Merge pull request #2778 from fosrl/dev

1.17.0-s.2
Update casting again
2026-04-04 08:56:37 +00:00 · 2026-04-03 12:35:03 -04:00 · 2026-04-03 12:34:37 -04:00 · 2026-04-03 12:19:23 -04:00 · 2026-04-03 12:18:33 -04:00 · 2026-04-03 12:16:31 -04:00
732 changed files with 69295 additions and 26278 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -28,7 +28,9 @@ LICENSE
 CONTRIBUTING.md
 dist
 .git
-migrations/
+server/migrations/
 config/
 build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -44,19 +44,9 @@ updates:
    schedule:
      interval: "daily"
    groups:
-      dev-patch-updates:
+      patch-updates:
        dependency-type: "development"
        update-types:
          - "patch"
-      dev-minor-updates:
+      minor-updates:
        dependency-type: "development"
        update-types:
          - "minor"
      prod-patch-updates:
        dependency-type: "production"
        update-types:
          - "patch"
      prod-minor-updates:
        dependency-type: "production"
        update-types:
          - "minor"
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -1,4 +1,4 @@
-name: CI/CD Pipeline
+name: Public CICD Pipeline
 # CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
 # Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
@@ -17,7 +17,7 @@ on:
    push:
        tags:
            - "[0-9]+.[0-9]+.[0-9]+"
-            - "[0-9]+.[0-9]+.[0-9]+.rc.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
 concurrency:
  group: ${{ github.ref }}
@@ -29,7 +29,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v2
+              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
@@ -62,7 +62,7 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Monitor storage space
              run: |
@@ -77,7 +77,7 @@ jobs:
                  fi
            - name: Log in to Docker Hub
-              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -95,10 +95,25 @@ jobs:
                  cat server/lib/consts.ts
              shell: bash
            - name: Check if release candidate
              id: check-rc
              run: |
                  TAG=${{ env.TAG }}
                  if [[ "$TAG" == *"-rc."* ]]; then
                      echo "IS_RC=true" >> $GITHUB_ENV
                  else
                      echo "IS_RC=false" >> $GITHUB_ENV
                  fi
              shell: bash
            - name: Build and push Docker images (Docker Hub - ARM64)
              run: |
                  TAG=${{ env.TAG }}
                  if [ "$IS_RC" = "true" ]; then
                      make build-rc-arm tag=$TAG
                  else
                      make build-release-arm tag=$TAG
                  fi
                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash
@@ -119,7 +134,7 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Monitor storage space
              run: |
@@ -134,7 +149,7 @@ jobs:
                  fi
            - name: Log in to Docker Hub
-              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -152,15 +167,30 @@ jobs:
                  cat server/lib/consts.ts
              shell: bash
            - name: Check if release candidate
              id: check-rc
              run: |
                  TAG=${{ env.TAG }}
                  if [[ "$TAG" == *"-rc."* ]]; then
                      echo "IS_RC=true" >> $GITHUB_ENV
                  else
                      echo "IS_RC=false" >> $GITHUB_ENV
                  fi
              shell: bash
            - name: Build and push Docker images (Docker Hub - AMD64)
              run: |
                  TAG=${{ env.TAG }}
                  if [ "$IS_RC" = "true" ]; then
                      make build-rc-amd tag=$TAG
                  else
                      make build-release-amd tag=$TAG
                  fi
                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash
-    sign-and-package:
+    create-manifest:
-        name: Sign and Package
+        name: Create Multi-Arch Manifests
        runs-on: [self-hosted, linux, x64, us-east-1]
        needs: [release-arm, release-amd]
        if: >-
@@ -168,6 +198,55 @@ jobs:
                needs.release-arm.result == 'success' &&
                needs.release-amd.result == 'success'
            }}
        timeout-minutes: 30
        steps:
            - name: Checkout code
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Log in to Docker Hub
              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
              shell: bash
            - name: Check if release candidate
              id: check-rc
              run: |
                  TAG=${{ env.TAG }}
                  if [[ "$TAG" == *"-rc."* ]]; then
                      echo "IS_RC=true" >> $GITHUB_ENV
                  else
                      echo "IS_RC=false" >> $GITHUB_ENV
                  fi
              shell: bash
            - name: Create multi-arch manifests
              run: |
                  TAG=${{ env.TAG }}
                  if [ "$IS_RC" = "true" ]; then
                      make create-manifests-rc tag=$TAG
                  else
                      make create-manifests tag=$TAG
                  fi
                  echo "Created multi-arch manifests for tag: ${TAG}"
              shell: bash
    sign-and-package:
        name: Sign and Package
        runs-on: [self-hosted, linux, x64, us-east-1]
        needs: [release-arm, release-amd, create-manifest]
        if: >-
            ${{
                needs.release-arm.result == 'success' &&
                needs.release-amd.result == 'success' &&
                needs.create-manifest.result == 'success'
            }}
        # Job-level timeout to avoid runaway or stuck runs
        timeout-minutes: 120
        env:
@@ -177,7 +256,7 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Extract tag name
              id: get-tag
@@ -185,9 +264,9 @@ jobs:
              shell: bash
            - name: Install Go
-              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
              with:
-                  go-version: 1.24
+                  go-version: 1.25
            - name: Update version in package.json
              run: |
@@ -210,25 +289,17 @@ jobs:
                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
              shell: bash
            - name: Update install/main.go
              run: |
                  PANGOLIN_VERSION=${{ env.TAG }}
                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
                  cat install/main.go
              shell: bash
            - name: Build installer
              working-directory: install
              run: |
-                  make go-build-release
+                  make go-build-release \
                    PANGOLIN_VERSION=${{ env.TAG }} \
                    GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }} \
                    BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
              shell: bash
            - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
              with:
                  name: install-bin
                  path: install/bin/
@@ -243,26 +314,100 @@ jobs:
              shell: bash
            - name: Login to GHCR
              env:
                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
              run: |
                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
              shell: bash
-            - name: Copy tag from Docker Hub to GHCR
+            - name: Copy tags from Docker Hub to GHCR
-              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              # Mirror the already-built images (all architectures) to GHCR so we can sign them
              # Wait a bit for both architectures to be available in Docker Hub manifest
              env:
                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
              run: |
                  set -euo pipefail
                  TAG=${{ env.TAG }}
-                  echo "Waiting for multi-arch manifest to be ready..."
+                  MAJOR_TAG=$(echo $TAG | cut -d. -f1)
                  MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
                  echo "Waiting for multi-arch manifests to be ready..."
                  sleep 30
                  # Determine if this is an RC release
                  IS_RC="false"
                  if [[ "$TAG" == *"-rc."* ]]; then
                      IS_RC="true"
                  fi
                  if [ "$IS_RC" = "true" ]; then
                      echo "RC release detected - copying version-specific tags only"
                      # SQLite OSS
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:$TAG \
                        docker://$GHCR_IMAGE:$TAG
                      # PostgreSQL OSS
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
                        docker://$GHCR_IMAGE:postgresql-$TAG
                      # SQLite Enterprise
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:ee-$TAG \
                        docker://$GHCR_IMAGE:ee-$TAG
                      # PostgreSQL Enterprise
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
                        docker://$GHCR_IMAGE:ee-postgresql-$TAG
                  else
                      echo "Regular release detected - copying all tags (latest, major, minor, full version)"
                      # SQLite OSS - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:$TAG_SUFFIX
                      done
                      # PostgreSQL OSS - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
                      done
                      # SQLite Enterprise - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
                      done
                      # PostgreSQL Enterprise - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
                      done
                  fi
                  echo "All images copied successfully to GHCR!"
              shell: bash
            - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
@@ -270,7 +415,7 @@ jobs:
            - name: Install cosign
              # cosign is used to sign and verify container images (key and keyless)
-              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
            - name: Dual-sign and verify (GHCR & Docker Hub)
              # Sign each image by digest using keyless (OIDC) and key-based signing,
@@ -287,11 +432,48 @@ jobs:
                  issuer="https://token.actions.githubusercontent.com"
                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
-                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                  # Track failures
-                    echo "Processing ${IMAGE}:${TAG}"
+                  FAILED_TAGS=()
                  SUCCESSFUL_TAGS=()
-                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                  # Determine if this is an RC release
-                    REF="${IMAGE}@${DIGEST}"
+                  IS_RC="false"
                  if [[ "$TAG" == *"-rc."* ]]; then
                      IS_RC="true"
                  fi
                  # Define image variants to sign
                  if [ "$IS_RC" = "true" ]; then
                      echo "RC release - signing version-specific tags only"
                      IMAGE_TAGS=(
                          "${TAG}"
                          "postgresql-${TAG}"
                          "ee-${TAG}"
                          "ee-postgresql-${TAG}"
                      )
                  else
                      echo "Regular release - signing all tags"
                      MAJOR_TAG=$(echo $TAG | cut -d. -f1)
                      MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
                      IMAGE_TAGS=(
                          "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
                          "postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
                          "ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
                          "ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
                      )
                  fi
                  # Sign each image variant for both registries
                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
                      TAG_FAILED=false
                      # Wrap the entire tag processing in error handling
                      (
                        set -e
                        DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
                        REF="${BASE_IMAGE}@${DIGEST}"
                        echo "Resolved digest: ${REF}"
                        echo "==> cosign sign (keyless) --recursive ${REF}"
@@ -300,32 +482,95 @@ jobs:
                        echo "==> cosign sign (key) --recursive ${REF}"
                        cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
                        # Retry wrapper for verification to handle registry propagation delays
                        retry_verify() {
                          local cmd="$1"
                          local attempts=6
                          local delay=5
                          local i=1
                          until eval "$cmd"; do
                            if [ $i -ge $attempts ]; then
                              echo "Verification failed after $attempts attempts"
                              return 1
                            fi
                            echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
                            sleep $delay
                            i=$((i+1))
                            delay=$((delay*2))
                            # Cap the delay to avoid very long waits
                            if [ $delay -gt 60 ]; then delay=60; fi
                          done
                          return 0
                        }
                        echo "==> cosign verify (public key) ${REF}"
-                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+                        if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
                          VERIFIED_INDEX=true
                        else
                          VERIFIED_INDEX=false
                        fi
                        echo "==> cosign verify (keyless policy) ${REF}"
-                    cosign verify \
+                        if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
-                      --certificate-oidc-issuer "${issuer}" \
+                          VERIFIED_INDEX_KEYLESS=true
-                      --certificate-identity-regexp "${id_regex}" \
+                        else
-                      "${REF}" -o text
+                          VERIFIED_INDEX_KEYLESS=false
                        fi
                        # Check if verification succeeded
                        if [ "${VERIFIED_INDEX}" != "true" ] && [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
                          echo "⚠️  WARNING: Verification not available for ${BASE_IMAGE}:${IMAGE_TAG}"
                          echo "This may be due to registry propagation delays. Continuing anyway."
                        fi
                      ) || TAG_FAILED=true
                      if [ "$TAG_FAILED" = "true" ]; then
                        echo "⚠️  WARNING: Failed to sign/verify ${BASE_IMAGE}:${IMAGE_TAG}"
                        FAILED_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
                      else
                        echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
                        SUCCESSFUL_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
                      fi
                    done
                  done
                  # Report summary
                  echo ""
                  echo "=========================================="
                  echo "Sign and Verify Summary"
                  echo "=========================================="
                  echo "Successful: ${#SUCCESSFUL_TAGS[@]}"
                  echo "Failed: ${#FAILED_TAGS[@]}"
                  echo ""
                  if [ ${#FAILED_TAGS[@]} -gt 0 ]; then
                    echo "Failed tags:"
                    for tag in "${FAILED_TAGS[@]}"; do
                      echo "  - $tag"
                    done
                    echo ""
                    echo "⚠️  WARNING: Some tags failed to sign/verify, but continuing anyway"
                  else
                    echo "✓ All images signed and verified successfully!"
                  fi
              shell: bash
    post-run:
-        needs: [pre-run, release-arm, release-amd, sign-and-package]
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
        if: >-
            ${{
                always() &&
                needs.pre-run.result == 'success' &&
                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
            }}
        runs-on: ubuntu-latest
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v2
+              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -21,12 +21,12 @@ jobs:
        runs-on: ubuntu-latest
        steps:
            - name: Checkout code
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Set up Node.js
-              uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
              with:
-                node-version: '22'
+                node-version: '24'
            - name: Install dependencies
              run: npm ci
--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -23,7 +23,7 @@ jobs:
          skopeo --version
      - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
      - name: Input check
        run: |
@@ -45,7 +45,7 @@ jobs:
        run: |
          set -euo pipefail
          skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
-            | jq -r '.Tags[]' | sort -u > src-tags.txt
+            | jq -r '.Tags[]' | grep -v -e '-arm64' -e '-amd64' | sort -u > src-tags.txt
          echo "Found source tags: $(wc -l < src-tags.txt)"
          head -n 20 src-tags.txt || true
--- a/.github/workflows/restart-runners.yml
+++ b/.github/workflows/restart-runners.yml
@@ -14,7 +14,7 @@ jobs:
    permissions: write-all
    steps:
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
          role-duration-seconds: 3600
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -0,0 +1,160 @@
 name: SAAS Pipeline
 # CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
 # Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
 permissions:
  contents: read
  packages: write      # for GHCR push
  id-token: write      # for Cosign Keyless (OIDC) Signing
 on:
    push:
        tags:
            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
 concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true
 jobs:
    pre-run:
        runs-on: ubuntu-latest
        permissions: write-all
        steps:
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Verify AWS identity
              run: aws sts get-caller-identity
            - name: Start EC2 instances
              run: |
                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
                  echo "EC2 instances started"
    release-arm:
        name: Build and Release (ARM64)
        runs-on: [self-hosted, linux, arm64, us-east-1]
        needs: [pre-run]
        if: >-
            ${{
                needs.pre-run.result == 'success'
            }}
        # Job-level timeout to avoid runaway or stuck runs
        timeout-minutes: 120
        env:
          # Target images
          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
        steps:
            - name: Checkout code
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Download MaxMind GeoLite2 databases
              env:
                MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
              run: |
                echo "Downloading MaxMind GeoLite2 databases..."
                # Download GeoLite2-Country
                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
                  -o GeoLite2-Country.tar.gz
                # Download GeoLite2-ASN
                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
                  -o GeoLite2-ASN.tar.gz
                # Extract the .mmdb files
                tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
                tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
                # Verify files exist
                if [ ! -f "GeoLite2-Country.mmdb" ]; then
                  echo "ERROR: Failed to download GeoLite2-Country.mmdb"
                  exit 1
                fi
                if [ ! -f "GeoLite2-ASN.mmdb" ]; then
                  echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
                  exit 1
                fi
                # Clean up tar files
                rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
                echo "MaxMind databases downloaded successfully"
                ls -lh GeoLite2-*.mmdb
            - name: Monitor storage space
              run: |
                  THRESHOLD=75
                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
                  echo "Used space: $USED_SPACE%"
                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
                      echo y | docker system prune -a
                  else
                      echo "Storage space is above the threshold. No action needed."
                  fi
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Login to Amazon ECR
              id: login-ecr
              uses: aws-actions/amazon-ecr-login@v2
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
              shell: bash
            - name: Update version in package.json
              run: |
                  TAG=${{ env.TAG }}
                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
                  cat server/lib/consts.ts
              shell: bash
            - name: Build and push Docker images (Docker Hub - ARM64)
              run: |
                  TAG=${{ env.TAG }}
                  make build-saas tag=$TAG
                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
              shell: bash
    post-run:
        needs: [pre-run, release-arm]
        if: >-
            ${{
                always() &&
                needs.pre-run.result == 'success' &&
                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
            }}
        runs-on: ubuntu-latest
        permissions: write-all
        steps:
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Verify AWS identity
              run: aws sts get-caller-identity
            - name: Stop EC2 instances
              run: |
                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
                  echo "EC2 instances stopped"
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -14,7 +14,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          days-before-stale: 14
          days-before-close: 14
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,12 +14,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version: '22'
+          node-version: '24'
      - name: Copy config file
        run: cp config/config.example.yml config/config.yml
@@ -34,10 +34,10 @@ jobs:
        run: npm run set:oss
      - name: Generate database migrations
-        run: npm run db:sqlite:generate
+        run: npm run db:generate
      - name: Apply database migrations
-        run: npm run db:sqlite:push
+        run: npm run db:push
      - name: Test with tsc
        run: npx tsc --noEmit
@@ -62,10 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Copy config file
        run: cp config/config.example.yml config/config.yml
      - name: Build Docker image sqlite
        run: make dev-build-sqlite
@@ -74,10 +71,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Copy config file
        run: cp config/config.example.yml config/config.yml
      - name: Build Docker image pg
        run: make dev-build-pg
--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,6 @@ dynamic/
 scratch/
 tsconfig.json
 hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
 server/setup/migrations.ts
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -4,7 +4,7 @@
    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "[jsonc]": {
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "vscode.json-language-features"
    },
    "[javascript]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
--- a/109
+++ b/109
@@ -1,72 +1,93 @@
-FROM node:24-alpine AS builder
+# FROM node:24-slim AS base
 FROM public.ecr.aws/docker/library/node:24-slim AS base
 WORKDIR /app
-ARG BUILD=oss
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
 ARG DATABASE=sqlite
 RUN apk add --no-cache curl tzdata python3 make g++
 # COPY package.json package-lock.json ./
 COPY package*.json ./
 FROM base AS builder-dev
 RUN npm ci
 COPY . .
-RUN echo "export * from \"./$DATABASE\";" > server/db/index.ts
+ARG BUILD=oss
-RUN echo "export const driver: \"pg\" | \"sqlite\" = \"$DATABASE\";" >> server/db/index.ts
+ARG DATABASE=sqlite
-RUN echo "export const build = \"$BUILD\" as \"saas\" | \"enterprise\" | \"oss\";" > server/build.ts
+RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi && \
    npm run set:$DATABASE && \
    npm run set:$BUILD && \
    npm run db:generate && \
    npm run build && \
    npm run build:cli && \
    test -f dist/server.mjs
-# Copy the appropriate TypeScript configuration based on build type
+# Create placeholder files for MaxMind databases to avoid COPY errors
-RUN if [ "$BUILD" = "oss" ]; then cp tsconfig.oss.json tsconfig.json; \
+# Real files should be present for saas builds, placeholders for oss builds
-    elif [ "$BUILD" = "saas" ]; then cp tsconfig.saas.json tsconfig.json; \
+RUN touch /app/GeoLite2-Country.mmdb /app/GeoLite2-ASN.mmdb
    elif [ "$BUILD" = "enterprise" ]; then cp tsconfig.enterprise.json tsconfig.json; \
    fi
-# if the build is oss then remove the server/private directory
+FROM base AS builder
 RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi
-RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema --out init; fi
+RUN npm ci --omit=dev
-RUN mkdir -p dist
+# FROM node:24-slim AS runner
-RUN npm run next:build
+FROM public.ecr.aws/docker/library/node:24-slim AS runner
 RUN node esbuild.mjs -e server/index.ts -o dist/server.mjs -b $BUILD
 RUN if [ "$DATABASE" = "pg" ]; then \
    node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs; \
    else \
    node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs; \
    fi
 # test to make sure the build output is there and error if not
 RUN test -f dist/server.mjs
 RUN npm run build:cli
 # Prune dev dependencies and clean up to prepare for copy to runner
 RUN npm prune --omit=dev && npm cache clean --force
 FROM node:24-alpine AS runner
 WORKDIR /app
-# Only curl and tzdata needed at runtime - no build tools!
+RUN apt-get update && apt-get install -y curl tzdata && rm -rf /var/lib/apt/lists/*
 RUN apk add --no-cache curl tzdata
 # Copy pre-built node_modules from builder (already pruned to production only)
 # This includes the compiled native modules like better-sqlite3
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
 COPY --from=builder /app/package.json ./package.json
 COPY --from=builder-dev /app/.next/standalone ./
 COPY --from=builder-dev /app/.next/static ./.next/static
 COPY --from=builder-dev /app/dist ./dist
 COPY --from=builder-dev /app/server/migrations ./dist/init
 COPY ./cli/wrapper.sh /usr/local/bin/pangctl
 RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
 COPY server/db/names.json ./dist/names.json
 COPY server/db/ios_models.json ./dist/ios_models.json
 COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public
 # Copy MaxMind databases for SaaS builds
 ARG BUILD=oss
 RUN mkdir -p ./maxmind
 # Copy MaxMind databases (placeholders exist for oss builds, real files for saas)
 COPY --from=builder-dev /app/GeoLite2-Country.mmdb ./maxmind/GeoLite2-Country.mmdb
 COPY --from=builder-dev /app/GeoLite2-ASN.mmdb ./maxmind/GeoLite2-ASN.mmdb
 # Remove MaxMind databases for non-saas builds (keep only for saas)
 RUN if [ "$BUILD" != "saas" ]; then rm -rf ./maxmind; fi
 # OCI Image Labels - Build Args for dynamic values
 ARG VERSION="dev"
 ARG REVISION=""
 ARG CREATED=""
 ARG LICENSE="AGPL-3.0"
 # Derive title and description based on BUILD type
 ARG IMAGE_TITLE="Pangolin"
 ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
 # OCI Image Labels
 # https://github.com/opencontainers/image-spec/blob/main/annotations.md
 LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
      org.opencontainers.image.url="https://github.com/fosrl/pangolin" \
      org.opencontainers.image.documentation="https://docs.pangolin.net" \
      org.opencontainers.image.vendor="Fossorial" \
      org.opencontainers.image.licenses="${LICENSE}" \
      org.opencontainers.image.title="${IMAGE_TITLE}" \
      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
      org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.revision="${REVISION}" \
      org.opencontainers.image.created="${CREATED}"
 CMD ["npm", "run", "start"]
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,7 +1,9 @@
-FROM node:22-alpine
+FROM node:24-alpine
 WORKDIR /app
 RUN apk add --no-cache python3 make g++
 COPY package*.json ./
 # Install dependencies
--- a/399
+++ b/399
@@ -1,8 +1,27 @@
-.PHONY: build build-pg build-release build-release-arm build-release-amd build-arm build-x86 test clean
+.PHONY: build build-pg build-release build-release-arm build-release-amd create-manifests build-arm build-x86 test clean
 major_tag := $(shell echo $(tag) | cut -d. -f1)
 minor_tag := $(shell echo $(tag) | cut -d. -f1,2)
 # OCI label variables
 CREATED := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 REVISION := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
 # Common OCI build args for OSS builds
 OCI_ARGS_OSS = --build-arg VERSION=$(tag) \
 	--build-arg REVISION=$(REVISION) \
 	--build-arg CREATED=$(CREATED) \
 	--build-arg IMAGE_TITLE="Pangolin" \
 	--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
 # Common OCI build args for Enterprise builds
 OCI_ARGS_EE = --build-arg VERSION=$(tag) \
 	--build-arg REVISION=$(REVISION) \
 	--build-arg CREATED=$(CREATED) \
 	--build-arg LICENSE="Fossorial Commercial" \
 	--build-arg IMAGE_TITLE="Pangolin EE" \
 	--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere"
 .PHONY: build-release build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
 build-release: build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
@@ -15,6 +34,7 @@ build-sqlite:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$(major_tag) \
@@ -30,6 +50,7 @@ build-postgresql:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$(major_tag) \
@@ -45,6 +66,7 @@ build-ee-sqlite:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$(major_tag) \
@@ -60,6 +82,7 @@ build-ee-postgresql:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
@@ -67,6 +90,18 @@ build-ee-postgresql:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
 build-saas:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	docker buildx build \
 		--build-arg BUILD=saas \
 		--build-arg DATABASE=pg \
 		--platform linux/arm64 \
 		--tag $(AWS_IMAGE):$(tag) \
 		--push .
 build-release-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \
@@ -74,41 +109,65 @@ build-release-arm:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
 	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:latest \
+		--tag fosrl/pangolin:latest-arm64 \
-		--tag fosrl/pangolin:$$MAJOR_TAG \
+		--tag fosrl/pangolin:$$MAJOR_TAG-arm64 \
-		--tag fosrl/pangolin:$$MINOR_TAG \
+		--tag fosrl/pangolin:$$MINOR_TAG-arm64 \
-		--tag fosrl/pangolin:$(tag) \
+		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:postgresql-latest \
+		--tag fosrl/pangolin:postgresql-latest-arm64 \
-		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG \
+		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-arm64 \
-		--tag fosrl/pangolin:postgresql-$$MINOR_TAG \
+		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-arm64 \
-		--tag fosrl/pangolin:postgresql-$(tag) \
+		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:ee-latest \
+		--tag fosrl/pangolin:ee-latest-arm64 \
-		--tag fosrl/pangolin:ee-$$MAJOR_TAG \
+		--tag fosrl/pangolin:ee-$$MAJOR_TAG-arm64 \
-		--tag fosrl/pangolin:ee-$$MINOR_TAG \
+		--tag fosrl/pangolin:ee-$$MINOR_TAG-arm64 \
-		--tag fosrl/pangolin:ee-$(tag) \
+		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:ee-postgresql-latest \
+		--tag fosrl/pangolin:ee-postgresql-latest-arm64 \
-		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG \
+		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-arm64 \
-		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG \
+		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-arm64 \
-		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .
 build-release-amd:
@@ -118,84 +177,344 @@ build-release-amd:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
 	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:latest-amd64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest-amd64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-latest-amd64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
 		--push .
 create-manifests:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make create-manifests tag=<tag>"; \
 		exit 1; \
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
 	echo "Creating multi-arch manifests for sqlite (oss)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$$MAJOR_TAG \
 		--tag fosrl/pangolin:$$MINOR_TAG \
 		--tag fosrl/pangolin:$(tag) \
-		--push . && \
+		fosrl/pangolin:latest-arm64 \
-	docker buildx build \
+		fosrl/pangolin:latest-amd64 && \
-		--build-arg BUILD=oss \
+	echo "Creating multi-arch manifests for postgresql (oss)..." && \
-		--build-arg DATABASE=pg \
+	docker buildx imagetools create \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG \
 		--tag fosrl/pangolin:postgresql-$$MINOR_TAG \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push . && \
+		fosrl/pangolin:postgresql-latest-arm64 \
-	docker buildx build \
+		fosrl/pangolin:postgresql-latest-amd64 && \
-		--build-arg BUILD=enterprise \
+	echo "Creating multi-arch manifests for sqlite (enterprise)..." && \
-		--build-arg DATABASE=sqlite \
+	docker buildx imagetools create \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG \
 		--tag fosrl/pangolin:ee-$$MINOR_TAG \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push . && \
+		fosrl/pangolin:ee-latest-arm64 \
-	docker buildx build \
+		fosrl/pangolin:ee-latest-amd64 && \
-		--build-arg BUILD=enterprise \
+	echo "Creating multi-arch manifests for postgresql (enterprise)..." && \
-		--build-arg DATABASE=pg \
+	docker buildx imagetools create \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG \
 		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
-		--push .
+		fosrl/pangolin:ee-postgresql-latest-arm64 \
 		fosrl/pangolin:ee-postgresql-latest-amd64 && \
 	echo "All multi-arch manifests created successfully!"
 build-rc:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
 build-rc-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-rc-arm tag=<tag>"; \
 		exit 1; \
 	fi
 	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .
 build-rc-amd:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-rc-amd tag=<tag>"; \
 		exit 1; \
 	fi
 	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
 		--push .
 create-manifests-rc:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make create-manifests-rc tag=<tag>"; \
 		exit 1; \
 	fi
 	@echo "Creating multi-arch manifests for RC sqlite (oss)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:$(tag) \
 		fosrl/pangolin:$(tag)-arm64 \
 		fosrl/pangolin:$(tag)-amd64 && \
 	echo "Creating multi-arch manifests for RC postgresql (oss)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:postgresql-$(tag) \
 		fosrl/pangolin:postgresql-$(tag)-arm64 \
 		fosrl/pangolin:postgresql-$(tag)-amd64 && \
 	echo "Creating multi-arch manifests for RC sqlite (enterprise)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-$(tag) \
 		fosrl/pangolin:ee-$(tag)-arm64 \
 		fosrl/pangolin:ee-$(tag)-amd64 && \
 	echo "Creating multi-arch manifests for RC postgresql (enterprise)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		fosrl/pangolin:ee-postgresql-$(tag)-amd64 && \
 	echo "All RC multi-arch manifests created successfully!"
 build-arm:
-	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		-t fosrl/pangolin:latest .
 build-x86:
-	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		-t fosrl/pangolin:latest .
 dev-build-sqlite:
-	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker build \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		-t fosrl/pangolin:latest .
 dev-build-pg:
-	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker build \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		-t fosrl/pangolin:postgresql-latest .
 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest
--- a/README.md
+++ b/README.md
@@ -35,9 +35,15 @@
 </div>
 <p align="center">
    <a href="https://docs.pangolin.net/careers/join-us">
        <img src="https://img.shields.io/badge/🚀_We're_Hiring!-Join_Our_Team-brightgreen?style=for-the-badge" alt="We're Hiring!" />
    </a>
 </p>
 <p align="center">
    <strong>
-        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
+        Get started with Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
    </strong>
 </p>
@@ -54,9 +60,9 @@ Pangolin is an open-source, identity-based remote access platform built on WireG
 | <img width=500 /> | Description |
 |-----------------|--------------|
 | **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing - no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
 | **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
 | **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
 | **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/nodes) and connect to our control plane. |
 ## Key Features
@@ -74,20 +80,21 @@ Download the Pangolin client for your platform:
 - [Mac](https://pangolin.net/downloads/mac)
 - [Windows](https://pangolin.net/downloads/windows)
 - [Linux](https://pangolin.net/downloads/linux)
 - [iOS](https://pangolin.net/downloads/ios)
 - [Android](https://pangolin.net/downloads/android)
 ## Get Started
 ### Sign up now
 Create an account at [app.pangolin.net](https://app.pangolin.net) to get started with Pangolin Cloud. A generous free tier is available.
 ### Check out the docs
 We encourage everyone to read the full documentation first, which is
 available at [docs.pangolin.net](https://docs.pangolin.net). This README provides only a very brief subset of
 the docs to illustrate some basic ideas.
 ### Sign up and try now
 For Pangolin's managed service, you will first need to create an account at
 [app.pangolin.net](https://app.pangolin.net). We have a generous free tier to get started.
 ## Licensing
 Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,7 +3,7 @@
 If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
 1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
-2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+2. Send a detailed report to [security@pangolin.net](mailto:security@pangolin.net) with the following information:
 -   Description and location of the vulnerability.
 -   Potential impact of the vulnerability.
--- a/blueprint.py
+++ b/blueprint.py
@@ -1,72 +0,0 @@
 import requests
 import yaml
 import json
 import base64
 # The file path for the YAML file to be read
 # You can change this to the path of your YAML file
 YAML_FILE_PATH = 'blueprint.yaml'
 # The API endpoint and headers from the curl request
 API_URL = 'http://api.pangolin.net/v1/org/test/blueprint'
 HEADERS = {
    'accept': '*/*',
    'Authorization': 'Bearer <your_token_here>',
    'Content-Type': 'application/json'
 }
 def convert_and_send(file_path, url, headers):
    """
    Reads a YAML file, converts its content to a JSON payload,
    and sends it via a PUT request to a specified URL.
    """
    try:
        # Read the YAML file content
        with open(file_path, 'r') as file:
            yaml_content = file.read()
        # Parse the YAML string to a Python dictionary
        # This will be used to ensure the YAML is valid before sending
        parsed_yaml = yaml.safe_load(yaml_content)
        # convert the parsed YAML to a JSON string
        json_payload = json.dumps(parsed_yaml)
        print("Converted JSON payload:")
        print(json_payload)
        # Encode the JSON string to Base64
        encoded_json = base64.b64encode(json_payload.encode('utf-8')).decode('utf-8')
        # Create the final payload with the base64 encoded data
        final_payload = {
            "blueprint": encoded_json
        }
        print("Sending the following Base64 encoded JSON payload:")
        print(final_payload)
        print("-" * 20)
        # Make the PUT request with the base64 encoded payload
        response = requests.put(url, headers=headers, json=final_payload)
        # Print the API response for debugging
        print(f"API Response Status Code: {response.status_code}")
        print("API Response Content:")
        print(response.text)
        # Raise an exception for bad status codes (4xx or 5xx)
        response.raise_for_status()
    except FileNotFoundError:
        print(f"Error: The file '{file_path}' was not found.")
    except yaml.YAMLError as e:
        print(f"Error parsing YAML file: {e}")
    except requests.exceptions.RequestException as e:
        print(f"An error occurred during the API request: {e}")
    except Exception as e:
        print(f"An unexpected error occurred: {e}")
 # Run the function
 if __name__ == "__main__":
    convert_and_send(YAML_FILE_PATH, API_URL, HEADERS)
--- a/blueprint.yaml
+++ b/blueprint.yaml
@@ -1,70 +0,0 @@
 client-resources:
  client-resource-nice-id-uno:
    name: this is my resource
    protocol: tcp
    proxy-port: 3001
    hostname: localhost
    internal-port: 3000
    site: lively-yosemite-toad
  client-resource-nice-id-duce:
    name: this is my resource
    protocol: udp
    proxy-port: 3000
    hostname: localhost
    internal-port: 3000
    site: lively-yosemite-toad
 proxy-resources:
  resource-nice-id-uno:
    name: this is my resource
    protocol: http
    full-domain: duce.test.example.com
    host-header: example.com
    tls-server-name: example.com
    # auth:
      # pincode: 123456
      # password: sadfasdfadsf
      # sso-enabled: true
      # sso-roles:
      #   - Member
      # sso-users:
      #   - owen@pangolin.net
      # whitelist-users:
      #   - owen@pangolin.net
      # auto-login-idp: 1
    headers:
      - name: X-Example-Header
        value: example-value
      - name: X-Another-Header
        value: another-value
    rules:
      - action: allow
        match: ip
        value: 1.1.1.1
      - action: deny
        match: cidr 
        value: 2.2.2.2/32
      - action: pass
        match: path
        value: /admin
    targets:
    - site: lively-yosemite-toad
      path: /path
      pathMatchType: prefix
      hostname: localhost
      method: http
      port: 8000
    - site: slim-alpine-chipmunk
      hostname: localhost
      path: /yoman
      pathMatchType: exact
      method: http
      port: 8001
  resource-nice-id-duce:
    name: this is other resource
    protocol: tcp
    proxy-port: 3000
    targets:
    - site: lively-yosemite-toad 
      hostname: localhost
      port: 3000
--- a/cli/commands/clearLicenseKeys.ts
+++ b/cli/commands/clearLicenseKeys.ts
@@ -0,0 +1,36 @@
 import { CommandModule } from "yargs";
 import { db, licenseKey } from "@server/db";
 import { eq } from "drizzle-orm";
 type ClearLicenseKeysArgs = { };
 export const clearLicenseKeys: CommandModule<
    {},
    ClearLicenseKeysArgs
 > = {
    command: "clear-license-keys",
    describe:
        "Clear all license keys from the database",
    // no args
    builder: (yargs) => {
        return yargs;
    },
    handler: async (argv: {}) => {
        try {
            console.log(`Clearing all license keys from the database`);
            // Delete all license keys
            const deletedCount = await db
                .delete(licenseKey)
                .where(eq(licenseKey.licenseKeyId, licenseKey.licenseKeyId))  .returning();; // delete all
            console.log(`Deleted ${deletedCount.length} license key(s) from the database`);
            process.exit(0);
        } catch (error) {
            console.error("Error:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/deleteClient.ts
+++ b/cli/commands/deleteClient.ts
@@ -0,0 +1,123 @@
 import { CommandModule } from "yargs";
 import { db, clients, olms, currentFingerprint, userClients, approvals } from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 type DeleteClientArgs = {
    orgId: string;
    niceId: string;
 };
 export const deleteClient: CommandModule<{}, DeleteClientArgs> = {
    command: "delete-client",
    describe:
        "Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved.",
    builder: (yargs) => {
        return yargs
            .option("orgId", {
                type: "string",
                demandOption: true,
                describe: "The organization ID"
            })
            .option("niceId", {
                type: "string",
                demandOption: true,
                describe: "The client niceId (identifier)"
            });
    },
    handler: async (argv: { orgId: string; niceId: string }) => {
        try {
            const { orgId, niceId } = argv;
            console.log(
                `Deleting client with orgId: ${orgId}, niceId: ${niceId}...`
            );
            // Find the client
            const [client] = await db
                .select()
                .from(clients)
                .where(and(eq(clients.orgId, orgId), eq(clients.niceId, niceId)))
                .limit(1);
            if (!client) {
                console.error(
                    `Error: Client with orgId "${orgId}" and niceId "${niceId}" not found.`
                );
                process.exit(1);
            }
            const clientId = client.clientId;
            console.log(`Found client with clientId: ${clientId}`);
            // Find all OLMs associated with this client
            const associatedOlms = await db
                .select()
                .from(olms)
                .where(eq(olms.clientId, clientId));
            console.log(`Found ${associatedOlms.length} OLM(s) associated with this client`);
            // Delete in a transaction to ensure atomicity
            await db.transaction(async (trx) => {
                // Delete currentFingerprint entries for the associated OLMs
                // Note: We delete these explicitly before deleting OLMs to ensure
                // we have control, even though cascade would handle it
                let fingerprintCount = 0;
                if (associatedOlms.length > 0) {
                    const olmIds = associatedOlms.map((olm) => olm.olmId);
                    const deletedFingerprints = await trx
                        .delete(currentFingerprint)
                        .where(inArray(currentFingerprint.olmId, olmIds))
                        .returning();
                    fingerprintCount = deletedFingerprints.length;
                }
                console.log(`Deleted ${fingerprintCount} current fingerprint(s)`);
                // Delete OLMs
                // Note: OLMs have onDelete: "set null" for clientId, so we need to delete them explicitly
                const deletedOlms = await trx
                    .delete(olms)
                    .where(eq(olms.clientId, clientId))
                    .returning();
                console.log(`Deleted ${deletedOlms.length} OLM(s)`);
                // Delete approvals
                // Note: Approvals have onDelete: "cascade" but we delete explicitly for clarity
                const deletedApprovals = await trx
                    .delete(approvals)
                    .where(eq(approvals.clientId, clientId))
                    .returning();
                console.log(`Deleted ${deletedApprovals.length} approval(s)`);
                // Delete userClients
                // Note: userClients have onDelete: "cascade" but we delete explicitly for clarity
                const deletedUserClients = await trx
                    .delete(userClients)
                    .where(eq(userClients.clientId, clientId))
                    .returning();
                console.log(`Deleted ${deletedUserClients.length} userClient association(s)`);
                // Finally, delete the client itself
                const deletedClients = await trx
                    .delete(clients)
                    .where(eq(clients.clientId, clientId))
                    .returning();
                console.log(`Deleted client: ${deletedClients[0]?.name || niceId}`);
            });
            console.log("\nClient deletion completed successfully!");
            console.log("\nSummary:");
            console.log(`  - Client: ${niceId} (clientId: ${clientId})`);
            console.log(`  - Olm(s): ${associatedOlms.length}`);
            console.log(`  - Current fingerprints: deleted`);
            console.log(`  - Approvals: deleted`);
            console.log(`  - UserClients: deleted`);
            console.log(`  - Snapshots: preserved (not deleted)`);
            process.exit(0);
        } catch (error) {
            console.error("Error deleting client:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/generateOrgCaKeys.ts
+++ b/cli/commands/generateOrgCaKeys.ts
@@ -0,0 +1,121 @@
 import { CommandModule } from "yargs";
 import { db, orgs } from "@server/db";
 import { eq } from "drizzle-orm";
 import { encrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
 import { generateCA } from "@server/lib/sshCA";
 import fs from "fs";
 import yaml from "js-yaml";
 type GenerateOrgCaKeysArgs = {
    orgId: string;
    secret?: string;
    force?: boolean;
 };
 export const generateOrgCaKeys: CommandModule<{}, GenerateOrgCaKeysArgs> = {
    command: "generate-org-ca-keys",
    describe:
        "Generate SSH CA public/private key pair for an organization and store them in the database (private key encrypted with server secret)",
    builder: (yargs) => {
        return yargs
            .option("orgId", {
                type: "string",
                demandOption: true,
                describe: "The organization ID"
            })
            .option("secret", {
                type: "string",
                describe:
                    "Server secret used to encrypt the CA private key. If omitted, read from config file (config.yml or config.yaml)."
            })
            .option("force", {
                type: "boolean",
                default: false,
                describe:
                    "Overwrite existing CA keys for the org if they already exist"
            });
    },
    handler: async (argv: {
        orgId: string;
        secret?: string;
        force?: boolean;
    }) => {
        try {
            const { orgId, force } = argv;
            let secret = argv.secret;
            if (!secret) {
                const configPath = fs.existsSync(configFilePath1)
                    ? configFilePath1
                    : fs.existsSync(configFilePath2)
                      ? configFilePath2
                      : null;
                if (!configPath) {
                    console.error(
                        "Error: No server secret provided and config file not found. " +
                            "Expected config.yml or config.yaml in the config directory, or pass --secret."
                    );
                    process.exit(1);
                }
                const configContent = fs.readFileSync(configPath, "utf8");
                const config = yaml.load(configContent) as {
                    server?: { secret?: string };
                };
                if (!config?.server?.secret) {
                    console.error(
                        "Error: No server.secret in config file. Pass --secret or set server.secret in config."
                    );
                    process.exit(1);
                }
                secret = config.server.secret;
            }
            const [org] = await db
                .select({
                    orgId: orgs.orgId,
                    sshCaPrivateKey: orgs.sshCaPrivateKey,
                    sshCaPublicKey: orgs.sshCaPublicKey
                })
                .from(orgs)
                .where(eq(orgs.orgId, orgId))
                .limit(1);
            if (!org) {
                console.error(`Error: Organization with orgId "${orgId}" not found.`);
                process.exit(1);
            }
            if (org.sshCaPrivateKey != null || org.sshCaPublicKey != null) {
                if (!force) {
                    console.error(
                        "Error: This organization already has CA keys. Use --force to overwrite."
                    );
                    process.exit(1);
                }
            }
            const ca = generateCA(`pangolin-ssh-ca-${orgId}`);
            const encryptedPrivateKey = encrypt(ca.privateKeyPem, secret);
            await db
                .update(orgs)
                .set({
                    sshCaPrivateKey: encryptedPrivateKey,
                    sshCaPublicKey: ca.publicKeyOpenSSH
                })
                .where(eq(orgs.orgId, orgId));
            console.log("SSH CA keys generated and stored for org:", orgId);
            console.log("\nPublic key (OpenSSH format):");
            console.log(ca.publicKeyOpenSSH);
            process.exit(0);
        } catch (error) {
            console.error("Error generating org CA keys:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/rotateServerSecret.ts
+++ b/cli/commands/rotateServerSecret.ts
@@ -7,8 +7,8 @@ import fs from "fs";
 import yaml from "js-yaml";
 type RotateServerSecretArgs = {
-    oldSecret: string;
+    "old-secret": string;
-    newSecret: string;
+    "new-secret": string;
    force?: boolean;
 };
@@ -21,12 +21,12 @@ export const rotateServerSecret: CommandModule<
        "Rotate the server secret by decrypting all encrypted values with the old secret and re-encrypting with a new secret",
    builder: (yargs) => {
        return yargs
-            .option("oldSecret", {
+            .option("old-secret", {
                type: "string",
                demandOption: true,
                describe: "The current server secret (for verification)"
            })
-            .option("newSecret", {
+            .option("new-secret", {
                type: "string",
                demandOption: true,
                describe: "The new server secret to use"
@@ -42,8 +42,8 @@ export const rotateServerSecret: CommandModule<
            });
    },
    handler: async (argv: {
-        oldSecret: string;
+        "old-secret": string;
-        newSecret: string;
+        "new-secret": string;
        force?: boolean;
    }) => {
        try {
@@ -73,8 +73,8 @@ export const rotateServerSecret: CommandModule<
            }
            const configSecret = config.server.secret;
-            const oldSecret = argv.oldSecret;
+            const oldSecret = argv["old-secret"];
-            const newSecret = argv.newSecret;
+            const newSecret = argv["new-secret"];
            const force = argv.force || false;
            // Verify that the provided old secret matches the one in config
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -6,6 +6,9 @@ import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
 import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
 import { clearExitNodes } from "./commands/clearExitNodes";
 import { rotateServerSecret } from "./commands/rotateServerSecret";
 import { clearLicenseKeys } from "./commands/clearLicenseKeys";
 import { deleteClient } from "./commands/deleteClient";
 import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
 yargs(hideBin(process.argv))
    .scriptName("pangctl")
@@ -13,5 +16,8 @@ yargs(hideBin(process.argv))
    .command(resetUserSecurityKeys)
    .command(clearExitNodes)
    .command(rotateServerSecret)
    .command(clearLicenseKeys)
    .command(deleteClient)
    .command(generateOrgCaKeys)
    .demandCommand()
    .help().argv;
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -1,27 +1,30 @@
 # To see all available options, please visit the docs:
-# https://docs.pangolin.net/self-host/advanced/config-file
+# https://docs.pangolin.net/
 gerbil:
    start_port: 51820
    base_endpoint: "{{.DashboardDomain}}"
 app:
-  dashboard_url: http://localhost:3002
+    dashboard_url: "https://{{.DashboardDomain}}"
-  log_level: debug
+    log_level: "info"
    telemetry:
        anonymous_usage: true
 domains:
    domain1:
-    base_domain: example.com
+        base_domain: "{{.BaseDomain}}"
 server:
-  secret: my_secret_key
+    secret: "{{.Secret}}"
-
+    cors:
-gerbil:
+        origins: ["https://{{.DashboardDomain}}"]
-  base_endpoint: example.com
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
-
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
-orgs:
+        credentials: false
  block_size: 24
  subnet_group: 100.90.137.0/20
 flags:
    require_email_verification: false
    disable_signup_without_invite: true
-  disable_user_create_org: true
+    disable_user_create_org: false
    allow_raw_resources: true
  enable_integration_api: true
--- a/config/traefik/dynamic_config.yml
+++ b/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -13,14 +17,16 @@ http:
        - web
      middlewares:
        - redirect-to-https
        - badger
    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
-      rule: "Host(`{{.DashboardDomain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
      service: next-service
      priority: 10
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -28,9 +34,10 @@ http:
    api-router:
      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
      service: api-service
      priority: 100
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -44,3 +51,12 @@ http:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server
 tcp:
  serversTransports:
    pp-transport-v1:
      proxyProtocol:
        version: 1
    pp-transport-v2:
      proxyProtocol:
        version: 2
--- a/config/traefik/traefik_config.yml
+++ b/config/traefik/traefik_config.yml
@@ -3,32 +3,52 @@ api:
  dashboard: true
 providers:
  http:
    endpoint: "http://pangolin:3001/api/v1/traefik-config"
    pollInterval: "5s"
  file:
-    directory: "/var/dynamic"
+    filename: "/etc/traefik/dynamic_config.yml"
    watch: true
 experimental:
  plugins:
    badger:
      moduleName: "github.com/fosrl/badger"
-      version: "v1.2.0"
+      version: "{{.BadgerVersion}}"
 log:
-  level: "DEBUG"
+  level: "INFO"
  format: "common"
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true
 certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
      email: "{{.LetsEncryptEmail}}"
      storage: "/letsencrypt/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
 entryPoints:
  web:
    address: ":80"
  websecure:
-    address: ":9443"
+    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: "30m"
    http:
      tls:
        certResolver: "letsencrypt"
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true
 serversTransport:
  insecureSkipVerify: true
 ping:
  entryPoint: "web"
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -4,6 +4,12 @@ services:
    image: fosrl/pangolin:latest
    container_name: pangolin
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 1g
        reservations:
          memory: 256m
    volumes:
      - ./config:/app/config
    healthcheck:
--- a/docker-compose.pgr.yml
+++ b/docker-compose.pgr.yml
@@ -7,8 +7,8 @@ services:
      POSTGRES_DB: postgres # Default database name
      POSTGRES_USER: postgres # Default user
      POSTGRES_PASSWORD: password # Default password (change for production!)
-    volumes:
+    # volumes:
-      - ./config/postgres:/var/lib/postgresql/data
+    #   - ./config/postgres:/var/lib/postgresql/data
    ports:
      - "5432:5432" # Map host port 5432 to container port 5432
    restart: no
--- a/esbuild.mjs
+++ b/esbuild.mjs
@@ -6,6 +6,12 @@ import path from "path";
 import fs from "fs";
 // import { glob } from "glob";
 // Read default build type from server/build.ts
 let build = "oss";
 const buildFile = fs.readFileSync(path.resolve("server/build.ts"), "utf8");
 const m = buildFile.match(/export\s+const\s+build\s*=\s*["'](oss|saas|enterprise)["']/);
 if (m) build = m[1];
 const banner = `
 // patch __dirname
 // import { fileURLToPath } from "url";
@@ -37,7 +43,7 @@ const argv = yargs(hideBin(process.argv))
        describe: "Build type (oss, saas, enterprise)",
        type: "string",
        choices: ["oss", "saas", "enterprise"],
-        default: "oss"
+        default: build
    })
    .help()
    .alias("help", "h").argv;
@@ -275,7 +281,7 @@ esbuild
            })
        ],
        sourcemap: "inline",
-        target: "node22"
+        target: "node24"
    })
    .then((result) => {
        // Check if there were any errors in the build result
--- a/install/Makefile
+++ b/install/Makefile
@@ -1,41 +1,24 @@
-all: update-versions go-build-release put-back
+all: go-build-release
-dev-all: dev-update-versions dev-build dev-clean
+
 # Build with version injection via ldflags
 # Versions can be passed via: make go-build-release PANGOLIN_VERSION=x.x.x GERBIL_VERSION=x.x.x BADGER_VERSION=x.x.x
 # Or fetched automatically if not provided (requires curl and jq)
 PANGOLIN_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name')
 GERBIL_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
 BADGER_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
 LDFLAGS = -X main.pangolinVersion=$(PANGOLIN_VERSION) \
          -X main.gerbilVersion=$(GERBIL_VERSION) \
          -X main.badgerVersion=$(BADGER_VERSION)
 go-build-release:
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/installer_linux_amd64
+	@echo "Building with versions - Pangolin: $(PANGOLIN_VERSION), Gerbil: $(GERBIL_VERSION), Badger: $(BADGER_VERSION)"
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/installer_linux_arm64
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/installer_linux_amd64
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/installer_linux_arm64
 clean:
 	rm -f bin/installer_linux_amd64
 	rm -f bin/installer_linux_arm64
-update-versions:
+.PHONY: all go-build-release clean
 	@echo "Fetching latest versions..."
 	cp main.go main.go.bak && \
 	$(MAKE) dev-update-versions
 put-back:
 	mv main.go.bak main.go
 dev-update-versions:
 	if [ -z "$(tag)" ]; then \
 		PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name'); \
 	else \
 		PANGOLIN_VERSION=$(tag); \
 	fi && \
 	GERBIL_VERSION=$$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') && \
 	BADGER_VERSION=$$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') && \
 	echo "Latest versions - Pangolin: $$PANGOLIN_VERSION, Gerbil: $$GERBIL_VERSION, Badger: $$BADGER_VERSION" && \
 	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$$PANGOLIN_VERSION\"/" main.go && \
 	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$$GERBIL_VERSION\"/" main.go && \
 	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$$BADGER_VERSION\"/" main.go && \
 	echo "Updated main.go with latest versions"
 dev-build: go-build-release
 dev-clean:
 	@echo "Restoring version values ..."
 	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"replaceme\"/" main.go && \
 	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"replaceme\"/" main.go && \
 	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"replaceme\"/" main.go
 	@echo "Restored version strings in main.go"
--- a/install/config.go
+++ b/install/config.go
@@ -99,11 +99,6 @@ func ReadAppConfig(configPath string) (*AppConfigValues, error) {
 	return values, nil
 }
 // findPattern finds the start of a pattern in a string
 func findPattern(s, pattern string) int {
 	return bytes.Index([]byte(s), []byte(pattern))
 }
 func copyDockerService(sourceFile, destFile, serviceName string) error {
 	// Read source file
 	sourceData, err := os.ReadFile(sourceFile)
@@ -118,19 +113,19 @@ func copyDockerService(sourceFile, destFile, serviceName string) error {
 	}
 	// Parse source Docker Compose YAML
-	var sourceCompose map[string]interface{}
+	var sourceCompose map[string]any
 	if err := yaml.Unmarshal(sourceData, &sourceCompose); err != nil {
 		return fmt.Errorf("error parsing source Docker Compose file: %w", err)
 	}
 	// Parse destination Docker Compose YAML
-	var destCompose map[string]interface{}
+	var destCompose map[string]any
 	if err := yaml.Unmarshal(destData, &destCompose); err != nil {
 		return fmt.Errorf("error parsing destination Docker Compose file: %w", err)
 	}
 	// Get services section from source
-	sourceServices, ok := sourceCompose["services"].(map[string]interface{})
+	sourceServices, ok := sourceCompose["services"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("services section not found in source file or has invalid format")
 	}
@@ -142,10 +137,10 @@ func copyDockerService(sourceFile, destFile, serviceName string) error {
 	}
 	// Get or create services section in destination
-	destServices, ok := destCompose["services"].(map[string]interface{})
+	destServices, ok := destCompose["services"].(map[string]any)
 	if !ok {
 		// If services section doesn't exist, create it
-		destServices = make(map[string]interface{})
+		destServices = make(map[string]any)
 		destCompose["services"] = destServices
 	}
@@ -187,17 +182,21 @@ func backupConfig() error {
 	return nil
 }
-func MarshalYAMLWithIndent(data interface{}, indent int) ([]byte, error) {
+func MarshalYAMLWithIndent(data any, indent int) (resp []byte, err error) {
 	buffer := new(bytes.Buffer)
 	encoder := yaml.NewEncoder(buffer)
 	encoder.SetIndent(indent)
-	err := encoder.Encode(data)
+	if err := encoder.Encode(data); err != nil {
 	if err != nil {
 		return nil, err
 	}
-	defer encoder.Close()
+	defer func() {
 		if cerr := encoder.Close(); cerr != nil && err == nil {
 			err = cerr
 		}
 	}()
 	return buffer.Bytes(), nil
 }
@@ -209,7 +208,7 @@ func replaceInFile(filepath, oldStr, newStr string) error {
 	}
 	// Replace the string
-	newContent := strings.Replace(string(content), oldStr, newStr, -1)
+	newContent := strings.ReplaceAll(string(content), oldStr, newStr)
 	// Write the modified content back to the file
 	err = os.WriteFile(filepath, []byte(newContent), 0644)
@@ -228,28 +227,28 @@ func CheckAndAddTraefikLogVolume(composePath string) error {
 	}
 	// Parse YAML into a generic map
-	var compose map[string]interface{}
+	var compose map[string]any
 	if err := yaml.Unmarshal(data, &compose); err != nil {
 		return fmt.Errorf("error parsing compose file: %w", err)
 	}
 	// Get services section
-	services, ok := compose["services"].(map[string]interface{})
+	services, ok := compose["services"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("services section not found or invalid")
 	}
 	// Get traefik service
-	traefik, ok := services["traefik"].(map[string]interface{})
+	traefik, ok := services["traefik"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("traefik service not found or invalid")
 	}
 	// Check volumes
 	logVolume := "./config/traefik/logs:/var/log/traefik"
-	var volumes []interface{}
+	var volumes []any
-	if existingVolumes, ok := traefik["volumes"].([]interface{}); ok {
+	if existingVolumes, ok := traefik["volumes"].([]any); ok {
 		// Check if volume already exists
 		for _, v := range existingVolumes {
 			if v.(string) == logVolume {
@@ -295,13 +294,13 @@ func MergeYAML(baseFile, overlayFile string) error {
 	}
 	// Parse base YAML into a map
-	var baseMap map[string]interface{}
+	var baseMap map[string]any
 	if err := yaml.Unmarshal(baseContent, &baseMap); err != nil {
 		return fmt.Errorf("error parsing base YAML: %v", err)
 	}
 	// Parse overlay YAML into a map
-	var overlayMap map[string]interface{}
+	var overlayMap map[string]any
 	if err := yaml.Unmarshal(overlayContent, &overlayMap); err != nil {
 		return fmt.Errorf("error parsing overlay YAML: %v", err)
 	}
@@ -324,8 +323,8 @@ func MergeYAML(baseFile, overlayFile string) error {
 }
 // mergeMap recursively merges two maps
-func mergeMap(base, overlay map[string]interface{}) map[string]interface{} {
+func mergeMap(base, overlay map[string]any) map[string]any {
-	result := make(map[string]interface{})
+	result := make(map[string]any)
 	// Copy all key-values from base map
 	for k, v := range base {
@@ -336,8 +335,8 @@ func mergeMap(base, overlay map[string]interface{}) map[string]interface{} {
 	for k, v := range overlay {
 		// If both maps have the same key and both values are maps, merge recursively
 		if baseVal, ok := base[k]; ok {
-			if baseMap, isBaseMap := baseVal.(map[string]interface{}); isBaseMap {
+			if baseMap, isBaseMap := baseVal.(map[string]any); isBaseMap {
-				if overlayMap, isOverlayMap := v.(map[string]interface{}); isOverlayMap {
+				if overlayMap, isOverlayMap := v.(map[string]any); isOverlayMap {
 					result[k] = mergeMap(baseMap, overlayMap)
 					continue
 				}
--- a/install/config/crowdsec/dynamic_config.yml
+++ b/install/config/crowdsec/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -63,6 +67,7 @@ http:
        - web
      middlewares:
        - redirect-to-https
        - badger
    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
@@ -72,6 +77,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
        - badger
      tls:
        certResolver: letsencrypt
@@ -83,6 +89,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
        - badger
      tls:
        certResolver: letsencrypt
@@ -94,6 +101,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
        - badger
      tls:
        certResolver: letsencrypt
--- a/install/config/crowdsec/traefik_config.yml
+++ b/install/config/crowdsec/traefik_config.yml
@@ -81,11 +81,17 @@ entryPoints:
    transport:
      respondingTimeouts:
        readTimeout: "30m"
    http3:
      advertisedPort: 443
    http:
      tls:
        certResolver: "letsencrypt"
-      middlewares: 
+      encodedCharacters:
-        - crowdsec@file
+        allowEncodedSlash: true
        allowEncodedQuestionMark: true
 serversTransport:
  insecureSkipVerify: true
 ping:
  entryPoint: "web"
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -1,9 +1,15 @@
 name: pangolin
 services:
  pangolin:
-    image: docker.io/fosrl/pangolin:{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
    container_name: pangolin
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 1g
        reservations:
          memory: 256m
    volumes:
      - ./config:/app/config
    healthcheck:
@@ -32,15 +38,14 @@ services:
      - 51820:51820/udp
      - 21820:21820/udp
      - 443:443
      - 443:443/udp # For http3 QUIC if desired
      - 80:80
 {{end}}
  traefik:
    image: docker.io/traefik:v3.6
    container_name: traefik
    restart: unless-stopped
-{{if .InstallGerbil}}
+{{if .InstallGerbil}}    network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
    network_mode: service:gerbil # Ports appear on the gerbil service
 {{end}}{{if not .InstallGerbil}}
    ports:
      - 443:443
      - 80:80
--- a/install/config/traefik/dynamic_config.yml
+++ b/install/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -13,6 +17,7 @@ http:
        - web
      middlewares:
        - redirect-to-https
        - badger
    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
@@ -20,6 +25,8 @@ http:
      service: next-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -29,6 +36,8 @@ http:
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -38,6 +47,8 @@ http:
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -40,9 +40,14 @@ entryPoints:
    transport:
      respondingTimeouts:
        readTimeout: "30m"
    http3:
      advertisedPort: 443
    http:
      tls:
        certResolver: "letsencrypt"
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true
 serversTransport:
  insecureSkipVerify: true
--- a/install/containers.go
+++ b/install/containers.go
@@ -144,12 +144,13 @@ func installDocker() error {
 }
 func startDockerService() error {
-	if runtime.GOOS == "linux" {
+	switch runtime.GOOS {
 	case "linux":
 		cmd := exec.Command("systemctl", "enable", "--now", "docker")
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		return cmd.Run()
-	} else if runtime.GOOS == "darwin" {
+	case "darwin":
 		// On macOS, Docker is usually started via the Docker Desktop application
 		fmt.Println("Please start Docker Desktop manually on macOS.")
 		return nil
@@ -210,6 +211,47 @@ func isDockerRunning() bool {
 	return true
 }
 func isPodmanRunning() bool {
 	cmd := exec.Command("podman", "info")
 	if err := cmd.Run(); err != nil {
 		return false
 	}
 	return true
 }
 // detectContainerType detects whether the system is currently using Docker or Podman
 // by checking which container runtime is running and has containers
 func detectContainerType() SupportedContainer {
 	// Check if we have running containers with podman
 	if isPodmanRunning() {
 		cmd := exec.Command("podman", "ps", "-q")
 		output, err := cmd.Output()
 		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
 			return Podman
 		}
 	}
 	// Check if we have running containers with docker
 	if isDockerRunning() {
 		cmd := exec.Command("docker", "ps", "-q")
 		output, err := cmd.Output()
 		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
 			return Docker
 		}
 	}
 	// If no containers are running, check which one is installed and running
 	if isPodmanRunning() && isPodmanInstalled() {
 		return Podman
 	}
 	if isDockerRunning() && isDockerInstalled() {
 		return Docker
 	}
 	return Undefined
 }
 // executeDockerComposeCommandWithArgs executes the appropriate docker command with arguments supplied
 func executeDockerComposeCommandWithArgs(args ...string) error {
 	var cmd *exec.Cmd
@@ -261,7 +303,7 @@ func pullContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
 // startContainers starts the containers using the appropriate command.
@@ -284,7 +326,7 @@ func startContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
 // stopContainers stops the containers using the appropriate command.
@@ -306,7 +348,7 @@ func stopContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
 // restartContainer restarts a specific container using the appropriate command.
@@ -328,5 +370,5 @@ func restartContainer(container string, containerType SupportedContainer) error
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
--- a/install/crowdsec.go
+++ b/install/crowdsec.go
@@ -27,9 +27,18 @@ func installCrowdsec(config Config) error {
 		os.Exit(1)
 	}
-	os.MkdirAll("config/crowdsec/db", 0755)
+	if err := os.MkdirAll("config/crowdsec/db", 0755); err != nil {
-	os.MkdirAll("config/crowdsec/acquis.d", 0755)
+		fmt.Printf("Error creating config files: %v\n", err)
-	os.MkdirAll("config/traefik/logs", 0755)
+		os.Exit(1)
 	}
 	if err := os.MkdirAll("config/crowdsec/acquis.d", 0755); err != nil {
 		fmt.Printf("Error creating config files: %v\n", err)
 		os.Exit(1)
 	}
 	if err := os.MkdirAll("config/traefik/logs", 0755); err != nil {
 		fmt.Printf("Error creating config files: %v\n", err)
 		os.Exit(1)
 	}
 	if err := copyDockerService("config/crowdsec/docker-compose.yml", "docker-compose.yml", "crowdsec"); err != nil {
 		fmt.Printf("Error copying docker service: %v\n", err)
@@ -93,7 +102,7 @@ func installCrowdsec(config Config) error {
 	if checkIfTextInFile("config/traefik/dynamic_config.yml", "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK") {
 		fmt.Println("Failed to replace bouncer key! Please retrieve the key and replace it in the config/traefik/dynamic_config.yml file using the following command:")
-		fmt.Println("	docker exec crowdsec cscli bouncers add traefik-bouncer")
+		fmt.Printf("	%s exec crowdsec cscli bouncers add traefik-bouncer\n", config.InstallationContainerType)
 	}
 	return nil
@@ -117,7 +126,7 @@ func GetCrowdSecAPIKey(containerType SupportedContainer) (string, error) {
 	}
 	// Execute the command to get the API key
-	cmd := exec.Command("docker", "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
+	cmd := exec.Command(string(containerType), "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
 	var out bytes.Buffer
 	cmd.Stdout = &out
@@ -153,34 +162,34 @@ func CheckAndAddCrowdsecDependency(composePath string) error {
 	}
 	// Parse YAML into a generic map
-	var compose map[string]interface{}
+	var compose map[string]any
 	if err := yaml.Unmarshal(data, &compose); err != nil {
 		return fmt.Errorf("error parsing compose file: %w", err)
 	}
 	// Get services section
-	services, ok := compose["services"].(map[string]interface{})
+	services, ok := compose["services"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("services section not found or invalid")
 	}
 	// Get traefik service
-	traefik, ok := services["traefik"].(map[string]interface{})
+	traefik, ok := services["traefik"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("traefik service not found or invalid")
 	}
 	// Get dependencies
-	dependsOn, ok := traefik["depends_on"].(map[string]interface{})
+	dependsOn, ok := traefik["depends_on"].(map[string]any)
 	if ok {
 		// Append the new block for crowdsec
-		dependsOn["crowdsec"] = map[string]interface{}{
+		dependsOn["crowdsec"] = map[string]any{
 			"condition": "service_healthy",
 		}
 	} else {
 		// No dependencies exist, create it
-		traefik["depends_on"] = map[string]interface{}{
+		traefik["depends_on"] = map[string]any{
-			"crowdsec": map[string]interface{}{
+			"crowdsec": map[string]any{
 				"condition": "service_healthy",
 			},
 		}
--- a/install/go.mod
+++ b/install/go.mod
@@ -1,10 +1,38 @@
 module installer
-go 1.24.0
+go 1.25.0
 require (
-	golang.org/x/term v0.38.0
+	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
 	golang.org/x/term v0.41.0
 	gopkg.in/yaml.v3 v3.0.1
 )
-require golang.org/x/sys v0.39.0 // indirect
+require (
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/catppuccin/go v0.3.0 // indirect
 	github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
 	github.com/charmbracelet/bubbletea v1.3.6 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/x/ansi v0.9.3 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -1,7 +1,80 @@
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
 github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E=
 github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY=
 github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 h1:JFgG/xnwFfbezlUnFMJy0nusZvytYysV4SCS2cYbvws=
 github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7/go.mod h1:ISC1gtLcVilLOf23wvTfoQuYbW2q0JevFxPfUzZ9Ybw=
 github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
 github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
 github.com/charmbracelet/huh v1.0.0 h1:wOnedH8G4qzJbmhftTqrpppyqHakl/zbbNdXIWJyIxw=
 github.com/charmbracelet/huh v1.0.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=
 github.com/charmbracelet/x/ansi v0.9.3/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
 github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/conpty v0.1.0 h1:4zc8KaIcbiL4mghEON8D72agYtSeIgq8FSThSPQIb+U=
 github.com/charmbracelet/x/conpty v0.1.0/go.mod h1:rMFsDJoDwVmiYM10aD4bH2XiRgwI7NYJtQgl5yskjEQ=
 github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86 h1:JSt3B+U9iqk37QUU2Rvb6DSBYRLtWqFqfxf8l5hOZUA=
 github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86/go.mod h1:2P0UgXMEa6TsToMSuFqKFQR+fZTO9CNGUNokkPatT/0=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 h1:qko3AQ4gK1MTS/de7F5hPGx6/k1u0w4TeYmBFwzYVP4=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0/go.mod h1:pBhA0ybfXv6hDjQUZ7hk1lVxBiUbupdw5R31yPUViVQ=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY=
 github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo=
 github.com/charmbracelet/x/xpty v0.1.2 h1:Pqmu4TEJ8KeA9uSkISKMU3f+C1F6OGBn8ABuGlqCbtI=
 github.com/charmbracelet/x/xpty v0.1.2/go.mod h1:XK2Z0id5rtLWcpeNiMYBccNNBrP2IJnzHI0Lq13Xzq4=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
 golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/install/input.go
+++ b/install/input.go
@@ -1,74 +1,208 @@
 package main
 import (
-	"bufio"
+	"errors"
 	"fmt"
-	"strings"
+	"os"
-	"syscall"
+	"strconv"
 	"github.com/charmbracelet/huh"
 	"golang.org/x/term"
 )
-func readString(reader *bufio.Reader, prompt string, defaultValue string) string {
+// pangolinTheme is the custom theme using brand colors
 var pangolinTheme = ThemePangolin()
 // isAccessibleMode checks if we should use accessible mode (simple prompts)
 // This is true for: non-TTY, TERM=dumb, or ACCESSIBLE env var set
 func isAccessibleMode() bool {
 	// Check if stdin is not a terminal (piped input, CI, etc.)
 	if !term.IsTerminal(int(os.Stdin.Fd())) {
 		return true
 	}
 	// Check for dumb terminal
 	if os.Getenv("TERM") == "dumb" {
 		return true
 	}
 	// Check for explicit accessible mode request
 	if os.Getenv("ACCESSIBLE") != "" {
 		return true
 	}
 	return false
 }
 // handleAbort checks if the error is a user abort (Ctrl+C) and exits if so
 func handleAbort(err error) {
 	if err != nil && errors.Is(err, huh.ErrUserAborted) {
 		fmt.Println("\nInstallation cancelled.")
 		os.Exit(0)
 	}
 }
 // runField runs a single field with the Pangolin theme, handling accessible mode
 func runField(field huh.Field) error {
 	if isAccessibleMode() {
 		return field.RunAccessible(os.Stdout, os.Stdin)
 	}
 	form := huh.NewForm(huh.NewGroup(field)).WithTheme(pangolinTheme)
 	return form.Run()
 }
 func readString(prompt string, defaultValue string) string {
 	var value string
 	title := prompt
 	if defaultValue != "" {
-		fmt.Printf("%s (default: %s): ", prompt, defaultValue)
+		title = fmt.Sprintf("%s (default: %s)", prompt, defaultValue)
 	} else {
 		fmt.Print(prompt + ": ")
 	}
 	input, _ := reader.ReadString('\n')
 	input = strings.TrimSpace(input)
 	if input == "" {
 		return defaultValue
 	}
 	return input
 	}
-func readStringNoDefault(reader *bufio.Reader, prompt string) string {
+	input := huh.NewInput().
-	fmt.Print(prompt + ": ")
+		Title(title).
-	input, _ := reader.ReadString('\n')
+		Value(&value)
-	return strings.TrimSpace(input)
+
 	// If no default value, this field is required
 	if defaultValue == "" {
 		input = input.Validate(func(s string) error {
 			if s == "" {
 				return fmt.Errorf("this field is required")
 			}
 			return nil
 		})
 	}
-func readPassword(prompt string, reader *bufio.Reader) string {
+	err := runField(input)
-	if term.IsTerminal(int(syscall.Stdin)) {
+	handleAbort(err)
-		fmt.Print(prompt + ": ")
+
-		// Read password without echo if we're in a terminal
+	if value == "" {
-		password, err := term.ReadPassword(int(syscall.Stdin))
+		value = defaultValue
 		fmt.Println() // Add a newline since ReadPassword doesn't add one
 		if err != nil {
 			return ""
 		}
 		input := strings.TrimSpace(string(password))
 		if input == "" {
 			return readPassword(prompt, reader)
 		}
 		return input
 	} else {
 		// Fallback to reading from stdin if not in a terminal
 		return readString(reader, prompt, "")
 	}
 	}
-func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
+	// Print the answer so it remains visible in terminal history (skip in accessible mode as it already shows)
-	defaultStr := "no"
+	if !isAccessibleMode() {
-	if defaultValue {
+		fmt.Printf("%s: %s\n", prompt, value)
 		defaultStr = "yes"
 	}
 	input := readString(reader, prompt+" (yes/no)", defaultStr)
 	return strings.ToLower(input) == "yes"
 	}
 func readBoolNoDefault(reader *bufio.Reader, prompt string) bool {
 	input := readStringNoDefault(reader, prompt+" (yes/no)")
 	return strings.ToLower(input) == "yes"
 }
 func readInt(reader *bufio.Reader, prompt string, defaultValue int) int {
 	input := readString(reader, prompt, fmt.Sprintf("%d", defaultValue))
 	if input == "" {
 		return defaultValue
 	}
 	value := defaultValue
 	fmt.Sscanf(input, "%d", &value)
 	return value
 }
 func readPassword(prompt string) string {
 	var value string
 	for {
 		input := huh.NewInput().
 			Title(prompt).
 			Value(&value).
 			EchoMode(huh.EchoModePassword).
 			Validate(func(s string) error {
 				if s == "" {
 					return fmt.Errorf("password is required")
 				}
 				return nil
 			})
 		err := runField(input)
 		handleAbort(err)
 		if value != "" {
 			// Print confirmation without revealing the password
 			if !isAccessibleMode() {
 				fmt.Printf("%s: %s\n", prompt, "********")
 			}
 			return value
 		}
 	}
 }
 func readBool(prompt string, defaultValue bool) bool {
 	var value = defaultValue
 	confirm := huh.NewConfirm().
 		Title(prompt).
 		Value(&value).
 		Affirmative("Yes").
 		Negative("No")
 	err := runField(confirm)
 	handleAbort(err)
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		answer := "No"
 		if value {
 			answer = "Yes"
 		}
 		fmt.Printf("%s: %s\n", prompt, answer)
 	}
 	return value
 }
 func readBoolNoDefault(prompt string) bool {
 	var value bool
 	confirm := huh.NewConfirm().
 		Title(prompt).
 		Value(&value).
 		Affirmative("Yes").
 		Negative("No")
 	err := runField(confirm)
 	handleAbort(err)
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		answer := "No"
 		if value {
 			answer = "Yes"
 		}
 		fmt.Printf("%s: %s\n", prompt, answer)
 	}
 	return value
 }
 func readInt(prompt string, defaultValue int) int {
 	var value string
 	title := fmt.Sprintf("%s (default: %d)", prompt, defaultValue)
 	input := huh.NewInput().
 		Title(title).
 		Value(&value).
 		Validate(func(s string) error {
 			if s == "" {
 				return nil
 			}
 			_, err := strconv.Atoi(s)
 			if err != nil {
 				return fmt.Errorf("please enter a valid number")
 			}
 			return nil
 		})
 	err := runField(input)
 	handleAbort(err)
 	if value == "" {
 		// Print the answer so it remains visible in terminal history
 		if !isAccessibleMode() {
 			fmt.Printf("%s: %d\n", prompt, defaultValue)
 		}
 		return defaultValue
 	}
 	result, err := strconv.Atoi(value)
 	if err != nil {
 		if !isAccessibleMode() {
 			fmt.Printf("%s: %d\n", prompt, defaultValue)
 		}
 		return defaultValue
 	}
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		fmt.Printf("%s: %d\n", prompt, result)
 	}
 	return result
 }
--- a/install/main.go
+++ b/install/main.go
@@ -1,29 +1,35 @@
 package main
 import (
-	"bufio"
+	"crypto/rand"
 	"embed"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"io/fs"
 	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
 	"text/template"
 	"time"
 )
-// DO NOT EDIT THIS FUNCTION; IT MATCHED BY REGEX IN CICD
+// Version variables injected at build time via -ldflags
 var (
 	pangolinVersion string
 	gerbilVersion   string
 	badgerVersion   string
 )
 func loadVersions(config *Config) {
-	config.PangolinVersion = "replaceme"
+	config.PangolinVersion = pangolinVersion
-	config.GerbilVersion = "replaceme"
+	config.GerbilVersion = gerbilVersion
-	config.BadgerVersion = "replaceme"
+	config.BadgerVersion = badgerVersion
 }
 //go:embed config/*
@@ -49,6 +55,7 @@ type Config struct {
 	DoCrowdsecInstall         bool
 	EnableGeoblocking         bool
 	Secret                    string
 	IsEnterprise              bool
 }
 type SupportedContainer string
@@ -80,14 +87,19 @@ func main() {
 		}
 	}
 	reader := bufio.NewReader(os.Stdin)
 	var config Config
 	var alreadyInstalled = false
 	// Determine installation directory
 	installDir := findOrSelectInstallDirectory()
 	if err := os.Chdir(installDir); err != nil {
 		fmt.Printf("Error changing to installation directory: %v\n", err)
 		os.Exit(1)
 	}
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
-		config = collectUserInput(reader)
+		config = collectUserInput()
 		loadVersions(&config)
 		config.DoCrowdsecInstall = false
@@ -100,7 +112,10 @@ func main() {
 			os.Exit(1)
 		}
-		moveFile("config/docker-compose.yml", "docker-compose.yml")
+		if err := moveFile("config/docker-compose.yml", "docker-compose.yml"); err != nil {
 			fmt.Printf("Error moving docker-compose.yml: %v\n", err)
 			os.Exit(1)
 		}
 		fmt.Println("\nConfiguration files created successfully!")
@@ -115,13 +130,17 @@ func main() {
 		fmt.Println("\n=== Starting installation ===")
-		if readBool(reader, "Would you like to install and start the containers?", true) {
+		if readBool("Would you like to install and start the containers?", true) {
-			config.InstallationContainerType = podmanOrDocker(reader)
+			config.InstallationContainerType = podmanOrDocker()
 			if !isDockerInstalled() && runtime.GOOS == "linux" && config.InstallationContainerType == Docker {
-				if readBool(reader, "Docker is not installed. Would you like to install it?", true) {
+				if readBool("Docker is not installed. Would you like to install it?", true) {
-					installDocker()
+					if err := installDocker(); err != nil {
 						fmt.Printf("Error installing Docker: %v\n", err)
 						return
 					}
 					// try to start docker service but ignore errors
 					if err := startDockerService(); err != nil {
 						fmt.Println("Error starting Docker service:", err)
@@ -130,7 +149,7 @@ func main() {
 					}
 					// wait 10 seconds for docker to start checking if docker is running every 2 seconds
 					fmt.Println("Waiting for Docker to start...")
-					for i := 0; i < 5; i++ {
+					for range 5 {
 						if isDockerRunning() {
 							fmt.Println("Docker is running!")
 							break
@@ -165,7 +184,7 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool(reader, "Would you like to update the MaxMind database to the latest version?", false) {
+			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
@@ -173,13 +192,13 @@ func main() {
 			}
 		} else {
 			fmt.Println("MaxMind GeoLite2 Country database not found.")
-			if readBool(reader, "Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
 				}
 				// Now you need to update your config file accordingly to enable geoblocking
-				fmt.Println("Please remember to update your config/config.yml file to enable geoblocking! \n")
+				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
 				fmt.Println("Add the following line under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
@@ -190,11 +209,11 @@ func main() {
 	if !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
-		if readBool(reader, "Would you like to install CrowdSec?", false) {
+		if readBool("Would you like to install CrowdSec?", false) {
 			fmt.Println("This installer constitutes a minimal viable CrowdSec deployment. CrowdSec will add extra complexity to your Pangolin installation and may not work to the best of its abilities out of the box. Users are expected to implement configuration adjustments on their own to achieve the best security posture. Consult the CrowdSec documentation for detailed configuration instructions.")
 			// BUG: crowdsec installation will be skipped if the user chooses to install on the first installation.
-			if readBool(reader, "Are you willing to manage CrowdSec?", false) {
+			if readBool("Are you willing to manage CrowdSec?", false) {
 				if config.DashboardDomain == "" {
 					traefikConfig, err := ReadTraefikConfig("config/traefik/traefik_config.yml")
 					if err != nil {
@@ -223,12 +242,21 @@ func main() {
 					fmt.Printf("Let's Encrypt Email: %s\n", config.LetsEncryptEmail)
 					fmt.Printf("Badger Version: %s\n", config.BadgerVersion)
-					if !readBool(reader, "Are these values correct?", true) {
+					if !readBool("Are these values correct?", true) {
-						config = collectUserInput(reader)
+						config = collectUserInput()
 					}
 				}
-				config.InstallationContainerType = podmanOrDocker(reader)
+				// Try to detect container type from existing installation
 				detectedType := detectContainerType()
 				if detectedType == Undefined {
 					// If detection fails, prompt the user
 					fmt.Println("Unable to detect container type from existing installation.")
 					config.InstallationContainerType = podmanOrDocker()
 				} else {
 					config.InstallationContainerType = detectedType
 					fmt.Printf("Detected container type: %s\n", config.InstallationContainerType)
 				}
 				config.DoCrowdsecInstall = true
 				err := installCrowdsec(config)
@@ -266,8 +294,119 @@ func main() {
 	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
-func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
+func hasExistingInstall(dir string) bool {
-	inputContainer := readString(reader, "Would you like to run Pangolin as Docker or Podman containers?", "docker")
+	configPath := filepath.Join(dir, "config", "config.yml")
 	_, err := os.Stat(configPath)
 	return err == nil
 }
 func findOrSelectInstallDirectory() string {
 	const defaultInstallDir = "/opt/pangolin"
 	// Get current working directory
 	cwd, err := os.Getwd()
 	if err != nil {
 		fmt.Printf("Error getting current directory: %v\n", err)
 		os.Exit(1)
 	}
 	// 1. Check current directory for existing install
 	if hasExistingInstall(cwd) {
 		fmt.Printf("Found existing Pangolin installation in current directory: %s\n", cwd)
 		return cwd
 	}
 	// 2. Check default location (/opt/pangolin) for existing install
 	if cwd != defaultInstallDir && hasExistingInstall(defaultInstallDir) {
 		fmt.Printf("\nFound existing Pangolin installation at: %s\n", defaultInstallDir)
 		if readBool(fmt.Sprintf("Would you like to use the existing installation at %s?", defaultInstallDir), true) {
 			return defaultInstallDir
 		}
 	}
 	// 3. No existing install found, prompt for installation directory
 	fmt.Println("\n=== Installation Directory ===")
 	fmt.Println("No existing Pangolin installation detected.")
 	installDir := readString("Enter the installation directory", defaultInstallDir)
 	// Expand ~ to home directory if present
 	if strings.HasPrefix(installDir, "~") {
 		home, err := os.UserHomeDir()
 		if err != nil {
 			fmt.Printf("Error getting home directory: %v\n", err)
 			os.Exit(1)
 		}
 		installDir = filepath.Join(home, installDir[1:])
 	}
 	// Convert to absolute path
 	absPath, err := filepath.Abs(installDir)
 	if err != nil {
 		fmt.Printf("Error resolving path: %v\n", err)
 		os.Exit(1)
 	}
 	installDir = absPath
 	// Check if directory exists
 	if _, err := os.Stat(installDir); os.IsNotExist(err) {
 		// Directory doesn't exist, create it
 		if readBool(fmt.Sprintf("Directory %s does not exist. Create it?", installDir), true) {
 			if err := os.MkdirAll(installDir, 0755); err != nil {
 				fmt.Printf("Error creating directory: %v\n", err)
 				os.Exit(1)
 			}
 			fmt.Printf("Created directory: %s\n", installDir)
 			// Offer to change ownership if running via sudo
 			changeDirectoryOwnership(installDir)
 		} else {
 			fmt.Println("Installation cancelled.")
 			os.Exit(0)
 		}
 	}
 	fmt.Printf("Installation directory: %s\n", installDir)
 	return installDir
 }
 func changeDirectoryOwnership(dir string) {
 	// Check if we're running via sudo by looking for SUDO_USER
 	sudoUser := os.Getenv("SUDO_USER")
 	if sudoUser == "" || os.Geteuid() != 0 {
 		return
 	}
 	sudoUID := os.Getenv("SUDO_UID")
 	sudoGID := os.Getenv("SUDO_GID")
 	if sudoUID == "" || sudoGID == "" {
 		return
 	}
 	fmt.Printf("\nRunning as root via sudo (original user: %s)\n", sudoUser)
 	if readBool(fmt.Sprintf("Would you like to change ownership of %s to user '%s'? This makes it easier to manage config files without sudo.", dir, sudoUser), true) {
 		uid, err := strconv.Atoi(sudoUID)
 		if err != nil {
 			fmt.Printf("Warning: Could not parse SUDO_UID: %v\n", err)
 			return
 		}
 		gid, err := strconv.Atoi(sudoGID)
 		if err != nil {
 			fmt.Printf("Warning: Could not parse SUDO_GID: %v\n", err)
 			return
 		}
 		if err := os.Chown(dir, uid, gid); err != nil {
 			fmt.Printf("Warning: Could not change ownership: %v\n", err)
 		} else {
 			fmt.Printf("Changed ownership of %s to %s\n", dir, sudoUser)
 		}
 	}
 }
 func podmanOrDocker() SupportedContainer {
 	inputContainer := readString("Would you like to run Pangolin as Docker or Podman containers?", "docker")
 	chosenContainer := Docker
 	if strings.EqualFold(inputContainer, "docker") {
@@ -279,16 +418,17 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 		os.Exit(1)
 	}
-	if chosenContainer == Podman {
+	switch chosenContainer {
 	case Podman:
 		if !isPodmanInstalled() {
 			fmt.Println("Podman or podman-compose is not installed. Please install both manually. Automated installation will be available in a later release.")
 			os.Exit(1)
 		}
-		if err := exec.Command("bash", "-c", "cat /etc/sysctl.conf | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
+		if err := exec.Command("bash", "-c", "cat /etc/sysctl.d/99-podman.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start=' || cat /etc/sysctl.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
 			fmt.Println("Would you like to configure ports >= 80 as unprivileged ports? This enables podman containers to listen on low-range ports.")
 			fmt.Println("Pangolin will experience startup issues if this is not configured, because it needs to listen on port 80/443 by default.")
-			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p\". Approve?", true)
+			approved := readBool("The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system\". Approve?", true)
 			if approved {
 				if os.Geteuid() != 0 {
 					fmt.Println("You need to run the installer as root for such a configuration.")
@@ -299,8 +439,8 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 				// container low-range ports as unprivileged ports.
 				// Linux only.
-				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p"); err != nil {
+				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system"); err != nil {
-					fmt.Sprintf("failed to configure unprivileged ports: %v.\n", err)
+					fmt.Printf("Error configuring unprivileged ports: %v\n", err)
 					os.Exit(1)
 				}
 			} else {
@@ -310,7 +450,7 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 			fmt.Println("Unprivileged ports have been configured.")
 		}
-	} else if chosenContainer == Docker {
+	case Docker:
 		// check if docker is not installed and the user is root
 		if !isDockerInstalled() {
 			if os.Geteuid() != 0 {
@@ -325,7 +465,7 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 			fmt.Println("The installer will not be able to run docker commands without running it as root.")
 			os.Exit(1)
 		}
-	} else {
+	default:
 		// This shouldn't happen unless there's a third container runtime.
 		os.Exit(1)
 	}
@@ -333,33 +473,35 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 	return chosenContainer
 }
-func collectUserInput(reader *bufio.Reader) Config {
+func collectUserInput() Config {
 	config := Config{}
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
-	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
+	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
 	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")
 	// Set default dashboard domain after base domain is collected
 	defaultDashboardDomain := ""
 	if config.BaseDomain != "" {
 		defaultDashboardDomain = "pangolin." + config.BaseDomain
 	}
-	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
+	config.DashboardDomain = readString("Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
-	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
+	config.LetsEncryptEmail = readString("Enter email for Let's Encrypt certificates", "")
-	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
+	config.InstallGerbil = readBool("Do you want to use Gerbil to allow tunneled connections", true)
 	// Email configuration
 	fmt.Println("\n=== Email Configuration ===")
-	config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
+	config.EnableEmail = readBool("Enable email functionality (SMTP)", false)
 	if config.EnableEmail {
-		config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
+		config.EmailSMTPHost = readString("Enter SMTP host", "")
-		config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
+		config.EmailSMTPPort = readInt("Enter SMTP port (default 587)", 587)
-		config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
+		config.EmailSMTPUser = readString("Enter SMTP username", "")
-		config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
+		config.EmailSMTPPass = readPassword("Enter SMTP password")
-		config.EmailNoReply = readString(reader, "Enter no-reply email address (often the same as SMTP username)", "")
+		config.EmailNoReply = readString("Enter no-reply email address (often the same as SMTP username)", "")
 	}
 	// Validate required fields
@@ -380,8 +522,8 @@ func collectUserInput(reader *bufio.Reader) Config {
 	fmt.Println("\n=== Advanced Configuration ===")
-	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
+	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool(reader, "Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
+	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -392,15 +534,23 @@ func collectUserInput(reader *bufio.Reader) Config {
 }
 func createConfigFiles(config Config) error {
-	os.MkdirAll("config", 0755)
+	if err := os.MkdirAll("config", 0755); err != nil {
-	os.MkdirAll("config/letsencrypt", 0755)
+		return fmt.Errorf("failed to create config directory: %v", err)
-	os.MkdirAll("config/db", 0755)
+	}
-	os.MkdirAll("config/logs", 0755)
+	if err := os.MkdirAll("config/letsencrypt", 0755); err != nil {
 		return fmt.Errorf("failed to create letsencrypt directory: %v", err)
 	}
 	if err := os.MkdirAll("config/db", 0755); err != nil {
 		return fmt.Errorf("failed to create db directory: %v", err)
 	}
 	if err := os.MkdirAll("config/logs", 0755); err != nil {
 		return fmt.Errorf("failed to create logs directory: %v", err)
 	}
 	// Walk through all embedded files
-	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, err error) error {
+	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, walkErr error) (err error) {
-		if err != nil {
+		if walkErr != nil {
-			return err
+			return walkErr
 		}
 		// Skip the root fs directory itself
@@ -451,7 +601,11 @@ func createConfigFiles(config Config) error {
 		if err != nil {
 			return fmt.Errorf("failed to create %s: %v", path, err)
 		}
-		defer outFile.Close()
+		defer func() {
 			if cerr := outFile.Close(); cerr != nil && err == nil {
 				err = cerr
 			}
 		}()
 		// Execute template
 		if err := tmpl.Execute(outFile, config); err != nil {
@@ -467,18 +621,26 @@ func createConfigFiles(config Config) error {
 	return nil
 }
-func copyFile(src, dst string) error {
+func copyFile(src, dst string) (err error) {
 	source, err := os.Open(src)
 	if err != nil {
 		return err
 	}
-	defer source.Close()
+	defer func() {
 		if cerr := source.Close(); cerr != nil && err == nil {
 			err = cerr
 		}
 	}()
 	destination, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
-	defer destination.Close()
+	defer func() {
 		if cerr := destination.Close(); cerr != nil && err == nil {
 			err = cerr
 		}
 	}()
 	_, err = io.Copy(destination, source)
 	return err
@@ -549,22 +711,24 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 	fmt.Println("To get your setup token, you need to:")
 	fmt.Println("")
 	fmt.Println("1. Start the containers")
-	if containerType == Docker {
+	switch containerType {
 	case Docker:
 		fmt.Println("   docker compose up -d")
-	} else if containerType == Podman {
+	case Podman:
 		fmt.Println("   podman-compose up -d")
 	} else {
 	}
 	fmt.Println("")
 	fmt.Println("2. Wait for the Pangolin container to start and generate the token")
 	fmt.Println("")
 	fmt.Println("3. Check the container logs for the setup token")
-	if containerType == Docker {
+	switch containerType {
 	case Docker:
 		fmt.Println("   docker logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
-	} else if containerType == Podman {
+	case Podman:
 		fmt.Println("   podman logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
 	} else {
 	}
 	fmt.Println("")
 	fmt.Println("4. Look for output like")
 	fmt.Println("   === SETUP TOKEN GENERATED ===")
@@ -580,43 +744,12 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 }
 func generateRandomSecretKey() string {
-	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	secret := make([]byte, 32)
-	const length = 32
+	_, err := rand.Read(secret)
 	var seededRand *rand.Rand = rand.New(
 		rand.NewSource(time.Now().UnixNano()))
 	b := make([]byte, length)
 	for i := range b {
 		b[i] = charset[seededRand.Intn(len(charset))]
 	}
 	return string(b)
 }
 func getPublicIP() string {
 	client := &http.Client{
 		Timeout: 10 * time.Second,
 	}
 	resp, err := client.Get("https://ifconfig.io/ip")
 	if err != nil {
-		return ""
+		panic(fmt.Sprintf("Failed to generate random secret key: %v", err))
 	}
-	defer resp.Body.Close()
+	return base64.StdEncoding.EncodeToString(secret)
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return ""
 	}
 	ip := strings.TrimSpace(string(body))
 	// Validate that it's a valid IP address
 	if net.ParseIP(ip) != nil {
 		return ip
 	}
 	return ""
 }
 // Run external commands with stdio/stderr attached.
@@ -631,10 +764,7 @@ func checkPortsAvailable(port int) error {
 	addr := fmt.Sprintf(":%d", port)
 	ln, err := net.Listen("tcp", addr)
 	if err != nil {
-		return fmt.Errorf(
+		return fmt.Errorf("ERROR: port %d is occupied or cannot be bound: %w", port, err)
 			"ERROR: port %d is occupied or cannot be bound: %w\n\n",
 			port, err,
 		)
 	}
 	if closeErr := ln.Close(); closeErr != nil {
 		fmt.Fprintf(os.Stderr,
--- a/install/theme.go
+++ b/install/theme.go
@@ -0,0 +1,51 @@
 package main
 import (
 	"github.com/charmbracelet/huh"
 	"github.com/charmbracelet/lipgloss"
 )
 // Pangolin brand colors (converted from oklch to hex)
 var (
 	// Primary orange/amber - oklch(0.6717 0.1946 41.93)
 	primaryColor = lipgloss.AdaptiveColor{Light: "#D97706", Dark: "#F59E0B"}
 	// Muted foreground
 	mutedColor = lipgloss.AdaptiveColor{Light: "#737373", Dark: "#A3A3A3"}
 	// Success green
 	successColor = lipgloss.AdaptiveColor{Light: "#16A34A", Dark: "#22C55E"}
 	// Error red - oklch(0.577 0.245 27.325)
 	errorColor = lipgloss.AdaptiveColor{Light: "#DC2626", Dark: "#EF4444"}
 	// Normal text
 	normalFg = lipgloss.AdaptiveColor{Light: "#171717", Dark: "#FAFAFA"}
 )
 // ThemePangolin returns a huh theme using Pangolin brand colors
 func ThemePangolin() *huh.Theme {
 	t := huh.ThemeBase()
 	// Focused state styles
 	t.Focused.Base = t.Focused.Base.BorderForeground(primaryColor)
 	t.Focused.Title = t.Focused.Title.Foreground(primaryColor).Bold(true)
 	t.Focused.Description = t.Focused.Description.Foreground(mutedColor)
 	t.Focused.ErrorIndicator = t.Focused.ErrorIndicator.Foreground(errorColor)
 	t.Focused.ErrorMessage = t.Focused.ErrorMessage.Foreground(errorColor)
 	t.Focused.SelectSelector = t.Focused.SelectSelector.Foreground(primaryColor)
 	t.Focused.NextIndicator = t.Focused.NextIndicator.Foreground(primaryColor)
 	t.Focused.PrevIndicator = t.Focused.PrevIndicator.Foreground(primaryColor)
 	t.Focused.Option = t.Focused.Option.Foreground(normalFg)
 	t.Focused.SelectedOption = t.Focused.SelectedOption.Foreground(primaryColor)
 	t.Focused.SelectedPrefix = lipgloss.NewStyle().Foreground(successColor).SetString("✓ ")
 	t.Focused.UnselectedPrefix = lipgloss.NewStyle().Foreground(mutedColor).SetString("  ")
 	t.Focused.FocusedButton = t.Focused.FocusedButton.Foreground(lipgloss.Color("#FFFFFF")).Background(primaryColor)
 	t.Focused.BlurredButton = t.Focused.BlurredButton.Foreground(normalFg).Background(lipgloss.AdaptiveColor{Light: "#E5E5E5", Dark: "#404040"})
 	t.Focused.TextInput.Cursor = t.Focused.TextInput.Cursor.Foreground(primaryColor)
 	t.Focused.TextInput.Prompt = t.Focused.TextInput.Prompt.Foreground(primaryColor)
 	// Blurred state inherits from focused but with hidden border
 	t.Blurred = t.Focused
 	t.Blurred.Base = t.Focused.Base.BorderStyle(lipgloss.HiddenBorder())
 	t.Blurred.Title = t.Blurred.Title.Foreground(mutedColor).Bold(false)
 	t.Blurred.TextInput.Prompt = t.Blurred.TextInput.Prompt.Foreground(mutedColor)
 	return t
 }
--- a/license.py
+++ b/license.py
@@ -0,0 +1,115 @@
 import os
 import sys
 # --- Configuration ---
 # The header text to be added to the files.
 HEADER_TEXT = """/*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 """
 def should_add_header(file_path):
    """
    Checks if a file should receive the commercial license header.
    Returns True if 'private' is in the path or file content.
    """
    # Check if 'private' is in the file path (case-insensitive)
    if 'server/private' in file_path.lower():
        return True
    # Check if 'private' is in the file content (case-insensitive)
    # try:
    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
    #         content = f.read()
    #         if 'private' in content.lower():
    #             return True
    # except Exception as e:
    #     print(f"Could not read file {file_path}: {e}")
    return False
 def process_directory(root_dir):
    """
    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
    skipping any 'node_modules' directories.
    """
    print(f"Scanning directory: {root_dir}")
    files_processed = 0
    headers_added = 0
    for root, dirs, files in os.walk(root_dir):
        # --- MODIFICATION ---
        # Exclude 'node_modules' directories from the scan to improve performance.
        if 'node_modules' in dirs:
            dirs.remove('node_modules')
        for file in files:
            if file.endswith('.ts') or file.endswith('.tsx'):
                file_path = os.path.join(root, file)
                files_processed += 1
                try:
                    with open(file_path, 'r+', encoding='utf-8') as f:
                        original_content = f.read()
                        has_header = original_content.startswith(HEADER_TEXT.strip())
                        if should_add_header(file_path):
                            # Add header only if it's not already there
                            if not has_header:
                                f.seek(0, 0) # Go to the beginning of the file
                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
                                print(f"Added header to: {file_path}")
                                headers_added += 1
                            else:
                                print(f"Header already exists in: {file_path}")
                        else:
                            # Remove header if it exists but shouldn't be there
                            if has_header:
                                # Find the end of the header and remove it (including following newlines)
                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
                                if original_content.startswith(header_with_newlines):
                                    content_without_header = original_content[len(header_with_newlines):]
                                else:
                                    # Handle case where there might be different newline patterns
                                    header_end = len(HEADER_TEXT.strip())
                                    # Skip any newlines after the header
                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
                                        header_end += 1
                                    content_without_header = original_content[header_end:]
                                f.seek(0)
                                f.write(content_without_header)
                                f.truncate()
                                print(f"Removed header from: {file_path}")
                                headers_added += 1  # Reusing counter for modifications
                except Exception as e:
                    print(f"Error processing file {file_path}: {e}")
    print("\n--- Scan Complete ---")
    print(f"Total .ts or .tsx files found: {files_processed}")
    print(f"Files modified (headers added/removed): {headers_added}")
 if __name__ == "__main__":
    # Get the target directory from the command line arguments.
    # If no directory is provided, it uses the current directory ('.').
    if len(sys.argv) > 1:
        target_directory = sys.argv[1]
    else:
        target_directory = '.' # Default to current directory
    if not os.path.isdir(target_directory):
        print(f"Error: Directory '{target_directory}' not found.")
        sys.exit(1)
    process_directory(os.path.abspath(target_directory))
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Create the organization, site, and resources",
    "headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
    "headerAuthCompatibility": "Extended compatibility",
    "setupNewOrg": "New Organization",
    "setupCreateOrg": "Create Organization",
    "setupCreateResources": "Create Resources",
@@ -16,6 +18,8 @@
    "componentsMember": "You're a member of {count, plural, =0 {no organization} one {one organization} other {# organizations}}.",
    "componentsInvalidKey": "Invalid or expired license keys detected. Follow license terms to continue using all features.",
    "dismiss": "Dismiss",
    "subscriptionViolationMessage": "You're beyond your limits for your current plan. Correct the problem by removing sites, users, or other resources to stay within your plan.",
    "subscriptionViolationViewBilling": "View billing",
    "componentsLicenseViolation": "License Violation: This server is using {usedSites} sites which exceeds its licensed limit of {maxSites} sites. Follow license terms to continue using all features.",
    "componentsSupporterMessage": "Thank you for supporting Pangolin as a {tier}!",
    "inviteErrorNotValid": "We're sorry, but it looks like the invite you're trying to access has not been accepted or is no longer valid.",
@@ -53,7 +57,10 @@
    "siteDescription": "Create and manage sites to enable connectivity to private networks",
    "sitesBannerTitle": "Connect Any Network",
    "sitesBannerDescription": "A site is a connection to a remote network that allows Pangolin to provide access to resources, whether public or private, to users anywhere. Install the site network connector (Newt) anywhere you can run a binary or container to establish the connection.",
-    "sitesBannerButtonText": "Install Site",
+    "sitesBannerButtonText": "Install Site Connector",
    "approvalsBannerTitle": "Approve or Deny Device Access",
    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
    "approvalsBannerButtonText": "Learn More",
    "siteCreate": "Create Site",
    "siteCreateDescription2": "Follow the steps below to create and connect a new site",
    "siteCreateDescription": "Create a new site to start connecting resources",
@@ -74,8 +81,8 @@
    "siteConfirmCopy": "I have copied the config",
    "searchSitesProgress": "Search sites...",
    "siteAdd": "Add Site",
-    "siteInstallNewt": "Install Newt",
+    "siteInstallNewt": "Install Site",
-    "siteInstallNewtDescription": "Get Newt running on your system",
+    "siteInstallNewtDescription": "Install the site connector for your system",
    "WgConfiguration": "WireGuard Configuration",
    "WgConfigurationDescription": "Use the following configuration to connect to the network",
    "operatingSystem": "Operating System",
@@ -141,6 +148,11 @@
    "createLink": "Create Link",
    "resourcesNotFound": "No resources found",
    "resourceSearch": "Search resources",
    "machineSearch": "Search machines",
    "machinesSearch": "Search machine clients...",
    "machineNotFound": "No machines found",
    "userDeviceSearch": "Search user devices",
    "userDevicesSearch": "Search user devices...",
    "openMenu": "Open menu",
    "resource": "Resource",
    "title": "Title",
@@ -168,6 +180,7 @@
    "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
    "resourceRaw": "Raw TCP/UDP Resource",
    "resourceRawDescription": "Proxy requests over raw TCP/UDP using a port number.",
    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Create Resource",
    "resourceCreateDescription": "Follow the steps below to create a new resource",
    "resourceSeeAll": "See All Resources",
@@ -194,6 +207,7 @@
    "protocolSelect": "Select a protocol",
    "resourcePortNumber": "Port Number",
    "resourcePortNumberDescription": "The external port number to proxy requests.",
    "back": "Back",
    "cancel": "Cancel",
    "resourceConfig": "Configuration Snippets",
    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource",
@@ -239,6 +253,17 @@
    "orgErrorDeleteMessage": "An error occurred while deleting the organization.",
    "orgDeleted": "Organization deleted",
    "orgDeletedMessage": "The organization and its data has been deleted.",
    "deleteAccount": "Delete Account",
    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
    "deleteAccountButton": "Delete Account",
    "deleteAccountConfirmTitle": "Delete Account",
    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
    "deleteAccountConfirmString": "delete account",
    "deleteAccountSuccess": "Account Deleted",
    "deleteAccountSuccessMessage": "Your account has been deleted.",
    "deleteAccountError": "Failed to delete account",
    "deleteAccountPreviewAccount": "Your Account",
    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Organization ID Missing",
    "orgMissingMessage": "Unable to regenerate invitation without an organization ID.",
    "accessUsersManage": "Manage Users",
@@ -255,6 +280,8 @@
    "accessRolesSearch": "Search roles...",
    "accessRolesAdd": "Add Role",
    "accessRoleDelete": "Delete Role",
    "accessApprovalsManage": "Manage Approvals",
    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
    "description": "Description",
    "inviteTitle": "Open Invitations",
    "inviteDescription": "Manage invitations for other users to join the organization",
@@ -301,6 +328,54 @@
    "apiKeysDelete": "Delete API Key",
    "apiKeysManage": "Manage API Keys",
    "apiKeysDescription": "API keys are used to authenticate with the integration API",
    "provisioningKeysTitle": "Provisioning Key",
    "provisioningKeysManage": "Manage Provisioning Keys",
    "provisioningKeysDescription": "Provisioning keys are used to authenticate automated site provisioning for your organization.",
    "provisioningManage": "Provisioning",
    "provisioningDescription": "Manage provisioning keys and review pending sites awaiting approval.",
    "pendingSites": "Pending Sites",
    "siteApproveSuccess": "Site approved successfully",
    "siteApproveError": "Error approving site",
    "provisioningKeys": "Provisioning Keys",
    "searchProvisioningKeys": "Search provisioning keys...",
    "provisioningKeysAdd": "Generate Provisioning Key",
    "provisioningKeysErrorDelete": "Error deleting provisioning key",
    "provisioningKeysErrorDeleteMessage": "Error deleting provisioning key",
    "provisioningKeysQuestionRemove": "Are you sure you want to remove this provisioning key from the organization?",
    "provisioningKeysMessageRemove": "Once removed, the key can no longer be used for site provisioning.",
    "provisioningKeysDeleteConfirm": "Confirm Delete Provisioning Key",
    "provisioningKeysDelete": "Delete Provisioning key",
    "provisioningKeysCreate": "Generate Provisioning Key",
    "provisioningKeysCreateDescription": "Generate a new provisioning key for the organization",
    "provisioningKeysSeeAll": "See all provisioning keys",
    "provisioningKeysSave": "Save the provisioning key",
    "provisioningKeysSaveDescription": "You will only be able to see this once. Copy it to a secure place.",
    "provisioningKeysErrorCreate": "Error creating provisioning key",
    "provisioningKeysList": "New provisioning key",
    "provisioningKeysMaxBatchSize": "Max batch size",
    "provisioningKeysUnlimitedBatchSize": "Unlimited batch size (no limit)",
    "provisioningKeysMaxBatchUnlimited": "Unlimited",
    "provisioningKeysMaxBatchSizeInvalid": "Enter a valid max batch size (1–1,000,000).",
    "provisioningKeysValidUntil": "Valid until",
    "provisioningKeysValidUntilHint": "Leave empty for no expiration.",
    "provisioningKeysValidUntilInvalid": "Enter a valid date and time.",
    "provisioningKeysNumUsed": "Times used",
    "provisioningKeysLastUsed": "Last used",
    "provisioningKeysNoExpiry": "No expiration",
    "provisioningKeysNeverUsed": "Never",
    "provisioningKeysEdit": "Edit Provisioning Key",
    "provisioningKeysEditDescription": "Update the max batch size and expiration time for this key.",
    "provisioningKeysApproveNewSites": "Approve new sites",
    "provisioningKeysApproveNewSitesDescription": "Automatically approve sites that register with this key.",
    "provisioningKeysUpdateError": "Error updating provisioning key",
    "provisioningKeysUpdated": "Provisioning key updated",
    "provisioningKeysUpdatedDescription": "Your changes have been saved.",
    "provisioningKeysBannerTitle": "Site Provisioning Keys",
    "provisioningKeysBannerDescription": "Generate a provisioning key and use it with the Newt connector to automatically create sites on first startup - no need to set up separate credentials for each site.",
    "provisioningKeysBannerButtonText": "Learn More",
    "pendingSitesBannerTitle": "Pending Sites",
    "pendingSitesBannerDescription": "Sites that connect using a provisioning key appear here for review.",
    "pendingSitesBannerButtonText": "Learn More",
    "apiKeysSettings": "{apiKeyName} Settings",
    "userTitle": "Manage All Users",
    "userDescription": "View and manage all users in the system",
@@ -448,6 +523,20 @@
    "selectDuration": "Select duration",
    "selectResource": "Select Resource",
    "filterByResource": "Filter By Resource",
    "selectApprovalState": "Select Approval State",
    "filterByApprovalState": "Filter By Approval State",
    "approvalListEmpty": "No approvals",
    "approvalState": "Approval State",
    "approvalLoadMore": "Load more",
    "loadingApprovals": "Loading Approvals",
    "approve": "Approve",
    "approved": "Approved",
    "denied": "Denied",
    "deniedApproval": "Denied Approval",
    "all": "All",
    "deny": "Deny",
    "viewDetails": "View Details",
    "requestingNewDeviceApproval": "requested a new device",
    "resetFilters": "Reset Filters",
    "totalBlocked": "Requests Blocked By Pangolin",
    "totalRequests": "Total Requests",
@@ -473,9 +562,12 @@
    "userSaved": "User saved",
    "userSavedDescription": "The user has been updated.",
    "autoProvisioned": "Auto Provisioned",
    "autoProvisionSettings": "Auto Provision Settings",
    "autoProvisionedDescription": "Allow this user to be automatically managed by identity provider",
    "accessControlsDescription": "Manage what this user can access and do in the organization",
    "accessControlsSubmit": "Save Access Controls",
    "singleRolePerUserPlanNotice": "Your plan only supports one role per user.",
    "singleRolePerUserEditionNotice": "This edition only supports one role per user.",
    "roles": "Roles",
    "accessUsersRoles": "Manage Users & Roles",
    "accessUsersRolesDescription": "Invite users and add them to roles to manage access to the organization",
@@ -532,6 +624,8 @@
    "targetErrorInvalidPortDescription": "Please enter a valid port number",
    "targetErrorNoSite": "No site selected",
    "targetErrorNoSiteDescription": "Please select a site for the target",
    "targetTargetsCleared": "Targets cleared",
    "targetTargetsClearedDescription": "All targets have been removed from this resource",
    "targetCreated": "Target created",
    "targetCreatedDescription": "Target has been created successfully",
    "targetErrorCreate": "Failed to create target",
@@ -615,6 +709,7 @@
    "resourcesErrorUpdate": "Failed to toggle resource",
    "resourcesErrorUpdateDescription": "An error occurred while updating the resource",
    "access": "Access",
    "accessControl": "Access Control",
    "shareLink": "{resource} Share Link",
    "resourceSelect": "Select resource",
    "shareLinks": "Share Links",
@@ -727,22 +822,35 @@
    "countries": "Countries",
    "accessRoleCreate": "Create Role",
    "accessRoleCreateDescription": "Create a new role to group users and manage their permissions.",
    "accessRoleEdit": "Edit Role",
    "accessRoleEditDescription": "Edit role information.",
    "accessRoleCreateSubmit": "Create Role",
    "accessRoleCreated": "Role created",
    "accessRoleCreatedDescription": "The role has been successfully created.",
    "accessRoleErrorCreate": "Failed to create role",
    "accessRoleErrorCreateDescription": "An error occurred while creating the role.",
    "accessRoleUpdateSubmit": "Update Role",
    "accessRoleUpdated": "Role updated",
    "accessRoleUpdatedDescription": "The role has been successfully updated.",
    "accessApprovalUpdated": "Approval processed",
    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
    "accessRoleErrorUpdate": "Failed to update role",
    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
    "accessApprovalErrorUpdate": "Failed to process approval",
    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
    "accessRoleErrorNewRequired": "New role is required",
    "accessRoleErrorRemove": "Failed to remove role",
    "accessRoleErrorRemoveDescription": "An error occurred while removing the role.",
    "accessRoleName": "Role Name",
-    "accessRoleQuestionRemove": "You're about to delete the {name} role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
    "accessRoleRemove": "Remove Role",
    "accessRoleRemoveDescription": "Remove a role from the organization",
    "accessRoleRemoveSubmit": "Remove Role",
    "accessRoleRemoved": "Role removed",
    "accessRoleRemovedDescription": "The role has been successfully removed.",
    "accessRoleRequiredRemove": "Before deleting this role, please select a new role to transfer existing members to.",
    "network": "Network",
    "manage": "Manage",
    "sitesNotFound": "No sites found.",
    "pangolinServerAdmin": "Server Admin - Pangolin",
@@ -758,6 +866,9 @@
    "sitestCountIncrease": "Increase site count",
    "idpManage": "Manage Identity Providers",
    "idpManageDescription": "View and manage identity providers in the system",
    "idpGlobalModeBanner": "Identity providers (IdPs) per organization are disabled on this server. It is using global IdPs (shared across all organizations). Manage global IdPs in the <adminPanelLink>admin panel</adminPanelLink>. To enable IdPs per organization, edit the server config and set IdP mode to org. <configDocsLink>See the docs</configDocsLink>. If you want to continue using global IdPs and make this disappear from the organization settings, explicitly set the mode to global in the config.",
    "idpGlobalModeBannerUpgradeRequired": "Identity providers (IdPs) per organization are disabled on this server. It is using global IdPs (shared across all organizations). Manage global IdPs in the <adminPanelLink>admin panel</adminPanelLink>. To use identity providers per organization, you must upgrade to the Enterprise edition.",
    "idpGlobalModeBannerLicenseRequired": "Identity providers (IdPs) per organization are disabled on this server. It is using global IdPs (shared across all organizations). Manage global IdPs in the <adminPanelLink>admin panel</adminPanelLink>. To use identity providers per organization, an Enterprise license is required.",
    "idpDeletedDescription": "Identity provider deleted successfully",
    "idpOidc": "OAuth2/OIDC",
    "idpQuestionRemove": "Are you sure you want to permanently delete the identity provider?",
@@ -834,7 +945,7 @@
    "defaultMappingsRole": "Default Role Mapping",
    "defaultMappingsRoleDescription": "The result of this expression must return the role name as defined in the organization as a string.",
    "defaultMappingsOrg": "Default Organization Mapping",
-    "defaultMappingsOrgDescription": "This expression must return the org ID or true for the user to be allowed to access the organization.",
+    "defaultMappingsOrgDescription": "When set, this expression must return the organization ID or true for the user to access that organization. When unset, defining an organization policy for that org is enough: the user is allowed in as long as a valid role mapping can be resolved for them within the organization.",
    "defaultMappingsSubmit": "Save Default Mappings",
    "orgPoliciesEdit": "Edit Organization Policy",
    "org": "Organization",
@@ -848,6 +959,7 @@
    "orgPolicyConfig": "Configure access for an organization",
    "idpUpdatedDescription": "Identity provider updated successfully",
    "redirectUrl": "Redirect URL",
    "orgIdpRedirectUrls": "Redirect URLs",
    "redirectUrlAbout": "About Redirect URL",
    "redirectUrlAboutDescription": "This is the URL to which users will be redirected after authentication. You need to configure this URL in the identity provider's settings.",
    "pangolinAuth": "Auth - Pangolin",
@@ -871,7 +983,7 @@
    "inviteAlready": "Looks like you've been invited!",
    "inviteAlreadyDescription": "To accept the invite, you must log in or create an account.",
    "signupQuestion": "Already have an account?",
-    "login": "Log in",
+    "login": "Log In",
    "resourceNotFound": "Resource Not Found",
    "resourceNotFoundDescription": "The resource you're trying to access does not exist.",
    "pincodeRequirementsLength": "PIN must be exactly 6 digits",
@@ -951,13 +1063,13 @@
    "passwordExpiryDescription": "This organization requires you to change your password every {maxDays} days.",
    "changePasswordNow": "Change Password Now",
    "pincodeAuth": "Authenticator Code",
-    "pincodeSubmit2": "Submit Code",
+    "pincodeSubmit2": "Submit code",
    "passwordResetSubmit": "Request Reset",
    "passwordResetAlreadyHaveCode": "Enter Code",
    "passwordResetSmtpRequired": "Please contact your administrator",
    "passwordResetSmtpRequiredDescription": "A password reset code is required to reset your password. Please contact your administrator for assistance.",
    "passwordBack": "Back to Password",
-    "loginBack": "Go back to log in",
+    "loginBack": "Go back to main login page",
    "signup": "Sign up",
    "loginStart": "Log in to get started",
    "idpOidcTokenValidating": "Validating OIDC token",
@@ -980,12 +1092,12 @@
    "pangolinSetup": "Setup - Pangolin",
    "orgNameRequired": "Organization name is required",
    "orgIdRequired": "Organization ID is required",
    "orgIdMaxLength": "Organization ID must be at most 32 characters",
    "orgErrorCreate": "An error occurred while creating org",
    "pageNotFound": "Page Not Found",
    "pageNotFoundDescription": "Oops! The page you're looking for doesn't exist.",
    "overview": "Overview",
    "home": "Home",
    "accessControl": "Access Control",
    "settings": "Settings",
    "usersAll": "All Users",
    "license": "License",
@@ -1048,6 +1160,12 @@
    "actionGetUser": "Get User",
    "actionGetOrgUser": "Get Organization User",
    "actionListOrgDomains": "List Organization Domains",
    "actionGetDomain": "Get Domain",
    "actionCreateOrgDomain": "Create Domain",
    "actionUpdateOrgDomain": "Update Domain",
    "actionDeleteOrgDomain": "Delete Domain",
    "actionGetDNSRecords": "Get DNS Records",
    "actionRestartOrgDomain": "Restart Domain",
    "actionCreateSite": "Create Site",
    "actionDeleteSite": "Delete Site",
    "actionGetSite": "Get Site",
@@ -1059,6 +1177,7 @@
    "setupTokenDescription": "Enter the setup token from the server console.",
    "setupTokenRequired": "Setup token is required",
    "actionUpdateSite": "Update Site",
    "actionResetSiteBandwidth": "Reset Organization Bandwidth",
    "actionListSiteRoles": "List Allowed Site Roles",
    "actionCreateResource": "Create Resource",
    "actionDeleteResource": "Delete Resource",
@@ -1088,6 +1207,7 @@
    "actionRemoveUser": "Remove User",
    "actionListUsers": "List Users",
    "actionAddUserRole": "Add User Role",
    "actionSetUserOrgRoles": "Set User Roles",
    "actionGenerateAccessToken": "Generate Access Token",
    "actionDeleteAccessToken": "Delete Access Token",
    "actionListAccessTokens": "List Access Tokens",
@@ -1115,6 +1235,10 @@
    "actionUpdateIdpOrg": "Update IDP Org",
    "actionCreateClient": "Create Client",
    "actionDeleteClient": "Delete Client",
    "actionArchiveClient": "Archive Client",
    "actionUnarchiveClient": "Unarchive Client",
    "actionBlockClient": "Block Client",
    "actionUnblockClient": "Unblock Client",
    "actionUpdateClient": "Update Client",
    "actionListClients": "List Clients",
    "actionGetClient": "Get Client",
@@ -1128,17 +1252,18 @@
    "actionViewLogs": "View Logs",
    "noneSelected": "None selected",
    "orgNotFound2": "No organizations found.",
-    "searchProgress": "Search...",
+    "searchPlaceholder": "Search...",
    "emptySearchOptions": "No options found",
    "create": "Create",
    "orgs": "Organizations",
-    "loginError": "An error occurred while logging in",
+    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required to authenticate your device.",
+    "loginRequiredForDevice": "Login is required for your device.",
    "passwordForgot": "Forgot your password?",
    "otpAuth": "Two-Factor Authentication",
    "otpAuthDescription": "Enter the code from your authenticator app or one of your single-use backup codes.",
    "otpAuthSubmit": "Submit Code",
    "idpContinue": "Or continue with",
-    "otpAuthBack": "Back to Log In",
+    "otpAuthBack": "Back to Password",
    "navbar": "Navigation Menu",
    "navbarDescription": "Main navigation menu for the application",
    "navbarDocsLink": "Documentation",
@@ -1186,29 +1311,34 @@
    "sidebarOverview": "Overview",
    "sidebarHome": "Home",
    "sidebarSites": "Sites",
    "sidebarApprovals": "Approval Requests",
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
    "sidebarAccessControl": "Access Control",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
    "sidebarUsers": "Users",
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Invitations",
    "sidebarRoles": "Roles",
    "sidebarShareableLinks": "Links",
    "sidebarApiKeys": "API Keys",
    "sidebarProvisioning": "Provisioning",
    "sidebarSettings": "Settings",
    "sidebarAllUsers": "All Users",
    "sidebarIdentityProviders": "Identity Providers",
    "sidebarLicense": "License",
    "sidebarClients": "Clients",
-    "sidebarUserDevices": "Users",
+    "sidebarUserDevices": "User Devices",
    "sidebarMachineClients": "Machines",
    "sidebarDomains": "Domains",
    "sidebarGeneral": "Manage",
    "sidebarLogAndAnalytics": "Log & Analytics",
    "sidebarBluePrints": "Blueprints",
    "sidebarOrganization": "Organization",
    "sidebarManagement": "Management",
    "sidebarBillingAndLicenses": "Billing & Licenses",
    "sidebarLogsAnalytics": "Analytics",
    "blueprints": "Blueprints",
    "blueprintsDescription": "Apply declarative configurations and view previous runs",
@@ -1229,8 +1359,7 @@
    "contents": "Contents",
    "parsedContents": "Parsed Contents (Read Only)",
    "enableDockerSocket": "Enable Docker Blueprint",
-    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to Newt.",
+    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to Newt. Read about how this works in <docsLink>the documentation</docsLink>.",
    "enableDockerSocketLink": "Learn More",
    "viewDockerContainers": "View Docker Containers",
    "containersIn": "Containers in {siteName}",
    "selectContainerDescription": "Select any container to use as a hostname for this target. Click a port to use a port.",
@@ -1274,6 +1403,7 @@
    "setupErrorCreateAdmin": "An error occurred while creating the server admin account.",
    "certificateStatus": "Certificate Status",
    "loading": "Loading",
    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
    "domains": "Domains",
    "domainsDescription": "Create and manage domains available in the organization",
@@ -1301,6 +1431,7 @@
    "refreshError": "Failed to refresh data",
    "verified": "Verified",
    "pending": "Pending",
    "pendingApproval": "Pending Approval",
    "sidebarBilling": "Billing",
    "billing": "Billing",
    "orgBillingDescription": "Manage billing information and subscriptions",
@@ -1356,6 +1487,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Show More",
    "regionSelectorTitle": "Select Region",
    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Selecting a region helps us provide better performance for your location. You do not have to be in the same region as your server.",
    "regionSelectorPlaceholder": "Choose a region",
    "regionSelectorComingSoon": "Coming Soon",
@@ -1365,10 +1497,11 @@
    "billingUsageLimitsOverview": "Usage Limits Overview",
    "billingMonitorUsage": "Monitor your usage against configured limits. If you need limits increased please contact us support@pangolin.net.",
    "billingDataUsage": "Data Usage",
-    "billingOnlineTime": "Site Online Time",
+    "billingSites": "Sites",
-    "billingUsers": "Active Users",
+    "billingUsers": "Users",
-    "billingDomains": "Active Domains",
+    "billingDomains": "Domains",
-    "billingRemoteExitNodes": "Active Self-hosted Nodes",
+    "billingOrganizations": "Orgs",
    "billingRemoteExitNodes": "Remote Nodes",
    "billingNoLimitConfigured": "No limit configured",
    "billingEstimatedPeriod": "Estimated Billing Period",
    "billingIncludedUsage": "Included Usage",
@@ -1393,15 +1526,24 @@
    "billingFailedToGetPortalUrl": "Failed to get portal URL",
    "billingPortalError": "Portal Error",
    "billingDataUsageInfo": "You're charged for all data transferred through your secure tunnels when connected to the cloud. This includes both incoming and outgoing traffic across all your sites. When you reach your limit, your sites will disconnect until you upgrade your plan or reduce usage. Data is not charged when using nodes.",
-    "billingOnlineTimeInfo": "You're charged based on how long your sites stay connected to the cloud. For example, 44,640 minutes equals one site running 24/7 for a full month. When you reach your limit, your sites will disconnect until you upgrade your plan or reduce usage. Time is not charged when using nodes.",
+    "billingSInfo": "How many sites you can use",
-    "billingUsersInfo": "You're charged for each user in the organization. Billing is calculated daily based on the number of active user accounts in your org.",
+    "billingUsersInfo": "How many users you can use",
-    "billingDomainInfo": "You're charged for each domain in the organization. Billing is calculated daily based on the number of active domain accounts in your org.",
+    "billingDomainInfo": "How many domains you can use",
-    "billingRemoteExitNodesInfo": "You're charged for each managed Node in the organization. Billing is calculated daily based on the number of active managed Nodes in your org.",
+    "billingRemoteExitNodesInfo": "How many remote nodes you can use",
    "billingLicenseKeys": "License Keys",
    "billingLicenseKeysDescription": "Manage your license key subscriptions",
    "billingLicenseSubscription": "License Subscription",
    "billingInactive": "Inactive",
    "billingLicenseItem": "License Item",
    "billingQuantity": "Quantity",
    "billingTotal": "total",
    "billingModifyLicenses": "Modify License Subscription",
    "domainNotFound": "Domain Not Found",
    "domainNotFoundDescription": "This resource is disabled because the domain no longer exists our system. Please set a new domain for this resource.",
    "failed": "Failed",
    "createNewOrgDescription": "Create a new organization",
    "organization": "Organization",
    "primary": "Primary",
    "port": "Port",
    "securityKeyManage": "Manage Security Keys",
    "securityKeyDescription": "Add or remove security keys for passwordless authentication",
@@ -1417,7 +1559,7 @@
    "securityKeyRemoveSuccess": "Security key removed successfully",
    "securityKeyRemoveError": "Failed to remove security key",
    "securityKeyLoadError": "Failed to load security keys",
-    "securityKeyLogin": "Continue with security key",
+    "securityKeyLogin": "Use Security Key",
    "securityKeyAuthError": "Failed to authenticate with security key",
    "securityKeyRecommendation": "Register a backup security key on another device to ensure you always have access to your account.",
    "registering": "Registering...",
@@ -1473,11 +1615,47 @@
    "resourcePortRequired": "Port number is required for non-HTTP resources",
    "resourcePortNotAllowed": "Port number should not be set for HTTP resources",
    "billingPricingCalculatorLink": "Pricing Calculator",
    "billingYourPlan": "Your Plan",
    "billingViewOrModifyPlan": "View or modify your current plan",
    "billingViewPlanDetails": "View Plan Details",
    "billingUsageAndLimits": "Usage and Limits",
    "billingViewUsageAndLimits": "View your plan's limits and current usage",
    "billingCurrentUsage": "Current Usage",
    "billingMaximumLimits": "Maximum Limits",
    "billingRemoteNodes": "Remote Nodes",
    "billingUnlimited": "Unlimited",
    "billingPaidLicenseKeys": "Paid License Keys",
    "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
    "billingCurrentKeys": "Current Keys",
    "billingModifyCurrentPlan": "Modify Current Plan",
    "billingConfirmUpgrade": "Confirm Upgrade",
    "billingConfirmDowngrade": "Confirm Downgrade",
    "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
    "billingConfirmDowngradeDescription": "You are about to downgrade your plan. Review the new limits and pricing below.",
    "billingPlanIncludes": "Plan Includes",
    "billingProcessing": "Processing...",
    "billingConfirmUpgradeButton": "Confirm Upgrade",
    "billingConfirmDowngradeButton": "Confirm Downgrade",
    "billingLimitViolationWarning": "Usage Exceeds New Plan Limits",
    "billingLimitViolationDescription": "Your current usage exceeds the limits of this plan. After downgrading, all actions will be disabled until you reduce usage within the new limits. Please review the features below that are currently over the limits. Limits in violation:",
    "billingFeatureLossWarning": "Feature Availability Notice",
    "billingFeatureLossDescription": "By downgrading, features not available in the new plan will be automatically disabled. Some settings and configurations may be lost. Please review the pricing matrix to understand which features will no longer be available.",
    "billingUsageExceedsLimit": "Current usage ({current}) exceeds limit ({limit})",
    "billingPastDueTitle": "Payment Past Due",
    "billingPastDueDescription": "Your payment is past due. Please update your payment method to continue using your current plan features. If not resolved, your subscription will be canceled and you'll be reverted to the free tier.",
    "billingUnpaidTitle": "Subscription Unpaid",
    "billingUnpaidDescription": "Your subscription is unpaid and you have been reverted to the free tier. Please update your payment method to restore your subscription.",
    "billingIncompleteTitle": "Payment Incomplete",
    "billingIncompleteDescription": "Your payment is incomplete. Please complete the payment process to activate your subscription.",
    "billingIncompleteExpiredTitle": "Payment Expired",
    "billingIncompleteExpiredDescription": "Your payment was never completed and has expired. You have been reverted to the free tier. Please subscribe again to restore access to paid features.",
    "billingManageSubscription": "Manage your subscription",
    "billingResolvePaymentIssue": "Please resolve your payment issue before upgrading or downgrading",
    "signUpTerms": {
        "IAgreeToThe": "I agree to the",
        "termsOfService": "terms of service",
        "and": "and",
-        "privacyPolicy": "privacy policy"
+        "privacyPolicy": "privacy policy."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Keep me in the loop with news, updates, and new features by email."
@@ -1497,8 +1675,8 @@
    "addressDescription": "The internal address of the client. Must fall within the organization's subnet.",
    "selectSites": "Select sites",
    "sitesDescription": "The client will have connectivity to the selected sites",
-    "clientInstallOlm": "Install Olm",
+    "clientInstallOlm": "Install Machine Client",
-    "clientInstallOlmDescription": "Get Olm running on your system",
+    "clientInstallOlmDescription": "Install the machine client for your system",
    "clientOlmCredentials": "Credentials",
    "clientOlmCredentialsDescription": "This is how the client will authenticate with the server",
    "olmEndpoint": "Endpoint",
@@ -1522,6 +1700,7 @@
    "addNewTarget": "Add New Target",
    "targetsList": "Targets List",
    "advancedMode": "Advanced Mode",
    "advancedSettings": "Advanced Settings",
    "targetErrorDuplicateTargetFound": "Duplicate target found",
    "healthCheckHealthy": "Healthy",
    "healthCheckUnhealthy": "Unhealthy",
@@ -1543,6 +1722,26 @@
    "IntervalSeconds": "Healthy Interval",
    "timeoutSeconds": "Timeout (sec)",
    "timeIsInSeconds": "Time is in seconds",
    "requireDeviceApproval": "Require Device Approvals",
    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
    "sshAccess": "SSH Access",
    "roleAllowSsh": "Allow SSH",
    "roleAllowSshAllow": "Allow",
    "roleAllowSshDisallow": "Disallow",
    "roleAllowSshDescription": "Allow users with this role to connect to resources via SSH. When disabled, the role cannot use SSH access.",
    "sshSudoMode": "Sudo Access",
    "sshSudoModeNone": "None",
    "sshSudoModeNoneDescription": "User cannot run commands with sudo.",
    "sshSudoModeFull": "Full Sudo",
    "sshSudoModeFullDescription": "User can run any command with sudo.",
    "sshSudoModeCommands": "Commands",
    "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
    "sshSudo": "Allow sudo",
    "sshSudoCommands": "Sudo Commands",
    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo.",
    "sshCreateHomeDir": "Create Home Directory",
    "sshUnixGroups": "Unix Groups",
    "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
    "retryAttempts": "Retry Attempts",
    "expectedResponseCodes": "Expected Response Codes",
    "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -1583,6 +1782,8 @@
    "resourcesTableNoInternalResourcesFound": "No internal resources found.",
    "resourcesTableDestination": "Destination",
    "resourcesTableAlias": "Alias",
    "resourcesTableAliasAddress": "Alias Address",
    "resourcesTableAliasAddressInfo": "This address is part of the organization's utility subnet. It's used to resolve alias records using internal DNS resolution.",
    "resourcesTableClients": "Clients",
    "resourcesTableAndOnlyAccessibleInternally": "and are only accessible internally when connected with a client.",
    "resourcesTableNoTargets": "No targets",
@@ -1749,6 +1950,40 @@
    "exitNode": "Exit Node",
    "country": "Country",
    "rulesMatchCountry": "Currently based on source IP",
    "region": "Region",
    "selectRegion": "Select region",
    "searchRegions": "Search regions...",
    "noRegionFound": "No region found.",
    "rulesMatchRegion": "Select a regional grouping of countries",
    "rulesErrorInvalidRegion": "Invalid region",
    "rulesErrorInvalidRegionDescription": "Please select a valid region.",
    "regionAfrica": "Africa",
    "regionNorthernAfrica": "Northern Africa",
    "regionEasternAfrica": "Eastern Africa",
    "regionMiddleAfrica": "Middle Africa",
    "regionSouthernAfrica": "Southern Africa",
    "regionWesternAfrica": "Western Africa",
    "regionAmericas": "Americas",
    "regionCaribbean": "Caribbean",
    "regionCentralAmerica": "Central America",
    "regionSouthAmerica": "South America",
    "regionNorthernAmerica": "Northern America",
    "regionAsia": "Asia",
    "regionCentralAsia": "Central Asia",
    "regionEasternAsia": "Eastern Asia",
    "regionSouthEasternAsia": "South-Eastern Asia",
    "regionSouthernAsia": "Southern Asia",
    "regionWesternAsia": "Western Asia",
    "regionEurope": "Europe",
    "regionEasternEurope": "Eastern Europe",
    "regionNorthernEurope": "Northern Europe",
    "regionSouthernEurope": "Southern Europe",
    "regionWesternEurope": "Western Europe",
    "regionOceania": "Oceania",
    "regionAustraliaAndNewZealand": "Australia and New Zealand",
    "regionMelanesia": "Melanesia",
    "regionMicronesia": "Micronesia",
    "regionPolynesia": "Polynesia",
    "managedSelfHosted": {
        "title": "Managed Self-Hosted",
        "description": "More reliable and low-maintenance self-hosted Pangolin server with extra bells and whistles",
@@ -1797,6 +2032,25 @@
    "invalidValue": "Invalid value",
    "idpTypeLabel": "Identity Provider Type",
    "roleMappingExpressionPlaceholder": "e.g., contains(groups, 'admin') && 'Admin' || 'Member'",
    "roleMappingModeFixedRoles": "Fixed Roles",
    "roleMappingModeMappingBuilder": "Mapping Builder",
    "roleMappingModeRawExpression": "Raw Expression",
    "roleMappingFixedRolesPlaceholderSelect": "Select one or more roles",
    "roleMappingFixedRolesPlaceholderFreeform": "Type role names (exact match per organization)",
    "roleMappingFixedRolesDescriptionSameForAll": "Assign the same role set to every auto-provisioned user.",
    "roleMappingFixedRolesDescriptionDefaultPolicy": "For default policies, type role names that exist in each organization where users are provisioned. Names must match exactly.",
    "roleMappingClaimPath": "Claim Path",
    "roleMappingClaimPathPlaceholder": "groups",
    "roleMappingClaimPathDescription": "Path in the token payload that contains source values (for example, groups).",
    "roleMappingMatchValue": "Match Value",
    "roleMappingAssignRoles": "Assign Roles",
    "roleMappingAddMappingRule": "Add Mapping Rule",
    "roleMappingRawExpressionResultDescription": "Expression must evaluate to a string or string array.",
    "roleMappingRawExpressionResultDescriptionSingleRole": "Expression must evaluate to a string (a single role name).",
    "roleMappingMatchValuePlaceholder": "Match value (for example: admin)",
    "roleMappingAssignRolesPlaceholderFreeform": "Type role names (exact per org)",
    "roleMappingBuilderFreeformRowHint": "Role names must match a role in each target organization.",
    "roleMappingRemoveRule": "Remove",
    "idpGoogleConfiguration": "Google Configuration",
    "idpGoogleConfigurationDescription": "Configure the Google OAuth2 credentials",
    "idpGoogleClientIdDescription": "Google OAuth2 Client ID",
@@ -1833,6 +2087,9 @@
    "authPageBrandingQuestionRemove": "Are you sure you want to remove the branding for Auth Pages ?",
    "authPageBrandingDeleteConfirm": "Confirm Delete Branding",
    "brandingLogoURL": "Logo URL",
    "brandingLogoURLOrPath": "Logo URL or Path",
    "brandingLogoPathDescription": "Enter a URL or a local path.",
    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Primary Color",
    "brandingLogoWidth": "Width (px)",
    "brandingLogoHeight": "Height (px)",
@@ -1882,6 +2139,13 @@
    "orgAuthBackToSignIn": "Back to standard sign in",
    "orgAuthNoAccount": "Don't have an account?",
    "subscriptionRequiredToUse": "A subscription is required to use this feature.",
    "mustUpgradeToUse": "You must upgrade your subscription to use this feature.",
    "subscriptionRequiredTierToUse": "This feature requires <tierLink>{tier}</tierLink>.",
    "upgradeToTierToUse": "Upgrade to <tierLink>{tier}</tierLink> to use this feature.",
    "subscriptionTierTier1": "Home",
    "subscriptionTierTier2": "Team",
    "subscriptionTierTier3": "Business",
    "subscriptionTierEnterprise": "Enterprise",
    "idpDisabled": "Identity providers are disabled.",
    "orgAuthPageDisabled": "Organization auth page is disabled.",
    "domainRestartedDescription": "Domain verification restarted successfully",
@@ -1967,10 +2231,10 @@
    "manageMachineClients": "Manage Machine Clients",
    "manageMachineClientsDescription": "Create and manage clients that servers and systems use to privately connect to resources",
    "machineClientsBannerTitle": "Servers & Automated Systems",
-    "machineClientsBannerDescription": "Machine clients are for servers and automated systems that are not associated with a specific user. They authenticate with an ID and secret, and can run with Pangolin CLI, Olm CLI, or Olm as a container.",
+    "machineClientsBannerDescription": "Machine clients are for servers and automated systems that are not associated with a specific user. They authenticate with an ID and secret, and can be deployed as a CLI or a container.",
    "machineClientsBannerPangolinCLI": "Pangolin CLI",
    "machineClientsBannerOlmCLI": "Olm CLI",
-    "machineClientsBannerOlmContainer": "Olm Container",
+    "machineClientsBannerOlmContainer": "Container",
    "clientsTableUserClients": "User",
    "clientsTableMachineClients": "Machine",
    "licenseTableValidUntil": "Valid Until",
@@ -2069,6 +2333,32 @@
            }
        }
    },
    "newPricingLicenseForm": {
        "title": "Get a license",
        "description": "Choose a plan and tell us how you plan to use Pangolin.",
        "chooseTier": "Choose your plan",
        "viewPricingLink": "See pricing, features, and limits",
        "tiers": {
            "starter": {
                "title": "Starter",
                "description": "Enterprise features, 25 users, 25 sites, and community support."
            },
            "scale": {
                "title": "Scale",
                "description": "Enterprise features, 50 users, 50 sites, and priority support."
            }
        },
        "personalUseOnly": "Personal use only (free license - no checkout)",
        "buttons": {
            "continueToCheckout": "Continue to Checkout"
        },
        "toasts": {
            "checkoutError": {
                "title": "Checkout error",
                "description": "Could not start checkout. Please try again."
            }
        }
    },
    "priority": "Priority",
    "priorityDescription": "Higher priority routes are evaluated first. Priority = 100 means automatic ordering (system decides). Use another number to enforce manual priority.",
    "instanceName": "Instance Name",
@@ -2157,6 +2447,8 @@
    "logRetentionAccessDescription": "How long to retain access logs",
    "logRetentionActionLabel": "Action Log Retention",
    "logRetentionActionDescription": "How long to retain action logs",
    "logRetentionConnectionLabel": "Connection Log Retention",
    "logRetentionConnectionDescription": "How long to retain connection logs",
    "logRetentionDisabled": "Disabled",
    "logRetention3Days": "3 days",
    "logRetention7Days": "7 days",
@@ -2167,7 +2459,15 @@
    "logRetentionEndOfFollowingYear": "End of following year",
    "actionLogsDescription": "View a history of actions performed in this organization",
    "accessLogsDescription": "View access auth requests for resources in this organization",
-    "licenseRequiredToUse": "An Enterprise license is required to use this feature.",
+    "connectionLogs": "Connection Logs",
    "connectionLogsDescription": "View connection logs for tunnels in this organization",
    "sidebarLogsConnection": "Connection Logs",
    "sidebarLogsStreaming": "Streaming",
    "sourceAddress": "Source Address",
    "destinationAddress": "Destination Address",
    "duration": "Duration",
    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a free demo or POC trial to learn more</bookADemoLink>.",
    "certResolver": "Certificate Resolver",
    "certResolverDescription": "Select the certificate resolver to use for this resource.",
    "selectCertResolver": "Select Certificate Resolver",
@@ -2228,6 +2528,8 @@
    "deviceCodeInvalidFormat": "Code must be 9 characters (e.g., A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Invalid or expired code",
    "deviceCodeVerifyFailed": "Failed to verify device code",
    "deviceCodeValidating": "Validating device code...",
    "deviceCodeVerifying": "Verifying device authorization...",
    "signedInAs": "Signed in as",
    "deviceCodeEnterPrompt": "Enter the code displayed on the device",
    "continue": "Continue",
@@ -2240,7 +2542,7 @@
    "deviceOrganizationsAccess": "Access to all organizations your account has access to",
    "deviceAuthorize": "Authorize {applicationName}",
    "deviceConnected": "Device Connected!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account.",
+    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "View Devices",
    "viewDevicesDescription": "Manage your connected devices",
@@ -2302,10 +2604,14 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Not you? Use a different account.",
    "deviceLoginDeviceRequestingAccessToAccount": "A device is requesting access to this account.",
    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
    "noData": "No Data",
    "machineClients": "Machine Clients",
    "install": "Install",
    "run": "Run",
    "envFile": "Environment File",
    "serviceFile": "Service File",
    "enableAndStart": "Enable and Start",
    "clientNameDescription": "The display name of the client that can be changed later.",
    "clientAddress": "Client Address (Advanced)",
    "setupFailedToFetchSubnet": "Failed to fetch default subnet",
@@ -2346,6 +2652,7 @@
    "enterConfirmation": "Enter confirmation",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Default Identity Provider",
    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Network Settings",
    "editInternalResourceDialogAccessPolicy": "Access Policy",
    "editInternalResourceDialogAddRoles": "Add Roles",
@@ -2360,8 +2667,231 @@
    "editInternalResourceDialogAccessControl": "Access Control",
    "editInternalResourceDialogAccessControlDescription": "Control which roles, users, and machine clients have access to this resource when connected. Admins always have access.",
    "editInternalResourceDialogPortRangeValidationError": "Port range must be \"*\" for all ports, or a comma-separated list of ports and ranges (e.g., \"80,443,8000-9000\"). Ports must be between 1 and 65535.",
    "internalResourceAuthDaemonStrategy": "SSH Auth Daemon Location",
    "internalResourceAuthDaemonStrategyDescription": "Choose where the SSH authentication daemon runs: on the site (Newt) or on a remote host.",
    "internalResourceAuthDaemonDescription": "The SSH authentication daemon handles SSH key signing and PAM authentication for this resource. Choose whether it runs on the site (Newt) or on a separate remote host. See <docsLink>the documentation</docsLink> for more.",
    "internalResourceAuthDaemonDocsUrl": "https://docs.pangolin.net",
    "internalResourceAuthDaemonStrategyPlaceholder": "Select Strategy",
    "internalResourceAuthDaemonStrategyLabel": "Location",
    "internalResourceAuthDaemonSite": "On Site",
    "internalResourceAuthDaemonSiteDescription": "Auth daemon runs on the site (Newt).",
    "internalResourceAuthDaemonRemote": "Remote Host",
    "internalResourceAuthDaemonRemoteDescription": "Auth daemon runs on this resource's destination - not the site.",
    "internalResourceAuthDaemonPort": "Daemon Port (optional)",
    "orgAuthWhatsThis": "Where can I find my organization ID?",
    "learnMore": "Learn more",
    "backToHome": "Go back to home",
-    "needToSignInToOrg": "Need to use your organization's identity provider?"
+    "needToSignInToOrg": "Need to use your organization's identity provider?",
    "maintenanceMode": "Maintenance Mode",
    "maintenanceModeDescription": "Display a maintenance page to visitors",
    "maintenanceModeType": "Maintenance Mode Type",
    "showMaintenancePage": "Show a maintenance page to visitors",
    "enableMaintenanceMode": "Enable Maintenance Mode",
    "automatic": "Automatic",
    "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
    "forced": "Forced",
    "forcedModeDescription": "Always show the maintenance page regardless of backend health. Use this for planned maintenance when you want to prevent all access.",
    "warning:": "Warning:",
    "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
    "pageTitle": "Page Title",
    "pageTitleDescription": "The main heading displayed on the maintenance page",
    "maintenancePageMessage": "Maintenance Message",
    "maintenancePageMessagePlaceholder": "We'll be back soon! Our site is currently undergoing scheduled maintenance.",
    "maintenancePageMessageDescription": "Detailed message explaining the maintenance",
    "maintenancePageTimeTitle": "Estimated Completion Time (Optional)",
    "maintenanceTime": "e.g., 2 hours, Nov 1 at 5:00 PM",
    "maintenanceEstimatedTimeDescription": "When you expect maintenance to be completed",
    "editDomain": "Edit Domain",
    "editDomainDescription": "Select a domain for your resource",
    "maintenanceModeDisabledTooltip": "This feature requires a valid license to enable.",
    "maintenanceScreenTitle": "Service Temporarily Unavailable",
    "maintenanceScreenMessage": "We are currently experiencing technical difficulties. Please check back soon.",
    "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
    "createInternalResourceDialogDestinationRequired": "Destination is required",
    "available": "Available",
    "archived": "Archived",
    "noArchivedDevices": "No archived devices found",
    "deviceArchived": "Device archived",
    "deviceArchivedDescription": "The device has been successfully archived.",
    "errorArchivingDevice": "Error archiving device",
    "failedToArchiveDevice": "Failed to archive device",
    "deviceQuestionArchive": "Are you sure you want to archive this device?",
    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
    "deviceArchiveConfirm": "Archive Device",
    "archiveDevice": "Archive Device",
    "archive": "Archive",
    "deviceUnarchived": "Device unarchived",
    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
    "errorUnarchivingDevice": "Error unarchiving device",
    "failedToUnarchiveDevice": "Failed to unarchive device",
    "unarchive": "Unarchive",
    "archiveClient": "Archive Client",
    "archiveClientQuestion": "Are you sure you want to archive this client?",
    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
    "archiveClientConfirm": "Archive Client",
    "blockClient": "Block Client",
    "blockClientQuestion": "Are you sure you want to block this client?",
    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
    "blockClientConfirm": "Block Client",
    "active": "Active",
    "usernameOrEmail": "Username or Email",
    "selectYourOrganization": "Select your organization",
    "signInTo": "Log in in to",
    "signInWithPassword": "Continue with Password",
    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
    "enterPassword": "Enter your password",
    "enterMfaCode": "Enter the code from your authenticator app",
    "securityKeyRequired": "Please use your security key to sign in.",
    "needToUseAnotherAccount": "Need to use a different account?",
    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
    "termsOfService": "Terms of Service",
    "privacyPolicy": "Privacy Policy",
    "userNotFoundWithUsername": "No user found with that username.",
    "verify": "Verify",
    "signIn": "Sign In",
    "forgotPassword": "Forgot password?",
    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
    "continueAnyway": "Continue anyway",
    "dontShowAgain": "Don't show again",
    "orgSignInNotice": "Did you know?",
    "signupOrgNotice": "Trying to sign in?",
    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
    "signupOrgLink": "Sign in or sign up with your organization instead",
    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
    "logIn": "Log In",
    "deviceInformation": "Device Information",
    "deviceInformationDescription": "Information about the device and agent",
    "deviceSecurity": "Device Security",
    "deviceSecurityDescription": "Device security posture information",
    "platform": "Platform",
    "macosVersion": "macOS Version",
    "windowsVersion": "Windows Version",
    "iosVersion": "iOS Version",
    "androidVersion": "Android Version",
    "osVersion": "OS Version",
    "kernelVersion": "Kernel Version",
    "deviceModel": "Device Model",
    "serialNumber": "Serial Number",
    "hostname": "Hostname",
    "firstSeen": "First Seen",
    "lastSeen": "Last Seen",
    "biometricsEnabled": "Biometrics Enabled",
    "diskEncrypted": "Disk Encrypted",
    "firewallEnabled": "Firewall Enabled",
    "autoUpdatesEnabled": "Auto Updates Enabled",
    "tpmAvailable": "TPM Available",
    "windowsAntivirusEnabled": "Antivirus Enabled",
    "macosSipEnabled": "System Integrity Protection (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Firewall Stealth Mode",
    "linuxAppArmorEnabled": "AppArmor",
    "linuxSELinuxEnabled": "SELinux",
    "deviceSettingsDescription": "View device information and settings",
    "devicePendingApprovalDescription": "This device is waiting for approval",
    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
    "unblockClient": "Unblock Client",
    "unblockClientDescription": "The device has been unblocked",
    "unarchiveClient": "Unarchive Client",
    "unarchiveClientDescription": "The device has been unarchived",
    "block": "Block",
    "unblock": "Unblock",
    "deviceActions": "Device Actions",
    "deviceActionsDescription": "Manage device status and access",
    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
    "connected": "Connected",
    "disconnected": "Disconnected",
    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
    "approvalsEmptyStateStep1Title": "Go to Roles",
    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
    "approvalsEmptyStateButtonText": "Manage Roles",
    "domainErrorTitle": "We are having trouble verifying your domain",
    "idpAdminAutoProvisionPoliciesTabHint": "Configure role mapping and organization policies on the <policiesTabLink>Auto Provision Settings</policiesTabLink> tab.",
    "streamingTitle": "Event Streaming",
    "streamingDescription": "Stream events from your organization to external destinations in real time.",
    "streamingUnnamedDestination": "Unnamed destination",
    "streamingNoUrlConfigured": "No URL configured",
    "streamingAddDestination": "Add Destination",
    "streamingHttpWebhookTitle": "HTTP Webhook",
    "streamingHttpWebhookDescription": "Send events to any HTTP endpoint with flexible authentication and templating.",
    "streamingS3Title": "Amazon S3",
    "streamingS3Description": "Stream events to an S3-compatible object storage bucket. Coming soon.",
    "streamingDatadogTitle": "Datadog",
    "streamingDatadogDescription": "Forward events directly to your Datadog account. Coming soon.",
    "streamingTypePickerDescription": "Choose a destination type to get started.",
    "streamingFailedToLoad": "Failed to load destinations",
    "streamingUnexpectedError": "An unexpected error occurred.",
    "streamingFailedToUpdate": "Failed to update destination",
    "streamingDeletedSuccess": "Destination deleted successfully",
    "streamingFailedToDelete": "Failed to delete destination",
    "streamingDeleteTitle": "Delete Destination",
    "streamingDeleteButtonText": "Delete Destination",
    "streamingDeleteDialogAreYouSure": "Are you sure you want to delete",
    "streamingDeleteDialogThisDestination": "this destination",
    "streamingDeleteDialogPermanentlyRemoved": "? All configuration will be permanently removed.",
    "httpDestEditTitle": "Edit Destination",
    "httpDestAddTitle": "Add HTTP Destination",
    "httpDestEditDescription": "Update the configuration for this HTTP event streaming destination.",
    "httpDestAddDescription": "Configure a new HTTP endpoint to receive your organization's events.",
    "httpDestTabSettings": "Settings",
    "httpDestTabHeaders": "Headers",
    "httpDestTabBody": "Body",
    "httpDestTabLogs": "Logs",
    "httpDestNamePlaceholder": "My HTTP destination",
    "httpDestUrlLabel": "Destination URL",
    "httpDestUrlErrorHttpRequired": "URL must use http or https",
    "httpDestUrlErrorHttpsRequired": "HTTPS is required on cloud deployments",
    "httpDestUrlErrorInvalid": "Enter a valid URL (e.g. https://example.com/webhook)",
    "httpDestAuthTitle": "Authentication",
    "httpDestAuthDescription": "Choose how requests to your endpoint are authenticated.",
    "httpDestAuthNoneTitle": "No Authentication",
    "httpDestAuthNoneDescription": "Sends requests without an Authorization header.",
    "httpDestAuthBearerTitle": "Bearer Token",
    "httpDestAuthBearerDescription": "Adds an Authorization: Bearer '<token>' header to each request.",
    "httpDestAuthBearerPlaceholder": "Your API key or token",
    "httpDestAuthBasicTitle": "Basic Auth",
    "httpDestAuthBasicDescription": "Adds an Authorization: Basic '<credentials>' header. Provide credentials as username:password.",
    "httpDestAuthBasicPlaceholder": "username:password",
    "httpDestAuthCustomTitle": "Custom Header",
    "httpDestAuthCustomDescription": "Specify a custom HTTP header name and value for authentication (e.g. X-API-Key).",
    "httpDestAuthCustomHeaderNamePlaceholder": "Header name (e.g. X-API-Key)",
    "httpDestAuthCustomHeaderValuePlaceholder": "Header value",
    "httpDestCustomHeadersTitle": "Custom HTTP Headers",
    "httpDestCustomHeadersDescription": "Add custom headers to every outgoing request. Useful for static tokens or a custom Content-Type. By default, Content-Type: application/json is sent.",
    "httpDestNoHeadersConfigured": "No custom headers configured. Click \"Add Header\" to add one.",
    "httpDestHeaderNamePlaceholder": "Header name",
    "httpDestHeaderValuePlaceholder": "Value",
    "httpDestAddHeader": "Add Header",
    "httpDestBodyTemplateTitle": "Custom Body Template",
    "httpDestBodyTemplateDescription": "Control the JSON payload structure sent to your endpoint. If disabled, a default JSON object is sent for each event.",
    "httpDestEnableBodyTemplate": "Enable custom body template",
    "httpDestBodyTemplateLabel": "Body Template (JSON)",
    "httpDestBodyTemplateHint": "Use template variables to reference event fields in your payload.",
    "httpDestPayloadFormatTitle": "Payload Format",
    "httpDestPayloadFormatDescription": "How events are serialised into each request body.",
    "httpDestFormatJsonArrayTitle": "JSON Array",
    "httpDestFormatJsonArrayDescription": "One request per batch, body is a JSON array. Compatible with most generic webhooks and Datadog.",
    "httpDestFormatNdjsonTitle": "NDJSON",
    "httpDestFormatNdjsonDescription": "One request per batch, body is newline-delimited JSON — one object per line, no outer array. Required by Splunk HEC, Elastic / OpenSearch, and Grafana Loki.",
    "httpDestFormatSingleTitle": "One Event Per Request",
    "httpDestFormatSingleDescription": "Sends a separate HTTP POST for each individual event. Use only for endpoints that cannot handle batches.",
    "httpDestLogTypesTitle": "Log Types",
    "httpDestLogTypesDescription": "Choose which log types are forwarded to this destination. Only enabled log types will be streamed.",
    "httpDestAccessLogsTitle": "Access Logs",
    "httpDestAccessLogsDescription": "Resource access attempts, including authenticated and denied requests.",
    "httpDestActionLogsTitle": "Action Logs",
    "httpDestActionLogsDescription": "Administrative actions performed by users within the organization.",
    "httpDestConnectionLogsTitle": "Connection Logs",
    "httpDestConnectionLogsDescription": "Site and tunnel connection events, including connects and disconnects.",
    "httpDestRequestLogsTitle": "Request Logs",
    "httpDestRequestLogsDescription": "HTTP request logs for proxied resources, including method, path, and response code.",
    "httpDestSaveChanges": "Save Changes",
    "httpDestCreateDestination": "Create Destination",
    "httpDestUpdatedSuccess": "Destination updated successfully",
    "httpDestCreatedSuccess": "Destination created successfully",
    "httpDestUpdateFailed": "Failed to update destination",
    "httpDestCreateFailed": "Failed to create destination"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -1,5 +1,7 @@
 {
  "setupCreate": "創建您的第一個組織、網站和資源",
  "headerAuthCompatibilityInfo": "啟用此選項以在缺少驗證令牌時強制回傳 401 未授權回應。這對於不會在沒有伺服器挑戰的情況下發送憑證的瀏覽器或特定 HTTP 函式庫是必需的。",
  "headerAuthCompatibility": "擴展相容性",
  "setupNewOrg": "新建組織",
  "setupCreateOrg": "創建組織",
  "setupCreateResources": "創建資源",
@@ -51,6 +53,9 @@
  "siteQuestionRemove": "您確定要從組織中刪除該站點嗎？",
  "siteManageSites": "管理站點",
  "siteDescription": "允許通過安全隧道連接到您的網路",
  "sitesBannerTitle": "連接任何網路",
  "sitesBannerDescription": "站點是與遠端網路的連接，使 Pangolin 能夠為任何地方的使用者提供對公共或私有資源的存取。在任何可以執行二進位檔案或容器的地方安裝站點網路連接器 (Newt) 以建立連接。",
  "sitesBannerButtonText": "安裝站點",
  "siteCreate": "創建站點",
  "siteCreateDescription2": "按照下面的步驟創建和連接一個新站點",
  "siteCreateDescription": "創建一個新站點開始連接您的資源",
@@ -65,8 +70,8 @@
  "siteLoadWGConfig": "正在載入 WireGuard 配置...",
  "siteDocker": "擴展 Docker 部署詳細資訊",
  "toggle": "切換",
-    "dockerCompose": "Docker 配置",
+  "dockerCompose": "Docker Compose",
-    "dockerRun": "停靠欄",
+  "dockerRun": "Docker Run",
  "siteLearnLocal": "本地站點不需要隧道連接，點擊了解更多",
  "siteConfirmCopy": "我已經複製了配置資訊",
  "searchSitesProgress": "搜索站點...",
@@ -98,9 +103,10 @@
  "siteLocalDescriptionSaas": "僅本地資源。沒有隧道。僅在遠程節點上可用。",
  "siteSeeAll": "查看所有站點",
  "siteTunnelDescription": "確定如何連接到您的網站",
-    "siteNewtCredentials": "Newt 憑據",
+  "siteNewtCredentials": "Newt 憑證",
-    "siteNewtCredentialsDescription": "這是 Newt 伺服器的身份驗證憑據",
+  "siteNewtCredentialsDescription": "這是 Newt 伺服器的身份驗證憑證",
-    "siteCredentialsSave": "保存您的憑據",
+  "remoteNodeCredentialsDescription": "這是遠端節點與伺服器進行驗證的方式",
  "siteCredentialsSave": "保存您的憑證",
  "siteCredentialsSaveDescription": "您只能看到一次。請確保將其複製並保存到一個安全的地方。",
  "siteInfo": "站點資訊",
  "status": "狀態",
@@ -144,8 +150,14 @@
  "expires": "過期時間",
  "never": "永不過期",
  "shareErrorSelectResource": "請選擇一個資源",
-    "resourceTitle": "管理資源",
+  "proxyResourceTitle": "管理公開資源",
-    "resourceDescription": "為您的私人應用程式創建安全代理",
+  "proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
  "proxyResourcesBannerTitle": "基於網頁的公開存取",
  "proxyResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同，它們不需要客戶端軟體，並且可以包含基於身份和情境感知的存取策略。",
  "clientResourceTitle": "管理私有資源",
  "clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
  "privateResourcesBannerTitle": "零信任私有存取",
  "privateResourcesBannerDescription": "私有資源使用零信任安全性，確保使用者和機器只能存取您明確授權的資源。連接使用者裝置或機器客戶端以透過安全的虛擬私人網路存取這些資源。",
  "resourcesSearch": "搜索資源...",
  "resourceAdd": "添加資源",
  "resourceErrorDelte": "刪除資源時出錯",
@@ -179,7 +191,7 @@
  "baseDomain": "根域名",
  "subdomnainDescription": "您的資源可以訪問的子域名。",
  "resourceRawSettings": "TCP/UDP 設置",
-    "resourceRawSettingsDescription": "配置如何通過 TCP/UDP 訪問您的資源。 您映射資源到主機Pangolin伺服器上的埠，這樣您就可以訪問伺服器-公共-ip:mapped埠的資源。",
+  "resourceRawSettingsDescription": "設定如何透過 TCP/UDP 存取資源",
  "protocol": "協議",
  "protocolSelect": "選擇協議",
  "resourcePortNumber": "埠號",
@@ -436,6 +448,16 @@
  "inviteEmailSent": "發送邀請郵件給用戶",
  "inviteValid": "有效",
  "selectDuration": "選擇持續時間",
  "selectResource": "選擇資源",
  "filterByResource": "依資源篩選",
  "resetFilters": "重設篩選條件",
  "totalBlocked": "被 Pangolin 阻擋的請求",
  "totalRequests": "總請求數",
  "requestsByCountry": "依國家/地區的請求",
  "requestsByDay": "依日期的請求",
  "blocked": "已阻擋",
  "allowed": "已允許",
  "topCountries": "熱門國家/地區",
  "accessRoleSelect": "選擇角色",
  "inviteEmailSentDescription": "一封電子郵件已經發送給用戶，帶有下面的訪問連結。他們必須訪問該連結才能接受邀請。",
  "inviteSentDescription": "用戶已被邀請。他們必須訪問下面的連結才能接受邀請。",
@@ -465,7 +487,7 @@
  "proxyErrorTls": "無效的 TLS 伺服器名稱。使用域名格式，或保存空以刪除 TLS 伺服器名稱。",
  "proxyEnableSSL": "啟用 SSL",
  "proxyEnableSSLDescription": "啟用 SSL/TLS 加密以確保您目標的 HTTPS 連接。",
-    "target": "Target",
+  "target": "目標",
  "configureTarget": "配置目標",
  "targetErrorFetch": "獲取目標失敗",
  "targetErrorFetchDescription": "獲取目標時出錯",
@@ -516,6 +538,8 @@
  "targetCreatedDescription": "目標已成功創建",
  "targetErrorCreate": "創建目標失敗",
  "targetErrorCreateDescription": "創建目標時出錯",
  "tlsServerName": "TLS 伺服器名稱",
  "tlsServerNameDescription": "用於 SNI 的 TLS 伺服器名稱",
  "save": "保存",
  "proxyAdditional": "附加代理設置",
  "proxyAdditionalDescription": "配置你的資源如何處理代理設置",
@@ -702,6 +726,7 @@
  "resourceTransferSubmit": "轉移資源",
  "siteDestination": "目標站點",
  "searchSites": "搜索站點",
  "countries": "國家/地區",
  "accessRoleCreate": "創建角色",
  "accessRoleCreateDescription": "創建一個新角色來分組用戶並管理他們的權限。",
  "accessRoleCreateSubmit": "創建角色",
@@ -825,6 +850,7 @@
  "orgPolicyConfig": "配置組織訪問權限",
  "idpUpdatedDescription": "身份提供商更新成功",
  "redirectUrl": "重定向網址",
  "orgIdpRedirectUrls": "重新導向網址",
  "redirectUrlAbout": "關於重定向網址",
  "redirectUrlAboutDescription": "這是用戶在驗證後將被重定向到的URL。您需要在身份提供商設置中配置此URL。",
  "pangolinAuth": "認證 - Pangolin",
@@ -909,6 +935,10 @@
  "passwordResetSent": "我們將發送一個驗證碼到這個電子郵件地址。",
  "passwordResetCode": "驗證碼",
  "passwordResetCodeDescription": "請檢查您的電子郵件以獲取驗證碼。",
  "generatePasswordResetCode": "產生密碼重設代碼",
  "passwordResetCodeGenerated": "密碼重設代碼已產生",
  "passwordResetCodeGeneratedDescription": "請將此代碼分享給使用者。他們可以用它來重設密碼。",
  "passwordResetUrl": "重設網址",
  "passwordNew": "新密碼",
  "passwordNewConfirm": "確認新密碼",
  "changePassword": "更改密碼",
@@ -926,6 +956,9 @@
  "pincodeAuth": "驗證器代碼",
  "pincodeSubmit2": "提交代碼",
  "passwordResetSubmit": "請求重設",
  "passwordResetAlreadyHaveCode": "輸入代碼",
  "passwordResetSmtpRequired": "請聯絡您的管理員",
  "passwordResetSmtpRequiredDescription": "需要密碼重設代碼才能重設您的密碼。請聯絡您的管理員尋求協助。",
  "passwordBack": "回到密碼",
  "loginBack": "返回登錄",
  "signup": "註冊",
@@ -1013,6 +1046,7 @@
  "updateOrgUser": "更新組織用戶",
  "createOrgUser": "創建組織用戶",
  "actionUpdateOrg": "更新組織",
  "actionRemoveInvitation": "移除邀請",
  "actionUpdateUser": "更新用戶",
  "actionGetUser": "獲取用戶",
  "actionGetOrgUser": "獲取組織用戶",
@@ -1057,6 +1091,7 @@
  "actionRemoveUser": "刪除用戶",
  "actionListUsers": "列出用戶",
  "actionAddUserRole": "添加用戶角色",
  "actionSetUserOrgRoles": "Set User Roles",
  "actionGenerateAccessToken": "生成訪問令牌",
  "actionDeleteAccessToken": "刪除訪問令牌",
  "actionListAccessTokens": "訪問令牌",
@@ -1093,12 +1128,15 @@
  "actionListSiteResources": "列出站點資源",
  "actionUpdateSiteResource": "更新站點資源",
  "actionListInvitations": "邀請列表",
  "actionExportLogs": "匯出日誌",
  "actionViewLogs": "查看日誌",
  "noneSelected": "未選擇",
  "orgNotFound2": "未找到組織。",
  "searchProgress": "搜索中...",
  "create": "創建",
  "orgs": "組織",
  "loginError": "登錄時出錯",
  "loginRequiredForDevice": "需要登入以驗證您的裝置。",
  "passwordForgot": "忘記密碼？",
  "otpAuth": "兩步驗證",
  "otpAuthDescription": "從您的身份驗證程序中輸入代碼或您的單次備份代碼。",
@@ -1153,8 +1191,12 @@
  "sidebarHome": "首頁",
  "sidebarSites": "站點",
  "sidebarResources": "資源",
  "sidebarProxyResources": "公開",
  "sidebarClientResources": "私有",
  "sidebarAccessControl": "訪問控制",
  "sidebarLogsAndAnalytics": "日誌與分析",
  "sidebarUsers": "用戶",
  "sidebarAdmin": "管理員",
  "sidebarInvitations": "邀請",
  "sidebarRoles": "角色",
  "sidebarShareableLinks": "分享連結",
@@ -1164,8 +1206,14 @@
  "sidebarIdentityProviders": "身份提供商",
  "sidebarLicense": "證書",
  "sidebarClients": "用戶端",
  "sidebarUserDevices": "使用者",
  "sidebarMachineClients": "機器",
  "sidebarDomains": "域",
  "sidebarGeneral": "管理",
  "sidebarLogAndAnalytics": "日誌與分析",
  "sidebarBluePrints": "藍圖",
  "sidebarOrganization": "組織",
  "sidebarLogsAnalytics": "分析",
  "blueprints": "藍圖",
  "blueprintsDescription": "應用聲明配置並查看先前運行的",
  "blueprintAdd": "添加藍圖",
@@ -1275,12 +1323,24 @@
  "accountSetupSuccess": "帳號設定完成！歡迎來到 Pangolin！",
  "documentation": "文件",
  "saveAllSettings": "保存所有設置",
  "saveResourceTargets": "儲存目標",
  "saveResourceHttp": "儲存代理設定",
  "saveProxyProtocol": "儲存代理協定設定",
  "settingsUpdated": "設置已更新",
  "settingsUpdatedDescription": "所有設置已成功更新",
  "settingsErrorUpdate": "設置更新失敗",
  "settingsErrorUpdateDescription": "更新設置時發生錯誤",
  "sidebarCollapse": "摺疊",
  "sidebarExpand": "展開",
  "productUpdateMoreInfo": "還有 {noOfUpdates} 項更新",
  "productUpdateInfo": "{noOfUpdates} 項更新",
  "productUpdateWhatsNew": "新功能",
  "productUpdateTitle": "產品更新",
  "productUpdateEmpty": "沒有更新",
  "dismissAll": "全部關閉",
  "pangolinUpdateAvailable": "有可用更新",
  "pangolinUpdateAvailableInfo": "版本 {version} 已準備好安裝",
  "pangolinUpdateAvailableReleaseNotes": "查看發行說明",
  "newtUpdateAvailable": "更新可用",
  "newtUpdateAvailableInfo": "新版本的 Newt 已可用。請更新到最新版本以獲得最佳體驗。",
  "domainPickerEnterDomain": "域名",
@@ -1423,6 +1483,9 @@
    "and": "和",
    "privacyPolicy": "隱私政策"
  },
  "signUpMarketing": {
    "keepMeInTheLoop": "透過電子郵件接收新聞、更新和新功能通知。"
  },
  "siteRequired": "需要站點。",
  "olmTunnel": "Olm 隧道",
  "olmTunnelDescription": "使用 Olm 進行用戶端連接",
@@ -1456,15 +1519,14 @@
  "sitesFetchError": "獲取站點時出錯。",
  "olmErrorFetchReleases": "獲取 Olm 發布版本時出錯。",
  "olmErrorFetchLatest": "獲取最新 Olm 發布版本時出錯。",
    "remoteSubnets": "遠程子網",
  "enterCidrRange": "輸入 CIDR 範圍",
    "remoteSubnetsDescription": "添加可以通過用戶端遠端存取該站點的 CIDR 範圍。使用類似 10.0.0.0/24 的格式。這僅適用於 VPN 用戶端連接。",
  "resourceEnableProxy": "啟用公共代理",
  "resourceEnableProxyDescription": "啟用到此資源的公共代理。這允許外部網路通過開放埠訪問資源。需要 Traefik 配置。",
  "externalProxyEnabled": "外部代理已啟用",
  "addNewTarget": "添加新目標",
  "targetsList": "目標列表",
  "advancedMode": "高級模式",
  "advancedSettings": "進階設定",
  "targetErrorDuplicateTargetFound": "找到重複的目標",
  "healthCheckHealthy": "正常",
  "healthCheckUnhealthy": "不正常",
@@ -1476,6 +1538,7 @@
  "enableHealthChecksDescription": "監視此目標的健康狀況。如果需要，您可以監視一個不同的終點。",
  "healthScheme": "方法",
  "healthSelectScheme": "選擇方法",
  "healthCheckPortInvalid": "健康檢查連接埠必須介於 1 到 65535 之間",
  "healthCheckPath": "路徑",
  "healthHostname": "IP / 主機",
  "healthPort": "埠",
@@ -1524,9 +1587,15 @@
  "resourcesTableNoProxyResourcesFound": "未找到代理資源。",
  "resourcesTableNoInternalResourcesFound": "未找到內部資源。",
  "resourcesTableDestination": "目標",
-    "resourcesTableTheseResourcesForUseWith": "這些資源供...使用",
+  "resourcesTableAlias": "別名",
  "resourcesTableClients": "用戶端",
  "resourcesTableAndOnlyAccessibleInternally": "且僅在與用戶端連接時可內部訪問。",
  "resourcesTableNoTargets": "無目標",
  "resourcesTableHealthy": "健康",
  "resourcesTableDegraded": "降級",
  "resourcesTableOffline": "離線",
  "resourcesTableUnknown": "未知",
  "resourcesTableNotMonitored": "未監控",
  "editInternalResourceDialogEditClientResource": "編輯用戶端資源",
  "editInternalResourceDialogUpdateResourceProperties": "更新 {resourceName} 的資源屬性和目標配置。",
  "editInternalResourceDialogResourceProperties": "資源屬性",
@@ -1547,6 +1616,17 @@
  "editInternalResourceDialogInvalidIPAddressFormat": "無效的 IP 位址格式",
  "editInternalResourceDialogDestinationPortMin": "目標埠必須至少為 1",
  "editInternalResourceDialogDestinationPortMax": "目標埠必須小於 65536",
  "editInternalResourceDialogPortModeRequired": "連接埠模式需要協定、代理連接埠和目標連接埠",
  "editInternalResourceDialogMode": "模式",
  "editInternalResourceDialogModePort": "連接埠",
  "editInternalResourceDialogModeHost": "主機",
  "editInternalResourceDialogModeCidr": "CIDR",
  "editInternalResourceDialogDestination": "目的地",
  "editInternalResourceDialogDestinationHostDescription": "站點網路上資源的 IP 位址或主機名稱。",
  "editInternalResourceDialogDestinationIPDescription": "站點網路上資源的 IP 或主機名稱位址。",
  "editInternalResourceDialogDestinationCidrDescription": "站點網路上資源的 CIDR 範圍。",
  "editInternalResourceDialogAlias": "別名",
  "editInternalResourceDialogAliasDescription": "此資源的可選內部 DNS 別名。",
  "createInternalResourceDialogNoSitesAvailable": "暫無可用站點",
  "createInternalResourceDialogNoSitesAvailableDescription": "您需要至少配置一個子網的 Newt 站點來創建內部資源。",
  "createInternalResourceDialogClose": "關閉",
@@ -1555,9 +1635,8 @@
  "createInternalResourceDialogResourceProperties": "資源屬性",
  "createInternalResourceDialogName": "名稱",
  "createInternalResourceDialogSite": "站點",
-    "createInternalResourceDialogSelectSite": "選擇站點...",
+  "selectSite": "選擇站點...",
-    "createInternalResourceDialogSearchSites": "搜索站點...",
+  "noSitesFound": "找不到站點。",
    "createInternalResourceDialogNoSitesFound": "未找到站點。",
  "createInternalResourceDialogProtocol": "協議",
  "createInternalResourceDialogTcp": "TCP",
  "createInternalResourceDialogUdp": "UDP",
@@ -1580,11 +1659,22 @@
  "createInternalResourceDialogInvalidIPAddressFormat": "無效的 IP 位址格式",
  "createInternalResourceDialogDestinationPortMin": "目標埠必須至少為 1",
  "createInternalResourceDialogDestinationPortMax": "目標埠必須小於 65536",
  "createInternalResourceDialogPortModeRequired": "連接埠模式需要協定、代理連接埠和目標連接埠",
  "createInternalResourceDialogMode": "模式",
  "createInternalResourceDialogModePort": "連接埠",
  "createInternalResourceDialogModeHost": "主機",
  "createInternalResourceDialogModeCidr": "CIDR",
  "createInternalResourceDialogDestination": "目的地",
  "createInternalResourceDialogDestinationHostDescription": "站點網路上資源的 IP 位址或主機名稱。",
  "createInternalResourceDialogDestinationCidrDescription": "站點網路上資源的 CIDR 範圍。",
  "createInternalResourceDialogAlias": "別名",
  "createInternalResourceDialogAliasDescription": "此資源的可選內部 DNS 別名。",
  "siteConfiguration": "配置",
  "siteAcceptClientConnections": "接受用戶端連接",
  "siteAcceptClientConnectionsDescription": "允許其他設備透過此 Newt 實例使用用戶端作為閘道器連接。",
  "siteAddress": "站點地址",
  "siteAddressDescription": "指定主機的 IP 位址以供用戶端連接。這是 Pangolin 網路中站點的內部地址，供用戶端訪問。必須在 Org 子網內。",
  "siteNameDescription": "站點的顯示名稱，可以稍後更改。",
  "autoLoginExternalIdp": "自動使用外部 IDP 登錄",
  "autoLoginExternalIdpDescription": "立即將用戶重定向到外部 IDP 進行身份驗證。",
  "selectIdp": "選擇 IDP",
@@ -1608,6 +1698,8 @@
  "remoteExitNodeConfirmDelete": "確認刪除節點",
  "remoteExitNodeDelete": "刪除節點",
  "sidebarRemoteExitNodes": "遠程節點",
  "remoteExitNodeId": "ID",
  "remoteExitNodeSecretKey": "密鑰",
  "remoteExitNodeCreate": {
    "title": "創建節點",
    "description": "創建一個新節點來擴展您的網路連接",
@@ -1731,12 +1823,33 @@
  "idpAzureClientIdDescription2": "您的 Azure 應用程式註冊用戶端 ID",
  "idpAzureClientSecretDescription2": "您的 Azure 應用程式註冊用戶端金鑰",
  "idpGoogleDescription": "Google OAuth2/OIDC 提供商",
-    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
+  "idpAzureDescription": "Microsoft Azure OAuth2/OIDC 提供者",
  "subnet": "子網",
  "subnetDescription": "此組織網路配置的子網。",
  "customDomain": "自訂網域",
  "authPage": "認證頁面",
  "authPageDescription": "配置您的組織認證頁面",
  "authPageDomain": "認證頁面域",
  "authPageBranding": "自訂品牌",
  "authPageBrandingDescription": "設定此組織驗證頁面上顯示的品牌",
  "authPageBrandingUpdated": "驗證頁面品牌更新成功",
  "authPageBrandingRemoved": "驗證頁面品牌移除成功",
  "authPageBrandingRemoveTitle": "移除驗證頁面品牌",
  "authPageBrandingQuestionRemove": "您確定要移除驗證頁面的品牌嗎？",
  "authPageBrandingDeleteConfirm": "確認刪除品牌",
  "brandingLogoURL": "Logo 網址",
  "brandingPrimaryColor": "主要顏色",
  "brandingLogoWidth": "寬度 (px)",
  "brandingLogoHeight": "高度 (px)",
  "brandingOrgTitle": "組織驗證頁面標題",
  "brandingOrgDescription": "{orgName} 將被替換為組織名稱",
  "brandingOrgSubtitle": "組織驗證頁面副標題",
  "brandingResourceTitle": "資源驗證頁面標題",
  "brandingResourceSubtitle": "資源驗證頁面副標題",
  "brandingResourceDescription": "{resourceName} 將被替換為組織名稱",
  "saveAuthPageDomain": "儲存網域",
  "saveAuthPageBranding": "儲存品牌",
  "removeAuthPageBranding": "移除品牌",
  "noDomainSet": "沒有域設置",
  "changeDomain": "更改域",
  "selectDomain": "選擇域",
@@ -1764,6 +1877,15 @@
  "orgAuthChooseIdpDescription": "選擇您的身份提供商以繼續",
  "orgAuthNoIdpConfigured": "此機構沒有配置任何身份提供者。您可以使用您的 Pangolin 身份登錄。",
  "orgAuthSignInWithPangolin": "使用 Pangolin 登錄",
  "orgAuthSignInToOrg": "登入組織",
  "orgAuthSelectOrgTitle": "組織登入",
  "orgAuthSelectOrgDescription": "輸入您的組織 ID 以繼續",
  "orgAuthOrgIdPlaceholder": "your-organization",
  "orgAuthOrgIdHelp": "輸入您組織的唯一識別碼",
  "orgAuthSelectOrgHelp": "輸入組織 ID 後，您將被導向到組織的登入頁面，在那裡您可以使用 SSO 或組織憑證。",
  "orgAuthRememberOrgId": "記住此組織 ID",
  "orgAuthBackToSignIn": "返回標準登入",
  "orgAuthNoAccount": "沒有帳戶？",
  "subscriptionRequiredToUse": "需要訂閱才能使用此功能。",
  "idpDisabled": "身份提供者已禁用。",
  "orgAuthPageDisabled": "組織認證頁面已禁用。",
@@ -1778,6 +1900,8 @@
  "enableTwoFactorAuthentication": "啟用兩步驗證",
  "completeSecuritySteps": "完成安全步驟",
  "securitySettings": "安全設定",
  "dangerSection": "危險區域",
  "dangerSectionDescription": "永久刪除與此組織相關的所有資料",
  "securitySettingsDescription": "配置您組織的安全策略",
  "requireTwoFactorForAllUsers": "所有用戶需要兩步驗證",
  "requireTwoFactorDescription": "如果啟用，此組織的所有內部用戶必須啟用雙重身份驗證才能訪問組織。",
@@ -1815,7 +1939,7 @@
  "securityPolicyChangeWarningText": "這將影響組織中的所有用戶",
  "authPageErrorUpdateMessage": "更新身份驗證頁面設置時出錯",
  "authPageErrorUpdate": "無法更新認證頁面",
-    "authPageUpdated": "身份驗證頁面更新成功",
+  "authPageDomainUpdated": "驗證頁面網域更新成功",
  "healthCheckNotAvailable": "本地的",
  "rewritePath": "重寫路徑",
  "rewritePathDescription": "在轉發到目標之前，可以選擇重寫路徑。",
@@ -1841,8 +1965,19 @@
  "enterpriseEdition": "企業版",
  "unlicensed": "未授權",
  "beta": "測試版",
-    "manageClients": "管理用戶端",
+  "manageUserDevices": "使用者裝置",
-    "manageClientsDescription": "用戶端是可以連接到您的站點的設備",
+  "manageUserDevicesDescription": "查看和管理使用者用於私密連接資源的裝置",
  "downloadClientBannerTitle": "下載 Pangolin 客戶端",
  "downloadClientBannerDescription": "下載適用於您系統的 Pangolin 客戶端，以連接到 Pangolin 網路並私密存取資源。",
  "manageMachineClients": "管理機器客戶端",
  "manageMachineClientsDescription": "建立和管理伺服器和系統用於私密連接資源的客戶端",
  "machineClientsBannerTitle": "伺服器與自動化系統",
  "machineClientsBannerDescription": "機器客戶端適用於與特定使用者無關的伺服器和自動化系統。它們使用 ID 和密鑰進行驗證，可以透過 Pangolin CLI、Olm CLI 或 Olm 容器執行。",
  "machineClientsBannerPangolinCLI": "Pangolin CLI",
  "machineClientsBannerOlmCLI": "Olm CLI",
  "machineClientsBannerOlmContainer": "Olm 容器",
  "clientsTableUserClients": "使用者",
  "clientsTableMachineClients": "機器",
  "licenseTableValidUntil": "有效期至",
  "saasLicenseKeysSettingsTitle": "企業許可證",
  "saasLicenseKeysSettingsDescription": "為自我託管的 Pangolin 實例生成和管理企業許可證金鑰",
@@ -1982,6 +2117,7 @@
  "clientMessageRemove": "一旦刪除，用戶端將無法連接到站點。",
  "sidebarLogs": "日誌",
  "request": "請求",
  "requests": "請求",
  "logs": "日誌",
  "logsSettingsDescription": "監視從此 orginization 中收集的日誌",
  "searchLogs": "搜索日誌...",
@@ -1990,6 +2126,8 @@
  "timestamp": "時間戳",
  "accessLogs": "訪問日誌",
  "exportCsv": "導出 CSV",
  "exportError": "匯出 CSV 時發生未知錯誤",
  "exportCsvTooltip": "在時間範圍內",
  "actorId": "執行者 ID",
  "allowedByRule": "根據規則允許",
  "allowedNoAuth": "無認證",
@@ -2007,6 +2145,7 @@
  "ip": "IP",
  "reason": "原因",
  "requestLogs": "請求日誌",
  "requestAnalytics": "請求分析",
  "host": "主機",
  "location": "地點",
  "actionLogs": "操作日誌",
@@ -2016,6 +2155,7 @@
  "logRetention": "日誌保留",
  "logRetentionDescription": "管理不同類型的日誌為這個機構保留多長時間或禁用這些日誌",
  "requestLogsDescription": "查看此機構資源的詳細請求日誌",
  "requestAnalyticsDescription": "查看此組織資源的詳細請求分析",
  "logRetentionRequestLabel": "請求日誌保留",
  "logRetentionRequestDescription": "保留請求日誌的時間",
  "logRetentionAccessLabel": "訪問日誌保留",
@@ -2029,6 +2169,7 @@
  "logRetention30Days": "30 天",
  "logRetention90Days": "90 天",
  "logRetentionForever": "永遠的",
  "logRetentionEndOfFollowingYear": "次年年底",
  "actionLogsDescription": "查看此機構執行的操作歷史",
  "accessLogsDescription": "查看此機構資源的訪問認證請求",
  "licenseRequiredToUse": "需要企業許可證才能使用此功能。",
@@ -2084,6 +2225,43 @@
  "supportMessageSent": "消息已發送！",
  "supportWillContact": "我們很快就會聯繫起來！",
  "selectLogRetention": "選擇保留日誌",
  "terms": "條款",
  "privacy": "隱私權",
  "security": "安全性",
  "docs": "文件",
  "deviceActivation": "裝置啟用",
  "deviceCodeInvalidFormat": "代碼必須為 9 個字元（例如：A1AJ-N5JD）",
  "deviceCodeInvalidOrExpired": "代碼無效或已過期",
  "deviceCodeVerifyFailed": "驗證裝置代碼失敗",
  "signedInAs": "已登入為",
  "deviceCodeEnterPrompt": "輸入裝置上顯示的代碼",
  "continue": "繼續",
  "deviceUnknownLocation": "未知位置",
  "deviceAuthorizationRequested": "此授權請求來自 {location}，時間為 {date}。請確保您信任此裝置，因為它將獲得帳戶存取權限。",
  "deviceLabel": "裝置：{deviceName}",
  "deviceWantsAccess": "想要存取您的帳戶",
  "deviceExistingAccess": "現有存取權限：",
  "deviceFullAccess": "完整帳戶存取權限",
  "deviceOrganizationsAccess": "存取您帳戶有權限的所有組織",
  "deviceAuthorize": "授權 {applicationName}",
  "deviceConnected": "裝置已連接！",
  "deviceAuthorizedMessage": "裝置已獲授權存取您的帳戶。請返回客戶端應用程式。",
  "pangolinCloud": "Pangolin 雲端",
  "viewDevices": "查看裝置",
  "viewDevicesDescription": "管理您已連接的裝置",
  "noDevices": "找不到裝置",
  "dateCreated": "建立日期",
  "unnamedDevice": "未命名裝置",
  "deviceQuestionRemove": "您確定要刪除此裝置嗎？",
  "deviceMessageRemove": "此操作無法復原。",
  "deviceDeleteConfirm": "刪除裝置",
  "deleteDevice": "刪除裝置",
  "errorLoadingDevices": "載入裝置時發生錯誤",
  "failedToLoadDevices": "載入裝置失敗",
  "deviceDeleted": "裝置已刪除",
  "deviceDeletedDescription": "裝置已成功刪除。",
  "errorDeletingDevice": "刪除裝置時發生錯誤",
  "failedToDeleteDevice": "刪除裝置失敗",
  "showColumns": "顯示列",
  "hideColumns": "隱藏列",
  "columnVisibility": "列可見性",
@@ -2097,5 +2275,125 @@
  "selectedResources": "選定的資源",
  "enableSelected": "啟用選中的",
  "disableSelected": "禁用選中的",
-    "checkSelectedStatus": "檢查選中的狀態"
+  "checkSelectedStatus": "檢查選中的狀態",
  "clients": "客戶端",
  "accessClientSelect": "選擇機器客戶端",
  "resourceClientDescription": "可以存取此資源的機器客戶端",
  "regenerate": "重新產生",
  "credentials": "憑證",
  "savecredentials": "儲存憑證",
  "regenerateCredentialsButton": "重新產生憑證",
  "regenerateCredentials": "重新產生憑證",
  "generatedcredentials": "已產生的憑證",
  "copyandsavethesecredentials": "複製並儲存這些憑證",
  "copyandsavethesecredentialsdescription": "離開此頁面後將不會再顯示這些憑證。請立即安全儲存。",
  "credentialsSaved": "憑證已儲存",
  "credentialsSavedDescription": "憑證已成功重新產生並儲存。",
  "credentialsSaveError": "憑證儲存錯誤",
  "credentialsSaveErrorDescription": "重新產生和儲存憑證時發生錯誤。",
  "regenerateCredentialsWarning": "重新產生憑證將使先前的憑證失效並導致斷線。請確保更新任何使用這些憑證的設定。",
  "confirm": "確認",
  "regenerateCredentialsConfirmation": "您確定要重新產生憑證嗎？",
  "endpoint": "端點",
  "Id": "ID",
  "SecretKey": "密鑰",
  "niceId": "友善 ID",
  "niceIdUpdated": "友善 ID 已更新",
  "niceIdUpdatedSuccessfully": "友善 ID 更新成功",
  "niceIdUpdateError": "更新友善 ID 時發生錯誤",
  "niceIdUpdateErrorDescription": "更新友善 ID 時發生錯誤。",
  "niceIdCannotBeEmpty": "友善 ID 不能為空",
  "enterIdentifier": "輸入識別碼",
  "identifier": "識別碼",
  "deviceLoginUseDifferentAccount": "不是您嗎？使用其他帳戶。",
  "deviceLoginDeviceRequestingAccessToAccount": "有裝置正在請求存取此帳戶。",
  "noData": "無資料",
  "machineClients": "機器客戶端",
  "install": "安裝",
  "run": "執行",
  "clientNameDescription": "客戶端的顯示名稱，可以稍後更改。",
  "clientAddress": "客戶端位址（進階）",
  "setupFailedToFetchSubnet": "取得預設子網路失敗",
  "setupSubnetAdvanced": "子網路（進階）",
  "setupSubnetDescription": "此組織內部網路的子網路。",
  "setupUtilitySubnet": "工具子網路（進階）",
  "setupUtilitySubnetDescription": "此組織別名位址和 DNS 伺服器的子網路。",
  "siteRegenerateAndDisconnect": "重新產生並斷開連接",
  "siteRegenerateAndDisconnectConfirmation": "您確定要重新產生憑證並斷開此站點的連接嗎？",
  "siteRegenerateAndDisconnectWarning": "這將重新產生憑證並立即斷開站點連接。站點需要使用新憑證重新啟動。",
  "siteRegenerateCredentialsConfirmation": "您確定要重新產生此站點的憑證嗎？",
  "siteRegenerateCredentialsWarning": "這將重新產生憑證。站點將保持連接，直到您手動重新啟動並使用新憑證。",
  "clientRegenerateAndDisconnect": "重新產生並斷開連接",
  "clientRegenerateAndDisconnectConfirmation": "您確定要重新產生憑證並斷開此客戶端的連接嗎？",
  "clientRegenerateAndDisconnectWarning": "這將重新產生憑證並立即斷開客戶端連接。客戶端需要使用新憑證重新啟動。",
  "clientRegenerateCredentialsConfirmation": "您確定要重新產生此客戶端的憑證嗎？",
  "clientRegenerateCredentialsWarning": "這將重新產生憑證。客戶端將保持連接，直到您手動重新啟動並使用新憑證。",
  "remoteExitNodeRegenerateAndDisconnect": "重新產生並斷開連接",
  "remoteExitNodeRegenerateAndDisconnectConfirmation": "您確定要重新產生憑證並斷開此遠端出口節點的連接嗎？",
  "remoteExitNodeRegenerateAndDisconnectWarning": "這將重新產生憑證並立即斷開遠端出口節點連接。遠端出口節點需要使用新憑證重新啟動。",
  "remoteExitNodeRegenerateCredentialsConfirmation": "您確定要重新產生此遠端出口節點的憑證嗎？",
  "remoteExitNodeRegenerateCredentialsWarning": "這將重新產生憑證。遠端出口節點將保持連接，直到您手動重新啟動並使用新憑證。",
  "agent": "代理",
  "personalUseOnly": "僅限個人使用",
  "loginPageLicenseWatermark": "此實例僅授權個人使用。",
  "instanceIsUnlicensed": "此實例未授權。",
  "portRestrictions": "連接埠限制",
  "allPorts": "全部",
  "custom": "自訂",
  "allPortsAllowed": "允許所有連接埠",
  "allPortsBlocked": "阻擋所有連接埠",
  "tcpPortsDescription": "指定此資源允許的 TCP 連接埠。使用「*」表示所有連接埠，留空表示阻擋全部，或輸入以逗號分隔的連接埠和範圍（例如：80,443,8000-9000）。",
  "udpPortsDescription": "指定此資源允許的 UDP 連接埠。使用「*」表示所有連接埠，留空表示阻擋全部，或輸入以逗號分隔的連接埠和範圍（例如：53,123,500-600）。",
  "organizationLoginPageTitle": "組織登入頁面",
  "organizationLoginPageDescription": "自訂此組織的登入頁面",
  "resourceLoginPageTitle": "資源登入頁面",
  "resourceLoginPageDescription": "自訂個別資源的登入頁面",
  "enterConfirmation": "輸入確認",
  "blueprintViewDetails": "詳細資訊",
  "defaultIdentityProvider": "預設身份提供者",
  "defaultIdentityProviderDescription": "當選擇預設身份提供者時，使用者將自動被重新導向到該提供者進行驗證。",
  "editInternalResourceDialogNetworkSettings": "網路設定",
  "editInternalResourceDialogAccessPolicy": "存取策略",
  "editInternalResourceDialogAddRoles": "新增角色",
  "editInternalResourceDialogAddUsers": "新增使用者",
  "editInternalResourceDialogAddClients": "新增客戶端",
  "editInternalResourceDialogDestinationLabel": "目的地",
  "editInternalResourceDialogDestinationDescription": "指定內部資源的目的地位址。根據所選模式，這可以是主機名稱、IP 位址或 CIDR 範圍。可選擇設定內部 DNS 別名以便識別。",
  "editInternalResourceDialogPortRestrictionsDescription": "限制對特定 TCP/UDP 連接埠的存取，或允許/阻擋所有連接埠。",
  "editInternalResourceDialogTcp": "TCP",
  "editInternalResourceDialogUdp": "UDP",
  "editInternalResourceDialogIcmp": "ICMP",
  "editInternalResourceDialogAccessControl": "存取控制",
  "editInternalResourceDialogAccessControlDescription": "控制哪些角色、使用者和機器客戶端在連接時可以存取此資源。管理員始終擁有存取權限。",
  "editInternalResourceDialogPortRangeValidationError": "連接埠範圍必須是「*」表示所有連接埠，或以逗號分隔的連接埠和範圍列表（例如：「80,443,8000-9000」）。連接埠必須介於 1 到 65535 之間。",
  "orgAuthWhatsThis": "我在哪裡可以找到我的組織 ID？",
  "learnMore": "了解更多",
  "backToHome": "返回首頁",
  "needToSignInToOrg": "需要使用您組織的身份提供者嗎？",
  "maintenanceMode": "維護模式",
  "maintenanceModeDescription": "向訪客顯示維護頁面",
  "maintenanceModeType": "維護模式類型",
  "showMaintenancePage": "向訪客顯示維護頁面",
  "enableMaintenanceMode": "啟用維護模式",
  "automatic": "自動",
  "automaticModeDescription": "僅在所有後端目標都關閉或不健康時顯示維護頁面。只要至少有一個目標健康，您的資源就會正常運作。",
  "forced": "強制",
  "forcedModeDescription": "無論後端健康狀況如何，始終顯示維護頁面。當您想要阻止所有存取時，用於計劃維護。",
  "warning:": "警告：",
  "forcedeModeWarning": "所有流量將被導向維護頁面。您的後端資源將不會收到任何請求。",
  "pageTitle": "頁面標題",
  "pageTitleDescription": "維護頁面上顯示的主標題",
  "maintenancePageMessage": "維護訊息",
  "maintenancePageMessagePlaceholder": "我們很快就會回來！我們的網站目前正在進行預定維護。",
  "maintenancePageMessageDescription": "說明維護的詳細訊息",
  "maintenancePageTimeTitle": "預計完成時間（可選）",
  "maintenanceTime": "例如：2 小時、11 月 1 日下午 5:00",
  "maintenanceEstimatedTimeDescription": "您預計何時完成維護",
  "editDomain": "編輯網域",
  "editDomainDescription": "為您的資源選擇網域",
  "maintenanceModeDisabledTooltip": "此功能需要有效的授權才能啟用。",
  "maintenanceScreenTitle": "服務暫時無法使用",
  "maintenanceScreenMessage": "我們目前遇到技術問題。請稍後再試。",
  "maintenanceScreenEstimatedCompletion": "預計完成時間：",
  "createInternalResourceDialogDestinationRequired": "目的地為必填欄位"
 }
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
    "version": "0.0.0",
    "private": true,
    "type": "module",
-    "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
+    "description": "Identity-aware VPN and proxy for remote access to anything, anywhere and Dashboard UI",
    "homepage": "https://github.com/fosrl/pangolin",
    "repository": {
        "type": "git",
@@ -12,30 +12,29 @@
    "license": "SEE LICENSE IN LICENSE AND README.md",
    "scripts": {
        "dev": "NODE_ENV=development ENVIRONMENT=dev tsx watch server/index.ts",
-        "db:pg:generate": "drizzle-kit generate --config=./drizzle.pg.config.ts",
+        "dev:check": "npx tsc --noEmit && npm run format:check",
-        "db:sqlite:generate": "drizzle-kit generate --config=./drizzle.sqlite.config.ts",
+        "dev:setup": "cp config/config.example.yml config/config.yml && npm run set:oss && npm run set:sqlite && npm run db:sqlite:generate && npm run db:sqlite:push",
-        "db:pg:push": "npx tsx server/db/pg/migrate.ts",
+        "db:generate": "drizzle-kit generate --config=./drizzle.config.ts",
-        "db:sqlite:push": "npx tsx server/db/sqlite/migrate.ts",
+        "db:push": "npx tsx server/db/migrate.ts",
-        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
+        "db:studio": "drizzle-kit studio --config=./drizzle.config.ts",
        "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
        "db:clear-migrations": "rm -rf server/migrations",
        "set:oss": "echo 'export const build = \"oss\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
        "set:saas": "echo 'export const build = \"saas\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
        "set:enterprise": "echo 'export const build = \"enterprise\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.enterprise.json tsconfig.json",
-        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts",
+        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts && cp drizzle.sqlite.config.ts drizzle.config.ts && cp server/setup/migrationsSqlite.ts server/setup/migrations.ts",
-        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts",
+        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts && cp drizzle.pg.config.ts drizzle.config.ts && cp server/setup/migrationsPg.ts server/setup/migrations.ts",
-        "next:build": "next build",
+        "build:next": "next build",
-        "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
+        "build": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrations.ts -o dist/migrations.mjs",
        "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
        "start": "ENVIRONMENT=prod node dist/migrations.mjs && ENVIRONMENT=prod NODE_ENV=development node --enable-source-maps dist/server.mjs",
        "email": "email dev --dir server/emails/templates --port 3005",
        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs",
        "format:check": "prettier --check .",
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.2.0",
+        "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.955.0",
+        "@aws-sdk/client-s3": "3.1011.0",
-        "@faker-js/faker": "10.1.0",
+        "@faker-js/faker": "10.3.0",
        "@headlessui/react": "2.2.9",
        "@hookform/resolvers": "5.2.2",
        "@monaco-editor/react": "4.7.0",
@@ -60,90 +59,83 @@
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
        "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.2",
+        "@react-email/components": "1.0.8",
-        "@react-email/render": "2.0.0",
+        "@react-email/render": "2.0.4",
-        "@react-email/tailwind": "2.0.2",
+        "@react-email/tailwind": "2.0.5",
-        "@simplewebauthn/browser": "13.2.2",
+        "@simplewebauthn/browser": "13.3.0",
-        "@simplewebauthn/server": "13.2.2",
+        "@simplewebauthn/server": "13.3.0",
        "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.90.12",
+        "@tanstack/react-query": "5.90.21",
        "@tanstack/react-table": "8.21.3",
        "arctic": "3.7.0",
-        "axios": "1.13.2",
+        "axios": "1.13.5",
        "better-sqlite3": "11.9.1",
        "canvas-confetti": "1.9.4",
        "class-variance-authority": "0.7.1",
        "clsx": "2.1.1",
        "cmdk": "1.1.1",
        "cookie": "1.1.1",
        "cookie-parser": "1.4.7",
-        "cookies": "0.9.1",
+        "cors": "2.8.6",
        "cors": "2.8.5",
        "crypto-js": "4.2.0",
        "d3": "7.9.0",
        "date-fns": "4.1.0",
        "drizzle-orm": "0.45.1",
        "eslint": "9.39.2",
        "eslint-config-next": "16.1.0",
        "express": "5.2.1",
-        "express-rate-limit": "8.2.1",
+        "express-rate-limit": "8.3.0",
-        "glob": "13.0.0",
+        "glob": "13.0.6",
        "helmet": "8.1.0",
        "http-errors": "2.0.1",
        "i": "0.3.7",
        "input-otp": "1.4.2",
-        "ioredis": "5.8.2",
+        "ioredis": "5.10.0",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.562.0",
+        "lucide-react": "0.577.0",
-        "maxmind": "5.0.1",
+        "maxmind": "5.0.5",
        "moment": "2.30.1",
-        "next": "15.5.9",
+        "next": "15.5.14",
-        "next-intl": "4.6.1",
+        "next-intl": "4.8.3",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "node-fetch": "3.3.2",
+        "nodemailer": "8.0.4",
        "nodemailer": "7.0.11",
        "npm": "11.7.0",
        "nprogress": "0.2.0",
        "oslo": "1.2.1",
-        "pg": "8.16.3",
+        "pg": "8.20.0",
-        "posthog-node": "5.17.4",
+        "posthog-node": "5.28.0",
        "qrcode.react": "4.2.0",
-        "react": "19.2.3",
+        "react": "19.2.4",
-        "react-day-picker": "9.13.0",
+        "react-day-picker": "9.14.0",
-        "react-dom": "19.2.3",
+        "react-dom": "19.2.4",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.68.0",
+        "react-hook-form": "7.71.2",
-        "react-icons": "5.5.0",
+        "react-icons": "5.6.0",
        "rebuild": "0.1.2",
        "recharts": "2.15.4",
-        "reodotdev": "1.0.0",
+        "reodotdev": "1.1.0",
-        "resend": "6.6.0",
+        "resend": "6.9.2",
-        "semver": "7.7.3",
+        "semver": "7.7.4",
-        "stripe": "20.1.0",
+        "sshpk": "1.18.0",
        "stripe": "20.4.1",
        "swagger-ui-express": "5.0.1",
-        "tailwind-merge": "3.4.0",
+        "tailwind-merge": "3.5.0",
        "topojson-client": "3.1.0",
        "tw-animate-css": "1.4.0",
        "use-debounce": "10.1.0",
        "uuid": "13.0.0",
        "vaul": "1.1.2",
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.18.3",
+        "ws": "8.19.0",
-        "yaml": "2.8.2",
+        "yaml": "2.8.3",
        "yargs": "18.0.0",
-        "zod": "4.2.1",
+        "zod": "4.3.6",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.51.2",
+        "@dotenvx/dotenvx": "1.54.1",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@tailwindcss/postcss": "4.1.18",
+        "@react-email/preview-server": "5.2.10",
-        "@tanstack/react-query-devtools": "5.91.1",
+        "@tailwindcss/postcss": "4.2.2",
        "@tanstack/react-query-devtools": "5.91.3",
        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
@@ -152,30 +144,37 @@
        "@types/express": "5.0.6",
        "@types/express-session": "1.18.2",
        "@types/jmespath": "0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "24.10.2",
+        "@types/node": "25.3.5",
-        "@types/nodemailer": "7.0.4",
+        "@types/nodemailer": "7.0.11",
        "@types/nprogress": "0.2.3",
-        "@types/pg": "8.16.0",
+        "@types/pg": "8.18.0",
-        "@types/react": "19.2.7",
+        "@types/react": "19.2.14",
        "@types/react-dom": "19.2.3",
        "@types/semver": "7.7.1",
        "@types/sshpk": "1.17.4",
        "@types/swagger-ui-express": "4.1.8",
        "@types/topojson-client": "3.1.5",
        "@types/ws": "8.18.1",
        "@types/yargs": "17.0.35",
        "@types/js-yaml": "4.0.9",
        "babel-plugin-react-compiler": "1.0.0",
-        "drizzle-kit": "0.31.8",
+        "drizzle-kit": "0.31.10",
-        "esbuild": "0.27.2",
+        "esbuild": "0.27.4",
        "esbuild-node-externals": "1.20.1",
-        "postcss": "8.5.6",
+        "eslint": "10.0.3",
-        "prettier": "3.7.4",
+        "eslint-config-next": "16.1.7",
-        "react-email": "5.0.7",
+        "postcss": "8.5.8",
-        "tailwindcss": "4.1.18",
+        "prettier": "3.8.1",
        "react-email": "5.2.10",
        "tailwindcss": "4.2.2",
        "tsc-alias": "1.8.16",
        "tsx": "4.21.0",
        "typescript": "5.9.3",
-        "typescript-eslint": "8.49.0"
+        "typescript-eslint": "8.56.1"
    },
    "overrides": {
        "esbuild": "0.27.4",
        "dompurify": "3.3.2"
    }
 }
--- a/public/third-party/dd.png
+++ b/public/third-party/dd.png
--- a/public/third-party/s3.png
+++ b/public/third-party/s3.png
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -1,9 +1,10 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db";
+import { userActions, roleActions } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 export enum ActionsEnum {
    createOrgUser = "createOrgUser",
@@ -19,6 +20,7 @@ export enum ActionsEnum {
    getSite = "getSite",
    listSites = "listSites",
    updateSite = "updateSite",
    resetSiteBandwidth = "resetSiteBandwidth",
    reGenerateSecret = "reGenerateSecret",
    createResource = "createResource",
    deleteResource = "deleteResource",
@@ -52,6 +54,8 @@ export enum ActionsEnum {
    listRoleResources = "listRoleResources",
    // listRoleActions = "listRoleActions",
    addUserRole = "addUserRole",
    removeUserRole = "removeUserRole",
    setUserOrgRoles = "setUserOrgRoles",
    // addUserSite = "addUserSite",
    // addUserAction = "addUserAction",
    // removeUserAction = "removeUserAction",
@@ -78,6 +82,10 @@ export enum ActionsEnum {
    updateSiteResource = "updateSiteResource",
    createClient = "createClient",
    deleteClient = "deleteClient",
    archiveClient = "archiveClient",
    unarchiveClient = "unarchiveClient",
    blockClient = "blockClient",
    unblockClient = "unblockClient",
    updateClient = "updateClient",
    listClients = "listClients",
    getClient = "getClient",
@@ -104,6 +112,10 @@ export enum ActionsEnum {
    listApiKeyActions = "listApiKeyActions",
    listApiKeys = "listApiKeys",
    getApiKey = "getApiKey",
    createSiteProvisioningKey = "createSiteProvisioningKey",
    listSiteProvisioningKeys = "listSiteProvisioningKeys",
    updateSiteProvisioningKey = "updateSiteProvisioningKey",
    deleteSiteProvisioningKey = "deleteSiteProvisioningKey",
    getCertificate = "getCertificate",
    restartCertificate = "restartCertificate",
    billing = "billing",
@@ -125,7 +137,14 @@ export enum ActionsEnum {
    getBlueprint = "getBlueprint",
    applyBlueprint = "applyBlueprint",
    viewLogs = "viewLogs",
-    exportLogs = "exportLogs"
+    exportLogs = "exportLogs",
    listApprovals = "listApprovals",
    updateApprovals = "updateApprovals",
    signSshKey = "signSshKey",
    createEventStreamingDestination = "createEventStreamingDestination",
    updateEventStreamingDestination = "updateEventStreamingDestination",
    deleteEventStreamingDestination = "deleteEventStreamingDestination",
    listEventStreamingDestinations = "listEventStreamingDestinations"
 }
 export async function checkUserActionPermission(
@@ -146,29 +165,16 @@ export async function checkUserActionPermission(
    }
    try {
-        let userOrgRoleId = req.userOrgRoleId;
+        let userOrgRoleIds = req.userOrgRoleIds;
-        // If userOrgRoleId is not available on the request, fetch it
+        if (userOrgRoleIds === undefined) {
-        if (userOrgRoleId === undefined) {
+            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
-            const userOrgRole = await db
+            if (userOrgRoleIds.length === 0) {
                .select()
                .from(userOrgs)
                .where(
                    and(
                        eq(userOrgs.userId, userId),
                        eq(userOrgs.orgId, req.userOrgId!)
                    )
                )
                .limit(1);
            if (userOrgRole.length === 0) {
                throw createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                );
            }
            userOrgRoleId = userOrgRole[0].roleId;
        }
        // Check if the user has direct permission for the action in the current org
@@ -179,7 +185,7 @@ export async function checkUserActionPermission(
                and(
                    eq(userActions.userId, userId),
                    eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
+                    eq(userActions.orgId, req.userOrgId!)
                )
            )
            .limit(1);
@@ -188,14 +194,14 @@ export async function checkUserActionPermission(
            return true;
        }
-        // If no direct permission, check role-based permission
+        // If no direct permission, check role-based permission (any of user's roles)
        const roleActionPermission = await db
            .select()
            .from(roleActions)
            .where(
                and(
                    eq(roleActions.actionId, actionId),
-                    eq(roleActions.roleId, userOrgRoleId!),
+                    inArray(roleActions.roleId, userOrgRoleIds),
                    eq(roleActions.orgId, req.userOrgId!)
                )
            )
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,26 +1,29 @@
 import { db } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";
 export async function canUserAccessResource({
    userId,
    resourceId,
-    roleId
+    roleIds
 }: {
    userId: string;
    resourceId: number;
-    roleId: number;
+    roleIds: number[];
 }): Promise<boolean> {
-    const roleResourceAccess = await db
+    const roleResourceAccess =
        roleIds.length > 0
            ? await db
                  .select()
                  .from(roleResources)
                  .where(
                      and(
                          eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
+                          inArray(roleResources.roleId, roleIds)
                      )
                  )
-        .limit(1);
+                  .limit(1)
            : [];
    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -0,0 +1,48 @@
 import { db } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 export async function canUserAccessSiteResource({
    userId,
    resourceId,
    roleIds
 }: {
    userId: string;
    resourceId: number;
    roleIds: number[];
 }): Promise<boolean> {
    const roleResourceAccess =
        roleIds.length > 0
            ? await db
                  .select()
                  .from(roleSiteResources)
                  .where(
                      and(
                          eq(roleSiteResources.siteResourceId, resourceId),
                          inArray(roleSiteResources.roleId, roleIds)
                      )
                  )
                  .limit(1)
            : [];
    if (roleResourceAccess.length > 0) {
        return true;
    }
    const userResourceAccess = await db
        .select()
        .from(userSiteResources)
        .where(
            and(
                eq(userSiteResources.userId, userId),
                eq(userSiteResources.siteResourceId, resourceId)
            )
        )
        .limit(1);
    if (userResourceAccess.length > 0) {
        return true;
    }
    return false;
 }
--- a/server/auth/sessions/app.ts
+++ b/server/auth/sessions/app.ts
@@ -3,7 +3,14 @@ import {
    encodeHexLowerCase
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
-import { resourceSessions, Session, sessions, User, users } from "@server/db";
+import {
    resourceSessions,
    safeRead,
    Session,
    sessions,
    User,
    users
 } from "@server/db";
 import { db } from "@server/db";
 import { eq, inArray } from "drizzle-orm";
 import config from "@server/lib/config";
@@ -54,11 +61,15 @@ export async function validateSessionToken(
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
-    const result = await db
+
    const result = await safeRead((db) =>
        db
            .select({ user: users, session: sessions })
            .from(sessions)
            .innerJoin(users, eq(sessions.userId, users.userId))
-        .where(eq(sessions.sessionId, sessionId));
+            .where(eq(sessions.sessionId, sessionId))
    );
    if (result.length < 1) {
        return { session: null, user: null };
    }
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -1,7 +1,7 @@
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { resourceSessions, ResourceSession } from "@server/db";
-import { db } from "@server/db";
+import { db, safeRead } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
@@ -66,7 +66,8 @@ export async function validateResourceSessionToken(
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
-    const result = await db
+    const result = await safeRead((db) =>
        db
            .select()
            .from(resourceSessions)
            .where(
@@ -74,6 +75,7 @@ export async function validateResourceSessionToken(
                    eq(resourceSessions.sessionId, sessionId),
                    eq(resourceSessions.resourceId, resourceId)
                )
            )
    );
    if (result.length < 1) {
@@ -85,7 +87,7 @@ export async function validateResourceSessionToken(
    if (Date.now() >= resourceSession.expiresAt) {
        await db
            .delete(resourceSessions)
-            .where(eq(resourceSessions.sessionId, resourceSessions.sessionId));
+            .where(eq(resourceSessions.sessionId, sessionId));
        return { resourceSession: null };
    } else if (
        Date.now() >=
@@ -179,7 +181,7 @@ export function serializeResourceSessionCookie(
        return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Secure; Domain=${domain}`;
    } else {
        if (expiresAt === undefined) {
-            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=$domain}`;
+            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=${domain}`;
        }
        return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Domain=${domain}`;
    }
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,6 +1,14 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushConnectionLogToDb } from "#dynamic/routers/newt";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 async function cleanup() {
    await stopPingAccumulator();
    await flushBandwidthToDb();
    await flushConnectionLogToDb();
    await flushSiteBandwidthToDb();
    await wsCleanup();
    process.exit(0);
--- a/server/db/README.md
+++ b/server/db/README.md
@@ -56,15 +56,15 @@ Ensure drizzle-kit is installed.
 You must have a connection string in your config file, as shown above.
 ```bash
-npm run db:pg:generate
+npm run db:generate
-npm run db:pg:push
+npm run db:push
 ```
 ### SQLite
 ```bash
-npm run db:sqlite:generate
+npm run db:generate
-npm run db:sqlite:push
+npm run db:push
 ```
 ## Build Time
--- a/server/db/ios_models.json
+++ b/server/db/ios_models.json
@@ -0,0 +1,150 @@
 {
  "iPad1,1": "iPad",
  "iPad2,1": "iPad 2",
  "iPad2,2": "iPad 2",
  "iPad2,3": "iPad 2",
  "iPad2,4": "iPad 2",
  "iPad3,1": "iPad 3rd Gen",
  "iPad3,3": "iPad 3rd Gen",
  "iPad3,2": "iPad 3rd Gen",
  "iPad3,4": "iPad 4th Gen",
  "iPad3,5": "iPad 4th Gen",
  "iPad3,6": "iPad 4th Gen",
  "iPad6,11": "iPad 9.7 5th Gen",
  "iPad6,12": "iPad 9.7 5th Gen",
  "iPad7,5": "iPad 9.7 6th Gen",
  "iPad7,6": "iPad 9.7 6th Gen",
  "iPad7,11": "iPad 10.2 7th Gen",
  "iPad7,12": "iPad 10.2 7th Gen",
  "iPad11,6": "iPad 10.2 8th Gen",
  "iPad11,7": "iPad 10.2 8th Gen",
  "iPad12,1": "iPad 10.2 9th Gen",
  "iPad12,2": "iPad 10.2 9th Gen",
  "iPad13,18": "iPad 10.9 10th Gen",
  "iPad13,19": "iPad 10.9 10th Gen",
  "iPad4,1": "iPad Air",
  "iPad4,2": "iPad Air",
  "iPad4,3": "iPad Air",
  "iPad5,3": "iPad Air 2",
  "iPad5,4": "iPad Air 2",
  "iPad11,3": "iPad Air 3rd Gen",
  "iPad11,4": "iPad Air 3rd Gen",
  "iPad13,1": "iPad Air 4th Gen",
  "iPad13,2": "iPad Air 4th Gen",
  "iPad13,16": "iPad Air 5th Gen",
  "iPad13,17": "iPad Air 5th Gen",
  "iPad14,8": "iPad Air M2 11",
  "iPad14,9": "iPad Air M2 11",
  "iPad14,10": "iPad Air M2 13",
  "iPad14,11": "iPad Air M2 13",
  "iPad2,5": "iPad mini",
  "iPad2,6": "iPad mini",
  "iPad2,7": "iPad mini",
  "iPad4,4": "iPad mini 2",
  "iPad4,5": "iPad mini 2",
  "iPad4,6": "iPad mini 2",
  "iPad4,7": "iPad mini 3",
  "iPad4,8": "iPad mini 3",
  "iPad4,9": "iPad mini 3",
  "iPad5,1": "iPad mini 4",
  "iPad5,2": "iPad mini 4",
  "iPad11,1": "iPad mini 5th Gen",
  "iPad11,2": "iPad mini 5th Gen",
  "iPad14,1": "iPad mini 6th Gen",
  "iPad14,2": "iPad mini 6th Gen",
  "iPad6,7": "iPad Pro 12.9",
  "iPad6,8": "iPad Pro 12.9",
  "iPad6,3": "iPad Pro 9.7",
  "iPad6,4": "iPad Pro 9.7",
  "iPad7,3": "iPad Pro 10.5",
  "iPad7,4": "iPad Pro 10.5",
  "iPad7,1": "iPad Pro 12.9",
  "iPad7,2": "iPad Pro 12.9",
  "iPad8,1": "iPad Pro 11",
  "iPad8,2": "iPad Pro 11",
  "iPad8,3": "iPad Pro 11",
  "iPad8,4": "iPad Pro 11",
  "iPad8,5": "iPad Pro 12.9",
  "iPad8,6": "iPad Pro 12.9",
  "iPad8,7": "iPad Pro 12.9",
  "iPad8,8": "iPad Pro 12.9",
  "iPad8,9": "iPad Pro 11",
  "iPad8,10": "iPad Pro 11",
  "iPad8,11": "iPad Pro 12.9",
  "iPad8,12": "iPad Pro 12.9",
  "iPad13,4": "iPad Pro 11",
  "iPad13,5": "iPad Pro 11",
  "iPad13,6": "iPad Pro 11",
  "iPad13,7": "iPad Pro 11",
  "iPad13,8": "iPad Pro 12.9",
  "iPad13,9": "iPad Pro 12.9",
  "iPad13,10": "iPad Pro 12.9",
  "iPad13,11": "iPad Pro 12.9",
  "iPad14,3": "iPad Pro 11",
  "iPad14,4": "iPad Pro 11",
  "iPad14,5": "iPad Pro 12.9",
  "iPad14,6": "iPad Pro 12.9",
  "iPad16,3": "iPad Pro M4 11",
  "iPad16,4": "iPad Pro M4 11",
  "iPad16,5": "iPad Pro M4 13",
  "iPad16,6": "iPad Pro M4 13",
  "iPhone1,1": "iPhone",
  "iPhone1,2": "iPhone 3G",
  "iPhone2,1": "iPhone 3GS",
  "iPhone3,1": "iPhone 4",
  "iPhone3,2": "iPhone 4",
  "iPhone3,3": "iPhone 4",
  "iPhone4,1": "iPhone 4S",
  "iPhone5,1": "iPhone 5",
  "iPhone5,2": "iPhone 5",
  "iPhone5,3": "iPhone 5c",
  "iPhone5,4": "iPhone 5c",
  "iPhone6,1": "iPhone 5s",
  "iPhone6,2": "iPhone 5s",
  "iPhone7,2": "iPhone 6",
  "iPhone7,1": "iPhone 6 Plus",
  "iPhone8,1": "iPhone 6s",
  "iPhone8,2": "iPhone 6s Plus",
  "iPhone8,4": "iPhone SE",
  "iPhone9,1": "iPhone 7",
  "iPhone9,3": "iPhone 7",
  "iPhone9,2": "iPhone 7 Plus",
  "iPhone9,4": "iPhone 7 Plus",
  "iPhone10,1": "iPhone 8",
  "iPhone10,4": "iPhone 8",
  "iPhone10,2": "iPhone 8 Plus",
  "iPhone10,5": "iPhone 8 Plus",
  "iPhone10,3": "iPhone X",
  "iPhone10,6": "iPhone X",
  "iPhone11,2": "iPhone Xs",
  "iPhone11,6": "iPhone Xs Max",
  "iPhone11,8": "iPhone XR",
  "iPhone12,1": "iPhone 11",
  "iPhone12,3": "iPhone 11 Pro",
  "iPhone12,5": "iPhone 11 Pro Max",
  "iPhone12,8": "iPhone SE",
  "iPhone13,1": "iPhone 12 mini",
  "iPhone13,2": "iPhone 12",
  "iPhone13,3": "iPhone 12 Pro",
  "iPhone13,4": "iPhone 12 Pro Max",
  "iPhone14,4": "iPhone 13 mini",
  "iPhone14,5": "iPhone 13",
  "iPhone14,2": "iPhone 13 Pro",
  "iPhone14,3": "iPhone 13 Pro Max",
  "iPhone14,6": "iPhone SE",
  "iPhone14,7": "iPhone 14",
  "iPhone14,8": "iPhone 14 Plus",
  "iPhone15,2": "iPhone 14 Pro",
  "iPhone15,3": "iPhone 14 Pro Max",
  "iPhone15,4": "iPhone 15",
  "iPhone15,5": "iPhone 15 Plus",
  "iPhone16,1": "iPhone 15 Pro",
  "iPhone16,2": "iPhone 15 Pro Max",
  "iPod1,1": "iPod touch Original",
  "iPod2,1": "iPod touch 2nd",
  "iPod3,1": "iPod touch 3rd Gen",
  "iPod4,1": "iPod touch 4th",
  "iPod5,1": "iPod touch 5th",
  "iPod7,1": "iPod touch 6th Gen",
  "iPod9,1": "iPod touch 7th Gen"
 }
--- a/server/db/mac_models.json
+++ b/server/db/mac_models.json
@@ -0,0 +1,201 @@
 {
  "PowerMac4,4": "eMac",
  "PowerMac6,4": "eMac",
  "PowerBook2,1": "iBook",
  "PowerBook2,2": "iBook",
  "PowerBook4,1": "iBook",
  "PowerBook4,2": "iBook",
  "PowerBook4,3": "iBook",
  "PowerBook6,3": "iBook",
  "PowerBook6,5": "iBook",
  "PowerBook6,7": "iBook",
  "iMac,1": "iMac",
  "PowerMac2,1": "iMac",
  "PowerMac2,2": "iMac",
  "PowerMac4,1": "iMac",
  "PowerMac4,2": "iMac",
  "PowerMac4,5": "iMac",
  "PowerMac6,1": "iMac",
  "PowerMac6,3*": "iMac",
  "PowerMac6,3": "iMac",
  "PowerMac8,1": "iMac",
  "PowerMac8,2": "iMac",
  "PowerMac12,1": "iMac",
  "iMac4,1": "iMac",
  "iMac4,2": "iMac",
  "iMac5,2": "iMac",
  "iMac5,1": "iMac",
  "iMac6,1": "iMac",
  "iMac7,1": "iMac",
  "iMac8,1": "iMac",
  "iMac9,1": "iMac",
  "iMac10,1": "iMac",
  "iMac11,1": "iMac",
  "iMac11,2": "iMac",
  "iMac11,3": "iMac",
  "iMac12,1": "iMac",
  "iMac12,2": "iMac",
  "iMac13,1": "iMac",
  "iMac13,2": "iMac",
  "iMac14,1": "iMac",
  "iMac14,3": "iMac",
  "iMac14,2": "iMac",
  "iMac14,4": "iMac",
  "iMac15,1": "iMac",
  "iMac16,1": "iMac",
  "iMac16,2": "iMac",
  "iMac17,1": "iMac",
  "iMac18,1": "iMac",
  "iMac18,2": "iMac",
  "iMac18,3": "iMac",
  "iMac19,2": "iMac",
  "iMac19,1": "iMac",
  "iMac20,1": "iMac",
  "iMac20,2": "iMac",
  "iMac21,2": "iMac",
  "iMac21,1": "iMac",
  "iMacPro1,1": "iMac Pro",
  "PowerMac10,1": "Mac mini",
  "PowerMac10,2": "Mac mini",
  "Macmini1,1": "Mac mini",
  "Macmini2,1": "Mac mini",
  "Macmini3,1": "Mac mini",
  "Macmini4,1": "Mac mini",
  "Macmini5,1": "Mac mini",
  "Macmini5,2": "Mac mini",
  "Macmini5,3": "Mac mini",
  "Macmini6,1": "Mac mini",
  "Macmini6,2": "Mac mini",
  "Macmini7,1": "Mac mini",
  "Macmini8,1": "Mac mini",
  "ADP3,2": "Mac mini",
  "Macmini9,1": "Mac mini",
  "Mac14,3": "Mac mini",
  "Mac14,12": "Mac mini",
  "MacPro1,1*": "Mac Pro",
  "MacPro2,1": "Mac Pro",
  "MacPro3,1": "Mac Pro",
  "MacPro4,1": "Mac Pro",
  "MacPro5,1": "Mac Pro",
  "MacPro6,1": "Mac Pro",
  "MacPro7,1": "Mac Pro",
  "N/A*": "Power Macintosh",
  "PowerMac1,1": "Power Macintosh",
  "PowerMac3,1": "Power Macintosh",
  "PowerMac3,3": "Power Macintosh",
  "PowerMac3,4": "Power Macintosh",
  "PowerMac3,5": "Power Macintosh",
  "PowerMac3,6": "Power Macintosh",
  "Mac13,1": "Mac Studio",
  "Mac13,2": "Mac Studio",
  "MacBook1,1": "MacBook",
  "MacBook2,1": "MacBook",
  "MacBook3,1": "MacBook",
  "MacBook4,1": "MacBook",
  "MacBook5,1": "MacBook",
  "MacBook5,2": "MacBook",
  "MacBook6,1": "MacBook",
  "MacBook7,1": "MacBook",
  "MacBook8,1": "MacBook",
  "MacBook9,1": "MacBook",
  "MacBook10,1": "MacBook",
  "MacBookAir1,1": "MacBook Air",
  "MacBookAir2,1": "MacBook Air",
  "MacBookAir3,1": "MacBook Air",
  "MacBookAir3,2": "MacBook Air",
  "MacBookAir4,1": "MacBook Air",
  "MacBookAir4,2": "MacBook Air",
  "MacBookAir5,1": "MacBook Air",
  "MacBookAir5,2": "MacBook Air",
  "MacBookAir6,1": "MacBook Air",
  "MacBookAir6,2": "MacBook Air",
  "MacBookAir7,1": "MacBook Air",
  "MacBookAir7,2": "MacBook Air",
  "MacBookAir8,1": "MacBook Air",
  "MacBookAir8,2": "MacBook Air",
  "MacBookAir9,1": "MacBook Air",
  "MacBookAir10,1": "MacBook Air",
  "Mac14,2": "MacBook Air",
  "MacBookPro1,1": "MacBook Pro",
  "MacBookPro1,2": "MacBook Pro",
  "MacBookPro2,2": "MacBook Pro",
  "MacBookPro2,1": "MacBook Pro",
  "MacBookPro3,1": "MacBook Pro",
  "MacBookPro4,1": "MacBook Pro",
  "MacBookPro5,1": "MacBook Pro",
  "MacBookPro5,2": "MacBook Pro",
  "MacBookPro5,5": "MacBook Pro",
  "MacBookPro5,4": "MacBook Pro",
  "MacBookPro5,3": "MacBook Pro",
  "MacBookPro7,1": "MacBook Pro",
  "MacBookPro6,2": "MacBook Pro",
  "MacBookPro6,1": "MacBook Pro",
  "MacBookPro8,1": "MacBook Pro",
  "MacBookPro8,2": "MacBook Pro",
  "MacBookPro8,3": "MacBook Pro",
  "MacBookPro9,2": "MacBook Pro",
  "MacBookPro9,1": "MacBook Pro",
  "MacBookPro10,1": "MacBook Pro",
  "MacBookPro10,2": "MacBook Pro",
  "MacBookPro11,1": "MacBook Pro",
  "MacBookPro11,2": "MacBook Pro",
  "MacBookPro11,3": "MacBook Pro",
  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro11,4": "MacBook Pro",
  "MacBookPro11,5": "MacBook Pro",
  "MacBookPro13,1": "MacBook Pro",
  "MacBookPro13,2": "MacBook Pro",
  "MacBookPro13,3": "MacBook Pro",
  "MacBookPro14,1": "MacBook Pro",
  "MacBookPro14,2": "MacBook Pro",
  "MacBookPro14,3": "MacBook Pro",
  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,1": "MacBook Pro",
  "MacBookPro15,3": "MacBook Pro",
  "MacBookPro15,4": "MacBook Pro",
  "MacBookPro16,1": "MacBook Pro",
  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,2": "MacBook Pro",
  "MacBookPro16,4": "MacBook Pro",
  "MacBookPro17,1": "MacBook Pro",
  "MacBookPro18,3": "MacBook Pro",
  "MacBookPro18,4": "MacBook Pro",
  "MacBookPro18,1": "MacBook Pro",
  "MacBookPro18,2": "MacBook Pro",
  "Mac14,7": "MacBook Pro",
  "Mac14,9": "MacBook Pro",
  "Mac14,5": "MacBook Pro",
  "Mac14,10": "MacBook Pro",
  "Mac14,6": "MacBook Pro",
  "PowerMac1,2": "Power Macintosh",
  "PowerMac5,1": "Power Macintosh",
  "PowerMac7,2": "Power Macintosh",
  "PowerMac7,3": "Power Macintosh",
  "PowerMac9,1": "Power Macintosh",
  "PowerMac11,2": "Power Macintosh",
  "PowerBook1,1": "PowerBook",
  "PowerBook3,1": "PowerBook",
  "PowerBook3,2": "PowerBook",
  "PowerBook3,3": "PowerBook",
  "PowerBook3,4": "PowerBook",
  "PowerBook3,5": "PowerBook",
  "PowerBook6,1": "PowerBook",
  "PowerBook5,1": "PowerBook",
  "PowerBook6,2": "PowerBook",
  "PowerBook5,2": "PowerBook",
  "PowerBook5,3": "PowerBook",
  "PowerBook6,4": "PowerBook",
  "PowerBook5,4": "PowerBook",
  "PowerBook5,5": "PowerBook",
  "PowerBook6,8": "PowerBook",
  "PowerBook5,6": "PowerBook",
  "PowerBook5,7": "PowerBook",
  "PowerBook5,8": "PowerBook",
  "PowerBook5,9": "PowerBook",
  "RackMac1,1": "Xserve",
  "RackMac1,2": "Xserve",
  "RackMac3,1": "Xserve",
  "Xserve1,1": "Xserve",
  "Xserve2,1": "Xserve",
  "Xserve3,1": "Xserve"
 }
--- a/server/db/migrate.ts
+++ b/server/db/migrate.ts
@@ -0,0 +1,3 @@
 import { runMigrations } from "./";
 await runMigrations();
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -16,6 +16,24 @@ if (!dev) {
 }
 export const names = JSON.parse(readFileSync(file, "utf-8"));
 // Load iOS and Mac model mappings
 let iosModelsFile: string;
 let macModelsFile: string;
 if (!dev) {
    iosModelsFile = join(__DIRNAME, "ios_models.json");
    macModelsFile = join(__DIRNAME, "mac_models.json");
 } else {
    iosModelsFile = join("server/db/ios_models.json");
    macModelsFile = join("server/db/mac_models.json");
 }
 const iosModels: Record<string, string> = JSON.parse(
    readFileSync(iosModelsFile, "utf-8")
 );
 const macModels: Record<string, string> = JSON.parse(
    readFileSync(macModelsFile, "utf-8")
 );
 export async function getUniqueClientName(orgId: string): Promise<string> {
    let loops = 0;
    while (true) {
@@ -159,3 +177,29 @@ export function generateName(): string {
    // clean out any non-alphanumeric characters except for dashes
    return name.replace(/[^a-z0-9-]/g, "");
 }
 export function getMacDeviceName(macIdentifier?: string | null): string | null {
    if (macIdentifier && macModels[macIdentifier]) {
        return macModels[macIdentifier];
    }
    return null;
 }
 export function getIosDeviceName(iosIdentifier?: string | null): string | null {
    if (iosIdentifier && iosModels[iosIdentifier]) {
        return iosModels[iosIdentifier];
    }
    return null;
 }
 export function getUserDeviceName(
    model: string | null,
    fallBack: string | null
 ): string {
    return (
        getMacDeviceName(model) ||
        getIosDeviceName(model) ||
        fallBack ||
        "Unknown Device"
    );
 }
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { createPool } from "./poolConfig";
 function createDb() {
    const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
    // Create connection pools instead of individual connections
    const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
    const primaryPool = createPool(
        connectionString,
-        max: poolConfig?.max_connections || 20,
+        maxConnections,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+        idleTimeoutMs,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
+        connectionTimeoutMs,
-    });
+        "primary"
    );
    const replicas = [];
@@ -55,14 +60,15 @@ function createDb() {
            })
        );
    } else {
        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
+            const replicaPool = createPool(
-                connectionString: conn.connection_string,
+                conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
+                maxReplicaConnections,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+                idleTimeoutMs,
-                connectionTimeoutMillis:
+                connectionTimeoutMs,
-                    poolConfig?.connection_timeout_ms || 5000
+                "replica"
-            });
+            );
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
@@ -85,3 +91,4 @@ export const primaryDb = db.$primary;
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
 export const DB_TYPE: "pg" | "sqlite" = "pg";
--- a/server/db/pg/index.ts
+++ b/server/db/pg/index.ts
@@ -1,3 +1,6 @@
 export * from "./driver";
 export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -0,0 +1,94 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
 import { createPool } from "./poolConfig";
 function createLogsDb() {
    // Only use separate logs database in SaaS builds
    if (build !== "saas") {
        return mainDb;
    }
    const config = readConfigFile();
    // Merge configs, prioritizing private config
    const logsConfig = config.postgres_logs;
    // Check environment variable first
    let connectionString = process.env.POSTGRES_LOGS_CONNECTION_STRING;
    let replicaConnections: Array<{ connection_string: string }> = [];
    if (!connectionString && logsConfig) {
        connectionString = logsConfig.connection_string;
        replicaConnections = logsConfig.replicas || [];
    }
    // If POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS is set, use it
    if (process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS) {
        replicaConnections =
            process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS.split(",").map(
                (conn) => ({
                    connection_string: conn.trim()
                })
            );
    }
    // If no logs database is configured, fall back to main database
    if (!connectionString) {
        return mainDb;
    }
    // Create separate connection pool for logs database
    const poolConfig = logsConfig?.pool || config.postgres?.pool;
    const maxConnections = poolConfig?.max_connections || 20;
    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
    const primaryPool = createPool(
        connectionString,
        maxConnections,
        idleTimeoutMs,
        connectionTimeoutMs,
        "logs-primary"
    );
    const replicas = [];
    if (!replicaConnections.length) {
        replicas.push(
            DrizzlePostgres(primaryPool, {
                logger: process.env.QUERY_LOGGING == "true"
            })
        );
    } else {
        const maxReplicaConnections =
            poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
            const replicaPool = createPool(
                conn.connection_string,
                maxReplicaConnections,
                idleTimeoutMs,
                connectionTimeoutMs,
                "logs-replica"
            );
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
                })
            );
        }
    }
    return withReplicas(
        DrizzlePostgres(primaryPool, {
            logger: process.env.QUERY_LOGGING == "true"
        }),
        replicas as any
    );
 }
 export const logsDb = createLogsDb();
 export default logsDb;
 export const primaryLogsDb = logsDb.$primary;
--- a/server/db/pg/migrate.ts
+++ b/server/db/pg/migrate.ts
@@ -4,7 +4,7 @@ import path from "path";
 const migrationsFolder = path.join("server/migrations");
-const runMigrations = async () => {
+export const runMigrations = async () => {
    console.log("Running migrations...");
    try {
        await migrate(db as any, {
@@ -17,5 +17,3 @@ const runMigrations = async () => {
        process.exit(1);
    }
 };
 runMigrations();
--- a/server/db/pg/poolConfig.ts
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
 import { Pool, PoolConfig } from "pg";
 import logger from "@server/logger";
 export function createPoolConfig(
    connectionString: string,
    maxConnections: number,
    idleTimeoutMs: number,
    connectionTimeoutMs: number
 ): PoolConfig {
    return {
        connectionString,
        max: maxConnections,
        idleTimeoutMillis: idleTimeoutMs,
        connectionTimeoutMillis: connectionTimeoutMs,
        // TCP keepalive to prevent silent connection drops by NAT gateways,
        // load balancers, and other intermediate network devices (e.g. AWS
        // NAT Gateway drops idle TCP connections after ~350s)
        keepAlive: true,
        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
        // Allow connections to be released and recreated more aggressively
        // to avoid stale connections building up
        allowExitOnIdle: false
    };
 }
 export function attachPoolErrorHandlers(pool: Pool, label: string): void {
    pool.on("error", (err) => {
        // This catches errors on idle clients in the pool. Without this
        // handler an unexpected disconnect would crash the process.
        logger.error(
            `Unexpected error on idle ${label} database client: ${err.message}`
        );
    });
    pool.on("connect", (client) => {
        // Set a statement timeout on every new connection so a single slow
        // query can't block the pool forever
        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
            logger.warn(
                `Failed to set statement_timeout on ${label} client: ${err.message}`
            );
        });
    });
 }
 export function createPool(
    connectionString: string,
    maxConnections: number,
    idleTimeoutMs: number,
    connectionTimeoutMs: number,
    label: string
 ): Pool {
    const pool = new Pool(
        createPoolConfig(
            connectionString,
            maxConnections,
            idleTimeoutMs,
            connectionTimeoutMs
        )
    );
    attachPoolErrorHandlers(pool, label);
    return pool;
 }
--- a/server/db/pg/safeRead.ts
+++ b/server/db/pg/safeRead.ts
@@ -0,0 +1,24 @@
 import { db, primaryDb } from "./driver";
 /**
 * Runs a read query with replica fallback for Postgres.
 * Executes the query against the replica first (when replicas exist).
 * If the query throws or returns no data (null, undefined, or empty array),
 * runs the same query against the primary.
 */
 export async function safeRead<T>(
    query: (d: typeof db | typeof primaryDb) => Promise<T>
 ): Promise<T> {
    try {
        const result = await query(db);
        if (result === undefined || result === null) {
            return query(primaryDb);
        }
        if (Array.isArray(result) && result.length === 0) {
            return query(primaryDb);
        }
        return result;
    } catch {
        return query(primaryDb);
    }
 }
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -7,10 +7,22 @@ import {
    bigint,
    real,
    text,
-    index
+    index,
    primaryKey,
    uniqueIndex
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
-import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
+import {
    domains,
    orgs,
    targets,
    users,
    exitNodes,
    sessions,
    clients,
    siteResources,
    sites
 } from "./schema";
 export const certificates = pgTable("certificates", {
    certId: serial("certId").primaryKey(),
@@ -74,11 +86,16 @@ export const subscriptions = pgTable("subscriptions", {
    canceledAt: bigint("canceledAt", { mode: "number" }),
    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
    updatedAt: bigint("updatedAt", { mode: "number" }),
-    billingCycleAnchor: bigint("billingCycleAnchor", { mode: "number" })
+    version: integer("version"),
    billingCycleAnchor: bigint("billingCycleAnchor", { mode: "number" }),
    type: varchar("type", { length: 50 }) // tier1, tier2, tier3, or license
 });
 export const subscriptionItems = pgTable("subscriptionItems", {
    subscriptionItemId: serial("subscriptionItemId").primaryKey(),
    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", {
        length: 255
    }),
    subscriptionId: varchar("subscriptionId", { length: 255 })
        .notNull()
        .references(() => subscriptions.subscriptionId, {
@@ -86,6 +103,7 @@ export const subscriptionItems = pgTable("subscriptionItems", {
        }),
    planId: varchar("planId", { length: 255 }).notNull(),
    priceId: varchar("priceId", { length: 255 }),
    featureId: varchar("featureId", { length: 255 }),
    meterId: varchar("meterId", { length: 255 }),
    unitAmount: real("unitAmount"),
    tiers: text("tiers"),
@@ -128,6 +146,7 @@ export const limits = pgTable("limits", {
        })
        .notNull(),
    value: real("value"),
    override: boolean("override").default(false),
    description: text("description")
 });
@@ -206,7 +225,7 @@ export const loginPageOrg = pgTable("loginPageOrg", {
 export const loginPageBranding = pgTable("loginPageBranding", {
    loginPageBrandingId: serial("loginPageBrandingId").primaryKey(),
-    logoUrl: text("logoUrl").notNull(),
+    logoUrl: text("logoUrl"),
    logoWidth: integer("logoWidth").notNull(),
    logoHeight: integer("logoHeight").notNull(),
    primaryColor: text("primaryColor"),
@@ -273,6 +292,7 @@ export const accessAuditLog = pgTable(
        actor: varchar("actor", { length: 255 }),
        actorId: varchar("actorId", { length: 255 }),
        resourceId: integer("resourceId"),
        siteResourceId: integer("siteResourceId"),
        ip: varchar("ip", { length: 45 }),
        type: varchar("type", { length: 100 }).notNull(),
        action: boolean("action").notNull(),
@@ -289,6 +309,156 @@ export const accessAuditLog = pgTable(
    ]
 );
 export const connectionAuditLog = pgTable(
    "connectionAuditLog",
    {
        id: serial("id").primaryKey(),
        sessionId: text("sessionId").notNull(),
        siteResourceId: integer("siteResourceId").references(
            () => siteResources.siteResourceId,
            { onDelete: "cascade" }
        ),
        orgId: text("orgId").references(() => orgs.orgId, {
            onDelete: "cascade"
        }),
        siteId: integer("siteId").references(() => sites.siteId, {
            onDelete: "cascade"
        }),
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
        sourceAddr: text("sourceAddr").notNull(),
        destAddr: text("destAddr").notNull(),
        protocol: text("protocol").notNull(),
        startedAt: integer("startedAt").notNull(),
        endedAt: integer("endedAt"),
        bytesTx: integer("bytesTx"),
        bytesRx: integer("bytesRx")
    },
    (table) => [
        index("idx_accessAuditLog_startedAt").on(table.startedAt),
        index("idx_accessAuditLog_org_startedAt").on(
            table.orgId,
            table.startedAt
        ),
        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
    ]
 );
 export const approvals = pgTable("approvals", {
    approvalId: serial("approvalId").primaryKey(),
    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
    orgId: varchar("orgId")
        .references(() => orgs.orgId, {
            onDelete: "cascade"
        })
        .notNull(),
    clientId: integer("clientId").references(() => clients.clientId, {
        onDelete: "cascade"
    }), // clients reference user devices (in this case)
    userId: varchar("userId")
        .references(() => users.userId, {
            // optionally tied to a user and in this case delete when the user deletes
            onDelete: "cascade"
        })
        .notNull(),
    decision: varchar("decision")
        .$type<"approved" | "denied" | "pending">()
        .default("pending")
        .notNull(),
    type: varchar("type")
        .$type<"user_device" /*| 'proxy' // for later */>()
        .notNull()
 });
 export const bannedEmails = pgTable("bannedEmails", {
    email: varchar("email", { length: 255 }).primaryKey()
 });
 export const bannedIps = pgTable("bannedIps", {
    ip: varchar("ip", { length: 255 }).primaryKey()
 });
 export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
    siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
        length: 255
    }).primaryKey(),
    name: varchar("name", { length: 255 }).notNull(),
    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
    lastChars: varchar("lastChars", { length: 4 }).notNull(),
    createdAt: varchar("dateCreated", { length: 255 }).notNull(),
    lastUsed: varchar("lastUsed", { length: 255 }),
    maxBatchSize: integer("maxBatchSize"), // null = no limit
    numUsed: integer("numUsed").notNull().default(0),
    validUntil: varchar("validUntil", { length: 255 }),
    approveNewSites: boolean("approveNewSites").notNull().default(true)
 });
 export const siteProvisioningKeyOrg = pgTable(
    "siteProvisioningKeyOrg",
    {
        siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
            length: 255
        })
            .notNull()
            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
                onDelete: "cascade"
            }),
        orgId: varchar("orgId", { length: 255 })
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" })
    },
    (table) => [
        primaryKey({
            columns: [table.siteProvisioningKeyId, table.orgId]
        })
    ]
 );
 export const eventStreamingDestinations = pgTable(
    "eventStreamingDestinations",
    {
        destinationId: serial("destinationId").primaryKey(),
        orgId: varchar("orgId", { length: 255 })
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        sendConnectionLogs: boolean("sendConnectionLogs").notNull().default(false),
        sendRequestLogs: boolean("sendRequestLogs").notNull().default(false),
        sendActionLogs: boolean("sendActionLogs").notNull().default(false),
        sendAccessLogs: boolean("sendAccessLogs").notNull().default(false),
        type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
        config: text("config").notNull(), // JSON string with the configuration for the destination
        enabled: boolean("enabled").notNull().default(true),
        createdAt: bigint("createdAt", { mode: "number" }).notNull(),
        updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
    }
 );
 export const eventStreamingCursors = pgTable(
    "eventStreamingCursors",
    {
        cursorId: serial("cursorId").primaryKey(),
        destinationId: integer("destinationId")
            .notNull()
            .references(() => eventStreamingDestinations.destinationId, {
                onDelete: "cascade"
            }),
        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
    },
    (table) => [
        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
            table.destinationId,
            table.logType
        )
    ]
 );
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
@@ -309,3 +479,19 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
 export type SessionTransferToken = InferSelectModel<
    typeof sessionTransferToken
 >;
 export type BannedEmail = InferSelectModel<typeof bannedEmails>;
 export type BannedIp = InferSelectModel<typeof bannedIps>;
 export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
 export type SiteProvisioningKeyOrg = InferSelectModel<
    typeof siteProvisioningKeyOrg
 >;
 export type EventStreamingDestination = InferSelectModel<
    typeof eventStreamingDestinations
 >;
 export type EventStreamingCursor = InferSelectModel<
    typeof eventStreamingCursors
 >;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -1,18 +1,18 @@
 import {
    pgTable,
    serial,
    varchar,
    boolean,
    integer,
    bigint,
    real,
    text,
    index,
    uniqueIndex
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import { randomUUID } from "crypto";
-import { alias } from "yargs";
+import { InferSelectModel } from "drizzle-orm";
 import {
    bigint,
    boolean,
    index,
    integer,
    pgTable,
    primaryKey,
    real,
    serial,
    text,
    unique,
    varchar
 } from "drizzle-orm/pg-core";
 export const domains = pgTable("domains", {
    domainId: varchar("domainId").primaryKey(),
@@ -24,7 +24,8 @@ export const domains = pgTable("domains", {
    tries: integer("tries").notNull().default(0),
    certResolver: varchar("certResolver"),
    customCertResolver: varchar("customCertResolver"),
-    preferWildcardCert: boolean("preferWildcardCert")
+    preferWildcardCert: boolean("preferWildcardCert"),
    errorMessage: text("errorMessage")
 });
 export const dnsRecords = pgTable("dnsRecords", {
@@ -55,7 +56,14 @@ export const orgs = pgTable("orgs", {
        .default(0),
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
-        .default(0)
+        .default(0),
    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: boolean("isBillingOrg"),
    billingOrgId: varchar("billingOrgId")
 });
 export const orgDomains = pgTable("orgDomains", {
@@ -86,12 +94,14 @@ export const sites = pgTable("sites", {
    lastBandwidthUpdate: varchar("lastBandwidthUpdate"),
    type: varchar("type").notNull(), // "newt" or "wireguard"
    online: boolean("online").notNull().default(false),
    lastPing: integer("lastPing"),
    address: varchar("address"),
    endpoint: varchar("endpoint"),
    publicKey: varchar("publicKey"),
    lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
    listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
    status: varchar("status").$type<"pending" | "approved">().default("approved")
 });
 export const resources = pgTable("resources", {
@@ -132,7 +142,18 @@ export const resources = pgTable("resources", {
    }),
    headers: text("headers"), // comma-separated list of headers to add to the request
    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
-    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
    maintenanceModeEnabled: boolean("maintenanceModeEnabled")
        .notNull()
        .default(false),
    maintenanceModeType: text("maintenanceModeType", {
        enum: ["forced", "automatic"]
    }).default("forced"), // "forced" = always show, "automatic" = only when down
    maintenanceTitle: text("maintenanceTitle"),
    maintenanceMessage: text("maintenanceMessage"),
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath")
 });
 export const targets = pgTable("targets", {
@@ -177,7 +198,9 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
    hcFollowRedirects: boolean("hcFollowRedirects").default(true),
    hcMethod: varchar("hcMethod").default("GET"),
    hcStatus: integer("hcStatus"), // http code
-    hcHealth: text("hcHealth").default("unknown"), // "unknown", "healthy", "unhealthy"
+    hcHealth: text("hcHealth")
        .$type<"unknown" | "healthy" | "unhealthy">()
        .default("unknown"), // "unknown", "healthy", "unhealthy"
    hcTlsServerName: text("hcTlsServerName")
 });
@@ -207,7 +230,7 @@ export const siteResources = pgTable("siteResources", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    niceId: varchar("niceId").notNull(),
    name: varchar("name").notNull(),
-    mode: varchar("mode").notNull(), // "host" | "cidr" | "port"
+    mode: varchar("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
    protocol: varchar("protocol"), // only for port mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
@@ -215,9 +238,13 @@ export const siteResources = pgTable("siteResources", {
    enabled: boolean("enabled").notNull().default(true),
    alias: varchar("alias"),
    aliasAddress: varchar("aliasAddress"),
-    tcpPortRangeString: varchar("tcpPortRangeString"),
+    tcpPortRangeString: varchar("tcpPortRangeString").notNull().default("*"),
-    udpPortRangeString: varchar("udpPortRangeString"),
+    udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
-    disableIcmp: boolean("disableIcmp").notNull().default(false)
+    disableIcmp: boolean("disableIcmp").notNull().default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
    authDaemonMode: varchar("authDaemonMode", { length: 32 })
        .$type<"site" | "remote">()
        .default("site")
 });
 export const clientSiteResources = pgTable("clientSiteResources", {
@@ -264,8 +291,10 @@ export const users = pgTable("user", {
    dateCreated: varchar("dateCreated").notNull(),
    termsAcceptedTimestamp: varchar("termsAcceptedTimestamp"),
    termsVersion: varchar("termsVersion"),
    marketingEmailConsent: boolean("marketingEmailConsent").default(false),
    serverAdmin: boolean("serverAdmin").notNull().default(false),
-    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" })
+    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" }),
    locale: varchar("locale")
 });
 export const newts = pgTable("newt", {
@@ -313,11 +342,9 @@ export const userOrgs = pgTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId),
    isOwner: boolean("isOwner").notNull().default(false),
-    autoProvisioned: boolean("autoProvisioned").default(false)
+    autoProvisioned: boolean("autoProvisioned").default(false),
    pamUsername: varchar("pamUsername") // cleaned username for ssh and such
 });
 export const emailVerificationCodes = pgTable("emailVerificationCodes", {
@@ -355,9 +382,30 @@ export const roles = pgTable("roles", {
        .notNull(),
    isAdmin: boolean("isAdmin"),
    name: varchar("name").notNull(),
-    description: varchar("description")
+    description: varchar("description"),
    requireDeviceApproval: boolean("requireDeviceApproval").default(false),
    sshSudoMode: varchar("sshSudoMode", { length: 32 }).default("none"), // "none" | "full" | "commands"
    sshSudoCommands: text("sshSudoCommands").default("[]"),
    sshCreateHomeDir: boolean("sshCreateHomeDir").default(true),
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 export const userOrgRoles = pgTable(
    "userOrgRoles",
    {
        userId: varchar("userId")
            .notNull()
            .references(() => users.userId, { onDelete: "cascade" }),
        orgId: varchar("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
 );
 export const roleActions = pgTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -425,11 +473,21 @@ export const userInvites = pgTable("userInvites", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    email: varchar("email").notNull(),
    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
-    tokenHash: varchar("token").notNull(),
+    tokenHash: varchar("token").notNull()
 });
 export const userInviteRoles = pgTable(
    "userInviteRoles",
    {
        inviteId: varchar("inviteId")
            .notNull()
            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
-});
+    },
    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
 );
 export const resourcePincode = pgTable("resourcePincode", {
    pincodeId: serial("pincodeId").primaryKey(),
@@ -456,6 +514,23 @@ export const resourceHeaderAuth = pgTable("resourceHeaderAuth", {
    headerAuthHash: varchar("headerAuthHash").notNull()
 });
 export const resourceHeaderAuthExtendedCompatibility = pgTable(
    "resourceHeaderAuthExtendedCompatibility",
    {
        headerAuthExtendedCompatibilityId: serial(
            "headerAuthExtendedCompatibilityId"
        ).primaryKey(),
        resourceId: integer("resourceId")
            .notNull()
            .references(() => resources.resourceId, { onDelete: "cascade" }),
        extendedCompatibilityIsActivated: boolean(
            "extendedCompatibilityIsActivated"
        )
            .notNull()
            .default(true)
    }
 );
 export const resourceAccessToken = pgTable("resourceAccessToken", {
    accessTokenId: varchar("accessTokenId").primaryKey(),
    orgId: varchar("orgId")
@@ -564,7 +639,8 @@ export const idp = pgTable("idp", {
    type: varchar("type").notNull(),
    defaultRoleMapping: varchar("defaultRoleMapping"),
    defaultOrgMapping: varchar("defaultOrgMapping"),
-    autoProvision: boolean("autoProvision").notNull().default(false)
+    autoProvision: boolean("autoProvision").notNull().default(false),
    tags: text("tags")
 });
 export const idpOidcConfig = pgTable("idpOidcConfig", {
@@ -661,7 +737,12 @@ export const clients = pgTable("clients", {
    online: boolean("online").notNull().default(false),
    // endpoint: varchar("endpoint"),
    lastHolePunch: integer("lastHolePunch"),
-    maxConnections: integer("maxConnections")
+    maxConnections: integer("maxConnections"),
    archived: boolean("archived").notNull().default(false),
    blocked: boolean("blocked").notNull().default(false),
    approvalState: varchar("approvalState").$type<
        "pending" | "approved" | "denied"
    >()
 });
 export const clientSitesAssociationsCache = pgTable(
@@ -671,6 +752,7 @@ export const clientSitesAssociationsCache = pgTable(
            .notNull(),
        siteId: integer("siteId").notNull(),
        isRelayed: boolean("isRelayed").notNull().default(false),
        isJitMode: boolean("isJitMode").notNull().default(false),
        endpoint: varchar("endpoint"),
        publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
@@ -685,6 +767,16 @@ export const clientSiteResourcesAssociationsCache = pgTable(
    }
 );
 export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
    snapshotId: serial("snapshotId").primaryKey(),
    clientId: integer("clientId").references(() => clients.clientId, {
        onDelete: "cascade"
    }),
    collectedAt: integer("collectedAt").notNull()
 });
 export const olms = pgTable("olms", {
    olmId: varchar("id").primaryKey(),
    secretHash: varchar("secretHash").notNull(),
@@ -699,7 +791,118 @@ export const olms = pgTable("olms", {
    userId: text("userId").references(() => users.userId, {
        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
-    })
+    }),
    archived: boolean("archived").notNull().default(false)
 });
 export const currentFingerprint = pgTable("currentFingerprint", {
    fingerprintId: serial("id").primaryKey(),
    olmId: text("olmId")
        .references(() => olms.olmId, { onDelete: "cascade" })
        .notNull(),
    firstSeen: integer("firstSeen").notNull(),
    lastSeen: integer("lastSeen").notNull(),
    lastCollectedAt: integer("lastCollectedAt").notNull(),
    username: text("username"),
    hostname: text("hostname"),
    platform: text("platform"),
    osVersion: text("osVersion"),
    kernelVersion: text("kernelVersion"),
    arch: text("arch"),
    deviceModel: text("deviceModel"),
    serialNumber: text("serialNumber"),
    platformFingerprint: varchar("platformFingerprint"),
    // Platform-agnostic checks
    biometricsEnabled: boolean("biometricsEnabled").notNull().default(false),
    diskEncrypted: boolean("diskEncrypted").notNull().default(false),
    firewallEnabled: boolean("firewallEnabled").notNull().default(false),
    autoUpdatesEnabled: boolean("autoUpdatesEnabled").notNull().default(false),
    tpmAvailable: boolean("tpmAvailable").notNull().default(false),
    // Windows-specific posture check information
    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
        .notNull()
        .default(false),
    // macOS-specific posture check information
    macosSipEnabled: boolean("macosSipEnabled").notNull().default(false),
    macosGatekeeperEnabled: boolean("macosGatekeeperEnabled")
        .notNull()
        .default(false),
    macosFirewallStealthMode: boolean("macosFirewallStealthMode")
        .notNull()
        .default(false),
    // Linux-specific posture check information
    linuxAppArmorEnabled: boolean("linuxAppArmorEnabled")
        .notNull()
        .default(false),
    linuxSELinuxEnabled: boolean("linuxSELinuxEnabled").notNull().default(false)
 });
 export const fingerprintSnapshots = pgTable("fingerprintSnapshots", {
    snapshotId: serial("id").primaryKey(),
    fingerprintId: integer("fingerprintId").references(
        () => currentFingerprint.fingerprintId,
        {
            onDelete: "set null"
        }
    ),
    username: text("username"),
    hostname: text("hostname"),
    platform: text("platform"),
    osVersion: text("osVersion"),
    kernelVersion: text("kernelVersion"),
    arch: text("arch"),
    deviceModel: text("deviceModel"),
    serialNumber: text("serialNumber"),
    platformFingerprint: varchar("platformFingerprint"),
    // Platform-agnostic checks
    biometricsEnabled: boolean("biometricsEnabled").notNull().default(false),
    diskEncrypted: boolean("diskEncrypted").notNull().default(false),
    firewallEnabled: boolean("firewallEnabled").notNull().default(false),
    autoUpdatesEnabled: boolean("autoUpdatesEnabled").notNull().default(false),
    tpmAvailable: boolean("tpmAvailable").notNull().default(false),
    // Windows-specific posture check information
    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
        .notNull()
        .default(false),
    // macOS-specific posture check information
    macosSipEnabled: boolean("macosSipEnabled").notNull().default(false),
    macosGatekeeperEnabled: boolean("macosGatekeeperEnabled")
        .notNull()
        .default(false),
    macosFirewallStealthMode: boolean("macosFirewallStealthMode")
        .notNull()
        .default(false),
    // Linux-specific posture check information
    linuxAppArmorEnabled: boolean("linuxAppArmorEnabled")
        .notNull()
        .default(false),
    linuxSELinuxEnabled: boolean("linuxSELinuxEnabled")
        .notNull()
        .default(false),
    hash: text("hash").notNull(),
    collectedAt: integer("collectedAt").notNull()
 });
 export const olmSessions = pgTable("clientSession", {
@@ -828,6 +1031,16 @@ export const deviceWebAuthCodes = pgTable("deviceWebAuthCodes", {
    })
 });
 export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
    messageId: serial("messageId").primaryKey(),
    wsClientId: varchar("clientId"),
    messageType: varchar("messageType"),
    sentAt: bigint("sentAt", { mode: "number" }).notNull(),
    receivedAt: bigint("receivedAt", { mode: "number" }),
    error: text("error"),
    complete: boolean("complete").notNull().default(false)
 });
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -851,11 +1064,16 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
 export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
    typeof resourceHeaderAuthExtendedCompatibility
 >;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
@@ -885,3 +1103,6 @@ export type SecurityKey = InferSelectModel<typeof securityKeys>;
 export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
 export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
 export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
 export type RoundTripMessageTracker = InferSelectModel<
    typeof roundTripMessageTracker
 >;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,12 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
+import {
    db,
    loginPage,
    LoginPage,
    loginPageOrg,
    Org,
    orgs,
    roles
 } from "@server/db";
 import {
    Resource,
    ResourcePassword,
@@ -12,17 +20,19 @@ import {
    resources,
    roleResources,
    sessions,
    userOrgs,
    userResources,
-    users
+    users,
    ResourceHeaderAuthExtendedCompatibility,
    resourceHeaderAuthExtendedCompatibility
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 export type ResourceWithAuth = {
    resource: Resource | null;
    pincode: ResourcePincode | null;
    password: ResourcePassword | null;
    headerAuth: ResourceHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
    org: Org;
 };
@@ -52,6 +62,13 @@ export async function getResourceByDomain(
            resourceHeaderAuth,
            eq(resourceHeaderAuth.resourceId, resources.resourceId)
        )
        .leftJoin(
            resourceHeaderAuthExtendedCompatibility,
            eq(
                resourceHeaderAuthExtendedCompatibility.resourceId,
                resources.resourceId
            )
        )
        .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
        .where(eq(resources.fullDomain, domain))
        .limit(1);
@@ -65,6 +82,8 @@ export async function getResourceByDomain(
        pincode: result.resourcePincode,
        password: result.resourcePassword,
        headerAuth: result.resourceHeaderAuth,
        headerAuthExtendedCompatibility:
            result.resourceHeaderAuthExtendedCompatibility,
        org: result.orgs
    };
 }
@@ -92,16 +111,15 @@ export async function getUserSessionWithUser(
 }
 /**
- * Get user organization role
+ * Get role name by role ID (for display).
 */
-export async function getUserOrgRole(userId: string, orgId: string) {
+export async function getRoleName(roleId: number): Promise<string | null> {
-    const userOrgRole = await db
+    const [row] = await db
-        .select()
+        .select({ name: roles.name })
-        .from(userOrgs)
+        .from(roles)
-        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+        .where(eq(roles.roleId, roleId))
        .limit(1);
-
+    return row?.name ?? null;
    return userOrgRole.length > 0 ? userOrgRole[0] : null;
 }
 /**
@@ -109,7 +127,7 @@ export async function getUserOrgRole(userId: string, orgId: string) {
 */
 export async function getRoleResourceAccess(
    resourceId: number,
-    roleId: number
+    roleIds: number[]
 ) {
    const roleResourceAccess = await db
        .select()
@@ -117,12 +135,11 @@ export async function getRoleResourceAccess(
        .where(
            and(
                eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
+                inArray(roleResources.roleId, roleIds)
            )
-        )
+        );
        .limit(1);
-    return roleResourceAccess.length > 0 ? roleResourceAccess[0] : null;
+    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
 }
 /**
--- a/server/db/regions.ts
+++ b/server/db/regions.ts
@@ -0,0 +1,196 @@
 // Regions of the World
 // as of 2025-10-25
 //
 // Adapted according to the United Nations Geoscheme
 // see https://www.unicode.org/cldr/charts/48/supplemental/territory_containment_un_m_49.html
 // see https://unstats.un.org/unsd/methodology/m49
 export const REGIONS = [
    {
        name: "regionAfrica",
        id: "002",
        includes: [
            {
                name: "regionNorthernAfrica",
                id: "015",
                countries: ["DZ", "EG", "LY", "MA", "SD", "TN", "EH"]
            },
            {
                name: "regionEasternAfrica",
                id: "014",
                countries: ["IO", "BI", "KM", "DJ", "ER", "ET", "TF", "KE", "MG", "MW", "MU", "YT", "MZ", "RE", "RW", "SC", "SO", "SS", "UG", "ZM", "ZW"]
            },
            {
                name: "regionMiddleAfrica",
                id: "017",
                countries: ["AO", "CM", "CF", "TD", "CG", "CD", "GQ", "GA", "ST"]
            },
            {
                name: "regionSouthernAfrica",
                id: "018",
                countries: ["BW", "SZ", "LS", "NA", "ZA"]
            },
            {
                name: "regionWesternAfrica",
                id: "011",
                countries: ["BJ", "BF", "CV", "CI", "GM", "GH", "GN", "GW", "LR", "ML", "MR", "NE", "NG", "SH", "SN", "SL", "TG"]
            }
        ]
    },
    {
        name: "regionAmericas",
        id: "019",
        includes: [
            {
                name: "regionCaribbean",
                id: "029",
                countries: ["AI", "AG", "AW", "BS", "BB", "BQ", "VG", "KY", "CU", "CW", "DM", "DO", "GD", "GP", "HT", "JM", "MQ", "MS", "PR", "BL", "KN", "LC", "MF", "VC", "SX", "TT", "TC", "VI"]
            },
            {
                name: "regionCentralAmerica",
                id: "013",
                countries: ["BZ", "CR", "SV", "GT", "HN", "MX", "NI", "PA"]
            },
            {
                name: "regionSouthAmerica",
                id: "005",
                countries: ["AR", "BO", "BV", "BR", "CL", "CO", "EC", "FK", "GF", "GY", "PY", "PE", "GS", "SR", "UY", "VE"]
            },
            {
                name: "regionNorthernAmerica",
                id: "021",
                countries: ["BM", "CA", "GL", "PM", "US"]
            }
        ]
    },
    {
        name: "regionAsia",
        id: "142",
        includes: [
            {
                name: "regionCentralAsia",
                id: "143",
                countries: ["KZ", "KG", "TJ", "TM", "UZ"]
            },
            {
                name: "regionEasternAsia",
                id: "030",
                countries: ["CN", "HK", "MO", "KP", "JP", "MN", "KR"]
            },
            {
                name: "regionSouthEasternAsia",
                id: "035",
                countries: ["BN", "KH", "ID", "LA", "MY", "MM", "PH", "SG", "TH", "TL", "VN"]
            },
            {
                name: "regionSouthernAsia",
                id: "034",
                countries: ["AF", "BD", "BT", "IN", "IR", "MV", "NP", "PK", "LK"]
            },
            {
                name: "regionWesternAsia",
                id: "145",
                countries: ["AM", "AZ", "BH", "CY", "GE", "IQ", "IL", "JO", "KW", "LB", "OM", "QA", "SA", "PS", "SY", "TR", "AE", "YE"]
            }
        ]
    },
    {
        name: "regionEurope",
        id: "150",
        includes: [
            {
                name: "regionEasternEurope",
                id: "151",
                countries: ["BY", "BG", "CZ", "HU", "PL", "MD", "RO", "RU", "SK", "UA"]
            },
            {
                name: "regionNorthernEurope",
                id: "154",
                countries: ["AX", "DK", "EE", "FO", "FI", "GG", "IS", "IE", "IM", "JE", "LV", "LT", "NO", "SJ", "SE", "GB"]
            },
            {
                name: "regionSouthernEurope",
                id: "039",
                countries: ["AL", "AD", "BA", "HR", "GI", "GR", "VA", "IT", "MT", "ME", "MK", "PT", "SM", "RS", "SI", "ES"]
            },
            {
                name: "regionWesternEurope",
                id: "155",
                countries: ["AT", "BE", "FR", "DE", "LI", "LU", "MC", "NL", "CH"]
            }
        ]
    },
    {
        name: "regionOceania",
        id: "009",
        includes: [
            {
                name: "regionAustraliaAndNewZealand",
                id: "053",
                countries: ["AU", "CX", "CC", "HM", "NZ", "NF"]
            },
            {
                name: "regionMelanesia",
                id: "054",
                countries: ["FJ", "NC", "PG", "SB", "VU"]
            },
            {
                name: "regionMicronesia",
                id: "057",
                countries: ["GU", "KI", "MH", "FM", "NR", "MP", "PW", "UM"]
            },
            {
                name: "regionPolynesia",
                id: "061",
                countries: ["AS", "CK", "PF", "NU", "PN", "WS", "TK", "TO", "TV", "WF"]
            }
        ]
    }
 ];
 type Subregion = {
    name: string;
    id: string;
    countries: string[];
 };
 type Region = {
    name: string;
    id: string;
    includes: Subregion[];
 };
 export function getRegionNameById(regionId: string): string | undefined {
    // Check top-level regions
    const region = REGIONS.find((r) => r.id === regionId);
    if (region) {
        return region.name;
    }
    // Check subregions
    for (const region of REGIONS) {
        for (const subregion of region.includes) {
            if (subregion.id === regionId) {
                return subregion.name;
            }
        }
    }
    return undefined;
 }
 export function isValidRegionId(regionId: string): boolean {
    // Check top-level regions
    if (REGIONS.find((r) => r.id === regionId)) {
        return true;
    }
    // Check subregions
    for (const region of REGIONS) {
        if (region.includes.find((s) => s.id === regionId)) {
            return true;
        }
    }
    return false;
 }
--- a/server/db/sqlite/driver.ts
+++ b/server/db/sqlite/driver.ts
@@ -24,6 +24,7 @@ export const primaryDb = db;
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
    >[0];
 export const DB_TYPE: "pg" | "sqlite" = "sqlite";
 function checkFileExists(filePath: string): boolean {
    try {
--- a/server/db/sqlite/index.ts
+++ b/server/db/sqlite/index.ts
@@ -1,3 +1,6 @@
 export * from "./driver";
 export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
--- a/server/db/sqlite/logsDriver.ts
+++ b/server/db/sqlite/logsDriver.ts
@@ -0,0 +1,7 @@
 import { db as mainDb } from "./driver";
 // SQLite doesn't support separate databases for logs in the same way as Postgres
 // Always use the main database connection for SQLite
 export const logsDb = mainDb;
 export default logsDb;
 export const primaryLogsDb = logsDb;
--- a/server/db/sqlite/migrate.ts
+++ b/server/db/sqlite/migrate.ts
@@ -4,7 +4,7 @@ import path from "path";
 const migrationsFolder = path.join("server/migrations");
-const runMigrations = async () => {
+export const runMigrations = async () => {
    console.log("Running migrations...");
    try {
        migrate(db as any, {
@@ -16,5 +16,3 @@ const runMigrations = async () => {
        process.exit(1);
    }
 };
 runMigrations();
--- a/server/db/sqlite/safeRead.ts
+++ b/server/db/sqlite/safeRead.ts
@@ -0,0 +1,11 @@
 import { db } from "./driver";
 /**
 * Runs a read query. For SQLite there is no replica/primary distinction,
 * so the query is executed once against the database.
 */
 export async function safeRead<T>(
    query: (d: typeof db) => Promise<T>
 ): Promise<T> {
    return query(db);
 }
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -2,11 +2,22 @@ import { InferSelectModel } from "drizzle-orm";
 import {
    index,
    integer,
    primaryKey,
    real,
    sqliteTable,
-    text
+    text,
    uniqueIndex
 } from "drizzle-orm/sqlite-core";
-import { domains, exitNodes, orgs, sessions, users } from "./schema";
+import {
    clients,
    domains,
    exitNodes,
    orgs,
    sessions,
    siteResources,
    sites,
    users
 } from "./schema";
 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -70,13 +81,16 @@ export const subscriptions = sqliteTable("subscriptions", {
    canceledAt: integer("canceledAt"),
    createdAt: integer("createdAt").notNull(),
    updatedAt: integer("updatedAt"),
-    billingCycleAnchor: integer("billingCycleAnchor")
+    version: integer("version"),
    billingCycleAnchor: integer("billingCycleAnchor"),
    type: text("type") // tier1, tier2, tier3, or license
 });
 export const subscriptionItems = sqliteTable("subscriptionItems", {
    subscriptionItemId: integer("subscriptionItemId").primaryKey({
        autoIncrement: true
    }),
    stripeSubscriptionItemId: text("stripeSubscriptionItemId"),
    subscriptionId: text("subscriptionId")
        .notNull()
        .references(() => subscriptions.subscriptionId, {
@@ -84,6 +98,7 @@ export const subscriptionItems = sqliteTable("subscriptionItems", {
        }),
    planId: text("planId").notNull(),
    priceId: text("priceId"),
    featureId: text("featureId"),
    meterId: text("meterId"),
    unitAmount: real("unitAmount"),
    tiers: text("tiers"),
@@ -126,6 +141,7 @@ export const limits = sqliteTable("limits", {
        })
        .notNull(),
    value: real("value"),
    override: integer("override", { mode: "boolean" }).default(false),
    description: text("description")
 });
@@ -206,7 +222,7 @@ export const loginPageBranding = sqliteTable("loginPageBranding", {
    loginPageBrandingId: integer("loginPageBrandingId").primaryKey({
        autoIncrement: true
    }),
-    logoUrl: text("logoUrl").notNull(),
+    logoUrl: text("logoUrl"),
    logoWidth: integer("logoWidth").notNull(),
    logoHeight: integer("logoHeight").notNull(),
    primaryColor: text("primaryColor"),
@@ -273,6 +289,7 @@ export const accessAuditLog = sqliteTable(
        actor: text("actor"),
        actorId: text("actorId"),
        resourceId: integer("resourceId"),
        siteResourceId: integer("siteResourceId"),
        ip: text("ip"),
        location: text("location"),
        type: text("type").notNull(),
@@ -289,6 +306,156 @@ export const accessAuditLog = sqliteTable(
    ]
 );
 export const connectionAuditLog = sqliteTable(
    "connectionAuditLog",
    {
        id: integer("id").primaryKey({ autoIncrement: true }),
        sessionId: text("sessionId").notNull(),
        siteResourceId: integer("siteResourceId").references(
            () => siteResources.siteResourceId,
            { onDelete: "cascade" }
        ),
        orgId: text("orgId").references(() => orgs.orgId, {
            onDelete: "cascade"
        }),
        siteId: integer("siteId").references(() => sites.siteId, {
            onDelete: "cascade"
        }),
        clientId: integer("clientId").references(() => clients.clientId, {
            onDelete: "cascade"
        }),
        userId: text("userId").references(() => users.userId, {
            onDelete: "cascade"
        }),
        sourceAddr: text("sourceAddr").notNull(),
        destAddr: text("destAddr").notNull(),
        protocol: text("protocol").notNull(),
        startedAt: integer("startedAt").notNull(),
        endedAt: integer("endedAt"),
        bytesTx: integer("bytesTx"),
        bytesRx: integer("bytesRx")
    },
    (table) => [
        index("idx_accessAuditLog_startedAt").on(table.startedAt),
        index("idx_accessAuditLog_org_startedAt").on(
            table.orgId,
            table.startedAt
        ),
        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
    ]
 );
 export const approvals = sqliteTable("approvals", {
    approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
    orgId: text("orgId")
        .references(() => orgs.orgId, {
            onDelete: "cascade"
        })
        .notNull(),
    clientId: integer("clientId").references(() => clients.clientId, {
        onDelete: "cascade"
    }), // olms reference user devices clients
    userId: text("userId").references(() => users.userId, {
        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
    }),
    decision: text("decision")
        .$type<"approved" | "denied" | "pending">()
        .default("pending")
        .notNull(),
    type: text("type")
        .$type<"user_device" /*| 'proxy' // for later */>()
        .notNull()
 });
 export const bannedEmails = sqliteTable("bannedEmails", {
    email: text("email").primaryKey()
 });
 export const bannedIps = sqliteTable("bannedIps", {
    ip: text("ip").primaryKey()
 });
 export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
    siteProvisioningKeyId: text("siteProvisioningKeyId").primaryKey(),
    name: text("name").notNull(),
    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
    lastChars: text("lastChars").notNull(),
    createdAt: text("dateCreated").notNull(),
    lastUsed: text("lastUsed"),
    maxBatchSize: integer("maxBatchSize"), // null = no limit
    numUsed: integer("numUsed").notNull().default(0),
    validUntil: text("validUntil"),
    approveNewSites: integer("approveNewSites", { mode: "boolean" })
        .notNull()
        .default(true)
 });
 export const siteProvisioningKeyOrg = sqliteTable(
    "siteProvisioningKeyOrg",
    {
        siteProvisioningKeyId: text("siteProvisioningKeyId")
            .notNull()
            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
                onDelete: "cascade"
            }),
        orgId: text("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" })
    },
    (table) => [
        primaryKey({
            columns: [table.siteProvisioningKeyId, table.orgId]
        })
    ]
 );
 export const eventStreamingDestinations = sqliteTable(
    "eventStreamingDestinations",
    {
        destinationId: integer("destinationId").primaryKey({
            autoIncrement: true
        }),
        orgId: text("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        sendConnectionLogs: integer("sendConnectionLogs", { mode: "boolean" }).notNull().default(false),
        sendRequestLogs: integer("sendRequestLogs", { mode: "boolean" }).notNull().default(false),
        sendActionLogs: integer("sendActionLogs", { mode: "boolean" }).notNull().default(false),
        sendAccessLogs: integer("sendAccessLogs", { mode: "boolean" }).notNull().default(false),
        type: text("type").notNull(), // e.g. "http", "kafka", etc.
        config: text("config").notNull(), // JSON string with the configuration for the destination
        enabled: integer("enabled", { mode: "boolean" })
            .notNull()
            .default(true),
        createdAt: integer("createdAt").notNull(),
        updatedAt: integer("updatedAt").notNull()
    }
 );
 export const eventStreamingCursors = sqliteTable(
    "eventStreamingCursors",
    {
        cursorId: integer("cursorId").primaryKey({ autoIncrement: true }),
        destinationId: integer("destinationId")
            .notNull()
            .references(() => eventStreamingDestinations.destinationId, {
                onDelete: "cascade"
            }),
        logType: text("logType").notNull(), // "request" | "action" | "access" | "connection"
        lastSentId: integer("lastSentId").notNull().default(0),
        lastSentAt: integer("lastSentAt") // epoch milliseconds, null if never sent
    },
    (table) => [
        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
            table.destinationId,
            table.logType
        )
    ]
 );
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
@@ -309,3 +476,13 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
 export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
 export type BannedEmail = InferSelectModel<typeof bannedEmails>;
 export type BannedIp = InferSelectModel<typeof bannedIps>;
 export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
 export type EventStreamingDestination = InferSelectModel<
    typeof eventStreamingDestinations
 >;
 export type EventStreamingCursor = InferSelectModel<
    typeof eventStreamingCursors
 >;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,13 +1,13 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
 import {
    index,
    integer,
    primaryKey,
    sqliteTable,
    text,
-    integer,
+    unique
    index,
    uniqueIndex
 } from "drizzle-orm/sqlite-core";
 import { no } from "zod/v4/locales";
 export const domains = sqliteTable("domains", {
    domainId: text("domainId").primaryKey(),
@@ -20,7 +20,8 @@ export const domains = sqliteTable("domains", {
    failed: integer("failed", { mode: "boolean" }).notNull().default(false),
    tries: integer("tries").notNull().default(0),
    certResolver: text("certResolver"),
-    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" })
+    preferWildcardCert: integer("preferWildcardCert", { mode: "boolean" }),
    errorMessage: text("errorMessage")
 });
 export const dnsRecords = sqliteTable("dnsRecords", {
@@ -52,7 +53,14 @@ export const orgs = sqliteTable("orgs", {
        .default(0),
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
-        .default(0)
+        .default(0),
    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
        .default(0),
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
    billingOrgId: text("billingOrgId")
 });
 export const userDomains = sqliteTable("userDomains", {
@@ -92,6 +100,7 @@ export const sites = sqliteTable("sites", {
    lastBandwidthUpdate: text("lastBandwidthUpdate"),
    type: text("type").notNull(), // "newt" or "wireguard"
    online: integer("online", { mode: "boolean" }).notNull().default(false),
    lastPing: integer("lastPing"),
    // exit node stuff that is how to connect to the site when it has a wg server
    address: text("address"), // this is the address of the wireguard interface in newt
@@ -101,7 +110,8 @@ export const sites = sqliteTable("sites", {
    listenPort: integer("listenPort"),
    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
        .notNull()
-        .default(true)
+        .default(true),
    status: text("status").$type<"pending" | "approved">().default("approved")
 });
 export const resources = sqliteTable("resources", {
@@ -150,7 +160,20 @@ export const resources = sqliteTable("resources", {
    proxyProtocol: integer("proxyProtocol", { mode: "boolean" })
        .notNull()
        .default(false),
-    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
    maintenanceModeEnabled: integer("maintenanceModeEnabled", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    maintenanceModeType: text("maintenanceModeType", {
        enum: ["forced", "automatic"]
    }).default("forced"), // "forced" = always show, "automatic" = only when down
    maintenanceTitle: text("maintenanceTitle"),
    maintenanceMessage: text("maintenanceMessage"),
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath")
 });
 export const targets = sqliteTable("targets", {
@@ -201,7 +224,9 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
    }).default(true),
    hcMethod: text("hcMethod").default("GET"),
    hcStatus: integer("hcStatus"), // http code
-    hcHealth: text("hcHealth").default("unknown"), // "unknown", "healthy", "unhealthy"
+    hcHealth: text("hcHealth")
        .$type<"unknown" | "healthy" | "unhealthy">()
        .default("unknown"), // "unknown", "healthy", "unhealthy"
    hcTlsServerName: text("hcTlsServerName")
 });
@@ -233,7 +258,7 @@ export const siteResources = sqliteTable("siteResources", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
-    mode: text("mode").notNull(), // "host" | "cidr" | "port"
+    mode: text("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
    protocol: text("protocol"), // only for port mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
@@ -241,9 +266,15 @@ export const siteResources = sqliteTable("siteResources", {
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    alias: text("alias"),
    aliasAddress: text("aliasAddress"),
-    tcpPortRangeString: text("tcpPortRangeString"),
+    tcpPortRangeString: text("tcpPortRangeString").notNull().default("*"),
-    udpPortRangeString: text("udpPortRangeString"),
+    udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
    disableIcmp: integer("disableIcmp", { mode: "boolean" })
        .notNull()
        .default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
    authDaemonMode: text("authDaemonMode")
        .$type<"site" | "remote">()
        .default("site")
 });
 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -296,10 +327,14 @@ export const users = sqliteTable("user", {
    dateCreated: text("dateCreated").notNull(),
    termsAcceptedTimestamp: text("termsAcceptedTimestamp"),
    termsVersion: text("termsVersion"),
    marketingEmailConsent: integer("marketingEmailConsent", {
        mode: "boolean"
    }).default(false),
    serverAdmin: integer("serverAdmin", { mode: "boolean" })
        .notNull()
        .default(false),
-    lastPasswordChange: integer("lastPasswordChange")
+    lastPasswordChange: integer("lastPasswordChange"),
    locale: text("locale")
 });
 export const securityKeys = sqliteTable("webauthnCredentials", {
@@ -371,7 +406,12 @@ export const clients = sqliteTable("clients", {
    type: text("type").notNull(), // "olm"
    online: integer("online", { mode: "boolean" }).notNull().default(false),
    // endpoint: text("endpoint"),
-    lastHolePunch: integer("lastHolePunch")
+    lastHolePunch: integer("lastHolePunch"),
    archived: integer("archived", { mode: "boolean" }).notNull().default(false),
    blocked: integer("blocked", { mode: "boolean" }).notNull().default(false),
    approvalState: text("approvalState").$type<
        "pending" | "approved" | "denied"
    >()
 });
 export const clientSitesAssociationsCache = sqliteTable(
@@ -383,6 +423,9 @@ export const clientSitesAssociationsCache = sqliteTable(
        isRelayed: integer("isRelayed", { mode: "boolean" })
            .notNull()
            .default(false),
        isJitMode: integer("isJitMode", { mode: "boolean" })
            .notNull()
            .default(false),
        endpoint: text("endpoint"),
        publicKey: text("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
    }
@@ -411,7 +454,160 @@ export const olms = sqliteTable("olms", {
    userId: text("userId").references(() => users.userId, {
        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
    }),
    archived: integer("archived", { mode: "boolean" }).notNull().default(false)
 });
 export const currentFingerprint = sqliteTable("currentFingerprint", {
    fingerprintId: integer("id").primaryKey({ autoIncrement: true }),
    olmId: text("olmId")
        .references(() => olms.olmId, { onDelete: "cascade" })
        .notNull(),
    firstSeen: integer("firstSeen").notNull(),
    lastSeen: integer("lastSeen").notNull(),
    lastCollectedAt: integer("lastCollectedAt").notNull(),
    username: text("username"),
    hostname: text("hostname"),
    platform: text("platform"),
    osVersion: text("osVersion"),
    kernelVersion: text("kernelVersion"),
    arch: text("arch"),
    deviceModel: text("deviceModel"),
    serialNumber: text("serialNumber"),
    platformFingerprint: text("platformFingerprint"),
    // Platform-agnostic checks
    biometricsEnabled: integer("biometricsEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    diskEncrypted: integer("diskEncrypted", { mode: "boolean" })
        .notNull()
        .default(false),
    firewallEnabled: integer("firewallEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    autoUpdatesEnabled: integer("autoUpdatesEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    tpmAvailable: integer("tpmAvailable", { mode: "boolean" })
        .notNull()
        .default(false),
    // Windows-specific posture check information
    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    // macOS-specific posture check information
    macosSipEnabled: integer("macosSipEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    macosGatekeeperEnabled: integer("macosGatekeeperEnabled", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    macosFirewallStealthMode: integer("macosFirewallStealthMode", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    // Linux-specific posture check information
    linuxAppArmorEnabled: integer("linuxAppArmorEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    linuxSELinuxEnabled: integer("linuxSELinuxEnabled", {
        mode: "boolean"
    })
        .notNull()
        .default(false)
 });
 export const fingerprintSnapshots = sqliteTable("fingerprintSnapshots", {
    snapshotId: integer("id").primaryKey({ autoIncrement: true }),
    fingerprintId: integer("fingerprintId").references(
        () => currentFingerprint.fingerprintId,
        {
            onDelete: "set null"
        }
    ),
    username: text("username"),
    hostname: text("hostname"),
    platform: text("platform"),
    osVersion: text("osVersion"),
    kernelVersion: text("kernelVersion"),
    arch: text("arch"),
    deviceModel: text("deviceModel"),
    serialNumber: text("serialNumber"),
    platformFingerprint: text("platformFingerprint"),
    // Platform-agnostic checks
    biometricsEnabled: integer("biometricsEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    diskEncrypted: integer("diskEncrypted", { mode: "boolean" })
        .notNull()
        .default(false),
    firewallEnabled: integer("firewallEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    autoUpdatesEnabled: integer("autoUpdatesEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    tpmAvailable: integer("tpmAvailable", { mode: "boolean" })
        .notNull()
        .default(false),
    // Windows-specific posture check information
    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    // macOS-specific posture check information
    macosSipEnabled: integer("macosSipEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    macosGatekeeperEnabled: integer("macosGatekeeperEnabled", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    macosFirewallStealthMode: integer("macosFirewallStealthMode", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    // Linux-specific posture check information
    linuxAppArmorEnabled: integer("linuxAppArmorEnabled", { mode: "boolean" })
        .notNull()
        .default(false),
    linuxSELinuxEnabled: integer("linuxSELinuxEnabled", {
        mode: "boolean"
    })
        .notNull()
        .default(false),
    hash: text("hash").notNull(),
    collectedAt: integer("collectedAt").notNull()
 });
 export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", {
@@ -459,13 +655,11 @@ export const userOrgs = sqliteTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
    roleId: integer("roleId")
        .notNull()
        .references(() => roles.roleId),
    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
    autoProvisioned: integer("autoProvisioned", {
        mode: "boolean"
-    }).default(false)
+    }).default(false),
    pamUsername: text("pamUsername") // cleaned username for ssh and such
 });
 export const emailVerificationCodes = sqliteTable("emailVerificationCodes", {
@@ -503,9 +697,34 @@ export const roles = sqliteTable("roles", {
        .notNull(),
    isAdmin: integer("isAdmin", { mode: "boolean" }),
    name: text("name").notNull(),
-    description: text("description")
+    description: text("description"),
    requireDeviceApproval: integer("requireDeviceApproval", {
        mode: "boolean"
    }).default(false),
    sshSudoMode: text("sshSudoMode").default("none"), // "none" | "full" | "commands"
    sshSudoCommands: text("sshSudoCommands").default("[]"),
    sshCreateHomeDir: integer("sshCreateHomeDir", { mode: "boolean" }).default(
        true
    ),
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 export const userOrgRoles = sqliteTable(
    "userOrgRoles",
    {
        userId: text("userId")
            .notNull()
            .references(() => users.userId, { onDelete: "cascade" }),
        orgId: text("orgId")
            .notNull()
            .references(() => orgs.orgId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
    },
    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
 );
 export const roleActions = sqliteTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -591,11 +810,21 @@ export const userInvites = sqliteTable("userInvites", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    email: text("email").notNull(),
    expiresAt: integer("expiresAt").notNull(),
-    tokenHash: text("token").notNull(),
+    tokenHash: text("token").notNull()
 });
 export const userInviteRoles = sqliteTable(
    "userInviteRoles",
    {
        inviteId: text("inviteId")
            .notNull()
            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
        roleId: integer("roleId")
            .notNull()
            .references(() => roles.roleId, { onDelete: "cascade" })
-});
+    },
    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
 );
 export const resourcePincode = sqliteTable("resourcePincode", {
    pincodeId: integer("pincodeId").primaryKey({
@@ -628,6 +857,26 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
    headerAuthHash: text("headerAuthHash").notNull()
 });
 export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
    "resourceHeaderAuthExtendedCompatibility",
    {
        headerAuthExtendedCompatibilityId: integer(
            "headerAuthExtendedCompatibilityId"
        ).primaryKey({
            autoIncrement: true
        }),
        resourceId: integer("resourceId")
            .notNull()
            .references(() => resources.resourceId, { onDelete: "cascade" }),
        extendedCompatibilityIsActivated: integer(
            "extendedCompatibilityIsActivated",
            { mode: "boolean" }
        )
            .notNull()
            .default(true)
    }
 );
 export const resourceAccessToken = sqliteTable("resourceAccessToken", {
    accessTokenId: text("accessTokenId").primaryKey(),
    orgId: text("orgId")
@@ -742,7 +991,8 @@ export const idp = sqliteTable("idp", {
        mode: "boolean"
    })
        .notNull()
-        .default(false)
+        .default(false),
    tags: text("tags")
 });
 // Identity Provider OAuth Configuration
@@ -883,6 +1133,16 @@ export const deviceWebAuthCodes = sqliteTable("deviceWebAuthCodes", {
    })
 });
 export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
    messageId: integer("messageId").primaryKey({ autoIncrement: true }),
    wsClientId: text("clientId"),
    messageType: text("messageType"),
    sentAt: integer("sentAt").notNull(),
    receivedAt: integer("receivedAt"),
    error: text("error"),
    complete: integer("complete", { mode: "boolean" }).notNull().default(false)
 });
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -908,11 +1168,16 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
 export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
 export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
    typeof resourceHeaderAuthExtendedCompatibility
 >;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
@@ -941,3 +1206,6 @@ export type SecurityKey = InferSelectModel<typeof securityKeys>;
 export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
 export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
 export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
 export type RoundTripMessageTracker = InferSelectModel<
    typeof roundTripMessageTracker
 >;
--- a/server/emails/templates/EnterpriseEditionKeyGenerated.tsx
+++ b/server/emails/templates/EnterpriseEditionKeyGenerated.tsx
@@ -0,0 +1,118 @@
 import React from "react";
 import { Body, Head, Html, Preview, Tailwind } from "@react-email/components";
 import { themeColors } from "./lib/theme";
 import {
    EmailContainer,
    EmailFooter,
    EmailGreeting,
    EmailHeading,
    EmailInfoSection,
    EmailLetterHead,
    EmailSection,
    EmailSignature,
    EmailText
 } from "./components/Email";
 import CopyCodeBox from "./components/CopyCodeBox";
 import ButtonLink from "./components/ButtonLink";
 type EnterpriseEditionKeyGeneratedProps = {
    keyValue: string;
    personalUseOnly: boolean;
    users: number;
    sites: number;
    modifySubscriptionLink?: string;
 };
 export const EnterpriseEditionKeyGenerated = ({
    keyValue,
    personalUseOnly,
    users,
    sites,
    modifySubscriptionLink
 }: EnterpriseEditionKeyGeneratedProps) => {
    const previewText = personalUseOnly
        ? "Your Enterprise Edition key for personal use is ready"
        : "Thank you for your purchase — your Enterprise Edition key is ready";
    return (
        <Html>
            <Head />
            <Preview>{previewText}</Preview>
            <Tailwind config={themeColors}>
                <Body className="font-sans bg-gray-50">
                    <EmailContainer>
                        <EmailLetterHead />
                        <EmailGreeting>Hi there,</EmailGreeting>
                        {personalUseOnly ? (
                            <EmailText>
                                Your Enterprise Edition license key has been
                                generated. Qualifying users can use the
                                Enterprise Edition for free for{" "}
                                <strong>personal use only</strong>.
                            </EmailText>
                        ) : (
                            <>
                                <EmailText>
                                    Thank you for your purchase. Your Enterprise
                                    Edition license key is ready. Below are the
                                    terms of your license.
                                </EmailText>
                                <EmailInfoSection
                                    title="License details"
                                    items={[
                                        {
                                            label: "Licensed users",
                                            value: users
                                        },
                                        {
                                            label: "Licensed sites",
                                            value: sites
                                        }
                                    ]}
                                />
                                {modifySubscriptionLink && (
                                    <EmailSection>
                                        <ButtonLink
                                            href={modifySubscriptionLink}
                                        >
                                            Modify subscription
                                        </ButtonLink>
                                    </EmailSection>
                                )}
                            </>
                        )}
                        <EmailSection>
                            <EmailText>Your license key:</EmailText>
                            <CopyCodeBox
                                text={keyValue}
                                hint="Copy this key and use it when activating Enterprise Edition on your Pangolin host."
                            />
                        </EmailSection>
                        <EmailText>
                            If you need to purchase additional license keys or
                            modify your existing license, please reach out to
                            our support team at{" "}
                            <a
                                href="mailto:support@pangolin.net"
                                className="text-primary font-medium"
                            >
                                support@pangolin.net
                            </a>
                            .
                        </EmailText>
                        <EmailFooter>
                            <EmailSignature />
                        </EmailFooter>
                    </EmailContainer>
                </Body>
            </Tailwind>
        </Html>
    );
 };
 export default EnterpriseEditionKeyGenerated;
--- a/server/emails/templates/components/CopyCodeBox.tsx
+++ b/server/emails/templates/components/CopyCodeBox.tsx
@@ -1,6 +1,14 @@
 import React from "react";
-export default function CopyCodeBox({ text }: { text: string }) {
+const DEFAULT_HINT = "Copy and paste this code when prompted";
 export default function CopyCodeBox({
    text,
    hint
 }: {
    text: string;
    hint?: string;
 }) {
    return (
        <div className="inline-block">
            <div className="bg-gray-50 border border-gray-200 rounded-lg px-6 py-4 mx-auto">
@@ -8,9 +16,7 @@ export default function CopyCodeBox({ text }: { text: string }) {
                    {text}
                </span>
            </div>
-            <p className="text-xs text-gray-500 mt-2">
+            <p className="text-xs text-gray-500 mt-2">{hint ?? DEFAULT_HINT}</p>
                Copy and paste this code when prompted
            </p>
        </div>
    );
 }
--- a/server/index.ts
+++ b/server/index.ts
@@ -74,7 +74,7 @@ declare global {
            session: Session;
            userOrg?: UserOrg;
            apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleId?: number;
+            userOrgRoleIds?: number[];
            userOrgId?: string;
            userOrgIds?: string[];
            remoteExitNode?: RemoteExitNode;
--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -17,6 +17,7 @@ import fs from "fs";
 import path from "path";
 import { APP_PATH } from "./lib/consts";
 import yaml from "js-yaml";
 import { z } from "zod";
 const dev = process.env.ENVIRONMENT !== "prod";
 const externalPort = config.getRawConfig().server.integration_port;
@@ -38,12 +39,24 @@ export function createIntegrationApiServer() {
    apiServer.use(cookieParser());
    apiServer.use(express.json());
    const openApiDocumentation = getOpenApiDocumentation();
    apiServer.use(
        "/v1/docs",
        swaggerUi.serve,
-        swaggerUi.setup(getOpenApiDocumentation())
+        swaggerUi.setup(openApiDocumentation)
    );
    // Unauthenticated OpenAPI spec endpoints
    apiServer.get("/v1/openapi.json", (_req, res) => {
        res.json(openApiDocumentation);
    });
    apiServer.get("/v1/openapi.yaml", (_req, res) => {
        const yamlOutput = yaml.dump(openApiDocumentation);
        res.type("application/yaml").send(yamlOutput);
    });
    // API routes
    const prefix = `/v1`;
    apiServer.use(logIncomingMiddleware);
@@ -75,16 +88,6 @@ function getOpenApiDocumentation() {
        }
    );
    for (const def of registry.definitions) {
        if (def.type === "route") {
            def.route.security = [
                {
                    [bearerAuth.name]: []
                }
            ];
        }
    }
    registry.registerPath({
        method: "get",
        path: "/",
@@ -94,6 +97,74 @@ function getOpenApiDocumentation() {
        responses: {}
    });
    registry.registerPath({
        method: "get",
        path: "/openapi.json",
        description: "Get OpenAPI specification as JSON",
        tags: [],
        request: {},
        responses: {
            "200": {
                description: "OpenAPI specification as JSON",
                content: {
                    "application/json": {
                        schema: {
                            type: "object"
                        }
                    }
                }
            }
        }
    });
    registry.registerPath({
        method: "get",
        path: "/openapi.yaml",
        description: "Get OpenAPI specification as YAML",
        tags: [],
        request: {},
        responses: {
            "200": {
                description: "OpenAPI specification as YAML",
                content: {
                    "application/yaml": {
                        schema: {
                            type: "string"
                        }
                    }
                }
            }
        }
    });
    for (const def of registry.definitions) {
        if (def.type === "route") {
            def.route.security = [
                {
                    [bearerAuth.name]: []
                }
            ];
            // Ensure every route has a generic JSON response schema so Swagger UI can render responses
            const existingResponses = def.route.responses;
            const hasExistingResponses =
                existingResponses && Object.keys(existingResponses).length > 0;
            if (!hasExistingResponses) {
                def.route.responses = {
                    "*": {
                        description: "",
                        content: {
                            "application/json": {
                                schema: z.object({})
                            }
                        }
                    }
                };
            }
        }
    }
    const generator = new OpenApiGeneratorV3(registry.definitions);
    const generated = generator.generateDocument({
@@ -105,11 +176,13 @@ function getOpenApiDocumentation() {
        servers: [{ url: "/v1" }]
    });
    if (!process.env.DISABLE_GEN_OPENAPI) {
        // convert to yaml and save to file
        const outputPath = path.join(APP_PATH, "openapi.yaml");
        const yamlOutput = yaml.dump(generated);
        fs.writeFileSync(outputPath, yamlOutput, "utf8");
        logger.info(`OpenAPI documentation saved to ${outputPath}`);
    }
    return generated;
 }
--- a/server/internalServer.ts
+++ b/server/internalServer.ts
@@ -16,6 +16,11 @@ const internalPort = config.getRawConfig().server.internal_port;
 export function createInternalServer() {
    const internalServer = express();
    const trustProxy = config.getRawConfig().server.trust_proxy;
    if (trustProxy) {
        internalServer.set("trust proxy", trustProxy);
    }
    internalServer.use(helmet());
    internalServer.use(cors());
    internalServer.use(stripDuplicateSesions);
--- a/server/lib/billing/features.ts
+++ b/server/lib/billing/features.ts
@@ -1,30 +1,44 @@
 import Stripe from "stripe";
 export enum FeatureId {
    SITE_UPTIME = "siteUptime",
    USERS = "users",
    SITES = "sites",
    EGRESS_DATA_MB = "egressDataMb",
    DOMAINS = "domains",
-    REMOTE_EXIT_NODES = "remoteExitNodes"
+    REMOTE_EXIT_NODES = "remoteExitNodes",
    ORGINIZATIONS = "organizations",
    TIER1 = "tier1"
 }
-export const FeatureMeterIds: Record<FeatureId, string> = {
+export async function getFeatureDisplayName(featureId: FeatureId): Promise<string> {
-    [FeatureId.SITE_UPTIME]: "mtr_61Srrej5wUJuiTWgo41D3Ee2Ir7WmDLU",
+    switch (featureId) {
-    [FeatureId.USERS]: "mtr_61SrreISyIWpwUNGR41D3Ee2Ir7WmQro",
+        case FeatureId.USERS:
-    [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW",
+            return "Users";
-    [FeatureId.DOMAINS]: "mtr_61Ss9nIKDNMw0LDRU41D3Ee2Ir7WmRPU",
+        case FeatureId.SITES:
-    [FeatureId.REMOTE_EXIT_NODES]: "mtr_61T86UXnfxTVXy9sD41D3Ee2Ir7WmFTE"
+            return "Sites";
        case FeatureId.EGRESS_DATA_MB:
            return "Egress Data (MB)";
        case FeatureId.DOMAINS:
            return "Domains";
        case FeatureId.REMOTE_EXIT_NODES:
            return "Remote Exit Nodes";
        case FeatureId.ORGINIZATIONS:
            return "Organizations";
        case FeatureId.TIER1:
            return "Home Lab";
        default:
            return featureId;
    }
 }
 // this is from the old system
 export const FeatureMeterIds: Partial<Record<FeatureId, string>> = { // right now we are not charging for any data
    // [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW"
 };
-export const FeatureMeterIdsSandbox: Record<FeatureId, string> = {
+export const FeatureMeterIdsSandbox: Partial<Record<FeatureId, string>> = {
-    [FeatureId.SITE_UPTIME]: "mtr_test_61Snh3cees4w60gv841DCpkOb237BDEu",
+    // [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ"
    [FeatureId.USERS]: "mtr_test_61Sn5fLtq1gSfRkyA41DCpkOb237B6au",
    [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ",
    [FeatureId.DOMAINS]: "mtr_test_61SsA8qrdAlgPpFRQ41DCpkOb237BGts",
    [FeatureId.REMOTE_EXIT_NODES]: "mtr_test_61T86Vqmwa3D9ra3341DCpkOb237B94K"
 };
-export function getFeatureMeterId(featureId: FeatureId): string {
+export function getFeatureMeterId(featureId: FeatureId): string | undefined {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
@@ -43,45 +57,81 @@ export function getFeatureIdByMetricId(
    )?.[0];
 }
-export type FeaturePriceSet = {
+export type FeaturePriceSet = Partial<Record<FeatureId, string>>;
-    [key in Exclude<FeatureId, FeatureId.DOMAINS>]: string;
+
-} & {
+export const tier1FeaturePriceSet: FeaturePriceSet = {
-    [FeatureId.DOMAINS]?: string; // Optional since domains are not billed
+    [FeatureId.TIER1]: "price_1SzVE3D3Ee2Ir7Wm6wT5Dl3G"
 };
-export const standardFeaturePriceSet: FeaturePriceSet = {
+export const tier1FeaturePriceSetSandbox: FeaturePriceSet = {
-    // Free tier matches the freeLimitSet
+    [FeatureId.TIER1]: "price_1SxgpPDCpkOb237Bfo4rIsoT"
    [FeatureId.SITE_UPTIME]: "price_1RrQc4D3Ee2Ir7WmaJGZ3MtF",
    [FeatureId.USERS]: "price_1RrQeJD3Ee2Ir7WmgveP3xea",
    [FeatureId.EGRESS_DATA_MB]: "price_1RrQXFD3Ee2Ir7WmvGDlgxQk",
    // [FeatureId.DOMAINS]: "price_1Rz3tMD3Ee2Ir7Wm5qLeASzC",
    [FeatureId.REMOTE_EXIT_NODES]: "price_1S46weD3Ee2Ir7Wm94KEHI4h"
 };
-export const standardFeaturePriceSetSandbox: FeaturePriceSet = {
+export function getTier1FeaturePriceSet(): FeaturePriceSet {
    // Free tier matches the freeLimitSet
    [FeatureId.SITE_UPTIME]: "price_1RefFBDCpkOb237BPrKZ8IEU",
    [FeatureId.USERS]: "price_1ReNa4DCpkOb237Bc67G5muF",
    [FeatureId.EGRESS_DATA_MB]: "price_1Rfp9LDCpkOb237BwuN5Oiu0",
    // [FeatureId.DOMAINS]: "price_1Ryi88DCpkOb237B2D6DM80b",
    [FeatureId.REMOTE_EXIT_NODES]: "price_1RyiZvDCpkOb237BXpmoIYJL"
 };
 export function getStandardFeaturePriceSet(): FeaturePriceSet {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
    ) {
-        return standardFeaturePriceSet;
+        return tier1FeaturePriceSet;
    } else {
-        return standardFeaturePriceSetSandbox;
+        return tier1FeaturePriceSetSandbox;
    }
 }
-export function getLineItems(
+export const tier2FeaturePriceSet: FeaturePriceSet = {
-    featurePriceSet: FeaturePriceSet
+    [FeatureId.USERS]: "price_1SzVCcD3Ee2Ir7Wmn6U3KvPN"
-): Stripe.Checkout.SessionCreateParams.LineItem[] {
+};
-    return Object.entries(featurePriceSet).map(([featureId, priceId]) => ({
+
-        price: priceId
+export const tier2FeaturePriceSetSandbox: FeaturePriceSet = {
-    }));
+    [FeatureId.USERS]: "price_1SxaEHDCpkOb237BD9lBkPiR"
 };
 export function getTier2FeaturePriceSet(): FeaturePriceSet {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
    ) {
        return tier2FeaturePriceSet;
    } else {
        return tier2FeaturePriceSetSandbox;
    }
 }
 export const tier3FeaturePriceSet: FeaturePriceSet = {
    [FeatureId.USERS]: "price_1SzVDKD3Ee2Ir7WmPtOKNusv"
 };
 export const tier3FeaturePriceSetSandbox: FeaturePriceSet = {
    [FeatureId.USERS]: "price_1SxaEODCpkOb237BiXdCBSfs"
 };
 export function getTier3FeaturePriceSet(): FeaturePriceSet {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
    ) {
        return tier3FeaturePriceSet;
    } else {
        return tier3FeaturePriceSetSandbox;
    }
 }
 export function getFeatureIdByPriceId(priceId: string): FeatureId | undefined {
    // Check all feature price sets
    const allPriceSets = [
        getTier1FeaturePriceSet(),
        getTier2FeaturePriceSet(),
        getTier3FeaturePriceSet()
    ];
    for (const priceSet of allPriceSets) {
        const entry = (Object.entries(priceSet) as [FeatureId, string][]).find(
            ([_, price]) => price === priceId
        );
        if (entry) {
            return entry[0];
        }
    }
    return undefined;
 }
--- a/server/lib/billing/getLineItems.ts
+++ b/server/lib/billing/getLineItems.ts
@@ -0,0 +1,25 @@
 import Stripe from "stripe";
 import { FeatureId, FeaturePriceSet } from "./features";
 import { usageService } from "./usageService";
 export async function getLineItems(
    featurePriceSet: FeaturePriceSet,
    orgId: string,
 ): Promise<Stripe.Checkout.SessionCreateParams.LineItem[]> {
    const users = await usageService.getUsage(orgId, FeatureId.USERS);
    return Object.entries(featurePriceSet).map(([featureId, priceId]) => {
        let quantity: number | undefined;
        if (featureId === FeatureId.USERS) {
            quantity = users?.instantaneousValue || 1;
        } else if (featureId === FeatureId.TIER1) {
            quantity = 1;
        }
        return {
            price: priceId,
            quantity: quantity
        };
    });
 }
--- a/server/lib/billing/licenses.ts
+++ b/server/lib/billing/licenses.ts
@@ -0,0 +1,37 @@
 export enum LicenseId {
    SMALL_LICENSE = "small_license",
    BIG_LICENSE = "big_license"
 }
 export type LicensePriceSet = {
    [key in LicenseId]: string;
 };
 export const licensePriceSet: LicensePriceSet = {
    // Free license matches the freeLimitSet
    [LicenseId.SMALL_LICENSE]: "price_1SxKHiD3Ee2Ir7WmvtEh17A8",
    [LicenseId.BIG_LICENSE]: "price_1SxKHiD3Ee2Ir7WmMUiP0H6Y"
 };
 export const licensePriceSetSandbox: LicensePriceSet = {
    // Free license matches the freeLimitSet
    // when matching license the keys closer to 0 index are matched first so list the licenses in descending order of value
    [LicenseId.SMALL_LICENSE]: "price_1SxDwuDCpkOb237Bz0yTiOgN",
    [LicenseId.BIG_LICENSE]: "price_1SxDy0DCpkOb237BWJxrxYkl"
 };
 export function getLicensePriceSet(
    environment?: string,
    sandbox_mode?: boolean
 ): LicensePriceSet {
    if (
        (process.env.ENVIRONMENT == "prod" &&
            process.env.SANDBOX_MODE !== "true") ||
        (environment === "prod" && sandbox_mode !== true)
    ) {
        // THIS GETS LOADED CLIENT SIDE AND SERVER SIDE
        return licensePriceSet;
    } else {
        return licensePriceSetSandbox;
    }
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`import { runMigrations } from "./";`

							`await runMigrations();`