합니다!",
    "documentation": "문서",
    "saveAllSettings": "모든 설정 저장",
-    "saveResourceTargets": "대상 저장",
-    "saveResourceHttp": "프록시 설정 저장",
-    "saveProxyProtocol": "프록시 프로토콜 설정 저장",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "설정이 업데이트되었습니다",
    "settingsUpdatedDescription": "설정이 성공적으로 업데이트되었습니다.",
    "settingsErrorUpdate": "설정 업데이트 실패",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "알 수 없음",
    "healthCheck": "상태 확인",
    "configureHealthCheck": "상태 확인 설정",
-    "configureHealthCheckDescription": "{target}에 대한 상태 모니터링 설정",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "상태 확인 활성화",
    "healthCheckDisabledStateDescription": "비활성화되면 이 사이트가 상태 확인을 수행하지 않으며 상태가 알 수 없는 것으로 간주됩니다.",
    "enableHealthChecksDescription": "이 대상을 모니터링하여 건강 상태를 확인하세요. 필요에 따라 대상과 다른 엔드포인트를 모니터링할 수 있습니다.",
    "healthScheme": "방법",
    "healthSelectScheme": "방법 선택",
-    "healthCheckPortInvalid": "올바르지 않은 서브넷 마스크입니다. 1에서 65535 사이여야 합니다",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "경로",
    "healthHostname": "IP / 호스트",
    "healthPort": "포트",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "장치 승인 요구",
    "requireDeviceApprovalDescription": "이 역할을 가진 사용자는 장치가 연결되기 전에 관리자의 승인이 필요합니다.",
    "sshSettings": "SSH 설정",
+    "sshAccess": "SSH Access",
    "rdpSettings": "RDP 설정",
    "vncSettings": "VNC 설정",
    "sshServer": "SSH 서버",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "이 설정을 완료하기 전에 인증 데몬을 실행할 대상 호스트가 적절히 구성되었는지 확인하십시오. 그렇지 않으면 프로비저닝이 실패할 수 있습니다.",
    "sshDaemonPort": "데몬 포트",
    "sshServerDestination": "서버 목적지",
-    "sshServerDestinationDescription": "SSH 서버의 목적지 및 포트를 구성합니다",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "대상지",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "여러 사이트를 선택하면 고가용성을 위한 내구성 있는 라우팅 및 장애 조치를 활성화합니다.",
    "roleAllowSsh": "SSH 허용",
    "roleAllowSshAllow": "허용",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "사용자는 sudo로 지정된 명령만 실행할 수 있습니다.",
    "sshSudo": "Sudo 허용",
    "sshSudoCommands": "Sudo 명령",
-    "sshSudoCommandsDescription": "사용자가 sudo로 실행할 수 있는 명령의 쉼표로 구분된 목록입니다. 절대 경로를 사용해야 합니다.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "홈 디렉터리 생성",
    "sshUnixGroups": "유닉스 그룹",
-    "sshUnixGroupsDescription": "대상 호스트에서 사용자에게 추가할 유닉스 그룹의 쉼표로 구분된 목록입니다.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "재시도 횟수",
    "expectedResponseCodes": "예상 응답 코드",
    "expectedResponseCodesDescription": "정상 상태를 나타내는 HTTP 상태 코드입니다. 비워 두면 200-300이 정상으로 간주됩니다.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "프록시 프로토콜 활성화",
    "proxyProtocolInfo": "TCP 백엔드에 대한 클라이언트 IP 주소를 유지합니다.",
    "proxyProtocolVersion": "프록시 프로토콜 버전",
-    "version1": " 버전 1 (추천)",
+    "version1": "Version 1 (Recommended)",
    "version2": "버전 2",
-    "versionDescription": "버전 1은 텍스트 기반으로 널리 지원됩니다. 버전 2는 이진 기반으로 더 효율적이지만 호환성이 낮습니다.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "경고",
    "proxyProtocolWarning": "백엔드 애플리케이션이 프록시 프로토콜 연결을 허용하도록 구성되어야 합니다. 백엔드가 프록시 프로토콜을 지원하지 않으면, 이를 활성화하면 모든 연결이 끊어집니다. 트래픽에서 온 프록시 프로토콜 헤더를 백엔드가 신뢰하도록 구성하십시오.",
    "restarting": "재시작 중...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "확인 입력",
    "blueprintViewDetails": "세부 정보",
    "defaultIdentityProvider": "기본 아이덴티티 공급자",
-    "defaultIdentityProviderDescription": "기본 ID 공급자가 선택되면, 사용자는 인증을 위해 자동으로 해당 공급자로 리디렉션됩니다.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "네트워크 설정",
    "editInternalResourceDialogAccessPolicy": "액세스 정책",
    "editInternalResourceDialogAddRoles": "역할 추가",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "유지보수 모드 유형",
    "showMaintenancePage": "방문자에게 유지보수 페이지 표시",
    "enableMaintenanceMode": "유지보수 모드 활성화",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "자동",
    "automaticModeDescription": "백엔드 타깃이 모두 다운되거나 건강하지 않을 때만 유지보수 페이지를 표시합니다. 적어도 하나의 타깃이 건강한 한 리소스는 정상 작동합니다.",
    "forced": "강제",
@@ -3082,6 +3182,8 @@
    "warning:": "경고:",
    "forcedeModeWarning": "모든 트래픽이 유지보수 페이지로 전달됩니다. 백엔드 리소스는 어떠한 요청도 받지 않습니다.",
    "pageTitle": "페이지 제목",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "유지보수 페이지에 표시될 주요 제목",
    "maintenancePageMessage": "유지보수 메시지",
    "maintenancePageMessagePlaceholder": "곧 돌아오겠습니다! 사이트는 현재 예정된 유지보수를 진행 중입니다.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "정말로 이 조직에서 이 아이덴티티 공급자의 연관을 해제하시겠습니까?",
    "idpUnassociateDescription": "이 아이덴티티 공급자와 연관된 모든 사용자는 이 조직에서 제거될 것이지만, 아이덴티티 공급자는 다른 연관된 조직에 계속해서 존재할 것입니다.",
    "idpUnassociateConfirm": "아이덴티티 공급자 연관 해제 확인",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "이 조직에서 이것은 되돌릴 수 없습니다.",
    "idpUnassociatedDescription": "아이덴티티 공급자가 이 조직에서 성공적으로 연관 해제되었습니다",
    "idpUnassociateMenu": "연관 해제",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "연결 중…",
    "sshInitializing": "초기화 중…",
    "sshSignInTitle": "SSH에 로그인",
-    "sshSignInDescription": "SSH 자격 증명을 입력하세요",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "비밀번호",
    "sshPrivateKeyTab": "개인 키",
    "sshPrivateKeyField": "개인 키",
    "sshPrivateKeyDisclaimer": "당신의 개인 키는 Pangolin에 저장되거나 보이지 않습니다. 대신, 기존 Pangolin 신원을 사용하여 매끄러운 인증을 제공하는 단기 인증서를 사용할 수 있습니다.",
    "sshLearnMore": "자세히 알아보기",
    "sshPrivateKeyFile": "개인 키 파일",
-    "sshAuthenticate": "인증",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "종료",
    "sshPoweredBy": "제공자",
    "sshErrorNoTarget": "지정된 대상이 없습니다",
    "sshErrorWebSocket": "WebSocket 연결 실패",
    "sshErrorAuthFailed": "인증 실패",
-    "sshErrorConnectionClosed": "인증이 완료되기 전에 연결이 닫혔습니다"
+    "sshErrorConnectionClosed": "인증이 완료되기 전에 연결이 닫혔습니다",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Vis private ressurser",
    "siteInstallNewt": "Installer Newt",
    "siteInstallNewtDescription": "Få Newt til å kjøre på systemet ditt",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Konfigurasjon",
    "WgConfigurationDescription": "Bruk følgende konfigurasjon for å koble til nettverket",
    "operatingSystem": "Operativsystem",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Du vil kun kunne se dette én gang. Sørg for å kopiere det til et sikkert sted.",
    "siteInfo": "Områdeinformasjon",
    "status": "Status",
-    "shareTitle": "Administrer delingslenker",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Opprett delbare lenker for å gi midlertidige eller permanent tilgang til proxyressurser",
-    "shareSearch": "Søk delingslenker...",
-    "shareCreate": "Opprett delingslenke",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Klarte ikke å slette lenke",
    "shareErrorDeleteMessage": "En feil oppstod ved sletting av lenke",
    "shareDeleted": "Lenke slettet",
    "shareDeletedDescription": "Lenken har blitt slettet",
-    "shareDelete": "Slett delingslenke",
-    "shareDeleteConfirm": "Bekreft sletting av delingslenke",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Er du sikker på at du vil slette denne delingslenken?",
    "shareMessageRemove": "Når slettet, vil lenken ikke lenger fungere, og alle som bruker den vil miste tilgang til ressursen.",
    "shareTokenDescription": "Adgangstoken kan sendes på to måter: som en spørringsparameter eller i forespørselsoverskriftene. Disse må sendes fra klienten på hver forespørsel om autentisert tilgang.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Alle med denne lenken får tilgang til ressursen",
    "shareTitleOptional": "Tittel (valgfritt)",
    "sharePathOptional": "Bane (valgfritt)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Utløper om",
    "neverExpire": "Utløper aldri",
    "shareExpireDescription": "Utløpstid er hvor lenge lenken vil være brukbar og gi tilgang til ressursen. Etter denne tiden vil lenken ikke lenger fungere, og brukere som brukte denne lenken vil miste tilgangen til ressursen.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Vennligst velg en ressurs",
    "proxyResourceTitle": "Administrere offentlige ressurser",
    "proxyResourceDescription": "Opprett og administrer ressurser som er offentlig tilgjengelige via en nettleser",
-    "publicResourcesBannerTitle": "Nettbasert offentlig tilgang",
-    "publicResourcesBannerDescription": "Offentlige ressurser er HTTPS- eller TCP/UDP-proxyer tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klient-basert programvare og kan inkludere identitets- og kontekstbevisste tilgangspolicyer.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Administrer private ressurser",
    "clientResourceDescription": "Opprette og administrere ressurser som bare er tilgjengelige via en tilkoblet klient",
    "privateResourcesBannerTitle": "Zero-Trust privat tilgang",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Søk i ressurser...",
    "resourceAdd": "Legg til ressurs",
    "resourceErrorDelte": "Feil ved sletting av ressurs",
-    "resourcePoliciesTitle": "Administrer Ressurspolitikk",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Vedlagte ressurser",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} ressurs(er)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "ingen ressurser",
-    "resourcePoliciesDescription": "Opprett og administrer autentiseringsregler for å kontrollere tilgang til dine ressurser",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Søk etter regler...",
    "resourcePoliciesAdd": "Legg til policy",
    "resourcePoliciesDefaultBadgeText": "Standard politisk",
-    "resourcePoliciesCreate": "Opprett Ressurspolitikk",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Følg trinnene nedenfor for å lage en ny policy",
    "resourcePolicyName": "Polisnavn",
    "resourcePolicyNameDescription": "Gi denne policynavnet for å identifisere den på tvers av dine ressurser",
@@ -274,7 +281,7 @@
    "back": "Tilbake",
    "cancel": "Avbryt",
    "resourceConfig": "Konfigurasjonsutdrag",
-    "resourceConfigDescription": "Kopier og lim inn disse konfigurasjons-øyeblikkene for å sette opp TCP/UDP ressursen",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Legg til inngangspunkter",
    "resourceExposePorts": "Gerbil: Eksponer Porter i Docker Compose",
    "resourceLearnRaw": "Lær hvordan å konfigurere TCP/UDP-ressurser",
@@ -287,6 +294,8 @@
    "labelDelete": "Slett etikett",
    "labelAdd": "Legg til etikett",
    "labelCreateSuccessMessage": "Etikett opprettet vellykket",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Etikett endret vellykket",
    "labelNameField": "Etikettnavn",
    "labelColorField": "Etikettfarge",
@@ -311,7 +320,7 @@
    "rules": "Regler",
    "resourceSettingDescription": "Konfigurere innstillingene på ressursen",
    "resourceSetting": "{resourceName} Innstillinger",
-    "resourcePolicySettingDescription": "Konfigurer innstillingene på ressurspolitikken",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "{policyName} Innstillinger",
    "alwaysAllow": "Omgå Auth",
    "alwaysDeny": "Blokker tilgang",
@@ -719,7 +728,7 @@
    "targetSubmit": "Legg til mål",
    "targetNoOne": "Denne ressursen har ikke noen mål. Legg til et mål for å konfigurere hvor du vil sende forespørsler til backend.",
    "targetNoOneDescription": "Å legge til mer enn ett mål ovenfor vil aktivere lastbalansering.",
-    "targetsSubmit": "Lagre mål",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Legg til mål",
    "proxyMultiSiteRoundRobinNodeHelp": "Rundkjøringrutefordeling vil ikke fungere mellom steder som ikke er koblet til samme node, men failover vil fungere.",
    "targetErrorInvalidIp": "Ugyldig IP-adresse",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Duplisert regel",
    "rulesErrorDuplicateDescription": "En regel med disse innstillingene finnes allerede",
    "rulesErrorInvalidIpAddressRange": "Ugyldig CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Vennligst skriv inn en gyldig CIDR-verdi",
-    "rulesErrorInvalidUrl": "Ugyldig URL-sti",
-    "rulesErrorInvalidUrlDescription": "Skriv inn en gyldig verdi for URL-sti",
-    "rulesErrorInvalidIpAddress": "Ugyldig IP",
-    "rulesErrorInvalidIpAddressDescription": "Skriv inn en gyldig IP-adresse",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Kunne ikke oppdatere regler",
    "rulesErrorUpdateDescription": "Det oppsto en feil under oppdatering av regler",
    "rulesUpdated": "Aktiver Regler",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Angi en adresse i CIDR-format (f.eks., 103.21.244.0/22)",
    "rulesMatchIpAddress": "Angi en IP-adresse (f.eks. 103.21.244.12)",
    "rulesMatchUrl": "Skriv inn en URL-sti eller et mønster (f.eks. /api/v1/todos eller /api/v1/*)",
-    "rulesErrorInvalidPriority": "Ugyldig prioritet",
-    "rulesErrorInvalidPriorityDescription": "Vennligst skriv inn en gyldig prioritet",
-    "rulesErrorDuplicatePriority": "Dupliserte prioriteringer",
-    "rulesErrorDuplicatePriorityDescription": "Vennligst angi unike prioriteringer",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Regler oppdatert",
    "ruleUpdatedDescription": "Reglene er oppdatert",
    "ruleErrorUpdate": "Operasjon mislyktes",
    "ruleErrorUpdateDescription": "En feil oppsto under lagringsoperasjonen",
    "rulesPriority": "Prioritet",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Handling",
    "rulesMatchType": "Trefftype",
    "value": "Verdi",
@@ -792,7 +810,7 @@
    "rulesResource": "Konfigurasjon av ressursregler",
    "rulesResourceDescription": "Konfigurer regler for å kontrollere tilgang til ressursen",
    "ruleSubmit": "Legg til regel",
-    "rulesNoOne": "Ingen regler. Legg til en regel ved å bruke skjemaet.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Regler evalueres etter prioritet i stigende rekkefølge.",
    "rulesSubmit": "Lagre regler",
    "policyErrorCreate": "Feil ved opprettelse av policy",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "En uventet feil oppstod",
    "policyCreatedSuccess": "Ressurspolitikken ble opprettet vellykket",
    "policyUpdatedSuccess": "Ressurspolitikken ble oppdatert vellykket",
-    "authMethodsSave": "Lagre autentiseringsmetoder",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Lagre Regler",
    "resourceErrorCreate": "Feil under oppretting av ressurs",
    "resourceErrorCreateDescription": "Det oppstod en feil under oppretting av ressursen",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "En feil oppstod under oppdatering av ressursen",
    "access": "Tilgang",
    "accessControl": "Tilgangskontroll",
-    "shareLink": "{resource} Del Lenke",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Velg ressurs",
-    "shareLinks": "Del lenker",
+    "shareLinks": "Shareable Links",
    "share": "Delbare lenker",
    "shareDescription2": "Opprett delbare lenker til ressurser. Lenker gir midlertidig eller ubegrenset tilgang til din ressurs. Du kan konfigurere utløpsvarigheten på lenken når du oppretter en.",
    "shareEasyCreate": "Enkelt å lage og dele",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Administratorer har alltid tilgang til denne ressursen.",
    "resourcePolicySelectTitle": "Ressurstilgangspolitikk",
    "resourcePolicySelectDescription": "Velg policytype for autentisering",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Inline Ressursregler",
    "resourcePolicyInlineDescription": "Tilgangspolitikk som kun er gyldig for denne ressursen",
    "resourcePolicyShared": "Delte Ressursregler",
-    "resourcePolicySharedDescription": "Denne ressursen bruker en delt policy. Policyinnstillinger (autentiseringsmetoder, e-post whitelist) er låst. Du kan legge til ressurs-spesifikke regler, roller, og brukere nedenfor.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Tilgangskontroller",
    "resourceUsersRolesDescription": "Konfigurer hvilke brukere og roller som har tilgang til denne ressursen",
    "resourceUsersRolesSubmit": "Lagre tilgangskontroller",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Synlighet",
    "resourceVisibilityTitleDescription": "Fullstendig aktiver eller deaktiver ressursynlighet",
    "resourceGeneral": "Generelle innstillinger",
-    "resourceGeneralDescription": "Konfigurer de generelle innstillingene for denne ressursen",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Aktiver ressurs",
    "resourceTransfer": "Overfør Ressurs",
    "resourceTransferDescription": "Overfør denne ressursen til et annet område",
@@ -1220,11 +1294,14 @@
    "addLabels": "Legg til etiketter",
    "siteLabelsTab": "Etiketter",
    "siteLabelsDescription": "Administrer etiketter knyttet til dette nettstedet.",
-    "labelsNotFound": "Etiketter ikke funnet",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Søk etter etiketter",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {en etikett} other {# etiketter}}",
    "labelOverflowCount": "+{count, plural, one {en etikett} other {# etiketter}}",
    "accessLabelFilterClear": "Fjern etikettfiltre",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Velg farge",
    "createNewLabel": "Opprett ny org-etikett \"{label}\"",
    "inviteInvalidDescription": "Invitasjonslenken er ugyldig.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Ressurser",
    "sidebarProxyResources": "Offentlig",
    "sidebarClientResources": "Privat",
-    "sidebarPolicies": "Retningslinjer",
-    "sidebarResourcePolicies": "Ressurser",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Tilgangskontroll",
    "sidebarLogsAndAnalytics": "Logger og analyser",
    "sidebarTeam": "Lag",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Administrator",
    "sidebarInvitations": "Invitasjoner",
    "sidebarRoles": "Roller",
-    "sidebarShareableLinks": "Lenker",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API-nøkler",
    "sidebarProvisioning": "Levering",
    "sidebarSettings": "Innstillinger",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Ressurs {id}",
    "blueprints": "Tegninger",
    "blueprintsLog": "Blåkopieringslogg",
-    "blueprintsDescription": "Vis tidligere applikasjoner av blåkopier og deres resultater",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Legg til blåkopi",
    "blueprintGoBack": "Se alle blåkopier",
    "blueprintCreate": "Opprette mal",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Aktiver Docker blåkopi",
    "enableDockerSocketDescription": "Aktiver Docker Socket etikett skrubbing for blueprint etiketter. Socket bane må oppgis til nettstedkobleren. Les om hvordan dette fungerer i <docsLink>dokumentasjonen</docsLink>.",
    "newtAutoUpdate": "Aktiver Automatisk Oppdatering av Nettsted",
-    "newtAutoUpdateDescription": "Når aktivert, vil nettstedskoblere automatisk oppdatere til nyeste versjon når en ny utgave er tilgjengelig.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Automatisk Oppdatering av Nettsted",
    "siteAutoUpdateLabel": "Aktiver Automatisk Oppdatering",
-    "siteAutoUpdateDescription": "Kontroller om denne sidens kobler automatisk laster ned den nyeste versjonen.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Organisasjon standard: {state}",
    "siteAutoUpdateOverriding": "Overstyrer organisasjonens innstilling",
    "siteAutoUpdateResetToOrg": "Tilbakestill til Organisasjonsstandard",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Kontooppsett fullført! Velkommen til Pangolin!",
    "documentation": "Dokumentasjon",
    "saveAllSettings": "Lagre alle innstillinger",
-    "saveResourceTargets": "Lagre mål",
-    "saveResourceHttp": "Lagre proxy-innstillinger",
-    "saveProxyProtocol": "Lagre proxy-protokollinnstillinger",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Innstillinger oppdatert",
    "settingsUpdatedDescription": "Innstillinger oppdatert vellykket",
    "settingsErrorUpdate": "Klarte ikke å oppdatere innstillinger",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Ukjent",
    "healthCheck": "Helsekontroll",
    "configureHealthCheck": "Konfigurer Helsekontroll",
-    "configureHealthCheckDescription": "Sett opp helsekontroll for {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Aktiver Helsekontroller",
    "healthCheckDisabledStateDescription": "Når deaktivert, vil ikke nettstedet utføre helsekontroller, og tilstanden vil anses som ukjent.",
    "enableHealthChecksDescription": "Overvåk helsen til dette målet. Du kan overvåke et annet endepunkt enn målet hvis nødvendig.",
    "healthScheme": "Metode",
    "healthSelectScheme": "Velg metode",
-    "healthCheckPortInvalid": "Helsekontrollporten må være mellom 1 og 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Sti",
    "healthHostname": "IP / Vert",
    "healthPort": "Port",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Krev enhetsgodkjenning",
    "requireDeviceApprovalDescription": "Brukere med denne rollen trenger nye enheter godkjent av en admin før de kan koble seg og få tilgang til ressurser.",
    "sshSettings": "SSH Innstillinger",
+    "sshAccess": "SSH Access",
    "rdpSettings": "RDP Innstillinger",
    "vncSettings": "VNC Innstillinger",
    "sshServer": "SSH-server",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Sørg for at målenheten din er riktig konfigurert for å kjøre autentiseringsdaemon før du fullfører denne oppsettet, eller klargjøring vil mislykkes.",
    "sshDaemonPort": "Daemon-port",
    "sshServerDestination": "Serverens Destinasjon",
-    "sshServerDestinationDescription": "Konfigurer destinasjonen og porten til SSH-serveren",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Destinasjon",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Ved å velge flere nettsteder aktiveres robust ruting og feilaktig avbrudd for høy tilgjengelighet.",
    "roleAllowSsh": "Tillat SSH",
    "roleAllowSshAllow": "Tillat",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Brukeren kan bare kjøre de angitte kommandoene med sudo.",
    "sshSudo": "Tillat sudo",
    "sshSudoCommands": "Sudo kommandoer",
-    "sshSudoCommandsDescription": "Kommaseparert liste over kommandoer brukeren tillates å kjøre med sudo. Absolutte stier må brukes.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Opprett hjemmappe",
    "sshUnixGroups": "Unix grupper",
-    "sshUnixGroupsDescription": "Kommaseparerte Unix grupper for å legge brukeren til på mål-verten.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Forsøk på nytt",
    "expectedResponseCodes": "Forventede svarkoder",
    "expectedResponseCodesDescription": "HTTP-statuskode som indikerer sunn status. Hvis den blir stående tom, regnes 200-300 som sunn.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Aktiver Proxy-protokoll",
    "proxyProtocolInfo": "Bevar klientens IP-adresser for TCP backends",
    "proxyProtocolVersion": "Proxy protokoll versjon",
-    "version1": " Versjon 1 (Anbefalt)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Versjon 2",
-    "versionDescription": "Versjon 1 er tekstbasert og støttet. Versjon 2 er binært og mer effektivt, men mindre kompatibel.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Advarsel",
    "proxyProtocolWarning": "backend-programmet må konfigureres til å akseptere forbindelser i Proxy Protokoll. Hvis backend ikke støtter Proxy Beskyttelse vil aktivering av dette ødelegge alle tilkoblinger så bare dette hvis du vet hva du gjør. Sørg for å konfigurere backend til å stole på Proxy Protokoll overskrifter fra Traefik.",
    "restarting": "Restarter...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Skriv inn bekreftelse",
    "blueprintViewDetails": "Detaljer",
    "defaultIdentityProvider": "Standard identitetsleverandør",
-    "defaultIdentityProviderDescription": "Når en standard identitetsleverandør er valgt, vil brukeren automatisk bli omdirigert til leverandøren for autentisering.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
    "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
    "editInternalResourceDialogAddRoles": "Legg til roller",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Vedlikeholdsmodus type",
    "showMaintenancePage": "Vis en vedlikeholdsside til besøkende",
    "enableMaintenanceMode": "Aktiver vedlikeholdsmodus",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatisk",
    "automaticModeDescription": "Vis vedlikeholdsside kun når alle serverens mål er nede eller usunne. Ressursen din fortsetter å fungere normalt så lenge minst ett mål er sunt.",
    "forced": "Tvunget",
@@ -3082,6 +3182,8 @@
    "warning:": "Advarsel:",
    "forcedeModeWarning": "All trafikk vil bli dirigeres til vedlikeholdssiden. Serverens ressurser vil ikke motta noen forespørsler.",
    "pageTitle": "Sidetittel",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Hovedoverskriften vist på vedlikeholdssiden",
    "maintenancePageMessage": "Vedlikeholdsbeskjed",
    "maintenancePageMessagePlaceholder": "Vi kommer snart tilbake! Vårt nettsted gjennomgår for øyeblikket planlagt vedlikehold.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Er du sikker på at du vil frakoble denne identitetsleverandøren fra denne organisasjonen?",
    "idpUnassociateDescription": "Alle brukere knyttet til denne identitetsleverandøren vil bli fjernet fra denne organisasjonen, men identitetsleverandøren vil fortsatt eksistere for andre tilknyttede organisasjoner.",
    "idpUnassociateConfirm": "Bekreft frakobling av identitetsleverandør",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Dette kan ikke angres for denne organisasjonen.",
    "idpUnassociatedDescription": "Identitetsleverandør er vellykket frakoblet fra denne organisasjonen",
    "idpUnassociateMenu": "Frakoble",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Kobler til…",
    "sshInitializing": "Initialiserer…",
    "sshSignInTitle": "Logg inn på SSH",
-    "sshSignInDescription": "Oppgi dine SSH-legitimasjoner",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Passord",
    "sshPrivateKeyTab": "Privat Nøkkel",
    "sshPrivateKeyField": "Privat Nøkkel",
    "sshPrivateKeyDisclaimer": "Din private nøkkel er ikke lagret eller synlig for Pangolin. Alternativt kan du bruke kortevaliderte sertifikater for sømløs autentisering ved å bruke din eksisterende Pangolin-identitet.",
    "sshLearnMore": "Lær mer",
    "sshPrivateKeyFile": "Privat Nøkkelfil",
-    "sshAuthenticate": "Autentiser",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Avslutt",
    "sshPoweredBy": "Drevet av",
    "sshErrorNoTarget": "Ingen mål spesifisert",
    "sshErrorWebSocket": "WebSocket-tilkobling mislyktes",
    "sshErrorAuthFailed": "Autentisering mislyktes",
-    "sshErrorConnectionClosed": "Tilkobling avsluttet før autentisering ble fullført"
+    "sshErrorConnectionClosed": "Tilkobling avsluttet før autentisering ble fullført",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Privébronnen bekijken",
    "siteInstallNewt": "Installeer Newt",
    "siteInstallNewtDescription": "Laat Newt draaien op uw systeem",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Configuratie",
    "WgConfigurationDescription": "Gebruik de volgende configuratie om verbinding te maken met het netwerk",
    "operatingSystem": "Operating systeem",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Je kunt dit slechts één keer zien. Kopieer het naar een beveiligde plek.",
    "siteInfo": "Site informatie",
    "status": "Status",
-    "shareTitle": "Beheer deellinks",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Maak deelbare links aan om tijdelijke of permanente toegang tot proxybronnen te verlenen",
-    "shareSearch": "Zoek share links...",
-    "shareCreate": "Maak Share link",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Kan link niet verwijderen",
    "shareErrorDeleteMessage": "Fout opgetreden tijdens het verwijderen link",
    "shareDeleted": "Link verwijderd",
    "shareDeletedDescription": "De link is verwijderd",
-    "shareDelete": "Verwijder Deel Link",
-    "shareDeleteConfirm": "Bevestig verwijdering van Deel Link",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Weet u zeker dat u deze deel link wilt verwijderen?",
    "shareMessageRemove": "Zodra verwijderd, zal de link niet meer werken en zal iedereen die het gebruikt de toegang tot de bron verliezen.",
    "shareTokenDescription": "De toegangstoken kan op twee manieren worden doorgegeven: als queryparameter of in de aanvraagheaders. Deze moeten worden doorgegeven van de client op elk verzoek voor geverifieerde toegang.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Iedereen met deze link heeft toegang tot de pagina",
    "shareTitleOptional": "Titel (optioneel)",
    "sharePathOptional": "Pad (optioneel)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Vervalt in",
    "neverExpire": "Nooit verlopen",
    "shareExpireDescription": "Vervaltijd is hoe lang de link bruikbaar is en geeft toegang tot de bron. Na deze tijd zal de link niet meer werken en zullen gebruikers die deze link hebben gebruikt de toegang tot de pagina verliezen.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Selecteer een bron",
    "proxyResourceTitle": "Openbare bronnen beheren",
    "proxyResourceDescription": "Creëer en beheer bronnen die openbaar toegankelijk zijn via een webbrowser",
-    "publicResourcesBannerTitle": "Webgebaseerde openbare toegang",
-    "publicResourcesBannerDescription": "Openbare bronnen zijn HTTPS of TCP/UDP-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot priv<69><76>bronnen vereisen ze geen client-side software maar kunnen ze identiteits- en context-bewuste toegangsrichtlijnen bevatten.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Privébronnen beheren",
    "clientResourceDescription": "Creëer en beheer bronnen die alleen toegankelijk zijn via een verbonden client",
    "privateResourcesBannerTitle": "Zero-Trust Private Access",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Zoek bronnen...",
    "resourceAdd": "Bron toevoegen",
    "resourceErrorDelte": "Fout bij verwijderen document",
-    "resourcePoliciesTitle": "Beheer Bron Beleid",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Bijgevoegde bronnen",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} bron(nen)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "geen bronnen",
-    "resourcePoliciesDescription": "Maak en beheer authenticatiebeleid om toegang tot uw bronnen te controleren",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Beleidsregels zoeken...",
    "resourcePoliciesAdd": "Beleid toevoegen",
    "resourcePoliciesDefaultBadgeText": "Standaard beleidsregel",
-    "resourcePoliciesCreate": "Creëer Bronbeleid",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Volg de onderstaande stappen om een nieuw beleid aan te maken",
    "resourcePolicyName": "Beleidsregelnaam",
    "resourcePolicyNameDescription": "Geef deze beleidsregel een naam om deze te identificeren in uw bronnen",
@@ -274,7 +281,7 @@
    "back": "Achterzijde",
    "cancel": "Annuleren",
    "resourceConfig": "Configuratie tekstbouwstenen",
-    "resourceConfigDescription": "Kopieer en plak deze configuratie-snippets om de TCP/UDP-bron in te stellen",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Entrypoints toevoegen",
    "resourceExposePorts": "Gerbild: Gevangen blootstellen in Docker Compose",
    "resourceLearnRaw": "Leer hoe je TCP/UDP bronnen kunt configureren",
@@ -287,6 +294,8 @@
    "labelDelete": "Label verwijderen",
    "labelAdd": "Label toevoegen",
    "labelCreateSuccessMessage": "Label succesvol aangemaakt",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Label succesvol gewijzigd",
    "labelNameField": "Labelnaam",
    "labelColorField": "Label kleur",
@@ -311,7 +320,7 @@
    "rules": "Regels",
    "resourceSettingDescription": "Configureer de instellingen in de bron",
    "resourceSetting": "{resourceName} instellingen",
-    "resourcePolicySettingDescription": "Configureer de instellingen op het bronbeleid",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "{policyName} instellingen",
    "alwaysAllow": "Authenticatie omzeilen",
    "alwaysDeny": "Blokkeer toegang",
@@ -719,7 +728,7 @@
    "targetSubmit": "Doelwit toevoegen",
    "targetNoOne": "Deze bron heeft geen doelwitten. Voeg een doel toe om te configureren waar verzoeken naar de backend verzonden kunnen worden.",
    "targetNoOneDescription": "Het toevoegen van meer dan één doel hierboven zal de load balancering mogelijk maken.",
-    "targetsSubmit": "Doelstellingen opslaan",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Doelwit toevoegen",
    "proxyMultiSiteRoundRobinNodeHelp": "Round-robin routering werkt niet tussen locaties die niet met hetzelfde knooppunt zijn verbonden, maar failover werkt wel.",
    "targetErrorInvalidIp": "Ongeldig IP-adres",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Dupliceer regel",
    "rulesErrorDuplicateDescription": "Een regel met deze instellingen bestaat al",
    "rulesErrorInvalidIpAddressRange": "Ongeldige CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Voer een geldige CIDR waarde in",
-    "rulesErrorInvalidUrl": "Ongeldige URL pad",
-    "rulesErrorInvalidUrlDescription": "Voer een geldige URL padwaarde in",
-    "rulesErrorInvalidIpAddress": "Ongeldig IP",
-    "rulesErrorInvalidIpAddressDescription": "Voer een geldig IP-adres in",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Regels bijwerken mislukt",
    "rulesErrorUpdateDescription": "Fout opgetreden tijdens het bijwerken van de regels",
    "rulesUpdated": "Regels inschakelen",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Voer een adres in in het CIDR-formaat (bijv. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Voer een IP-adres in (bijv. 103.21.244.12)",
    "rulesMatchUrl": "Voer een URL-pad of patroon in (bijv. /api/v1/todos of /api/v1/*)",
-    "rulesErrorInvalidPriority": "Ongeldige prioriteit",
-    "rulesErrorInvalidPriorityDescription": "Voer een geldige prioriteit in",
-    "rulesErrorDuplicatePriority": "Dubbele prioriteiten",
-    "rulesErrorDuplicatePriorityDescription": "Voer unieke prioriteiten in",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Regels bijgewerkt",
    "ruleUpdatedDescription": "Regels met succes bijgewerkt",
    "ruleErrorUpdate": "Bewerking mislukt",
    "ruleErrorUpdateDescription": "Er is een fout opgetreden tijdens het opslaan",
    "rulesPriority": "Prioriteit",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "actie",
    "rulesMatchType": "Wedstrijd Type",
    "value": "Waarde",
@@ -792,7 +810,7 @@
    "rulesResource": "Configuratie Resource Regels",
    "rulesResourceDescription": "Regels instellen om toegang tot de bron te beheren",
    "ruleSubmit": "Regel toevoegen",
-    "rulesNoOne": "Geen regels. Voeg een regel toe via het formulier.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Regels worden in oplopende volgorde volgens prioriteit beoordeeld.",
    "rulesSubmit": "Regels opslaan",
    "policyErrorCreate": "Fout bij het maken van beleid",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Er is een onverwachte fout opgetreden",
    "policyCreatedSuccess": "Bronbeleid met succes aangemaakt",
    "policyUpdatedSuccess": "Bronbeleid succesvol bijgewerkt",
-    "authMethodsSave": "Bewaar authenticatiemethoden",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Regels opslaan",
    "resourceErrorCreate": "Fout bij maken document",
    "resourceErrorCreateDescription": "Er is een fout opgetreden bij het maken van het document",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Er is een fout opgetreden tijdens het bijwerken van het document",
    "access": "Toegangsrechten",
    "accessControl": "Toegangs controle",
-    "shareLink": "{resource} Share link",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Selecteer resource",
-    "shareLinks": "Links delen",
+    "shareLinks": "Shareable Links",
    "share": "Deelbare links",
    "shareDescription2": "Maak deelbare links naar bronnen. Links bieden tijdelijke of onbeperkte toegang tot je bestand. U kunt de vervalduur van de link configureren wanneer u er een aanmaakt.",
    "shareEasyCreate": "Makkelijk te maken en te delen",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Beheerders hebben altijd toegang tot deze bron.",
    "resourcePolicySelectTitle": "Toegangsbeleid voor bronnen",
    "resourcePolicySelectDescription": "Selecteer het bronbeleidstype voor authenticatie",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Inline bronbeleid",
    "resourcePolicyInlineDescription": "Toegangsbeleid alleen gericht op deze bron",
    "resourcePolicyShared": "Gedeeld bronbeleid",
-    "resourcePolicySharedDescription": "Deze bron gebruikt een gedeeld beleid. Instellingen op beleidsniveau (authenticatiemethoden, e-mailwhitelist) zijn vergrendeld. U kunt hieronder bron-specifieke regels, rollen en gebruikers toevoegen.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Toegang Bediening",
    "resourceUsersRolesDescription": "Configureer welke gebruikers en rollen deze pagina kunnen bezoeken",
    "resourceUsersRolesSubmit": "Bewaar Toegangsbesturing",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Zichtbaarheid",
    "resourceVisibilityTitleDescription": "Zichtbaarheid van bestanden volledig in- of uitschakelen",
    "resourceGeneral": "Algemene instellingen",
-    "resourceGeneralDescription": "Configureer de algemene instellingen voor deze bron",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Resource inschakelen",
    "resourceTransfer": "Bronnen overdragen",
    "resourceTransferDescription": "Verplaats dit document naar een andere site",
@@ -1220,11 +1294,14 @@
    "addLabels": "Labels toevoegen",
    "siteLabelsTab": "Labels",
    "siteLabelsDescription": "Beheer labels geassocieerd met deze site.",
-    "labelsNotFound": "Labels niet gevonden",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Labels zoeken",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
    "labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
    "accessLabelFilterClear": "Labelfilters wissen",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Kleur selecteren",
    "createNewLabel": "Nieuw org-label \"{label}\" aanmaken",
    "inviteInvalidDescription": "Uitnodigingslink is ongeldig.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Bronnen",
    "sidebarProxyResources": "Openbaar",
    "sidebarClientResources": "Privé",
-    "sidebarPolicies": "Beleid",
-    "sidebarResourcePolicies": "Bronnen",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Toegangs controle",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Beheerder",
    "sidebarInvitations": "Uitnodigingen",
    "sidebarRoles": "Rollen",
-    "sidebarShareableLinks": "Koppelingen",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API sleutels",
    "sidebarProvisioning": "Provisie",
    "sidebarSettings": "Instellingen",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Bron {id}",
    "blueprints": "Blauwdrukken",
    "blueprintsLog": "Log Blueprints",
-    "blueprintsDescription": "Bekijk eerdere blueprint-toepassingen en hun resultaten",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Blauwdruk toevoegen",
    "blueprintGoBack": "Bekijk alle Blauwdrukken",
    "blueprintCreate": "Creëer blauwdruk",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Schakel Docker Blauwdruk in",
    "enableDockerSocketDescription": "Schakel Docker Socket-label in voor blueprint-labels. Socket-pad moet worden opgegeven aan de siteconnector. Lees meer over hoe dit werkt in <docsLink>de documentatie</docsLink>.",
    "newtAutoUpdate": "Automatische site-update inschakelen",
-    "newtAutoUpdateDescription": "Wanneer ingeschakeld, zullen site-connectors automatisch updaten naar de nieuwste versie wanneer een nieuwe release beschikbaar is.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Automatische site-update",
    "siteAutoUpdateLabel": "Automatische update inschakelen",
-    "siteAutoUpdateDescription": "Controleer of de siteconnector automatisch de laatste versie downloadt.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Standaard van organisatie: {state}",
    "siteAutoUpdateOverriding": "Overschrijving van organisatiestandaardinstelling",
    "siteAutoUpdateResetToOrg": "Terugzetten naar standaard van organisatie",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Accountinstelling voltooid! Welkom bij Pangolin!",
    "documentation": "Documentatie",
    "saveAllSettings": "Alle instellingen opslaan",
-    "saveResourceTargets": "Doelstellingen opslaan",
-    "saveResourceHttp": "Proxyinstellingen opslaan",
-    "saveProxyProtocol": "Proxy-protocolinstellingen opslaan",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Instellingen bijgewerkt",
    "settingsUpdatedDescription": "Instellingen succesvol bijgewerkt",
    "settingsErrorUpdate": "Bijwerken van instellingen mislukt",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Onbekend",
    "healthCheck": "Gezondheidscontrole",
    "configureHealthCheck": "Configureer Gezondheidscontrole",
-    "configureHealthCheckDescription": "Stel gezondheid monitor voor {target} in",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Inschakelen Gezondheidscontroles",
    "healthCheckDisabledStateDescription": "Wanneer uitgeschakeld, zal de site geen gezondheidscontroles uitvoeren en wordt de staat als onbekend beschouwd.",
    "enableHealthChecksDescription": "Controleer de gezondheid van dit doel. U kunt een ander eindpunt monitoren dan het doel indien vereist.",
    "healthScheme": "Methode",
    "healthSelectScheme": "Selecteer methode",
-    "healthCheckPortInvalid": "Health check poort moet tussen 1 en 65535 zijn",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Pad",
    "healthHostname": "IP / Hostnaam",
    "healthPort": "Poort",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Vereist goedkeuring van apparaat",
    "requireDeviceApprovalDescription": "Gebruikers met deze rol hebben nieuwe apparaten nodig die door een beheerder zijn goedgekeurd voordat ze verbinding kunnen maken met bronnen en deze kunnen gebruiken.",
    "sshSettings": "SSH-instellingen",
+    "sshAccess": "SSH Access",
    "rdpSettings": "RDP-instellingen",
    "vncSettings": "VNC-instellingen",
    "sshServer": "SSH-server",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Zorg ervoor dat uw doelhost goed is geconfigureerd om de auth daemon uit te voeren voordat u deze configuratie voltooit, anders zal de voorziening mislukken.",
    "sshDaemonPort": "Demonpoort",
    "sshServerDestination": "Serverbestemming",
-    "sshServerDestinationDescription": "Configureer de bestemming en poort van de SSH-server",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Bestemming",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Het selecteren van meerdere sites maakt veerkrachtige routering mogelijk en failover voor hoge beschikbaarheid.",
    "roleAllowSsh": "SSH toestaan",
    "roleAllowSshAllow": "Toestaan",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Gebruiker kan alleen de opgegeven commando's uitvoeren met de sudo.",
    "sshSudo": "sudo toestaan",
    "sshSudoCommands": "Sudo Commando's",
-    "sshSudoCommandsDescription": "Commagescheiden lijst van commando's die de gebruiker met sudo mag uitvoeren. Absolute paden moeten worden gebruikt.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Maak Home Directory",
    "sshUnixGroups": "Unix groepen",
-    "sshUnixGroupsDescription": "Door komma's gescheiden Unix-groepen om de gebruiker toe te voegen aan de doelhost.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Herhaal Pogingen",
    "expectedResponseCodes": "Verwachte Reactiecodes",
    "expectedResponseCodesDescription": "HTTP-statuscode die gezonde status aangeeft. Indien leeg wordt 200-300 als gezond beschouwd.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Proxy Protocol inschakelen",
    "proxyProtocolInfo": "Behoud IP adressen van de client voor TCP backends",
    "proxyProtocolVersion": "Proxy Protocol Versie",
-    "version1": " Versie 1 (Aanbevolen)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Versie 2",
-    "versionDescription": "Versie 1 is text-based en breed ondersteund. Versie 2 is binair en efficiënter maar minder compatibel.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Waarschuwing",
    "proxyProtocolWarning": "De backend applicatie moet worden geconfigureerd om Proxy Protocol verbindingen te accepteren. Als je backend geen Proxy Protocol ondersteunt, zal het inschakelen van dit alle verbindingen verbreken, dus schakel dit alleen in als je weet wat je doet. Zorg ervoor dat je je backend configureert om Proxy Protocol headers van Traefik.",
    "restarting": "Herstarten...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Bevestiging invoeren",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Standaard Identiteitsprovider",
-    "defaultIdentityProviderDescription": "Wanneer een standaard identity provider is geselecteerd, zal de gebruiker automatisch worden doorgestuurd naar de provider voor authenticatie.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
    "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
    "editInternalResourceDialogAddRoles": "Rollen toevoegen",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Type onderhoudsmodus",
    "showMaintenancePage": "Toon een onderhoudspagina aan bezoekers",
    "enableMaintenanceMode": "Onderhoudsmodus inschakelen",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatisch",
    "automaticModeDescription": " Toon onderhoudspagina alleen wanneer alle back-enddoelen niet beschikbaar zijn of ongezond zijn. Jouw bron blijft normaal functioneren zolang er tenminste één doel gezond is.",
    "forced": "Geforceerd",
@@ -3082,6 +3182,8 @@
    "warning:": "Waarschuwing:",
    "forcedeModeWarning": "Al het verkeer wordt naar de onderhoudspagina geleid. Jouw back-endbronnen ontvangen geen verzoeken.",
    "pageTitle": "Paginatitel",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "De hoofdkop die op de onderhoudspagina wordt weergegeven",
    "maintenancePageMessage": "Onderhoudsbericht",
    "maintenancePageMessagePlaceholder": "We keren snel terug! Onze site ondergaat momenteel gepland onderhoud.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Weet u zeker dat u deze identiteitsprovider van deze organisatie wilt loskoppelen?",
    "idpUnassociateDescription": "Alle gebruikers die aan deze identiteitsprovider zijn gekoppeld, worden uit deze organisatie verwijderd, maar de identiteitsprovider blijft bestaan voor andere gerelateerde organisaties.",
    "idpUnassociateConfirm": "Bevestig ontkoppelen identiteitsprovider",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Dit kan niet ongedaan worden gemaakt voor deze organisatie.",
    "idpUnassociatedDescription": "Identiteitsprovider succesvol losgekoppeld van deze organisatie",
    "idpUnassociateMenu": "Ontkoppelen",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Verbinding maken…",
    "sshInitializing": "Initialiseren…",
    "sshSignInTitle": "Meld u aan bij SSH",
-    "sshSignInDescription": "Voer uw SSH-referenties in",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Wachtwoord",
    "sshPrivateKeyTab": "Privésleutel",
    "sshPrivateKeyField": "Privésleutel",
    "sshPrivateKeyDisclaimer": "Uw privésleutel wordt niet opgeslagen of zichtbaar gemaakt voor Pangolin. U kunt ook gebruik maken van kortlopende certificaten voor naadloze authenticatie met uw bestaande Pangolin-identiteit.",
    "sshLearnMore": "Meer informatie",
    "sshPrivateKeyFile": "Bestand met privésleutel",
-    "sshAuthenticate": "Authenticeren",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Beëindigen",
    "sshPoweredBy": "Aangeboden door",
    "sshErrorNoTarget": "Geen doelwit gespecificeerd",
    "sshErrorWebSocket": "WebSocket-verbinding is mislukt",
    "sshErrorAuthFailed": "Authenticatie mislukt",
-    "sshErrorConnectionClosed": "Verbinding gesloten voordat authenticatie was voltooid"
+    "sshErrorConnectionClosed": "Verbinding gesloten voordat authenticatie was voltooid",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Zobacz zasoby prywatne",
    "siteInstallNewt": "Zainstaluj Newt",
    "siteInstallNewtDescription": "Uruchom Newt w swoim systemie",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Konfiguracja WireGuard",
    "WgConfigurationDescription": "Użyj następującej konfiguracji, aby połączyć się z siecią",
    "operatingSystem": "System operacyjny",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Możesz to zobaczyć tylko raz. Upewnij się, że skopiuj je do bezpiecznego miejsca.",
    "siteInfo": "Informacje o witrynie",
    "status": "Status",
-    "shareTitle": "Zarządzaj linkami udostępniania",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Utwórz linki do współdzielenia, aby przyznać tymczasowy lub stały dostęp do zasobów proxy",
-    "shareSearch": "Szukaj linków udostępnienia...",
-    "shareCreate": "Utwórz link udostępniania",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Nie udało się usunąć linku",
    "shareErrorDeleteMessage": "Wystąpił błąd podczas usuwania linku",
    "shareDeleted": "Link usunięty",
    "shareDeletedDescription": "Link został usunięty",
-    "shareDelete": "Usuń link udostępniania",
-    "shareDeleteConfirm": "Potwierdź usunięcie linku udostępniania",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Czy na pewno chcesz usunąć ten link udostępniania?",
    "shareMessageRemove": "Po usunięciu, link przestanie działać i wszyscy korzystający z niego stracą dostęp do zasobu.",
    "shareTokenDescription": "Token dostępu może być przekazywany na dwa sposoby: jako parametr zapytania lub w nagłówkach żądania. Muszą być przekazywane z klienta na każde żądanie uwierzytelnionego dostępu.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Każdy z tym linkiem może uzyskać dostęp do zasobu",
    "shareTitleOptional": "Tytuł (opcjonalnie)",
    "sharePathOptional": "Ścieżka (opcjonalnie)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Wygasa za",
    "neverExpire": "Nigdy nie wygasa",
    "shareExpireDescription": "Czas wygaśnięcia to jak długo link będzie mógł być użyty i zapewni dostęp do zasobu. Po tym czasie link nie będzie już działał, a użytkownicy, którzy użyli tego linku, utracą dostęp do zasobu.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Wybierz zasób",
    "proxyResourceTitle": "Zarządzaj zasobami publicznymi",
    "proxyResourceDescription": "Twórz i zarządzaj zasobami, które są publicznie dostępne w przeglądarce internetowej",
-    "publicResourcesBannerTitle": "Publiczny dostęp za pośrednictwem sieci Web",
-    "publicResourcesBannerDescription": "Zasoby publiczne to proxy HTTPS lub TCP/UDP dostępne dla każdego w internecie za pośrednictwem przeglądarki internetowej. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Zarządzaj zasobami prywatnymi",
    "clientResourceDescription": "Twórz i zarządzaj zasobami, które są dostępne tylko za pośrednictwem połączonego klienta",
    "privateResourcesBannerTitle": "Zero zaufania do prywatnego dostępu",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Szukaj zasobów...",
    "resourceAdd": "Dodaj zasób",
    "resourceErrorDelte": "Błąd podczas usuwania zasobu",
-    "resourcePoliciesTitle": "Zarządzaj politykami zasobów",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Dołączone zasoby",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} zasób(y)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "brak zasobów",
-    "resourcePoliciesDescription": "Twórz i zarządzaj politykami uwierzytelniania, aby kontrolować dostęp do swoich zasobów",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Szukaj polityk...",
    "resourcePoliciesAdd": "Dodaj politykę",
    "resourcePoliciesDefaultBadgeText": "Domyślna polityka",
-    "resourcePoliciesCreate": "Utwórz politykę zasobu",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nową politykę",
    "resourcePolicyName": "Nazwa polityki",
    "resourcePolicyNameDescription": "Nadaj tej polityce nazwę, aby można ją było zidentyfikować w całych zasobach",
@@ -274,7 +281,7 @@
    "back": "Powrót",
    "cancel": "Anuluj",
    "resourceConfig": "Snippety konfiguracji",
-    "resourceConfigDescription": "Skopiuj i wklej te fragmenty konfiguracji, aby skonfigurować zasób TCP/UDP",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Dodaj punkty wejścia",
    "resourceExposePorts": "Gerbil: Podnieś porty w Komponencie Dockera",
    "resourceLearnRaw": "Dowiedz się, jak skonfigurować zasoby TCP/UDP",
@@ -287,6 +294,8 @@
    "labelDelete": "Usuń etykietę",
    "labelAdd": "Dodaj etykietę",
    "labelCreateSuccessMessage": "Etykieta została utworzona pomyślnie",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Etykieta została pomyślnie zmodyfikowana",
    "labelNameField": "Nazwa etykiety",
    "labelColorField": "Kolor etykiety",
@@ -311,7 +320,7 @@
    "rules": "Regulamin",
    "resourceSettingDescription": "Skonfiguruj ustawienia zasobu",
    "resourceSetting": "Ustawienia {resourceName}",
-    "resourcePolicySettingDescription": "Skonfiguruj ustawienia w polityce zasobów",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Ustawienia {policyName}",
    "alwaysAllow": "Omijanie uwierzytelniania",
    "alwaysDeny": "Blokuj dostęp",
@@ -719,7 +728,7 @@
    "targetSubmit": "Dodaj cel",
    "targetNoOne": "Ten zasób nie ma żadnych celów. Dodaj cel do skonfigurowania adresów wysyłania żądań do backendu.",
    "targetNoOneDescription": "Dodanie więcej niż jednego celu powyżej włączy równoważenie obciążenia.",
-    "targetsSubmit": "Zapisz cele",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Dodaj cel",
    "proxyMultiSiteRoundRobinNodeHelp": "Trasowanie round-robin nie będzie działać między witrynami, które nie są połączone z tym samym węzłem, ale przełączanie awaryjne będzie działać.",
    "targetErrorInvalidIp": "Nieprawidłowy adres IP",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Duplikat reguły",
    "rulesErrorDuplicateDescription": "Reguła o tych ustawieniach już istnieje",
    "rulesErrorInvalidIpAddressRange": "Nieprawidłowy CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Wprowadź prawidłową wartość CIDR",
-    "rulesErrorInvalidUrl": "Nieprawidłowa ścieżka URL",
-    "rulesErrorInvalidUrlDescription": "Wprowadź prawidłową wartość ścieżki URL",
-    "rulesErrorInvalidIpAddress": "Nieprawidłowe IP",
-    "rulesErrorInvalidIpAddressDescription": "Wprowadź prawidłowy adres IP",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Nie udało się zaktualizować reguł",
    "rulesErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji reguł",
    "rulesUpdated": "Włącz reguły",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Wprowadź adres w formacie CIDR (np. 103.21.244.0/22)",
    "rulesMatchIpAddress": "Wprowadź adres IP (np. 103.21.244.12)",
    "rulesMatchUrl": "Wprowadź ścieżkę URL lub wzorzec (np. /api/v1/todos lub /api/v1/*)",
-    "rulesErrorInvalidPriority": "Nieprawidłowy priorytet",
-    "rulesErrorInvalidPriorityDescription": "Wprowadź prawidłowy priorytet",
-    "rulesErrorDuplicatePriority": "Zduplikowane priorytety",
-    "rulesErrorDuplicatePriorityDescription": "Wprowadź unikalne priorytety",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Reguły zaktualizowane",
    "ruleUpdatedDescription": "Reguły zostały pomyślnie zaktualizowane",
    "ruleErrorUpdate": "Operacja nie powiodła się",
    "ruleErrorUpdateDescription": "Wystąpił błąd podczas operacji zapisu",
    "rulesPriority": "Priorytet",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Akcja",
    "rulesMatchType": "Typ dopasowania",
    "value": "Wartość",
@@ -792,7 +810,7 @@
    "rulesResource": "Konfiguracja reguł zasobu",
    "rulesResourceDescription": "Skonfiguruj reguły, aby kontrolować dostęp do zasobu",
    "ruleSubmit": "Dodaj regułę",
-    "rulesNoOne": "Brak reguł. Dodaj regułę używając formularza.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Reguły są oceniane według priorytetu w kolejności rosnącej.",
    "rulesSubmit": "Zapisz reguły",
    "policyErrorCreate": "Błąd przy tworzeniu polityki",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Wystąpił nieoczekiwany błąd",
    "policyCreatedSuccess": "Polityka zasobów została pomyślnie utworzona",
    "policyUpdatedSuccess": "Polityka zasobów została pomyślnie zaktualizowana",
-    "authMethodsSave": "Zapisz metody uwierzytelniania",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Zapisz zasady",
    "resourceErrorCreate": "Błąd podczas tworzenia zasobu",
    "resourceErrorCreateDescription": "Wystąpił błąd podczas tworzenia zasobu",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji zasobu",
    "access": "Dostęp",
    "accessControl": "Kontrola dostępu",
-    "shareLink": "Link udostępniania {resource}",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Wybierz zasób",
-    "shareLinks": "Linki udostępniania",
+    "shareLinks": "Shareable Links",
    "share": "Linki do udostępniania",
    "shareDescription2": "Utwórz linki do zasobów, które można współdzielić. Linki zapewniają tymczasowy lub nieograniczony dostęp do twojego zasobu. Możesz skonfigurować czas ważności linku, gdy go utworzysz.",
    "shareEasyCreate": "Łatwe tworzenie i udostępnianie",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Administratorzy zawsze mają dostęp do tego zasobu.",
    "resourcePolicySelectTitle": "Polityka dostępu do zasobów",
    "resourcePolicySelectDescription": "Wybierz typ polityki zasobów do uwierzytelniania",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Warunkowa polityka zasobów",
    "resourcePolicyInlineDescription": "Polityka dostępu tylko do tego zasobu",
    "resourcePolicyShared": "Dzielona polityka zasobów",
-    "resourcePolicySharedDescription": "Ten zasób korzysta z dzielonej polityki. Ustawienia na poziomie polityki (metody uwierzytelniania, biała lista e-maili) są zablokowane. Możesz dodać zasady specyficzne dla zasobów, role i użytkowników poniżej.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Kontrola dostępu",
    "resourceUsersRolesDescription": "Skonfiguruj, którzy użytkownicy i role mogą odwiedzać ten zasób",
    "resourceUsersRolesSubmit": "Zapisz kontrole dostępu",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Widoczność",
    "resourceVisibilityTitleDescription": "Całkowicie włącz lub wyłącz widoczność zasobu",
    "resourceGeneral": "Ustawienia ogólne",
-    "resourceGeneralDescription": "Skonfiguruj ustawienia ogólne dla tego zasobu",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Włącz zasób",
    "resourceTransfer": "Przenieś zasób",
    "resourceTransferDescription": "Przenieś ten zasób do innej witryny",
@@ -1220,11 +1294,14 @@
    "addLabels": "Dodaj etykiety",
    "siteLabelsTab": "Etykiety",
    "siteLabelsDescription": "Zarządzaj etykietami powiązanymi z tą stroną.",
-    "labelsNotFound": "Nie znaleziono etykiet",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Szukaj etykiet",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# etykieta} few {# etykiety} many {# etykiet} other {# etykiet}}",
    "labelOverflowCount": "+{count, plural, one {# etykieta} few {# etykiety} many {# etykiet} other {# etykiet}}",
    "accessLabelFilterClear": "Wyczyść filtry etykiet",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Wybierz kolor",
    "createNewLabel": "Utwórz nową etykietę org \"{label}\"",
    "inviteInvalidDescription": "Link zapraszający jest nieprawidłowy.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Zasoby",
    "sidebarProxyResources": "Publiczne",
    "sidebarClientResources": "Prywatny",
-    "sidebarPolicies": "Polityki",
-    "sidebarResourcePolicies": "Zasoby",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Kontrola dostępu",
    "sidebarLogsAndAnalytics": "Logi i Analityki",
    "sidebarTeam": "Drużyna",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Administrator",
    "sidebarInvitations": "Zaproszenia",
    "sidebarRoles": "Role",
-    "sidebarShareableLinks": "Linki",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "Klucze API",
    "sidebarProvisioning": "Dostarczanie",
    "sidebarSettings": "Ustawienia",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Zasób {id}",
    "blueprints": "Schematy",
    "blueprintsLog": "Dziennik szablonów",
-    "blueprintsDescription": "Zobacz wcześniejsze zastosowania szablonów i ich wyniki",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Dodaj schemat",
    "blueprintGoBack": "Zobacz wszystkie schematy",
    "blueprintCreate": "Utwórz schemat",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Włącz schemat dokera",
    "enableDockerSocketDescription": "Włącz etykietowanie gniazda dokera dla etykiet szablonów. Ścieżka do gniazda musi być dostarczona do łącznika strony. Przeczytaj zarówno jak to działa w <docsLink>dokumentacji</docsLink>.",
    "newtAutoUpdate": "Włącz automatyczną aktualizację witryny",
-    "newtAutoUpdateDescription": "Kiedy włączone, łączniki witryn będą się automatycznie aktualizować do najnowszej wersji, gdy dostępne będzie nowe wydanie.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Automatyczna aktualizacja strony",
    "siteAutoUpdateLabel": "Włącz aktualizacje automatyczne",
-    "siteAutoUpdateDescription": "Kontroluj czy łącznik tej strony automatycznie pobiera najnowszą wersję.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Domyślnie dla organizacji: {state}",
    "siteAutoUpdateOverriding": "Nadpisywanie ustawień organizacji",
    "siteAutoUpdateResetToOrg": "Zresetuj do domyślnych ustawień organizacji",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Konfiguracja konta zakończona! Witaj w Pangolin!",
    "documentation": "Dokumentacja",
    "saveAllSettings": "Zapisz wszystkie ustawienia",
-    "saveResourceTargets": "Zapisz cele",
-    "saveResourceHttp": "Zapisz ustawienia proxy",
-    "saveProxyProtocol": "Zapisz ustawienia protokołu proxy",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Ustawienia zaktualizowane",
    "settingsUpdatedDescription": "Ustawienia zostały pomyślnie zaktualizowane",
    "settingsErrorUpdate": "Nie udało się zaktualizować ustawień",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Nieznany",
    "healthCheck": "Kontrola Zdrowia",
    "configureHealthCheck": "Skonfiguruj Kontrolę Zdrowia",
-    "configureHealthCheckDescription": "Skonfiguruj monitorowanie zdrowia dla {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Włącz Kontrole Zdrowia",
    "healthCheckDisabledStateDescription": "Gdy wyłączone, strona nie będzie wykonywać kontroli zdrowia, a stan zostanie uznany za nieznany.",
    "enableHealthChecksDescription": "Monitoruj zdrowie tego celu. Możesz monitorować inny punkt końcowy niż docelowy w razie potrzeby.",
    "healthScheme": "Metoda",
    "healthSelectScheme": "Wybierz metodę",
-    "healthCheckPortInvalid": "Port oceny stanu musi znajdować się między 1 a 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Ścieżka",
    "healthHostname": "IP / Nazwa hosta",
    "healthPort": "Port",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Wymagaj zatwierdzenia urządzenia",
    "requireDeviceApprovalDescription": "Użytkownicy o tej roli potrzebują nowych urządzeń zatwierdzonych przez administratora, zanim będą mogli połączyć się i uzyskać dostęp do zasobów.",
    "sshSettings": "Ustawienia SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Ustawienia RDP",
    "vncSettings": "Ustawienia VNC",
    "sshServer": "Serwer SSH",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Upewnij się, że Twoja maszyna docelowa jest poprawnie skonfigurowana do uruchamiania demona uwierzytelniania zanim ukończysz tę konfigurację, w przeciwnym razie provisioning zakończy się niepowodzeniem.",
    "sshDaemonPort": "Port Demona",
    "sshServerDestination": "Miejsce docelowe serwera",
-    "sshServerDestinationDescription": "Skonfiguruj miejsce docelowe i port serwera SSH",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Miejsce docelowe",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Wybór wielu stron umożliwia odporność trasowania i zmienioność dla wysokiej dostępności.",
    "roleAllowSsh": "Zezwalaj na SSH",
    "roleAllowSshAllow": "Zezwól",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Użytkownik może uruchamiać tylko określone polecenia z sudo.",
    "sshSudo": "Zezwól na sudo",
    "sshSudoCommands": "Komendy Sudo",
-    "sshSudoCommandsDescription": "Lista rozdzielona przecinkami poleceń, które użytkownik może uruchomić z sudo. Należy używać ścieżek bezwzględnych.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Utwórz katalog domowy",
    "sshUnixGroups": "Grupy Unix",
-    "sshUnixGroupsDescription": "Oddzielone przecinkami grupy Unix, aby dodać użytkownika do docelowego hosta.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Próby Ponowienia",
    "expectedResponseCodes": "Oczekiwane Kody Odpowiedzi",
    "expectedResponseCodesDescription": "Kod statusu HTTP, który wskazuje zdrowy status. Jeśli pozostanie pusty, uznaje się 200-300 za zdrowy.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Włącz protokół proxy",
    "proxyProtocolInfo": "Zachowaj adresy IP klienta dla backendów TCP",
    "proxyProtocolVersion": "Wersja protokołu proxy",
-    "version1": " Wersja 1 (zalecane)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Wersja 2",
-    "versionDescription": "Wersja 1 jest oparta na tekście i szeroko wspierana. Wersja 2 jest binarna i bardziej efektywna, ale mniej kompatybilna.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Ostrzeżenie",
    "proxyProtocolWarning": "Aplikacja backend musi być skonfigurowana do akceptowania połączeń protokołu proxy. Jeśli Twój backend nie obsługuje protokołu Proxy, włączenie tego spowoduje przerwanie wszystkich połączeń, więc włącz to tylko jeśli wiesz, co robisz. Upewnij się, że konfiguracja twojego backendu do zaufanych nagłówków protokołu proxy z Traefik.",
    "restarting": "Restartowanie...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Wprowadź potwierdzenie",
    "blueprintViewDetails": "Szczegóły",
    "defaultIdentityProvider": "Domyślny dostawca tożsamości",
-    "defaultIdentityProviderDescription": "Gdy zostanie wybrany domyślny dostawca tożsamości, użytkownik zostanie automatycznie przekierowany do dostawcy w celu uwierzytelnienia.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
    "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
    "editInternalResourceDialogAddRoles": "Dodaj role",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Typ trybu konserwacji",
    "showMaintenancePage": "Pokaż odwiedzającym stronę konserwacji",
    "enableMaintenanceMode": "Włącz tryb konserwacji",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatycznie",
    "automaticModeDescription": "Pokaż stronę konserwacyjną tylko wtedy, gdy wszystkie cele zaplecza są wyłączone lub niezdrowe. Twój zasób działa nadal normalnie, o ile przynajmniej jeden cel jest zdrowy.",
    "forced": "Wymuszone",
@@ -3082,6 +3182,8 @@
    "warning:": "Ostrzeżenie:",
    "forcedeModeWarning": "Cały ruch zostanie skierowany na stronę konserwacyjną. Twoje zasoby zaplecza nie otrzymają żadnych żądań.",
    "pageTitle": "Tytuł strony",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Główny nagłówek wyświetlany na stronie konserwacyjnej",
    "maintenancePageMessage": "Komunikat konserwacyjny",
    "maintenancePageMessagePlaceholder": "Wrócimy wkrótce! Nasza strona przechodzi obecnie zaplanowaną konserwację.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Czy na pewno chcesz odłączyć tego dostawcę tożsamości od tej organizacji?",
    "idpUnassociateDescription": "Wszystkie użytkownicy powiązani z tym dostawcą tożsamości zostaną usunięci z tej organizacji, ale dostawca tożsamości będzie nadal istniał dla innych powiązanych organizacji.",
    "idpUnassociateConfirm": "Potwierdź odłączenie dostawcy tożsamości",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Tego nie można cofnąć dla tej organizacji.",
    "idpUnassociatedDescription": "Dostawca tożsamości pomyślnie odłączony od tej organizacji",
    "idpUnassociateMenu": "Odłącz",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Łączenie…",
    "sshInitializing": "Inicjalizacja…",
    "sshSignInTitle": "Zaloguj się do SSH",
-    "sshSignInDescription": "Wprowadź swoje poświadczenia SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Hasło",
    "sshPrivateKeyTab": "Klucz prywatny",
    "sshPrivateKeyField": "Klucz prywatny",
    "sshPrivateKeyDisclaimer": "Twój klucz prywatny nie jest przechowywany ani widoczny dla Pangolin. Alternatywnie, możesz używać certyfikatów krótkoterminowych do bezproblemowego uwierzytelniania za pomocą Twojej istniejącej tożsamości Pangolin.",
    "sshLearnMore": "Dowiedz się więcej",
    "sshPrivateKeyFile": "Plik klucza prywatnego",
-    "sshAuthenticate": "Uwierzytelnij",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Zakończ",
    "sshPoweredBy": "Obsługiwane przez",
    "sshErrorNoTarget": "Nie określono celu",
    "sshErrorWebSocket": "Połączenie WebSocket nie powiodło się",
    "sshErrorAuthFailed": "Uwierzytelnianie nie powiodło się",
-    "sshErrorConnectionClosed": "Połączenie zamknięte przed ukończeniem uwierzytelniania"
+    "sshErrorConnectionClosed": "Połączenie zamknięte przed ukończeniem uwierzytelniania",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Visualizar Recursos Privados",
    "siteInstallNewt": "Instalar Novo",
    "siteInstallNewtDescription": "Novo item em execução no seu sistema",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Configuração do WireGuard",
    "WgConfigurationDescription": "Use a seguinte configuração para conectar-se à rede",
    "operatingSystem": "Sistema operacional",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Você só será capaz de ver esta vez. Certifique-se de copiá-lo para um lugar seguro.",
    "siteInfo": "Informações do Site",
    "status": "SItuação",
-    "shareTitle": "Gerir links partilhados",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Criar links compartilháveis para conceder acesso temporário ou permanente aos recursos do proxy",
-    "shareSearch": "Pesquisar links de compartilhamento...",
-    "shareCreate": "Criar Link de Compartilhamento",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Falha ao apagar o link",
    "shareErrorDeleteMessage": "Ocorreu um erro ao apagar o link",
    "shareDeleted": "Link excluído",
    "shareDeletedDescription": "O link foi eliminado",
-    "shareDelete": "Excluir Link de Compartilhamento",
-    "shareDeleteConfirm": "Confirmar Exclusão de Link de Compartilhamento",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Tem certeza de que deseja excluir este link de compartilhamento?",
    "shareMessageRemove": "Uma vez excluído, o link não funcionará mais e qualquer pessoa que o utilizar perderá o acesso ao recurso.",
    "shareTokenDescription": "O token de acesso pode ser passado de duas maneiras: como um parâmetro de consulta ou nos cabeçalhos da solicitação. Estes devem ser passados do cliente em todas as solicitações para acesso autenticado.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Qualquer um com este link pode aceder o recurso",
    "shareTitleOptional": "Título (opcional)",
    "sharePathOptional": "Caminho (opcional)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Expira em",
    "neverExpire": "Nunca expirar",
    "shareExpireDescription": "Tempo de expiração é quanto tempo o link será utilizável e oferecerá acesso ao recurso. Após este tempo, o link não funcionará mais, e os utilizadores que usaram este link perderão acesso ao recurso.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Por favor, selecione um recurso",
    "proxyResourceTitle": "Gerenciar Recursos Públicos",
    "proxyResourceDescription": "Criar e gerenciar recursos que são acessíveis publicamente por meio de um navegador da web",
-    "publicResourcesBannerTitle": "Acesso Público via Web",
-    "publicResourcesBannerDescription": "Os recursos públicos são proxies HTTPS ou TCP/UDP acessíveis a qualquer pessoa na internet por meio de um navegador web. Ao contrário dos recursos privados, eles não requerem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Gerenciar recursos privados",
    "clientResourceDescription": "Criar e gerenciar recursos que só são acessíveis por meio de um cliente conectado",
    "privateResourcesBannerTitle": "Acesso Privado com Confiança Zero",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Procurar recursos...",
    "resourceAdd": "Adicionar Recurso",
    "resourceErrorDelte": "Erro ao apagar recurso",
-    "resourcePoliciesTitle": "Gerenciar Políticas de Recurso",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Recursos Anexados",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} recurso(s)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "sem recursos",
-    "resourcePoliciesDescription": "Crie e gerencie políticas de autenticação para controlar o acesso aos seus recursos",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Pesquisar políticas...",
    "resourcePoliciesAdd": "Adicionar Política",
    "resourcePoliciesDefaultBadgeText": "Política Padrão",
-    "resourcePoliciesCreate": "Criar Política de Recurso",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Siga os passos abaixo para criar uma nova política",
    "resourcePolicyName": "Nome da Política",
    "resourcePolicyNameDescription": "Dê um nome a esta política para identificá-la em seus recursos",
@@ -274,7 +281,7 @@
    "back": "Anterior",
    "cancel": "cancelar",
    "resourceConfig": "Snippets de Configuração",
-    "resourceConfigDescription": "Copie e cole estes snippets de configuração para configurar o recurso TCP/UDP",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Adicionar pontos de entrada",
    "resourceExposePorts": "Gerbil: Expor Portas no Docker Compose",
    "resourceLearnRaw": "Aprenda como configurar os recursos TCP/UDP",
@@ -287,6 +294,8 @@
    "labelDelete": "Excluir Etiqueta",
    "labelAdd": "Adicionar Etiqueta",
    "labelCreateSuccessMessage": "Etiqueta Criada com Sucesso",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Etiqueta Modificada com Sucesso",
    "labelNameField": "Nome da Etiqueta",
    "labelColorField": "Cor da Etiqueta",
@@ -311,7 +320,7 @@
    "rules": "Regras",
    "resourceSettingDescription": "Configure as configurações do recurso",
    "resourceSetting": "Configurações do {resourceName}",
-    "resourcePolicySettingDescription": "Configure as configurações na política de recurso",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Configurações de {policyName}",
    "alwaysAllow": "Autenticação de bypass",
    "alwaysDeny": "Bloquear Acesso",
@@ -719,7 +728,7 @@
    "targetSubmit": "Adicionar Alvo",
    "targetNoOne": "Este recurso não tem nenhum alvo. Adicione um alvo para configurar para onde enviar solicitações para o backend.",
    "targetNoOneDescription": "Adicionar mais de um alvo acima habilitará o balanceamento de carga.",
-    "targetsSubmit": "Guardar Alvos",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Adicionar Alvo",
    "proxyMultiSiteRoundRobinNodeHelp": "O roteamento round robin não funcionará entre sites que não estão conectados ao mesmo nó, mas o failover funcionará.",
    "targetErrorInvalidIp": "Endereço IP inválido",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Regra duplicada",
    "rulesErrorDuplicateDescription": "Uma regra com estas configurações já existe",
    "rulesErrorInvalidIpAddressRange": "CIDR inválido",
-    "rulesErrorInvalidIpAddressRangeDescription": "Por favor, insira um valor CIDR válido",
-    "rulesErrorInvalidUrl": "Caminho URL inválido",
-    "rulesErrorInvalidUrlDescription": "Por favor, insira um valor de caminho URL válido",
-    "rulesErrorInvalidIpAddress": "IP inválido",
-    "rulesErrorInvalidIpAddressDescription": "Por favor, insira um endereço IP válido",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Falha ao atualizar regras",
    "rulesErrorUpdateDescription": "Ocorreu um erro ao atualizar regras",
    "rulesUpdated": "Ativar Regras",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Insira um endereço no formato CIDR (ex: 103.21.244.0/22)",
    "rulesMatchIpAddress": "Insira um endereço IP (ex: 103.21.244.12)",
    "rulesMatchUrl": "Insira um caminho URL ou padrão (ex: /api/v1/todos ou /api/v1/*)",
-    "rulesErrorInvalidPriority": "Prioridade Inválida",
-    "rulesErrorInvalidPriorityDescription": "Por favor, insira uma prioridade válida",
-    "rulesErrorDuplicatePriority": "Prioridades Duplicadas",
-    "rulesErrorDuplicatePriorityDescription": "Por favor, insira prioridades únicas",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Regras atualizadas",
    "ruleUpdatedDescription": "Regras atualizadas com sucesso",
    "ruleErrorUpdate": "Operação falhou",
    "ruleErrorUpdateDescription": "Ocorreu um erro durante a operação de salvamento",
    "rulesPriority": "Prioridade",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Ação",
    "rulesMatchType": "Tipo de Correspondência",
    "value": "Valor",
@@ -792,7 +810,7 @@
    "rulesResource": "Configuração de Regras do Recurso",
    "rulesResourceDescription": "Configurar regras para controlar o acesso ao recurso",
    "ruleSubmit": "Adicionar Regra",
-    "rulesNoOne": "Sem regras. Adicione uma regra usando o formulário.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "As regras são avaliadas por prioridade em ordem ascendente.",
    "rulesSubmit": "Guardar Regras",
    "policyErrorCreate": "Erro ao criar política",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Ocorreu um erro inesperado",
    "policyCreatedSuccess": "Política de recurso criada com sucesso",
    "policyUpdatedSuccess": "Política de recurso atualizada com sucesso",
-    "authMethodsSave": "Salvar métodos de autenticação",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Guardar Regras",
    "resourceErrorCreate": "Erro ao criar recurso",
    "resourceErrorCreateDescription": "Ocorreu um erro ao criar o recurso",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Ocorreu um erro ao atualizar o recurso",
    "access": "Acesso",
    "accessControl": "Controle de Acesso",
-    "shareLink": "Link de Compartilhamento {resource}",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Selecionar recurso",
-    "shareLinks": "Links de Compartilhamento",
+    "shareLinks": "Shareable Links",
    "share": "Links Compartilháveis",
    "shareDescription2": "Crie links compartilháveis para recursos. Links fornecem acesso temporário ou ilimitado ao seu recurso. Você pode configurar a duração de expiração do link quando você criar um.",
    "shareEasyCreate": "Fácil de criar e compartilhar",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Administradores sempre podem aceder este recurso.",
    "resourcePolicySelectTitle": "Política de Acesso ao Recurso",
    "resourcePolicySelectDescription": "Selecione o tipo de política de recurso para autenticação",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Política de Recurso Inline",
    "resourcePolicyInlineDescription": "Política de Acesso abrange apenas este recurso",
    "resourcePolicyShared": "Política de Recurso Compartilhada",
-    "resourcePolicySharedDescription": "Este recurso usa uma política compartilhada. As configurações a nível de política (métodos de autenticação, lista de emails permitidos) estão bloqueadas. Você pode adicionar regras, funções e usuários específicos ao recurso abaixo.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Controlos de Acesso",
    "resourceUsersRolesDescription": "Configure quais utilizadores e funções podem visitar este recurso",
    "resourceUsersRolesSubmit": "Guardar Controlos de Acesso",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibilidade",
    "resourceVisibilityTitleDescription": "Ativar ou desativar completamente a visibilidade do recurso",
    "resourceGeneral": "Configurações Gerais",
-    "resourceGeneralDescription": "Configure as configurações gerais para este recurso",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Ativar Recurso",
    "resourceTransfer": "Transferir Recurso",
    "resourceTransferDescription": "Transferir este recurso para um site diferente",
@@ -1220,11 +1294,14 @@
    "addLabels": "Adicionar etiquetas",
    "siteLabelsTab": "Etiquetas",
    "siteLabelsDescription": "Gerencie etiquetas associadas a este site.",
-    "labelsNotFound": "Etiquetas não encontradas",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Pesquisar etiquetas",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# etiqueta} other {# etiquetas}}",
    "labelOverflowCount": "+{count, plural, one {# etiqueta} other {# etiquetas}}",
    "accessLabelFilterClear": "Limpar filtros de etiquetas",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Selecionar cor",
    "createNewLabel": "Criar nova etiqueta na organização \"{label}\"",
    "inviteInvalidDescription": "O link do convite é inválido.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
-    "sidebarPolicies": "Políticas",
-    "sidebarResourcePolicies": "Recursos",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Controle de Acesso",
    "sidebarLogsAndAnalytics": "Registros e Análises",
    "sidebarTeam": "Equipe",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Administrador",
    "sidebarInvitations": "Convites",
    "sidebarRoles": "Papéis",
-    "sidebarShareableLinks": "Links",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "Chaves API",
    "sidebarProvisioning": "Provisionamento",
    "sidebarSettings": "Configurações",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Recurso {id}",
    "blueprints": "Diagramas",
    "blueprintsLog": "Registo dos Blueprint",
-    "blueprintsDescription": "Ver aplicações de blueprint passadas e seus resultados",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Adicionar Diagrama",
    "blueprintGoBack": "Ver todos os Diagramas",
    "blueprintCreate": "Criar Diagrama",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Habilitar o Diagrama Docker",
    "enableDockerSocketDescription": "Ative a raspagem de etiquetas do Docker Socket para etiquetas de modelo. O caminho do Socket deve ser fornecido ao conector do site. Leia sobre como isso funciona na <docsLink>documentação</docsLink>.",
    "newtAutoUpdate": "Ativar Atualização Automática do Site",
-    "newtAutoUpdateDescription": "Quando ativado, os conectores de site atualizarão automaticamente para a versão mais recente quando uma nova versão estiver disponível.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Atualização Automática do Site",
    "siteAutoUpdateLabel": "Ativar Atualização Automática",
-    "siteAutoUpdateDescription": "Controle se o conector deste site baixa automaticamente a versão mais recente.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Padrão da organização: {state}",
    "siteAutoUpdateOverriding": "Substituindo configuração da organização",
    "siteAutoUpdateResetToOrg": "Redefinir para Padrão da Organização",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Configuração da conta concluída! Bem-vindo ao Pangolin!",
    "documentation": "Documentação",
    "saveAllSettings": "Guardar Todas as Configurações",
-    "saveResourceTargets": "Guardar Alvos",
-    "saveResourceHttp": "Guardar Configurações de Proxy",
-    "saveProxyProtocol": "Salvar configurações do protocolo de proxy",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Configurações atualizadas",
    "settingsUpdatedDescription": "Configurações atualizadas com sucesso",
    "settingsErrorUpdate": "Falha ao atualizar configurações",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Desconhecido",
    "healthCheck": "Verificação de Saúde",
    "configureHealthCheck": "Configurar Verificação de Saúde",
-    "configureHealthCheckDescription": "Configure a monitorização de saúde para {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Ativar Verificações de Saúde",
    "healthCheckDisabledStateDescription": "Quando desativado, o site não realizará verificações de saúde e o estado será considerado desconhecido.",
    "enableHealthChecksDescription": "Monitore a saúde deste alvo. Você pode monitorar um ponto de extremidade diferente do alvo, se necessário.",
    "healthScheme": "Método",
    "healthSelectScheme": "Selecione o Método",
-    "healthCheckPortInvalid": "A porta do exame de saúde deve estar entre 1 e 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Caminho",
    "healthHostname": "IP / Nome do Host",
    "healthPort": "Porta",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Exigir aprovação do dispositivo",
    "requireDeviceApprovalDescription": "Usuários com esta função precisam de novos dispositivos aprovados por um administrador antes que eles possam se conectar e acessar recursos.",
    "sshSettings": "Configurações SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Configurações RDP",
    "vncSettings": "Configurações VNC",
    "sshServer": "Servidor SSH",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Certifique-se de que seu host de destino está devidamente configurado para executar o daemon de autenticação antes de concluir esta configuração, ou o provisionamento falhará.",
    "sshDaemonPort": "Porta do Daemon",
    "sshServerDestination": "Destino do Servidor",
-    "sshServerDestinationDescription": "Configure o destino e a porta do servidor SSH",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Destino",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Selecionar vários sites permite roteamento resiliente e failover para alta disponibilidade.",
    "roleAllowSsh": "Permitir SSH",
    "roleAllowSshAllow": "Autorizar",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Usuário só pode executar os comandos especificados com sudo.",
    "sshSudo": "Permitir sudo",
    "sshSudoCommands": "Comandos Sudo",
-    "sshSudoCommandsDescription": "Lista separada por vírgulas de comandos que o usuário pode executar com sudo. Caminhos absolutos devem ser usados.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Criar Diretório Inicial",
    "sshUnixGroups": "Grupos Unix",
-    "sshUnixGroupsDescription": "Grupos Unix separados por vírgulas para adicionar o usuário no host alvo.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Tentativas de Repetição",
    "expectedResponseCodes": "Códigos de Resposta Esperados",
    "expectedResponseCodesDescription": "Código de status HTTP que indica estado saudável. Se deixado em branco, 200-300 é considerado saudável.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Habilitar protocolo proxy",
    "proxyProtocolInfo": "Preservar endereços IP do cliente para backends TCP",
    "proxyProtocolVersion": "Versão do Protocolo Proxy",
-    "version1": " Versão 1 (recomendado)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Versão 2",
-    "versionDescription": "A versão 1 é baseada em texto e amplamente suportada. A versão 2 é binária e mais eficiente, mas menos compatível.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "ATENÇÃO",
    "proxyProtocolWarning": "A aplicação de backend deve ser configurada para aceitar conexões de protocolo proxy. Se o seu backend não suporta o Protocolo de Proxy, habilitando isto quebrará todas as conexões, então só habilite isso se você souber o que está fazendo. Certifique-se de configurar seu backend para confiar nos cabeçalhos do protocolo proxy no Traefik.",
    "restarting": "Reiniciando...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Inserir confirmação",
    "blueprintViewDetails": "Detalhes",
    "defaultIdentityProvider": "Provedor de Identidade Padrão",
-    "defaultIdentityProviderDescription": "Quando um provedor de identidade padrão for selecionado, o usuário será automaticamente redirecionado para o provedor de autenticação.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
    "editInternalResourceDialogAccessPolicy": "Política de Acesso",
    "editInternalResourceDialogAddRoles": "Adicionar Funções",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Tipo de Modo de Manutenção",
    "showMaintenancePage": "Mostrar uma página de manutenção para os visitantes",
    "enableMaintenanceMode": "Ativar Modo de Manutenção",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automático",
    "automaticModeDescription": "Exibir página de manutenção apenas quando todos os destinos de back-end estiverem inativos ou não saudáveis. Seu recurso continua funcionando normalmente desde que pelo menos um destino esteja saudável.",
    "forced": "Forçado",
@@ -3082,6 +3182,8 @@
    "warning:": "Aviso:",
    "forcedeModeWarning": "Todo o tráfego será direcionado para a página de manutenção. Seus recursos de back-end não receberão nenhuma solicitação.",
    "pageTitle": "Título da Página",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "O título principal exibido na página de manutenção",
    "maintenancePageMessage": "Mensagem de Manutenção",
    "maintenancePageMessagePlaceholder": "Voltaremos em breve! Nosso site está passando por manutenção programada.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Tem certeza de que deseja desassociar este provedor de identidade desta organização?",
    "idpUnassociateDescription": "Todos os usuários associados a este provedor de identidade serão removidos desta organização, mas o provedor de identidade continuará a existir para outras organizações associadas.",
    "idpUnassociateConfirm": "Confirmar Desassociação do Provedor de Identidade",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Isso não pode ser desfeito para esta organização.",
    "idpUnassociatedDescription": "Provedor de identidade desassociado desta organização com sucesso",
    "idpUnassociateMenu": "Desassociar",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "A conectar…",
    "sshInitializing": "A iniciar…",
    "sshSignInTitle": "Entrar no SSH",
-    "sshSignInDescription": "Insira suas credenciais SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Palavra-passe",
    "sshPrivateKeyTab": "Chave Privada",
    "sshPrivateKeyField": "Chave Privada",
    "sshPrivateKeyDisclaimer": "Sua chave privada não é armazenada ou visível para Pangolin. Alternativamente, você pode usar certificados de curta duração para autenticação perfeita usando sua identidade Pangolin existente.",
    "sshLearnMore": "Saiba mais",
    "sshPrivateKeyFile": "Arquivo de Chave Privada",
-    "sshAuthenticate": "Autenticar",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Terminar",
    "sshPoweredBy": "Desenvolvido por",
    "sshErrorNoTarget": "Nenhum alvo especificado",
    "sshErrorWebSocket": "Falha na conexão WebSocket",
    "sshErrorAuthFailed": "Falha na autenticação",
-    "sshErrorConnectionClosed": "Conexão encerrada antes de concluir a autenticação"
+    "sshErrorConnectionClosed": "Conexão encerrada antes de concluir a autenticação",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Просмотр частных ресурсов",
    "siteInstallNewt": "Установить Newt",
    "siteInstallNewtDescription": "Запустите Newt в вашей системе",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "Конфигурация WireGuard",
    "WgConfigurationDescription": "Используйте следующую конфигурацию для подключения к сети",
    "operatingSystem": "Операционная система",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Вы сможете увидеть эти данные только один раз. Обязательно скопируйте их в безопасное место.",
    "siteInfo": "Информация о сайте",
    "status": "Статус",
-    "shareTitle": "Управление общими ссылками",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Создавайте общие ссылки, чтобы предоставить временный или постоянный доступ к прокси ресурсам",
-    "shareSearch": "Поиск общих ссылок...",
-    "shareCreate": "Создать общую ссылку",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Не удалось удалить ссылку",
    "shareErrorDeleteMessage": "Произошла ошибка при удалении ссылки",
    "shareDeleted": "Ссылка удалена",
    "shareDeletedDescription": "Ссылка была успешно удалена",
-    "shareDelete": "Удалить общую ссылку",
-    "shareDeleteConfirm": "Подтвердите удаление общей ссылки",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Вы уверены, что хотите удалить эту общую ссылку?",
    "shareMessageRemove": "После удаления ссылка перестанет работать, и все, кто ее использует, потеряют доступ к ресурсу.",
    "shareTokenDescription": "Токен доступа может быть передан двумя способами: как параметр запроса или в заголовках запроса. Они должны быть переданы от клиента по каждому запросу для аутентифицированного доступа.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Любой, у кого есть эта ссылка, может получить доступ к ресурсу",
    "shareTitleOptional": "Заголовок (необязательно)",
    "sharePathOptional": "Путь (необязательно)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Срок действия",
    "neverExpire": "Бессрочный доступ",
    "shareExpireDescription": "Срок действия - это период, в течение которого ссылка будет работать и предоставлять доступ к ресурсу. После этого времени ссылка перестанет работать, и пользователи, использовавшие эту ссылку, потеряют доступ к ресурсу.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Пожалуйста, выберите ресурс",
    "proxyResourceTitle": "Управление публичными ресурсами",
    "proxyResourceDescription": "Создание и управление ресурсами, которые доступны через веб-браузер",
-    "publicResourcesBannerTitle": "Общедоступный доступ через веб",
-    "publicResourcesBannerDescription": "Общедоступные ресурсы - это прокси-по HTTPS или TCP/UDP, доступные любому пользователю в Интернете через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать политики доступа на основе идентификации и контекста.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Управление приватными ресурсами",
    "clientResourceDescription": "Создание и управление ресурсами, которые доступны только через подключенный клиент",
    "privateResourcesBannerTitle": "Частный доступ с нулевым доверием",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Поиск ресурсов...",
    "resourceAdd": "Добавить ресурс",
    "resourceErrorDelte": "Ошибка при удалении ресурса",
-    "resourcePoliciesTitle": "Управление политиками ресурсов",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Прикрепленные ресурсы",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} ресурс(ов)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "нет ресурсов",
-    "resourcePoliciesDescription": "Создавайте и управляйте политиками аутентификации для контроля доступа к вашим ресурсам",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Поиск политик...",
    "resourcePoliciesAdd": "Добавить политику",
    "resourcePoliciesDefaultBadgeText": "Политика по умолчанию",
-    "resourcePoliciesCreate": "Создать политику ресурса",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Следуйте шагам ниже, чтобы создать новую политику",
    "resourcePolicyName": "Имя политики",
    "resourcePolicyNameDescription": "Дайте этой политике имя для идентификации ее в ваших ресурсах",
@@ -274,7 +281,7 @@
    "back": "Назад",
    "cancel": "Отмена",
    "resourceConfig": "Фрагменты конфигурации",
-    "resourceConfigDescription": "Скопируйте и вставьте эти сниппеты для настройки TCP/UDP ресурса",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Добавить точки входа",
    "resourceExposePorts": "Gerbil: Открыть порты в Docker Compose",
    "resourceLearnRaw": "Узнайте, как настроить TCP/UDP-ресурсы",
@@ -287,6 +294,8 @@
    "labelDelete": "Удалить метку",
    "labelAdd": "Добавить метку",
    "labelCreateSuccessMessage": "Метка успешно создана",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Метка успешно изменена",
    "labelNameField": "Название метки",
    "labelColorField": "Цвет метки",
@@ -311,7 +320,7 @@
    "rules": "Правила",
    "resourceSettingDescription": "Настройка параметров ресурса",
    "resourceSetting": "Настройки {resourceName}",
-    "resourcePolicySettingDescription": "Настройка параметров политики ресурса",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "Настройки {policyName}",
    "alwaysAllow": "Авторизация байпасса",
    "alwaysDeny": "Блокировать доступ",
@@ -719,7 +728,7 @@
    "targetSubmit": "Добавить цель",
    "targetNoOne": "Этот ресурс не имеет никаких целей. Добавьте цель для настройки, где отправлять запросы в бэкэнд.",
    "targetNoOneDescription": "Добавление более одной цели выше включит балансировку нагрузки.",
-    "targetsSubmit": "Сохранить цели",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Добавить цель",
    "proxyMultiSiteRoundRobinNodeHelp": "Роутинг с балансировкой нагрузки не будет работать между сайтами, не подключенными к одному и тому же узлу, но подмена будет работать.",
    "targetErrorInvalidIp": "Неверный IP-адрес",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Дублирующее правило",
    "rulesErrorDuplicateDescription": "Правило с такими настройками уже существует",
    "rulesErrorInvalidIpAddressRange": "Неверный CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Пожалуйста, введите корректное значение CIDR",
-    "rulesErrorInvalidUrl": "Неверный URL путь",
-    "rulesErrorInvalidUrlDescription": "Пожалуйста, введите корректное значение URL пути",
-    "rulesErrorInvalidIpAddress": "Неверный IP",
-    "rulesErrorInvalidIpAddressDescription": "Пожалуйста, введите корректный IP адрес",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Не удалось обновить правила",
    "rulesErrorUpdateDescription": "Произошла ошибка при обновлении правил",
    "rulesUpdated": "Включить правила",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Введите адрес в формате CIDR (например, 103.21.244.0/22)",
    "rulesMatchIpAddress": "Введите IP адрес (например, 103.21.244.12)",
    "rulesMatchUrl": "Введите URL путь или шаблон (например, /api/v1/todos или /api/v1/*)",
-    "rulesErrorInvalidPriority": "Неверный приоритет",
-    "rulesErrorInvalidPriorityDescription": "Пожалуйста, введите корректный приоритет",
-    "rulesErrorDuplicatePriority": "Дублирующие приоритеты",
-    "rulesErrorDuplicatePriorityDescription": "Пожалуйста, введите уникальные приоритеты",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Правила обновлены",
    "ruleUpdatedDescription": "Правила успешно обновлены",
    "ruleErrorUpdate": "Операция не удалась",
    "ruleErrorUpdateDescription": "Произошла ошибка во время операции сохранения",
    "rulesPriority": "Приоритет",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Действие",
    "rulesMatchType": "Тип совпадения",
    "value": "Значение",
@@ -792,7 +810,7 @@
    "rulesResource": "Конфигурация правил ресурса",
    "rulesResourceDescription": "Настройка правил для контроля доступа к ресурсу",
    "ruleSubmit": "Добавить правило",
-    "rulesNoOne": "Нет правил. Добавьте правило с помощью формы.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Правила оцениваются по приоритету в возрастающем порядке.",
    "rulesSubmit": "Сохранить правила",
    "policyErrorCreate": "Ошибка создания политики",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Произошла неожиданная ошибка",
    "policyCreatedSuccess": "Политика ресурса успешно создана",
    "policyUpdatedSuccess": "Политика ресурса успешно обновлена",
-    "authMethodsSave": "Сохранить методы аутентификации",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Сохранить правила",
    "resourceErrorCreate": "Ошибка при создании ресурса",
    "resourceErrorCreateDescription": "Произошла ошибка при создании ресурса",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Произошла ошибка при обновлении ресурса",
    "access": "Доступ",
    "accessControl": "Контроль доступа",
-    "shareLink": "Общая ссылка {resource}",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Выберите ресурс",
-    "shareLinks": "Общие ссылки",
+    "shareLinks": "Shareable Links",
    "share": "Общие ссылки",
    "shareDescription2": "Создавайте общие ссылки на ресурсы. Ссылки обеспечивают временный или неограниченный доступ к вашему ресурсу. Вы можете настроить продолжительность действия ссылки при ее создании.",
    "shareEasyCreate": "Легко создавать и делиться",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Администраторы всегда имеют доступ к этому ресурсу.",
    "resourcePolicySelectTitle": "Политика доступа к ресурсам",
    "resourcePolicySelectDescription": "Выберите тип политики ресурса для аутентификации",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Политика ресурса на месте",
    "resourcePolicyInlineDescription": "Политика доступа ограничена только этим ресурсом",
    "resourcePolicyShared": "Общая политика ресурса",
-    "resourcePolicySharedDescription": "Этот ресурс использует общую политику. Настройки уровня политики (методы аутентификации, список разрешенных email) заблокированы. Вы можете добавить правила, роли и пользователей, специфичные для ресурса, ниже.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Контроль доступа",
    "resourceUsersRolesDescription": "Выберите пользователей и роли с доступом к этому ресурсу",
    "resourceUsersRolesSubmit": "Сохранить контроль доступа",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Видимость",
    "resourceVisibilityTitleDescription": "Включите или отключите видимость ресурса",
    "resourceGeneral": "Общие настройки",
-    "resourceGeneralDescription": "Настройте общие параметры этого ресурса",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Ресурс активен",
    "resourceTransfer": "Перенести ресурс",
    "resourceTransferDescription": "Перенесите этот ресурс на другой сайт",
@@ -1220,11 +1294,14 @@
    "addLabels": "Добавить метки",
    "siteLabelsTab": "Метки",
    "siteLabelsDescription": "Управляйте метками, связанными с этим сайтом.",
-    "labelsNotFound": "Метки не найдены",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Поиск меток",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# метка} few {# метки} many {# меток} other {# меток}}",
    "labelOverflowCount": "+{count, plural, one {# метка} few {# метки} many {# меток} other {# меток}}",
    "accessLabelFilterClear": "Очистить фильтры меток",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Выберите цвет",
    "createNewLabel": "Создать новую метку организации \"{label}\"",
    "inviteInvalidDescription": "Ссылка на приглашение недействительна.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Ресурсы",
    "sidebarProxyResources": "Публичный",
    "sidebarClientResources": "Приватный",
-    "sidebarPolicies": "Политики",
-    "sidebarResourcePolicies": "Ресурсы",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Контроль доступа",
    "sidebarLogsAndAnalytics": "Журналы и аналитика",
    "sidebarTeam": "Команда",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Админ",
    "sidebarInvitations": "Приглашения",
    "sidebarRoles": "Роли",
-    "sidebarShareableLinks": "Ссылки",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API ключи",
    "sidebarProvisioning": "Подготовка",
    "sidebarSettings": "Настройки",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Ресурс {id}",
    "blueprints": "Чертежи",
    "blueprintsLog": "Журнал чертежей",
-    "blueprintsDescription": "Просмотр прошлых применений чертежа и их результатов",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Добавить чертёж",
    "blueprintGoBack": "Посмотреть все чертежи",
    "blueprintCreate": "Создать чертёж",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Включить чертёж Docker",
    "enableDockerSocketDescription": "Включить сбор меток Docker Socket для чертежей. Путь сокета должен быть предоставлен подключателю сайта. Прочтите о том, как это работает, в <docsLink>документации</docsLink>.",
    "newtAutoUpdate": "Включить автообновление сайта",
-    "newtAutoUpdateDescription": "При включении, коннекторы сайта будут автоматически обновляться до последней версии, когда доступен новый выпуск.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Автообновление сайта",
    "siteAutoUpdateLabel": "Включить автообновление",
-    "siteAutoUpdateDescription": "Контролировать, будет ли коннектор этого сайта автоматически загружать последнюю версию.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Значение по умолчанию для организации: {state}",
    "siteAutoUpdateOverriding": "Переопределение настройки организации",
    "siteAutoUpdateResetToOrg": "Сброс до значения по умолчанию для организации",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Настройка аккаунта завершена! Добро пожаловать в Pangolin!",
    "documentation": "Документация",
    "saveAllSettings": "Сохранить все настройки",
-    "saveResourceTargets": "Сохранить цели",
-    "saveResourceHttp": "Сохранить настройки прокси",
-    "saveProxyProtocol": "Сохранить настройки прокси-протокола",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Настройки обновлены",
    "settingsUpdatedDescription": "Настройки успешно обновлены",
    "settingsErrorUpdate": "Не удалось обновить настройки",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Неизвестно",
    "healthCheck": "Проверка здоровья",
    "configureHealthCheck": "Настроить проверку здоровья",
-    "configureHealthCheckDescription": "Настройте мониторинг состояния для {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Включить проверки здоровья",
    "healthCheckDisabledStateDescription": "Когда отключен, сайт не будет выполнять проверки состояния и состояние будет считаться неизвестным.",
    "enableHealthChecksDescription": "Мониторинг здоровья этой цели. При необходимости можно контролировать другую конечную точку.",
    "healthScheme": "Метод",
    "healthSelectScheme": "Выберите метод",
-    "healthCheckPortInvalid": "Порт проверки здоровья должен быть от 1 до 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Путь",
    "healthHostname": "IP / хост",
    "healthPort": "Порт",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Требовать подтверждения устройства",
    "requireDeviceApprovalDescription": "Пользователям с этой ролью нужны новые устройства, одобренные администратором, прежде чем они смогут подключаться и получать доступ к ресурсам.",
    "sshSettings": "Настройки SSH",
+    "sshAccess": "SSH Access",
    "rdpSettings": "Настройки RDP",
    "vncSettings": "Настройки VNC",
    "sshServer": "SSH сервер",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Убедитесь, что целевой хост правильно настроен для запуска демона аутентификации перед завершением этой настройки, иначе предоставление не удастся.",
    "sshDaemonPort": "Порт демона",
    "sshServerDestination": "Пункт назначения сервера",
-    "sshServerDestinationDescription": "Настройте пункт назначения и порт SSH-сервера",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Пункт назначения",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Выбор нескольких сайтов включает в себя устойчивую маршрутизацию и автоматический отказ для обеспечения высокой доступности.",
    "roleAllowSsh": "Разрешить SSH",
    "roleAllowSshAllow": "Разрешить",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Пользователь может запускать только указанные команды с помощью sudo.",
    "sshSudo": "Разрешить sudo",
    "sshSudoCommands": "Sudo Команды",
-    "sshSudoCommandsDescription": "Список команд, которые пользователь может выполнять с sudo, через запятую. Должны использоваться абсолютные пути.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Создать домашний каталог",
    "sshUnixGroups": "Unix группы",
-    "sshUnixGroupsDescription": "Группы Unix через запятую, чтобы добавить пользователя на целевой хост.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Количество попыток повторного запроса",
    "expectedResponseCodes": "Ожидаемые коды ответов",
    "expectedResponseCodesDescription": "HTTP-код состояния, указывающий на здоровое состояние. Если оставить пустым, 200-300 считается здоровым.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Включить Прокси Протокол",
    "proxyProtocolInfo": "Сохранять IP-адреса клиента для backend'ов TCP",
    "proxyProtocolVersion": "Версия протокола прокси",
-    "version1": " Версия 1 (рекомендуется)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Версия 2",
-    "versionDescription": "Версия 1 основана на тексте и широко поддерживается. Версия 2 является бинарной и более эффективной, но менее совместимой.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Предупреждение",
    "proxyProtocolWarning": "Бэкэнд приложение должно быть настроено на принятие соединений прокси-протокола. Если ваш бэкэнд не поддерживает Прокси-протокол, то включение этой опции прервет все подключения, поэтому включите это только если вы знаете, что вы делаете. Обязательно настройте вашего бэкэнда на доверие заголовкам Proxy Protocol от Traefik.",
    "restarting": "Перезапуск...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Введите подтверждение",
    "blueprintViewDetails": "Подробности",
    "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
-    "defaultIdentityProviderDescription": "Когда выбран поставщик идентификации по умолчанию, пользователь будет автоматически перенаправлен на провайдер для аутентификации.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Настройки сети",
    "editInternalResourceDialogAccessPolicy": "Политика доступа",
    "editInternalResourceDialogAddRoles": "Добавить роли",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Тип режима обслуживания",
    "showMaintenancePage": "Показать страницу обслуживания посетителям",
    "enableMaintenanceMode": "Включить режим обслуживания",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Автоматический",
    "automaticModeDescription": "Показывать страницу обслуживания только когда все цели бэкэнда недоступны или неисправны. Ваш ресурс продолжит работать нормально, пока хотя бы одна цель здорова.",
    "forced": "Принудительно",
@@ -3082,6 +3182,8 @@
    "warning:": "Предупреждение:",
    "forcedeModeWarning": "Весь трафик будет направлен на страницу обслуживания. Ваши бекэнд ресурсы не будут получать никакие запросы.",
    "pageTitle": "Заголовок страницы",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Основной заголовок, отображаемый на странице обслуживания",
    "maintenancePageMessage": "Сообщение об обслуживании",
    "maintenancePageMessagePlaceholder": "Мы скоро вернемся! Наш сайт в настоящее время проходит плановое техническое обслуживание.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Вы уверены, что хотите рассоединить этого поставщика удостоверений с этой организацией?",
    "idpUnassociateDescription": "Все пользователи, связанные с этим поставщиком удостоверений, будут удалены из этой организации, но поставщик удостоверений будет продолжать существовать для других связанных организаций.",
    "idpUnassociateConfirm": "Подтвердите рассоединение поставщика удостоверений",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Это не может быть отменено для этой организации.",
    "idpUnassociatedDescription": "Поставщик удостоверений успешно рассоединен с этой организацией",
    "idpUnassociateMenu": "Рассоединить",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Подключение…",
    "sshInitializing": "Инициализация…",
    "sshSignInTitle": "Вход в SSH",
-    "sshSignInDescription": "Введите свои учетные данные SSH",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Пароль",
    "sshPrivateKeyTab": "Закрытый ключ",
    "sshPrivateKeyField": "Закрытый ключ",
    "sshPrivateKeyDisclaimer": "Ваш закрытый ключ не хранится и не виден для Pangolin. Вместо этого вы можете использовать краткосрочные сертификаты для бесшовной аутентификации с использованием вашей текущей идентификации Pangolin.",
    "sshLearnMore": "Узнать больше",
    "sshPrivateKeyFile": "Файл закрытого ключа",
-    "sshAuthenticate": "Аутентификация",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Завершить",
    "sshPoweredBy": "Разработано",
    "sshErrorNoTarget": "Цель не указана",
    "sshErrorWebSocket": "Подключение WebSocket не удалось",
    "sshErrorAuthFailed": "Ошибка аутентификации",
-    "sshErrorConnectionClosed": "Подключение закрыто до завершения аутентификации"
+    "sshErrorConnectionClosed": "Подключение закрыто до завершения аутентификации",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "Özel Kaynakları Görüntüle",
    "siteInstallNewt": "Newt Yükle",
    "siteInstallNewtDescription": "Newt'i sisteminizde çalıştırma",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Yapılandırması",
    "WgConfigurationDescription": "Ağınıza bağlanmak için aşağıdaki yapılandırmayı kullanın",
    "operatingSystem": "İşletim Sistemi",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "Yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyaladığınızdan emin olun.",
    "siteInfo": "Site Bilgilendirmesi",
    "status": "Durum",
-    "shareTitle": "Paylaşım Bağlantılarını Yönet",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Kaynaklarınıza geçici veya kalıcı erişim sağlamak için paylaşılabilir bağlantılar oluşturun",
-    "shareSearch": "Paylaşım bağlantılarını ara...",
-    "shareCreate": "Paylaşım Bağlantısı Oluştur",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Bağlantı silinirken hata oluştu",
    "shareErrorDeleteMessage": "Bağlantı silinirken bir hata oluştu",
    "shareDeleted": "Bağlantı silindi",
    "shareDeletedDescription": "Bağlantı silindi",
-    "shareDelete": "Paylaşım Bağlantısını Sil",
-    "shareDeleteConfirm": "Paylaşım Bağlantısının Silinmesini Onayla",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Bu paylaşım bağlantısını silmek istediğinizden emin misiniz?",
    "shareMessageRemove": "Silindikten sonra, bağlantı artık çalışmayacak ve kullanan herkes kaynağa erişimini kaybedecek.",
    "shareTokenDescription": "Erişim jetonunuz iki şekilde iletilebilir: sorgu parametresi olarak veya istek başlıklarında. Kimlik doğrulanmış erişim için her istekten müşteri tarafından iletilmelidir.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Bu bağlantıya sahip olan herkes kaynağa erişebilir",
    "shareTitleOptional": "Başlık (isteğe bağlı)",
    "sharePathOptional": "Yol (isteğe bağlı)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Süresi Dolacak",
    "neverExpire": "Hiçbir Zaman Sona Ermez",
    "shareExpireDescription": "Son kullanma süresi, bağlantının kullanılabilir ve kaynağa erişim sağlayacak süresidir. Bu süreden sonra bağlantı çalışmayı durduracak ve bu bağlantıyı kullanan kullanıcılar kaynağa erişimini kaybedecektir.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Lütfen bir kaynak seçin",
    "proxyResourceTitle": "Herkese Açık Kaynakları Yönet",
    "proxyResourceDescription": "Bir web tarayıcısı aracılığıyla kamuya açık kaynaklar oluşturun ve yönetin",
-    "publicResourcesBannerTitle": "Web Tabanlı Genel Erişim",
-    "publicResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla herkesin internette erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine, istemci tarafı yazılıma ihtiyaç duymazlar ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Özel Kaynakları Yönet",
    "clientResourceDescription": "Sadece bağlı bir istemci aracılığıyla erişilebilen kaynakları oluşturun ve yönetin",
    "privateResourcesBannerTitle": "Sıfır Güven Özel Erişim",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Kaynakları ara...",
    "resourceAdd": "Kaynak Ekle",
    "resourceErrorDelte": "Kaynak silinirken hata",
-    "resourcePoliciesTitle": "Kaynak Politikalarını Yönet",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Ekteki kaynaklar",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} kaynak",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "hiçbir kaynak",
-    "resourcePoliciesDescription": "Kaynaklarınıza erişimi kontrol etmek için kimlik doğrulama politikaları oluşturun ve yönetin",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Politikaları ara...",
    "resourcePoliciesAdd": "Politika Ekle",
    "resourcePoliciesDefaultBadgeText": "Varsayılan politika",
-    "resourcePoliciesCreate": "Kaynak Politikası Oluştur",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Yeni bir politika oluşturmak için aşağıdaki adımları izleyin",
    "resourcePolicyName": "Politika Adı",
    "resourcePolicyNameDescription": "Bu politikaya kaynaklarınız arasında kolayca tanımlayabilmek için bir ad verin",
@@ -274,7 +281,7 @@
    "back": "Geri",
    "cancel": "İptal",
    "resourceConfig": "Yapılandırma Parçaları",
-    "resourceConfigDescription": "TCP/UDP kaynağınızı kurmak için bu yapılandırma parçalarını kopyalayıp yapıştırın",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Başlangıç Noktaları Ekleyin",
    "resourceExposePorts": "Gerbil: Docker Compose'da Portları Açın",
    "resourceLearnRaw": "TCP/UDP kaynaklarını nasıl yapılandıracağınızı öğrenin",
@@ -287,6 +294,8 @@
    "labelDelete": "Etiketi Sil",
    "labelAdd": "Etiket Ekle",
    "labelCreateSuccessMessage": "Etiket Başarıyla Oluşturuldu",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Etiket Başarıyla Değiştirildi",
    "labelNameField": "Etiket Adı",
    "labelColorField": "Etiket Rengi",
@@ -311,7 +320,7 @@
    "rules": "Kurallar",
    "resourceSettingDescription": "Kaynağınızdaki ayarları yapılandırın",
    "resourceSetting": "{resourceName} Ayarları",
-    "resourcePolicySettingDescription": "Kaynak politikası üzerindeki ayarları yapılandır",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "{policyName} Ayarları",
    "alwaysAllow": "Kimlik Doğrulamayı Atla",
    "alwaysDeny": "Erişimi Engelle",
@@ -719,7 +728,7 @@
    "targetSubmit": "Hedef Ekle",
    "targetNoOne": "Bu kaynağın hedefleri yok. Arka uca gönderilecek istekleri yapılandırmak için bir hedef ekleyin.",
    "targetNoOneDescription": "Yukarıdaki birden fazla hedef ekleyerek yük dengeleme etkinleştirilecektir.",
-    "targetsSubmit": "Hedefleri Kaydet",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Hedef Ekle",
    "proxyMultiSiteRoundRobinNodeHelp": "Round robin yönlendirme, aynı düğüme bağlı olmayan siteler arasında çalışmayacaktır, ancak failover çalışacaktır.",
    "targetErrorInvalidIp": "Geçersiz IP adresi",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Yinelenen kural",
    "rulesErrorDuplicateDescription": "Bu ayarlara sahip bir kural zaten mevcut",
    "rulesErrorInvalidIpAddressRange": "Geçersiz CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Lütfen geçerli bir CIDR değeri girin",
-    "rulesErrorInvalidUrl": "Geçersiz URL yolu",
-    "rulesErrorInvalidUrlDescription": "Lütfen geçerli bir URL yolu değeri girin",
-    "rulesErrorInvalidIpAddress": "Geçersiz IP",
-    "rulesErrorInvalidIpAddressDescription": "Lütfen geçerli bir IP adresi girin",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Kurallar güncellenemedi",
    "rulesErrorUpdateDescription": "Kurallar güncellenirken bir hata oluştu",
    "rulesUpdated": "Kuralları Etkinleştir",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "CIDR formatında bir adres girin (örneğin, 103.21.244.0/22)",
    "rulesMatchIpAddress": "Bir IP adresi girin (örneğin, 103.21.244.12)",
    "rulesMatchUrl": "Bir URL yolu veya deseni girin (örneğin, /api/v1/todos veya /api/v1/*)",
-    "rulesErrorInvalidPriority": "Geçersiz Öncelik",
-    "rulesErrorInvalidPriorityDescription": "Lütfen geçerli bir öncelik girin",
-    "rulesErrorDuplicatePriority": "Yinelenen Öncelikler",
-    "rulesErrorDuplicatePriorityDescription": "Lütfen benzersiz öncelikler girin",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Kurallar güncellendi",
    "ruleUpdatedDescription": "Kurallar başarıyla güncellendi",
    "ruleErrorUpdate": "Operasyon başarısız oldu",
    "ruleErrorUpdateDescription": "Kaydetme operasyonu sırasında bir hata oluştu",
    "rulesPriority": "Öncelik",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Aksiyon",
    "rulesMatchType": "Eşleşme Türü",
    "value": "Değer",
@@ -792,7 +810,7 @@
    "rulesResource": "Kaynak Kuralları Yapılandırması",
    "rulesResourceDescription": "Kaynağa erişimi kontrol etmek için kuralları yapılandırın",
    "ruleSubmit": "Kural Ekle",
-    "rulesNoOne": "Kural yok. Formu kullanarak bir kural ekleyin.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Kurallar, artan öncelik sırasına göre değerlendirilir.",
    "rulesSubmit": "Kuralları Kaydet",
    "policyErrorCreate": "Politika oluşturulurken hata oluştu",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "Beklenmeyen bir hata oluştu",
    "policyCreatedSuccess": "Kaynak politikası başarıyla oluşturuldu",
    "policyUpdatedSuccess": "Kaynak politikası başarıyla güncellendi",
-    "authMethodsSave": "Kimlik doğrulama yöntemlerini kaydet",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Kuralları Kaydet",
    "resourceErrorCreate": "Kaynak oluşturma hatası",
    "resourceErrorCreateDescription": "Kaynak oluşturulurken bir hata oluştu",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "Kaynak güncellenirken bir hata oluştu",
    "access": "Erişim",
    "accessControl": "Erişim Kontrolü",
-    "shareLink": "{resource} Paylaşım Bağlantısı",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Kaynak seçin",
-    "shareLinks": "Paylaşım Bağlantıları",
+    "shareLinks": "Shareable Links",
    "share": "Paylaşılabilir Bağlantılar",
    "shareDescription2": "Kaynaklarınıza geçici veya sınırsız erişim sağlamak için paylaşılabilir bağlantılar oluşturun. Bağlantı oluştururken sona erme süresini yapılandırabilirsiniz.",
    "shareEasyCreate": "Kolayca oluştur ve paylaş",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Yöneticiler her zaman bu kaynağa erişebilir.",
    "resourcePolicySelectTitle": "Kaynak Erişim Politikası",
    "resourcePolicySelectDescription": "Kimlik doğrulama için kaynak politika türünü seçin",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Satır İçi Kaynak Politikası",
    "resourcePolicyInlineDescription": "Erişim Politikası sadece bu kaynağa yönelik",
    "resourcePolicyShared": "Paylaşılan Kaynak Politikası",
-    "resourcePolicySharedDescription": "Bu kaynak paylaşılan bir politika kullanır. Politika düzeyindeki ayarlar (kimlik doğrulama yöntemleri, e-posta beyaz listesi) kilitlidir. Aşağıda, kaynakla ilgili özel kurallar, roller ve kullanıcılar ekleyebilirsiniz.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Erişim Kontrolleri",
    "resourceUsersRolesDescription": "Bu kaynağı kimlerin ziyaret edebileceği kullanıcıları ve rolleri yapılandırın",
    "resourceUsersRolesSubmit": "Erişim Kontrollerini Kaydet",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Görünürlük",
    "resourceVisibilityTitleDescription": "Kaynak görünürlüğünü tamamen etkinleştirin veya devre dışı bırakın",
    "resourceGeneral": "Genel Ayarlar",
-    "resourceGeneralDescription": "Bu kaynak için genel ayarları yapılandırın",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Kaynağı Etkinleştir",
    "resourceTransfer": "Kaynağı Aktar",
    "resourceTransferDescription": "Bu kaynağı farklı bir siteye aktarın",
@@ -1220,11 +1294,14 @@
    "addLabels": "Etiketler ekle",
    "siteLabelsTab": "Etiketler",
    "siteLabelsDescription": "Bu siteyle ilişkili etiketleri yönetin.",
-    "labelsNotFound": "Etiketler bulunamadı",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Etiket ara",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# etiket} other {# etiketler}}",
    "labelOverflowCount": "+{count, plural, one {# etiket} other {# etiketler}}",
    "accessLabelFilterClear": "Etiket filtrelerini temizle",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Renk seç",
    "createNewLabel": "Yeni kuruluş etiketi \"{label}\" oluştur",
    "inviteInvalidDescription": "Davet bağlantısı geçersiz.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Kaynaklar",
    "sidebarProxyResources": "Herkese Açık",
    "sidebarClientResources": "Özel",
-    "sidebarPolicies": "Politikalar",
-    "sidebarResourcePolicies": "Kaynaklar",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Erişim Kontrolü",
    "sidebarLogsAndAnalytics": "Kayıtlar & Analitik",
    "sidebarTeam": "Ekip",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Yönetici",
    "sidebarInvitations": "Davetiye",
    "sidebarRoles": "Roller",
-    "sidebarShareableLinks": "Bağlantılar",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API Anahtarları",
    "sidebarProvisioning": "Tedarik",
    "sidebarSettings": "Ayarlar",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Kaynak {id}",
    "blueprints": "Planlar",
    "blueprintsLog": "Şablonlar Günlüğü",
-    "blueprintsDescription": "Geçmiş şablon uygulamalarını ve sonuçlarını görüntüleyin",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Plan Ekle",
    "blueprintGoBack": "Tüm Planları Gör",
    "blueprintCreate": "Plan Oluştur",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Docker Soketini Etkinleştir",
    "enableDockerSocketDescription": "Plan etiketleri için Docker Socket etiket toplamasını etkinleştirin. Site bağlantısına soket yolu sağlanmalıdır. Bunun nasıl çalıştığını <docsLink>belgelemede</docsLink> okuyun.",
    "newtAutoUpdate": "Site Otomatik-Güncellemesini Etkinleştir",
-    "newtAutoUpdateDescription": "Etkinleştirildiğinde, site bağdaştırıcıları yeni sürüm mevcut olduğunda otomatik olarak en son sürüme güncellenecek.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Site Otomatik-Güncellemesi",
    "siteAutoUpdateLabel": "Otomatik Güncellemeyi Etkinleştir",
-    "siteAutoUpdateDescription": "Bu sitenin bağdaştırıcısının en son sürümü otomatik olarak indirip indirmeyeceğini kontrol edin.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Kuruluş varsayılanı: {state}",
    "siteAutoUpdateOverriding": "Kuruluş ayarını geçersiz kılıyor",
    "siteAutoUpdateResetToOrg": "Kuruluş Varsayılanına Sıfırla",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Hesap kurulumu tamamlandı! Pangolin'e hoş geldiniz!",
    "documentation": "Dokümantasyon",
    "saveAllSettings": "Tüm Ayarları Kaydet",
-    "saveResourceTargets": "Hedefleri Kaydet",
-    "saveResourceHttp": "Proxy Ayarlarını Kaydet",
-    "saveProxyProtocol": "Proxy protokol ayarlarını kaydet",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Ayarlar güncellendi",
    "settingsUpdatedDescription": "Ayarlar başarıyla güncellendi",
    "settingsErrorUpdate": "Ayarlar güncellenemedi",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Bilinmiyor",
    "healthCheck": "Sağlık Kontrolü",
    "configureHealthCheck": "Sağlık Kontrolünü Yapılandır",
-    "configureHealthCheckDescription": "{hedef} için sağlık izleme kurun",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Sağlık Kontrollerini Etkinleştir",
    "healthCheckDisabledStateDescription": "Devre dışı bırakıldığında, site sağlık kontrolleri yapmaz ve durum bilinmeyen olarak kabul edilecektir.",
    "enableHealthChecksDescription": "Bu hedefin sağlığını izleyin. Gerekirse hedef dışındaki bir son noktayı izleyebilirsiniz.",
    "healthScheme": "Yöntem",
    "healthSelectScheme": "Yöntem Seç",
-    "healthCheckPortInvalid": "Sağlık Kontrolü portu 1 ile 65535 arasında olmalıdır",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Yol",
    "healthHostname": "IP / Hostname",
    "healthPort": "Bağlantı Noktası",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Cihaz Onaylarını Gerektir",
    "requireDeviceApprovalDescription": "Bu role sahip kullanıcıların yeni cihazlarının bağlanabilmesi ve kaynaklara erişebilmesi için bir yönetici tarafından onaylanması gerekiyor.",
    "sshSettings": "SSH Ayarları",
+    "sshAccess": "SSH Access",
    "rdpSettings": "RDP Ayarları",
    "vncSettings": "VNC Ayarları",
    "sshServer": "SSH Sunucusu",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Bu kurulumu tamamlamadan önce hedef ana bilgisayarınızın kimlik doğrulama daemonunu çalıştıracak şekilde düzgün yapılandırıldığından emin olun, aksi takdirde sağlama başarısız olur.",
    "sshDaemonPort": "Daemon Bağlantı Noktası",
    "sshServerDestination": "Sunucu Hedefi",
-    "sshServerDestinationDescription": "SSH sunucusunun hedefini ve bağlantı noktasını yapılandırın",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Hedef",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Birden fazla site seçmek, yüksek erişilebilirlik için dayanıklı yönlendirme ve failover sağlar.",
    "roleAllowSsh": "SSH'a İzin Ver",
    "roleAllowSshAllow": "İzin Ver",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "Kullanıcı sadece belirtilen komutları sudo ile çalıştırabilir.",
    "sshSudo": "Sudo'ya izin ver",
    "sshSudoCommands": "Sudo Komutları",
-    "sshSudoCommandsDescription": "Kullanıcının sudo ile çalıştırmasına izin verilen komutların virgülle ayrılmış listesi. Mutlak yollar kullanılmalıdır.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Ev Dizini Oluştur",
    "sshUnixGroups": "Unix Grupları",
-    "sshUnixGroupsDescription": "Hedef konakta kullanıcıya eklenecek Unix gruplarının virgülle ayrılmış listesi.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Tekrar Deneme Girişimleri",
    "expectedResponseCodes": "Beklenen Yanıt Kodları",
    "expectedResponseCodesDescription": "Sağlıklı durumu gösteren HTTP durum kodu. Boş bırakılırsa, 200-300 arası sağlıklı kabul edilir.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Proxy Protokolünü Etkinleştir",
    "proxyProtocolInfo": "TCP ara yüzlerini koruyarak istemci IP adreslerini saklayın",
    "proxyProtocolVersion": "Proxy Protokol Versiyonu",
-    "version1": " Versiyon 1 (Önerilen)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Versiyon 2",
-    "versionDescription": "Versiyon 1 metin tabanlı ve yaygın olarak desteklenir. Versiyon 2 ise ikili ve daha verimlidir ama daha az uyumludur.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Uyarı",
    "proxyProtocolWarning": "Arka uç uygulamanız, Proxy Protokol bağlantılarını kabul etmek üzere yapılandırılmalıdır. Arka ucunuz Proxy Protokolünü desteklemiyorsa, bunu etkinleştirmek tüm bağlantıları koparır. Traefik'ten gelen Proxy Protokol başlıklarına güvenecek şekilde arka ucunuzu yapılandırdığınızdan emin olun.",
    "restarting": "Yeniden Başlatılıyor...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Onayı girin",
    "blueprintViewDetails": "Detaylar",
    "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
-    "defaultIdentityProviderDescription": "Varsayılan bir kimlik sağlayıcı seçildiğinde, kullanıcı kimlik doğrulaması için otomatik olarak sağlayıcıya yönlendirilecektir.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
    "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
    "editInternalResourceDialogAddRoles": "Roller Ekle",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Bakım Modu Türü",
    "showMaintenancePage": "Ziyaretçilere bir bakım sayfası gösterin",
    "enableMaintenanceMode": "Bakım Modunu Etkinleştir",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Otomatik",
    "automaticModeDescription": "Tüm arka uç hedefleri kapalı veya sağlıksız olduğunda yalnızca bakım sayfasını gösterin. Sağlıklı en az bir hedef olduğu sürece kaynağınız normal şekilde çalışmaya devam eder.",
    "forced": "Zorunlu",
@@ -3082,6 +3182,8 @@
    "warning:": "Uyarı:",
    "forcedeModeWarning": "Tüm trafik bakım sayfasına yönlendirilecek. Arka plan kaynaklarınız herhangi bir isteği almayacaktır.",
    "pageTitle": "Sayfa Başlığı",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "Bakım sayfasında gösterilen ana başlık",
    "maintenancePageMessage": "Bakım Mesajı",
    "maintenancePageMessagePlaceholder": "Yakında geri döneceğiz! Sitemiz şu anda planlı bakım altındadır.",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "Bu kimlik sağlayıcının bu kuruluştan ilişiğini kesmek istediğinizden emin misiniz?",
    "idpUnassociateDescription": "Bu kimlik sağlayıcı ile ilişkilendirilen tüm kullanıcılar bu kuruluştan kaldırılacaktır, ancak kimlik sağlayıcı diğer ilişkilendirilen kuruluşlar için var olmaya devam edecektir.",
    "idpUnassociateConfirm": "Kimlik Sağlayıcının İlişkisinin Kesilmesini Onayla",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "Bu işlem bu kuruluş için geri alınamaz.",
    "idpUnassociatedDescription": "Kimlik sağlayıcı bu kuruluştan başarıyla ayrıldı",
    "idpUnassociateMenu": "İlişkiyi Kes",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "Bağlanılıyor…",
    "sshInitializing": "Başlatılıyor…",
    "sshSignInTitle": "SSH'a Giriş Yap",
-    "sshSignInDescription": "SSH kimlik bilgilerinizi girin",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Şifre",
    "sshPrivateKeyTab": "Özel Anahtar",
    "sshPrivateKeyField": "Özel Anahtar",
    "sshPrivateKeyDisclaimer": "Özel anahtarınız Pangolin'de saklanmaz veya görünmez. Alternatif olarak, mevcut Pangolin kimliğinizle sorunsuz kimlik doğrulama için kısa ömürlü sertifikalar kullanabilirsiniz.",
    "sshLearnMore": "Daha fazla bilgi",
    "sshPrivateKeyFile": "Özel Anahtar Dosyası",
-    "sshAuthenticate": "Kimlik Doğrulama",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Sonlandır",
    "sshPoweredBy": "Tarafından sağlanmaktadır",
    "sshErrorNoTarget": "Belirtilen hedef yok",
    "sshErrorWebSocket": "WebSocket bağlantısı başarısız oldu",
    "sshErrorAuthFailed": "Kimlik doğrulama başarısız",
-    "sshErrorConnectionClosed": "Kimlik doğrulama tamamlanmadan bağlantı kapandı"
+    "sshErrorConnectionClosed": "Kimlik doğrulama tamamlanmadan bağlantı kapandı",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "查看私有资源",
    "siteInstallNewt": "安装 Newt",
    "siteInstallNewtDescription": "在您的系统中运行 Newt",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard 配置",
    "WgConfigurationDescription": "使用以下配置连接到网络",
    "operatingSystem": "操作系统",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "您只能看到一次。请确保将其复制并保存到一个安全的地方。",
    "siteInfo": "站点信息",
    "status": "状态",
-    "shareTitle": "管理共享链接",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "创建可共享的链接，允许临时或永久访问代理资源",
-    "shareSearch": "搜索共享链接...",
-    "shareCreate": "创建共享链接",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "删除链接失败",
    "shareErrorDeleteMessage": "删除链接时出错",
    "shareDeleted": "链接已删除",
    "shareDeletedDescription": "链接已删除",
-    "shareDelete": "删除共享链接",
-    "shareDeleteConfirm": "确认删除共享链接",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "您确定要删除这个共享链接吗？",
    "shareMessageRemove": "删除后，该链接将不再可用，使用它的任何人将失去对资源的访问权限。",
    "shareTokenDescription": "访问令牌可以通过两种方式传递：作为查询参数或请求标题。 每次验证访问请求都必须从客户端传递。",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "任何具有此链接的人都可以访问资源",
    "shareTitleOptional": "标题 (可选)",
    "sharePathOptional": "路径（可选）",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "过期时间",
    "neverExpire": "永不过期",
    "shareExpireDescription": "过期时间是链接可以使用并提供对资源的访问时间。 此时间后，链接将不再工作，使用此链接的用户将失去对资源的访问。",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "请选择一个资源",
    "proxyResourceTitle": "管理公共资源",
    "proxyResourceDescription": "创建和管理可通过 Web 浏览器公开访问的资源",
-    "publicResourcesBannerTitle": "基于Web的公共访问",
-    "publicResourcesBannerDescription": "公共资源是可以通过网络浏览器在互联网上任何人访问的HTTPS或TCP/UDP代理。与私人资源不同，它们不需要客户端软件，并且可以包含身份和上下文感知访问策略。",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "管理私有资源",
    "clientResourceDescription": "创建和管理只能通过连接客户端访问的资源",
    "privateResourcesBannerTitle": "零信任的私人访问",
@@ -209,15 +212,19 @@
    "resourcesSearch": "搜索资源...",
    "resourceAdd": "添加资源",
    "resourceErrorDelte": "删除资源时出错",
-    "resourcePoliciesTitle": "管理资源策略",
-    "resourcePoliciesAttachedResourcesColumnTitle": "附加资源",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} 个资源",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "没有资源",
-    "resourcePoliciesDescription": "创建和管理身份验证策略以控制对资源的访问",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "搜索策略……",
    "resourcePoliciesAdd": "添加策略",
    "resourcePoliciesDefaultBadgeText": "默认策略",
-    "resourcePoliciesCreate": "创建资源策略",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "按照以下步骤创建新策略",
    "resourcePolicyName": "策略名称",
    "resourcePolicyNameDescription": "给此策略命名，以便在您的资源中识别它",
@@ -274,7 +281,7 @@
    "back": "后退",
    "cancel": "取消",
    "resourceConfig": "配置片段",
-    "resourceConfigDescription": "复制并粘贴这些配置片段以设置 TCP/UDP 资源",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: 添加入口点",
    "resourceExposePorts": "Gerbil：在 Docker Compose 中显示端口",
    "resourceLearnRaw": "学习如何配置 TCP/UDP 资源",
@@ -287,6 +294,8 @@
    "labelDelete": "删除标签",
    "labelAdd": "添加标签",
    "labelCreateSuccessMessage": "标签创建成功",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "标签修改成功",
    "labelNameField": "标签名称",
    "labelColorField": "标签颜色",
@@ -311,7 +320,7 @@
    "rules": "规则",
    "resourceSettingDescription": "配置资源上的设置",
    "resourceSetting": "{resourceName} 设置",
-    "resourcePolicySettingDescription": "配置资源策略上的设置",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "{policyName} 设置",
    "alwaysAllow": "旁路认证",
    "alwaysDeny": "屏蔽访问",
@@ -719,7 +728,7 @@
    "targetSubmit": "添加目标",
    "targetNoOne": "此资源没有任何目标。添加目标来配置向后端发送请求的位置。",
    "targetNoOneDescription": "在上面添加多个目标将启用负载平衡。",
-    "targetsSubmit": "保存目标",
+    "targetsSubmit": "Save Settings",
    "addTarget": "添加目标",
    "proxyMultiSiteRoundRobinNodeHelp": "轮询路由在未连接到相同节点的站点之间将不起作用，但故障转移会生效。",
    "targetErrorInvalidIp": "无效的 IP 地址",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "复制规则",
    "rulesErrorDuplicateDescription": "带有这些设置的规则已存在",
    "rulesErrorInvalidIpAddressRange": "无效的 CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "请输入一个有效的 CIDR 值",
-    "rulesErrorInvalidUrl": "无效的 URL 路径",
-    "rulesErrorInvalidUrlDescription": "请输入一个有效的 URL 路径值",
-    "rulesErrorInvalidIpAddress": "无效的 IP",
-    "rulesErrorInvalidIpAddressDescription": "请输入一个有效的IP地址",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "更新规则失败",
    "rulesErrorUpdateDescription": "更新规则时出错",
    "rulesUpdated": "启用规则",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "以 CIDR 格式输入地址(如：103.21.244.0/22)",
    "rulesMatchIpAddress": "输入IP地址(例如，103.21.244.12)",
    "rulesMatchUrl": "输入一个 URL 路径或模式(例如/api/v1/todos 或 /api/v1/*)",
-    "rulesErrorInvalidPriority": "无效的优先级",
-    "rulesErrorInvalidPriorityDescription": "请输入一个有效的优先级",
-    "rulesErrorDuplicatePriority": "重复的优先级",
-    "rulesErrorDuplicatePriorityDescription": "请输入唯一的优先级",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "规则已更新",
    "ruleUpdatedDescription": "规则更新成功",
    "ruleErrorUpdate": "操作失败",
    "ruleErrorUpdateDescription": "保存过程中发生错误",
    "rulesPriority": "优先权",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "行为",
    "rulesMatchType": "匹配类型",
    "value": "值",
@@ -792,7 +810,7 @@
    "rulesResource": "资源规则配置",
    "rulesResourceDescription": "配置规则来控制对资源的访问",
    "ruleSubmit": "添加规则",
-    "rulesNoOne": "没有规则。使用表单添加规则。",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "规则按优先顺序评定。",
    "rulesSubmit": "保存规则",
    "policyErrorCreate": "创建策略时出错",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "发生意外错误",
    "policyCreatedSuccess": "资源策略创建成功",
    "policyUpdatedSuccess": "资源策略更新成功",
-    "authMethodsSave": "保存身份验证方法",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "保存规则",
    "resourceErrorCreate": "创建资源时出错",
    "resourceErrorCreateDescription": "创建资源时出错",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "更新资源时出错",
    "access": "访问权限",
    "accessControl": "访问控制",
-    "shareLink": "{resource} 的分享链接",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "选择资源",
-    "shareLinks": "分享链接",
+    "shareLinks": "Shareable Links",
    "share": "分享链接",
    "shareDescription2": "创建资源的可共享链接。链接提供了对您资源的临时或无限制访问。 当您创建链接时，您可以配置链接的到期时间。",
    "shareEasyCreate": "轻松创建和分享",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "管理员总是可以访问此资源。",
    "resourcePolicySelectTitle": "资源访问策略",
    "resourcePolicySelectDescription": "选择用于认证的资源策略类型",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "内联资源策略",
    "resourcePolicyInlineDescription": "仅限于此资源的访问策略",
    "resourcePolicyShared": "共享资源策略",
-    "resourcePolicySharedDescription": "此资源使用共享策略。策略级设置（身份验证方法、电子邮件白名单）被锁定。您可以在下方添加特定资源的规则、角色和用户。",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "访问控制",
    "resourceUsersRolesDescription": "配置用户和角色可以访问此资源",
    "resourceUsersRolesSubmit": "保存访问控制",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "可见性",
    "resourceVisibilityTitleDescription": "完全启用或禁用资源可见性",
    "resourceGeneral": "常规设置",
-    "resourceGeneralDescription": "配置此资源的常规设置",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "启用资源",
    "resourceTransfer": "转移资源",
    "resourceTransferDescription": "将此资源转移到另一个站点",
@@ -1220,11 +1294,14 @@
    "addLabels": "添加标签",
    "siteLabelsTab": "标签",
    "siteLabelsDescription": "管理与此网站相关的标签。",
-    "labelsNotFound": "找不到标签",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "搜索标签",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, other {# 标签}}",
    "labelOverflowCount": "+{count, plural, other {# 标签}}",
    "accessLabelFilterClear": "清除标签过滤器",
+    "accessFilterClear": "Clear filters",
    "selectColor": "选择颜色",
    "createNewLabel": "创建新的组织标签 \"{label}\"",
    "inviteInvalidDescription": "邀请链接无效。",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "资源",
    "sidebarProxyResources": "公开的",
    "sidebarClientResources": "非公开的",
-    "sidebarPolicies": "策略",
-    "sidebarResourcePolicies": "资源",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "访问控制",
    "sidebarLogsAndAnalytics": "日志与分析",
    "sidebarTeam": "团队",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "管理员",
    "sidebarInvitations": "邀请",
    "sidebarRoles": "角色",
-    "sidebarShareableLinks": "链接",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API密钥",
    "sidebarProvisioning": "置备中",
    "sidebarSettings": "设置",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "资源 {id}",
    "blueprints": "蓝图",
    "blueprintsLog": "蓝图日志",
-    "blueprintsDescription": "查看过去的蓝图应用及其结果",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "添加蓝图",
    "blueprintGoBack": "查看所有蓝图",
    "blueprintCreate": "创建蓝图",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "启用 Docker 蓝图",
    "enableDockerSocketDescription": "启用用于蓝图标签的 Docker 套接字标签擦除。必须为站点连接器提供套接字路径。阅读<docsLink>文档</docsLink>以了解相关工作原理。",
    "newtAutoUpdate": "启用站点自动更新",
-    "newtAutoUpdateDescription": "启用时，站点连接器将在有新版本发布时自动更新到最新版本。",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "站点自动更新",
    "siteAutoUpdateLabel": "启用自动更新",
-    "siteAutoUpdateDescription": "控制此站点连接器是否自动下载最新版本。",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "组织默认设置：{state}",
    "siteAutoUpdateOverriding": "覆盖组织设置",
    "siteAutoUpdateResetToOrg": "重置为组织默认设置",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "账号设置完成！欢迎来到 Pangolin！",
    "documentation": "文档",
    "saveAllSettings": "保存所有设置",
-    "saveResourceTargets": "保存目标",
-    "saveResourceHttp": "保存代理设置",
-    "saveProxyProtocol": "保存代理协议设置",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "设置已更新",
    "settingsUpdatedDescription": "设置更新成功",
    "settingsErrorUpdate": "设置更新失败",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "未知",
    "healthCheck": "健康检查",
    "configureHealthCheck": "配置健康检查",
-    "configureHealthCheckDescription": "为 {target} 设置健康监控",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "启用健康检查",
    "healthCheckDisabledStateDescription": "禁用后，站点不会进行健康检查，状态将被视为未知。",
    "enableHealthChecksDescription": "监视此目标的健康状况。如果需要，您可以监视一个不同的终点。",
    "healthScheme": "方法",
    "healthSelectScheme": "选择方法",
-    "healthCheckPortInvalid": "健康检查端口必须介于 1 到 65535 之间",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "路径",
    "healthHostname": "IP / 主机",
    "healthPort": "端口",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "需要设备批准",
    "requireDeviceApprovalDescription": "具有此角色的用户需要管理员批准的新设备才能连接和访问资源。",
    "sshSettings": "SSH 设置",
+    "sshAccess": "SSH Access",
    "rdpSettings": "RDP 设置",
    "vncSettings": "VNC 设置",
    "sshServer": "SSH 服务器",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "在完成本设置之前，请确保您的目标主机已经正确配置以运行身份验证守护程序，否则配置将失败。",
    "sshDaemonPort": "守护程序端口",
    "sshServerDestination": "服务器目标",
-    "sshServerDestinationDescription": "配置 SSH 服务器的目标和端口",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "目标",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "选择多个站点可实现高可用性的弹性路由和故障转移。",
    "roleAllowSsh": "允许 SSH",
    "roleAllowSshAllow": "允许",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "用户只能用 sudo 运行指定的命令。",
    "sshSudo": "允许Sudo",
    "sshSudoCommands": "Sudo 命令",
-    "sshSudoCommandsDescription": "逗号分隔的命令列表，用户可以通过sudo运行。必须使用绝对路径。",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "创建主目录",
    "sshUnixGroups": "Unix 组",
-    "sshUnixGroupsDescription": "用逗号分隔了Unix组，将用户添加到目标主机上。",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "重试次数",
    "expectedResponseCodes": "期望响应代码",
    "expectedResponseCodesDescription": "HTTP 状态码表示健康状态。如留空，200-300 被视为健康。",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "启用代理协议",
    "proxyProtocolInfo": "为TCP后端保留客户端IP地址",
    "proxyProtocolVersion": "代理协议版本",
-    "version1": " 版本 1 (推荐)",
+    "version1": "Version 1 (Recommended)",
    "version2": "版本 2",
-    "versionDescription": "版本 1 是基于文本和广泛支持的版本。版本 2 是二进制和更有效率但不那么兼容。",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "警告",
    "proxyProtocolWarning": "后端应用程序必须配置为接受代理协议连接。 如果您的后端不支持代理协议，启用此功能将会中断所有连接，只有当您知道自己在做什么时才能启用此功能。 请务必从Traefik配置您的后端到信任代理协议标题。",
    "restarting": "正在重启...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "输入确认",
    "blueprintViewDetails": "详细信息",
    "defaultIdentityProvider": "默认身份提供商",
-    "defaultIdentityProviderDescription": "当选择默认身份提供商时，用户将自动重定向到提供商进行身份验证。",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "网络设置",
    "editInternalResourceDialogAccessPolicy": "访问策略",
    "editInternalResourceDialogAddRoles": "添加角色",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "维护模式类型",
    "showMaintenancePage": "只在所有后端目标都故障或不健康时显示维护页面。只要至少一个目标健康，您的资源将正常工作。",
    "enableMaintenanceMode": "启用维护模式",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "自动",
    "automaticModeDescription": "如果所有后端目标都故障或不健康，则仅显示维护页面。只要至少一个目标健康，您的资源将正常工作。",
    "forced": "强制",
@@ -3082,6 +3182,8 @@
    "warning:": "警告：",
    "forcedeModeWarning": "所有流量将被引导到维护页面。您的后端资源不会收到任何请求。",
    "pageTitle": "页面标题",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "维护页面显示的主标题",
    "maintenancePageMessage": "维护信息",
    "maintenancePageMessagePlaceholder": "我们很快回来！ 我们的网站目前正在进行计划中的维护。",
@@ -3346,6 +3448,8 @@
    "idpUnassociateQuestion": "您确定要将此身份提供者从此组织中取消关联吗？",
    "idpUnassociateDescription": "与此身份提供者关联的所有用户将从该组织中移除，但身份提供者仍会继续存在于关联的其他组织中。",
    "idpUnassociateConfirm": "确认取消关联身份提供者",
+    "idpConfirmDeleteAndRemoveMeFromOrg": "DELETE AND REMOVE ME FROM ORG",
+    "idpUnassociateAndRemoveMeFromOrg": "UNASSOCIATE AND REMOVE ME FROM ORG",
    "idpUnassociateWarning": "此操作无法对该组织撤销。",
    "idpUnassociatedDescription": "身份提供者已成功从该组织中取消关联",
    "idpUnassociateMenu": "取消关联",
@@ -3439,18 +3543,58 @@
    "sshConnecting": "正在连接…",
    "sshInitializing": "初始化中…",
    "sshSignInTitle": "登录 SSH",
-    "sshSignInDescription": "输入您的 SSH 凭据",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "密码",
    "sshPrivateKeyTab": "私钥",
    "sshPrivateKeyField": "私钥",
    "sshPrivateKeyDisclaimer": "您的私钥不会被 Pangolin 存储或显示。或者，您可以使用短期证书，使用您现有的 Pangolin 身份无缝认证。",
    "sshLearnMore": "了解更多",
    "sshPrivateKeyFile": "私钥文件",
-    "sshAuthenticate": "验证",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "终止",
    "sshPoweredBy": "支持者",
    "sshErrorNoTarget": "未指定目标",
    "sshErrorWebSocket": "WebSocket 连接失败",
    "sshErrorAuthFailed": "身份验证失败",
-    "sshErrorConnectionClosed": "认证完成前连接已关闭"
+    "sshErrorConnectionClosed": "认证完成前连接已关闭",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -152,8 +152,8 @@
    "shareErrorSelectResource": "請選擇一個資源",
    "proxyResourceTitle": "管理公開資源",
    "proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
-    "publicResourcesBannerTitle": "基於網頁的公開存取",
-    "publicResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同，它們不需要客戶端軟體，並且可以包含基於身份和情境感知的存取策略。",
+    "proxyResourcesBannerTitle": "基於網頁的公開存取",
+    "proxyResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同，它們不需要客戶端軟體，並且可以包含基於身份和情境感知的存取策略。",
    "clientResourceTitle": "管理私有資源",
    "clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
    "privateResourcesBannerTitle": "零信任私有存取",
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -87,7 +87,7 @@ function createDb() {

 export const db = createDb();
 export default db;
-export const primaryDb = db.$primary as typeof db; // is this typeof a problem - technically they are different types
+export const primaryDb = db.$primary as typeof db; // is this typeof a problem - techincally they are different types
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -2,7 +2,7 @@ import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
-import { db as mainDb } from "./driver";
+import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
 import { createPool } from "./poolConfig";

 function createLogsDb() {
@@ -63,7 +63,8 @@ function createLogsDb() {
            })
        );
    } else {
-        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
            const replicaPool = createPool(
                conn.connection_string,
@@ -90,4 +91,4 @@ function createLogsDb() {

 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
--- a/server/db/pg/poolConfig.ts
+++ b/server/db/pg/poolConfig.ts
@@ -1,4 +1,5 @@
 import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";

 export function createPoolConfig(
    connectionString: string,
@@ -26,7 +27,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
    pool.on("error", (err) => {
        // This catches errors on idle clients in the pool. Without this
        // handler an unexpected disconnect would crash the process.
-        console.error(
+        logger.error(
            `Unexpected error on idle ${label} database client: ${err.message}`
        );
    });
@@ -35,7 +36,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
        // Set a statement timeout on every new connection so a single slow
        // query can't block the pool forever
        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
-            console.warn(
+            logger.warn(
                `Failed to set statement_timeout on ${label} client: ${err.message}`
            );
        });
@@ -59,4 +60,4 @@ export function createPool(
    );
    attachPoolErrorHandlers(pool, label);
    return pool;
-}
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -580,6 +580,24 @@ export const trialNotifications = pgTable("trialNotifications", {
    sentAt: bigint("sentAt", { mode: "number" }).notNull()
 });

+export const browserGatewayTarget = pgTable("browserGatewayTarget", {
+    browserGatewayTargetId: serial("browserGatewayTargetId").primaryKey(),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: varchar("authToken").notNull(),
+    type: varchar("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: varchar("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +645,6 @@ export type AlertEmailRecipients = InferSelectModel<
 >;
 export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -147,10 +147,12 @@ export const resources = pgTable("resources", {
    }),
    ssl: boolean("ssl").notNull().default(false),
    blockAccess: boolean("blockAccess").notNull().default(false),
+    sso: boolean("sso").notNull().default(true),
    proxyPort: integer("proxyPort"),
-    sso: boolean("sso"),
-    emailWhitelistEnabled: boolean("emailWhitelistEnabled"),
-    applyRules: boolean("applyRules"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
+        .notNull()
+        .default(false),
+    applyRules: boolean("applyRules").notNull().default(false),
    enabled: boolean("enabled").notNull().default(true),
    stickySession: boolean("stickySession").notNull().default(false),
    tlsServerName: varchar("tlsServerName"),
@@ -288,12 +290,7 @@ export const targets = pgTable("targets", {
    pathMatchType: text("pathMatchType"), // exact, prefix, regex
    rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
    rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
-    priority: integer("priority").notNull().default(100),
-    mode: varchar("mode")
-        .$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
-        .notNull()
-        .default("http"),
-    authToken: varchar("authToken")
+    priority: integer("priority").notNull().default(100)
 });

 export const targetHealthCheck = pgTable("targetHealthCheck", {
@@ -889,9 +886,7 @@ export const resourcePolicyRules = pgTable("resourcePolicyRules", {
    enabled: boolean("enabled").notNull().default(true),
    priority: integer("priority").notNull(),
    action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
-    match: varchar("match")
-        .$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
-        .notNull(),
+    match: varchar("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
    value: varchar("value").notNull()
 });

--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -45,9 +45,9 @@ export type ResourceWithAuth = {
    password: ResourcePassword | ResourcePolicyPassword | null;
    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
-    applyRules: boolean | null;
-    sso: boolean | null;
-    emailWhitelistEnabled: boolean | null;
+    applyRules: boolean;
+    sso: boolean;
+    emailWhitelistEnabled: boolean;
    org: Org;
 };

--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -588,6 +588,26 @@ export const trialNotifications = sqliteTable("trialNotifications", {
    sentAt: integer("sentAt").notNull()
 });

+export const browserGatewayTarget = sqliteTable("browserGatewayTarget", {
+    browserGatewayTargetId: integer("browserGatewayTargetId").primaryKey({
+        autoIncrement: true
+    }),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: text("authToken").notNull(),
+    type: text("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: text("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +647,6 @@ export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
 export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -165,12 +165,14 @@ export const resources = sqliteTable("resources", {
    blockAccess: integer("blockAccess", { mode: "boolean" })
        .notNull()
        .default(false),
+    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
    proxyPort: integer("proxyPort"),
-    sso: integer("sso", { mode: "boolean" }),
-    emailWhitelistEnabled: integer("emailWhitelistEnabled", {
-        mode: "boolean"
-    }),
-    applyRules: integer("applyRules", { mode: "boolean" }),
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    applyRules: integer("applyRules", { mode: "boolean" })
+        .notNull()
+        .default(false),
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    stickySession: integer("stickySession", { mode: "boolean" })
        .notNull()
@@ -320,12 +322,7 @@ export const targets = sqliteTable("targets", {
    pathMatchType: text("pathMatchType"), // exact, prefix, regex
    rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
    rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
-    priority: integer("priority").notNull().default(100),
-    mode: text("mode")
-        .$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
-        .notNull()
-        .default("http"),
-    authToken: text("authToken")
+    priority: integer("priority").notNull().default(100)
 });

 export const targetHealthCheck = sqliteTable("targetHealthCheck", {
@@ -1251,9 +1248,7 @@ export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    priority: integer("priority").notNull(),
    action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
-    match: text("match")
-        .$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
-        .notNull(),
+    match: text("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
    value: text("value").notNull()
 });

--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -157,9 +157,7 @@ function getOpenApiDocumentation() {
                        content: {
                            "application/json": {
                                schema: z.object({
-                                    data: z
-                                        .record(z.string(), z.any())
-                                        .nullable(),
+                                    data: z.unknown().nullable(),
                                    success: z.boolean(),
                                    error: z.boolean(),
                                    message: z.string(),
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -31,7 +31,7 @@ export enum TierFeature {
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
-    [TierFeature.Labels]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.Labels]: ["tier2", "tier3", "enterprise"],
    [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
@@ -71,6 +71,16 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
-    [TierFeature.AdvancedPublicResources]: ["tier3", "enterprise"],
-    [TierFeature.AdvancedPrivateResources]: ["tier3", "enterprise"]
+    [TierFeature.AdvancedPublicResources]: [
+        "tier1",
+        "tier2",
+        "tier3",
+        "enterprise"
+    ],
+    [TierFeature.AdvancedPrivateResources]: [
+        "tier1",
+        "tier2",
+        "tier3",
+        "enterprise"
+    ]
 };
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -10,23 +10,16 @@ import {
    clientSiteResources
 } from "@server/db";
 import { Config, ConfigSchema } from "./types";
-import {
-    PublicResourcesResults,
-    updatePublicResources
-} from "./publicResources";
+import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { sites } from "@server/db";
 import { eq, and, isNotNull } from "drizzle-orm";
-import {
-    addTargets as addProxyTargets,
-    sendBrowserGatewayTargets
-} from "@server/routers/newt/targets";
+import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
 import {
    ClientResourcesResults,
-    updatePrivateResources
-} from "./privateResources";
-import { updateResourcePolicies } from "./resourcePolicies";
+    updateClientResources
+} from "./clientResources";
 import { BlueprintSource } from "@server/routers/blueprints/types";
 import { stringify as stringifyYaml } from "yaml";
 import { generateName } from "@server/db/names";
@@ -60,18 +53,16 @@ export async function applyBlueprint({
    let error: any | null = null;

    try {
-        let proxyResourcesResults: PublicResourcesResults = [];
+        let proxyResourcesResults: ProxyResourcesResults = [];
        let clientResourcesResults: ClientResourcesResults = [];
        await db.transaction(async (trx) => {
-            await updateResourcePolicies(orgId, config, trx);
-
-            proxyResourcesResults = await updatePublicResources(
+            proxyResourcesResults = await updateProxyResources(
                orgId,
                config,
                trx,
                siteId
            );
-            clientResourcesResults = await updatePrivateResources(
+            clientResourcesResults = await updateClientResources(
                orgId,
                config,
                trx,
@@ -110,27 +101,13 @@ export async function applyBlueprint({
                                (hc) => hc.targetId === target.targetId
                            );

-                        if (["http", "tcp", "udp"].includes(target.mode)) {
-                            await addProxyTargets(
-                                site.newt.newtId,
-                                [target],
-                                matchingHealthcheck
-                                    ? [matchingHealthcheck]
-                                    : [],
-                                result.proxyResource.mode === "udp"
-                                    ? "udp"
-                                    : "tcp",
-                                site.newt.version
-                            );
-                        } else if (
-                            ["ssh", "rdp", "vnc"].includes(target.mode)
-                        ) {
-                            await sendBrowserGatewayTargets(
-                                site.newt.newtId,
-                                [target],
-                                site.newt.version
-                            );
-                        }
+                        await addProxyTargets(
+                            site.newt.newtId,
+                            [target],
+                            matchingHealthcheck ? [matchingHealthcheck] : [],
+                            result.proxyResource.mode === "udp" ? "udp" : "tcp",
+                            site.newt.version
+                        );
                    }
                }
            }
--- a/server/lib/blueprints/privateResources.ts
+++ b/server/lib/blueprints/privateResources.ts
@@ -23,8 +23,6 @@ import logger from "@server/logger";
 import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 import { getNextAvailableAliasAddress } from "../ip";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
-import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { tierMatrix } from "../billing/tierMatrix";

 async function getDomainForSiteResource(
    siteResourceId: number | undefined,
@@ -105,7 +103,7 @@ export type ClientResourcesResults = {
    oldSites: { siteId: number }[];
 }[];

-export async function updatePrivateResources(
+export async function updateClientResources(
    orgId: string,
    config: Config,
    trx: Transaction,
@@ -116,30 +114,6 @@ export async function updatePrivateResources(
    for (const [resourceNiceId, resourceData] of Object.entries(
        config["client-resources"]
    )) {
-        if (resourceData.mode === "http") {
-            const hasHttpFeature = await isLicensedOrSubscribed(
-                orgId,
-                tierMatrix.advancedPrivateResources
-            );
-            if (!hasHttpFeature) {
-                throw new Error(
-                    "HTTP private resources are not included in your current plan. Please upgrade."
-                );
-            }
-        }
-
-        if (resourceData.mode === "ssh") {
-            const hasSshFeature = await isLicensedOrSubscribed(
-                orgId,
-                tierMatrix.advancedPrivateResources
-            );
-            if (!hasSshFeature) {
-                throw new Error(
-                    "SSH private resources are not included in your current plan. Please upgrade."
-                );
-            }
-        }
-
        const [existingResource] = await trx
            .select()
            .from(siteResources)
@@ -392,9 +366,7 @@ export async function updatePrivateResources(
                        }))
                    );
                    existingRoles.push(created);
-                    logger.info(
-                        `Auto-created role "${name}" in org ${orgId} from blueprint`
-                    );
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
                }

                const roleIds = existingRoles.map((role) => role.roleId);
@@ -415,11 +387,7 @@ export async function updatePrivateResources(
        } else {
            let aliasAddress: string | null = null;
            let releaseAliasLock: (() => Promise<void>) | null = null;
-            if (
-                resourceData.mode === "host" ||
-                resourceData.mode === "http" ||
-                resourceData.mode === "ssh"
-            ) {
+            if (resourceData.mode === "host" || resourceData.mode === "http") {
                const { value, release } = await getNextAvailableAliasAddress(
                    orgId,
                    trx
@@ -542,9 +510,7 @@ export async function updatePrivateResources(
                        }))
                    );
                    existingRoles.push(created);
-                    logger.info(
-                        `Auto-created role "${name}" in org ${orgId} from blueprint`
-                    );
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
                }

                const roleIds = existingRoles.map((role) => role.roleId);
--- a/server/lib/blueprints/publicResources.ts
+++ b/server/lib/blueprints/publicResources.ts
@@ -47,24 +47,20 @@ import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
 import { tierMatrix } from "../billing/tierMatrix";
 import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
-import { build } from "@server/build";
-import { encrypt } from "@server/lib/crypto";
-import { generateId } from "@server/auth/sessions/app";
-import serverConfig from "@server/lib/config";

-export type PublicResourcesResults = {
+export type ProxyResourcesResults = {
    proxyResource: Resource;
    targetsToUpdate: Target[];
    healthchecksToUpdate: TargetHealthCheck[];
 }[];

-export async function updatePublicResources(
+export async function updateProxyResources(
    orgId: string,
    config: Config,
    trx: Transaction,
    siteId?: number
-): Promise<PublicResourcesResults> {
-    const results: PublicResourcesResults = [];
+): Promise<ProxyResourcesResults> {
+    const results: ProxyResourcesResults = [];

    for (const [resourceNiceId, resourceData] of Object.entries(
        config["proxy-resources"]
@@ -83,7 +79,7 @@ export async function updatePublicResources(
            if (targetSiteId) {
                // Look up site by niceId
                [site] = await trx
-                    .select({ siteId: sites.siteId, type: sites.type })
+                    .select({ siteId: sites.siteId })
                    .from(sites)
                    .where(
                        and(
@@ -95,7 +91,7 @@ export async function updatePublicResources(
            } else if (siteId) {
                // Use the provided siteId directly, but verify it belongs to the org
                [site] = await trx
-                    .select({ siteId: sites.siteId, type: sites.type })
+                    .select({ siteId: sites.siteId })
                    .from(sites)
                    .where(
                        and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
@@ -122,15 +118,6 @@ export async function updatePublicResources(
                internalPortToCreate = targetData["internal-port"];
            }

-            let authToken: string | undefined;
-            if (site.type !== "local") {
-                const plainToken = generateId(48);
-                authToken = encrypt(
-                    plainToken,
-                    serverConfig.getRawConfig().server.secret!
-                );
-            }
-
            // Create target
            const [newTarget] = await trx
                .insert(targets)
@@ -138,12 +125,10 @@ export async function updatePublicResources(
                    resourceId: resourceId,
                    siteId: site.siteId,
                    ip: targetData.hostname,
-                    mode: resourceData.mode as Target["mode"],
                    method: targetData.method,
                    port: targetData.port,
                    enabled: targetData.enabled,
                    internalPort: internalPortToCreate,
-                    authToken: authToken,
                    path: targetData.path,
                    pathMatchType: targetData["path-match"],
                    rewritePath:
@@ -237,59 +222,17 @@ export async function updatePublicResources(
            headers = JSON.stringify(resourceData.headers);
        }

-        if (["ssh", "rdp", "vnc"].includes(resourceData.mode || "")) {
-            const isLicensed = await isLicensedOrSubscribed(
-                orgId,
-                tierMatrix.advancedPublicResources
-            );
-            if (!isLicensed) {
-                throw new Error(
-                    "Your current subscription does not support browser gateway resources. Please upgrade to access this feature."
-                );
-            }
-        }
-
-        if (resourceData.policy) {
-            const isLicensed = await isLicensedOrSubscribed(
-                orgId,
-                tierMatrix.resourcePolicies
-            );
-            if (!isLicensed) {
-                throw new Error(
-                    "Your current subscription does not support shared resource policies. Please upgrade to access this feature."
-                );
-            }
-        }
-
        if (existingResource) {
            let domain;
            if (
                ["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
            ) {
-                if (resourceData["full-domain"]?.startsWith("*.")) {
-                    const isLicensed = await isLicensedOrSubscribed(
-                        orgId,
-                        tierMatrix.wildcardSubdomain
-                    );
-                    if (!isLicensed) {
-                        throw new Error(
-                            "Wildcard subdomains are not supported on your current plan. Please upgrade to access this feature."
-                        );
-                    }
-                }
-
                domain = await getDomain(
                    existingResource.resourceId,
                    resourceData["full-domain"]!,
                    orgId,
                    trx
                );
-
-                await enforceDomainNamespacePaywall(
-                    orgId,
-                    domain.domainId,
-                    trx
-                );
            }

            // check if the only key in the resource is targets, if so, skip the update
@@ -579,13 +522,6 @@ export async function updatePublicResources(
                                    ? (resourceData["proxy-protocol-version"] ??
                                      1)
                                    : 1,
-                            pamMode:
-                                resourceData["auth-daemon"]?.pam ||
-                                "passthrough",
-                            authDaemonMode:
-                                resourceData["auth-daemon"]?.mode || "native",
-                            authDaemonPort:
-                                resourceData["auth-daemon"]?.port || 22123,
                            resourcePolicyId: null,
                            defaultResourcePolicyId: inlinePolicyId
                        })
@@ -728,8 +664,7 @@ export async function updatePublicResources(
                                    ? "/"
                                    : undefined),
                            rewritePathType: targetData["rewrite-match"],
-                            priority: targetData.priority,
-                            mode: resourceData.mode
+                            priority: targetData.priority
                        })
                        .where(eq(targets.targetId, existingTarget.targetId))
                        .returning();
@@ -971,30 +906,12 @@ export async function updatePublicResources(
            if (
                ["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
            ) {
-                if (resourceData["full-domain"]?.startsWith("*.")) {
-                    const isLicensed = await isLicensedOrSubscribed(
-                        orgId,
-                        tierMatrix.wildcardSubdomain
-                    );
-                    if (!isLicensed) {
-                        throw new Error(
-                            "Wildcard subdomains are not supported on your current plan. Please upgrade to access this feature."
-                        );
-                    }
-                }
-
                domain = await getDomain(
                    undefined,
                    resourceData["full-domain"]!,
                    orgId,
                    trx
                );
-
-                await enforceDomainNamespacePaywall(
-                    orgId,
-                    domain.domainId,
-                    trx
-                );
            }

            const isLicensed = await isLicensedOrSubscribed(
@@ -1467,6 +1384,17 @@ async function syncWhitelistUsers(
        .where(eq(resourceWhitelist.resourceId, resourceId));

    for (const email of whitelistUsers) {
+        const [user] = await trx
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+            .where(and(eq(users.email, email), eq(userOrgs.orgId, orgId)))
+            .limit(1);
+
+        if (!user) {
+            throw new Error(`User not found: ${email} in org ${orgId}`);
+        }
+
        const existingWhitelistEntry = existingWhitelist.find(
            (w) => w.email === email
        );
@@ -1938,37 +1866,6 @@ function checkIfTargetChanged(
    return false;
 }

-async function enforceDomainNamespacePaywall(
-    orgId: string,
-    domainId: string,
-    trx: Transaction
-) {
-    if (build !== "saas") {
-        return;
-    }
-
-    const hasDomainNamespaceAccess = await isLicensedOrSubscribed(
-        orgId,
-        tierMatrix.domainNamespaces
-    );
-
-    if (hasDomainNamespaceAccess) {
-        return;
-    }
-
-    const [namespaceDomain] = await trx
-        .select()
-        .from(domainNamespaces)
-        .where(eq(domainNamespaces.domainId, domainId))
-        .limit(1);
-
-    if (namespaceDomain) {
-        throw new Error(
-            "Your current subscription does not support custom domain namespaces. Please upgrade to access this feature."
-        );
-    }
-}
-
 export async function getDomain(
    resourceId: number | undefined,
    fullDomain: string,
--- a/server/lib/blueprints/resourcePolicies.ts
+++ b/server/lib/blueprints/resourcePolicies.ts
@@ -1,653 +0,0 @@
-import {
-    db,
-    idp,
-    idpOrg,
-    resourcePolicies,
-    resourcePolicyHeaderAuth,
-    resourcePolicyPassword,
-    resourcePolicyPincode,
-    resourcePolicyRules,
-    resourcePolicyWhiteList,
-    rolePolicies,
-    roles,
-    Transaction,
-    userOrgs,
-    userPolicies,
-    users
-} from "@server/db";
-import { eq, and, or } from "drizzle-orm";
-import { Config, ResourcePolicyData } from "./types";
-import logger from "@server/logger";
-import { getUniqueResourcePolicyName } from "@server/db/names";
-import { hashPassword } from "@server/auth/password";
-import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
-import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { tierMatrix } from "../billing/tierMatrix";
-
-export type ResourcePoliciesResults = {
-    resourcePolicyId: number;
-    niceId: string;
-}[];
-
-export async function updateResourcePolicies(
-    orgId: string,
-    config: Config,
-    trx: Transaction
-): Promise<ResourcePoliciesResults> {
-    const results: ResourcePoliciesResults = [];
-
-    for (const [policyNiceId, policyData] of Object.entries(
-        config["public-policies"]
-    )) {
-        const isLicensed = await isLicensedOrSubscribed(
-            orgId,
-            tierMatrix.resourcePolicies
-        );
-        if (!isLicensed) {
-            throw new Error(
-                "Your current subscription does not support shared resource policies. Please upgrade to access this feature."
-            );
-        }
-
-        // Validate rules
-        for (const rule of policyData.rules) {
-            if (rule.match === "cidr" && !isValidCIDR(rule.value)) {
-                throw new Error(
-                    `Invalid CIDR provided in resource policy '${policyNiceId}': ${rule.value}`
-                );
-            } else if (rule.match === "ip" && !isValidIP(rule.value)) {
-                throw new Error(
-                    `Invalid IP provided in resource policy '${policyNiceId}': ${rule.value}`
-                );
-            } else if (
-                rule.match === "path" &&
-                !isValidUrlGlobPattern(rule.value)
-            ) {
-                throw new Error(
-                    `Invalid URL glob pattern provided in resource policy '${policyNiceId}': ${rule.value}`
-                );
-            }
-        }
-
-        // Validate auto-login-idp if provided
-        if (policyData["auto-login-idp"]) {
-            const [provider] = await trx
-                .select()
-                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(
-                    and(
-                        eq(idp.idpId, policyData["auto-login-idp"]),
-                        eq(idpOrg.orgId, orgId)
-                    )
-                )
-                .limit(1);
-
-            if (!provider) {
-                throw new Error(
-                    `Identity provider not found for policy '${policyNiceId}' in this organization`
-                );
-            }
-        }
-
-        // Look up the admin role
-        const [adminRole] = await trx
-            .select()
-            .from(roles)
-            .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
-            .limit(1);
-
-        if (!adminRole) {
-            throw new Error("Admin role not found");
-        }
-
-        // Find existing policy by niceId and orgId
-        const [existingPolicy] = await trx
-            .select()
-            .from(resourcePolicies)
-            .where(
-                and(
-                    eq(resourcePolicies.niceId, policyNiceId),
-                    eq(resourcePolicies.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        let resourcePolicyId: number;
-
-        if (existingPolicy) {
-            // Update the existing policy
-            await trx
-                .update(resourcePolicies)
-                .set({
-                    name: policyData.name,
-                    sso: policyData.sso ?? true,
-                    idpId: policyData["auto-login-idp"] ?? null,
-                    emailWhitelistEnabled:
-                        policyData["email-whitelist-enabled"] ??
-                        policyData["whitelist-users"].length > 0,
-                    applyRules:
-                        policyData["apply-rules"] || policyData.rules.length > 0
-                })
-                .where(
-                    eq(
-                        resourcePolicies.resourcePolicyId,
-                        existingPolicy.resourcePolicyId
-                    )
-                );
-
-            resourcePolicyId = existingPolicy.resourcePolicyId;
-
-            // Sync password
-            await trx
-                .delete(resourcePolicyPassword)
-                .where(
-                    eq(
-                        resourcePolicyPassword.resourcePolicyId,
-                        resourcePolicyId
-                    )
-                );
-            if (policyData.password) {
-                const passwordHash = await hashPassword(policyData.password);
-                await trx.insert(resourcePolicyPassword).values({
-                    resourcePolicyId,
-                    passwordHash
-                });
-            }
-
-            // Sync pincode
-            await trx
-                .delete(resourcePolicyPincode)
-                .where(
-                    eq(resourcePolicyPincode.resourcePolicyId, resourcePolicyId)
-                );
-            if (policyData.pincode) {
-                const pincodeHash = await hashPassword(policyData.pincode);
-                await trx.insert(resourcePolicyPincode).values({
-                    resourcePolicyId,
-                    pincodeHash,
-                    digitLength: 6
-                });
-            }
-
-            // Sync header auth
-            await trx
-                .delete(resourcePolicyHeaderAuth)
-                .where(
-                    eq(
-                        resourcePolicyHeaderAuth.resourcePolicyId,
-                        resourcePolicyId
-                    )
-                );
-            if (policyData["basic-auth"]) {
-                const basicAuth = policyData["basic-auth"];
-                const headerAuthHash = await hashPassword(
-                    Buffer.from(
-                        `${basicAuth.user}:${basicAuth.password}`
-                    ).toString("base64")
-                );
-                await trx.insert(resourcePolicyHeaderAuth).values({
-                    resourcePolicyId,
-                    headerAuthHash,
-                    extendedCompatibility:
-                        basicAuth["extended-compatibility"] ?? true
-                });
-            }
-
-            // Sync SSO roles
-            await syncRolePolicies(
-                resourcePolicyId,
-                policyData["sso-roles"],
-                orgId,
-                adminRole.roleId,
-                trx
-            );
-
-            // Sync SSO users
-            await syncUserPolicies(
-                resourcePolicyId,
-                policyData["sso-users"],
-                orgId,
-                trx
-            );
-
-            // Sync whitelist users
-            await syncWhitelistPolicyUsers(
-                resourcePolicyId,
-                policyData["whitelist-users"],
-                trx
-            );
-
-            // Sync rules
-            await syncPolicyRules(resourcePolicyId, policyData.rules, trx);
-
-            logger.debug(
-                `Updated resource policy ${resourcePolicyId} (${policyNiceId})`
-            );
-        } else {
-            // Create a new policy
-            const [newPolicy] = await trx
-                .insert(resourcePolicies)
-                .values({
-                    niceId: policyNiceId,
-                    orgId,
-                    name: policyData.name,
-                    sso: policyData.sso ?? true,
-                    idpId: policyData["auto-login-idp"] ?? null,
-                    emailWhitelistEnabled:
-                        policyData["email-whitelist-enabled"] ??
-                        policyData["whitelist-users"].length > 0,
-                    applyRules:
-                        policyData["apply-rules"] ||
-                        policyData.rules.length > 0,
-                    scope: "global"
-                })
-                .returning();
-
-            resourcePolicyId = newPolicy.resourcePolicyId;
-
-            // Always add admin role
-            await trx.insert(rolePolicies).values({
-                roleId: adminRole.roleId,
-                resourcePolicyId
-            });
-
-            // Add SSO roles
-            await addRolePolicies(
-                resourcePolicyId,
-                policyData["sso-roles"],
-                orgId,
-                adminRole.roleId,
-                trx
-            );
-
-            // Add SSO users
-            await addUserPolicies(
-                resourcePolicyId,
-                policyData["sso-users"],
-                orgId,
-                trx
-            );
-
-            // Add password
-            if (policyData.password) {
-                const passwordHash = await hashPassword(policyData.password);
-                await trx.insert(resourcePolicyPassword).values({
-                    resourcePolicyId,
-                    passwordHash
-                });
-            }
-
-            // Add pincode
-            if (policyData.pincode) {
-                const pincodeHash = await hashPassword(policyData.pincode);
-                await trx.insert(resourcePolicyPincode).values({
-                    resourcePolicyId,
-                    pincodeHash,
-                    digitLength: 6
-                });
-            }
-
-            // Add header auth
-            if (policyData["basic-auth"]) {
-                const basicAuth = policyData["basic-auth"];
-                const headerAuthHash = await hashPassword(
-                    Buffer.from(
-                        `${basicAuth.user}:${basicAuth.password}`
-                    ).toString("base64")
-                );
-                await trx.insert(resourcePolicyHeaderAuth).values({
-                    resourcePolicyId,
-                    headerAuthHash,
-                    extendedCompatibility:
-                        basicAuth["extended-compatibility"] ?? true
-                });
-            }
-
-            // Add whitelist users
-            if (policyData["whitelist-users"].length > 0) {
-                await trx.insert(resourcePolicyWhiteList).values(
-                    policyData["whitelist-users"].map((email) => ({
-                        email,
-                        resourcePolicyId
-                    }))
-                );
-            }
-
-            // Add rules
-            if (policyData.rules.length > 0) {
-                await trx.insert(resourcePolicyRules).values(
-                    policyData.rules.map((rule, index) => ({
-                        resourcePolicyId,
-                        action: getRuleAction(rule.action),
-                        match: getRuleMatch(rule.match),
-                        value: rule.value,
-                        priority: rule.priority ?? index + 1,
-                        enabled: rule.enabled ?? true
-                    }))
-                );
-            }
-
-            logger.debug(
-                `Created resource policy ${resourcePolicyId} (${policyNiceId})`
-            );
-        }
-
-        results.push({ resourcePolicyId, niceId: policyNiceId });
-    }
-
-    return results;
-}
-
-function getRuleAction(input: string): "ACCEPT" | "DROP" | "PASS" {
-    if (input === "allow") return "ACCEPT";
-    if (input === "deny") return "DROP";
-    return "PASS";
-}
-
-function getRuleMatch(
-    input: string
-): "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION" {
-    return input.toUpperCase() as
-        | "CIDR"
-        | "IP"
-        | "PATH"
-        | "COUNTRY"
-        | "ASN"
-        | "REGION";
-}
-
-async function syncRolePolicies(
-    policyId: number,
-    ssoRoles: string[],
-    orgId: string,
-    adminRoleId: number,
-    trx: Transaction
-) {
-    const existingRolePolicies = await trx
-        .select()
-        .from(rolePolicies)
-        .where(eq(rolePolicies.resourcePolicyId, policyId));
-
-    for (const roleName of ssoRoles) {
-        const [role] = await trx
-            .select()
-            .from(roles)
-            .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
-            .limit(1);
-
-        if (!role) {
-            logger.warn(
-                `Role '${roleName}' not found in org '${orgId}', skipping`
-            );
-            continue;
-        }
-
-        if (role.isAdmin) {
-            continue; // admin role is always included, skip
-        }
-
-        const alreadyExists = existingRolePolicies.some(
-            (rp) => rp.roleId === role.roleId
-        );
-
-        if (!alreadyExists) {
-            await trx.insert(rolePolicies).values({
-                roleId: role.roleId,
-                resourcePolicyId: policyId
-            });
-        }
-    }
-
-    // Remove roles no longer in the list (except admin)
-    for (const existingRolePolicy of existingRolePolicies) {
-        if (existingRolePolicy.roleId === adminRoleId) {
-            continue;
-        }
-
-        const [role] = await trx
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, existingRolePolicy.roleId))
-            .limit(1);
-
-        if (role?.isAdmin) {
-            continue;
-        }
-
-        if (role && !ssoRoles.includes(role.name)) {
-            await trx
-                .delete(rolePolicies)
-                .where(
-                    and(
-                        eq(rolePolicies.resourcePolicyId, policyId),
-                        eq(rolePolicies.roleId, existingRolePolicy.roleId)
-                    )
-                );
-        }
-    }
-}
-
-async function addRolePolicies(
-    policyId: number,
-    ssoRoles: string[],
-    orgId: string,
-    adminRoleId: number,
-    trx: Transaction
-) {
-    for (const roleName of ssoRoles) {
-        const [role] = await trx
-            .select()
-            .from(roles)
-            .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
-            .limit(1);
-
-        if (!role) {
-            logger.warn(
-                `Role '${roleName}' not found in org '${orgId}', skipping`
-            );
-            continue;
-        }
-
-        if (role.isAdmin) {
-            continue; // admin already added
-        }
-
-        await trx.insert(rolePolicies).values({
-            roleId: role.roleId,
-            resourcePolicyId: policyId
-        });
-    }
-}
-
-async function syncUserPolicies(
-    policyId: number,
-    ssoUsers: string[],
-    orgId: string,
-    trx: Transaction
-) {
-    const existingUserPolicies = await trx
-        .select()
-        .from(userPolicies)
-        .where(eq(userPolicies.resourcePolicyId, policyId));
-
-    for (const username of ssoUsers) {
-        const [user] = await trx
-            .select()
-            .from(users)
-            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(
-                and(
-                    or(eq(users.username, username), eq(users.email, username)),
-                    eq(userOrgs.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (!user) {
-            logger.warn(
-                `User '${username}' not found in org '${orgId}', skipping`
-            );
-            continue;
-        }
-
-        const alreadyExists = existingUserPolicies.some(
-            (up) => up.userId === user.user.userId
-        );
-
-        if (!alreadyExists) {
-            await trx.insert(userPolicies).values({
-                userId: user.user.userId,
-                resourcePolicyId: policyId
-            });
-        }
-    }
-
-    // Remove users no longer in the list
-    for (const existingUserPolicy of existingUserPolicies) {
-        const [user] = await trx
-            .select()
-            .from(users)
-            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(
-                and(
-                    eq(users.userId, existingUserPolicy.userId),
-                    eq(userOrgs.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (
-            user &&
-            user.user.username &&
-            !ssoUsers.includes(user.user.username) &&
-            !ssoUsers.includes(user.user.email ?? "")
-        ) {
-            await trx
-                .delete(userPolicies)
-                .where(
-                    and(
-                        eq(userPolicies.resourcePolicyId, policyId),
-                        eq(userPolicies.userId, existingUserPolicy.userId)
-                    )
-                );
-        }
-    }
-}
-
-async function addUserPolicies(
-    policyId: number,
-    ssoUsers: string[],
-    orgId: string,
-    trx: Transaction
-) {
-    for (const username of ssoUsers) {
-        const [user] = await trx
-            .select()
-            .from(users)
-            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(
-                and(
-                    or(eq(users.username, username), eq(users.email, username)),
-                    eq(userOrgs.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (!user) {
-            logger.warn(
-                `User '${username}' not found in org '${orgId}', skipping`
-            );
-            continue;
-        }
-
-        await trx.insert(userPolicies).values({
-            userId: user.user.userId,
-            resourcePolicyId: policyId
-        });
-    }
-}
-
-async function syncWhitelistPolicyUsers(
-    policyId: number,
-    whitelistUsers: string[],
-    trx: Transaction
-) {
-    const existingWhitelist = await trx
-        .select()
-        .from(resourcePolicyWhiteList)
-        .where(eq(resourcePolicyWhiteList.resourcePolicyId, policyId));
-
-    for (const email of whitelistUsers) {
-        const alreadyExists = existingWhitelist.some((w) => w.email === email);
-
-        if (!alreadyExists) {
-            await trx.insert(resourcePolicyWhiteList).values({
-                email,
-                resourcePolicyId: policyId
-            });
-        }
-    }
-
-    for (const existingEntry of existingWhitelist) {
-        if (!whitelistUsers.includes(existingEntry.email)) {
-            await trx
-                .delete(resourcePolicyWhiteList)
-                .where(
-                    and(
-                        eq(resourcePolicyWhiteList.resourcePolicyId, policyId),
-                        eq(resourcePolicyWhiteList.email, existingEntry.email)
-                    )
-                );
-        }
-    }
-}
-
-async function syncPolicyRules(
-    policyId: number,
-    rules: ResourcePolicyData["rules"],
-    trx: Transaction
-) {
-    const existingRules = await trx
-        .select()
-        .from(resourcePolicyRules)
-        .where(eq(resourcePolicyRules.resourcePolicyId, policyId))
-        .orderBy(resourcePolicyRules.priority);
-
-    for (const [index, rule] of rules.entries()) {
-        const intendedPriority = rule.priority ?? index + 1;
-        const existingRule = existingRules[index];
-
-        if (existingRule) {
-            await trx
-                .update(resourcePolicyRules)
-                .set({
-                    action: getRuleAction(rule.action),
-                    match: getRuleMatch(rule.match),
-                    value: rule.value,
-                    priority: intendedPriority,
-                    enabled: rule.enabled ?? true
-                })
-                .where(eq(resourcePolicyRules.ruleId, existingRule.ruleId));
-        } else {
-            await trx.insert(resourcePolicyRules).values({
-                resourcePolicyId: policyId,
-                action: getRuleAction(rule.action),
-                match: getRuleMatch(rule.match),
-                value: rule.value,
-                priority: intendedPriority,
-                enabled: rule.enabled ?? true
-            });
-        }
-    }
-
-    // Remove extra rules
-    if (existingRules.length > rules.length) {
-        const rulesToDelete = existingRules.slice(rules.length);
-        for (const rule of rulesToDelete) {
-            await trx
-                .delete(resourcePolicyRules)
-                .where(eq(resourcePolicyRules.ruleId, rule.ruleId));
-        }
-    }
-}
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -1,23 +1,8 @@
 import { z } from "zod";
-import { existsSync } from "node:fs";
 import { portRangeStringSchema } from "@server/lib/ip";
 import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
 import { isValidRegionId } from "@server/db/regions";
 import { wildcardSubdomainSchema } from "@server/lib/schemas";
-import config from "@server/lib/config";
-
-const maxmindDbPath = config.getRawConfig().server.maxmind_db_path;
-const maxmindAsnPath = config.getRawConfig().server.maxmind_asn_path;
-
-const hasMaxmindCountryDb =
-    typeof maxmindDbPath === "string" &&
-    maxmindDbPath.length > 0 &&
-    existsSync(maxmindDbPath);
-
-const hasMaxmindAsnDb =
-    typeof maxmindAsnPath === "string" &&
-    maxmindAsnPath.length > 0 &&
-    existsSync(maxmindAsnPath);

 export const SiteSchema = z.object({
    name: z.string().min(1).max(100),
@@ -98,8 +83,7 @@ export const RuleSchema = z
        action: z.enum(["allow", "deny", "pass"]),
        match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
        value: z.coerce.string(),
-        priority: z.int().optional(),
-        enabled: z.boolean().optional().default(true)
+        priority: z.int().optional()
    })
    .refine(
        (rule) => {
@@ -132,9 +116,6 @@ export const RuleSchema = z
    .refine(
        (rule) => {
            if (rule.match === "country") {
-                if (!hasMaxmindCountryDb) {
-                    return false;
-                }
                // Check if it's a valid 2-letter country code or "ALL"
                return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
            }
@@ -143,15 +124,12 @@ export const RuleSchema = z
        {
            path: ["value"],
            message:
-                "Country rules require a valid existing server.maxmind_db_path and value must be a 2-letter country code or 'ALL'"
+                "Value must be a 2-letter country code or 'ALL' when match is 'country'"
        }
    )
    .refine(
        (rule) => {
            if (rule.match === "asn") {
-                if (!hasMaxmindCountryDb || !hasMaxmindAsnDb) {
-                    return false;
-                }
                // Check if it's either AS<number> format or "ALL"
                const asNumberPattern = /^AS\d+$/i;
                return asNumberPattern.test(rule.value) || rule.value === "ALL";
@@ -161,7 +139,7 @@ export const RuleSchema = z
        {
            path: ["value"],
            message:
-                "ASN rules require valid existing server.maxmind_db_path and server.maxmind_asn_path, and value must be 'AS<number>' format or 'ALL'"
+                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
        }
    )
    .refine(
@@ -289,37 +267,8 @@ export const PublicResourceSchema = z
                return true;
            }

-            const effectiveProtocol = resource.mode ?? resource.protocol;
-            if (effectiveProtocol !== "ssh") {
-                return true;
-            }
-
-            const authDaemonMode = resource["auth-daemon"]?.mode;
-            if (authDaemonMode !== "native" && authDaemonMode !== "site") {
-                return true;
-            }
-
-            return (
-                resource.targets.filter((target) => target != null).length <= 1
-            );
-        },
-        {
-            path: ["targets"],
-            error: "When protocol is 'ssh' and auth-daemon mode is 'native' or 'site', only one target/site is allowed"
-        }
-    )
-    .refine(
-        (resource) => {
-            if (isTargetsOnlyResource(resource)) {
-                return true;
-            }
-
-            // If protocol/mode is http, ssh, rdp, or vnc, it must have a full-domain
-            const effectiveProtocol = resource.mode ?? resource.protocol;
-            if (
-                effectiveProtocol !== undefined &&
-                ["http", "ssh", "rdp", "vnc"].includes(effectiveProtocol)
-            ) {
+            // If protocol/mode is http, it must have a full-domain
+            if ((resource.mode ?? resource.protocol) === "http") {
                return (
                    resource["full-domain"] !== undefined &&
                    resource["full-domain"].length > 0
@@ -329,7 +278,7 @@ export const PublicResourceSchema = z
        },
        {
            path: ["full-domain"],
-            error: "When protocol is 'http', 'ssh', 'rdp', or 'vnc', a 'full-domain' must be provided"
+            error: "When protocol is 'http', a 'full-domain' must be provided"
        }
    )
    .refine(
@@ -556,90 +505,7 @@ export const PrivateResourceSchema = z
        {
            message: "Destination must be a valid CIDR notation for cidr mode"
        }
-    )
-    .refine(
-        (data) => {
-            if (data.mode !== "ssh") {
-                return true;
-            }
-
-            const authDaemonMode = data["auth-daemon"]?.mode;
-            if (authDaemonMode !== "native" && authDaemonMode !== "site") {
-                return true;
-            }
-
-            const uniqueSites = new Set<string>();
-            if (data.site) {
-                uniqueSites.add(data.site);
-            }
-            for (const site of data.sites) {
-                uniqueSites.add(site);
-            }
-
-            return uniqueSites.size <= 1;
-        },
-        {
-            path: ["sites"],
-            message:
-                "When mode is 'ssh' and auth-daemon mode is 'native' or 'site', only one site/target is allowed"
-        }
-    )
-    .transform((data) => {
-        if (
-            data.mode === "ssh" &&
-            data.destination !== undefined &&
-            data["destination-port"] === undefined
-        ) {
-            data["destination-port"] = 22;
-        }
-        return data;
-    });
-
-export const ResourcePolicyRuleSchema = RuleSchema;
-
-export const ResourcePolicySchema = z.object({
-    name: z.string().min(1).max(255),
-    sso: z.boolean().optional().default(true),
-    "auto-login-idp": z.int().positive().optional().nullable(),
-    "sso-roles": z
-        .array(z.string())
-        .optional()
-        .default([])
-        .refine((roles) => !roles.includes("Admin"), {
-            error: "Admin role cannot be included in sso-roles"
-        }),
-    "sso-users": z.array(z.string()).optional().default([]),
-    password: z.string().min(4).max(100).optional().nullable(),
-    pincode: z
-        .string()
-        .regex(/^\d{6}$/)
-        .optional()
-        .nullable(),
-    "basic-auth": z
-        .object({
-            user: z.string().min(4).max(100),
-            password: z.string().min(4).max(100),
-            "extended-compatibility": z.boolean().default(true)
-        })
-        .optional()
-        .nullable(),
-    "email-whitelist-enabled": z.boolean().optional().default(false),
-    "whitelist-users": z
-        .array(
-            z.email().or(
-                z.string().regex(/^\*@[\w.-]+\.[a-zA-Z]{2,}$/, {
-                    error: "Invalid email address. Wildcard (*) must be the entire local part."
-                })
-            )
-        )
-        .max(50)
-        .transform((v) => v.map((e) => e.toLowerCase()))
-        .optional()
-        .default([]),
-    "apply-rules": z.boolean().optional().default(false),
-    rules: z.array(ResourcePolicyRuleSchema).optional().default([])
-});
-export type ResourcePolicyData = z.infer<typeof ResourcePolicySchema>;
+    );

 // Schema for the entire configuration object
 export const ConfigSchema = z
@@ -660,10 +526,6 @@ export const ConfigSchema = z
            .record(z.string(), PrivateResourceSchema)
            .optional()
            .prefault({}),
-        "public-policies": z
-            .record(z.string(), ResourcePolicySchema)
-            .optional()
-            .prefault({}),
        sites: z.record(z.string(), SiteSchema).optional().prefault({})
    })
    .transform((data) => {
@@ -694,10 +556,6 @@ export const ConfigSchema = z
                string,
                z.infer<typeof PrivateResourceSchema>
            >;
-            "public-policies": Record<
-                string,
-                z.infer<typeof ResourcePolicySchema>
-            >;
            sites: Record<string, z.infer<typeof SiteSchema>>;
        };
    })
@@ -837,4 +695,3 @@ export type Site = z.infer<typeof SiteSchema>;
 export type Target = z.infer<typeof TargetSchema>;
 export type Resource = z.infer<typeof PublicResourceSchema>;
 export type Config = z.infer<typeof ConfigSchema>;
-export type BlueprintResourcePolicy = z.infer<typeof ResourcePolicySchema>;
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -504,7 +504,7 @@ export function generateRemoteSubnets(
                const parseResult = cidrSchema.safeParse(sr.destination);
                return parseResult.success;
            }
-            if (sr.mode === "host" || sr.mode === "ssh") {
+            if (sr.mode === "host") {
                // check if its a valid IP using zod
                const ipSchema = z.union([z.ipv4(), z.ipv6()]);
                const parseResult = ipSchema.safeParse(sr.destination);
@@ -514,7 +514,7 @@ export function generateRemoteSubnets(
        })
        .map((sr) => {
            if (sr.mode === "cidr") return sr.destination;
-            if (sr.mode === "host" || sr.mode === "ssh") {
+            if (sr.mode === "host") {
                return `${sr.destination}/32`;
            }
            return ""; // This should never be reached due to filtering, but satisfies TypeScript
@@ -531,7 +531,7 @@ export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
        .filter(
            (sr) =>
                sr.aliasAddress &&
-                ((sr.alias && (sr.mode == "host" || sr.mode == "ssh")) ||
+                ((sr.alias && sr.mode == "host") ||
                    (sr.fullDomain && sr.mode == "http"))
        )
        .map((sr) => ({
@@ -577,10 +577,6 @@ export function generateSubnetProxyTargets(
            continue;
        }

-        if (!siteResource.destination) {
-            continue;
-        }
-
        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
        const portRange = [
            ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
@@ -588,7 +584,7 @@ export function generateSubnetProxyTargets(
        ];
        const disableIcmp = siteResource.disableIcmp ?? false;

-        if (siteResource.mode == "host" || siteResource.mode == "ssh") {
+        if (siteResource.mode == "host") {
            let destination = siteResource.destination;
            // check if this is a valid ip
            const ipSchema = z.union([z.ipv4(), z.ipv6()]);
@@ -669,12 +665,7 @@ export async function generateSubnetProxyTargetV2(
        return;
    }

-    if (!siteResource.destination) {
-        // ssh can have no destination
-        return;
-    }
-
-    const targets: SubnetProxyTargetV2[] = [];
+    let targets: SubnetProxyTargetV2[] = [];

    const portRange = [
        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
@@ -682,7 +673,7 @@ export async function generateSubnetProxyTargetV2(
    ];
    const disableIcmp = siteResource.disableIcmp ?? false;

-    if (siteResource.mode == "host" || siteResource.mode == "ssh") {
+    if (siteResource.mode == "host") {
        let destination = siteResource.destination;
        // check if this is a valid ip
        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
--- a/server/lib/telemetry.ts
+++ b/server/lib/telemetry.ts
@@ -181,7 +181,6 @@ class TelemetryClient {
            let numPrivResourceHosts = 0;
            let numPrivResourceCidr = 0;
            let numPrivResourceHttp = 0;
-            let numPrivResourceSsh = 0;
            for (const res of allPrivateResources) {
                if (res.mode === "host") {
                    numPrivResourceHosts += 1;
@@ -189,8 +188,6 @@ class TelemetryClient {
                    numPrivResourceCidr += 1;
                } else if (res.mode === "http") {
                    numPrivResourceHttp += 1;
-                } else if (res.mode === "ssh") {
-                    numPrivResourceSsh += 1;
                }

                if (res.alias) {
@@ -210,7 +207,6 @@ class TelemetryClient {
                numPrivateResourceHosts: numPrivResourceHosts,
                numPrivateResourceCidr: numPrivResourceCidr,
                numPrivateResourceHttp: numPrivResourceHttp,
-                numPrivateResourceSsh: numPrivResourceSsh,
                numAlertRules: numAlertRules.count,
                numUserDevices: userDevicesCount.count,
                numMachineClients: machineClients.count,
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -44,8 +44,7 @@ export async function getTraefikConfig(
    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
    allowRawResources = true,
-    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
-    allowBrowserGatewayResources = true
+    allowMaintenancePage = true // UNUSED BUT USED IN PRIVATE
 ): Promise<any> {
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
@@ -241,7 +240,7 @@ export async function getTraefikConfig(
            continue;
        }

-        if (resource.mode === "http") {
+        if (resource.http) {
            if (!resource.domainId || !resource.fullDomain) {
                continue;
            }
@@ -573,7 +572,7 @@ export async function getTraefikConfig(
                    serviceName
                ].loadBalancer.serversTransport = transportName;
            }
-        } else if (resource.mode === "tcp" || resource.mode === "udp") {
+        } else {
            // Non-HTTP (TCP/UDP) configuration
            if (!resource.enableProxy || !resource.proxyPort) {
                continue;
--- a/server/lib/validators.ts
+++ b/server/lib/validators.ts
@@ -1,7 +1,5 @@
 import z from "zod";
 import ipaddr from "ipaddr.js";
-import { COUNTRIES } from "@server/db/countries";
-import { isValidRegionId } from "@server/db/regions";

 export function isValidCIDR(cidr: string): boolean {
    return (
@@ -69,45 +67,6 @@ export function isValidUrlGlobPattern(pattern: string): boolean {
    return true;
 }

-export const RESOURCE_RULE_MATCH_TYPES = [
-    "CIDR",
-    "IP",
-    "PATH",
-    "COUNTRY",
-    "ASN",
-    "REGION"
-] as const;
-
-export type ResourceRuleMatchType = (typeof RESOURCE_RULE_MATCH_TYPES)[number];
-
-export function getResourceRuleValueValidationError(
-    match: ResourceRuleMatchType,
-    value: string
-): string | null {
-    switch (match) {
-        case "CIDR":
-            return isValidCIDR(value) ? null : "Invalid CIDR provided";
-        case "IP":
-            return isValidIP(value) ? null : "Invalid IP provided";
-        case "PATH":
-            return isValidUrlGlobPattern(value)
-                ? null
-                : "Invalid URL glob pattern provided";
-        case "REGION":
-            return isValidRegionId(value) ? null : "Invalid region ID provided";
-        case "COUNTRY":
-            return COUNTRIES.some((country) => country.code === value)
-                ? null
-                : "Invalid country code provided";
-        case "ASN":
-            return /^AS\d+$/i.test(value.trim())
-                ? null
-                : "Invalid ASN provided";
-        default:
-            return "Invalid rule match type provided";
-    }
-}
-
 export function isUrlValid(url: string | undefined) {
    if (!url) return true; // the link is optional in the schema so if it's empty it's valid
    var pattern = new RegExp(
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,15 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
-import { resources, userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { resources, userOrgs, userResources, roleResources } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
-import {
-    getRoleResourceAccess,
-    getUserResourceAccess
-} from "@server/db/queries/verifySessionQueries";

 export async function verifyResourceAccess(
    req: Request,
@@ -120,22 +116,37 @@ export async function verifyResourceAccess(

        const roleResourceAccess =
            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await getRoleResourceAccess(
-                      resource.resourceId,
-                      req.userOrgRoleIds!
-                  )
-                : null;
+                ? await db
+                      .select()
+                      .from(roleResources)
+                      .where(
+                          and(
+                              eq(roleResources.resourceId, resource.resourceId),
+                              inArray(
+                                  roleResources.roleId,
+                                  req.userOrgRoleIds!
+                              )
+                          )
+                      )
+                      .limit(1)
+                : [];

-        if (roleResourceAccess) {
+        if (roleResourceAccess.length > 0) {
            return next();
        }

-        const userResourceAccess = await getUserResourceAccess(
-            userId,
-            resource.resourceId
-        );
+        const userResourceAccess = await db
+            .select()
+            .from(userResources)
+            .where(
+                and(
+                    eq(userResources.userId, userId),
+                    eq(userResources.resourceId, resource.resourceId)
+                )
+            )
+            .limit(1);

-        if (userResourceAccess) {
+        if (userResourceAccess.length > 0) {
            return next();
        }

--- a/server/middlewares/verifySiteAccess.test.ts
+++ b/server/middlewares/verifySiteAccess.test.ts
@@ -1,322 +0,0 @@
-import { assertEquals } from "@test/assert";
-
-/**
- * Tests for the cross-organization site binding prevention in verifySiteAccess.
- *
- * verifySiteAccess now includes a check: if req.userOrgId is already set by a
- * previous middleware (e.g. verifyResourceAccess or verifyTargetAccess), and the
- * loaded site's orgId differs from req.userOrgId, the request is rejected with
- * 403 Forbidden.
- *
- * Route stacks after fix:
- *   PUT /resource/:resourceId/target
- *     → verifyResourceAccess → verifySiteAccess → verifyLimits → ...
- *   POST /target/:targetId
- *     → verifyTargetAccess → verifySiteAccess → verifyLimits → ...
- *
- * verifyResourceAccess sets req.userOrgId to the resource's org.
- * verifyTargetAccess sets req.userOrgId to the target's resource org.
- * verifySiteAccess then checks site.orgId against req.userOrgId before
- * overwriting it with the site's org.
- */
-
-// --- Core org-matching logic (mirrors the check in verifySiteAccess) ---
-function siteOrgMatchesExpectedOrg(
-    siteOrgId: string | null | undefined,
-    expectedOrgId: string | null | undefined
-): boolean {
-    if (!siteOrgId || !expectedOrgId) {
-        return false;
-    }
-    return siteOrgId === expectedOrgId;
-}
-
-// Simulates the condition check in verifySiteAccess:
-//   if (req.userOrgId && site.orgId !== req.userOrgId) { reject }
-function shouldRejectCrossOrgSite(
-    siteOrgId: string,
-    reqUserOrgId: string | undefined
-): boolean {
-    // The actual check in verifySiteAccess is:
-    //   if (req.userOrgId && site.orgId !== req.userOrgId) { reject }
-    return !!(reqUserOrgId && siteOrgId !== reqUserOrgId);
-}
-
-// --- Tests ---
-
-function testSiteOrgMatchLogic() {
-    console.log("Running verifySiteAccess org-match logic tests...");
-
-    // Test 1: Same org — should match
-    {
-        const result = siteOrgMatchesExpectedOrg(
-            "org-attacker",
-            "org-attacker"
-        );
-        assertEquals(result, true, "Same org should match");
-    }
-
-    // Test 2: Different org — should NOT match (cross-org bypass scenario)
-    {
-        const result = siteOrgMatchesExpectedOrg("org-victim", "org-attacker");
-        assertEquals(
-            result,
-            false,
-            "Cross-org site should NOT match expected org"
-        );
-    }
-
-    // Test 3: Site orgId is null — should NOT match
-    {
-        const result = siteOrgMatchesExpectedOrg(null, "org-attacker");
-        assertEquals(result, false, "Null site orgId should NOT match");
-    }
-
-    // Test 4: Expected orgId is null — should NOT match
-    {
-        const result = siteOrgMatchesExpectedOrg("org-attacker", null);
-        assertEquals(result, false, "Null expected orgId should NOT match");
-    }
-
-    // Test 5: Both null — should NOT match
-    {
-        const result = siteOrgMatchesExpectedOrg(null, null);
-        assertEquals(result, false, "Both null should NOT match");
-    }
-
-    // Test 6: Empty string orgIds — should NOT match (empty string is falsy)
-    {
-        const result = siteOrgMatchesExpectedOrg("", "org-attacker");
-        assertEquals(result, false, "Empty site orgId should NOT match");
-    }
-
-    // Test 7: Undefined orgIds — should NOT match
-    {
-        const result = siteOrgMatchesExpectedOrg(undefined, "org-attacker");
-        assertEquals(result, false, "Undefined site orgId should NOT match");
-    }
-
-    console.log("All verifySiteAccess org-match logic tests passed.");
-}
-
-function testShouldRejectCrossOrgSite() {
-    console.log(
-        "Running shouldRejectCrossOrgSite tests (mirrors verifySiteAccess check)..."
-    );
-
-    // Test: No prior org context (undefined) — should NOT reject
-    // This is the normal case for site-only routes (e.g. PUT /site/:siteId)
-    // where verifySiteAccess runs without a prior verifyResourceAccess.
-    {
-        const shouldReject = shouldRejectCrossOrgSite("org-victim", undefined);
-        assertEquals(
-            shouldReject,
-            false,
-            "No prior org context should NOT reject (normal site routes)"
-        );
-    }
-
-    // Test: Same org — should NOT reject
-    {
-        const shouldReject = shouldRejectCrossOrgSite(
-            "org-attacker",
-            "org-attacker"
-        );
-        assertEquals(shouldReject, false, "Same org should NOT reject");
-    }
-
-    // Test: Different org — should reject
-    {
-        const shouldReject = shouldRejectCrossOrgSite(
-            "org-victim",
-            "org-attacker"
-        );
-        assertEquals(shouldReject, true, "Cross-org site should be rejected");
-    }
-
-    // Test: Empty string userOrgId — should NOT reject (falsy, check is skipped)
-    {
-        const shouldReject = shouldRejectCrossOrgSite("org-victim", "");
-        assertEquals(
-            shouldReject,
-            false,
-            "Empty string userOrgId should NOT reject (check is skipped)"
-        );
-    }
-
-    console.log("All shouldRejectCrossOrgSite tests passed.");
-}
-
-// --- Route stack validation tests ---
-
-function testRouteStackOrdering() {
-    console.log("Running route stack ordering tests...");
-
-    const createTargetStack = [
-        "verifyResourceAccess",
-        "verifySiteAccess",
-        "verifyLimits",
-        "verifyUserHasAction",
-        "logActionAudit",
-        "createTarget"
-    ];
-
-    const updateTargetStack = [
-        "verifyTargetAccess",
-        "verifySiteAccess",
-        "verifyLimits",
-        "verifyUserHasAction",
-        "logActionAudit",
-        "updateTarget"
-    ];
-
-    // Verify verifySiteAccess comes after resource/target access middleware
-    {
-        const siteAccessIndex = createTargetStack.indexOf("verifySiteAccess");
-        const resourceAccessIndex = createTargetStack.indexOf(
-            "verifyResourceAccess"
-        );
-        assertEquals(
-            siteAccessIndex > resourceAccessIndex,
-            true,
-            "verifySiteAccess must come after verifyResourceAccess in create target stack"
-        );
-    }
-
-    {
-        const siteAccessIndex = updateTargetStack.indexOf("verifySiteAccess");
-        const targetAccessIndex =
-            updateTargetStack.indexOf("verifyTargetAccess");
-        assertEquals(
-            siteAccessIndex > targetAccessIndex,
-            true,
-            "verifySiteAccess must come after verifyTargetAccess in update target stack"
-        );
-    }
-
-    // Verify verifySiteAccess comes before the handler
-    {
-        const siteAccessIndex = createTargetStack.indexOf("verifySiteAccess");
-        const handlerIndex = createTargetStack.indexOf("createTarget");
-        assertEquals(
-            siteAccessIndex < handlerIndex,
-            true,
-            "verifySiteAccess must come before createTarget handler"
-        );
-    }
-
-    {
-        const siteAccessIndex = updateTargetStack.indexOf("verifySiteAccess");
-        const handlerIndex = updateTargetStack.indexOf("updateTarget");
-        assertEquals(
-            siteAccessIndex < handlerIndex,
-            true,
-            "verifySiteAccess must come before updateTarget handler"
-        );
-    }
-
-    console.log("All route stack ordering tests passed.");
-}
-
-// --- Security scenario tests ---
-
-function testSecurityScenarios() {
-    console.log("Running security scenario tests...");
-
-    // Scenario 1: Attacker has resource access in org_attacker, but tries to
-    // bind target to a site in org_victim.
-    // verifyResourceAccess passes (sets req.userOrgId = "org_attacker").
-    // verifySiteAccess loads site (org_victim), checks site.orgId !== req.userOrgId.
-    // Expected: 403 Forbidden.
-    {
-        const shouldReject = shouldRejectCrossOrgSite(
-            "org_victim",
-            "org_attacker"
-        );
-        assertEquals(
-            shouldReject,
-            true,
-            "Scenario 1: Cross-org site binding must be rejected"
-        );
-    }
-
-    // Scenario 2: Attacker has resource access AND site access in another org.
-    // Even though the user has site access, verifySiteAccess rejects because
-    // the org-match check runs before the site access check.
-    // Expected: 403 Forbidden (org mismatch caught before site access check).
-    {
-        const shouldReject = shouldRejectCrossOrgSite(
-            "org_victim",
-            "org_attacker"
-        );
-        assertEquals(
-            shouldReject,
-            true,
-            "Scenario 2: Cross-org site must be rejected even if user has site access"
-        );
-    }
-
-    // Scenario 3: Legitimate user creates target with site in same org.
-    // verifyResourceAccess passes, verifySiteAccess org-match passes (same org),
-    // verifySiteAccess site access passes.
-    // Expected: 201 Created.
-    {
-        const shouldReject = shouldRejectCrossOrgSite(
-            "org_attacker",
-            "org_attacker"
-        );
-        assertEquals(
-            shouldReject,
-            false,
-            "Scenario 3: Same-org site must be allowed"
-        );
-    }
-
-    // Scenario 4: WireGuard site in victim org — org mismatch is caught before
-    // any DB write, pickPort, addPeer, or addTargets side effect.
-    {
-        const shouldReject = shouldRejectCrossOrgSite(
-            "org_victim",
-            "org_attacker"
-        );
-        assertEquals(
-            shouldReject,
-            true,
-            "Scenario 4: WireGuard cross-org site must be rejected before addPeer"
-        );
-    }
-
-    // Scenario 5: Newt site in victim org — same as scenario 4 but for newt.
-    {
-        const shouldReject = shouldRejectCrossOrgSite(
-            "org_victim",
-            "org_attacker"
-        );
-        assertEquals(
-            shouldReject,
-            true,
-            "Scenario 5: Newt cross-org site must be rejected before addTargets"
-        );
-    }
-
-    // Scenario 6: Normal site-only route (e.g. PUT /site/:siteId) where
-    // verifySiteAccess runs without a prior verifyResourceAccess.
-    // req.userOrgId is undefined, so the org-match check is skipped.
-    // Normal site access verification proceeds.
-    {
-        const shouldReject = shouldRejectCrossOrgSite("org_victim", undefined);
-        assertEquals(
-            shouldReject,
-            false,
-            "Scenario 6: Site-only routes should skip org-match check"
-        );
-    }
-
-    console.log("All security scenario tests passed.");
-}
-
-// Run all tests
-testSiteOrgMatchLogic();
-testShouldRejectCrossOrgSite();
-testRouteStackOrdering();
-testSecurityScenarios();
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -71,15 +71,6 @@ export async function verifySiteAccess(
            );
        }

-        if (req.userOrgId && site.orgId !== req.userOrgId) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "User does not have access to this site"
-                )
-            );
-        }
-
        if (!req.userOrg) {
            // Get user's role ID in the organization
            const userOrgRole = await db
@@ -137,7 +128,10 @@ export async function verifySiteAccess(
                      .where(
                          and(
                              eq(roleSites.siteId, site.siteId),
-                              inArray(roleSites.roleId, req.userOrgRoleIds!)
+                              inArray(
+                                  roleSites.roleId,
+                                  req.userOrgRoleIds!
+                              )
                          )
                      )
                      .limit(1)
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -109,11 +109,7 @@ export const privateConfigSchema = z
                enable_redis: z.boolean().optional().default(false),
                use_pangolin_dns: z.boolean().optional().default(false),
                use_org_only_idp: z.boolean().optional(),
-                enable_acme_cert_sync: z.boolean().optional().default(true),
-                disable_private_http_placeholder: z
-                    .boolean()
-                    .optional()
-                    .default(false)
+                enable_acme_cert_sync: z.boolean().optional().default(true)
            })
            .optional()
            .prefault({}),
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -12,6 +12,7 @@
 */

 import {
+    browserGatewayTarget,
    certificates,
    db,
    domainNamespaces,
@@ -171,15 +172,8 @@ export async function getTraefikConfig(
                ),
                inArray(sites.type, siteTypes),
                allowRawResources
-                    ? inArray(resources.mode, [
-                          "http",
-                          "udp",
-                          "tcp",
-                          "vnc",
-                          "ssh",
-                          "rdp"
-                      ]) // allow all three
-                    : inArray(resources.mode, ["http", "vnc", "ssh", "rdp"])
+                    ? inArray(resources.mode, ["http", "udp", "tcp"]) // allow all three
+                    : eq(resources.mode, "http")
            )
        )
        .orderBy(desc(targets.priority), targets.targetId); // stable ordering
@@ -187,10 +181,7 @@ export async function getTraefikConfig(
    // Group by resource and include targets with their unique site data
    const resourcesMap = new Map();

-    for (const row of resourcesWithTargetsAndSites) {
-        if (!["http", "tcp", "udp"].includes(row.mode)) {
-            continue;
-        }
+    resourcesWithTargetsAndSites.forEach((row) => {
        const resourceId = row.resourceId;
        const resourceName = sanitize(row.resourceName) || "";
        const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
@@ -200,7 +191,7 @@ export async function getTraefikConfig(
        const priority = row.priority ?? 100;

        if (filterOutNamespaceDomains && row.domainNamespaceId) {
-            continue;
+            return;
        }

        // Create a unique key combining resourceId, path config, and rewrite config
@@ -227,7 +218,7 @@ export async function getTraefikConfig(
                logger.debug(
                    `Invalid path rewrite configuration for resource ${resourceId}: ${validation.error}`
                );
-                continue;
+                return;
            }

            resourcesMap.set(mapKey, {
@@ -284,7 +275,7 @@ export async function getTraefikConfig(
                online: row.siteOnline
            }
        });
-    }
+    });

    // Group browser gateway targets by resource
    type BrowserGatewayResourceEntry = {
@@ -304,12 +295,13 @@ export async function getTraefikConfig(
        maintenanceMessage: string | null;
        maintenanceEstimatedTime: string | null;
        targets: {
-            targetId: number;
+            browserGatewayTargetId: number;
            bgType: string;
            siteId: number;
            siteType: string;
            siteOnline: boolean | null;
            subnet: string | null;
+            siteExitNodeId: number | null;
        }[];
    };
    const browserGatewayResourcesMap = new Map<
@@ -318,10 +310,66 @@ export async function getTraefikConfig(
    >();

    if (allowBrowserGatewayResources) {
-        for (const row of resourcesWithTargetsAndSites) {
-            if (!["ssh", "vnc", "rdp"].includes(row.mode)) {
-                continue;
-            }
+        // Query browser gateway targets for this exit node
+        const browserGatewayRows = await db
+            .select({
+                // Resource fields
+                resourceId: resources.resourceId,
+                resourceName: resources.name,
+                fullDomain: resources.fullDomain,
+                ssl: resources.ssl,
+                subdomain: resources.subdomain,
+                domainId: resources.domainId,
+                enabled: resources.enabled,
+                wildcard: resources.wildcard,
+                domainCertResolver: domains.certResolver,
+                preferWildcardCert: domains.preferWildcardCert,
+                domainNamespaceId: domainNamespaces.domainNamespaceId,
+                // Maintenance fields
+                maintenanceModeEnabled: resources.maintenanceModeEnabled,
+                maintenanceModeType: resources.maintenanceModeType,
+                maintenanceTitle: resources.maintenanceTitle,
+                maintenanceMessage: resources.maintenanceMessage,
+                maintenanceEstimatedTime: resources.maintenanceEstimatedTime,
+                // Browser gateway target fields
+                browserGatewayTargetId:
+                    browserGatewayTarget.browserGatewayTargetId,
+                bgType: browserGatewayTarget.type,
+                // Site fields
+                siteId: sites.siteId,
+                siteType: sites.type,
+                siteOnline: sites.online,
+                subnet: sites.subnet,
+                siteExitNodeId: sites.exitNodeId
+            })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .innerJoin(
+                resources,
+                eq(resources.resourceId, browserGatewayTarget.resourceId)
+            )
+            .leftJoin(domains, eq(domains.domainId, resources.domainId))
+            .leftJoin(
+                domainNamespaces,
+                eq(domainNamespaces.domainId, resources.domainId)
+            )
+            .where(
+                and(
+                    eq(resources.enabled, true),
+                    or(
+                        eq(sites.exitNodeId, exitNodeId),
+                        and(
+                            isNull(sites.exitNodeId),
+                            sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
+                            eq(sites.type, "local"),
+                            sql`(${build != "saas" ? 1 : 0} = 1)`
+                        )
+                    ),
+                    inArray(sites.type, siteTypes)
+                )
+            );
+
+        for (const row of browserGatewayRows) {
            if (filterOutNamespaceDomains && row.domainNamespaceId) {
                continue;
            }
@@ -346,12 +394,13 @@ export async function getTraefikConfig(
                });
            }
            browserGatewayResourcesMap.get(row.resourceId)!.targets.push({
-                targetId: row.targetId,
-                bgType: row.mode,
+                browserGatewayTargetId: row.browserGatewayTargetId,
+                bgType: row.bgType,
                siteId: row.siteId,
                siteType: row.siteType,
                siteOnline: row.siteOnline,
-                subnet: row.subnet
+                subnet: row.subnet,
+                siteExitNodeId: row.siteExitNodeId
            });
        }
    }
@@ -361,11 +410,7 @@ export async function getTraefikConfig(
        fullDomain: string | null;
        mode: "http" | "host" | "cidr" | "ssh";
    }[] = [];
-    if (
-        build == "enterprise" &&
-        !privateConfig.getRawPrivateConfig().flags
-            .disable_private_http_placeholder
-    ) {
+    if (build == "enterprise") {
        // we dont want to do this on the cloud
        // Query siteResources in HTTP mode with SSL enabled and aliases - cert generation / HTTPS edge
        siteResourcesWithFullDomain = await db
@@ -448,29 +493,16 @@ export async function getTraefikConfig(
        const transportName = `${key}-transport`;
        const headersMiddlewareName = `${key}-headers-middleware`;

-        logger.debug(
-            `Processing resource ${resource.name} with domain ${fullDomain} and ${targets.length} targets`
-        );
-
        if (!resource.enabled) {
-            logger.debug(
-                `Resource ${resource.name} is disabled, skipping Traefik config`
-            );
            continue;
        }

-        if (resource.mode == "http") {
+        if (resource.http) {
            if (!resource.domainId) {
-                logger.debug(
-                    `Resource ${resource.name} does not have a domainId, skipping Traefik config`
-                );
                continue;
            }

            if (!resource.fullDomain) {
-                logger.debug(
-                    `Resource ${resource.name} does not have a fullDomain, skipping Traefik config`
-                );
                continue;
            }

@@ -926,7 +958,7 @@ export async function getTraefikConfig(
                    serviceName
                ].loadBalancer.serversTransport = transportName;
            }
-        } else if (resource.mode == "tcp" || resource.mode == "udp") {
+        } else {
            // Non-HTTP (TCP/UDP) configuration
            if (!resource.enableProxy) {
                continue;
--- a/server/private/routers/alertRule/createAlertRule.ts
+++ b/server/private/routers/alertRule/createAlertRule.ts
@@ -208,7 +208,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/alertRule/deleteAlertRule.ts
+++ b/server/private/routers/alertRule/deleteAlertRule.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -112,4 +112,4 @@ export async function deleteAlertRule(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
-}
+}
--- a/server/private/routers/alertRule/getAlertRule.ts
+++ b/server/private/routers/alertRule/getAlertRule.ts
@@ -32,10 +32,7 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
-import {
-    GetAlertRuleResponse,
-    WebhookAlertConfig
-} from "@server/routers/alertRule/types";
+import { GetAlertRuleResponse, WebhookAlertConfig } from "@server/routers/alertRule/types";

 const paramsSchema = z
    .object({
@@ -58,7 +55,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/alertRule/listAlertRules.ts
+++ b/server/private/routers/alertRule/listAlertRules.ts
@@ -101,7 +101,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/exportAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/exportAccessAuditLog.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/exportActionAuditLog.ts
+++ b/server/private/routers/auditLogs/exportActionAuditLog.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/exportConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -72,9 +72,7 @@ export async function exportConnectionAuditLogs(
            );
        }

-        const parsedParams = queryConnectionAuditLogsParams.safeParse(
-            req.params
-        );
+        const parsedParams = queryConnectionAuditLogsParams.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
@@ -114,4 +112,4 @@ export async function exportConnectionAuditLogs(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
-}
+}
--- a/server/private/routers/auditLogs/queryAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/queryAccessAuditLog.ts
@@ -11,14 +11,7 @@
 * This file is not licensed under the AGPLv3.
 */

-import {
-    accessAuditLog,
-    logsDb,
-    resources,
-    siteResources,
-    db,
-    primaryDb
-} from "@server/db";
+import { accessAuditLog, logsDb, resources, siteResources, db, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -157,30 +150,21 @@ export function queryAccess(data: Q) {
        .orderBy(desc(accessAuditLog.timestamp), desc(accessAuditLog.id));
 }

-async function enrichWithResourceDetails(
-    logs: Awaited<ReturnType<typeof queryAccess>>
-) {
+async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
    const resourceIds = logs
-        .map((log) => log.resourceId)
+        .map(log => log.resourceId)
        .filter((id): id is number => id !== null && id !== undefined);

    const siteResourceIds = logs
-        .filter((log) => log.resourceId == null && log.siteResourceId != null)
-        .map((log) => log.siteResourceId)
+        .filter(log => log.resourceId == null && log.siteResourceId != null)
+        .map(log => log.siteResourceId)
        .filter((id): id is number => id !== null && id !== undefined);

    if (resourceIds.length === 0 && siteResourceIds.length === 0) {
-        return logs.map((log) => ({
-            ...log,
-            resourceName: null,
-            resourceNiceId: null
-        }));
+        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
    }

-    const resourceMap = new Map<
-        number,
-        { name: string | null; niceId: string | null }
-    >();
+    const resourceMap = new Map<number, { name: string | null; niceId: string | null }>();

    if (resourceIds.length > 0) {
        const resourceDetails = await primaryDb
@@ -197,10 +181,7 @@ async function enrichWithResourceDetails(
        }
    }

-    const siteResourceMap = new Map<
-        number,
-        { name: string | null; niceId: string | null }
-    >();
+    const siteResourceMap = new Map<number, { name: string | null; niceId: string | null }>();

    if (siteResourceIds.length > 0) {
        const siteResourceDetails = await primaryDb
@@ -213,15 +194,12 @@ async function enrichWithResourceDetails(
            .where(inArray(siteResources.siteResourceId, siteResourceIds));

        for (const r of siteResourceDetails) {
-            siteResourceMap.set(r.siteResourceId, {
-                name: r.name,
-                niceId: r.niceId
-            });
+            siteResourceMap.set(r.siteResourceId, { name: r.name, niceId: r.niceId });
        }
    }

    // Enrich logs with resource details
-    return logs.map((log) => {
+    return logs.map(log => {
        if (log.resourceId != null) {
            const details = resourceMap.get(log.resourceId);
            return {
@@ -295,11 +273,11 @@ async function queryUniqueFilterAttributes(

    // Fetch resource names from main database for the unique resource IDs
    const resourceIds = uniqueResources
-        .map((row) => row.id)
+        .map(row => row.id)
        .filter((id): id is number => id !== null);

    const siteResourceIds = uniqueSiteResources
-        .map((row) => row.id)
+        .map(row => row.id)
        .filter((id): id is number => id !== null);

    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
@@ -315,7 +293,7 @@ async function queryUniqueFilterAttributes(

        resourcesWithNames = [
            ...resourcesWithNames,
-            ...resourceDetails.map((r) => ({
+            ...resourceDetails.map(r => ({
                id: r.resourceId,
                name: r.name
            }))
@@ -333,7 +311,7 @@ async function queryUniqueFilterAttributes(

        resourcesWithNames = [
            ...resourcesWithNames,
-            ...siteResourceDetails.map((r) => ({
+            ...siteResourceDetails.map(r => ({
                id: r.siteResourceId,
                name: r.name
            }))
@@ -366,7 +344,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/queryActionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryActionAuditLog.ts
@@ -171,7 +171,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/queryConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -459,7 +459,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auth/transferSession.ts
+++ b/server/private/routers/auth/transferSession.ts
@@ -17,7 +17,8 @@ import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
-import { db, safeRead, sessions, sessionTransferToken } from "@server/db";
+import { sessions, sessionTransferToken } from "@server/db";
+import { db } from "@server/db";
 import { eq } from "drizzle-orm";
 import { response } from "@server/lib/response";
 import { encodeHexLowerCase } from "@oslojs/encoding";
@@ -56,19 +57,15 @@ export async function transferSession(
            sha256(new TextEncoder().encode(token))
        );

-        const result = await safeRead((db) =>
-            db
-                .select()
-                .from(sessionTransferToken)
-                .where(eq(sessionTransferToken.token, tokenRaw))
-                .innerJoin(
-                    sessions,
-                    eq(sessions.sessionId, sessionTransferToken.sessionId)
-                )
-                .limit(1)
-        );
-
-        const [existing] = result;
+        const [existing] = await db
+            .select()
+            .from(sessionTransferToken)
+            .where(eq(sessionTransferToken.token, tokenRaw))
+            .innerJoin(
+                sessions,
+                eq(sessions.sessionId, sessionTransferToken.sessionId)
+            )
+            .limit(1);

        if (!existing) {
            return next(
--- a/server/private/routers/billing/getOrgUsage.ts
+++ b/server/private/routers/billing/getOrgUsage.ts
@@ -45,7 +45,7 @@ const getOrgSchema = z.strictObject({
 // content: {
 // "application/json": {
 // schema: z.object({
-// data: z.record(z.string(), z.any()).nullable(),
+// data: z.unknown().nullable(),
 // success: z.boolean(),
 // error: z.boolean(),
 // message: z.string(),
--- a/server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts
@@ -0,0 +1,187 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+import { generateId } from "@server/auth/sessions/app";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive(),
+    type: z.enum(["ssh", "rdp", "vnc"]),
+    destination: z.string().nonempty(),
+    destinationPort: z.number().int().min(1).max(65535)
+});
+
+export type CreateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-target",
+    description: "Create a browser gateway target for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function createBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
+            .limit(1);
+
+        if (!site) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site with ID ${siteId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const plainToken = generateId(48);
+        const encryptedToken = encrypt(
+            plainToken,
+            config.getRawConfig().server.secret!
+        );
+
+        const [record] = await db
+            .insert(browserGatewayTarget)
+            .values({
+                resourceId,
+                siteId,
+                type,
+                destination,
+                destinationPort,
+                authToken: encryptedToken
+            })
+            .returning();
+
+        if (site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, siteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [record],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(
+            `Created browser gateway target ${record.browserGatewayTargetId} for resource ${resourceId}`
+        );
+
+        return response<CreateBrowserGatewayTargetResponse>(res, {
+            data: record,
+            success: true,
+            error: false,
+            message: "Browser gateway target created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to create browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts
@@ -0,0 +1,130 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { browserGatewayTarget, db, newts, sites } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { removeBrowserGatewayTarget } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Delete a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function deleteBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        await db
+            .delete(browserGatewayTarget)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            );
+
+        if (existing.site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, existing.bgt.siteId))
+                .limit(1);
+
+            if (newt) {
+                await removeBrowserGatewayTarget(
+                    newt.newtId,
+                    browserGatewayTargetId,
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Deleted browser gateway target ${browserGatewayTargetId}`);
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Browser gateway target deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to delete browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts
@@ -0,0 +1,109 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+export type GetBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Get a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function getBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [result] = await db
+            .select({ bgt: browserGatewayTarget })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!result) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        return response<GetBrowserGatewayTargetResponse>(res, {
+            data: result.bgt,
+            success: true,
+            error: false,
+            message: "Browser gateway target retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to retrieve browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/getBrowserTarget.ts
+++ b/server/private/routers/browserGatewayTarget/getBrowserTarget.ts
@@ -13,8 +13,9 @@

 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, resources, targets } from "@server/db";
-import { eq, and, inArray } from "drizzle-orm";
+import { browserGatewayTarget, db } from "@server/db";
+import { resources, targets } from "@server/db";
+import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -50,30 +51,31 @@ export async function getBrowserTarget(

        logger.info(`Retrieving browser target for domain: ${fullDomain}`);

-        const [row] = await db
+        const [browserTarget] = await db
            .select({
-                ip: targets.ip,
-                port: targets.port,
-                authToken: targets.authToken,
+                destination: browserGatewayTarget.destination,
+                destinationPort: browserGatewayTarget.destinationPort,
+                authToken: browserGatewayTarget.authToken,
                resourceId: resources.resourceId,
                niceId: resources.niceId,
-                name: resources.name,
                orgId: resources.orgId,
                pamMode: resources.pamMode,
                authDaemonMode: resources.authDaemonMode
            })
-            .from(targets)
-            .innerJoin(resources, eq(targets.resourceId, resources.resourceId))
-            .where(
-                and(
-                    eq(resources.fullDomain, fullDomain),
-                    eq(targets.enabled, true),
-                    inArray(targets.mode, ["ssh", "rdp", "vnc"])
-                )
+            .from(browserGatewayTarget)
+            .innerJoin(
+                resources,
+                eq(browserGatewayTarget.resourceId, resources.resourceId)
            )
+            .where(eq(resources.fullDomain, fullDomain))
            .limit(1);

-        if (!row) {
+        const decryptedAuthToken = decrypt(
+            browserTarget.authToken,
+            config.getRawConfig().server.secret!
+        );
+
+        if (!browserTarget) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
@@ -82,21 +84,16 @@ export async function getBrowserTarget(
            );
        }

-        const decryptedAuthToken = row.authToken
-            ? decrypt(row.authToken, config.getRawConfig().server.secret!)
-            : "";
-
        return response<GetBrowserTargetResponse>(res, {
            data: {
-                ip: row.ip,
-                port: row.port,
+                ip: browserTarget.destination,
+                port: browserTarget.destinationPort,
                authToken: decryptedAuthToken,
-                pamMode: row.pamMode,
-                authDaemonMode: row.authDaemonMode,
-                orgId: row.orgId,
-                resourceId: row.resourceId,
-                niceId: row.niceId,
-                name: row.name ?? ""
+                pamMode: browserTarget.pamMode,
+                authDaemonMode: browserTarget.authDaemonMode,
+                orgId: browserTarget.orgId,
+                resourceId: browserTarget.resourceId,
+                niceId: browserTarget.niceId
            },
            success: true,
            error: false,
--- a/server/private/routers/browserGatewayTarget/index.ts
+++ b/server/private/routers/browserGatewayTarget/index.ts
@@ -11,4 +11,9 @@
 * This file is not licensed under the AGPLv3.
 */

+export * from "./createBrowserGatewayTarget";
+export * from "./updateBrowserGatewayTarget";
+export * from "./deleteBrowserGatewayTarget";
+export * from "./getBrowserGatewayTarget";
+export * from "./listBrowserGatewayTargets";
 export * from "./getBrowserTarget";
--- a/server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts
+++ b/server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts
@@ -0,0 +1,159 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const querySchema = z.object({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.number().int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.number().int().nonnegative())
+});
+
+export type ListBrowserGatewayTargetsResponse = {
+    targets: BrowserGatewayTarget[];
+    total: number;
+    limit: number;
+    offset: number;
+};
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-targets",
+    description: "List browser gateway targets for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        query: querySchema
+    },
+    responses: {}
+});
+
+export async function listBrowserGatewayTargets(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
+        const { limit, offset } = parsedQuery.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const rows = await db
+            .select({
+                browserGatewayTargetId:
+                    browserGatewayTarget.browserGatewayTargetId,
+                resourceId: browserGatewayTarget.resourceId,
+                siteId: browserGatewayTarget.siteId,
+                authToken: browserGatewayTarget.authToken,
+                type: browserGatewayTarget.type,
+                destination: browserGatewayTarget.destination,
+                destinationPort: browserGatewayTarget.destinationPort,
+                siteName: sites.name
+            })
+            .from(browserGatewayTarget)
+            .leftJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(eq(browserGatewayTarget.resourceId, resourceId))
+            .limit(limit)
+            .offset(offset);
+
+        return response<ListBrowserGatewayTargetsResponse>(res, {
+            data: {
+                targets: rows as any,
+                total: rows.length,
+                limit,
+                offset
+            },
+            success: true,
+            error: false,
+            message: "Browser gateway targets retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to list browser gateway targets"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts
@@ -0,0 +1,180 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive().optional(),
+    type: z.enum(["ssh", "rdp", "vnc"]).optional(),
+    destination: z.string().nonempty().optional(),
+    destinationPort: z.number().int().min(1).max(65535).optional()
+});
+
+export type UpdateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Update a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function updateBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        const updateValues: Partial<BrowserGatewayTarget> = {};
+        if (siteId !== undefined) updateValues.siteId = siteId;
+        if (type !== undefined) updateValues.type = type;
+        if (destination !== undefined) updateValues.destination = destination;
+        if (destinationPort !== undefined)
+            updateValues.destinationPort = destinationPort;
+
+        const [updated] = await db
+            .update(browserGatewayTarget)
+            .set(updateValues)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            )
+            .returning();
+
+        const targetSiteId = siteId ?? existing.bgt.siteId;
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, targetSiteId))
+            .limit(1);
+
+        if (site && site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, targetSiteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [updated],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Updated browser gateway target ${browserGatewayTargetId}`);
+
+        return response<UpdateBrowserGatewayTargetResponse>(res, {
+            data: updated,
+            success: true,
+            error: false,
+            message: "Browser gateway target updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to update browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/certificates/getCertificate.ts
+++ b/server/private/routers/certificates/getCertificate.ts
@@ -121,7 +121,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/certificates/restartCertificate.ts
+++ b/server/private/routers/certificates/restartCertificate.ts
@@ -46,7 +46,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/domain/checkDomainNamespaceAvailability.ts
+++ b/server/private/routers/domain/checkDomainNamespaceAvailability.ts
@@ -29,7 +29,7 @@ import { tierMatrix } from "@server/lib/billing/tierMatrix";
 const paramsSchema = z.strictObject({});

 const querySchema = z.strictObject({
-    subdomain: z.string()
+    subdomain: z.string(),
    // orgId: build === "saas" ? z.string() : z.string().optional() // Required for saas, optional otherwise
 });

@@ -48,7 +48,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
@@ -33,8 +33,7 @@ const paramsSchema = z
 registry.registerPath({
    method: "delete",
    path: "/org/{orgId}/event-streaming-destination/{destinationId}",
-    description:
-        "Delete an event streaming destination for a specific organization.",
+    description: "Delete an event streaming destination for a specific organization.",
    tags: [OpenAPITags.Org],
    request: {
        params: paramsSchema
@@ -45,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -116,4 +115,4 @@ export async function deleteEventStreamingDestination(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
-}
+}
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -31,6 +31,7 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
 import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 import * as alertRule from "#private/routers/alertRule";
 import * as healthChecks from "#private/routers/healthChecks";
+import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
 import * as labels from "#private/routers/labels";
 import * as client from "@server/routers/client";
 import * as resource from "#private/routers/resource";
@@ -878,3 +879,48 @@ authenticated.post(
    verifyClientAccess,
    client.rebuildClientAssociationsCacheRoute
 );
+
+authenticated.put(
+    "/org/:orgId/resource/:resourceId/browser-gateway-target",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
+    browserGatewayTarget.createBrowserGatewayTarget
+);
+
+authenticated.get(
+    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listBrowserGatewayTargets),
+    browserGatewayTarget.listBrowserGatewayTargets
+);
+
+authenticated.get(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.getBrowserGatewayTarget),
+    browserGatewayTarget.getBrowserGatewayTarget
+);
+
+authenticated.post(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.updateBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
+    browserGatewayTarget.updateBrowserGatewayTarget
+);
+
+authenticated.delete(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
+    browserGatewayTarget.deleteBrowserGatewayTarget
+);
--- a/server/private/routers/healthChecks/deleteHealthCheck.ts
+++ b/server/private/routers/healthChecks/deleteHealthCheck.ts
@@ -47,7 +47,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/healthChecks/listHealthChecks.ts
+++ b/server/private/routers/healthChecks/listHealthChecks.ts
@@ -74,7 +74,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -79,10 +79,7 @@ import logger from "@server/logger";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
 import { exchangeSession } from "@server/routers/badger";
-import {
-    ResourceSessionValidationResult,
-    validateResourceSessionToken
-} from "@server/auth/sessions/resource";
+import { validateResourceSessionToken } from "@server/auth/sessions/resource";
 import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
 import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
@@ -219,9 +216,9 @@ export type ResourceWithAuth = {
    password: ResourcePassword | ResourcePolicyPassword | null;
    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
-    applyRules: boolean | null;
-    sso: boolean | null;
-    emailWhitelistEnabled: boolean | null;
+    applyRules: boolean;
+    sso: boolean;
+    emailWhitelistEnabled: boolean;
    org: Org;
 };

@@ -1757,34 +1754,11 @@ hybridRouter.post(
                resourceId
            );

-            // this is for backward compatibility with nodes that did not have the policy id checking
-            const modifiedResult: ResourceSessionValidationResult = {
-                ...result,
-                resourceSession: result.resourceSession
-                    ? {
-                          ...result.resourceSession,
-                          // Prefer policy IDs, but keep legacy IDs populated for older nodes.
-                          pincodeId:
-                              result.resourceSession.policyPincodeId ??
-                              result.resourceSession.pincodeId ??
-                              null,
-                          passwordId:
-                              result.resourceSession.policyPasswordId ??
-                              result.resourceSession.passwordId ??
-                              null,
-                          whitelistId:
-                              result.resourceSession.policyWhitelistId ??
-                              result.resourceSession.whitelistId ??
-                              null
-                      }
-                    : null
-            };
-
            return response(res, {
-                data: modifiedResult,
+                data: result,
                success: true,
                error: false,
-                message: modifiedResult.resourceSession
+                message: result.resourceSession
                    ? "Resource session token is valid"
                    : "Resource session token is invalid or expired",
                status: HttpCode.OK
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -16,6 +16,7 @@ import * as org from "#private/routers/org";
 import * as logs from "#private/routers/auditLogs";
 import * as alertEvents from "#private/routers/alertEvents";
 import * as certificates from "#private/routers/certificates";
+import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";

 import {
    verifyApiKeyHasAction,
@@ -215,3 +216,43 @@ authenticated.delete(
    logActionAudit(ActionsEnum.removeUserRole),
    user.removeUserRole
 );
+
+authenticated.put(
+    "/org/:orgId/resource/:resourceId/browser-gateway-target",
+    verifyApiKeyOrgAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.createBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
+    browserGatewayTarget.createBrowserGatewayTarget
+);
+
+authenticated.get(
+    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listBrowserGatewayTargets),
+    browserGatewayTarget.listBrowserGatewayTargets
+);
+
+authenticated.get(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.getBrowserGatewayTarget),
+    browserGatewayTarget.getBrowserGatewayTarget
+);
+
+authenticated.post(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.updateBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
+    browserGatewayTarget.updateBrowserGatewayTarget
+);
+
+authenticated.delete(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
+    browserGatewayTarget.deleteBrowserGatewayTarget
+);
--- a/server/private/routers/internal.ts
+++ b/server/private/routers/internal.ts
@@ -17,9 +17,9 @@ import * as orgIdp from "#private/routers/orgIdp";
 import * as billing from "#private/routers/billing";
 import * as license from "#private/routers/license";
 import * as resource from "#private/routers/resource";
+import * as browserTarget from "#private/routers/browserGatewayTarget";
 import * as ssh from "#private/routers/ssh";
 import * as ws from "@server/routers/ws";
-import * as browserTarget from "#private/routers/browserGatewayTarget";

 import {
    verifySessionUserMiddleware,
--- a/server/private/routers/labels/createOrgLabel.ts
+++ b/server/private/routers/labels/createOrgLabel.ts
@@ -22,7 +22,7 @@ import response from "@server/lib/response";
 import logger from "@server/logger";
 import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
 import HttpCode from "@server/types/HttpCode";
-import { and, eq, sql } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
@@ -107,26 +107,6 @@ export async function createOrgLabel(
            }
        }

-        const [existingLabel] = await db
-            .select({ labelId: labels.labelId })
-            .from(labels)
-            .where(
-                and(
-                    eq(labels.orgId, orgId),
-                    sql`LOWER(${labels.name}) = ${name.toLowerCase()}`
-                )
-            )
-            .limit(1);
-
-        if (existingLabel) {
-            return next(
-                createHttpError(
-                    HttpCode.CONFLICT,
-                    "A label with this name already exists"
-                )
-            );
-        }
-
        const label = await db.transaction(async (tx) => {
            const [label] = await tx
                .insert(labels)
--- a/server/private/routers/labels/updateOrgLabel.ts
+++ b/server/private/routers/labels/updateOrgLabel.ts
@@ -16,7 +16,7 @@ import response from "@server/lib/response";
 import logger from "@server/logger";
 import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
 import HttpCode from "@server/types/HttpCode";
-import { and, eq, ne, sql } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
@@ -74,29 +74,6 @@ export async function updateOrgLabel(

        const { name, color } = parsedBody.data;

-        if (name && name.toLowerCase() !== existing.name.toLowerCase()) {
-            const [duplicateLabel] = await db
-                .select({ labelId: labels.labelId })
-                .from(labels)
-                .where(
-                    and(
-                        eq(labels.orgId, orgId),
-                        ne(labels.labelId, labelId),
-                        sql`LOWER(${labels.name}) = ${name.toLowerCase()}`
-                    )
-                )
-                .limit(1);
-
-            if (duplicateLabel) {
-                return next(
-                    createHttpError(
-                        HttpCode.CONFLICT,
-                        "A label with this name already exists"
-                    )
-                );
-            }
-        }
-
        const [label] = await db
            .update(labels)
            .set({
--- a/server/private/routers/orgIdp/createOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/createOrgOidcIdp.ts
@@ -69,7 +69,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -127,8 +127,7 @@ export async function createOrgOidcIdp(

        let { autoProvision } = parsedBody.data;

-        if (build == "saas") {
-            // this is not paywalled with a ee license because this whole endpoint is restricted
+        if (build == "saas") { // this is not paywalled with a ee license because this whole endpoint is restricted
            const subscribed = await isSubscribed(
                orgId,
                tierMatrix.deviceApprovals
--- a/server/private/routers/orgIdp/deleteOrgIdp.ts
+++ b/server/private/routers/orgIdp/deleteOrgIdp.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/orgIdp/getOrgIdp.ts
+++ b/server/private/routers/orgIdp/getOrgIdp.ts
@@ -62,7 +62,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/orgIdp/listOrgIdps.ts
+++ b/server/private/routers/orgIdp/listOrgIdps.ts
@@ -78,7 +78,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/policy/createResourcePolicy.ts
+++ b/server/private/routers/policy/createResourcePolicy.ts
@@ -33,8 +33,9 @@ import {
 import { getUniqueResourcePolicyName } from "@server/db/names";
 import response from "@server/lib/response";
 import {
-    getResourceRuleValueValidationError,
-    RESOURCE_RULE_MATCH_TYPES
+    isValidCIDR,
+    isValidIP,
+    isValidUrlGlobPattern
 } from "@server/lib/validators";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -55,9 +56,9 @@ const ruleSchema = z.strictObject({
        enum: ["ACCEPT", "DROP", "PASS"],
        description: "rule action"
    }),
-    match: z.enum(RESOURCE_RULE_MATCH_TYPES).openapi({
+    match: z.enum(["CIDR", "IP", "PATH"]).openapi({
        type: "string",
-        enum: [...RESOURCE_RULE_MATCH_TYPES],
+        enum: ["CIDR", "IP", "PATH"],
        description: "rule match"
    }),
    value: z.string().min(1),
@@ -260,13 +261,26 @@ export async function createResourcePolicy(
        const niceId = await getUniqueResourcePolicyName(orgId);

        for (const rule of rules) {
-            const validationError = getResourceRuleValueValidationError(
-                rule.match,
-                rule.value
-            );
-            if (validationError) {
+            if (rule.match === "CIDR" && !isValidCIDR(rule.value)) {
                return next(
-                    createHttpError(HttpCode.BAD_REQUEST, validationError)
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid CIDR provided"
+                    )
+                );
+            } else if (rule.match === "IP" && !isValidIP(rule.value)) {
+                return next(
+                    createHttpError(HttpCode.BAD_REQUEST, "Invalid IP provided")
+                );
+            } else if (
+                rule.match === "PATH" &&
+                !isValidUrlGlobPattern(rule.value)
+            ) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid URL glob pattern provided"
+                    )
                );
            }
        }
--- a/server/private/routers/policy/listResourcePolicies.ts
+++ b/server/private/routers/policy/listResourcePolicies.ts
@@ -216,7 +216,6 @@ export async function listResourcePolicies(
                : await db
                      .select({
                          resourceId: resources.resourceId,
-                          niceId: resources.niceId,
                          name: resources.name,
                          fullDomain: resources.fullDomain,
                          resourcePolicyId: resources.resourcePolicyId
--- a/server/private/routers/remoteExitNode/exitNodeReconnectScheduler.ts
+++ b/server/private/routers/remoteExitNode/exitNodeReconnectScheduler.ts
@@ -1,202 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import axios from "axios";
-import { db, exitNodes, newts, sites } from "@server/db";
-import { eq } from "drizzle-orm";
-import logger from "@server/logger";
-import redisManager from "#private/lib/redis";
-import { sendToClient } from "#private/routers/ws";
-
-const INITIAL_DELAY_MS = 15 * 1000; // 15 seconds before first check
-const CHECK_INTERVAL_MS = 10 * 1000; // Check every 10 seconds
-const MAX_DURATION_MS = 5 * 60 * 1000; // Give up after 5 minutes
-const REDIS_PENDING_SET = "exit-node-reconnect-pending";
-const REDIS_HASH_PREFIX = "exit-node-reconnect:";
-
-interface PendingReconnect {
-    startTime: number;
-    reachableAt: string;
-}
-
-// In-memory tracking for this node
-const pendingReconnects = new Map<number, PendingReconnect>();
-
-let schedulerInterval: NodeJS.Timeout | null = null;
-
-/**
- * Schedules a reconnect check for newts connected to the given exit node.
- * Called when an exit node transitions from offline to online.
- */
-export async function scheduleExitNodeReconnect(
-    exitNodeId: number,
-    reachableAt: string
-): Promise<void> {
-    logger.info(
-        `Scheduling newt reconnect for exit node ${exitNodeId} (reachableAt: ${reachableAt})`
-    );
-
-    const entry: PendingReconnect = {
-        startTime: Date.now(),
-        reachableAt
-    };
-
-    pendingReconnects.set(exitNodeId, entry);
-
-    // Store in Redis if available for cross-node coordination
-    if (redisManager.isRedisEnabled()) {
-        await redisManager.sadd(REDIS_PENDING_SET, exitNodeId.toString());
-        await redisManager.hset(
-            `${REDIS_HASH_PREFIX}${exitNodeId}`,
-            "startTime",
-            entry.startTime.toString()
-        );
-        await redisManager.hset(
-            `${REDIS_HASH_PREFIX}${exitNodeId}`,
-            "reachableAt",
-            reachableAt
-        );
-    }
-}
-
-/**
- * Starts the background interval that checks pending exit node reconnects.
- */
-export function startExitNodeReconnectScheduler(): void {
-    if (schedulerInterval) {
-        return;
-    }
-
-    schedulerInterval = setInterval(async () => {
-        try {
-            await processPendingReconnects();
-        } catch (error) {
-            logger.error("Error in exit node reconnect scheduler", { error });
-        }
-    }, CHECK_INTERVAL_MS);
-
-    logger.debug("Started exit node reconnect scheduler");
-}
-
-async function processPendingReconnects(): Promise<void> {
-    // Merge in-memory and Redis-tracked pending reconnects
-    const toProcess = new Map(pendingReconnects);
-
-    if (redisManager.isRedisEnabled()) {
-        const redisIds = await redisManager.smembers(REDIS_PENDING_SET);
-        for (const idStr of redisIds) {
-            const id = parseInt(idStr, 10);
-            if (!toProcess.has(id)) {
-                const startTimeStr = await redisManager.hget(
-                    `${REDIS_HASH_PREFIX}${id}`,
-                    "startTime"
-                );
-                const reachableAt = await redisManager.hget(
-                    `${REDIS_HASH_PREFIX}${id}`,
-                    "reachableAt"
-                );
-                if (startTimeStr && reachableAt) {
-                    toProcess.set(id, {
-                        startTime: parseInt(startTimeStr, 10),
-                        reachableAt
-                    });
-                }
-            }
-        }
-    }
-
-    const now = Date.now();
-
-    for (const [exitNodeId, entry] of toProcess) {
-        const elapsed = now - entry.startTime;
-
-        // Give up after max duration
-        if (elapsed >= MAX_DURATION_MS) {
-            logger.warn(
-                `Exit node reconnect check timed out for exit node ${exitNodeId} after 5 minutes`
-            );
-            await removePending(exitNodeId);
-            continue;
-        }
-
-        // Respect initial delay
-        if (elapsed < INITIAL_DELAY_MS) {
-            continue;
-        }
-
-        // Check if the exit node HTTP endpoint is reachable
-        const pingUrl = `${entry.reachableAt}/ping`;
-        try {
-            await axios.get(pingUrl, { timeout: 5000 });
-        } catch {
-            logger.debug(
-                `Exit node ${exitNodeId} not yet reachable at ${pingUrl}`
-            );
-            continue;
-        }
-
-        // Node is reachable — send reconnect to all connected newts
-        logger.info(
-            `Exit node ${exitNodeId} is reachable. Sending newt/wg/reconnect to connected newts.`
-        );
-
-        await sendReconnectToNewts(exitNodeId);
-        await removePending(exitNodeId);
-    }
-}
-
-async function sendReconnectToNewts(exitNodeId: number): Promise<void> {
-    try {
-        const connectedNewts = await db
-            .select({ newtId: newts.newtId })
-            .from(newts)
-            .innerJoin(sites, eq(newts.siteId, sites.siteId))
-            .where(eq(sites.exitNodeId, exitNodeId));
-
-        if (connectedNewts.length === 0) {
-            logger.debug(
-                `No newts found for exit node ${exitNodeId}, nothing to reconnect`
-            );
-            return;
-        }
-
-        logger.info(
-            `Sending newt/wg/reconnect to ${connectedNewts.length} newt(s) for exit node ${exitNodeId}`
-        );
-
-        const reconnectMessage = {
-            type: "newt/wg/reconnect",
-            data: {}
-        };
-
-        await Promise.allSettled(
-            connectedNewts.map(({ newtId }) =>
-                sendToClient(newtId, reconnectMessage)
-            )
-        );
-    } catch (error) {
-        logger.error(
-            `Failed to send reconnect messages for exit node ${exitNodeId}`,
-            { error }
-        );
-    }
-}
-
-async function removePending(exitNodeId: number): Promise<void> {
-    pendingReconnects.delete(exitNodeId);
-
-    if (redisManager.isRedisEnabled()) {
-        await redisManager.srem(REDIS_PENDING_SET, exitNodeId.toString());
-        await redisManager.del(`${REDIS_HASH_PREFIX}${exitNodeId}`);
-    }
-}
--- a/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
+++ b/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
@@ -16,7 +16,6 @@ import { MessageHandler } from "@server/routers/ws";
 import { RemoteExitNode } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
-import { scheduleExitNodeReconnect } from "./exitNodeReconnectScheduler";

 /**
 * Handles ping messages from clients and responds with pong
@@ -38,13 +37,6 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
    }

    try {
-        // Fetch the current state before updating so we can detect the offline→online transition
-        const [currentExitNode] = await db
-            .select({ online: exitNodes.online, reachableAt: exitNodes.reachableAt })
-            .from(exitNodes)
-            .where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId))
-            .limit(1);
-
        // Update the exit node's last ping timestamp
        await db
            .update(exitNodes)
@@ -53,16 +45,6 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
                online: true
            })
            .where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId));
-
-        // If the exit node was offline and is now coming online, schedule newt reconnects
-        if (currentExitNode && !currentExitNode.online && currentExitNode.reachableAt) {
-            scheduleExitNodeReconnect(
-                remoteExitNode.exitNodeId,
-                currentExitNode.reachableAt
-            ).catch((error) => {
-                logger.error("Failed to schedule exit node reconnect", { error });
-            });
-        }
    } catch (error) {
        logger.error("Error handling ping message", { error });
    }
--- a/server/private/routers/remoteExitNode/index.ts
+++ b/server/private/routers/remoteExitNode/index.ts
@@ -22,4 +22,3 @@ export * from "./listRemoteExitNodes";
 export * from "./pickRemoteExitNodeDefaults";
 export * from "./quickStartRemoteExitNode";
 export * from "./offlineChecker";
-export * from "./exitNodeReconnectScheduler";
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -12,7 +12,6 @@
 */

 import { Request, Response, NextFunction } from "express";
-import { randomInt } from "crypto";
 import { z } from "zod";
 import {
    actionAuditLog,
@@ -30,7 +29,8 @@ import {
    userOrgs,
    sites,
    Resource,
-    SiteResource
+    SiteResource,
+    browserGatewayTarget
 } from "@server/db";
 import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
@@ -290,15 +290,16 @@ export async function signSshKey(
            const publicResource = resource as Resource;
            const targetRows = await db
                .select({
-                    siteId: targets.siteId,
-                    ip: targets.ip
+                    siteId: browserGatewayTarget.siteId,
+                    ip: browserGatewayTarget.destination
                })
-                .from(targets)
+                .from(browserGatewayTarget)
                .where(
                    and(
-                        eq(targets.resourceId, publicResource.resourceId),
-                        eq(targets.enabled, true),
-                        eq(targets.mode, "ssh")
+                        eq(
+                            browserGatewayTarget.resourceId,
+                            publicResource.resourceId
+                        )
                    )
                );

@@ -391,7 +392,7 @@ export async function signSshKey(
                if (existingUserWithSameName) {
                    let foundUniqueUsername = false;
                    for (let attempt = 0; attempt < 20; attempt++) {
-                        const randomNum = randomInt(0, 101); // 0 to 100
+                        const randomNum = Math.floor(Math.random() * 101); // 0 to 100
                        const candidateUsername = `${usernameToUse}${randomNum}`;

                        const [existingUser] = await db
--- a/server/private/routers/user/addUserRole.ts
+++ b/server/private/routers/user/addUserRole.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/user/removeUserRole.ts
+++ b/server/private/routers/user/removeUserRole.ts
@@ -45,7 +45,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -14,8 +14,7 @@
 import {
    handleRemoteExitNodeRegisterMessage,
    handleRemoteExitNodePingMessage,
-    startRemoteExitNodeOfflineChecker,
-    startExitNodeReconnectScheduler
+    startRemoteExitNodeOfflineChecker
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
@@ -30,5 +29,4 @@ export const messageHandlers: Record<string, MessageHandler> = {

 if (build != "saas") {
    startRemoteExitNodeOfflineChecker(); // this is to handle the offline check for remote exit nodes
-    startExitNodeReconnectScheduler(); // check pending exit node reconnects and notify newts
 }
--- a/server/routers/accessToken/deleteAccessToken.ts
+++ b/server/routers/accessToken/deleteAccessToken.ts
@@ -28,7 +28,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/accessToken/generateAccessToken.ts
+++ b/server/routers/accessToken/generateAccessToken.ts
@@ -61,7 +61,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@@ -135,7 +135,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -164,7 +164,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/apiKeys/deleteApiKey.ts
+++ b/server/routers/apiKeys/deleteApiKey.ts
@@ -28,7 +28,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/apiKeys/setApiKeyActions.ts
+++ b/server/routers/apiKeys/setApiKeyActions.ts
@@ -42,7 +42,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/auditLogs/exportRequestAuditLog.ts
+++ b/server/routers/auditLogs/exportRequestAuditLog.ts
@@ -35,7 +35,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.record(z.string(), z.any()).nullable(),
+                        data: z.unknown().nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/Show More
+++ b/Show More