Merge branch 'main' into dev

support authPath in device login
Update sum
2026-03-02 16:56:39 +00:00 · 2026-02-26 20:14:41 -08:00 · 2026-02-26 14:59:34 -08:00 · 2026-02-25 16:46:20 -08:00 · 2026-02-25 16:45:35 -08:00 · 2026-02-25 16:35:57 -08:00
945 changed files with 70943 additions and 34947 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -28,7 +28,9 @@ LICENSE
 CONTRIBUTING.md
 dist
 .git
-migrations/
+server/migrations/
 config/
 build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -1,6 +1,3 @@
 {
-    "extends": [
+    "extends": ["next/core-web-vitals", "next/typescript"]
        "next/core-web-vitals",
        "next/typescript"
    ]
 }
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -44,19 +44,9 @@ updates:
    schedule:
      interval: "daily"
    groups:
-      dev-patch-updates:
+      patch-updates:
        dependency-type: "development"
        update-types:
          - "patch"
-      dev-minor-updates:
+      minor-updates:
        dependency-type: "development"
        update-types:
          - "minor"
      prod-patch-updates:
        dependency-type: "production"
        update-types:
          - "patch"
      prod-minor-updates:
        dependency-type: "production"
        update-types:
          - "minor"
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -1,4 +1,4 @@
-name: CI/CD Pipeline
+name: Public CICD Pipeline
 # CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
 # Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
@@ -17,16 +17,42 @@ on:
    push:
        tags:
            - "[0-9]+.[0-9]+.[0-9]+"
-            - "[0-9]+.[0-9]+.[0-9]+.rc.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
 concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true
 jobs:
-    release:
+    pre-run:
-        name: Build and Release
+        runs-on: ubuntu-latest
-        runs-on: [self-hosted, linux, x64]
+        permissions: write-all
        steps:
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Verify AWS identity
              run: aws sts get-caller-identity
            - name: Start EC2 instances
              run: |
                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
                  echo "EC2 instances started"
    release-arm:
        name: Build and Release (ARM64)
        runs-on: [self-hosted, linux, arm64, us-east-1]
        needs: [pre-run]
        if: >-
            ${{
                needs.pre-run.result == 'success'
            }}
        # Job-level timeout to avoid runaway or stuck runs
        timeout-minutes: 120
        env:
@@ -36,27 +62,209 @@ jobs:
        steps:
            - name: Checkout code
-              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            - name: Set up QEMU
+            - name: Monitor storage space
-              uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+              run: |
-
+                  THRESHOLD=75
-            - name: Set up Docker Buildx
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
-              uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+                  echo "Used space: $USED_SPACE%"
                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
                      echo y | docker system prune -a
                  else
                      echo "Storage space is above the threshold. No action needed."
                  fi
            - name: Log in to Docker Hub
-              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
              shell: bash
            - name: Update version in package.json
              run: |
                  TAG=${{ env.TAG }}
                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
                  cat server/lib/consts.ts
              shell: bash
            - name: Check if release candidate
              id: check-rc
              run: |
                  TAG=${{ env.TAG }}
                  if [[ "$TAG" == *"-rc."* ]]; then
                      echo "IS_RC=true" >> $GITHUB_ENV
                  else
                      echo "IS_RC=false" >> $GITHUB_ENV
                  fi
              shell: bash
            - name: Build and push Docker images (Docker Hub - ARM64)
              run: |
                  TAG=${{ env.TAG }}
                  if [ "$IS_RC" = "true" ]; then
                      make build-rc-arm tag=$TAG
                  else
                      make build-release-arm tag=$TAG
                  fi
                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash
    release-amd:
        name: Build and Release (AMD64)
        runs-on: [self-hosted, linux, x64, us-east-1]
        needs: [pre-run]
        if: >-
            ${{
                needs.pre-run.result == 'success'
            }}
        # Job-level timeout to avoid runaway or stuck runs
        timeout-minutes: 120
        env:
          # Target images
          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
        steps:
            - name: Checkout code
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Monitor storage space
              run: |
                  THRESHOLD=75
                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
                  echo "Used space: $USED_SPACE%"
                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
                      echo y | docker system prune -a
                  else
                      echo "Storage space is above the threshold. No action needed."
                  fi
            - name: Log in to Docker Hub
              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
              shell: bash
            - name: Update version in package.json
              run: |
                  TAG=${{ env.TAG }}
                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
                  cat server/lib/consts.ts
              shell: bash
            - name: Check if release candidate
              id: check-rc
              run: |
                  TAG=${{ env.TAG }}
                  if [[ "$TAG" == *"-rc."* ]]; then
                      echo "IS_RC=true" >> $GITHUB_ENV
                  else
                      echo "IS_RC=false" >> $GITHUB_ENV
                  fi
              shell: bash
            - name: Build and push Docker images (Docker Hub - AMD64)
              run: |
                  TAG=${{ env.TAG }}
                  if [ "$IS_RC" = "true" ]; then
                      make build-rc-amd tag=$TAG
                  else
                      make build-release-amd tag=$TAG
                  fi
                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash
    create-manifest:
        name: Create Multi-Arch Manifests
        runs-on: [self-hosted, linux, x64, us-east-1]
        needs: [release-arm, release-amd]
        if: >-
            ${{
                needs.release-arm.result == 'success' &&
                needs.release-amd.result == 'success'
            }}
        timeout-minutes: 30
        steps:
            - name: Checkout code
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Log in to Docker Hub
              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
              shell: bash
            - name: Check if release candidate
              id: check-rc
              run: |
                  TAG=${{ env.TAG }}
                  if [[ "$TAG" == *"-rc."* ]]; then
                      echo "IS_RC=true" >> $GITHUB_ENV
                  else
                      echo "IS_RC=false" >> $GITHUB_ENV
                  fi
              shell: bash
            - name: Create multi-arch manifests
              run: |
                  TAG=${{ env.TAG }}
                  if [ "$IS_RC" = "true" ]; then
                      make create-manifests-rc tag=$TAG
                  else
                      make create-manifests tag=$TAG
                  fi
                  echo "Created multi-arch manifests for tag: ${TAG}"
              shell: bash
    sign-and-package:
        name: Sign and Package
        runs-on: [self-hosted, linux, x64, us-east-1]
        needs: [release-arm, release-amd, create-manifest]
        if: >-
            ${{
                needs.release-arm.result == 'success' &&
                needs.release-amd.result == 'success' &&
                needs.create-manifest.result == 'success'
            }}
        # Job-level timeout to avoid runaway or stuck runs
        timeout-minutes: 120
        env:
          # Target images
          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
        steps:
            - name: Checkout code
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
              shell: bash
            - name: Install Go
-              uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
              with:
                  go-version: 1.24
@@ -81,36 +289,21 @@ jobs:
                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
              shell: bash
            - name: Update install/main.go
              run: |
                  PANGOLIN_VERSION=${{ env.TAG }}
                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
                  cat install/main.go
              shell: bash
            - name: Build installer
              working-directory: install
              run: |
-                  make go-build-release 
+                  make go-build-release \
                    PANGOLIN_VERSION=${{ env.TAG }} \
                    GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }} \
                    BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
              shell: bash
            - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
              with:
                  name: install-bin
                  path: install/bin/
            - name: Build and push Docker images (Docker Hub)
              run: |
                  TAG=${{ env.TAG }}
                  make build-release tag=$TAG
                  echo "Built & pushed to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash
            - name: Install skopeo + jq
              # skopeo: copy/inspect images between registries
              # jq: JSON parsing tool used to extract digest values
@@ -121,21 +314,105 @@ jobs:
              shell: bash
            - name: Login to GHCR
              env:
                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
              run: |
                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
              shell: bash
-            - name: Copy tag from Docker Hub to GHCR
+            - name: Copy tags from Docker Hub to GHCR
-              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              # Mirror the already-built images (all architectures) to GHCR so we can sign them
              # Wait a bit for both architectures to be available in Docker Hub manifest
              env:
                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
              run: |
                  set -euo pipefail
                  TAG=${{ env.TAG }}
-                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                  MAJOR_TAG=$(echo $TAG | cut -d. -f1)
-                  skopeo copy --all --retry-times 3 \
+                  MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
-                    docker://$DOCKERHUB_IMAGE:$TAG \
+
-                    docker://$GHCR_IMAGE:$TAG
+                  echo "Waiting for multi-arch manifests to be ready..."
                  sleep 30
                  # Determine if this is an RC release
                  IS_RC="false"
                  if [[ "$TAG" == *"-rc."* ]]; then
                      IS_RC="true"
                  fi
                  if [ "$IS_RC" = "true" ]; then
                      echo "RC release detected - copying version-specific tags only"
                      # SQLite OSS
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:$TAG \
                        docker://$GHCR_IMAGE:$TAG
                      # PostgreSQL OSS
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
                        docker://$GHCR_IMAGE:postgresql-$TAG
                      # SQLite Enterprise
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:ee-$TAG \
                        docker://$GHCR_IMAGE:ee-$TAG
                      # PostgreSQL Enterprise
                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
                      skopeo copy --all --retry-times 3 \
                        docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
                        docker://$GHCR_IMAGE:ee-postgresql-$TAG
                  else
                      echo "Regular release detected - copying all tags (latest, major, minor, full version)"
                      # SQLite OSS - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:$TAG_SUFFIX
                      done
                      # PostgreSQL OSS - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
                      done
                      # SQLite Enterprise - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
                      done
                      # PostgreSQL Enterprise - all tags
                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
                          skopeo copy --all --retry-times 3 \
                            docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
                            docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
                      done
                  fi
                  echo "All images copied successfully to GHCR!"
              shell: bash
            - name: Login to GitHub Container Registry (for cosign)
              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
                password: ${{ secrets.GITHUB_TOKEN }}
            - name: Install cosign
              # cosign is used to sign and verify container images (key and keyless)
              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
@@ -155,26 +432,155 @@ jobs:
                  issuer="https://token.actions.githubusercontent.com"
                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
-                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                  # Track failures
-                    echo "Processing ${IMAGE}:${TAG}"
+                  FAILED_TAGS=()
                  SUCCESSFUL_TAGS=()
-                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                  # Determine if this is an RC release
-                    REF="${IMAGE}@${DIGEST}"
+                  IS_RC="false"
-                    echo "Resolved digest: ${REF}"
+                  if [[ "$TAG" == *"-rc."* ]]; then
                      IS_RC="true"
                  fi
-                    echo "==> cosign sign (keyless) --recursive ${REF}"
+                  # Define image variants to sign
-                    cosign sign --recursive "${REF}"
+                  if [ "$IS_RC" = "true" ]; then
                      echo "RC release - signing version-specific tags only"
                      IMAGE_TAGS=(
                          "${TAG}"
                          "postgresql-${TAG}"
                          "ee-${TAG}"
                          "ee-postgresql-${TAG}"
                      )
                  else
                      echo "Regular release - signing all tags"
                      MAJOR_TAG=$(echo $TAG | cut -d. -f1)
                      MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
                      IMAGE_TAGS=(
                          "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
                          "postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
                          "ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
                          "ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
                      )
                  fi
-                    echo "==> cosign sign (key) --recursive ${REF}"
+                  # Sign each image variant for both registries
-                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
                      TAG_FAILED=false
-                    echo "==> cosign verify (public key) ${REF}"
+                      # Wrap the entire tag processing in error handling
-                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+                      (
                        set -e
                        DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
                        REF="${BASE_IMAGE}@${DIGEST}"
                        echo "Resolved digest: ${REF}"
-                    echo "==> cosign verify (keyless policy) ${REF}"
+                        echo "==> cosign sign (keyless) --recursive ${REF}"
-                    cosign verify \
+                        cosign sign --recursive "${REF}"
-                      --certificate-oidc-issuer "${issuer}" \
+
-                      --certificate-identity-regexp "${id_regex}" \
+                        echo "==> cosign sign (key) --recursive ${REF}"
-                      "${REF}" -o text
+                        cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
                        # Retry wrapper for verification to handle registry propagation delays
                        retry_verify() {
                          local cmd="$1"
                          local attempts=6
                          local delay=5
                          local i=1
                          until eval "$cmd"; do
                            if [ $i -ge $attempts ]; then
                              echo "Verification failed after $attempts attempts"
                              return 1
                            fi
                            echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
                            sleep $delay
                            i=$((i+1))
                            delay=$((delay*2))
                            # Cap the delay to avoid very long waits
                            if [ $delay -gt 60 ]; then delay=60; fi
                          done
                          return 0
                        }
                        echo "==> cosign verify (public key) ${REF}"
                        if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
                          VERIFIED_INDEX=true
                        else
                          VERIFIED_INDEX=false
                        fi
                        echo "==> cosign verify (keyless policy) ${REF}"
                        if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
                          VERIFIED_INDEX_KEYLESS=true
                        else
                          VERIFIED_INDEX_KEYLESS=false
                        fi
                        # Check if verification succeeded
                        if [ "${VERIFIED_INDEX}" != "true" ] && [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
                          echo "⚠️  WARNING: Verification not available for ${BASE_IMAGE}:${IMAGE_TAG}"
                          echo "This may be due to registry propagation delays. Continuing anyway."
                        fi
                      ) || TAG_FAILED=true
                      if [ "$TAG_FAILED" = "true" ]; then
                        echo "⚠️  WARNING: Failed to sign/verify ${BASE_IMAGE}:${IMAGE_TAG}"
                        FAILED_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
                      else
                        echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
                        SUCCESSFUL_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
                      fi
                    done
                  done
                  # Report summary
                  echo ""
                  echo "=========================================="
                  echo "Sign and Verify Summary"
                  echo "=========================================="
                  echo "Successful: ${#SUCCESSFUL_TAGS[@]}"
                  echo "Failed: ${#FAILED_TAGS[@]}"
                  echo ""
                  if [ ${#FAILED_TAGS[@]} -gt 0 ]; then
                    echo "Failed tags:"
                    for tag in "${FAILED_TAGS[@]}"; do
                      echo "  - $tag"
                    done
                    echo ""
                    echo "⚠️  WARNING: Some tags failed to sign/verify, but continuing anyway"
                  else
                    echo "✓ All images signed and verified successfully!"
                  fi
              shell: bash
    post-run:
        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
        if: >-
            ${{
                always() &&
                needs.pre-run.result == 'success' &&
                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
            }}
        runs-on: ubuntu-latest
        permissions: write-all
        steps:
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Verify AWS identity
              run: aws sts get-caller-identity
            - name: Stop EC2 instances
              run: |
                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
                  echo "EC2 instances stopped"
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -21,12 +21,12 @@ jobs:
        runs-on: ubuntu-latest
        steps:
            - name: Checkout code
-              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Set up Node.js
-              uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
              with:
-                node-version: '22'
+                node-version: '24'
            - name: Install dependencies
              run: npm ci
--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -45,7 +45,7 @@ jobs:
        run: |
          set -euo pipefail
          skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
-            | jq -r '.Tags[]' | sort -u > src-tags.txt
+            | jq -r '.Tags[]' | grep -v -e '-arm64' -e '-amd64' | sort -u > src-tags.txt
          echo "Found source tags: $(wc -l < src-tags.txt)"
          head -n 20 src-tags.txt || true
--- a/.github/workflows/restart-runners.yml
+++ b/.github/workflows/restart-runners.yml
@@ -0,0 +1,39 @@
 name: Restart Runners
 on:
  schedule:
    - cron: '0 0 */7 * *'
 permissions:
    id-token: write
    contents: read
 jobs:
  ec2-maintenance-prod:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
          role-duration-seconds: 3600
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Verify AWS identity
        run: aws sts get-caller-identity
      - name: Start EC2 instance
        run: |
          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
          aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
          echo "EC2 instances started"
      - name: Wait
        run: sleep 600
      - name: Stop EC2 instance
        run: |
          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
          aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
          echo "EC2 instances stopped"
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -0,0 +1,160 @@
 name: SAAS Pipeline
 # CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
 # Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
 permissions:
  contents: read
  packages: write      # for GHCR push
  id-token: write      # for Cosign Keyless (OIDC) Signing
 on:
    push:
        tags:
            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
 concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true
 jobs:
    pre-run:
        runs-on: ubuntu-latest
        permissions: write-all
        steps:
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Verify AWS identity
              run: aws sts get-caller-identity
            - name: Start EC2 instances
              run: |
                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
                  echo "EC2 instances started"
    release-arm:
        name: Build and Release (ARM64)
        runs-on: [self-hosted, linux, arm64, us-east-1]
        needs: [pre-run]
        if: >-
            ${{
                needs.pre-run.result == 'success'
            }}
        # Job-level timeout to avoid runaway or stuck runs
        timeout-minutes: 120
        env:
          # Target images
          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
        steps:
            - name: Checkout code
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Download MaxMind GeoLite2 databases
              env:
                MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
              run: |
                echo "Downloading MaxMind GeoLite2 databases..."
                # Download GeoLite2-Country
                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
                  -o GeoLite2-Country.tar.gz
                # Download GeoLite2-ASN
                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
                  -o GeoLite2-ASN.tar.gz
                # Extract the .mmdb files
                tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
                tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
                # Verify files exist
                if [ ! -f "GeoLite2-Country.mmdb" ]; then
                  echo "ERROR: Failed to download GeoLite2-Country.mmdb"
                  exit 1
                fi
                if [ ! -f "GeoLite2-ASN.mmdb" ]; then
                  echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
                  exit 1
                fi
                # Clean up tar files
                rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
                echo "MaxMind databases downloaded successfully"
                ls -lh GeoLite2-*.mmdb
            - name: Monitor storage space
              run: |
                  THRESHOLD=75
                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
                  echo "Used space: $USED_SPACE%"
                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
                      echo y | docker system prune -a
                  else
                      echo "Storage space is above the threshold. No action needed."
                  fi
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Login to Amazon ECR
              id: login-ecr
              uses: aws-actions/amazon-ecr-login@v2
            - name: Extract tag name
              id: get-tag
              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
              shell: bash
            - name: Update version in package.json
              run: |
                  TAG=${{ env.TAG }}
                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
                  cat server/lib/consts.ts
              shell: bash
            - name: Build and push Docker images (Docker Hub - ARM64)
              run: |
                  TAG=${{ env.TAG }}
                  make build-saas tag=$TAG
                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
              shell: bash
    post-run:
        needs: [pre-run, release-arm]
        if: >-
            ${{
                always() &&
                needs.pre-run.result == 'success' &&
                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
            }}
        runs-on: ubuntu-latest
        permissions: write-all
        steps:
            - name: Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v6
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
                  aws-region: ${{ secrets.AWS_REGION }}
            - name: Verify AWS identity
              run: aws sts get-caller-identity
            - name: Stop EC2 instances
              run: |
                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
                  echo "EC2 instances stopped"
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@@ -14,7 +14,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          days-before-stale: 14
          days-before-close: 14
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,13 +12,14 @@ on:
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      - name: Install Node
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
-          node-version: '22'
+          node-version: '24'
      - name: Copy config file
        run: cp config/config.example.yml config/config.yml
@@ -33,10 +34,10 @@ jobs:
        run: npm run set:oss
      - name: Generate database migrations
-        run: npm run db:sqlite:generate
+        run: npm run db:generate
      - name: Apply database migrations
-        run: npm run db:sqlite:push
+        run: npm run db:push
      - name: Test with tsc
        run: npx tsc --noEmit
@@ -57,8 +58,20 @@ jobs:
          echo "App failed to start"
          exit 1
  build-sqlite:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build Docker image sqlite
-        run: make build-sqlite
+        run: make dev-build-sqlite
  build-postgres:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build Docker image pg
-        run: make build-pg
+        run: make dev-build-pg
--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,6 @@ dynamic/
 scratch/
 tsconfig.json
 hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
 server/setup/migrations.ts
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-25
+24
--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1,12 @@
 .github/
 bruno/
 cli/
 config/
 messages/
 next.config.mjs/
 public/
 tailwind.config.js/
 test/
 **/*.yml
 **/*.yaml
 **/*.md
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,3 @@
 {
    "recommendations": ["esbenp.prettier-vscode"]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,22 @@
 {
    "editor.codeActionsOnSave": {
        "source.addMissingImports.ts": "always"
    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "[jsonc]": {
        "editor.defaultFormatter": "vscode.json-language-features"
    },
    "[javascript]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[typescript]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[typescriptreact]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[json]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "editor.formatOnSave": true
 }
--- a/107
+++ b/107
@@ -1,70 +1,91 @@
-FROM node:25-alpine AS builder
+FROM node:24-slim AS base
 WORKDIR /app
-ARG BUILD=oss
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
 ARG DATABASE=sqlite
 RUN apk add --no-cache curl tzdata python3 make g++
 # COPY package.json package-lock.json ./
 COPY package*.json ./
 FROM base AS builder-dev
 RUN npm ci
 COPY . .
-RUN echo "export * from \"./$DATABASE\";" > server/db/index.ts
+ARG BUILD=oss
-RUN echo "export const driver: \"pg\" | \"sqlite\" = \"$DATABASE\";" >> server/db/index.ts
+ARG DATABASE=sqlite
-RUN echo "export const build = \"$BUILD\" as \"saas\" | \"enterprise\" | \"oss\";" > server/build.ts
+RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi && \
    npm run set:$DATABASE && \
    npm run set:$BUILD && \
    npm run db:generate && \
    npm run build && \
    npm run build:cli && \
    test -f dist/server.mjs
-# Copy the appropriate TypeScript configuration based on build type
+# Create placeholder files for MaxMind databases to avoid COPY errors
-RUN if [ "$BUILD" = "oss" ]; then cp tsconfig.oss.json tsconfig.json; \
+# Real files should be present for saas builds, placeholders for oss builds
-    elif [ "$BUILD" = "saas" ]; then cp tsconfig.saas.json tsconfig.json; \
+RUN touch /app/GeoLite2-Country.mmdb /app/GeoLite2-ASN.mmdb
    elif [ "$BUILD" = "enterprise" ]; then cp tsconfig.enterprise.json tsconfig.json; \
    fi
-# if the build is oss then remove the server/private directory
+FROM base AS builder
 RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi
-RUN if [ "$DATABASE" = "pg" ]; then npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema --out init; else npx drizzle-kit generate --dialect $DATABASE --schema ./server/db/$DATABASE/schema --out init; fi
+RUN npm ci --omit=dev
-RUN mkdir -p dist
+FROM node:24-slim AS runner
 RUN npm run next:build
 RUN node esbuild.mjs -e server/index.ts -o dist/server.mjs -b $BUILD
 RUN if [ "$DATABASE" = "pg" ]; then \
    node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs; \
    else \
    node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs; \
    fi
 # test to make sure the build output is there and error if not
 RUN test -f dist/server.mjs
 RUN npm run build:cli
 FROM node:25-alpine AS runner
 WORKDIR /app
-# Curl used for the health checks
+RUN apt-get update && apt-get install -y curl tzdata && rm -rf /var/lib/apt/lists/*
 # Python and build tools needed for better-sqlite3 native compilation
 RUN apk add --no-cache curl tzdata python3 make g++
-# COPY package.json package-lock.json ./
+COPY --from=builder /app/node_modules ./node_modules
-COPY package*.json ./
+COPY --from=builder /app/package.json ./package.json
-RUN npm ci --omit=dev && npm cache clean --force
+COPY --from=builder-dev /app/.next/standalone ./
-
+COPY --from=builder-dev /app/.next/static ./.next/static
-COPY --from=builder /app/.next/standalone ./
+COPY --from=builder-dev /app/dist ./dist
-COPY --from=builder /app/.next/static ./.next/static
+COPY --from=builder-dev /app/server/migrations ./dist/init
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
 COPY ./cli/wrapper.sh /usr/local/bin/pangctl
 RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
 COPY server/db/names.json ./dist/names.json
 COPY server/db/ios_models.json ./dist/ios_models.json
 COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public
 # Copy MaxMind databases for SaaS builds
 ARG BUILD=oss
 RUN mkdir -p ./maxmind
 # Copy MaxMind databases (placeholders exist for oss builds, real files for saas)
 COPY --from=builder-dev /app/GeoLite2-Country.mmdb ./maxmind/GeoLite2-Country.mmdb
 COPY --from=builder-dev /app/GeoLite2-ASN.mmdb ./maxmind/GeoLite2-ASN.mmdb
 # Remove MaxMind databases for non-saas builds (keep only for saas)
 RUN if [ "$BUILD" != "saas" ]; then rm -rf ./maxmind; fi
 # OCI Image Labels - Build Args for dynamic values
 ARG VERSION="dev"
 ARG REVISION=""
 ARG CREATED=""
 ARG LICENSE="AGPL-3.0"
 # Derive title and description based on BUILD type
 ARG IMAGE_TITLE="Pangolin"
 ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
 # OCI Image Labels
 # https://github.com/opencontainers/image-spec/blob/main/annotations.md
 LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
      org.opencontainers.image.url="https://github.com/fosrl/pangolin" \
      org.opencontainers.image.documentation="https://docs.pangolin.net" \
      org.opencontainers.image.vendor="Fossorial" \
      org.opencontainers.image.licenses="${LICENSE}" \
      org.opencontainers.image.title="${IMAGE_TITLE}" \
      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
      org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.revision="${REVISION}" \
      org.opencontainers.image.created="${CREATED}"
 CMD ["npm", "run", "start"]
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,7 +1,9 @@
-FROM node:22-alpine
+FROM node:24-alpine
 WORKDIR /app
 RUN apk add --no-cache python3 make g++
 COPY package*.json ./
 # Install dependencies
--- a/454
+++ b/454
@@ -1,8 +1,32 @@
-.PHONY: build build-pg build-release build-arm build-x86 test clean
+.PHONY: build build-pg build-release build-release-arm build-release-amd create-manifests build-arm build-x86 test clean
 major_tag := $(shell echo $(tag) | cut -d. -f1)
 minor_tag := $(shell echo $(tag) | cut -d. -f1,2)
-build-release:
+
 # OCI label variables
 CREATED := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 REVISION := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
 # Common OCI build args for OSS builds
 OCI_ARGS_OSS = --build-arg VERSION=$(tag) \
 	--build-arg REVISION=$(REVISION) \
 	--build-arg CREATED=$(CREATED) \
 	--build-arg IMAGE_TITLE="Pangolin" \
 	--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
 # Common OCI build args for Enterprise builds
 OCI_ARGS_EE = --build-arg VERSION=$(tag) \
 	--build-arg REVISION=$(REVISION) \
 	--build-arg CREATED=$(CREATED) \
 	--build-arg LICENSE="Fossorial Commercial" \
 	--build-arg IMAGE_TITLE="Pangolin EE" \
 	--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere"
 .PHONY: build-release build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
 build-release: build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
 build-sqlite:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
@@ -10,33 +34,55 @@ build-release:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$(major_tag) \
 		--tag fosrl/pangolin:$(minor_tag) \
 		--tag fosrl/pangolin:$(tag) \
 		--push .
 build-postgresql:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$(major_tag) \
 		--tag fosrl/pangolin:postgresql-$(minor_tag) \
 		--tag fosrl/pangolin:postgresql-$(tag) \
 		--push .
 build-ee-sqlite:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$(major_tag) \
 		--tag fosrl/pangolin:ee-$(minor_tag) \
 		--tag fosrl/pangolin:ee-$(tag) \
 		--push .
 build-ee-postgresql:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
@@ -44,47 +90,431 @@ build-release:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
-build-rc:
+build-saas:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	docker buildx build \
 		--build-arg BUILD=saas \
 		--build-arg DATABASE=pg \
 		--platform linux/arm64 \
 		--tag $(AWS_IMAGE):$(tag) \
 		--push .
 build-release-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \
 		exit 1; \
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
 	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:latest-arm64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-arm64 \
 		--tag fosrl/pangolin:$$MINOR_TAG-arm64 \
 		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-latest-arm64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-arm64 \
 		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-arm64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-latest-arm64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-arm64 \
 		--tag fosrl/pangolin:ee-$$MINOR_TAG-arm64 \
 		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .
 build-release-amd:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-amd tag=<tag>"; \
 		exit 1; \
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
 	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:latest-amd64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest-amd64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-latest-amd64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
 		--push .
 create-manifests:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make create-manifests tag=<tag>"; \
 		exit 1; \
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
 	echo "Creating multi-arch manifests for sqlite (oss)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$$MAJOR_TAG \
 		--tag fosrl/pangolin:$$MINOR_TAG \
 		--tag fosrl/pangolin:$(tag) \
 		fosrl/pangolin:latest-arm64 \
 		fosrl/pangolin:latest-amd64 && \
 	echo "Creating multi-arch manifests for postgresql (oss)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG \
 		--tag fosrl/pangolin:postgresql-$$MINOR_TAG \
 		--tag fosrl/pangolin:postgresql-$(tag) \
 		fosrl/pangolin:postgresql-latest-arm64 \
 		fosrl/pangolin:postgresql-latest-amd64 && \
 	echo "Creating multi-arch manifests for sqlite (enterprise)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG \
 		--tag fosrl/pangolin:ee-$$MINOR_TAG \
 		--tag fosrl/pangolin:ee-$(tag) \
 		fosrl/pangolin:ee-latest-arm64 \
 		fosrl/pangolin:ee-latest-amd64 && \
 	echo "Creating multi-arch manifests for postgresql (enterprise)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG \
 		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		fosrl/pangolin:ee-postgresql-latest-arm64 \
 		fosrl/pangolin:ee-postgresql-latest-amd64 && \
 	echo "All multi-arch manifests created successfully!"
 build-rc:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
 build-rc-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-rc-arm tag=<tag>"; \
 		exit 1; \
 	fi
 	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .
 build-rc-amd:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-rc-amd tag=<tag>"; \
 		exit 1; \
 	fi
 	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=$(tag) \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg LICENSE="Fossorial Commercial" \
 		--build-arg IMAGE_TITLE="Pangolin EE" \
 		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
 		--push .
 create-manifests-rc:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make create-manifests-rc tag=<tag>"; \
 		exit 1; \
 	fi
 	@echo "Creating multi-arch manifests for RC sqlite (oss)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:$(tag) \
 		fosrl/pangolin:$(tag)-arm64 \
 		fosrl/pangolin:$(tag)-amd64 && \
 	echo "Creating multi-arch manifests for RC postgresql (oss)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:postgresql-$(tag) \
 		fosrl/pangolin:postgresql-$(tag)-arm64 \
 		fosrl/pangolin:postgresql-$(tag)-amd64 && \
 	echo "Creating multi-arch manifests for RC sqlite (enterprise)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-$(tag) \
 		fosrl/pangolin:ee-$(tag)-arm64 \
 		fosrl/pangolin:ee-$(tag)-amd64 && \
 	echo "Creating multi-arch manifests for RC postgresql (enterprise)..." && \
 	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		fosrl/pangolin:ee-postgresql-$(tag)-amd64 && \
 	echo "All RC multi-arch manifests created successfully!"
 build-arm:
-	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		-t fosrl/pangolin:latest .
 build-x86:
-	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		-t fosrl/pangolin:latest .
-build-sqlite:
+dev-build-sqlite:
-	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker build \
 		--build-arg DATABASE=sqlite \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		-t fosrl/pangolin:latest .
-build-pg:
+dev-build-pg:
-	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
 	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker build \
 		--build-arg DATABASE=pg \
 		--build-arg VERSION=dev \
 		--build-arg REVISION=$$REVISION \
 		--build-arg CREATED=$$CREATED \
 		--build-arg IMAGE_TITLE="Pangolin" \
 		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		-t fosrl/pangolin:postgresql-latest .
 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest
--- a/README.md
+++ b/README.md
@@ -31,17 +31,23 @@
 [![Slack](https://img.shields.io/badge/chat-slack-yellow?style=flat-square&logo=slack)](https://pangolin.net/slack)
 [![Docker](https://img.shields.io/docker/pulls/fosrl/pangolin?style=flat-square)](https://hub.docker.com/r/fosrl/pangolin)
 ![Stars](https://img.shields.io/github/stars/fosrl/pangolin?style=flat-square)
-[![YouTube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@fossorial-app)
+[![YouTube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@pangolin-net)
 </div>
 <p align="center">
    <a href="https://docs.pangolin.net/careers/join-us">
        <img src="https://img.shields.io/badge/🚀_We're_Hiring!-Join_Our_Team-brightgreen?style=for-the-badge" alt="We're Hiring!" />
    </a>
 </p>
 <p align="center">
    <strong>
        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
    </strong>
 </p>
-Pangolin is a self-hosted tunneled reverse proxy server with identity and context aware access control, designed to easily expose and protect applications running anywhere. Pangolin acts as a central hub and connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports or requiring a VPN.
+Pangolin is an open-source, identity-based remote access platform built on WireGuard that enables secure, seamless connectivity to private and public resources. Pangolin combines reverse proxy and VPN capabilities into one platform, providing browser-based access to web applications and client-based access to any private resources, all with zero-trust security and granular access control.
 ## Installation
@@ -60,14 +66,22 @@ Pangolin is a self-hosted tunneled reverse proxy server with identity and contex
 ## Key Features
 Pangolin packages everything you need for seamless application access and exposure into one cohesive platform.
 | <img width=500 />                                                                                                                                                                                                                                                                                                                                                                | <img width=500 />                                                  |
 |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
-| **Manage applications in one place**<br /><br /> Pangolin provides a unified dashboard where you can monitor, configure, and secure all of your services regardless of where they are hosted.                                                                                                                                                                                    | <img src="public/screenshots/hero.png" width=500 /><tr></tr> |
+| **Connect remote networks with sites**<br /><br />Pangolin's lightweight site connectors create secure tunnels from remote networks without requiring public IP addresses or open ports. Sites make any network anywhere available for authorized access.                                                                                                                                                                                   | <img src="public/screenshots/sites.png" width=500 /><tr></tr>               |
-| **Reverse proxy across networks anywhere**<br /><br />Route traffic via tunnels to any private network. Pangolin works like a reverse proxy that spans multiple networks and handles routing, load balancing, health checking, and more to the right services on the other end.                                                                                                  | <img src="public/screenshots/sites.png" width=500 /><tr></tr>          |
+| **Browser-based reverse proxy access**<br /><br />Expose web applications through identity and context-aware tunneled reverse proxies. Pangolin handles routing, load balancing, health checking, and automatic SSL certificates without exposing your network directly to the internet. Users access applications through any web browser with authentication and granular access control.                                                                                                  | <img src="public/clip.gif" width=500 /><tr></tr>          |
-| **Enforce identity and context aware rules**<br /><br />Protect your applications with identity and context aware rules such as SSO, OIDC, PIN, password, temporary share links, geolocation, IP, and more.                                                                                                                                                                                                | <img src="public/auth-diagram1.png" width=500 /><tr></tr>               |
+| **Client-based private resource access**<br /><br />Access private resources like SSH servers, databases, RDP, and entire network ranges through Pangolin clients. Intelligent NAT traversal enables connections even through restrictive firewalls, while DNS aliases provide friendly names and fast connections to resources across all your sites.                                                                                                                                                                                                | <img src="public/screenshots/private-resources.png" width=500 /><tr></tr>               |
-| **Quickly connect Pangolin sites**<br /><br />Pangolin's lightweight [Newt](https://github.com/fosrl/newt) client runs in userspace and can run anywhere. Use it as a site connector to route traffic to backends across all of your environments.                                                                                                                                                                                   | <img src="public/clip.gif" width=500 /><tr></tr>               |
+| **Zero-trust granular access**<br /><br />Grant users access to specific resources, not entire networks. Unlike traditional VPNs that expose full network access, Pangolin's zero-trust model ensures users can only reach the applications and services you explicitly define, reducing security risk and attack surface.                                                                                                                                                                                    | <img src="public/screenshots/user-devices.png" width=500 /><tr></tr> |
 ## Download Clients
 Download the Pangolin client for your platform:
 - [Mac](https://pangolin.net/downloads/mac)
 - [Windows](https://pangolin.net/downloads/windows)
 - [Linux](https://pangolin.net/downloads/linux)
 - [iOS](https://pangolin.net/downloads/ios)
 - [Android](https://pangolin.net/downloads/android)
 ## Get Started
--- a/blueprint.py
+++ b/blueprint.py
@@ -1,72 +0,0 @@
 import requests
 import yaml
 import json
 import base64
 # The file path for the YAML file to be read
 # You can change this to the path of your YAML file
 YAML_FILE_PATH = 'blueprint.yaml'
 # The API endpoint and headers from the curl request
 API_URL = 'http://api.pangolin.net/v1/org/test/blueprint'
 HEADERS = {
    'accept': '*/*',
    'Authorization': 'Bearer <your_token_here>',
    'Content-Type': 'application/json'
 }
 def convert_and_send(file_path, url, headers):
    """
    Reads a YAML file, converts its content to a JSON payload,
    and sends it via a PUT request to a specified URL.
    """
    try:
        # Read the YAML file content
        with open(file_path, 'r') as file:
            yaml_content = file.read()
        # Parse the YAML string to a Python dictionary
        # This will be used to ensure the YAML is valid before sending
        parsed_yaml = yaml.safe_load(yaml_content)
        # convert the parsed YAML to a JSON string
        json_payload = json.dumps(parsed_yaml)
        print("Converted JSON payload:")
        print(json_payload)
        # Encode the JSON string to Base64
        encoded_json = base64.b64encode(json_payload.encode('utf-8')).decode('utf-8')
        # Create the final payload with the base64 encoded data
        final_payload = {
            "blueprint": encoded_json
        }
        print("Sending the following Base64 encoded JSON payload:")
        print(final_payload)
        print("-" * 20)
        # Make the PUT request with the base64 encoded payload
        response = requests.put(url, headers=headers, json=final_payload)
        # Print the API response for debugging
        print(f"API Response Status Code: {response.status_code}")
        print("API Response Content:")
        print(response.text)
        # Raise an exception for bad status codes (4xx or 5xx)
        response.raise_for_status()
    except FileNotFoundError:
        print(f"Error: The file '{file_path}' was not found.")
    except yaml.YAMLError as e:
        print(f"Error parsing YAML file: {e}")
    except requests.exceptions.RequestException as e:
        print(f"An error occurred during the API request: {e}")
    except Exception as e:
        print(f"An unexpected error occurred: {e}")
 # Run the function
 if __name__ == "__main__":
    convert_and_send(YAML_FILE_PATH, API_URL, HEADERS)
--- a/blueprint.yaml
+++ b/blueprint.yaml
@@ -1,70 +0,0 @@
 client-resources:
  client-resource-nice-id-uno:
    name: this is my resource
    protocol: tcp
    proxy-port: 3001
    hostname: localhost
    internal-port: 3000
    site: lively-yosemite-toad
  client-resource-nice-id-duce:
    name: this is my resource
    protocol: udp
    proxy-port: 3000
    hostname: localhost
    internal-port: 3000
    site: lively-yosemite-toad
 proxy-resources:
  resource-nice-id-uno:
    name: this is my resource
    protocol: http
    full-domain: duce.test.example.com
    host-header: example.com
    tls-server-name: example.com
    # auth:
      # pincode: 123456
      # password: sadfasdfadsf
      # sso-enabled: true
      # sso-roles:
      #   - Member
      # sso-users:
      #   - owen@pangolin.net
      # whitelist-users:
      #   - owen@pangolin.net
      # auto-login-idp: 1
    headers:
      - name: X-Example-Header
        value: example-value
      - name: X-Another-Header
        value: another-value
    rules:
      - action: allow
        match: ip
        value: 1.1.1.1
      - action: deny
        match: cidr 
        value: 2.2.2.2/32
      - action: pass
        match: path
        value: /admin
    targets:
    - site: lively-yosemite-toad
      path: /path
      pathMatchType: prefix
      hostname: localhost
      method: http
      port: 8000
    - site: slim-alpine-chipmunk
      hostname: localhost
      path: /yoman
      pathMatchType: exact
      method: http
      port: 8001
  resource-nice-id-duce:
    name: this is other resource
    protocol: tcp
    proxy-port: 3000
    targets:
    - site: lively-yosemite-toad 
      hostname: localhost
      port: 3000
--- a/cli/commands/clearExitNodes.ts
+++ b/cli/commands/clearExitNodes.ts
@@ -0,0 +1,36 @@
 import { CommandModule } from "yargs";
 import { db, exitNodes } from "@server/db";
 import { eq } from "drizzle-orm";
 type ClearExitNodesArgs = { };
 export const clearExitNodes: CommandModule<
    {},
    ClearExitNodesArgs
 > = {
    command: "clear-exit-nodes",
    describe:
        "Clear all exit nodes from the database",
    // no args
    builder: (yargs) => {
        return yargs;
    },
    handler: async (argv: {}) => {
        try {
            console.log(`Clearing all exit nodes from the database`);
            // Delete all exit nodes
            const deletedCount = await db
                .delete(exitNodes)
                .where(eq(exitNodes.exitNodeId, exitNodes.exitNodeId))  .returning();; // delete all
            console.log(`Deleted ${deletedCount.length} exit node(s) from the database`);
            process.exit(0);
        } catch (error) {
            console.error("Error:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/clearLicenseKeys.ts
+++ b/cli/commands/clearLicenseKeys.ts
@@ -0,0 +1,36 @@
 import { CommandModule } from "yargs";
 import { db, licenseKey } from "@server/db";
 import { eq } from "drizzle-orm";
 type ClearLicenseKeysArgs = { };
 export const clearLicenseKeys: CommandModule<
    {},
    ClearLicenseKeysArgs
 > = {
    command: "clear-license-keys",
    describe:
        "Clear all license keys from the database",
    // no args
    builder: (yargs) => {
        return yargs;
    },
    handler: async (argv: {}) => {
        try {
            console.log(`Clearing all license keys from the database`);
            // Delete all license keys
            const deletedCount = await db
                .delete(licenseKey)
                .where(eq(licenseKey.licenseKeyId, licenseKey.licenseKeyId))  .returning();; // delete all
            console.log(`Deleted ${deletedCount.length} license key(s) from the database`);
            process.exit(0);
        } catch (error) {
            console.error("Error:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/deleteClient.ts
+++ b/cli/commands/deleteClient.ts
@@ -0,0 +1,123 @@
 import { CommandModule } from "yargs";
 import { db, clients, olms, currentFingerprint, userClients, approvals } from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 type DeleteClientArgs = {
    orgId: string;
    niceId: string;
 };
 export const deleteClient: CommandModule<{}, DeleteClientArgs> = {
    command: "delete-client",
    describe:
        "Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved.",
    builder: (yargs) => {
        return yargs
            .option("orgId", {
                type: "string",
                demandOption: true,
                describe: "The organization ID"
            })
            .option("niceId", {
                type: "string",
                demandOption: true,
                describe: "The client niceId (identifier)"
            });
    },
    handler: async (argv: { orgId: string; niceId: string }) => {
        try {
            const { orgId, niceId } = argv;
            console.log(
                `Deleting client with orgId: ${orgId}, niceId: ${niceId}...`
            );
            // Find the client
            const [client] = await db
                .select()
                .from(clients)
                .where(and(eq(clients.orgId, orgId), eq(clients.niceId, niceId)))
                .limit(1);
            if (!client) {
                console.error(
                    `Error: Client with orgId "${orgId}" and niceId "${niceId}" not found.`
                );
                process.exit(1);
            }
            const clientId = client.clientId;
            console.log(`Found client with clientId: ${clientId}`);
            // Find all OLMs associated with this client
            const associatedOlms = await db
                .select()
                .from(olms)
                .where(eq(olms.clientId, clientId));
            console.log(`Found ${associatedOlms.length} OLM(s) associated with this client`);
            // Delete in a transaction to ensure atomicity
            await db.transaction(async (trx) => {
                // Delete currentFingerprint entries for the associated OLMs
                // Note: We delete these explicitly before deleting OLMs to ensure
                // we have control, even though cascade would handle it
                let fingerprintCount = 0;
                if (associatedOlms.length > 0) {
                    const olmIds = associatedOlms.map((olm) => olm.olmId);
                    const deletedFingerprints = await trx
                        .delete(currentFingerprint)
                        .where(inArray(currentFingerprint.olmId, olmIds))
                        .returning();
                    fingerprintCount = deletedFingerprints.length;
                }
                console.log(`Deleted ${fingerprintCount} current fingerprint(s)`);
                // Delete OLMs
                // Note: OLMs have onDelete: "set null" for clientId, so we need to delete them explicitly
                const deletedOlms = await trx
                    .delete(olms)
                    .where(eq(olms.clientId, clientId))
                    .returning();
                console.log(`Deleted ${deletedOlms.length} OLM(s)`);
                // Delete approvals
                // Note: Approvals have onDelete: "cascade" but we delete explicitly for clarity
                const deletedApprovals = await trx
                    .delete(approvals)
                    .where(eq(approvals.clientId, clientId))
                    .returning();
                console.log(`Deleted ${deletedApprovals.length} approval(s)`);
                // Delete userClients
                // Note: userClients have onDelete: "cascade" but we delete explicitly for clarity
                const deletedUserClients = await trx
                    .delete(userClients)
                    .where(eq(userClients.clientId, clientId))
                    .returning();
                console.log(`Deleted ${deletedUserClients.length} userClient association(s)`);
                // Finally, delete the client itself
                const deletedClients = await trx
                    .delete(clients)
                    .where(eq(clients.clientId, clientId))
                    .returning();
                console.log(`Deleted client: ${deletedClients[0]?.name || niceId}`);
            });
            console.log("\nClient deletion completed successfully!");
            console.log("\nSummary:");
            console.log(`  - Client: ${niceId} (clientId: ${clientId})`);
            console.log(`  - Olm(s): ${associatedOlms.length}`);
            console.log(`  - Current fingerprints: deleted`);
            console.log(`  - Approvals: deleted`);
            console.log(`  - UserClients: deleted`);
            console.log(`  - Snapshots: preserved (not deleted)`);
            process.exit(0);
        } catch (error) {
            console.error("Error deleting client:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/generateOrgCaKeys.ts
+++ b/cli/commands/generateOrgCaKeys.ts
@@ -0,0 +1,121 @@
 import { CommandModule } from "yargs";
 import { db, orgs } from "@server/db";
 import { eq } from "drizzle-orm";
 import { encrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
 import { generateCA } from "@server/lib/sshCA";
 import fs from "fs";
 import yaml from "js-yaml";
 type GenerateOrgCaKeysArgs = {
    orgId: string;
    secret?: string;
    force?: boolean;
 };
 export const generateOrgCaKeys: CommandModule<{}, GenerateOrgCaKeysArgs> = {
    command: "generate-org-ca-keys",
    describe:
        "Generate SSH CA public/private key pair for an organization and store them in the database (private key encrypted with server secret)",
    builder: (yargs) => {
        return yargs
            .option("orgId", {
                type: "string",
                demandOption: true,
                describe: "The organization ID"
            })
            .option("secret", {
                type: "string",
                describe:
                    "Server secret used to encrypt the CA private key. If omitted, read from config file (config.yml or config.yaml)."
            })
            .option("force", {
                type: "boolean",
                default: false,
                describe:
                    "Overwrite existing CA keys for the org if they already exist"
            });
    },
    handler: async (argv: {
        orgId: string;
        secret?: string;
        force?: boolean;
    }) => {
        try {
            const { orgId, force } = argv;
            let secret = argv.secret;
            if (!secret) {
                const configPath = fs.existsSync(configFilePath1)
                    ? configFilePath1
                    : fs.existsSync(configFilePath2)
                      ? configFilePath2
                      : null;
                if (!configPath) {
                    console.error(
                        "Error: No server secret provided and config file not found. " +
                            "Expected config.yml or config.yaml in the config directory, or pass --secret."
                    );
                    process.exit(1);
                }
                const configContent = fs.readFileSync(configPath, "utf8");
                const config = yaml.load(configContent) as {
                    server?: { secret?: string };
                };
                if (!config?.server?.secret) {
                    console.error(
                        "Error: No server.secret in config file. Pass --secret or set server.secret in config."
                    );
                    process.exit(1);
                }
                secret = config.server.secret;
            }
            const [org] = await db
                .select({
                    orgId: orgs.orgId,
                    sshCaPrivateKey: orgs.sshCaPrivateKey,
                    sshCaPublicKey: orgs.sshCaPublicKey
                })
                .from(orgs)
                .where(eq(orgs.orgId, orgId))
                .limit(1);
            if (!org) {
                console.error(`Error: Organization with orgId "${orgId}" not found.`);
                process.exit(1);
            }
            if (org.sshCaPrivateKey != null || org.sshCaPublicKey != null) {
                if (!force) {
                    console.error(
                        "Error: This organization already has CA keys. Use --force to overwrite."
                    );
                    process.exit(1);
                }
            }
            const ca = generateCA(`pangolin-ssh-ca-${orgId}`);
            const encryptedPrivateKey = encrypt(ca.privateKeyPem, secret);
            await db
                .update(orgs)
                .set({
                    sshCaPrivateKey: encryptedPrivateKey,
                    sshCaPublicKey: ca.publicKeyOpenSSH
                })
                .where(eq(orgs.orgId, orgId));
            console.log("SSH CA keys generated and stored for org:", orgId);
            console.log("\nPublic key (OpenSSH format):");
            console.log(ca.publicKeyOpenSSH);
            process.exit(0);
        } catch (error) {
            console.error("Error generating org CA keys:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/rotateServerSecret.ts
+++ b/cli/commands/rotateServerSecret.ts
@@ -0,0 +1,284 @@
 import { CommandModule } from "yargs";
 import { db, idpOidcConfig, licenseKey } from "@server/db";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
 import { eq } from "drizzle-orm";
 import fs from "fs";
 import yaml from "js-yaml";
 type RotateServerSecretArgs = {
    "old-secret": string;
    "new-secret": string;
    force?: boolean;
 };
 export const rotateServerSecret: CommandModule<
    {},
    RotateServerSecretArgs
 > = {
    command: "rotate-server-secret",
    describe:
        "Rotate the server secret by decrypting all encrypted values with the old secret and re-encrypting with a new secret",
    builder: (yargs) => {
        return yargs
            .option("old-secret", {
                type: "string",
                demandOption: true,
                describe: "The current server secret (for verification)"
            })
            .option("new-secret", {
                type: "string",
                demandOption: true,
                describe: "The new server secret to use"
            })
            .option("force", {
                type: "boolean",
                default: false,
                describe:
                    "Force rotation even if the old secret doesn't match the config file. " +
                    "Use this if you know the old secret is correct but the config file is out of sync. " +
                    "WARNING: This will attempt to decrypt all values with the provided old secret. " +
                    "If the old secret is incorrect, the rotation will fail or corrupt data."
            });
    },
    handler: async (argv: {
        "old-secret": string;
        "new-secret": string;
        force?: boolean;
    }) => {
        try {
            // Determine which config file exists
            const configPath = fs.existsSync(configFilePath1)
                ? configFilePath1
                : fs.existsSync(configFilePath2)
                  ? configFilePath2
                  : null;
            if (!configPath) {
                console.error(
                    "Error: Config file not found. Expected config.yml or config.yaml in the config directory."
                );
                process.exit(1);
            }
            // Read current config
            const configContent = fs.readFileSync(configPath, "utf8");
            const config = yaml.load(configContent) as any;
            if (!config?.server?.secret) {
                console.error(
                    "Error: No server secret found in config file. Cannot rotate."
                );
                process.exit(1);
            }
            const configSecret = config.server.secret;
            const oldSecret = argv["old-secret"];
            const newSecret = argv["new-secret"];
            const force = argv.force || false;
            // Verify that the provided old secret matches the one in config
            if (configSecret !== oldSecret) {
                if (!force) {
                    console.error(
                        "Error: The provided old secret does not match the secret in the config file."
                    );
                    console.error(
                        "\nIf you are certain the old secret is correct and the config file is out of sync,"
                    );
                    console.error(
                        "you can use the --force flag to bypass this check."
                    );
                    console.error(
                        "\nWARNING: Using --force with an incorrect old secret will cause the rotation to fail"
                    );
                    console.error(
                        "or corrupt encrypted data. Only use --force if you are absolutely certain."
                    );
                    process.exit(1);
                } else {
                    console.warn(
                        "\nWARNING: Using --force flag. Bypassing old secret verification."
                    );
                    console.warn(
                        "The provided old secret does not match the config file, but proceeding anyway."
                    );
                    console.warn(
                        "If the old secret is incorrect, this operation will fail or corrupt data.\n"
                    );
                }
            }
            // Validate new secret
            if (newSecret.length < 8) {
                console.error(
                    "Error: New secret must be at least 8 characters long"
                );
                process.exit(1);
            }
            if (oldSecret === newSecret) {
                console.error("Error: New secret must be different from old secret");
                process.exit(1);
            }
            console.log("Starting server secret rotation...");
            console.log("This will decrypt and re-encrypt all encrypted values in the database.");
            // Read all data first
            console.log("\nReading encrypted data from database...");
            const idpConfigs = await db.select().from(idpOidcConfig);
            const licenseKeys = await db.select().from(licenseKey);
            console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
            console.log(`Found ${licenseKeys.length} license key(s)`);
            // Prepare all decrypted and re-encrypted values
            console.log("\nDecrypting and re-encrypting values...");
            type IdpUpdate = {
                idpOauthConfigId: number;
                encryptedClientId: string;
                encryptedClientSecret: string;
            };
            type LicenseKeyUpdate = {
                oldLicenseKeyId: string;
                newLicenseKeyId: string;
                encryptedToken: string;
                encryptedInstanceId: string;
            };
            const idpUpdates: IdpUpdate[] = [];
            const licenseKeyUpdates: LicenseKeyUpdate[] = [];
            // Process idpOidcConfig entries
            for (const idpConfig of idpConfigs) {
                try {
                    // Decrypt with old secret
                    const decryptedClientId = decrypt(idpConfig.clientId, oldSecret);
                    const decryptedClientSecret = decrypt(
                        idpConfig.clientSecret,
                        oldSecret
                    );
                    // Re-encrypt with new secret
                    const encryptedClientId = encrypt(decryptedClientId, newSecret);
                    const encryptedClientSecret = encrypt(
                        decryptedClientSecret,
                        newSecret
                    );
                    idpUpdates.push({
                        idpOauthConfigId: idpConfig.idpOauthConfigId,
                        encryptedClientId,
                        encryptedClientSecret
                    });
                } catch (error) {
                    console.error(
                        `Error processing IdP config ${idpConfig.idpOauthConfigId}:`,
                        error
                    );
                    throw error;
                }
            }
            // Process licenseKey entries
            for (const key of licenseKeys) {
                try {
                    // Decrypt with old secret
                    const decryptedLicenseKeyId = decrypt(key.licenseKeyId, oldSecret);
                    const decryptedToken = decrypt(key.token, oldSecret);
                    const decryptedInstanceId = decrypt(key.instanceId, oldSecret);
                    // Re-encrypt with new secret
                    const encryptedLicenseKeyId = encrypt(
                        decryptedLicenseKeyId,
                        newSecret
                    );
                    const encryptedToken = encrypt(decryptedToken, newSecret);
                    const encryptedInstanceId = encrypt(
                        decryptedInstanceId,
                        newSecret
                    );
                    licenseKeyUpdates.push({
                        oldLicenseKeyId: key.licenseKeyId,
                        newLicenseKeyId: encryptedLicenseKeyId,
                        encryptedToken,
                        encryptedInstanceId
                    });
                } catch (error) {
                    console.error(
                        `Error processing license key ${key.licenseKeyId}:`,
                        error
                    );
                    throw error;
                }
            }
            // Perform all database updates in a single transaction
            console.log("\nUpdating database in transaction...");
            await db.transaction(async (trx) => {
                // Update idpOidcConfig entries
                for (const update of idpUpdates) {
                    await trx
                        .update(idpOidcConfig)
                        .set({
                            clientId: update.encryptedClientId,
                            clientSecret: update.encryptedClientSecret
                        })
                        .where(
                            eq(
                                idpOidcConfig.idpOauthConfigId,
                                update.idpOauthConfigId
                            )
                        );
                }
                // Update licenseKey entries (delete old, insert new)
                for (const update of licenseKeyUpdates) {
                    // Delete old entry
                    await trx
                        .delete(licenseKey)
                        .where(eq(licenseKey.licenseKeyId, update.oldLicenseKeyId));
                    // Insert new entry with re-encrypted values
                    await trx.insert(licenseKey).values({
                        licenseKeyId: update.newLicenseKeyId,
                        token: update.encryptedToken,
                        instanceId: update.encryptedInstanceId
                    });
                }
            });
            console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
            console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
            // Update config file with new secret
            console.log("\nUpdating config file...");
            config.server.secret = newSecret;
            const newConfigContent = yaml.dump(config, {
                indent: 2,
                lineWidth: -1
            });
            fs.writeFileSync(configPath, newConfigContent, "utf8");
            console.log(`Updated config file: ${configPath}`);
            console.log("\nServer secret rotation completed successfully!");
            console.log(`\nSummary:`);
            console.log(`  - OIDC IdP configurations: ${idpUpdates.length}`);
            console.log(`  - License keys: ${licenseKeyUpdates.length}`);
            console.log(
                `\n  IMPORTANT: Restart the server for the new secret to take effect.`
            );
            process.exit(0);
        } catch (error) {
            console.error("Error rotating server secret:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -4,10 +4,20 @@ import yargs from "yargs";
 import { hideBin } from "yargs/helpers";
 import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
 import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
 import { clearExitNodes } from "./commands/clearExitNodes";
 import { rotateServerSecret } from "./commands/rotateServerSecret";
 import { clearLicenseKeys } from "./commands/clearLicenseKeys";
 import { deleteClient } from "./commands/deleteClient";
 import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
 yargs(hideBin(process.argv))
    .scriptName("pangctl")
    .command(setAdminCredentials)
    .command(resetUserSecurityKeys)
    .command(clearExitNodes)
    .command(rotateServerSecret)
    .command(clearLicenseKeys)
    .command(deleteClient)
    .command(generateOrgCaKeys)
    .demandCommand()
    .help().argv;
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -1,27 +1,30 @@
 # To see all available options, please visit the docs:
-# https://docs.pangolin.net/self-host/advanced/config-file
+# https://docs.pangolin.net/
 app:
  dashboard_url: http://localhost:3002
  log_level: debug
 domains:
  domain1:
    base_domain: example.com
 server:
  secret: my_secret_key
 gerbil:
-  base_endpoint: example.com
+    start_port: 51820
    base_endpoint: "{{.DashboardDomain}}"
-orgs:
+app:
-  block_size: 24
+    dashboard_url: "https://{{.DashboardDomain}}"
-  subnet_group: 100.90.137.0/20
+    log_level: "info"
    telemetry:
        anonymous_usage: true
 domains:
    domain1:
        base_domain: "{{.BaseDomain}}"
 server:
    secret: "{{.Secret}}"
    cors:
        origins: ["https://{{.DashboardDomain}}"]
        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
        allowed_headers: ["X-CSRF-Token", "Content-Type"]
        credentials: false
 flags:
-  require_email_verification: false
+    require_email_verification: false
-  disable_signup_without_invite: true
+    disable_signup_without_invite: true
-  disable_user_create_org: true
+    disable_user_create_org: false
-  allow_raw_resources: true
+    allow_raw_resources: true
  enable_integration_api: true
--- a/config/traefik/dynamic_config.yml
+++ b/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -13,14 +17,16 @@ http:
        - web
      middlewares:
        - redirect-to-https
        - badger
    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
-      rule: "Host(`{{.DashboardDomain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
      service: next-service
      priority: 10
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -28,9 +34,10 @@ http:
    api-router:
      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
      service: api-service
      priority: 100
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -44,3 +51,12 @@ http:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server
 tcp:
  serversTransports:
    pp-transport-v1:
      proxyProtocol:
        version: 1
    pp-transport-v2:
      proxyProtocol:
        version: 2
--- a/config/traefik/traefik_config.yml
+++ b/config/traefik/traefik_config.yml
@@ -3,32 +3,52 @@ api:
  dashboard: true
 providers:
  http:
    endpoint: "http://pangolin:3001/api/v1/traefik-config"
    pollInterval: "5s"
  file:
-    directory: "/var/dynamic"
+    filename: "/etc/traefik/dynamic_config.yml"
    watch: true
 experimental:
  plugins:
    badger:
      moduleName: "github.com/fosrl/badger"
-      version: "v1.2.0"
+      version: "{{.BadgerVersion}}"
 log:
-  level: "DEBUG"
+  level: "INFO"
  format: "common"
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true
 certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
      email: "{{.LetsEncryptEmail}}"
      storage: "/letsencrypt/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
 entryPoints:
  web:
    address: ":80"
  websecure:
-    address: ":9443"
+    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: "30m"
    http:
      tls:
        certResolver: "letsencrypt"
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true
 serversTransport:
  insecureSkipVerify: true
 ping:
  entryPoint: "web"
--- a/docker-compose.pgr.yml
+++ b/docker-compose.pgr.yml
@@ -7,8 +7,8 @@ services:
      POSTGRES_DB: postgres # Default database name
      POSTGRES_USER: postgres # Default user
      POSTGRES_PASSWORD: password # Default password (change for production!)
-    volumes:
+    # volumes:
-      - ./config/postgres:/var/lib/postgresql/data
+    #   - ./config/postgres:/var/lib/postgresql/data
    ports:
      - "5432:5432" # Map host port 5432 to container port 5432
    restart: no
--- a/drizzle.pg.config.ts
+++ b/drizzle.pg.config.ts
@@ -1,9 +1,7 @@
 import { defineConfig } from "drizzle-kit";
 import path from "path";
-const schema = [
+const schema = [path.join("server", "db", "pg", "schema")];
    path.join("server", "db", "pg", "schema"),
 ];
 export default defineConfig({
    dialect: "postgresql",
--- a/drizzle.sqlite.config.ts
+++ b/drizzle.sqlite.config.ts
@@ -2,9 +2,7 @@ import { APP_PATH } from "@server/lib/consts";
 import { defineConfig } from "drizzle-kit";
 import path from "path";
-const schema = [
+const schema = [path.join("server", "db", "sqlite", "schema")];
    path.join("server", "db", "sqlite", "schema"),
 ];
 export default defineConfig({
    dialect: "sqlite",
--- a/esbuild.mjs
+++ b/esbuild.mjs
@@ -6,6 +6,12 @@ import path from "path";
 import fs from "fs";
 // import { glob } from "glob";
 // Read default build type from server/build.ts
 let build = "oss";
 const buildFile = fs.readFileSync(path.resolve("server/build.ts"), "utf8");
 const m = buildFile.match(/export\s+const\s+build\s*=\s*["'](oss|saas|enterprise)["']/);
 if (m) build = m[1];
 const banner = `
 // patch __dirname
 // import { fileURLToPath } from "url";
@@ -24,20 +30,20 @@ const argv = yargs(hideBin(process.argv))
        alias: "e",
        describe: "Entry point file",
        type: "string",
-        demandOption: true,
+        demandOption: true
    })
    .option("out", {
        alias: "o",
        describe: "Output file path",
        type: "string",
-        demandOption: true,
+        demandOption: true
    })
    .option("build", {
        alias: "b",
        describe: "Build type (oss, saas, enterprise)",
        type: "string",
        choices: ["oss", "saas", "enterprise"],
-        default: "oss",
+        default: build
    })
    .help()
    .alias("help", "h").argv;
@@ -66,7 +72,9 @@ function privateImportGuardPlugin() {
                // Check if the importing file is NOT in server/private
                const normalizedImporter = path.normalize(importingFile);
-                const isInServerPrivate = normalizedImporter.includes(path.normalize("server/private"));
+                const isInServerPrivate = normalizedImporter.includes(
                    path.normalize("server/private")
                );
                if (!isInServerPrivate) {
                    const violation = {
@@ -79,8 +87,8 @@ function privateImportGuardPlugin() {
                    console.log(`PRIVATE IMPORT VIOLATION:`);
                    console.log(`   File: ${importingFile}`);
                    console.log(`   Import: ${args.path}`);
-                    console.log(`   Resolve dir: ${args.resolveDir || 'N/A'}`);
+                    console.log(`   Resolve dir: ${args.resolveDir || "N/A"}`);
-                    console.log('');
+                    console.log("");
                }
                // Return null to let the default resolver handle it
@@ -89,16 +97,20 @@ function privateImportGuardPlugin() {
            build.onEnd((result) => {
                if (violations.length > 0) {
-                    console.log(`\nSUMMARY: Found ${violations.length} private import violation(s):`);
+                    console.log(
                        `\nSUMMARY: Found ${violations.length} private import violation(s):`
                    );
                    violations.forEach((v, i) => {
-                        console.log(`   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`);
+                        console.log(
                            `   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`
                        );
                    });
-                    console.log('');
+                    console.log("");
                    result.errors.push({
                        text: `Private import violations detected: ${violations.length} violation(s) found`,
                        location: null,
-                        notes: violations.map(v => ({
+                        notes: violations.map((v) => ({
                            text: `${path.relative(process.cwd(), v.file)} imports ${v.importPath}`,
                            location: null
                        }))
@@ -121,7 +133,9 @@ function dynamicImportGuardPlugin() {
                // Check if the importing file is NOT in server/private
                const normalizedImporter = path.normalize(importingFile);
-                const isInServerPrivate = normalizedImporter.includes(path.normalize("server/private"));
+                const isInServerPrivate = normalizedImporter.includes(
                    path.normalize("server/private")
                );
                if (isInServerPrivate) {
                    const violation = {
@@ -134,8 +148,8 @@ function dynamicImportGuardPlugin() {
                    console.log(`DYNAMIC IMPORT VIOLATION:`);
                    console.log(`   File: ${importingFile}`);
                    console.log(`   Import: ${args.path}`);
-                    console.log(`   Resolve dir: ${args.resolveDir || 'N/A'}`);
+                    console.log(`   Resolve dir: ${args.resolveDir || "N/A"}`);
-                    console.log('');
+                    console.log("");
                }
                // Return null to let the default resolver handle it
@@ -144,16 +158,20 @@ function dynamicImportGuardPlugin() {
            build.onEnd((result) => {
                if (violations.length > 0) {
-                    console.log(`\nSUMMARY: Found ${violations.length} dynamic import violation(s):`);
+                    console.log(
                        `\nSUMMARY: Found ${violations.length} dynamic import violation(s):`
                    );
                    violations.forEach((v, i) => {
-                        console.log(`   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`);
+                        console.log(
                            `   ${i + 1}. ${path.relative(process.cwd(), v.file)} imports ${v.importPath}`
                        );
                    });
-                    console.log('');
+                    console.log("");
                    result.errors.push({
                        text: `Dynamic import violations detected: ${violations.length} violation(s) found`,
                        location: null,
-                        notes: violations.map(v => ({
+                        notes: violations.map((v) => ({
                            text: `${path.relative(process.cwd(), v.file)} imports ${v.importPath}`,
                            location: null
                        }))
@@ -172,21 +190,28 @@ function dynamicImportSwitcherPlugin(buildValue) {
            const switches = [];
            build.onStart(() => {
-                console.log(`Dynamic import switcher using build type: ${buildValue}`);
+                console.log(
                    `Dynamic import switcher using build type: ${buildValue}`
                );
            });
            build.onResolve({ filter: /^#dynamic\// }, (args) => {
                // Extract the path after #dynamic/
-                const dynamicPath = args.path.replace(/^#dynamic\//, '');
+                const dynamicPath = args.path.replace(/^#dynamic\//, "");
                // Determine the replacement based on build type
                let replacement;
                if (buildValue === "oss") {
                    replacement = `#open/${dynamicPath}`;
-                } else if (buildValue === "saas" || buildValue === "enterprise") {
+                } else if (
                    buildValue === "saas" ||
                    buildValue === "enterprise"
                ) {
                    replacement = `#closed/${dynamicPath}`; // We use #closed here so that the route guards dont complain after its been changed but this is the same as #private
                } else {
-                    console.warn(`Unknown build type '${buildValue}', defaulting to #open/`);
+                    console.warn(
                        `Unknown build type '${buildValue}', defaulting to #open/`
                    );
                    replacement = `#open/${dynamicPath}`;
                }
@@ -201,8 +226,10 @@ function dynamicImportSwitcherPlugin(buildValue) {
                console.log(`DYNAMIC IMPORT SWITCH:`);
                console.log(`   File: ${args.importer}`);
                console.log(`   Original: ${args.path}`);
-                console.log(`   Switched to: ${replacement} (build: ${buildValue})`);
+                console.log(
-                console.log('');
+                    `   Switched to: ${replacement} (build: ${buildValue})`
                );
                console.log("");
                // Rewrite the import path and let the normal resolution continue
                return build.resolve(replacement, {
@@ -215,12 +242,18 @@ function dynamicImportSwitcherPlugin(buildValue) {
            build.onEnd((result) => {
                if (switches.length > 0) {
-                    console.log(`\nDYNAMIC IMPORT SUMMARY: Switched ${switches.length} import(s) for build type '${buildValue}':`);
+                    console.log(
                        `\nDYNAMIC IMPORT SUMMARY: Switched ${switches.length} import(s) for build type '${buildValue}':`
                    );
                    switches.forEach((s, i) => {
-                        console.log(`   ${i + 1}. ${path.relative(process.cwd(), s.file)}`);
+                        console.log(
-                        console.log(`      ${s.originalPath} → ${s.replacementPath}`);
+                            `   ${i + 1}. ${path.relative(process.cwd(), s.file)}`
                        );
                        console.log(
                            `      ${s.originalPath} → ${s.replacementPath}`
                        );
                    });
-                    console.log('');
+                    console.log("");
                }
            });
        }
@@ -235,7 +268,7 @@ esbuild
        format: "esm",
        minify: false,
        banner: {
-            js: banner,
+            js: banner
        },
        platform: "node",
        external: ["body-parser"],
@@ -244,20 +277,22 @@ esbuild
            dynamicImportGuardPlugin(),
            dynamicImportSwitcherPlugin(argv.build),
            nodeExternalsPlugin({
-                packagePath: getPackagePaths(),
+                packagePath: getPackagePaths()
-            }),
+            })
        ],
        sourcemap: "inline",
-        target: "node22",
+        target: "node24"
    })
    .then((result) => {
        // Check if there were any errors in the build result
        if (result.errors && result.errors.length > 0) {
-            console.error(`Build failed with ${result.errors.length} error(s):`);
+            console.error(
                `Build failed with ${result.errors.length} error(s):`
            );
            result.errors.forEach((error, i) => {
                console.error(`${i + 1}. ${error.text}`);
                if (error.notes) {
-                    error.notes.forEach(note => {
+                    error.notes.forEach((note) => {
                        console.error(`   - ${note.text}`);
                    });
                }
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -1,19 +1,19 @@
-import tseslint from 'typescript-eslint';
+import tseslint from "typescript-eslint";
 export default tseslint.config({
-  files: ["**/*.{ts,tsx,js,jsx}"],
+    files: ["**/*.{ts,tsx,js,jsx}"],
-  languageOptions: {
+    languageOptions: {
-    parser: tseslint.parser,
+        parser: tseslint.parser,
-    parserOptions: {
+        parserOptions: {
-      ecmaVersion: "latest",
+            ecmaVersion: "latest",
-      sourceType: "module",
+            sourceType: "module",
-      ecmaFeatures: {
+            ecmaFeatures: {
-        jsx: true
+                jsx: true
-      }
+            }
        }
    },
    rules: {
        semi: "error",
        "prefer-const": "warn"
    }
  },
  rules: {
    "semi": "error",
    "prefer-const": "warn"
  }
 });
--- a/install/Makefile
+++ b/install/Makefile
@@ -1,41 +1,24 @@
-all: update-versions go-build-release put-back
+all: go-build-release
-dev-all: dev-update-versions dev-build dev-clean
+
 # Build with version injection via ldflags
 # Versions can be passed via: make go-build-release PANGOLIN_VERSION=x.x.x GERBIL_VERSION=x.x.x BADGER_VERSION=x.x.x
 # Or fetched automatically if not provided (requires curl and jq)
 PANGOLIN_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name')
 GERBIL_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
 BADGER_VERSION ?= $(shell curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
 LDFLAGS = -X main.pangolinVersion=$(PANGOLIN_VERSION) \
          -X main.gerbilVersion=$(GERBIL_VERSION) \
          -X main.badgerVersion=$(BADGER_VERSION)
 go-build-release:
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/installer_linux_amd64
+	@echo "Building with versions - Pangolin: $(PANGOLIN_VERSION), Gerbil: $(GERBIL_VERSION), Badger: $(BADGER_VERSION)"
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/installer_linux_arm64
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/installer_linux_amd64
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/installer_linux_arm64
 clean:
 	rm -f bin/installer_linux_amd64
 	rm -f bin/installer_linux_arm64
-update-versions:
+.PHONY: all go-build-release clean
 	@echo "Fetching latest versions..."
 	cp main.go main.go.bak && \
 	$(MAKE) dev-update-versions
 put-back:
 	mv main.go.bak main.go
 dev-update-versions:
 	if [ -z "$(tag)" ]; then \
 		PANGOLIN_VERSION=$$(curl -s https://api.github.com/repos/fosrl/pangolin/tags | jq -r '.[0].name'); \
 	else \
 		PANGOLIN_VERSION=$(tag); \
 	fi && \
 	GERBIL_VERSION=$$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') && \
 	BADGER_VERSION=$$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') && \
 	echo "Latest versions - Pangolin: $$PANGOLIN_VERSION, Gerbil: $$GERBIL_VERSION, Badger: $$BADGER_VERSION" && \
 	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$$PANGOLIN_VERSION\"/" main.go && \
 	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$$GERBIL_VERSION\"/" main.go && \
 	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$$BADGER_VERSION\"/" main.go && \
 	echo "Updated main.go with latest versions"
 dev-build: go-build-release
 dev-clean:
 	@echo "Restoring version values ..."
 	sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"replaceme\"/" main.go && \
 	sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"replaceme\"/" main.go && \
 	sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"replaceme\"/" main.go
 	@echo "Restored version strings in main.go"
--- a/install/config.go
+++ b/install/config.go
@@ -118,19 +118,19 @@ func copyDockerService(sourceFile, destFile, serviceName string) error {
 	}
 	// Parse source Docker Compose YAML
-	var sourceCompose map[string]interface{}
+	var sourceCompose map[string]any
 	if err := yaml.Unmarshal(sourceData, &sourceCompose); err != nil {
 		return fmt.Errorf("error parsing source Docker Compose file: %w", err)
 	}
 	// Parse destination Docker Compose YAML
-	var destCompose map[string]interface{}
+	var destCompose map[string]any
 	if err := yaml.Unmarshal(destData, &destCompose); err != nil {
 		return fmt.Errorf("error parsing destination Docker Compose file: %w", err)
 	}
 	// Get services section from source
-	sourceServices, ok := sourceCompose["services"].(map[string]interface{})
+	sourceServices, ok := sourceCompose["services"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("services section not found in source file or has invalid format")
 	}
@@ -142,10 +142,10 @@ func copyDockerService(sourceFile, destFile, serviceName string) error {
 	}
 	// Get or create services section in destination
-	destServices, ok := destCompose["services"].(map[string]interface{})
+	destServices, ok := destCompose["services"].(map[string]any)
 	if !ok {
 		// If services section doesn't exist, create it
-		destServices = make(map[string]interface{})
+		destServices = make(map[string]any)
 		destCompose["services"] = destServices
 	}
@@ -187,13 +187,12 @@ func backupConfig() error {
 	return nil
 }
-func MarshalYAMLWithIndent(data interface{}, indent int) ([]byte, error) {
+func MarshalYAMLWithIndent(data any, indent int) ([]byte, error) {
 	buffer := new(bytes.Buffer)
 	encoder := yaml.NewEncoder(buffer)
 	encoder.SetIndent(indent)
-	err := encoder.Encode(data)
+	if err := encoder.Encode(data); err != nil {
 	if err != nil {
 		return nil, err
 	}
@@ -209,7 +208,7 @@ func replaceInFile(filepath, oldStr, newStr string) error {
 	}
 	// Replace the string
-	newContent := strings.Replace(string(content), oldStr, newStr, -1)
+	newContent := strings.ReplaceAll(string(content), oldStr, newStr)
 	// Write the modified content back to the file
 	err = os.WriteFile(filepath, []byte(newContent), 0644)
@@ -228,28 +227,28 @@ func CheckAndAddTraefikLogVolume(composePath string) error {
 	}
 	// Parse YAML into a generic map
-	var compose map[string]interface{}
+	var compose map[string]any
 	if err := yaml.Unmarshal(data, &compose); err != nil {
 		return fmt.Errorf("error parsing compose file: %w", err)
 	}
 	// Get services section
-	services, ok := compose["services"].(map[string]interface{})
+	services, ok := compose["services"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("services section not found or invalid")
 	}
 	// Get traefik service
-	traefik, ok := services["traefik"].(map[string]interface{})
+	traefik, ok := services["traefik"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("traefik service not found or invalid")
 	}
 	// Check volumes
 	logVolume := "./config/traefik/logs:/var/log/traefik"
-	var volumes []interface{}
+	var volumes []any
-	if existingVolumes, ok := traefik["volumes"].([]interface{}); ok {
+	if existingVolumes, ok := traefik["volumes"].([]any); ok {
 		// Check if volume already exists
 		for _, v := range existingVolumes {
 			if v.(string) == logVolume {
@@ -295,13 +294,13 @@ func MergeYAML(baseFile, overlayFile string) error {
 	}
 	// Parse base YAML into a map
-	var baseMap map[string]interface{}
+	var baseMap map[string]any
 	if err := yaml.Unmarshal(baseContent, &baseMap); err != nil {
 		return fmt.Errorf("error parsing base YAML: %v", err)
 	}
 	// Parse overlay YAML into a map
-	var overlayMap map[string]interface{}
+	var overlayMap map[string]any
 	if err := yaml.Unmarshal(overlayContent, &overlayMap); err != nil {
 		return fmt.Errorf("error parsing overlay YAML: %v", err)
 	}
@@ -324,8 +323,8 @@ func MergeYAML(baseFile, overlayFile string) error {
 }
 // mergeMap recursively merges two maps
-func mergeMap(base, overlay map[string]interface{}) map[string]interface{} {
+func mergeMap(base, overlay map[string]any) map[string]any {
-	result := make(map[string]interface{})
+	result := make(map[string]any)
 	// Copy all key-values from base map
 	for k, v := range base {
@@ -336,8 +335,8 @@ func mergeMap(base, overlay map[string]interface{}) map[string]interface{} {
 	for k, v := range overlay {
 		// If both maps have the same key and both values are maps, merge recursively
 		if baseVal, ok := base[k]; ok {
-			if baseMap, isBaseMap := baseVal.(map[string]interface{}); isBaseMap {
+			if baseMap, isBaseMap := baseVal.(map[string]any); isBaseMap {
-				if overlayMap, isOverlayMap := v.(map[string]interface{}); isOverlayMap {
+				if overlayMap, isOverlayMap := v.(map[string]any); isOverlayMap {
 					result[k] = mergeMap(baseMap, overlayMap)
 					continue
 				}
--- a/install/config/crowdsec/docker-compose.yml
+++ b/install/config/crowdsec/docker-compose.yml
@@ -9,10 +9,15 @@ services:
      PARSERS: crowdsecurity/whitelists
      ENROLL_TAGS: docker
    healthcheck:
-      interval: 10s
+        test:
-      retries: 15
+            - CMD
-      timeout: 10s
+            - cscli
-      test: ["CMD", "cscli", "capi", "status"]
+            - lapi
            - status
        interval: 10s
        timeout: 5s
        retries: 3
        start_period: 30s
    labels:
      - "traefik.enable=false" # Disable traefik for crowdsec
    volumes:
--- a/install/config/crowdsec/dynamic_config.yml
+++ b/install/config/crowdsec/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -63,6 +67,7 @@ http:
        - web
      middlewares:
        - redirect-to-https
        - badger
    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
@@ -72,6 +77,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
        - badger
      tls:
        certResolver: letsencrypt
@@ -83,6 +89,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
        - badger
      tls:
        certResolver: letsencrypt
@@ -94,6 +101,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
        - badger
      tls:
        certResolver: letsencrypt
@@ -107,3 +115,12 @@ http:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server
 tcp:
  serversTransports:
    pp-transport-v1:
      proxyProtocol:
        version: 1
    pp-transport-v2:
      proxyProtocol:
        version: 2
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -1,7 +1,7 @@
 name: pangolin
 services:
  pangolin:
-    image: docker.io/fosrl/pangolin:{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
    container_name: pangolin
    restart: unless-stopped
    volumes:
@@ -38,9 +38,7 @@ services:
    image: docker.io/traefik:v3.6
    container_name: traefik
    restart: unless-stopped
-{{if .InstallGerbil}}
+{{if .InstallGerbil}}    network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
    network_mode: service:gerbil # Ports appear on the gerbil service
 {{end}}{{if not .InstallGerbil}}
    ports:
      - 443:443
      - 80:80
--- a/install/config/traefik/dynamic_config.yml
+++ b/install/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
    badger:
      plugin:
        badger:
          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -13,6 +17,7 @@ http:
        - web
      middlewares:
        - redirect-to-https
        - badger
    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
@@ -20,6 +25,8 @@ http:
      service: next-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -29,6 +36,8 @@ http:
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
@@ -38,6 +47,8 @@ http:
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - badger
      tls:
        certResolver: letsencrypt
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -43,6 +43,9 @@ entryPoints:
    http:
      tls:
        certResolver: "letsencrypt"
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true
 serversTransport:
  insecureSkipVerify: true
--- a/install/containers.go
+++ b/install/containers.go
@@ -73,7 +73,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=ubuntu"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl &&
+			apt-get install -y apt-transport-https ca-certificates curl gpg &&
 			curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&
@@ -82,7 +82,7 @@ func installDocker() error {
 	case strings.Contains(osRelease, "ID=debian"):
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			apt-get update &&
-			apt-get install -y apt-transport-https ca-certificates curl &&
+			apt-get install -y apt-transport-https ca-certificates curl gpg &&
 			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg &&
 			echo "deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list &&
 			apt-get update &&
@@ -144,12 +144,13 @@ func installDocker() error {
 }
 func startDockerService() error {
-	if runtime.GOOS == "linux" {
+	switch runtime.GOOS {
 	case "linux":
 		cmd := exec.Command("systemctl", "enable", "--now", "docker")
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		return cmd.Run()
-	} else if runtime.GOOS == "darwin" {
+	case "darwin":
 		// On macOS, Docker is usually started via the Docker Desktop application
 		fmt.Println("Please start Docker Desktop manually on macOS.")
 		return nil
@@ -210,6 +211,47 @@ func isDockerRunning() bool {
 	return true
 }
 func isPodmanRunning() bool {
 	cmd := exec.Command("podman", "info")
 	if err := cmd.Run(); err != nil {
 		return false
 	}
 	return true
 }
 // detectContainerType detects whether the system is currently using Docker or Podman
 // by checking which container runtime is running and has containers
 func detectContainerType() SupportedContainer {
 	// Check if we have running containers with podman
 	if isPodmanRunning() {
 		cmd := exec.Command("podman", "ps", "-q")
 		output, err := cmd.Output()
 		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
 			return Podman
 		}
 	}
 	// Check if we have running containers with docker
 	if isDockerRunning() {
 		cmd := exec.Command("docker", "ps", "-q")
 		output, err := cmd.Output()
 		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
 			return Docker
 		}
 	}
 	// If no containers are running, check which one is installed and running
 	if isPodmanRunning() && isPodmanInstalled() {
 		return Podman
 	}
 	if isDockerRunning() && isDockerInstalled() {
 		return Docker
 	}
 	return Undefined
 }
 // executeDockerComposeCommandWithArgs executes the appropriate docker command with arguments supplied
 func executeDockerComposeCommandWithArgs(args ...string) error {
 	var cmd *exec.Cmd
@@ -261,7 +303,7 @@ func pullContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
 // startContainers starts the containers using the appropriate command.
@@ -284,7 +326,7 @@ func startContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
 // stopContainers stops the containers using the appropriate command.
@@ -306,7 +348,7 @@ func stopContainers(containerType SupportedContainer) error {
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
 // restartContainer restarts a specific container using the appropriate command.
@@ -328,5 +370,5 @@ func restartContainer(container string, containerType SupportedContainer) error
 		return nil
 	}
-	return fmt.Errorf("Unsupported container type: %s", containerType)
+	return fmt.Errorf("unsupported container type: %s", containerType)
 }
--- a/install/crowdsec.go
+++ b/install/crowdsec.go
@@ -27,9 +27,18 @@ func installCrowdsec(config Config) error {
 		os.Exit(1)
 	}
-	os.MkdirAll("config/crowdsec/db", 0755)
+	if err := os.MkdirAll("config/crowdsec/db", 0755); err != nil {
-	os.MkdirAll("config/crowdsec/acquis.d", 0755)
+		fmt.Printf("Error creating config files: %v\n", err)
-	os.MkdirAll("config/traefik/logs", 0755)
+		os.Exit(1)
 	}
 	if err := os.MkdirAll("config/crowdsec/acquis.d", 0755); err != nil {
 		fmt.Printf("Error creating config files: %v\n", err)
 		os.Exit(1)
 	}
 	if err := os.MkdirAll("config/traefik/logs", 0755); err != nil {
 		fmt.Printf("Error creating config files: %v\n", err)
 		os.Exit(1)
 	}
 	if err := copyDockerService("config/crowdsec/docker-compose.yml", "docker-compose.yml", "crowdsec"); err != nil {
 		fmt.Printf("Error copying docker service: %v\n", err)
@@ -93,7 +102,7 @@ func installCrowdsec(config Config) error {
 	if checkIfTextInFile("config/traefik/dynamic_config.yml", "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK") {
 		fmt.Println("Failed to replace bouncer key! Please retrieve the key and replace it in the config/traefik/dynamic_config.yml file using the following command:")
-		fmt.Println("	docker exec crowdsec cscli bouncers add traefik-bouncer")
+		fmt.Printf("	%s exec crowdsec cscli bouncers add traefik-bouncer\n", config.InstallationContainerType)
 	}
 	return nil
@@ -117,7 +126,7 @@ func GetCrowdSecAPIKey(containerType SupportedContainer) (string, error) {
 	}
 	// Execute the command to get the API key
-	cmd := exec.Command("docker", "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
+	cmd := exec.Command(string(containerType), "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
 	var out bytes.Buffer
 	cmd.Stdout = &out
@@ -153,34 +162,34 @@ func CheckAndAddCrowdsecDependency(composePath string) error {
 	}
 	// Parse YAML into a generic map
-	var compose map[string]interface{}
+	var compose map[string]any
 	if err := yaml.Unmarshal(data, &compose); err != nil {
 		return fmt.Errorf("error parsing compose file: %w", err)
 	}
 	// Get services section
-	services, ok := compose["services"].(map[string]interface{})
+	services, ok := compose["services"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("services section not found or invalid")
 	}
 	// Get traefik service
-	traefik, ok := services["traefik"].(map[string]interface{})
+	traefik, ok := services["traefik"].(map[string]any)
 	if !ok {
 		return fmt.Errorf("traefik service not found or invalid")
 	}
 	// Get dependencies
-	dependsOn, ok := traefik["depends_on"].(map[string]interface{})
+	dependsOn, ok := traefik["depends_on"].(map[string]any)
 	if ok {
 		// Append the new block for crowdsec
-		dependsOn["crowdsec"] = map[string]interface{}{
+		dependsOn["crowdsec"] = map[string]any{
 			"condition": "service_healthy",
 		}
 	} else {
 		// No dependencies exist, create it
-		traefik["depends_on"] = map[string]interface{}{
+		traefik["depends_on"] = map[string]any{
-			"crowdsec": map[string]interface{}{
+			"crowdsec": map[string]any{
 				"condition": "service_healthy",
 			},
 		}
--- a/install/go.mod
+++ b/install/go.mod
@@ -3,8 +3,36 @@ module installer
 go 1.24.0
 require (
-	golang.org/x/term v0.37.0
+	github.com/charmbracelet/huh v0.8.0
 	github.com/charmbracelet/lipgloss v1.1.0
 	golang.org/x/term v0.40.0
 	gopkg.in/yaml.v3 v3.0.1
 )
-require golang.org/x/sys v0.38.0 // indirect
+require (
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/catppuccin/go v0.3.0 // indirect
 	github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
 	github.com/charmbracelet/bubbletea v1.3.6 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/x/ansi v0.9.3 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -1,7 +1,80 @@
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
 github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E=
 github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY=
 github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 h1:JFgG/xnwFfbezlUnFMJy0nusZvytYysV4SCS2cYbvws=
 github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7/go.mod h1:ISC1gtLcVilLOf23wvTfoQuYbW2q0JevFxPfUzZ9Ybw=
 github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
 github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
 github.com/charmbracelet/huh v0.8.0 h1:Xz/Pm2h64cXQZn/Jvele4J3r7DDiqFCNIVteYukxDvY=
 github.com/charmbracelet/huh v0.8.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=
 github.com/charmbracelet/x/ansi v0.9.3/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
 github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/conpty v0.1.0 h1:4zc8KaIcbiL4mghEON8D72agYtSeIgq8FSThSPQIb+U=
 github.com/charmbracelet/x/conpty v0.1.0/go.mod h1:rMFsDJoDwVmiYM10aD4bH2XiRgwI7NYJtQgl5yskjEQ=
 github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86 h1:JSt3B+U9iqk37QUU2Rvb6DSBYRLtWqFqfxf8l5hOZUA=
 github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86/go.mod h1:2P0UgXMEa6TsToMSuFqKFQR+fZTO9CNGUNokkPatT/0=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 h1:qko3AQ4gK1MTS/de7F5hPGx6/k1u0w4TeYmBFwzYVP4=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0/go.mod h1:pBhA0ybfXv6hDjQUZ7hk1lVxBiUbupdw5R31yPUViVQ=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY=
 github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo=
 github.com/charmbracelet/x/xpty v0.1.2 h1:Pqmu4TEJ8KeA9uSkISKMU3f+C1F6OGBn8ABuGlqCbtI=
 github.com/charmbracelet/x/xpty v0.1.2/go.mod h1:XK2Z0id5rtLWcpeNiMYBccNNBrP2IJnzHI0Lq13Xzq4=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
 golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/install/input.go
+++ b/install/input.go
@@ -1,74 +1,235 @@
 package main
 import (
-	"bufio"
+	"errors"
 	"fmt"
-	"strings"
+	"os"
-	"syscall"
+	"strconv"
 	"github.com/charmbracelet/huh"
 	"golang.org/x/term"
 )
-func readString(reader *bufio.Reader, prompt string, defaultValue string) string {
+// pangolinTheme is the custom theme using brand colors
 var pangolinTheme = ThemePangolin()
 // isAccessibleMode checks if we should use accessible mode (simple prompts)
 // This is true for: non-TTY, TERM=dumb, or ACCESSIBLE env var set
 func isAccessibleMode() bool {
 	// Check if stdin is not a terminal (piped input, CI, etc.)
 	if !term.IsTerminal(int(os.Stdin.Fd())) {
 		return true
 	}
 	// Check for dumb terminal
 	if os.Getenv("TERM") == "dumb" {
 		return true
 	}
 	// Check for explicit accessible mode request
 	if os.Getenv("ACCESSIBLE") != "" {
 		return true
 	}
 	return false
 }
 // handleAbort checks if the error is a user abort (Ctrl+C) and exits if so
 func handleAbort(err error) {
 	if err != nil && errors.Is(err, huh.ErrUserAborted) {
 		fmt.Println("\nInstallation cancelled.")
 		os.Exit(0)
 	}
 }
 // runField runs a single field with the Pangolin theme, handling accessible mode
 func runField(field huh.Field) error {
 	if isAccessibleMode() {
 		return field.RunAccessible(os.Stdout, os.Stdin)
 	}
 	form := huh.NewForm(huh.NewGroup(field)).WithTheme(pangolinTheme)
 	return form.Run()
 }
 func readString(prompt string, defaultValue string) string {
 	var value string
 	title := prompt
 	if defaultValue != "" {
-		fmt.Printf("%s (default: %s): ", prompt, defaultValue)
+		title = fmt.Sprintf("%s (default: %s)", prompt, defaultValue)
 	} else {
 		fmt.Print(prompt + ": ")
 	}
-	input, _ := reader.ReadString('\n')
+
-	input = strings.TrimSpace(input)
+	input := huh.NewInput().
-	if input == "" {
+		Title(title).
-		return defaultValue
+		Value(&value)
 	// If no default value, this field is required
 	if defaultValue == "" {
 		input = input.Validate(func(s string) error {
 			if s == "" {
 				return fmt.Errorf("this field is required")
 			}
 			return nil
 		})
 	}
 	return input
 }
-func readStringNoDefault(reader *bufio.Reader, prompt string) string {
+	err := runField(input)
-	fmt.Print(prompt + ": ")
+	handleAbort(err)
 	input, _ := reader.ReadString('\n')
 	return strings.TrimSpace(input)
 }
-func readPassword(prompt string, reader *bufio.Reader) string {
+	if value == "" {
-	if term.IsTerminal(int(syscall.Stdin)) {
+		value = defaultValue
 		fmt.Print(prompt + ": ")
 		// Read password without echo if we're in a terminal
 		password, err := term.ReadPassword(int(syscall.Stdin))
 		fmt.Println() // Add a newline since ReadPassword doesn't add one
 		if err != nil {
 			return ""
 		}
 		input := strings.TrimSpace(string(password))
 		if input == "" {
 			return readPassword(prompt, reader)
 		}
 		return input
 	} else {
 		// Fallback to reading from stdin if not in a terminal
 		return readString(reader, prompt, "")
 	}
 }
-func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
+	// Print the answer so it remains visible in terminal history (skip in accessible mode as it already shows)
-	defaultStr := "no"
+	if !isAccessibleMode() {
-	if defaultValue {
+		fmt.Printf("%s: %s\n", prompt, value)
 		defaultStr = "yes"
 	}
 	input := readString(reader, prompt+" (yes/no)", defaultStr)
 	return strings.ToLower(input) == "yes"
 }
 func readBoolNoDefault(reader *bufio.Reader, prompt string) bool {
 	input := readStringNoDefault(reader, prompt+" (yes/no)")
 	return strings.ToLower(input) == "yes"
 }
 func readInt(reader *bufio.Reader, prompt string, defaultValue int) int {
 	input := readString(reader, prompt, fmt.Sprintf("%d", defaultValue))
 	if input == "" {
 		return defaultValue
 	}
 	value := defaultValue
 	fmt.Sscanf(input, "%d", &value)
 	return value
 }
 func readStringNoDefault(prompt string) string {
 	var value string
 	for {
 		input := huh.NewInput().
 			Title(prompt).
 			Value(&value).
 			Validate(func(s string) error {
 				if s == "" {
 					return fmt.Errorf("this field is required")
 				}
 				return nil
 			})
 		err := runField(input)
 		handleAbort(err)
 		if value != "" {
 			// Print the answer so it remains visible in terminal history
 			if !isAccessibleMode() {
 				fmt.Printf("%s: %s\n", prompt, value)
 			}
 			return value
 		}
 	}
 }
 func readPassword(prompt string) string {
 	var value string
 	for {
 		input := huh.NewInput().
 			Title(prompt).
 			Value(&value).
 			EchoMode(huh.EchoModePassword).
 			Validate(func(s string) error {
 				if s == "" {
 					return fmt.Errorf("password is required")
 				}
 				return nil
 			})
 		err := runField(input)
 		handleAbort(err)
 		if value != "" {
 			// Print confirmation without revealing the password
 			if !isAccessibleMode() {
 				fmt.Printf("%s: %s\n", prompt, "********")
 			}
 			return value
 		}
 	}
 }
 func readBool(prompt string, defaultValue bool) bool {
 	var value = defaultValue
 	confirm := huh.NewConfirm().
 		Title(prompt).
 		Value(&value).
 		Affirmative("Yes").
 		Negative("No")
 	err := runField(confirm)
 	handleAbort(err)
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		answer := "No"
 		if value {
 			answer = "Yes"
 		}
 		fmt.Printf("%s: %s\n", prompt, answer)
 	}
 	return value
 }
 func readBoolNoDefault(prompt string) bool {
 	var value bool
 	confirm := huh.NewConfirm().
 		Title(prompt).
 		Value(&value).
 		Affirmative("Yes").
 		Negative("No")
 	err := runField(confirm)
 	handleAbort(err)
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		answer := "No"
 		if value {
 			answer = "Yes"
 		}
 		fmt.Printf("%s: %s\n", prompt, answer)
 	}
 	return value
 }
 func readInt(prompt string, defaultValue int) int {
 	var value string
 	title := fmt.Sprintf("%s (default: %d)", prompt, defaultValue)
 	input := huh.NewInput().
 		Title(title).
 		Value(&value).
 		Validate(func(s string) error {
 			if s == "" {
 				return nil
 			}
 			_, err := strconv.Atoi(s)
 			if err != nil {
 				return fmt.Errorf("please enter a valid number")
 			}
 			return nil
 		})
 	err := runField(input)
 	handleAbort(err)
 	if value == "" {
 		// Print the answer so it remains visible in terminal history
 		if !isAccessibleMode() {
 			fmt.Printf("%s: %d\n", prompt, defaultValue)
 		}
 		return defaultValue
 	}
 	result, err := strconv.Atoi(value)
 	if err != nil {
 		if !isAccessibleMode() {
 			fmt.Printf("%s: %d\n", prompt, defaultValue)
 		}
 		return defaultValue
 	}
 	// Print the answer so it remains visible in terminal history
 	if !isAccessibleMode() {
 		fmt.Printf("%s: %d\n", prompt, result)
 	}
 	return result
 }
--- a/install/main.go
+++ b/install/main.go
@@ -1,12 +1,12 @@
 package main
 import (
-	"bufio"
+	"crypto/rand"
 	"embed"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"io/fs"
 	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
@@ -19,11 +19,17 @@ import (
 	"time"
 )
-// DO NOT EDIT THIS FUNCTION; IT MATCHED BY REGEX IN CICD
+// Version variables injected at build time via -ldflags
 var (
 	pangolinVersion string
 	gerbilVersion   string
 	badgerVersion   string
 )
 func loadVersions(config *Config) {
-	config.PangolinVersion = "replaceme"
+	config.PangolinVersion = pangolinVersion
-	config.GerbilVersion = "replaceme"
+	config.GerbilVersion = gerbilVersion
-	config.BadgerVersion = "replaceme"
+	config.BadgerVersion = badgerVersion
 }
 //go:embed config/*
@@ -49,13 +55,14 @@ type Config struct {
 	DoCrowdsecInstall         bool
 	EnableGeoblocking         bool
 	Secret                    string
 	IsEnterprise              bool
 }
 type SupportedContainer string
 const (
-	Docker SupportedContainer = "docker"
+	Docker    SupportedContainer = "docker"
-	Podman SupportedContainer = "podman"
+	Podman    SupportedContainer = "podman"
 	Undefined SupportedContainer = "undefined"
 )
@@ -80,14 +87,12 @@ func main() {
 		}
 	}
 	reader := bufio.NewReader(os.Stdin)
 	var config Config
 	var alreadyInstalled = false
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
-		config = collectUserInput(reader)
+		config = collectUserInput()
 		loadVersions(&config)
 		config.DoCrowdsecInstall = false
@@ -100,7 +105,10 @@ func main() {
 			os.Exit(1)
 		}
-		moveFile("config/docker-compose.yml", "docker-compose.yml")
+		if err := moveFile("config/docker-compose.yml", "docker-compose.yml"); err != nil {
 			fmt.Printf("Error moving docker-compose.yml: %v\n", err)
 			os.Exit(1)
 		}
 		fmt.Println("\nConfiguration files created successfully!")
@@ -115,13 +123,17 @@ func main() {
 		fmt.Println("\n=== Starting installation ===")
-		if readBool(reader, "Would you like to install and start the containers?", true) {
+		if readBool("Would you like to install and start the containers?", true) {
-			config.InstallationContainerType = podmanOrDocker(reader)
+			config.InstallationContainerType = podmanOrDocker()
 			if !isDockerInstalled() && runtime.GOOS == "linux" && config.InstallationContainerType == Docker {
-				if readBool(reader, "Docker is not installed. Would you like to install it?", true) {
+				if readBool("Docker is not installed. Would you like to install it?", true) {
-					installDocker()
+					if err := installDocker(); err != nil {
 						fmt.Printf("Error installing Docker: %v\n", err)
 						return
 					}
 					// try to start docker service but ignore errors
 					if err := startDockerService(); err != nil {
 						fmt.Println("Error starting Docker service:", err)
@@ -130,7 +142,7 @@ func main() {
 					}
 					// wait 10 seconds for docker to start checking if docker is running every 2 seconds
 					fmt.Println("Waiting for Docker to start...")
-					for i := 0; i < 5; i++ {
+					for range 5 {
 						if isDockerRunning() {
 							fmt.Println("Docker is running!")
 							break
@@ -165,7 +177,7 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool(reader, "Would you like to update the MaxMind database to the latest version?", false) {
+			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
@@ -173,13 +185,13 @@ func main() {
 			}
 		} else {
 			fmt.Println("MaxMind GeoLite2 Country database not found.")
-			if readBool(reader, "Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
 				}
 				// Now you need to update your config file accordingly to enable geoblocking
-				fmt.Println("Please remember to update your config/config.yml file to enable geoblocking! \n")
+				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
 				fmt.Println("Add the following line under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
@@ -190,11 +202,11 @@ func main() {
 	if !checkIsCrowdsecInstalledInCompose() {
 		fmt.Println("\n=== CrowdSec Install ===")
 		// check if crowdsec is installed
-		if readBool(reader, "Would you like to install CrowdSec?", false) {
+		if readBool("Would you like to install CrowdSec?", false) {
 			fmt.Println("This installer constitutes a minimal viable CrowdSec deployment. CrowdSec will add extra complexity to your Pangolin installation and may not work to the best of its abilities out of the box. Users are expected to implement configuration adjustments on their own to achieve the best security posture. Consult the CrowdSec documentation for detailed configuration instructions.")
 			// BUG: crowdsec installation will be skipped if the user chooses to install on the first installation.
-			if readBool(reader, "Are you willing to manage CrowdSec?", false) {
+			if readBool("Are you willing to manage CrowdSec?", false) {
 				if config.DashboardDomain == "" {
 					traefikConfig, err := ReadTraefikConfig("config/traefik/traefik_config.yml")
 					if err != nil {
@@ -209,8 +221,8 @@ func main() {
 					parsedURL, err := url.Parse(appConfig.DashboardURL)
 					if err != nil {
-                        fmt.Printf("Error parsing URL: %v\n", err)
+						fmt.Printf("Error parsing URL: %v\n", err)
-                        return
+						return
 					}
 					config.DashboardDomain = parsedURL.Hostname()
@@ -223,12 +235,21 @@ func main() {
 					fmt.Printf("Let's Encrypt Email: %s\n", config.LetsEncryptEmail)
 					fmt.Printf("Badger Version: %s\n", config.BadgerVersion)
-					if !readBool(reader, "Are these values correct?", true) {
+					if !readBool("Are these values correct?", true) {
-						config = collectUserInput(reader)
+						config = collectUserInput()
 					}
 				}
-				config.InstallationContainerType = podmanOrDocker(reader)
+				// Try to detect container type from existing installation
 				detectedType := detectContainerType()
 				if detectedType == Undefined {
 					// If detection fails, prompt the user
 					fmt.Println("Unable to detect container type from existing installation.")
 					config.InstallationContainerType = podmanOrDocker()
 				} else {
 					config.InstallationContainerType = detectedType
 					fmt.Printf("Detected container type: %s\n", config.InstallationContainerType)
 				}
 				config.DoCrowdsecInstall = true
 				err := installCrowdsec(config)
@@ -242,7 +263,7 @@ func main() {
 		}
 	}
-	if !alreadyInstalled {
+	if !alreadyInstalled || config.DoCrowdsecInstall {
 		// Setup Token Section
 		fmt.Println("\n=== Setup Token ===")
@@ -266,8 +287,8 @@ func main() {
 	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
-func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
+func podmanOrDocker() SupportedContainer {
-	inputContainer := readString(reader, "Would you like to run Pangolin as Docker or Podman containers?", "docker")
+	inputContainer := readString("Would you like to run Pangolin as Docker or Podman containers?", "docker")
 	chosenContainer := Docker
 	if strings.EqualFold(inputContainer, "docker") {
@@ -279,16 +300,17 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 		os.Exit(1)
 	}
-	if chosenContainer == Podman {
+	switch chosenContainer {
 	case Podman:
 		if !isPodmanInstalled() {
 			fmt.Println("Podman or podman-compose is not installed. Please install both manually. Automated installation will be available in a later release.")
 			os.Exit(1)
 		}
-		if err := exec.Command("bash", "-c", "cat /etc/sysctl.conf | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
+		if err := exec.Command("bash", "-c", "cat /etc/sysctl.d/99-podman.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start=' || cat /etc/sysctl.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
 			fmt.Println("Would you like to configure ports >= 80 as unprivileged ports? This enables podman containers to listen on low-range ports.")
 			fmt.Println("Pangolin will experience startup issues if this is not configured, because it needs to listen on port 80/443 by default.")
-			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p\". Approve?", true)
+			approved := readBool("The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system\". Approve?", true)
 			if approved {
 				if os.Geteuid() != 0 {
 					fmt.Println("You need to run the installer as root for such a configuration.")
@@ -299,8 +321,8 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 				// container low-range ports as unprivileged ports.
 				// Linux only.
-				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p"); err != nil {
+				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system"); err != nil {
-					fmt.Sprintf("failed to configure unprivileged ports: %v.\n", err)
+					fmt.Printf("Error configuring unprivileged ports: %v\n", err)
 					os.Exit(1)
 				}
 			} else {
@@ -310,7 +332,7 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 			fmt.Println("Unprivileged ports have been configured.")
 		}
-	} else if chosenContainer == Docker {
+	case Docker:
 		// check if docker is not installed and the user is root
 		if !isDockerInstalled() {
 			if os.Geteuid() != 0 {
@@ -325,7 +347,7 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 			fmt.Println("The installer will not be able to run docker commands without running it as root.")
 			os.Exit(1)
 		}
-	} else {
+	default:
 		// This shouldn't happen unless there's a third container runtime.
 		os.Exit(1)
 	}
@@ -333,33 +355,35 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 	return chosenContainer
 }
-func collectUserInput(reader *bufio.Reader) Config {
+func collectUserInput() Config {
 	config := Config{}
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
-	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
+	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
 	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")
 	// Set default dashboard domain after base domain is collected
 	defaultDashboardDomain := ""
 	if config.BaseDomain != "" {
 		defaultDashboardDomain = "pangolin." + config.BaseDomain
 	}
-	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
+	config.DashboardDomain = readString("Enter the domain for the Pangolin dashboard", defaultDashboardDomain)
-	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
+	config.LetsEncryptEmail = readString("Enter email for Let's Encrypt certificates", "")
-	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
+	config.InstallGerbil = readBool("Do you want to use Gerbil to allow tunneled connections", true)
 	// Email configuration
 	fmt.Println("\n=== Email Configuration ===")
-	config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
+	config.EnableEmail = readBool("Enable email functionality (SMTP)", false)
 	if config.EnableEmail {
-		config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
+		config.EmailSMTPHost = readString("Enter SMTP host", "")
-		config.EmailSMTPPort = readInt(reader, "Enter SMTP port (default 587)", 587)
+		config.EmailSMTPPort = readInt("Enter SMTP port (default 587)", 587)
-		config.EmailSMTPUser = readString(reader, "Enter SMTP username", "")
+		config.EmailSMTPUser = readString("Enter SMTP username", "")
-		config.EmailSMTPPass = readString(reader, "Enter SMTP password", "") // Should this be readPassword?
+		config.EmailSMTPPass = readPassword("Enter SMTP password")
-		config.EmailNoReply = readString(reader, "Enter no-reply email address", "")
+		config.EmailNoReply = readString("Enter no-reply email address (often the same as SMTP username)", "")
 	}
 	// Validate required fields
@@ -371,13 +395,17 @@ func collectUserInput(reader *bufio.Reader) Config {
 		fmt.Println("Error: Let's Encrypt email is required")
 		os.Exit(1)
 	}
 	if config.EnableEmail && config.EmailNoReply == "" {
 		fmt.Println("Error: No-reply email address is required when email is enabled")
 		os.Exit(1)
 	}
 	// Advanced configuration
 	fmt.Println("\n=== Advanced Configuration ===")
-	config.EnableIPv6 = readBool(reader, "Is your server IPv6 capable?", true)
+	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool(reader, "Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
+	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -388,10 +416,18 @@ func collectUserInput(reader *bufio.Reader) Config {
 }
 func createConfigFiles(config Config) error {
-	os.MkdirAll("config", 0755)
+	if err := os.MkdirAll("config", 0755); err != nil {
-	os.MkdirAll("config/letsencrypt", 0755)
+		return fmt.Errorf("failed to create config directory: %v", err)
-	os.MkdirAll("config/db", 0755)
+	}
-	os.MkdirAll("config/logs", 0755)
+	if err := os.MkdirAll("config/letsencrypt", 0755); err != nil {
 		return fmt.Errorf("failed to create letsencrypt directory: %v", err)
 	}
 	if err := os.MkdirAll("config/db", 0755); err != nil {
 		return fmt.Errorf("failed to create db directory: %v", err)
 	}
 	if err := os.MkdirAll("config/logs", 0755); err != nil {
 		return fmt.Errorf("failed to create logs directory: %v", err)
 	}
 	// Walk through all embedded files
 	err := fs.WalkDir(configFiles, "config", func(path string, d fs.DirEntry, err error) error {
@@ -545,22 +581,24 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 	fmt.Println("To get your setup token, you need to:")
 	fmt.Println("")
 	fmt.Println("1. Start the containers")
-	if containerType == Docker {
+	switch containerType {
 	case Docker:
 		fmt.Println("   docker compose up -d")
-	} else if containerType == Podman {
+	case Podman:
 		fmt.Println("   podman-compose up -d")
 	} else {
 	}
 	fmt.Println("")
 	fmt.Println("2. Wait for the Pangolin container to start and generate the token")
 	fmt.Println("")
 	fmt.Println("3. Check the container logs for the setup token")
-	if containerType == Docker {
+	switch containerType {
 	case Docker:
 		fmt.Println("   docker logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
-	} else if containerType == Podman {
+	case Podman:
 		fmt.Println("   podman logs pangolin | grep -A 2 -B 2 'SETUP TOKEN'")
 	} else {
 	}
 	fmt.Println("")
 	fmt.Println("4. Look for output like")
 	fmt.Println("   === SETUP TOKEN GENERATED ===")
@@ -576,17 +614,12 @@ func showSetupTokenInstructions(containerType SupportedContainer, dashboardDomai
 }
 func generateRandomSecretKey() string {
-	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	secret := make([]byte, 32)
-	const length = 32
+	_, err := rand.Read(secret)
-
+	if err != nil {
-	var seededRand *rand.Rand = rand.New(
+		panic(fmt.Sprintf("Failed to generate random secret key: %v", err))
 		rand.NewSource(time.Now().UnixNano()))
 	b := make([]byte, length)
 	for i := range b {
 		b[i] = charset[seededRand.Intn(len(charset))]
 	}
-	return string(b)
+	return base64.StdEncoding.EncodeToString(secret)
 }
 func getPublicIP() string {
@@ -627,10 +660,7 @@ func checkPortsAvailable(port int) error {
 	addr := fmt.Sprintf(":%d", port)
 	ln, err := net.Listen("tcp", addr)
 	if err != nil {
-		return fmt.Errorf(
+		return fmt.Errorf("ERROR: port %d is occupied or cannot be bound: %w", port, err)
 			"ERROR: port %d is occupied or cannot be bound: %w\n\n",
 			port, err,
 		)
 	}
 	if closeErr := ln.Close(); closeErr != nil {
 		fmt.Fprintf(os.Stderr,
--- a/install/theme.go
+++ b/install/theme.go
@@ -0,0 +1,51 @@
 package main
 import (
 	"github.com/charmbracelet/huh"
 	"github.com/charmbracelet/lipgloss"
 )
 // Pangolin brand colors (converted from oklch to hex)
 var (
 	// Primary orange/amber - oklch(0.6717 0.1946 41.93)
 	primaryColor = lipgloss.AdaptiveColor{Light: "#D97706", Dark: "#F59E0B"}
 	// Muted foreground
 	mutedColor = lipgloss.AdaptiveColor{Light: "#737373", Dark: "#A3A3A3"}
 	// Success green
 	successColor = lipgloss.AdaptiveColor{Light: "#16A34A", Dark: "#22C55E"}
 	// Error red - oklch(0.577 0.245 27.325)
 	errorColor = lipgloss.AdaptiveColor{Light: "#DC2626", Dark: "#EF4444"}
 	// Normal text
 	normalFg = lipgloss.AdaptiveColor{Light: "#171717", Dark: "#FAFAFA"}
 )
 // ThemePangolin returns a huh theme using Pangolin brand colors
 func ThemePangolin() *huh.Theme {
 	t := huh.ThemeBase()
 	// Focused state styles
 	t.Focused.Base = t.Focused.Base.BorderForeground(primaryColor)
 	t.Focused.Title = t.Focused.Title.Foreground(primaryColor).Bold(true)
 	t.Focused.Description = t.Focused.Description.Foreground(mutedColor)
 	t.Focused.ErrorIndicator = t.Focused.ErrorIndicator.Foreground(errorColor)
 	t.Focused.ErrorMessage = t.Focused.ErrorMessage.Foreground(errorColor)
 	t.Focused.SelectSelector = t.Focused.SelectSelector.Foreground(primaryColor)
 	t.Focused.NextIndicator = t.Focused.NextIndicator.Foreground(primaryColor)
 	t.Focused.PrevIndicator = t.Focused.PrevIndicator.Foreground(primaryColor)
 	t.Focused.Option = t.Focused.Option.Foreground(normalFg)
 	t.Focused.SelectedOption = t.Focused.SelectedOption.Foreground(primaryColor)
 	t.Focused.SelectedPrefix = lipgloss.NewStyle().Foreground(successColor).SetString("✓ ")
 	t.Focused.UnselectedPrefix = lipgloss.NewStyle().Foreground(mutedColor).SetString("  ")
 	t.Focused.FocusedButton = t.Focused.FocusedButton.Foreground(lipgloss.Color("#FFFFFF")).Background(primaryColor)
 	t.Focused.BlurredButton = t.Focused.BlurredButton.Foreground(normalFg).Background(lipgloss.AdaptiveColor{Light: "#E5E5E5", Dark: "#404040"})
 	t.Focused.TextInput.Cursor = t.Focused.TextInput.Cursor.Foreground(primaryColor)
 	t.Focused.TextInput.Prompt = t.Focused.TextInput.Prompt.Foreground(primaryColor)
 	// Blurred state inherits from focused but with hidden border
 	t.Blurred = t.Focused
 	t.Blurred.Base = t.Focused.Base.BorderStyle(lipgloss.HiddenBorder())
 	t.Blurred.Title = t.Blurred.Title.Foreground(mutedColor).Bold(false)
 	t.Blurred.TextInput.Prompt = t.Blurred.TextInput.Prompt.Foreground(mutedColor)
 	return t
 }
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
--- a/messages/en-US.json
+++ b/messages/en-US.json
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
--- a/next.config.ts
+++ b/next.config.ts
@@ -4,6 +4,7 @@ import createNextIntlPlugin from "next-intl/plugin";
 const withNextIntl = createNextIntlPlugin();
 const nextConfig: NextConfig = {
    reactStrictMode: false,
    eslint: {
        ignoreDuringBuilds: true
    },
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
    "version": "0.0.0",
    "private": true,
    "type": "module",
-    "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
+    "description": "Identity-aware VPN and proxy for remote access to anything, anywhere and Dashboard UI",
    "homepage": "https://github.com/fosrl/pangolin",
    "repository": {
        "type": "git",
@@ -12,33 +12,33 @@
    "license": "SEE LICENSE IN LICENSE AND README.md",
    "scripts": {
        "dev": "NODE_ENV=development ENVIRONMENT=dev tsx watch server/index.ts",
-        "db:pg:generate": "drizzle-kit generate --config=./drizzle.pg.config.ts",
+        "dev:check": "npx tsc --noEmit && npm run format:check",
-        "db:sqlite:generate": "drizzle-kit generate --config=./drizzle.sqlite.config.ts",
+        "dev:setup": "cp config/config.example.yml config/config.yml && npm run set:oss && npm run set:sqlite && npm run db:sqlite:generate && npm run db:sqlite:push",
-        "db:pg:push": "npx tsx server/db/pg/migrate.ts",
+        "db:generate": "drizzle-kit generate --config=./drizzle.config.ts",
-        "db:sqlite:push": "npx tsx server/db/sqlite/migrate.ts",
+        "db:push": "npx tsx server/db/migrate.ts",
-        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
+        "db:studio": "drizzle-kit studio --config=./drizzle.config.ts",
        "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
        "db:clear-migrations": "rm -rf server/migrations",
-        "set:oss": "echo 'export const build = \"oss\" as any;' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
+        "set:oss": "echo 'export const build = \"oss\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
-        "set:saas": "echo 'export const build = \"saas\" as any;' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
+        "set:saas": "echo 'export const build = \"saas\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
-        "set:enterprise": "echo 'export const build = \"enterprise\" as any;' > server/build.ts && cp tsconfig.enterprise.json tsconfig.json",
+        "set:enterprise": "echo 'export const build = \"enterprise\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.enterprise.json tsconfig.json",
-        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts",
+        "set:sqlite": "echo 'export * from \"./sqlite\";\nexport const driver: \"pg\" | \"sqlite\" = \"sqlite\";' > server/db/index.ts && cp drizzle.sqlite.config.ts drizzle.config.ts && cp server/setup/migrationsSqlite.ts server/setup/migrations.ts",
-        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts",
+        "set:pg": "echo 'export * from \"./pg\";\nexport const driver: \"pg\" | \"sqlite\" = \"pg\";' > server/db/index.ts && cp drizzle.pg.config.ts drizzle.config.ts && cp server/setup/migrationsPg.ts server/setup/migrations.ts",
-        "next:build": "next build",
+        "build:next": "next build",
-        "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
+        "build": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrations.ts -o dist/migrations.mjs",
        "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
        "start": "ENVIRONMENT=prod node dist/migrations.mjs && ENVIRONMENT=prod NODE_ENV=development node --enable-source-maps dist/server.mjs",
        "email": "email dev --dir server/emails/templates --port 3005",
-        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs"
+        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs",
        "format:check": "prettier --check .",
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.1.0",
+        "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.922.0",
+        "@aws-sdk/client-s3": "3.989.0",
-        "@faker-js/faker": "^10.1.0",
+        "@faker-js/faker": "10.3.0",
-        "@headlessui/react": "^2.2.9",
+        "@headlessui/react": "2.2.9",
        "@hookform/resolvers": "5.2.2",
-        "@monaco-editor/react": "^4.7.0",
+        "@monaco-editor/react": "4.7.0",
-        "@node-rs/argon2": "^2.0.2",
+        "@node-rs/argon2": "2.0.2",
        "@oslojs/crypto": "1.0.1",
        "@oslojs/encoding": "1.1.0",
        "@radix-ui/react-avatar": "1.1.11",
@@ -49,138 +49,128 @@
        "@radix-ui/react-icons": "1.3.2",
        "@radix-ui/react-label": "2.1.8",
        "@radix-ui/react-popover": "1.1.15",
-        "@radix-ui/react-progress": "^1.1.8",
+        "@radix-ui/react-progress": "1.1.8",
        "@radix-ui/react-radio-group": "1.3.8",
-        "@radix-ui/react-scroll-area": "^1.2.10",
+        "@radix-ui/react-scroll-area": "1.2.10",
        "@radix-ui/react-select": "2.2.6",
        "@radix-ui/react-separator": "1.1.8",
        "@radix-ui/react-slot": "1.2.4",
        "@radix-ui/react-switch": "1.2.6",
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
-        "@radix-ui/react-tooltip": "^1.2.8",
+        "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "0.5.7",
+        "@react-email/components": "1.0.8",
-        "@react-email/render": "^1.3.2",
+        "@react-email/render": "2.0.4",
-        "@react-email/tailwind": "1.2.2",
+        "@react-email/tailwind": "2.0.5",
-        "@simplewebauthn/browser": "^13.2.2",
+        "@simplewebauthn/browser": "13.2.2",
-        "@simplewebauthn/server": "^13.2.2",
+        "@simplewebauthn/server": "13.2.3",
-        "@tailwindcss/forms": "^0.5.10",
+        "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "^5.90.6",
+        "@tanstack/react-query": "5.90.21",
        "@tanstack/react-table": "8.21.3",
-        "arctic": "^3.7.0",
+        "arctic": "3.7.0",
-        "axios": "^1.13.2",
+        "axios": "1.13.5",
-        "better-sqlite3": "11.7.0",
+        "better-sqlite3": "11.9.1",
        "canvas-confetti": "1.9.4",
-        "class-variance-authority": "^0.7.1",
+        "class-variance-authority": "0.7.1",
        "clsx": "2.1.1",
        "cmdk": "1.1.1",
        "cookie": "^1.0.2",
        "cookie-parser": "1.4.7",
-        "cookies": "^0.9.1",
+        "cors": "2.8.6",
-        "cors": "2.8.5",
+        "crypto-js": "4.2.0",
-        "crypto-js": "^4.2.0",
+        "d3": "7.9.0",
-        "d3": "^7.9.0",
+        "drizzle-orm": "0.45.1",
-        "date-fns": "4.1.0",
+        "express": "5.2.1",
        "drizzle-orm": "0.44.7",
        "eslint": "9.39.1",
        "eslint-config-next": "16.0.3",
        "express": "5.1.0",
        "express-rate-limit": "8.2.1",
-        "glob": "11.1.0",
+        "glob": "13.0.6",
        "helmet": "8.1.0",
-        "http-errors": "2.0.0",
+        "http-errors": "2.0.1",
        "i": "^0.3.7",
        "input-otp": "1.4.2",
-        "ioredis": "5.8.2",
+        "ioredis": "5.9.3",
-        "jmespath": "^0.16.0",
+        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
-        "jsonwebtoken": "^9.0.2",
+        "jsonwebtoken": "9.0.3",
-        "lucide-react": "^0.552.0",
+        "lucide-react": "0.563.0",
-        "maxmind": "5.0.1",
+        "maxmind": "5.0.5",
        "moment": "2.30.1",
-        "next": "15.5.7",
+        "next": "15.5.12",
-        "next-intl": "^4.4.0",
+        "next-intl": "4.8.3",
        "next-themes": "0.4.6",
-        "nextjs-toploader": "^3.9.17",
+        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "node-fetch": "3.3.2",
+        "nodemailer": "8.0.1",
        "nodemailer": "7.0.10",
        "npm": "^11.6.4",
        "nprogress": "^0.2.0",
        "oslo": "1.2.1",
-        "pg": "^8.16.2",
+        "pg": "8.19.0",
-        "posthog-node": "^5.11.2",
+        "posthog-node": "5.26.0",
        "qrcode.react": "4.2.0",
-        "react": "19.2.1",
+        "react": "19.2.4",
-        "react-day-picker": "9.11.1",
+        "react-day-picker": "9.13.2",
-        "react-dom": "19.2.1",
+        "react-dom": "19.2.4",
-        "react-easy-sort": "^1.8.0",
+        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.66.0",
+        "react-hook-form": "7.71.2",
-        "react-icons": "^5.5.0",
+        "react-icons": "5.5.0",
-        "rebuild": "0.1.2",
+        "recharts": "2.15.4",
-        "recharts": "^2.15.4",
+        "reodotdev": "1.0.0",
-        "reodotdev": "^1.0.0",
+        "resend": "6.9.2",
-        "resend": "^6.4.2",
+        "semver": "7.7.4",
-        "semver": "^7.7.3",
+        "sshpk": "^1.18.0",
-        "stripe": "18.2.1",
+        "stripe": "20.3.1",
-        "swagger-ui-express": "^5.0.1",
+        "swagger-ui-express": "5.0.1",
-        "tailwind-merge": "3.3.1",
+        "tailwind-merge": "3.5.0",
-        "topojson-client": "^3.1.0",
+        "topojson-client": "3.1.0",
-        "tw-animate-css": "^1.3.8",
+        "tw-animate-css": "1.4.0",
-        "uuid": "^13.0.0",
+        "use-debounce": "^10.1.0",
        "uuid": "13.0.0",
        "vaul": "1.1.2",
-        "visionscarto-world-atlas": "^1.0.0",
+        "visionscarto-world-atlas": "1.0.0",
-        "winston": "3.18.3",
+        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.18.3",
+        "ws": "8.19.0",
-        "yaml": "^2.8.1",
+        "yaml": "2.8.2",
        "yargs": "18.0.0",
-        "zod": "4.1.12",
+        "zod": "4.3.6",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.51.1",
+        "@dotenvx/dotenvx": "1.52.0",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "4.3.2",
+        "@react-email/preview-server": "5.2.8",
-        "@tailwindcss/postcss": "^4.1.17",
+        "@tailwindcss/postcss": "4.1.18",
-        "@tanstack/react-query-devtools": "^5.90.2",
+        "@tanstack/react-query-devtools": "5.91.3",
-        "@types/better-sqlite3": "7.6.12",
+        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
-        "@types/crypto-js": "^4.2.2",
+        "@types/crypto-js": "4.2.2",
-        "@types/d3": "^7.4.3",
+        "@types/d3": "7.4.3",
-        "@types/express": "5.0.5",
+        "@types/express": "5.0.6",
-        "@types/express-session": "^1.18.2",
+        "@types/express-session": "1.18.2",
-        "@types/jmespath": "^0.15.2",
+        "@types/jmespath": "0.15.2",
        "@types/js-yaml": "4.0.9",
-        "@types/jsonwebtoken": "^9.0.10",
+        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "24.10.1",
+        "@types/node": "25.2.3",
-        "@types/nodemailer": "7.0.3",
+        "@types/nodemailer": "7.0.11",
-        "@types/nprogress": "^0.2.3",
+        "@types/nprogress": "0.2.3",
-        "@types/pg": "8.15.6",
+        "@types/pg": "8.16.0",
-        "@types/react": "19.2.2",
+        "@types/react": "19.2.14",
-        "@types/react-dom": "19.2.2",
+        "@types/react-dom": "19.2.3",
-        "@types/semver": "^7.7.1",
+        "@types/semver": "7.7.1",
-        "@types/swagger-ui-express": "^4.1.8",
+        "@types/sshpk": "^1.17.4",
-        "@types/topojson-client": "^3.1.5",
+        "@types/swagger-ui-express": "4.1.8",
        "@types/topojson-client": "3.1.5",
        "@types/ws": "8.18.1",
-        "@types/yargs": "17.0.34",
+        "@types/yargs": "17.0.35",
-        "babel-plugin-react-compiler": "^1.0.0",
+        "babel-plugin-react-compiler": "1.0.0",
-        "drizzle-kit": "0.31.6",
+        "drizzle-kit": "0.31.9",
-        "esbuild": "0.27.0",
+        "esbuild": "0.27.3",
-        "esbuild-node-externals": "1.19.1",
+        "esbuild-node-externals": "1.20.1",
-        "postcss": "^8",
+        "eslint": "9.39.2",
-        "react-email": "4.3.2",
+        "eslint-config-next": "16.1.6",
-        "tailwindcss": "^4.1.4",
+        "postcss": "8.5.6",
        "prettier": "3.8.1",
        "react-email": "5.2.8",
        "tailwindcss": "4.1.18",
        "tsc-alias": "1.8.16",
-        "tsx": "4.20.6",
+        "tsx": "4.21.0",
-        "typescript": "^5",
+        "typescript": "5.9.3",
-        "typescript-eslint": "^8.46.3"
+        "typescript-eslint": "8.55.0"
    },
    "overrides": {
        "emblor": {
            "react": "19.0.0",
            "react-dom": "19.0.0"
        }
    }
 }
--- a/postcss.config.mjs
+++ b/postcss.config.mjs
@@ -1,8 +1,8 @@
 /** @type {import('postcss-load-config').Config} */
 const config = {
    plugins: {
-        "@tailwindcss/postcss": {},
+        "@tailwindcss/postcss": {}
-    },
+    }
 };
 export default config;
--- a/src/app/favicon.ico
+++ b/src/app/favicon.ico
--- a/public/screenshots/create-resource.png
+++ b/public/screenshots/create-resource.png
--- a/public/screenshots/create-site.png
+++ b/public/screenshots/create-site.png
--- a/public/screenshots/edit-resource.png
+++ b/public/screenshots/edit-resource.png
--- a/public/screenshots/hero.png
+++ b/public/screenshots/hero.png
--- a/public/screenshots/private-resources.png
+++ b/public/screenshots/private-resources.png
--- a/public/screenshots/public-resources.png
+++ b/public/screenshots/public-resources.png
--- a/public/screenshots/resources.png
+++ b/public/screenshots/resources.png
--- a/public/screenshots/sites-fade.png
+++ b/public/screenshots/sites-fade.png
--- a/public/screenshots/sites.png
+++ b/public/screenshots/sites.png
--- a/public/screenshots/user-devices.png
+++ b/public/screenshots/user-devices.png
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -78,6 +78,10 @@ export enum ActionsEnum {
    updateSiteResource = "updateSiteResource",
    createClient = "createClient",
    deleteClient = "deleteClient",
    archiveClient = "archiveClient",
    unarchiveClient = "unarchiveClient",
    blockClient = "blockClient",
    unblockClient = "unblockClient",
    updateClient = "updateClient",
    listClients = "listClients",
    getClient = "getClient",
@@ -125,7 +129,10 @@ export enum ActionsEnum {
    getBlueprint = "getBlueprint",
    applyBlueprint = "applyBlueprint",
    viewLogs = "viewLogs",
-    exportLogs = "exportLogs"
+    exportLogs = "exportLogs",
    listApprovals = "listApprovals",
    updateApprovals = "updateApprovals",
    signSshKey = "signSshKey"
 }
 export async function checkUserActionPermission(
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -0,0 +1,45 @@
 import { db } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";
 export async function canUserAccessSiteResource({
    userId,
    resourceId,
    roleId
 }: {
    userId: string;
    resourceId: number;
    roleId: number;
 }): Promise<boolean> {
    const roleResourceAccess = await db
        .select()
        .from(roleSiteResources)
        .where(
            and(
                eq(roleSiteResources.siteResourceId, resourceId),
                eq(roleSiteResources.roleId, roleId)
            )
        )
        .limit(1);
    if (roleResourceAccess.length > 0) {
        return true;
    }
    const userResourceAccess = await db
        .select()
        .from(userSiteResources)
        .where(
            and(
                eq(userSiteResources.userId, userId),
                eq(userSiteResources.siteResourceId, resourceId)
            )
        )
        .limit(1);
    if (userResourceAccess.length > 0) {
        return true;
    }
    return false;
 }
--- a/server/auth/password.ts
+++ b/server/auth/password.ts
@@ -2,13 +2,13 @@ import { hash, verify } from "@node-rs/argon2";
 export async function verifyPassword(
    password: string,
-    hash: string,
+    hash: string
 ): Promise<boolean> {
    const validPassword = await verify(hash, password, {
        memoryCost: 19456,
        timeCost: 2,
        outputLen: 32,
-        parallelism: 1,
+        parallelism: 1
    });
    return validPassword;
 }
@@ -18,7 +18,7 @@ export async function hashPassword(password: string): Promise<string> {
        memoryCost: 19456,
        timeCost: 2,
        outputLen: 32,
-        parallelism: 1,
+        parallelism: 1
    });
    return passwordHash;
--- a/server/auth/passwordSchema.ts
+++ b/server/auth/passwordSchema.ts
@@ -4,10 +4,13 @@ export const passwordSchema = z
    .string()
    .min(8, { message: "Password must be at least 8 characters long" })
    .max(128, { message: "Password must be at most 128 characters long" })
-    .regex(/^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[~!`@#$%^&*()_\-+={}[\]|\\:;"'<>,.\/?]).*$/, {
+    .regex(
-        message: `Your password must meet the following conditions:
+        /^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[~!`@#$%^&*()_\-+={}[\]|\\:;"'<>,.\/?]).*$/,
        {
            message: `Your password must meet the following conditions:
 at least one uppercase English letter,
 at least one lowercase English letter,
 at least one digit,
 at least one special character.`
-    });
+        }
    );
--- a/server/auth/sessions/app.ts
+++ b/server/auth/sessions/app.ts
@@ -3,7 +3,14 @@ import {
    encodeHexLowerCase
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
-import { resourceSessions, Session, sessions, User, users } from "@server/db";
+import {
    resourceSessions,
    safeRead,
    Session,
    sessions,
    User,
    users
 } from "@server/db";
 import { db } from "@server/db";
 import { eq, inArray } from "drizzle-orm";
 import config from "@server/lib/config";
@@ -54,11 +61,15 @@ export async function validateSessionToken(
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
-    const result = await db
+
-        .select({ user: users, session: sessions })
+    const result = await safeRead((db) =>
-        .from(sessions)
+        db
-        .innerJoin(users, eq(sessions.userId, users.userId))
+            .select({ user: users, session: sessions })
-        .where(eq(sessions.sessionId, sessionId));
+            .from(sessions)
            .innerJoin(users, eq(sessions.userId, users.userId))
            .where(eq(sessions.sessionId, sessionId))
    );
    if (result.length < 1) {
        return { session: null, user: null };
    }
--- a/server/auth/sessions/newt.ts
+++ b/server/auth/sessions/newt.ts
@@ -1,6 +1,4 @@
-import {
+import { encodeHexLowerCase } from "@oslojs/encoding";
    encodeHexLowerCase,
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { Newt, newts, newtSessions, NewtSession } from "@server/db";
 import { db } from "@server/db";
@@ -10,25 +8,25 @@ export const EXPIRES = 1000 * 60 * 60 * 24 * 30;
 export async function createNewtSession(
    token: string,
-    newtId: string,
+    newtId: string
 ): Promise<NewtSession> {
    const sessionId = encodeHexLowerCase(
-        sha256(new TextEncoder().encode(token)),
+        sha256(new TextEncoder().encode(token))
    );
    const session: NewtSession = {
        sessionId: sessionId,
        newtId,
-        expiresAt: new Date(Date.now() + EXPIRES).getTime(),
+        expiresAt: new Date(Date.now() + EXPIRES).getTime()
    };
    await db.insert(newtSessions).values(session);
    return session;
 }
 export async function validateNewtSessionToken(
-    token: string,
+    token: string
 ): Promise<SessionValidationResult> {
    const sessionId = encodeHexLowerCase(
-        sha256(new TextEncoder().encode(token)),
+        sha256(new TextEncoder().encode(token))
    );
    const result = await db
        .select({ newt: newts, session: newtSessions })
@@ -45,14 +43,12 @@ export async function validateNewtSessionToken(
            .where(eq(newtSessions.sessionId, session.sessionId));
        return { session: null, newt: null };
    }
-    if (Date.now() >= session.expiresAt - (EXPIRES / 2)) {
+    if (Date.now() >= session.expiresAt - EXPIRES / 2) {
-        session.expiresAt = new Date(
+        session.expiresAt = new Date(Date.now() + EXPIRES).getTime();
            Date.now() + EXPIRES,
        ).getTime();
        await db
            .update(newtSessions)
            .set({
-                expiresAt: session.expiresAt,
+                expiresAt: session.expiresAt
            })
            .where(eq(newtSessions.sessionId, session.sessionId));
    }
--- a/server/auth/sessions/olm.ts
+++ b/server/auth/sessions/olm.ts
@@ -1,6 +1,4 @@
-import {
+import { encodeHexLowerCase } from "@oslojs/encoding";
    encodeHexLowerCase,
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { Olm, olms, olmSessions, OlmSession } from "@server/db";
 import { db } from "@server/db";
@@ -10,25 +8,25 @@ export const EXPIRES = 1000 * 60 * 60 * 24 * 30;
 export async function createOlmSession(
    token: string,
-    olmId: string,
+    olmId: string
 ): Promise<OlmSession> {
    const sessionId = encodeHexLowerCase(
-        sha256(new TextEncoder().encode(token)),
+        sha256(new TextEncoder().encode(token))
    );
    const session: OlmSession = {
        sessionId: sessionId,
        olmId,
-        expiresAt: new Date(Date.now() + EXPIRES).getTime(),
+        expiresAt: new Date(Date.now() + EXPIRES).getTime()
    };
    await db.insert(olmSessions).values(session);
    return session;
 }
 export async function validateOlmSessionToken(
-    token: string,
+    token: string
 ): Promise<SessionValidationResult> {
    const sessionId = encodeHexLowerCase(
-        sha256(new TextEncoder().encode(token)),
+        sha256(new TextEncoder().encode(token))
    );
    const result = await db
        .select({ olm: olms, session: olmSessions })
@@ -45,14 +43,12 @@ export async function validateOlmSessionToken(
            .where(eq(olmSessions.sessionId, session.sessionId));
        return { session: null, olm: null };
    }
-    if (Date.now() >= session.expiresAt - (EXPIRES / 2)) {
+    if (Date.now() >= session.expiresAt - EXPIRES / 2) {
-        session.expiresAt = new Date(
+        session.expiresAt = new Date(Date.now() + EXPIRES).getTime();
            Date.now() + EXPIRES,
        ).getTime();
        await db
            .update(olmSessions)
            .set({
-                expiresAt: session.expiresAt,
+                expiresAt: session.expiresAt
            })
            .where(eq(olmSessions.sessionId, session.sessionId));
    }
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -1,7 +1,7 @@
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { resourceSessions, ResourceSession } from "@server/db";
-import { db } from "@server/db";
+import { db, safeRead } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
@@ -66,15 +66,17 @@ export async function validateResourceSessionToken(
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
-    const result = await db
+    const result = await safeRead((db) =>
-        .select()
+        db
-        .from(resourceSessions)
+            .select()
-        .where(
+            .from(resourceSessions)
-            and(
+            .where(
-                eq(resourceSessions.sessionId, sessionId),
+                and(
-                eq(resourceSessions.resourceId, resourceId)
+                    eq(resourceSessions.sessionId, sessionId),
                    eq(resourceSessions.resourceId, resourceId)
                )
            )
-        );
+    );
    if (result.length < 1) {
        return { resourceSession: null };
@@ -85,7 +87,7 @@ export async function validateResourceSessionToken(
    if (Date.now() >= resourceSession.expiresAt) {
        await db
            .delete(resourceSessions)
-            .where(eq(resourceSessions.sessionId, resourceSessions.sessionId));
+            .where(eq(resourceSessions.sessionId, sessionId));
        return { resourceSession: null };
    } else if (
        Date.now() >=
@@ -179,7 +181,7 @@ export function serializeResourceSessionCookie(
        return `${cookieName}_s.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Secure; Domain=${domain}`;
    } else {
        if (expiresAt === undefined) {
-            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=$domain}`;
+            return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Path=/; Domain=${domain}`;
        }
        return `${cookieName}.${now}=${token}; HttpOnly; SameSite=Lax; Expires=${expiresAt.toUTCString()}; Path=/; Domain=${domain}`;
    }
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,4 +1,4 @@
-import { cleanup as wsCleanup } from "@server/routers/ws";
+import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 async function cleanup() {
    await wsCleanup();
--- a/server/db/README.md
+++ b/server/db/README.md
@@ -56,15 +56,15 @@ Ensure drizzle-kit is installed.
 You must have a connection string in your config file, as shown above.
 ```bash
-npm run db:pg:generate
+npm run db:generate
-npm run db:pg:push
+npm run db:push
 ```
 ### SQLite
 ```bash
-npm run db:sqlite:generate
+npm run db:generate
-npm run db:sqlite:push
+npm run db:push
 ```
 ## Build Time
--- a/server/db/asns.ts
+++ b/server/db/asns.ts
@@ -0,0 +1,321 @@
 // Curated list of major ASNs (Cloud Providers, CDNs, ISPs, etc.)
 // This is not exhaustive - there are 100,000+ ASNs globally
 // Users can still enter any ASN manually in the input field
 export const MAJOR_ASNS = [
    {
        name: "ALL ASNs",
        code: "ALL",
        asn: 0 // Special value that will match all
    },
    // Major Cloud Providers
    {
        name: "Google LLC",
        code: "AS15169",
        asn: 15169
    },
    {
        name: "Amazon AWS",
        code: "AS16509",
        asn: 16509
    },
    {
        name: "Amazon AWS (EC2)",
        code: "AS14618",
        asn: 14618
    },
    {
        name: "Microsoft Azure",
        code: "AS8075",
        asn: 8075
    },
    {
        name: "Microsoft Corporation",
        code: "AS8068",
        asn: 8068
    },
    {
        name: "DigitalOcean",
        code: "AS14061",
        asn: 14061
    },
    {
        name: "Linode",
        code: "AS63949",
        asn: 63949
    },
    {
        name: "Hetzner Online",
        code: "AS24940",
        asn: 24940
    },
    {
        name: "OVH SAS",
        code: "AS16276",
        asn: 16276
    },
    {
        name: "Oracle Cloud",
        code: "AS31898",
        asn: 31898
    },
    {
        name: "Alibaba Cloud",
        code: "AS45102",
        asn: 45102
    },
    {
        name: "IBM Cloud",
        code: "AS36351",
        asn: 36351
    },
    // CDNs
    {
        name: "Cloudflare",
        code: "AS13335",
        asn: 13335
    },
    {
        name: "Fastly",
        code: "AS54113",
        asn: 54113
    },
    {
        name: "Akamai Technologies",
        code: "AS20940",
        asn: 20940
    },
    {
        name: "Akamai (Primary)",
        code: "AS16625",
        asn: 16625
    },
    // Mobile Carriers - US
    {
        name: "T-Mobile USA",
        code: "AS21928",
        asn: 21928
    },
    {
        name: "Verizon Wireless",
        code: "AS6167",
        asn: 6167
    },
    {
        name: "AT&T Mobility",
        code: "AS20057",
        asn: 20057
    },
    {
        name: "Sprint (T-Mobile)",
        code: "AS1239",
        asn: 1239
    },
    {
        name: "US Cellular",
        code: "AS6430",
        asn: 6430
    },
    // Mobile Carriers - Europe
    {
        name: "Vodafone UK",
        code: "AS25135",
        asn: 25135
    },
    {
        name: "EE (UK)",
        code: "AS12576",
        asn: 12576
    },
    {
        name: "Three UK",
        code: "AS29194",
        asn: 29194
    },
    {
        name: "O2 UK",
        code: "AS13285",
        asn: 13285
    },
    {
        name: "Telefonica Spain Mobile",
        code: "AS12430",
        asn: 12430
    },
    // Mobile Carriers - Asia
    {
        name: "NTT DoCoMo (Japan)",
        code: "AS9605",
        asn: 9605
    },
    {
        name: "SoftBank Mobile (Japan)",
        code: "AS17676",
        asn: 17676
    },
    {
        name: "SK Telecom (Korea)",
        code: "AS9318",
        asn: 9318
    },
    {
        name: "KT Corporation Mobile (Korea)",
        code: "AS4766",
        asn: 4766
    },
    {
        name: "Airtel India",
        code: "AS24560",
        asn: 24560
    },
    {
        name: "China Mobile",
        code: "AS9808",
        asn: 9808
    },
    // Major US ISPs
    {
        name: "AT&T Services",
        code: "AS7018",
        asn: 7018
    },
    {
        name: "Comcast Cable",
        code: "AS7922",
        asn: 7922
    },
    {
        name: "Verizon",
        code: "AS701",
        asn: 701
    },
    {
        name: "Cox Communications",
        code: "AS22773",
        asn: 22773
    },
    {
        name: "Charter Communications",
        code: "AS20115",
        asn: 20115
    },
    {
        name: "CenturyLink",
        code: "AS209",
        asn: 209
    },
    // Major European ISPs
    {
        name: "Deutsche Telekom",
        code: "AS3320",
        asn: 3320
    },
    {
        name: "Vodafone",
        code: "AS1273",
        asn: 1273
    },
    {
        name: "British Telecom",
        code: "AS2856",
        asn: 2856
    },
    {
        name: "Orange",
        code: "AS3215",
        asn: 3215
    },
    {
        name: "Telefonica",
        code: "AS12956",
        asn: 12956
    },
    // Major Asian ISPs
    {
        name: "China Telecom",
        code: "AS4134",
        asn: 4134
    },
    {
        name: "China Unicom",
        code: "AS4837",
        asn: 4837
    },
    {
        name: "NTT Communications",
        code: "AS2914",
        asn: 2914
    },
    {
        name: "KDDI Corporation",
        code: "AS2516",
        asn: 2516
    },
    {
        name: "Reliance Jio (India)",
        code: "AS55836",
        asn: 55836
    },
    // VPN/Proxy Providers
    {
        name: "Private Internet Access",
        code: "AS46562",
        asn: 46562
    },
    {
        name: "NordVPN",
        code: "AS202425",
        asn: 202425
    },
    {
        name: "Mullvad VPN",
        code: "AS213281",
        asn: 213281
    },
    // Social Media / Major Tech
    {
        name: "Facebook/Meta",
        code: "AS32934",
        asn: 32934
    },
    {
        name: "Twitter/X",
        code: "AS13414",
        asn: 13414
    },
    {
        name: "Apple",
        code: "AS714",
        asn: 714
    },
    {
        name: "Netflix",
        code: "AS2906",
        asn: 2906
    },
    // Academic/Research
    {
        name: "MIT",
        code: "AS3",
        asn: 3
    },
    {
        name: "Stanford University",
        code: "AS32",
        asn: 32
    },
    {
        name: "CERN",
        code: "AS513",
        asn: 513
    }
 ];
--- a/server/db/countries.ts
+++ b/server/db/countries.ts
--- a/server/db/ios_models.json
+++ b/server/db/ios_models.json
@@ -0,0 +1,150 @@
 {
  "iPad1,1": "iPad",
  "iPad2,1": "iPad 2",
  "iPad2,2": "iPad 2",
  "iPad2,3": "iPad 2",
  "iPad2,4": "iPad 2",
  "iPad3,1": "iPad 3rd Gen",
  "iPad3,3": "iPad 3rd Gen",
  "iPad3,2": "iPad 3rd Gen",
  "iPad3,4": "iPad 4th Gen",
  "iPad3,5": "iPad 4th Gen",
  "iPad3,6": "iPad 4th Gen",
  "iPad6,11": "iPad 9.7 5th Gen",
  "iPad6,12": "iPad 9.7 5th Gen",
  "iPad7,5": "iPad 9.7 6th Gen",
  "iPad7,6": "iPad 9.7 6th Gen",
  "iPad7,11": "iPad 10.2 7th Gen",
  "iPad7,12": "iPad 10.2 7th Gen",
  "iPad11,6": "iPad 10.2 8th Gen",
  "iPad11,7": "iPad 10.2 8th Gen",
  "iPad12,1": "iPad 10.2 9th Gen",
  "iPad12,2": "iPad 10.2 9th Gen",
  "iPad13,18": "iPad 10.9 10th Gen",
  "iPad13,19": "iPad 10.9 10th Gen",
  "iPad4,1": "iPad Air",
  "iPad4,2": "iPad Air",
  "iPad4,3": "iPad Air",
  "iPad5,3": "iPad Air 2",
  "iPad5,4": "iPad Air 2",
  "iPad11,3": "iPad Air 3rd Gen",
  "iPad11,4": "iPad Air 3rd Gen",
  "iPad13,1": "iPad Air 4th Gen",
  "iPad13,2": "iPad Air 4th Gen",
  "iPad13,16": "iPad Air 5th Gen",
  "iPad13,17": "iPad Air 5th Gen",
  "iPad14,8": "iPad Air M2 11",
  "iPad14,9": "iPad Air M2 11",
  "iPad14,10": "iPad Air M2 13",
  "iPad14,11": "iPad Air M2 13",
  "iPad2,5": "iPad mini",
  "iPad2,6": "iPad mini",
  "iPad2,7": "iPad mini",
  "iPad4,4": "iPad mini 2",
  "iPad4,5": "iPad mini 2",
  "iPad4,6": "iPad mini 2",
  "iPad4,7": "iPad mini 3",
  "iPad4,8": "iPad mini 3",
  "iPad4,9": "iPad mini 3",
  "iPad5,1": "iPad mini 4",
  "iPad5,2": "iPad mini 4",
  "iPad11,1": "iPad mini 5th Gen",
  "iPad11,2": "iPad mini 5th Gen",
  "iPad14,1": "iPad mini 6th Gen",
  "iPad14,2": "iPad mini 6th Gen",
  "iPad6,7": "iPad Pro 12.9",
  "iPad6,8": "iPad Pro 12.9",
  "iPad6,3": "iPad Pro 9.7",
  "iPad6,4": "iPad Pro 9.7",
  "iPad7,3": "iPad Pro 10.5",
  "iPad7,4": "iPad Pro 10.5",
  "iPad7,1": "iPad Pro 12.9",
  "iPad7,2": "iPad Pro 12.9",
  "iPad8,1": "iPad Pro 11",
  "iPad8,2": "iPad Pro 11",
  "iPad8,3": "iPad Pro 11",
  "iPad8,4": "iPad Pro 11",
  "iPad8,5": "iPad Pro 12.9",
  "iPad8,6": "iPad Pro 12.9",
  "iPad8,7": "iPad Pro 12.9",
  "iPad8,8": "iPad Pro 12.9",
  "iPad8,9": "iPad Pro 11",
  "iPad8,10": "iPad Pro 11",
  "iPad8,11": "iPad Pro 12.9",
  "iPad8,12": "iPad Pro 12.9",
  "iPad13,4": "iPad Pro 11",
  "iPad13,5": "iPad Pro 11",
  "iPad13,6": "iPad Pro 11",
  "iPad13,7": "iPad Pro 11",
  "iPad13,8": "iPad Pro 12.9",
  "iPad13,9": "iPad Pro 12.9",
  "iPad13,10": "iPad Pro 12.9",
  "iPad13,11": "iPad Pro 12.9",
  "iPad14,3": "iPad Pro 11",
  "iPad14,4": "iPad Pro 11",
  "iPad14,5": "iPad Pro 12.9",
  "iPad14,6": "iPad Pro 12.9",
  "iPad16,3": "iPad Pro M4 11",
  "iPad16,4": "iPad Pro M4 11",
  "iPad16,5": "iPad Pro M4 13",
  "iPad16,6": "iPad Pro M4 13",
  "iPhone1,1": "iPhone",
  "iPhone1,2": "iPhone 3G",
  "iPhone2,1": "iPhone 3GS",
  "iPhone3,1": "iPhone 4",
  "iPhone3,2": "iPhone 4",
  "iPhone3,3": "iPhone 4",
  "iPhone4,1": "iPhone 4S",
  "iPhone5,1": "iPhone 5",
  "iPhone5,2": "iPhone 5",
  "iPhone5,3": "iPhone 5c",
  "iPhone5,4": "iPhone 5c",
  "iPhone6,1": "iPhone 5s",
  "iPhone6,2": "iPhone 5s",
  "iPhone7,2": "iPhone 6",
  "iPhone7,1": "iPhone 6 Plus",
  "iPhone8,1": "iPhone 6s",
  "iPhone8,2": "iPhone 6s Plus",
  "iPhone8,4": "iPhone SE",
  "iPhone9,1": "iPhone 7",
  "iPhone9,3": "iPhone 7",
  "iPhone9,2": "iPhone 7 Plus",
  "iPhone9,4": "iPhone 7 Plus",
  "iPhone10,1": "iPhone 8",
  "iPhone10,4": "iPhone 8",
  "iPhone10,2": "iPhone 8 Plus",
  "iPhone10,5": "iPhone 8 Plus",
  "iPhone10,3": "iPhone X",
  "iPhone10,6": "iPhone X",
  "iPhone11,2": "iPhone Xs",
  "iPhone11,6": "iPhone Xs Max",
  "iPhone11,8": "iPhone XR",
  "iPhone12,1": "iPhone 11",
  "iPhone12,3": "iPhone 11 Pro",
  "iPhone12,5": "iPhone 11 Pro Max",
  "iPhone12,8": "iPhone SE",
  "iPhone13,1": "iPhone 12 mini",
  "iPhone13,2": "iPhone 12",
  "iPhone13,3": "iPhone 12 Pro",
  "iPhone13,4": "iPhone 12 Pro Max",
  "iPhone14,4": "iPhone 13 mini",
  "iPhone14,5": "iPhone 13",
  "iPhone14,2": "iPhone 13 Pro",
  "iPhone14,3": "iPhone 13 Pro Max",
  "iPhone14,6": "iPhone SE",
  "iPhone14,7": "iPhone 14",
  "iPhone14,8": "iPhone 14 Plus",
  "iPhone15,2": "iPhone 14 Pro",
  "iPhone15,3": "iPhone 14 Pro Max",
  "iPhone15,4": "iPhone 15",
  "iPhone15,5": "iPhone 15 Plus",
  "iPhone16,1": "iPhone 15 Pro",
  "iPhone16,2": "iPhone 15 Pro Max",
  "iPod1,1": "iPod touch Original",
  "iPod2,1": "iPod touch 2nd",
  "iPod3,1": "iPod touch 3rd Gen",
  "iPod4,1": "iPod touch 4th",
  "iPod5,1": "iPod touch 5th",
  "iPod7,1": "iPod touch 6th Gen",
  "iPod9,1": "iPod touch 7th Gen"
 }
--- a/server/db/mac_models.json
+++ b/server/db/mac_models.json
@@ -0,0 +1,201 @@
 {
  "PowerMac4,4": "eMac",
  "PowerMac6,4": "eMac",
  "PowerBook2,1": "iBook",
  "PowerBook2,2": "iBook",
  "PowerBook4,1": "iBook",
  "PowerBook4,2": "iBook",
  "PowerBook4,3": "iBook",
  "PowerBook6,3": "iBook",
  "PowerBook6,5": "iBook",
  "PowerBook6,7": "iBook",
  "iMac,1": "iMac",
  "PowerMac2,1": "iMac",
  "PowerMac2,2": "iMac",
  "PowerMac4,1": "iMac",
  "PowerMac4,2": "iMac",
  "PowerMac4,5": "iMac",
  "PowerMac6,1": "iMac",
  "PowerMac6,3*": "iMac",
  "PowerMac6,3": "iMac",
  "PowerMac8,1": "iMac",
  "PowerMac8,2": "iMac",
  "PowerMac12,1": "iMac",
  "iMac4,1": "iMac",
  "iMac4,2": "iMac",
  "iMac5,2": "iMac",
  "iMac5,1": "iMac",
  "iMac6,1": "iMac",
  "iMac7,1": "iMac",
  "iMac8,1": "iMac",
  "iMac9,1": "iMac",
  "iMac10,1": "iMac",
  "iMac11,1": "iMac",
  "iMac11,2": "iMac",
  "iMac11,3": "iMac",
  "iMac12,1": "iMac",
  "iMac12,2": "iMac",
  "iMac13,1": "iMac",
  "iMac13,2": "iMac",
  "iMac14,1": "iMac",
  "iMac14,3": "iMac",
  "iMac14,2": "iMac",
  "iMac14,4": "iMac",
  "iMac15,1": "iMac",
  "iMac16,1": "iMac",
  "iMac16,2": "iMac",
  "iMac17,1": "iMac",
  "iMac18,1": "iMac",
  "iMac18,2": "iMac",
  "iMac18,3": "iMac",
  "iMac19,2": "iMac",
  "iMac19,1": "iMac",
  "iMac20,1": "iMac",
  "iMac20,2": "iMac",
  "iMac21,2": "iMac",
  "iMac21,1": "iMac",
  "iMacPro1,1": "iMac Pro",
  "PowerMac10,1": "Mac mini",
  "PowerMac10,2": "Mac mini",
  "Macmini1,1": "Mac mini",
  "Macmini2,1": "Mac mini",
  "Macmini3,1": "Mac mini",
  "Macmini4,1": "Mac mini",
  "Macmini5,1": "Mac mini",
  "Macmini5,2": "Mac mini",
  "Macmini5,3": "Mac mini",
  "Macmini6,1": "Mac mini",
  "Macmini6,2": "Mac mini",
  "Macmini7,1": "Mac mini",
  "Macmini8,1": "Mac mini",
  "ADP3,2": "Mac mini",
  "Macmini9,1": "Mac mini",
  "Mac14,3": "Mac mini",
  "Mac14,12": "Mac mini",
  "MacPro1,1*": "Mac Pro",
  "MacPro2,1": "Mac Pro",
  "MacPro3,1": "Mac Pro",
  "MacPro4,1": "Mac Pro",
  "MacPro5,1": "Mac Pro",
  "MacPro6,1": "Mac Pro",
  "MacPro7,1": "Mac Pro",
  "N/A*": "Power Macintosh",
  "PowerMac1,1": "Power Macintosh",
  "PowerMac3,1": "Power Macintosh",
  "PowerMac3,3": "Power Macintosh",
  "PowerMac3,4": "Power Macintosh",
  "PowerMac3,5": "Power Macintosh",
  "PowerMac3,6": "Power Macintosh",
  "Mac13,1": "Mac Studio",
  "Mac13,2": "Mac Studio",
  "MacBook1,1": "MacBook",
  "MacBook2,1": "MacBook",
  "MacBook3,1": "MacBook",
  "MacBook4,1": "MacBook",
  "MacBook5,1": "MacBook",
  "MacBook5,2": "MacBook",
  "MacBook6,1": "MacBook",
  "MacBook7,1": "MacBook",
  "MacBook8,1": "MacBook",
  "MacBook9,1": "MacBook",
  "MacBook10,1": "MacBook",
  "MacBookAir1,1": "MacBook Air",
  "MacBookAir2,1": "MacBook Air",
  "MacBookAir3,1": "MacBook Air",
  "MacBookAir3,2": "MacBook Air",
  "MacBookAir4,1": "MacBook Air",
  "MacBookAir4,2": "MacBook Air",
  "MacBookAir5,1": "MacBook Air",
  "MacBookAir5,2": "MacBook Air",
  "MacBookAir6,1": "MacBook Air",
  "MacBookAir6,2": "MacBook Air",
  "MacBookAir7,1": "MacBook Air",
  "MacBookAir7,2": "MacBook Air",
  "MacBookAir8,1": "MacBook Air",
  "MacBookAir8,2": "MacBook Air",
  "MacBookAir9,1": "MacBook Air",
  "MacBookAir10,1": "MacBook Air",
  "Mac14,2": "MacBook Air",
  "MacBookPro1,1": "MacBook Pro",
  "MacBookPro1,2": "MacBook Pro",
  "MacBookPro2,2": "MacBook Pro",
  "MacBookPro2,1": "MacBook Pro",
  "MacBookPro3,1": "MacBook Pro",
  "MacBookPro4,1": "MacBook Pro",
  "MacBookPro5,1": "MacBook Pro",
  "MacBookPro5,2": "MacBook Pro",
  "MacBookPro5,5": "MacBook Pro",
  "MacBookPro5,4": "MacBook Pro",
  "MacBookPro5,3": "MacBook Pro",
  "MacBookPro7,1": "MacBook Pro",
  "MacBookPro6,2": "MacBook Pro",
  "MacBookPro6,1": "MacBook Pro",
  "MacBookPro8,1": "MacBook Pro",
  "MacBookPro8,2": "MacBook Pro",
  "MacBookPro8,3": "MacBook Pro",
  "MacBookPro9,2": "MacBook Pro",
  "MacBookPro9,1": "MacBook Pro",
  "MacBookPro10,1": "MacBook Pro",
  "MacBookPro10,2": "MacBook Pro",
  "MacBookPro11,1": "MacBook Pro",
  "MacBookPro11,2": "MacBook Pro",
  "MacBookPro11,3": "MacBook Pro",
  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro11,4": "MacBook Pro",
  "MacBookPro11,5": "MacBook Pro",
  "MacBookPro13,1": "MacBook Pro",
  "MacBookPro13,2": "MacBook Pro",
  "MacBookPro13,3": "MacBook Pro",
  "MacBookPro14,1": "MacBook Pro",
  "MacBookPro14,2": "MacBook Pro",
  "MacBookPro14,3": "MacBook Pro",
  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,1": "MacBook Pro",
  "MacBookPro15,3": "MacBook Pro",
  "MacBookPro15,4": "MacBook Pro",
  "MacBookPro16,1": "MacBook Pro",
  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,2": "MacBook Pro",
  "MacBookPro16,4": "MacBook Pro",
  "MacBookPro17,1": "MacBook Pro",
  "MacBookPro18,3": "MacBook Pro",
  "MacBookPro18,4": "MacBook Pro",
  "MacBookPro18,1": "MacBook Pro",
  "MacBookPro18,2": "MacBook Pro",
  "Mac14,7": "MacBook Pro",
  "Mac14,9": "MacBook Pro",
  "Mac14,5": "MacBook Pro",
  "Mac14,10": "MacBook Pro",
  "Mac14,6": "MacBook Pro",
  "PowerMac1,2": "Power Macintosh",
  "PowerMac5,1": "Power Macintosh",
  "PowerMac7,2": "Power Macintosh",
  "PowerMac7,3": "Power Macintosh",
  "PowerMac9,1": "Power Macintosh",
  "PowerMac11,2": "Power Macintosh",
  "PowerBook1,1": "PowerBook",
  "PowerBook3,1": "PowerBook",
  "PowerBook3,2": "PowerBook",
  "PowerBook3,3": "PowerBook",
  "PowerBook3,4": "PowerBook",
  "PowerBook3,5": "PowerBook",
  "PowerBook6,1": "PowerBook",
  "PowerBook5,1": "PowerBook",
  "PowerBook6,2": "PowerBook",
  "PowerBook5,2": "PowerBook",
  "PowerBook5,3": "PowerBook",
  "PowerBook6,4": "PowerBook",
  "PowerBook5,4": "PowerBook",
  "PowerBook5,5": "PowerBook",
  "PowerBook6,8": "PowerBook",
  "PowerBook5,6": "PowerBook",
  "PowerBook5,7": "PowerBook",
  "PowerBook5,8": "PowerBook",
  "PowerBook5,9": "PowerBook",
  "RackMac1,1": "Xserve",
  "RackMac1,2": "Xserve",
  "RackMac3,1": "Xserve",
  "Xserve1,1": "Xserve",
  "Xserve2,1": "Xserve",
  "Xserve3,1": "Xserve"
 }
--- a/server/db/maxmindAsn.ts
+++ b/server/db/maxmindAsn.ts
@@ -0,0 +1,13 @@
 import maxmind, { AsnResponse, Reader } from "maxmind";
 import config from "@server/lib/config";
 let maxmindAsnLookup: Reader<AsnResponse> | null;
 if (config.getRawConfig().server.maxmind_asn_path) {
    maxmindAsnLookup = await maxmind.open<AsnResponse>(
        config.getRawConfig().server.maxmind_asn_path!
    );
 } else {
    maxmindAsnLookup = null;
 }
 export { maxmindAsnLookup };
--- a/server/db/migrate.ts
+++ b/server/db/migrate.ts
@@ -0,0 +1,3 @@
 import { runMigrations } from "./";
 await runMigrations();
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -1,6 +1,7 @@
 import { join } from "path";
 import { readFileSync } from "fs";
-import { db, resources, siteResources } from "@server/db";
+import { clients, db, resources, siteResources } from "@server/db";
 import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import { __DIRNAME } from "@server/lib/consts";
@@ -15,6 +16,43 @@ if (!dev) {
 }
 export const names = JSON.parse(readFileSync(file, "utf-8"));
 // Load iOS and Mac model mappings
 let iosModelsFile: string;
 let macModelsFile: string;
 if (!dev) {
    iosModelsFile = join(__DIRNAME, "ios_models.json");
    macModelsFile = join(__DIRNAME, "mac_models.json");
 } else {
    iosModelsFile = join("server/db/ios_models.json");
    macModelsFile = join("server/db/mac_models.json");
 }
 const iosModels: Record<string, string> = JSON.parse(
    readFileSync(iosModelsFile, "utf-8")
 );
 const macModels: Record<string, string> = JSON.parse(
    readFileSync(macModelsFile, "utf-8")
 );
 export async function getUniqueClientName(orgId: string): Promise<string> {
    let loops = 0;
    while (true) {
        if (loops > 100) {
            throw new Error("Could not generate a unique name");
        }
        const name = generateName();
        const count = await db
            .select({ niceId: clients.niceId, orgId: clients.orgId })
            .from(clients)
            .where(and(eq(clients.niceId, name), eq(clients.orgId, orgId)));
        if (count.length === 0) {
            return name;
        }
        loops++;
    }
 }
 export async function getUniqueSiteName(orgId: string): Promise<string> {
    let loops = 0;
    while (true) {
@@ -46,11 +84,21 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
            db
                .select({ niceId: resources.niceId, orgId: resources.orgId })
                .from(resources)
-                .where(and(eq(resources.niceId, name), eq(resources.orgId, orgId))),
+                .where(
                    and(eq(resources.niceId, name), eq(resources.orgId, orgId))
                ),
            db
-                .select({ niceId: siteResources.niceId, orgId: siteResources.orgId })
+                .select({
                    niceId: siteResources.niceId,
                    orgId: siteResources.orgId
                })
                .from(siteResources)
-                .where(and(eq(siteResources.niceId, name), eq(siteResources.orgId, orgId)))
+                .where(
                    and(
                        eq(siteResources.niceId, name),
                        eq(siteResources.orgId, orgId)
                    )
                )
        ]);
        if (resourceCount.length === 0 && siteResourceCount.length === 0) {
            return name;
@@ -59,7 +107,9 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
    }
 }
-export async function getUniqueSiteResourceName(orgId: string): Promise<string> {
+export async function getUniqueSiteResourceName(
    orgId: string
 ): Promise<string> {
    let loops = 0;
    while (true) {
        if (loops > 100) {
@@ -71,11 +121,21 @@ export async function getUniqueSiteResourceName(orgId: string): Promise<string>
            db
                .select({ niceId: resources.niceId, orgId: resources.orgId })
                .from(resources)
-                .where(and(eq(resources.niceId, name), eq(resources.orgId, orgId))),
+                .where(
                    and(eq(resources.niceId, name), eq(resources.orgId, orgId))
                ),
            db
-                .select({ niceId: siteResources.niceId, orgId: siteResources.orgId })
+                .select({
                    niceId: siteResources.niceId,
                    orgId: siteResources.orgId
                })
                .from(siteResources)
-                .where(and(eq(siteResources.niceId, name), eq(siteResources.orgId, orgId)))
+                .where(
                    and(
                        eq(siteResources.niceId, name),
                        eq(siteResources.orgId, orgId)
                    )
                )
        ]);
        if (resourceCount.length === 0 && siteResourceCount.length === 0) {
            return name;
@@ -86,9 +146,7 @@ export async function getUniqueSiteResourceName(orgId: string): Promise<string>
 export async function getUniqueExitNodeEndpointName(): Promise<string> {
    let loops = 0;
-    const count = await db
+    const count = await db.select().from(exitNodes);
        .select()
        .from(exitNodes);
    while (true) {
        if (loops > 100) {
            throw new Error("Could not generate a unique name");
@@ -107,14 +165,11 @@ export async function getUniqueExitNodeEndpointName(): Promise<string> {
    }
 }
 export function generateName(): string {
    const name = (
-        names.descriptors[
+        names.descriptors[randomInt(names.descriptors.length)] +
            Math.floor(Math.random() * names.descriptors.length)
        ] +
        "-" +
-        names.animals[Math.floor(Math.random() * names.animals.length)]
+        names.animals[randomInt(names.animals.length)]
    )
        .toLowerCase()
        .replace(/\s/g, "-");
@@ -122,3 +177,29 @@ export function generateName(): string {
    // clean out any non-alphanumeric characters except for dashes
    return name.replace(/[^a-z0-9-]/g, "");
 }
 export function getMacDeviceName(macIdentifier?: string | null): string | null {
    if (macIdentifier && macModels[macIdentifier]) {
        return macModels[macIdentifier];
    }
    return null;
 }
 export function getIosDeviceName(iosIdentifier?: string | null): string | null {
    if (iosIdentifier && iosModels[iosIdentifier]) {
        return iosModels[iosIdentifier];
    }
    return null;
 }
 export function getUserDeviceName(
    model: string | null,
    fallBack: string | null
 ): string {
    return (
        getMacDeviceName(model) ||
        getIosDeviceName(model) ||
        fallBack ||
        "Unknown Device"
    );
 }
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -6,28 +6,28 @@ import { withReplicas } from "drizzle-orm/pg-core";
 function createDb() {
    const config = readConfigFile();
-    if (!config.postgres) {
+    // check the environment variables for postgres config first before the config file
-        // check the environment variables for postgres config
+    if (process.env.POSTGRES_CONNECTION_STRING) {
-        if (process.env.POSTGRES_CONNECTION_STRING) {
+        config.postgres = {
-            config.postgres = {
+            connection_string: process.env.POSTGRES_CONNECTION_STRING
-                connection_string: process.env.POSTGRES_CONNECTION_STRING
+        };
-            };
+        if (process.env.POSTGRES_REPLICA_CONNECTION_STRINGS) {
-            if (process.env.POSTGRES_REPLICA_CONNECTION_STRINGS) {
+            const replicas =
-                const replicas =
+                process.env.POSTGRES_REPLICA_CONNECTION_STRINGS.split(",").map(
-                    process.env.POSTGRES_REPLICA_CONNECTION_STRINGS.split(
+                    (conn) => ({
                        ","
                    ).map((conn) => ({
                        connection_string: conn.trim()
-                    }));
+                    })
-                config.postgres.replicas = replicas;
+                );
-            }
+            config.postgres.replicas = replicas;
        } else {
            throw new Error(
                "Postgres configuration is missing in the configuration file."
            );
        }
    }
    if (!config.postgres) {
        throw new Error(
            "Postgres configuration is missing in the configuration file."
        );
    }
    const connectionString = config.postgres?.connection_string;
    const replicaConnections = config.postgres?.replicas || [];
@@ -51,7 +51,7 @@ function createDb() {
    if (!replicaConnections.length) {
        replicas.push(
            DrizzlePostgres(primaryPool, {
-                logger: process.env.NODE_ENV === "development"
+                logger: process.env.QUERY_LOGGING == "true"
            })
        );
    } else {
@@ -65,7 +65,7 @@ function createDb() {
            });
            replicas.push(
                DrizzlePostgres(replicaPool, {
-                    logger: process.env.NODE_ENV === "development"
+                    logger: process.env.QUERY_LOGGING == "true"
                })
            );
        }
@@ -73,7 +73,7 @@ function createDb() {
    return withReplicas(
        DrizzlePostgres(primaryPool, {
-            logger: process.env.QUERY_LOGGING === "true"
+            logger: process.env.QUERY_LOGGING == "true"
        }),
        replicas as any
    );
@@ -81,6 +81,7 @@ function createDb() {
 export const db = createDb();
 export default db;
 export const primaryDb = db.$primary;
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
--- a/server/db/pg/index.ts
+++ b/server/db/pg/index.ts
@@ -1,3 +1,6 @@
 export * from "./driver";
 export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
 export * from "./migrate";
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -0,0 +1,87 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
 function createLogsDb() {
    // Only use separate logs database in SaaS builds
    if (build !== "saas") {
        return mainDb;
    }
    const config = readConfigFile();
    // Merge configs, prioritizing private config
    const logsConfig = config.postgres_logs;
    // Check environment variable first
    let connectionString = process.env.POSTGRES_LOGS_CONNECTION_STRING;
    let replicaConnections: Array<{ connection_string: string }> = [];
    if (!connectionString && logsConfig) {
        connectionString = logsConfig.connection_string;
        replicaConnections = logsConfig.replicas || [];
    }
    // If POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS is set, use it
    if (process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS) {
        replicaConnections =
            process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS.split(",").map(
                (conn) => ({
                    connection_string: conn.trim()
                })
            );
    }
    // If no logs database is configured, fall back to main database
    if (!connectionString) {
        return mainDb;
    }
    // Create separate connection pool for logs database
    const poolConfig = logsConfig?.pool || config.postgres?.pool;
    const primaryPool = new Pool({
        connectionString,
        max: poolConfig?.max_connections || 20,
        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
    });
    const replicas = [];
    if (!replicaConnections.length) {
        replicas.push(
            DrizzlePostgres(primaryPool, {
                logger: process.env.QUERY_LOGGING == "true"
            })
        );
    } else {
        for (const conn of replicaConnections) {
            const replicaPool = new Pool({
                connectionString: conn.connection_string,
                max: poolConfig?.max_replica_connections || 20,
                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
                connectionTimeoutMillis:
                    poolConfig?.connection_timeout_ms || 5000
            });
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
                })
            );
        }
    }
    return withReplicas(
        DrizzlePostgres(primaryPool, {
            logger: process.env.QUERY_LOGGING == "true"
        }),
        replicas as any
    );
 }
 export const logsDb = createLogsDb();
 export default logsDb;
 export const primaryLogsDb = logsDb.$primary;
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,3 @@`
							`import { runMigrations } from "./";`

							`await runMigrations();`