All page types are there and look mostly correct

fix: make tag input wrap around instead of scrolling

cloud

@@ -0,0 +1,110 @@
+git push origin -d 1.11.0-s.0
+git push origin -d 1.11.0-s.1
+git push origin -d 1.11.0-s.2
+git push origin -d 1.11.0-s.3
+git push origin -d 1.11.0-s.4
+git push origin -d 1.11.0-s.5
+git push origin -d 1.11.1-s.0
+git push origin -d 1.12.0-s.0
+git push origin -d 1.12.2-s.0
+git push origin -d 1.12.2-s.1
+git push origin -d 1.12.2-s.2
+git push origin -d 1.12.2-s.3
+git push origin -d 1.12.2-s.4
+git push origin -d 1.12.2-s.5
+git push origin -d 1.13.0.s.0
+git push origin -d 1.13.1-s.0
+git push origin -d 1.14.0-s.2
+git push origin -d 1.14.1-s.0
+git push origin -d 1.14.1-s.1
+git push origin -d 1.14.1-s.2
+git push origin -d 1.14.1-s.3
+git push origin -d 1.15.0-s.0
+git push origin -d 1.15.0-s.1
+git push origin -d 1.15.0-s.2
+git push origin -d 1.15.0-s.3
+git push origin -d 1.15.0-s.4
+git push origin -d 1.15.0-s.5
+git push origin -d 1.15.1-s.0
+git push origin -d 1.15.1-s.1
+git push origin -d 1.15.3-s.0
+git push origin -d 1.15.3-s.1
+git push origin -d 1.15.4-s.0
+git push origin -d 1.15.4-s.1
+git push origin -d 1.15.4-s.10
+git push origin -d 1.15.4-s.2
+git push origin -d 1.15.4-s.3
+git push origin -d 1.15.4-s.4
+git push origin -d 1.15.4-s.5
+git push origin -d 1.15.4-s.6
+git push origin -d 1.15.4-s.7
+git push origin -d 1.15.4-s.8
+git push origin -d 1.15.4-s.9
+git push origin -d 1.16.0-s.0
+git push origin -d 1.16.0-s.1
+git push origin -d 1.16.1-s.0
+git push origin -d 1.16.1-s.1
+git push origin -d 1.16.2-s.0
+git push origin -d 1.16.2-s.1
+git push origin -d 1.16.2-s.10
+git push origin -d 1.16.2-s.11
+git push origin -d 1.16.2-s.12
+git push origin -d 1.16.2-s.13
+git push origin -d 1.16.2-s.14
+git push origin -d 1.16.2-s.15
+git push origin -d 1.16.2-s.16
+git push origin -d 1.16.2-s.17
+git push origin -d 1.16.2-s.18
+git push origin -d 1.16.2-s.19
+git push origin -d 1.16.2-s.2
+git push origin -d 1.16.2-s.20
+git push origin -d 1.16.2-s.21
+git push origin -d 1.16.2-s.22
+git push origin -d 1.16.2-s.3
+git push origin -d 1.16.2-s.4
+git push origin -d 1.16.2-s.5
+git push origin -d 1.16.2-s.6
+git push origin -d 1.16.2-s.7
+git push origin -d 1.16.2-s.8
+git push origin -d 1.16.2-s.9
+git push origin -d 1.17.0-s.0
+git push origin -d 1.17.0-s.1
+git push origin -d 1.17.0-s.2
+git push origin -d 1.17.0-s.3
+git push origin -d 1.17.0-s.4
+git push origin -d 1.17.1-s.0
+git push origin -d 1.17.1-s.1
+git push origin -d 1.17.1-s.2
+git push origin -d 1.17.1-s.3
+git push origin -d 1.17.1-s.4
+git push origin -d 1.17.1-s.5
+git push origin -d 1.17.1-s.6
+git push origin -d 1.17.1-s.7
+git push origin -d 1.18.0-s.0
+git push origin -d 1.18.0-s.1
+git push origin -d 1.18.0-s.2
+git push origin -d 1.18.1-s.0
+git push origin -d 1.18.1-s.1
+git push origin -d 1.18.1-s.2
+git push origin -d 1.18.1-s.3
+git push origin -d 1.18.1-s.4
+git push origin -d 1.18.1-s.5
+git push origin -d 1.18.1-s.6
+git push origin -d 1.18.1-s.7
+git push origin -d 1.18.2-s.0
+git push origin -d 1.18.2-s.1
+git push origin -d 1.18.2-s.2
+git push origin -d 1.18.2-s.3
+git push origin -d 1.18.2-s.4
+git push origin -d 1.18.2-s.5
+git push origin -d 1.18.3-s.0
+git push origin -d 1.18.3-s.1
+git push origin -d 1.18.3-s.2
+git push origin -d 1.18.3-s.3
+git push origin -d 1.18.4-s.0
+git push origin -d 1.18.4-s.1
+git push origin -d 1.18.4-s.2
+git push origin -d 1.18.4-s.3
+git push origin -d 1.18.4-s.4
+git push origin -d 1.18.4-s.5
+git push origin -d 1.18.4-s.6

messages/en-US.json

@@ -255,6 +255,23 @@
     "resourceGoTo": "Go to Resource",
     "resourceDelete": "Delete Resource",
     "resourceDeleteConfirm": "Confirm Delete Resource",
+    "labelDelete": "Delete Label",
+    "labelAdd": "Add Label",
+    "labelCreateSuccessMessage": "Label Created Successfully",
+    "labelEditSuccessMessage": "Label Modified Successfully",
+    "labelNameField": "Label Name",
+    "labelColorField": "Label Color",
+    "labelPlaceholder": "Ex: homelab",
+    "labelCreate": "Create Label",
+    "createLabelDialogTitle": "Create Label",
+    "createLabelDialogDescription": "Create a new label that can be attached to this organization",
+    "labelEdit": "Edit Label",
+    "editLabelDialogTitle": "Update Label",
+    "editLabelDialogDescription": "Edit a new label that can be attached to this organization",
+    "labelDeleteConfirm": "Confirm Delete Label",
+    "labelErrorDelete": "Failed to delete label",
+    "labelMessageRemove": "This action is permanent. All sites, resources, and clients tagged with this label will be untagged.",
+    "labelQuestionRemove": "Are you sure you want to remove the label from the organization?",
     "visibility": "Visibility",
     "enabled": "Enabled",
     "disabled": "Disabled",
@@ -1140,6 +1157,15 @@
     "idpErrorConnectingTo": "There was a problem connecting to {name}. Please contact your administrator.",
     "idpErrorNotFound": "IdP not found",
     "inviteInvalid": "Invalid Invite",
+    "labels": "Labels",
+    "orgLabelsDescription": "Manage labels in this organization.",
+    "addLabels": "Add labels",
+    "siteLabelsTab": "Labels",
+    "siteLabelsDescription": "Manage labels associated with this site.",
+    "labelsNotFound": "Labels not found",
+    "labelSearch": "Search labels",
+    "selectColor": "Select color",
+    "createNewLabel": "Create new org label \"{label}\"",
     "inviteInvalidDescription": "The invite link is invalid.",
     "inviteErrorWrongUser": "Invite is not for this user",
     "inviteErrorUserNotExists": "User does not exist. Please create an account first.",
@@ -1846,6 +1872,7 @@
     "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
     "billingCurrentKeys": "Current Keys",
     "billingModifyCurrentPlan": "Modify Current Plan",
+    "billingManageLicenseSubscriptionDescription": "Manage your subscription for paid self-hosted license keys and download invoices.",
     "billingConfirmUpgrade": "Confirm Upgrade",
     "billingConfirmDowngrade": "Confirm Downgrade",
     "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
@@ -1943,6 +1970,36 @@
     "timeIsInSeconds": "Time is in seconds",
     "requireDeviceApproval": "Require Device Approvals",
     "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
+    "sshSettings": "SSH Settings",
+    "rdpSettings": "RDP Settings",
+    "vncSettings": "VNC Settings",
+    "sshServer": "SSH Server",
+    "rdpServer": "RDP Server",
+    "vncServer": "VNC Server",
+    "sshServerDescription": "Set up the authentication method, daemon location, and server destination",
+    "rdpServerDescription": "Configure the destination and port of the RDP server",
+    "vncServerDescription": "Configure the destination and port of the VNC server",
+    "sshServerMode": "Mode",
+    "sshServerModeStandard": "Standard SSH Server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Uses a Pangolin auth daemon to manage SSH authentication on the site or remote host.",
+    "sshServerModeNative": "Native SSH Server",
+    "sshServerModeNativeDescription": "SSH authentication is handled natively by an existing SSH server without a separate auth daemon.",
+    "sshAuthenticationMethod": "Authentication Method",
+    "sshAuthMethodManual": "Manual Authentication",
+    "sshAuthMethodManualDescription": "Requires existing host credentials. Bypasses automatic provisioning.",
+    "sshAuthMethodAutomated": "Automated Provisioning",
+    "sshAuthMethodAutomatedDescription": "Automatically creates users, groups, and sudo permissions on host.",
+    "sshAuthDaemonLocation": "Auth Daemon Location",
+    "sshDaemonLocationSiteDescription": "Executes locally on the machine hosting the site connector.",
+    "sshDaemonLocationRemote": "On Remote Host",
+    "sshDaemonLocationRemoteDescription": "Executes on a separate target machine on the same network.",
+    "sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
+    "sshDaemonPort": "Daemon Port",
+    "sshServerDestination": "Server Destination",
+    "sshServerDestinationDescription": "Configure the destination and port of the SSH server",
+    "destination": "Destination",
+    "bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
     "sshAccess": "SSH Access",
     "roleAllowSsh": "Allow SSH",
     "roleAllowSshAllow": "Allow",
@@ -2937,7 +2994,7 @@
     "learnMore": "Learn more",
     "backToHome": "Go back to home",
     "needToSignInToOrg": "Need to use your organization's identity provider?",
-    "maintenanceMode": "Maintenance Mode",
+    "maintenanceMode": "Maintenance Page",
     "maintenanceModeDescription": "Display a maintenance page to visitors",
     "maintenanceModeType": "Maintenance Mode Type",
     "showMaintenancePage": "Show a maintenance page to visitors",
@@ -2967,6 +3024,7 @@
     "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
     "createInternalResourceDialogDestinationRequired": "Destination is required",
     "available": "Available",
+    "disabledResourceDescription": "When disabled, the resource will be inaccessible by everyone.",
     "archived": "Archived",
     "noArchivedDevices": "No archived devices found",
     "deviceArchived": "Device archived",

next.config.ts

@@ -5,6 +5,7 @@ const withNextIntl = createNextIntlPlugin();
 
 const nextConfig: NextConfig = {
     reactStrictMode: false,
+    transpilePackages: ["@novnc/novnc"],
     eslint: {
         ignoreDuringBuilds: true
     },

package-lock.json

@@ -11,11 +11,14 @@
             "dependencies": {
                 "@asteasolutions/zod-to-openapi": "8.4.1",
                 "@aws-sdk/client-s3": "3.1011.0",
+                "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+                "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
                 "@faker-js/faker": "10.3.0",
                 "@headlessui/react": "2.2.9",
                 "@hookform/resolvers": "5.2.2",
                 "@monaco-editor/react": "4.7.0",
                 "@node-rs/argon2": "2.0.2",
+                "@novnc/novnc": "^1.7.0",
                 "@oslojs/crypto": "1.0.1",
                 "@oslojs/encoding": "1.1.0",
                 "@radix-ui/react-avatar": "1.1.11",
@@ -44,6 +47,9 @@
                 "@tailwindcss/forms": "0.5.11",
                 "@tanstack/react-query": "5.90.21",
                 "@tanstack/react-table": "8.21.3",
+                "@xterm/addon-fit": "^0.11.0",
+                "@xterm/addon-web-links": "^0.12.0",
+                "@xterm/xterm": "^6.0.0",
                 "arctic": "3.7.0",
                 "axios": "1.15.0",
                 "better-sqlite3": "11.9.1",
@@ -1058,7 +1064,6 @@
             "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/code-frame": "^7.29.0",
                 "@babel/generator": "^7.29.0",
@@ -1460,6 +1465,16 @@
             "integrity": "sha512-P5LUNhtbj6YfI3iJjw5EL9eUAG6OitD0W3fWQcpQjDRc/QIsL0tRNuO1PcDvPccWL1fSTXXdE1ds+l95DV/OFA==",
             "license": "MIT"
         },
+        "node_modules/@devolutions/iron-remote-desktop": {
+            "version": "0.0.0",
+            "resolved": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+            "integrity": "sha512-9o7PkCw9fdvGTPs0hgsUJG10QleGgcdsSCw1ekLpUOlVXtWCuiuPH+0bPDFhLWxqbVA+8pyVhwqdOI+t1T3TNA=="
+        },
+        "node_modules/@devolutions/iron-remote-desktop-rdp": {
+            "version": "0.0.0",
+            "resolved": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
+            "integrity": "sha512-O0YVpOJDwUzekH3N2QKj+48WP+56wI0sj4VmaJkGoW5XgyAj2ONn2k3i+vk17Eavx+Vg6vAg3lwYRAOK4kKIDQ=="
+        },
         "node_modules/@dotenvx/dotenvx": {
             "version": "1.54.1",
             "resolved": "https://registry.npmjs.org/@dotenvx/dotenvx/-/dotenvx-1.54.1.tgz",
@@ -2354,7 +2369,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2377,7 +2391,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2400,7 +2413,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2417,7 +2429,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2434,7 +2445,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2451,7 +2461,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2468,7 +2477,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2485,7 +2493,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2502,7 +2509,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2519,7 +2525,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2536,7 +2541,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2553,7 +2557,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2576,7 +2579,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2599,7 +2601,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2622,7 +2623,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2645,7 +2645,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2668,7 +2667,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2691,7 +2689,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2714,7 +2711,6 @@
             "cpu": [
                 "wasm32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
             "optional": true,
             "dependencies": {
@@ -2734,7 +2730,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2754,7 +2749,6 @@
             "cpu": [
                 "ia32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2774,7 +2768,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -3034,7 +3027,6 @@
             "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": "^14.21.3 || >=16"
             },
@@ -3654,6 +3646,12 @@
                 "node": ">=12.4.0"
             }
         },
+        "node_modules/@novnc/novnc": {
+            "version": "1.7.0",
+            "resolved": "https://registry.npmjs.org/@novnc/novnc/-/novnc-1.7.0.tgz",
+            "integrity": "sha512-ucEJOx4T2avIRCleodk7YobZj5O2Ga2AeLfQ69A/yjG9HHba2+PDgwSkN3FttrmG+70ZGx21sElNFouK13RzyA==",
+            "license": "MPL-2.0"
+        },
         "node_modules/@oslojs/asn1": {
             "version": "1.0.0",
             "resolved": "https://registry.npmjs.org/@oslojs/asn1/-/asn1-1.0.0.tgz",
@@ -6981,7 +6979,6 @@
             "resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.6.tgz",
             "integrity": "sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=20.0.0"
             },
@@ -8442,7 +8439,6 @@
             "version": "5.90.21",
             "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz",
             "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==",
-            "peer": true,
             "dependencies": {
                 "@tanstack/query-core": "5.90.20"
             },
@@ -8558,7 +8554,6 @@
             "integrity": "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*"
             }
@@ -8906,7 +8901,6 @@
             "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/body-parser": "*",
                 "@types/express-serve-static-core": "^5.0.0",
@@ -9002,7 +8996,6 @@
             "integrity": "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "undici-types": "~7.18.0"
             }
@@ -9030,7 +9023,6 @@
             "integrity": "sha512-gT+oueVQkqnj6ajGJXblFR4iavIXWsGAFCk3dP4Kki5+a9R4NMt0JARdk6s8cUKcfUoqP5dAtDSLU8xYUTFV+Q==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*",
                 "pg-protocol": "*",
@@ -9056,7 +9048,6 @@
             "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
             "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
             "devOptional": true,
-            "peer": true,
             "dependencies": {
                 "csstype": "^3.2.2"
             }
@@ -9067,7 +9058,6 @@
             "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "peerDependencies": {
                 "@types/react": "^19.2.0"
             }
@@ -9154,7 +9144,8 @@
             "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
             "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
             "license": "MIT",
-            "optional": true
+            "optional": true,
+            "peer": true
         },
         "node_modules/@types/ws": {
             "version": "8.18.1",
@@ -9228,7 +9219,6 @@
             "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@typescript-eslint/scope-manager": "8.56.1",
                 "@typescript-eslint/types": "8.56.1",
@@ -9683,6 +9673,27 @@
                 "win32"
             ]
         },
+        "node_modules/@xterm/addon-fit": {
+            "version": "0.11.0",
+            "resolved": "https://registry.npmjs.org/@xterm/addon-fit/-/addon-fit-0.11.0.tgz",
+            "integrity": "sha512-jYcgT6xtVYhnhgxh3QgYDnnNMYTcf8ElbxxFzX0IZo+vabQqSPAjC3c1wJrKB5E19VwQei89QCiZZP86DCPF7g==",
+            "license": "MIT"
+        },
+        "node_modules/@xterm/addon-web-links": {
+            "version": "0.12.0",
+            "resolved": "https://registry.npmjs.org/@xterm/addon-web-links/-/addon-web-links-0.12.0.tgz",
+            "integrity": "sha512-4Smom3RPyVp7ZMYOYDoC/9eGJJJqYhnPLGGqJ6wOBfB8VxPViJNSKdgRYb8NpaM6YSelEKbA2SStD7lGyqaobw==",
+            "license": "MIT"
+        },
+        "node_modules/@xterm/xterm": {
+            "version": "6.0.0",
+            "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-6.0.0.tgz",
+            "integrity": "sha512-TQwDdQGtwwDt+2cgKDLn0IRaSxYu1tSUjgKarSDkUM0ZNiSRXFpjxEsvc/Zgc5kq5omJ+V0a8/kIM2WD3sMOYg==",
+            "license": "MIT",
+            "workspaces": [
+                "addons/*"
+            ]
+        },
         "node_modules/accepts": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz",
@@ -9702,7 +9713,6 @@
             "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "acorn": "bin/acorn"
             },
@@ -10152,7 +10162,6 @@
             "integrity": "sha512-Ixm8tFfoKKIPYdCCKYTsqv+Fd4IJ0DQqMyEimo+pxUOMUR9cVPlwTrFt9Avu+3cb6Zp3mAzl+t1MrG2fxxKsxw==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/types": "^7.26.0"
             }
@@ -10224,7 +10233,6 @@
             "integrity": "sha512-Ba0KR+Fzxh2jDRhdg6TSH0SJGzb8C0aBY4hR8w8madIdIzzC6Y1+kx5qR6eS1Z+Gy20h6ZU28aeyg0z1VIrShQ==",
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "bindings": "^1.5.0",
                 "prebuild-install": "^7.1.1"
@@ -10353,7 +10361,6 @@
                 }
             ],
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "baseline-browser-mapping": "^2.9.0",
                 "caniuse-lite": "^1.0.30001759",
@@ -11260,7 +11267,6 @@
             "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
             "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
             "license": "ISC",
-            "peer": true,
             "engines": {
                 "node": ">=12"
             }
@@ -11701,6 +11707,7 @@
             "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
             "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
             "license": "(MPL-2.0 OR Apache-2.0)",
+            "peer": true,
             "engines": {
                 "node": ">=20"
             },
@@ -12335,7 +12342,6 @@
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "esbuild": "bin/esbuild"
             },
@@ -12421,7 +12427,6 @@
             "integrity": "sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.8.0",
                 "@eslint-community/regexpp": "^4.12.2",
@@ -12558,7 +12563,6 @@
             "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@rtsao/scc": "^1.1.0",
                 "array-includes": "^3.1.9",
@@ -12952,7 +12956,6 @@
             "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
             "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "accepts": "^2.0.0",
                 "body-parser": "^2.2.1",
@@ -15370,6 +15373,7 @@
             "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
             "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "dompurify": "3.2.7",
                 "marked": "14.0.0"
@@ -15380,6 +15384,7 @@
             "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
             "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
             "license": "MIT",
+            "peer": true,
             "bin": {
                 "marked": "bin/marked.js"
             },
@@ -15468,7 +15473,6 @@
             "resolved": "https://registry.npmjs.org/next/-/next-15.5.15.tgz",
             "integrity": "sha512-VSqCrJwtLVGwAVE0Sb/yikrQfkwkZW9p+lL/J4+xe+G3ZA+QnWPqgcfH1tDUEuk9y+pthzzVFp4L/U8JerMfMQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@next/env": "15.5.15",
                 "@swc/helpers": "0.5.15",
@@ -16428,7 +16432,6 @@
             "resolved": "https://registry.npmjs.org/pg/-/pg-8.20.0.tgz",
             "integrity": "sha512-ldhMxz2r8fl/6QkXnBD3CR9/xg694oT6DZQ2s6c/RI28OjtSOpxnPrUCGOBJ46RCUxcWdx3p6kw/xnDHjKvaRA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "pg-connection-string": "^2.12.0",
                 "pg-pool": "^3.13.0",
@@ -16936,7 +16939,6 @@
             "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
             "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=0.10.0"
             }
@@ -16968,7 +16970,6 @@
             "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
             "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "scheduler": "^0.27.0"
             },
@@ -17261,7 +17262,6 @@
             "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz",
             "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=18.0.0"
             },
@@ -18723,8 +18723,7 @@
             "version": "4.2.2",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
             "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/tapable": {
             "version": "2.3.2",
@@ -19199,7 +19198,6 @@
             "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
             "devOptional": true,
             "license": "Apache-2.0",
-            "peer": true,
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"
@@ -19627,7 +19625,6 @@
             "resolved": "https://registry.npmjs.org/winston/-/winston-3.19.0.tgz",
             "integrity": "sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@colors/colors": "^1.6.0",
                 "@dabh/diagnostics": "^2.0.8",
@@ -19834,7 +19831,6 @@
             "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
             "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
             "license": "MIT",
-            "peer": true,
             "funding": {
                 "url": "https://github.com/sponsors/colinhacks"
             }

package.json

@@ -34,11 +34,14 @@
     "dependencies": {
         "@asteasolutions/zod-to-openapi": "8.4.1",
         "@aws-sdk/client-s3": "3.1011.0",
+        "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+        "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
         "@faker-js/faker": "10.3.0",
         "@headlessui/react": "2.2.9",
         "@hookform/resolvers": "5.2.2",
         "@monaco-editor/react": "4.7.0",
         "@node-rs/argon2": "2.0.2",
+        "@novnc/novnc": "^1.7.0",
         "@oslojs/crypto": "1.0.1",
         "@oslojs/encoding": "1.1.0",
         "@radix-ui/react-avatar": "1.1.11",
@@ -67,6 +70,9 @@
         "@tailwindcss/forms": "0.5.11",
         "@tanstack/react-query": "5.90.21",
         "@tanstack/react-table": "8.21.3",
+        "@xterm/addon-fit": "^0.11.0",
+        "@xterm/addon-web-links": "^0.12.0",
+        "@xterm/xterm": "^6.0.0",
         "arctic": "3.7.0",
         "axios": "1.15.0",
         "better-sqlite3": "11.9.1",

server/auth/actions.ts

@@ -148,11 +148,22 @@ export enum ActionsEnum {
     updateAlertRule = "updateAlertRule",
     deleteAlertRule = "deleteAlertRule",
     listAlertRules = "listAlertRules",
+    listOrgLabels = "listOrgLabels",
+    createOrgLabel = "createOrgLabel",
+    updateOrgLabel = "updateOrgLabel",
+    deleteOrgLabel = "deleteOrgLabel",
+    attachLabelToItem = "attachLabelToItem",
+    detachLabelFromItem = "detachLabelFromItem",
     getAlertRule = "getAlertRule",
     createHealthCheck = "createHealthCheck",
     updateHealthCheck = "updateHealthCheck",
     deleteHealthCheck = "deleteHealthCheck",
-    listHealthChecks = "listHealthChecks"
+    listHealthChecks = "listHealthChecks",
+    createBrowserGatewayTarget = "createBrowserGatewayTarget",
+    updateBrowserGatewayTarget = "updateBrowserGatewayTarget",
+    deleteBrowserGatewayTarget = "deleteBrowserGatewayTarget",
+    getBrowserGatewayTarget = "getBrowserGatewayTarget",
+    listBrowserGatewayTargets = "listBrowserGatewayTargets"
 }
 
 export async function checkUserActionPermission(

server/db/pg/schema/privateSchema.ts

@@ -580,6 +580,24 @@ export const trialNotifications = pgTable("trialNotifications", {
     sentAt: bigint("sentAt", { mode: "number" }).notNull()
 });
 
+export const browserGatewayTarget = pgTable("browserGatewayTarget", {
+    browserGatewayTargetId: serial("browserGatewayTargetId").primaryKey(),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: varchar("authToken").notNull(),
+    type: varchar("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: varchar("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +645,6 @@ export type AlertEmailRecipients = InferSelectModel<
 >;
 export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;

server/db/pg/schema/schema.ts

@@ -147,7 +147,6 @@ export const resources = pgTable("resources", {
     headers: text("headers"), // comma-separated list of headers to add to the request
     proxyProtocol: boolean("proxyProtocol").notNull().default(false),
     proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
     maintenanceModeEnabled: boolean("maintenanceModeEnabled")
         .notNull()
         .default(false),
@@ -159,9 +158,100 @@ export const resources = pgTable("resources", {
     maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
     postAuthPath: text("postAuthPath"),
     health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: boolean("wildcard").notNull().default(false)
+    wildcard: boolean("wildcard").notNull().default(false),
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });
 
+export const labels = pgTable("labels", {
+    labelId: serial("labelId").primaryKey(),
+    name: varchar("name").notNull(),
+    color: varchar("color").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = pgTable(
+    "siteLabels",
+    {
+        siteLabelId: serial("siteLabelId").primaryKey(),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = pgTable(
+    "resourceLabels",
+    {
+        resourceLabelId: serial("resourceLabelId").primaryKey(),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = pgTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: serial("siteResourceLabelId").primaryKey(),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = pgTable(
+    "clientLabels",
+    {
+        clientLabelId: serial("clientLabelId").primaryKey(),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = pgTable("targets", {
     targetId: serial("targetId").primaryKey(),
     resourceId: integer("resourceId")
@@ -196,9 +286,11 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
             onDelete: "cascade"
         })
         .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
     name: varchar("name"),
     hcEnabled: boolean("hcEnabled").notNull().default(false),
     hcPath: varchar("hcPath"),
@@ -266,8 +358,11 @@ export const siteResources = pgTable("siteResources", {
     udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
     disableIcmp: boolean("disableIcmp").notNull().default(false),
     authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
     authDaemonMode: varchar("authDaemonMode", { length: 32 })
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
         .default("site"),
     domainId: varchar("domainId").references(() => domains.domainId, {
         onDelete: "set null"
@@ -1097,19 +1192,30 @@ export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
     complete: boolean("complete").notNull().default(false)
 });
 
-export const statusHistory = pgTable("statusHistory", {
-    id: serial("id").primaryKey(),
-    entityType: varchar("entityType").notNull(),
-    entityId: integer("entityId").notNull(),
-    orgId: varchar("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: varchar("status").notNull(),
-    timestamp: integer("timestamp").notNull(),
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = pgTable(
+    "statusHistory",
+    {
+        id: serial("id").primaryKey(),
+        entityType: varchar("entityType").notNull(),
+        entityId: integer("entityId").notNull(),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: varchar("status").notNull(),
+        timestamp: integer("timestamp").notNull()
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);
 
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1179,3 +1285,4 @@ export type RoundTripMessageTracker = InferSelectModel<
 >;
 export type Network = InferSelectModel<typeof networks>;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;

server/db/sqlite/schema/privateSchema.ts

@@ -588,6 +588,26 @@ export const trialNotifications = sqliteTable("trialNotifications", {
     sentAt: integer("sentAt").notNull()
 });
 
+export const browserGatewayTarget = sqliteTable("browserGatewayTarget", {
+    browserGatewayTargetId: integer("browserGatewayTargetId").primaryKey({
+        autoIncrement: true
+    }),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: text("authToken").notNull(),
+    type: text("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: text("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +647,6 @@ export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
 export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;

server/db/sqlite/schema/schema.ts

@@ -180,9 +180,106 @@ export const resources = sqliteTable("resources", {
     maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
     postAuthPath: text("postAuthPath"),
     health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false)
+    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });
 
+export const labels = sqliteTable("labels", {
+    labelId: integer("labelId").primaryKey({ autoIncrement: true }),
+    name: text("name").notNull(),
+    color: text("color").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = sqliteTable(
+    "siteLabels",
+    {
+        siteLabelId: integer("siteLabelId").primaryKey({ autoIncrement: true }),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = sqliteTable(
+    "resourceLabels",
+    {
+        resourceLabelId: integer("resourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = sqliteTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: integer("siteResourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = sqliteTable(
+    "clientLabels",
+    {
+        clientLabelId: integer("clientLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = sqliteTable("targets", {
     targetId: integer("targetId").primaryKey({ autoIncrement: true }),
     resourceId: integer("resourceId")
@@ -219,9 +316,11 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
             onDelete: "cascade"
         })
         .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
     name: text("name"),
     hcEnabled: integer("hcEnabled", { mode: "boolean" })
         .notNull()
@@ -295,8 +394,11 @@ export const siteResources = sqliteTable("siteResources", {
         .notNull()
         .default(false),
     authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
     authDaemonMode: text("authDaemonMode")
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
         .default("site"),
     domainId: text("domainId").references(() => domains.domainId, {
         onDelete: "set null"
@@ -1196,19 +1298,30 @@ export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
     complete: integer("complete", { mode: "boolean" }).notNull().default(false)
 });
 
-export const statusHistory = sqliteTable("statusHistory", {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    entityType: text("entityType").notNull(), // "site" | "healthCheck"
-    entityId: integer("entityId").notNull(),  // siteId or targetHealthCheckId
-    orgId: text("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
-    timestamp: integer("timestamp").notNull(), // unix epoch seconds
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = sqliteTable(
+    "statusHistory",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        entityType: text("entityType").notNull(), // "site" | "healthCheck"
+        entityId: integer("entityId").notNull(), // siteId or targetHealthCheckId
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
+        timestamp: integer("timestamp").notNull() // unix epoch seconds
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);
 
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1278,3 +1391,4 @@ export type RoundTripMessageTracker = InferSelectModel<
     typeof roundTripMessageTracker
 >;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;

server/integrationApiServer.ts

@@ -152,17 +152,11 @@ function getOpenApiDocumentation() {
 
             if (!hasExistingResponses) {
                 def.route.responses = {
-                    "200": {
-                        description: "Successful response",
+                    "*": {
+                        description: "",
                         content: {
                             "application/json": {
-                                schema: z.object({
-                                    data: z.unknown().nullable(),
-                                    success: z.boolean(),
-                                    error: z.boolean(),
-                                    message: z.string(),
-                                    status: z.number()
-                                })
+                                schema: z.object({})
                             }
                         }
                     }

server/lib/billing/tierMatrix.ts

@@ -24,10 +24,12 @@ export enum TierFeature {
     DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
     StandaloneHealthChecks = "standaloneHealthChecks",
     AlertingRules = "alertingRules",
-    WildcardSubdomain = "wildcardSubdomain"
+    WildcardSubdomain = "wildcardSubdomain",
+    Labels = "labels"
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
+    [TierFeature.Labels]: ["tier2", "tier3", "enterprise"],
     [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],

server/lib/ip.ts

@@ -873,13 +873,7 @@ export const portRangeStringSchema = z
             message:
                 'Port range must be "*" for all ports, or a comma-separated list of ports and ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535, and ranges must have start <= end.'
         }
-    )
-    .openapi({
-        type: "string",
-        description:
-            'Port range string. Use "*" for all ports, a comma-separated list of ports, or ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535.',
-        example: "80,443,8000-9000"
-    });
+    );
 
 /**
  * Parses a port range string into an array of port range objects

server/lib/openapi/createApiResponseSchema.ts

@@ -1,11 +0,0 @@
-import { z } from "zod";
-
-export function createApiResponseSchema<T extends z.ZodTypeAny>(dataSchema: T) {
-    return z.object({
-        data: dataSchema.nullable(),
-        success: z.boolean(),
-        error: z.boolean(),
-        message: z.string(),
-        status: z.number()
-    });
-}

server/private/lib/acmeCertSync.ts

@@ -780,9 +780,9 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
             }
         }
 
-        logger.debug(
-            `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
-        );
+        // logger.debug(
+        //     `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
+        // );
 
         for (const domain of allDomains) {
             try {

server/private/lib/logStreaming/index.ts

@@ -24,7 +24,8 @@ import { LogStreamingManager } from "./LogStreamingManager";
  */
 export const logStreamingManager = new LogStreamingManager();
 
-if (build != "saas") { // this is handled separately in the saas build, so we don't want to start it here
+if (build !== "saas") {
+    // this is handled separately in the saas build, so we don't want to start it here
     logStreamingManager.start();
 }
 

server/private/lib/traefik/getTraefikConfig.ts

@@ -12,6 +12,7 @@
  */
 
 import {
+    browserGatewayTarget,
     certificates,
     db,
     domainNamespaces,
@@ -277,6 +278,115 @@ export async function getTraefikConfig(
         });
     });
 
+    // Query browser gateway targets for this exit node
+    const browserGatewayRows = await db
+        .select({
+            // Resource fields
+            resourceId: resources.resourceId,
+            resourceName: resources.name,
+            fullDomain: resources.fullDomain,
+            ssl: resources.ssl,
+            subdomain: resources.subdomain,
+            domainId: resources.domainId,
+            enabled: resources.enabled,
+            wildcard: resources.wildcard,
+            domainCertResolver: domains.certResolver,
+            preferWildcardCert: domains.preferWildcardCert,
+            domainNamespaceId: domainNamespaces.domainNamespaceId,
+            // Browser gateway target fields
+            browserGatewayTargetId: browserGatewayTarget.browserGatewayTargetId,
+            bgType: browserGatewayTarget.type,
+            // Site fields
+            siteId: sites.siteId,
+            siteType: sites.type,
+            siteOnline: sites.online,
+            subnet: sites.subnet,
+            siteExitNodeId: sites.exitNodeId
+        })
+        .from(browserGatewayTarget)
+        .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+        .innerJoin(
+            resources,
+            eq(resources.resourceId, browserGatewayTarget.resourceId)
+        )
+        .leftJoin(domains, eq(domains.domainId, resources.domainId))
+        .leftJoin(
+            domainNamespaces,
+            eq(domainNamespaces.domainId, resources.domainId)
+        )
+        .where(
+            and(
+                eq(resources.enabled, true),
+                or(
+                    eq(sites.exitNodeId, exitNodeId),
+                    and(
+                        isNull(sites.exitNodeId),
+                        sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
+                        eq(sites.type, "local"),
+                        sql`(${build != "saas" ? 1 : 0} = 1)`
+                    )
+                ),
+                inArray(sites.type, siteTypes)
+            )
+        );
+
+    // Group browser gateway targets by resource
+    type BrowserGatewayResourceEntry = {
+        resourceId: number;
+        name: string;
+        fullDomain: string | null;
+        ssl: boolean | null;
+        subdomain: string | null;
+        domainId: string | null;
+        enabled: boolean | null;
+        wildcard: boolean | null;
+        domainCertResolver: string | null;
+        preferWildcardCert: boolean | null;
+        targets: {
+            browserGatewayTargetId: number;
+            bgType: string;
+            siteId: number;
+            siteType: string;
+            siteOnline: boolean | null;
+            subnet: string | null;
+            siteExitNodeId: number | null;
+        }[];
+    };
+    const browserGatewayResourcesMap = new Map<
+        number,
+        BrowserGatewayResourceEntry
+    >();
+
+    for (const row of browserGatewayRows) {
+        if (filterOutNamespaceDomains && row.domainNamespaceId) {
+            continue;
+        }
+        if (!browserGatewayResourcesMap.has(row.resourceId)) {
+            browserGatewayResourcesMap.set(row.resourceId, {
+                resourceId: row.resourceId,
+                name: sanitize(row.resourceName) || "",
+                fullDomain: row.fullDomain,
+                ssl: row.ssl,
+                subdomain: row.subdomain,
+                domainId: row.domainId,
+                enabled: row.enabled,
+                wildcard: row.wildcard,
+                domainCertResolver: row.domainCertResolver,
+                preferWildcardCert: row.preferWildcardCert,
+                targets: []
+            });
+        }
+        browserGatewayResourcesMap.get(row.resourceId)!.targets.push({
+            browserGatewayTargetId: row.browserGatewayTargetId,
+            bgType: row.bgType,
+            siteId: row.siteId,
+            siteType: row.siteType,
+            siteOnline: row.siteOnline,
+            subnet: row.subnet,
+            siteExitNodeId: row.siteExitNodeId
+        });
+    }
+
     let siteResourcesWithFullDomain: {
         siteResourceId: number;
         fullDomain: string | null;
@@ -324,6 +434,12 @@ export async function getTraefikConfig(
                 domains.add(sr.fullDomain);
             }
         }
+        // Include browser gateway resource domains
+        for (const bgResource of browserGatewayResourcesMap.values()) {
+            if (bgResource.enabled && bgResource.ssl && bgResource.fullDomain) {
+                domains.add(bgResource.fullDomain);
+            }
+        }
         // get the valid certs for these domains
         validCerts = await getValidCertificatesForDomains(domains, true); // we are caching here because this is called often
         // logger.debug(`Valid certs for domains: ${JSON.stringify(validCerts)}`);
@@ -589,7 +705,7 @@ export async function getTraefikConfig(
                             resource.ssl ? entrypointHttps : entrypointHttp
                         ],
                         service: maintenanceServiceName,
-                        rule: `${rule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`))`,
+                        rule: `${rule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`)) `,
                         priority: 2001,
                         ...(resource.ssl ? { tls } : {})
                     };
@@ -925,6 +1041,185 @@ export async function getTraefikConfig(
         }
     }
 
+    // Generate Traefik config for browser gateway resources
+    const browserGatewayPort = 39999;
+    for (const [, bgResource] of browserGatewayResourcesMap.entries()) {
+        if (!bgResource.enabled) continue;
+        if (!bgResource.domainId) continue;
+        if (!bgResource.fullDomain) continue;
+
+        if (!config_output.http.routers) config_output.http.routers = {};
+        if (!config_output.http.services) config_output.http.services = {};
+
+        const fullDomain = bgResource.fullDomain;
+        const additionalMiddlewares =
+            config.getRawConfig().traefik.additional_middlewares || [];
+        const routerMiddlewares = [
+            badgerMiddlewareName,
+            ...additionalMiddlewares
+        ];
+
+        const hostRule = `Host(\`${fullDomain}\`)`;
+
+        // Build TLS config
+        let tls = {};
+        if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
+            const domainParts = fullDomain.split(".");
+            let wildCard: string;
+            if (domainParts.length <= 2) {
+                wildCard = `*.${domainParts.join(".")}`;
+            } else {
+                wildCard = `*.${domainParts.slice(1).join(".")}`;
+            }
+            if (!bgResource.subdomain) {
+                wildCard = fullDomain;
+            }
+
+            const globalDefaultResolver =
+                config.getRawConfig().traefik.cert_resolver;
+            const globalDefaultPreferWildcard =
+                config.getRawConfig().traefik.prefer_wildcard_cert;
+            const resolverName = bgResource.domainCertResolver
+                ? bgResource.domainCertResolver.trim()
+                : globalDefaultResolver;
+            const preferWildcard =
+                bgResource.preferWildcardCert !== undefined &&
+                bgResource.preferWildcardCert !== null
+                    ? bgResource.preferWildcardCert
+                    : globalDefaultPreferWildcard;
+
+            tls = {
+                certResolver: resolverName,
+                ...(preferWildcard ? { domains: [{ main: wildCard }] } : {})
+            };
+        } else {
+            const matchingCert = validCerts.find(
+                (cert) => cert.queriedDomain === fullDomain
+            );
+            if (!matchingCert) {
+                logger.debug(
+                    `No matching certificate found for browser gateway domain: ${fullDomain}`
+                );
+                continue;
+            }
+        }
+
+        const bgUiServiceName = `bg-r${bgResource.resourceId}-ui-service`;
+
+        if (bgResource.ssl) {
+            const redirectRouterName = `bg-r${bgResource.resourceId}-redirect`;
+            config_output.http.routers![redirectRouterName] = {
+                entryPoints: [config.getRawConfig().traefik.http_entrypoint],
+                middlewares: [redirectHttpsMiddlewareName],
+                service: bgUiServiceName,
+                rule: hostRule,
+                priority: 100
+            };
+        }
+
+        // Collect online sites for this resource (for any type)
+        const anySiteOnline = bgResource.targets.some((t) => t.siteOnline);
+
+        // Group targets by type and generate per-type websocket routers and services
+        const typeMap = new Map<string, typeof bgResource.targets>();
+        for (const t of bgResource.targets) {
+            if (!typeMap.has(t.bgType)) typeMap.set(t.bgType, []);
+            typeMap.get(t.bgType)!.push(t);
+        }
+
+        for (const [bgType, typedTargets] of typeMap.entries()) {
+            const bgKey = `bg-r${bgResource.resourceId}-${bgType}`;
+            const bgRouterName = `${bgKey}-router`;
+            const bgServiceName = `${bgKey}-service`;
+            const bgRule = `${hostRule} && PathPrefix(\`/gateway/${bgType}\`)`;
+
+            const servers = typedTargets
+                .filter((t) => {
+                    if (!t.siteOnline && anySiteOnline) return false;
+                    if (t.siteType === "newt") return !!t.subnet;
+                    return false; // browser gateway only supported on newt sites
+                })
+                .map((t) => ({
+                    url: `http://${t.subnet!.split("/")[0]}:${browserGatewayPort}`
+                }))
+                .filter((v, i, a) => a.findIndex((u) => u.url === v.url) === i);
+
+            config_output.http.routers![bgRouterName] = {
+                entryPoints: [
+                    bgResource.ssl
+                        ? config.getRawConfig().traefik.https_entrypoint
+                        : config.getRawConfig().traefik.http_entrypoint
+                ],
+                middlewares: routerMiddlewares,
+                service: bgServiceName,
+                rule: bgRule,
+                priority: 110, // highest - websocket path takes precedence
+                ...(bgResource.ssl ? { tls } : {})
+            };
+
+            config_output.http.services![bgServiceName] = {
+                loadBalancer: {
+                    servers
+                }
+            };
+        }
+
+        // UI: serve the browser gateway page from the internal pangolin instance.
+        // The primary type is used for the path rewrite (e.g. /rdp), mirroring
+        // how the maintenance page rewrites everything to /maintenance-screen.
+        const primaryType = typeMap.keys().next().value as string;
+        const internalHost = config.getRawConfig().server.internal_hostname;
+        const internalPort = config.getRawConfig().server.next_port;
+        const uiRewriteMiddlewareName = `bg-r${bgResource.resourceId}-ui-rewrite`;
+        const entrypoint = bgResource.ssl
+            ? config.getRawConfig().traefik.https_entrypoint
+            : config.getRawConfig().traefik.http_entrypoint;
+
+        if (!config_output.http.middlewares) {
+            config_output.http.middlewares = {};
+        }
+
+        config_output.http.middlewares![uiRewriteMiddlewareName] = {
+            replacePathRegex: {
+                regex: "^/(.*)",
+                replacement: `/${primaryType}`
+            }
+        };
+
+        config_output.http.services![bgUiServiceName] = {
+            loadBalancer: {
+                servers: [
+                    {
+                        url: `http://${internalHost}:${internalPort}`
+                    }
+                ]
+            }
+        };
+
+        // Assets router at higher priority so /_next files load without rewrite
+        config_output.http.routers![
+            `bg-r${bgResource.resourceId}-assets-router`
+        ] = {
+            entryPoints: [entrypoint],
+            middlewares: routerMiddlewares,
+            service: bgUiServiceName,
+            rule: `${hostRule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
+            priority: 101,
+            ...(bgResource.ssl ? { tls } : {})
+        };
+
+        // Catch-all router rewrites everything on the domain to /{primaryType}
+        config_output.http.routers![`bg-r${bgResource.resourceId}-ui-router`] =
+            {
+                entryPoints: [entrypoint],
+                middlewares: [...routerMiddlewares, uiRewriteMiddlewareName],
+                service: bgUiServiceName,
+                rule: hostRule,
+                priority: 100,
+                ...(bgResource.ssl ? { tls } : {})
+            };
+    }
+
     // Add Traefik routes for siteResource aliases (HTTP mode + SSL) so that
     // Traefik generates TLS certificates for those domains even when no
     // matching resource exists yet.
@@ -1040,7 +1335,7 @@ export async function getTraefikConfig(
             config_output.http.routers[`${siteResourceRouterName}-assets`] = {
                 entryPoints: [config.getRawConfig().traefik.https_entrypoint],
                 service: siteResourceServiceName,
-                rule: `Host(\`${fullDomain}\`) && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`))`,
+                rule: `Host(\`${fullDomain}\`) && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
                 priority: 101,
                 tls
             };
@@ -1143,7 +1438,7 @@ export async function getTraefikConfig(
                         config.getRawConfig().traefik.https_entrypoint
                     ],
                     service: "landing-service",
-                    rule: `Host(\`${fullDomain}\`) && (PathRegexp(\`^/auth/resource/[^/]+$\`) || PathRegexp(\`^/auth/idp/[0-9]+/oidc/callback\`) || PathPrefix(\`/_next\`) || Path(\`/auth/org\`) || PathRegexp(\`^/__nextjs*\`))`,
+                    rule: `Host(\`${fullDomain}\`) && (PathRegexp(\`^/auth/resource/[^/]+$\`) || PathRegexp(\`^/auth/idp/[0-9]+/oidc/callback\`) || PathPrefix(\`/_next\`) || Path(\`/auth/org\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
                     priority: 203,
                     tls: tls
                 };

server/private/middlewares/verifySubscription.ts

@@ -25,7 +25,7 @@ export function verifyValidSubscription(tiers: Tier[]) {
         next: NextFunction
     ): Promise<any> {
         try {
-            if (build != "saas") {
+            if (build !== "saas") {
                 return next();
             }
 

server/private/routers/alertRule/createAlertRule.ts

@@ -202,22 +202,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createAlertRule(

server/private/routers/alertRule/deleteAlertRule.ts

@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteAlertRule(

server/private/routers/alertRule/getAlertRule.ts

@@ -49,22 +49,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getAlertRule(

server/private/routers/alertRule/listAlertRules.ts

@@ -95,22 +95,7 @@ registry.registerPath({
         query: querySchema,
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listAlertRules(

server/private/routers/alertRule/updateAlertRule.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import {
     alertRules,
@@ -149,10 +148,6 @@ const bodySchema = z
 export type UpdateAlertRuleResponse = {
     alertRuleId: number;
 };
-const UpdateAlertRuleResponseDataSchema = z.object({
-    alertRuleId: z.number()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -169,16 +164,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateAlertRuleResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateAlertRule(

server/private/routers/approvals/processPendingApproval.ts

@@ -24,7 +24,7 @@ import type { NextFunction, Request, Response } from "express";
 
 const paramsSchema = z.strictObject({
     orgId: z.string(),
-    approvalId: z.coerce.number().int().positive()
+    approvalId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const bodySchema = z.strictObject({

server/private/routers/auditLogs/exportAccessAuditLog.ts

@@ -18,7 +18,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryAccessAuditLogsParams,
@@ -38,22 +37,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryAccessAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportAccessAuditLogs(

server/private/routers/auditLogs/exportActionAuditLog.ts

@@ -18,7 +18,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryActionAuditLogsParams,
@@ -38,22 +37,7 @@ registry.registerPath({
         query: queryActionAuditLogsQuery,
         params: queryActionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportActionAuditLogs(

server/private/routers/auditLogs/exportConnectionAuditLog.ts

@@ -18,7 +18,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryConnectionAuditLogsParams,
@@ -38,22 +37,7 @@ registry.registerPath({
         query: queryConnectionAuditLogsQuery,
         params: queryConnectionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportConnectionAuditLogs(

server/private/routers/auditLogs/queryAccessAuditLog.ts

@@ -324,22 +324,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryAccessAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function queryAccessAuditLogs(

server/private/routers/auditLogs/queryActionAuditLog.ts

@@ -165,22 +165,7 @@ registry.registerPath({
         query: queryActionAuditLogsQuery,
         params: queryActionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function queryActionAuditLogs(

server/private/routers/auditLogs/queryConnectionAuditLog.ts

@@ -439,22 +439,7 @@ registry.registerPath({
         query: queryConnectionAuditLogsQuery,
         params: queryConnectionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function queryConnectionAuditLogs(

server/private/routers/billing/getOrgUsage.ts

@@ -39,22 +39,7 @@ const getOrgSchema = z.strictObject({
 //     request: {
 //         params: getOrgSchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function getOrgUsage(

server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts

@@ -0,0 +1,187 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+import { generateId } from "@server/auth/sessions/app";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive(),
+    type: z.enum(["ssh", "rdp", "vnc"]),
+    destination: z.string().nonempty(),
+    destinationPort: z.number().int().min(1).max(65535)
+});
+
+export type CreateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-target",
+    description: "Create a browser gateway target for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function createBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
+            .limit(1);
+
+        if (!site) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site with ID ${siteId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const plainToken = generateId(48);
+        const encryptedToken = encrypt(
+            plainToken,
+            config.getRawConfig().server.secret!
+        );
+
+        const [record] = await db
+            .insert(browserGatewayTarget)
+            .values({
+                resourceId,
+                siteId,
+                type,
+                destination,
+                destinationPort,
+                authToken: encryptedToken
+            })
+            .returning();
+
+        if (site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, siteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [record],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(
+            `Created browser gateway target ${record.browserGatewayTargetId} for resource ${resourceId}`
+        );
+
+        return response<CreateBrowserGatewayTargetResponse>(res, {
+            data: record,
+            success: true,
+            error: false,
+            message: "Browser gateway target created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to create browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts

@@ -0,0 +1,130 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { browserGatewayTarget, db, newts, sites } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { removeBrowserGatewayTarget } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Delete a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function deleteBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        await db
+            .delete(browserGatewayTarget)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            );
+
+        if (existing.site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, existing.bgt.siteId))
+                .limit(1);
+
+            if (newt) {
+                await removeBrowserGatewayTarget(
+                    newt.newtId,
+                    browserGatewayTargetId,
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Deleted browser gateway target ${browserGatewayTargetId}`);
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Browser gateway target deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to delete browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts

@@ -0,0 +1,109 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+export type GetBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Get a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function getBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [result] = await db
+            .select({ bgt: browserGatewayTarget })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!result) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        return response<GetBrowserGatewayTargetResponse>(res, {
+            data: result.bgt,
+            success: true,
+            error: false,
+            message: "Browser gateway target retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to retrieve browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/index.ts

@@ -0,0 +1,18 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createBrowserGatewayTarget";
+export * from "./updateBrowserGatewayTarget";
+export * from "./deleteBrowserGatewayTarget";
+export * from "./getBrowserGatewayTarget";
+export * from "./listBrowserGatewayTargets";

server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts

@@ -0,0 +1,148 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const querySchema = z.object({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.number().int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.number().int().nonnegative())
+});
+
+export type ListBrowserGatewayTargetsResponse = {
+    targets: BrowserGatewayTarget[];
+    total: number;
+    limit: number;
+    offset: number;
+};
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-targets",
+    description: "List browser gateway targets for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        query: querySchema
+    },
+    responses: {}
+});
+
+export async function listBrowserGatewayTargets(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
+        const { limit, offset } = parsedQuery.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const targets = await db
+            .select()
+            .from(browserGatewayTarget)
+            .where(eq(browserGatewayTarget.resourceId, resourceId))
+            .limit(limit)
+            .offset(offset);
+
+        return response<ListBrowserGatewayTargetsResponse>(res, {
+            data: {
+                targets: targets,
+                total: targets.length,
+                limit,
+                offset
+            },
+            success: true,
+            error: false,
+            message: "Browser gateway targets retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to list browser gateway targets"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts

@@ -0,0 +1,180 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive().optional(),
+    type: z.enum(["ssh", "rdp", "vnc"]).optional(),
+    destination: z.string().nonempty().optional(),
+    destinationPort: z.number().int().min(1).max(65535).optional()
+});
+
+export type UpdateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Update a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function updateBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        const updateValues: Partial<BrowserGatewayTarget> = {};
+        if (siteId !== undefined) updateValues.siteId = siteId;
+        if (type !== undefined) updateValues.type = type;
+        if (destination !== undefined) updateValues.destination = destination;
+        if (destinationPort !== undefined)
+            updateValues.destinationPort = destinationPort;
+
+        const [updated] = await db
+            .update(browserGatewayTarget)
+            .set(updateValues)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            )
+            .returning();
+
+        const targetSiteId = siteId ?? existing.bgt.siteId;
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, targetSiteId))
+            .limit(1);
+
+        if (site && site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, targetSiteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [updated],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Updated browser gateway target ${browserGatewayTargetId}`);
+
+        return response<UpdateBrowserGatewayTargetResponse>(res, {
+            data: updated,
+            success: true,
+            error: false,
+            message: "Browser gateway target updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to update browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/certificates/getCertificate.ts

@@ -115,22 +115,7 @@ registry.registerPath({
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getCertificate(

server/private/routers/certificates/restartCertificate.ts

@@ -25,7 +25,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const restartCertificateParamsSchema = z.strictObject({
-    certId: z.coerce.number().int().positive(),
+    certId: z.string().transform(stoi).pipe(z.int().positive()),
     orgId: z.string()
 });
 
@@ -36,26 +36,11 @@ registry.registerPath({
     tags: ["Certificate"],
     request: {
         params: z.object({
-            certId: z.coerce.number().int().positive(),
+            certId: z.string().transform(stoi).pipe(z.int().positive()),
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function restartCertificate(

server/private/routers/domain/checkDomainNamespaceAvailability.ts

@@ -42,22 +42,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function checkDomainNamespaceAvailability(

server/private/routers/domain/listDomainNamespaces.ts

@@ -25,7 +25,6 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { isSubscribed } from "#private/lib/isSubscribed";
 import { build } from "@server/build";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const paramsSchema = z.strictObject({});
 
@@ -66,20 +65,6 @@ export type ListDomainNamespacesResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListDomainNamespacesResponseDataSchema = z.object({
-    domainNamespaces: z.array(
-        z.object({
-            domainNamespaceId: z.string(),
-            domainId: z.string()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/domains/namepaces",
@@ -88,18 +73,7 @@ registry.registerPath({
     request: {
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListDomainNamespacesResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listDomainNamespaces(

server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
 import { logStreamingManager } from "#private/lib/logStreaming";
@@ -43,10 +42,6 @@ const bodySchema = z.strictObject({
 export type CreateEventStreamingDestinationResponse = {
     destinationId: number;
 };
-const CreateEventStreamingDestinationResponseDataSchema = z.object({
-    destinationId: z.number()
-});
-
 
 registry.registerPath({
     method: "put",
@@ -63,16 +58,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateEventStreamingDestinationResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createEventStreamingDestination(

server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts

@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteEventStreamingDestination(

server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts

@@ -24,7 +24,6 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
@@ -68,31 +67,6 @@ export type ListEventStreamingDestinationsResponse = {
     };
 };
 
-const ListEventStreamingDestinationsResponseDataSchema = z.object({
-    destinations: z.array(
-        z.object({
-            destinationId: z.number(),
-            orgId: z.string(),
-            type: z.string(),
-            config: z.string(),
-            enabled: z.boolean(),
-            lastError: z.string().nullable(),
-            lastErrorAt: z.number().nullable(),
-            createdAt: z.number(),
-            updatedAt: z.number(),
-            sendConnectionLogs: z.boolean(),
-            sendRequestLogs: z.boolean(),
-            sendActionLogs: z.boolean(),
-            sendAccessLogs: z.boolean()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 async function query(orgId: string, limit: number, offset: number) {
     const res = await db
         .select()
@@ -114,18 +88,7 @@ registry.registerPath({
         query: querySchema,
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListEventStreamingDestinationsResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listEventStreamingDestinations(

server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
 import response from "@server/lib/response";
@@ -46,10 +45,6 @@ const bodySchema = z.strictObject({
 export type UpdateEventStreamingDestinationResponse = {
     destinationId: number;
 };
-const UpdateEventStreamingDestinationResponseDataSchema = z.object({
-    destinationId: z.number()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -66,16 +61,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateEventStreamingDestinationResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateEventStreamingDestination(

server/private/routers/external.ts

@@ -31,6 +31,8 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
 import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 import * as alertRule from "#private/routers/alertRule";
 import * as healthChecks from "#private/routers/healthChecks";
+import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
+import * as labels from "#private/routers/labels";
 
 import {
     verifyOrgAccess,
@@ -732,6 +734,59 @@ authenticated.get(
     alertRule.getAlertRule
 );
 
+authenticated.get(
+    "/org/:orgId/labels",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.listOrgLabels),
+    labels.listOrgLabels
+);
+
+authenticated.post(
+    "/org/:orgId/labels",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.createOrgLabel),
+    labels.createOrgLabel
+);
+
+authenticated.patch(
+    "/org/:orgId/label/:labelId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.updateOrgLabel),
+    labels.updateOrgLabel
+);
+
+authenticated.delete(
+    "/org/:orgId/label/:labelId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteOrgLabel),
+    labels.deleteOrgLabel
+);
+
+authenticated.put(
+    "/org/:orgId/label/:labelId/attach",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.attachLabelToItem),
+    labels.attachLabelToItem
+);
+
+authenticated.put(
+    "/org/:orgId/label/:labelId/detach",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.detachLabelFromItem),
+    labels.detachLabelFromItem
+);
+
 authenticated.get(
     "/org/:orgId/health-checks",
     verifyValidLicense,
@@ -775,3 +830,48 @@ authenticated.get(
     verifyUserHasAction(ActionsEnum.getTarget),
     healthChecks.getHealthCheckStatusHistory
 );
+
+authenticated.put(
+    "/org/:orgId/resource/:resourceId/browser-gateway-target",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
+    browserGatewayTarget.createBrowserGatewayTarget
+);
+
+authenticated.get(
+    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listBrowserGatewayTargets),
+    browserGatewayTarget.listBrowserGatewayTargets
+);
+
+authenticated.get(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.getBrowserGatewayTarget),
+    browserGatewayTarget.getBrowserGatewayTarget
+);
+
+authenticated.post(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.updateBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
+    browserGatewayTarget.updateBrowserGatewayTarget
+);
+
+authenticated.delete(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
+    browserGatewayTarget.deleteBrowserGatewayTarget
+);

server/private/routers/healthChecks/createHealthCheck.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, targetHealthCheck, newts, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -53,10 +52,6 @@ const bodySchema = z.strictObject({
 export type CreateHealthCheckResponse = {
     targetHealthCheckId: number;
 };
-const CreateHealthCheckResponseDataSchema = z.object({
-    targetHealthCheckId: z.number()
-});
-
 
 registry.registerPath({
     method: "put",
@@ -73,16 +68,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateHealthCheckResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createHealthCheck(

server/private/routers/healthChecks/deleteHealthCheck.ts

@@ -41,22 +41,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteHealthCheck(

server/private/routers/healthChecks/listHealthChecks.ts

@@ -68,22 +68,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listHealthChecks(

server/private/routers/healthChecks/updateHealthCheck.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, targetHealthCheck, newts, sites } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -82,29 +81,6 @@ export type UpdateHealthCheckResponse = {
     hcHealthyThreshold: number | null;
     hcUnhealthyThreshold: number | null;
 };
-const UpdateHealthCheckResponseDataSchema = z.object({
-    targetHealthCheckId: z.number(),
-    name: z.string().nullable(),
-    siteId: z.number().nullable(),
-    hcEnabled: z.boolean(),
-    hcHealth: z.string().nullable(),
-    hcMode: z.string().nullable(),
-    hcHostname: z.string().nullable(),
-    hcPort: z.number().nullable(),
-    hcPath: z.string().nullable(),
-    hcScheme: z.string().nullable(),
-    hcMethod: z.string().nullable(),
-    hcInterval: z.number().nullable(),
-    hcUnhealthyInterval: z.number().nullable(),
-    hcTimeout: z.number().nullable(),
-    hcHeaders: z.string().nullable(),
-    hcFollowRedirects: z.boolean().nullable(),
-    hcStatus: z.number().nullable(),
-    hcTlsServerName: z.string().nullable(),
-    hcHealthyThreshold: z.number().nullable(),
-    hcUnhealthyThreshold: z.number().nullable()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -121,16 +97,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateHealthCheckResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateHealthCheck(

server/private/routers/integration.ts

@@ -16,6 +16,7 @@ import * as org from "#private/routers/org";
 import * as logs from "#private/routers/auditLogs";
 import * as alertEvents from "#private/routers/alertEvents";
 import * as certificates from "#private/routers/certificates";
+import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
 
 import {
     verifyApiKeyHasAction,
@@ -215,3 +216,43 @@ authenticated.delete(
     logActionAudit(ActionsEnum.removeUserRole),
     user.removeUserRole
 );
+
+authenticated.put(
+    "/org/:orgId/resource/:resourceId/browser-gateway-target",
+    verifyApiKeyOrgAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.createBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
+    browserGatewayTarget.createBrowserGatewayTarget
+);
+
+authenticated.get(
+    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listBrowserGatewayTargets),
+    browserGatewayTarget.listBrowserGatewayTargets
+);
+
+authenticated.get(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.getBrowserGatewayTarget),
+    browserGatewayTarget.getBrowserGatewayTarget
+);
+
+authenticated.post(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.updateBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
+    browserGatewayTarget.updateBrowserGatewayTarget
+);
+
+authenticated.delete(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
+    browserGatewayTarget.deleteBrowserGatewayTarget
+);

server/private/routers/labels/attachLabelToItem.ts

@@ -0,0 +1,224 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    clients,
+    clientLabels,
+    db,
+    labels,
+    resourceLabels,
+    resources,
+    siteLabels,
+    siteResourceLabels,
+    siteResources,
+    sites
+} from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq, isNull } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    labelId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const attachLabelBodySchema = z.strictObject({
+    siteId: z.number().int().optional(),
+    resourceId: z.number().int().optional(),
+    siteResourceId: z.number().int().optional(),
+    clientId: z.number().int().optional()
+});
+
+export async function attachLabelToItem(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, labelId } = parsedParams.data;
+
+        const parsedBody = attachLabelBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, resourceId, siteResourceId, clientId } =
+            parsedBody.data;
+
+        if (!siteId && !resourceId && !siteResourceId && !clientId) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "At least one of `siteId`, `resourceId`, `siteResourceId` or `clientId` should be provided."
+                )
+            );
+        }
+
+        const [existing] = await db
+            .select()
+            .from(labels)
+            .where(and(eq(labels.labelId, labelId), eq(labels.orgId, orgId)));
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Label with Id ${labelId} not found`
+                )
+            );
+        }
+
+        if (siteId) {
+            const siteCount = await db.$count(
+                sites,
+                and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
+            );
+
+            if (siteCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Site with Id ${siteId} doesn't exist.`
+                    )
+                );
+            }
+
+            // idempotent, calling this endpoint multiple times should attach the label only once
+            await db
+                .insert(siteLabels)
+                .values({
+                    labelId,
+                    siteId
+                })
+                .onConflictDoNothing();
+        }
+
+        if (resourceId) {
+            const resourceCount = await db.$count(
+                resources,
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            );
+
+            if (resourceCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Resource with Id ${resourceId} doesn't exist.`
+                    )
+                );
+            }
+
+            // idempotent, calling this endpoint multiple times should attach the label only once
+            await db
+                .insert(resourceLabels)
+                .values({
+                    labelId,
+                    resourceId
+                })
+                .onConflictDoNothing();
+        }
+
+        if (siteResourceId) {
+            const resourceCount = await db.$count(
+                siteResources,
+                and(
+                    eq(siteResources.siteResourceId, siteResourceId),
+                    eq(siteResources.orgId, orgId)
+                )
+            );
+
+            if (resourceCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `SiteResource with Id ${siteResourceId} doesn't exist.`
+                    )
+                );
+            }
+
+            // idempotent, calling this endpoint multiple times should attach the label only once
+            await db
+                .insert(siteResourceLabels)
+                .values({
+                    labelId,
+                    siteResourceId
+                })
+                .onConflictDoNothing();
+        }
+
+        if (clientId) {
+            const clientCount = await db.$count(
+                clients,
+                and(
+                    eq(clients.clientId, clientId),
+                    eq(clients.orgId, orgId),
+                    isNull(clients.userId)
+                )
+            );
+
+            if (clientCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Client with Id ${clientId} doesn't exist.`
+                    )
+                );
+            }
+
+            // idempotent, calling this endpoint multiple times should attach the label only once
+            await db
+                .insert(clientLabels)
+                .values({
+                    labelId,
+                    clientId
+                })
+                .onConflictDoNothing();
+        }
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Label attached successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/labels/createOrgLabel.ts

@@ -0,0 +1,149 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+import {
+    db,
+    labels,
+    resourceLabels,
+    resources,
+    siteLabels,
+    sites
+} from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z.strictObject({
+    name: z.string().nonempty(),
+    color: z
+        .string()
+        .regex(/^#?([0-9a-f]{6}|[0-9a-f]{3})$/i)
+        .nonempty(),
+    siteId: z.number().int().optional(),
+    resourceId: z.number().int().optional()
+});
+
+export async function createOrgLabel(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { name, color, siteId, resourceId } = parsedBody.data;
+
+        if (siteId) {
+            const siteCount = await db.$count(
+                sites,
+                and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
+            );
+
+            if (siteCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        `Site with Id ${siteId} doesn't exist.`
+                    )
+                );
+            }
+        }
+
+        if (resourceId) {
+            const resourceCount = await db.$count(
+                resources,
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            );
+
+            if (resourceCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        `Resource with Id ${resourceId} doesn't exist.`
+                    )
+                );
+            }
+        }
+
+        const label = await db.transaction(async (tx) => {
+            const [label] = await tx
+                .insert(labels)
+                .values({
+                    name,
+                    color,
+                    orgId
+                })
+                .returning();
+
+            if (siteId) {
+                await tx.insert(siteLabels).values({
+                    siteId,
+                    labelId: label.labelId
+                });
+            }
+
+            if (resourceId) {
+                await tx.insert(resourceLabels).values({
+                    resourceId,
+                    labelId: label.labelId
+                });
+            }
+            return label;
+        });
+
+        return response<CreateOrEditLabelResponse>(res, {
+            data: { label },
+            success: true,
+            error: false,
+            message: "Org Label created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/labels/deleteOrgLabel.ts

@@ -0,0 +1,72 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+import { db, labels } from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    labelId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+export async function deleteOrgLabel(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, labelId } = parsedParams.data;
+
+        const [existing] = await db
+            .select()
+            .from(labels)
+            .where(and(eq(labels.labelId, labelId), eq(labels.orgId, orgId)));
+
+        if (!existing) {
+            return next(createHttpError(HttpCode.NOT_FOUND, "Label not found"));
+        }
+
+        await db
+            .delete(labels)
+            .where(and(eq(labels.labelId, labelId), eq(labels.orgId, orgId)));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Label deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/labels/detachLabelFromItem.ts

@@ -0,0 +1,224 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import {
+    clients,
+    clientLabels,
+    db,
+    labels,
+    resourceLabels,
+    resources,
+    siteLabels,
+    siteResourceLabels,
+    siteResources,
+    sites
+} from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq, isNull } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    labelId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const detachLabelBodySchema = z.strictObject({
+    siteId: z.number().int().optional(),
+    resourceId: z.number().int().optional(),
+    siteResourceId: z.number().int().optional(),
+    clientId: z.number().int().optional()
+});
+
+export async function detachLabelFromItem(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, labelId } = parsedParams.data;
+
+        const parsedBody = detachLabelBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, resourceId, siteResourceId, clientId } =
+            parsedBody.data;
+
+        if (!siteId && !resourceId && !siteResourceId && !clientId) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "At least one of `siteId`, `resourceId`, `siteResourceId` or `clientId` should be provided."
+                )
+            );
+        }
+
+        const [existing] = await db
+            .select()
+            .from(labels)
+            .where(and(eq(labels.labelId, labelId), eq(labels.orgId, orgId)));
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Label with Id ${labelId} not found`
+                )
+            );
+        }
+
+        if (siteId) {
+            const siteCount = await db.$count(
+                sites,
+                and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
+            );
+
+            if (siteCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Site with Id ${siteId} doesn't exist.`
+                    )
+                );
+            }
+
+            await db
+                .delete(siteLabels)
+                .where(
+                    and(
+                        eq(siteLabels.labelId, labelId),
+                        eq(siteLabels.siteId, siteId)
+                    )
+                );
+        }
+
+        if (resourceId) {
+            const resourceCount = await db.$count(
+                resources,
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            );
+
+            if (resourceCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Resource with Id ${resourceId} doesn't exist.`
+                    )
+                );
+            }
+
+            await db
+                .delete(resourceLabels)
+                .where(
+                    and(
+                        eq(resourceLabels.labelId, labelId),
+                        eq(resourceLabels.resourceId, resourceId)
+                    )
+                );
+        }
+
+        if (siteResourceId) {
+            const resourceCount = await db.$count(
+                siteResources,
+                and(
+                    eq(siteResources.siteResourceId, siteResourceId),
+                    eq(siteResources.orgId, orgId)
+                )
+            );
+
+            if (resourceCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `SiteResource with Id ${siteResourceId} doesn't exist.`
+                    )
+                );
+            }
+
+            await db
+                .delete(siteResourceLabels)
+                .where(
+                    and(
+                        eq(siteResourceLabels.labelId, labelId),
+                        eq(siteResourceLabels.siteResourceId, siteResourceId)
+                    )
+                );
+        }
+
+        if (clientId) {
+            const clientCount = await db.$count(
+                clients,
+                and(
+                    eq(clients.clientId, clientId),
+                    eq(clients.orgId, orgId),
+                    isNull(clients.userId)
+                )
+            );
+
+            if (clientCount === 0) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `Client with Id ${clientId} doesn't exist.`
+                    )
+                );
+            }
+
+            await db
+                .delete(clientLabels)
+                .where(
+                    and(
+                        eq(clientLabels.labelId, labelId),
+                        eq(clientLabels.clientId, clientId)
+                    )
+                );
+        }
+
+        return response(res, {
+            data: {},
+            success: true,
+            error: false,
+            message: "Label detached successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/labels/index.ts

@@ -0,0 +1,19 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./listOrgLabels";
+export * from "./createOrgLabel";
+export * from "./updateOrgLabel";
+export * from "./attachLabelToItem";
+export * from "./detachLabelFromItem";
+export * from "./deleteOrgLabel";

server/private/routers/labels/listOrgLabels.ts

@@ -0,0 +1,155 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { db, labels } from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import type { ListOrgLabelsResponse } from "@server/routers/labels/types";
+import HttpCode from "@server/types/HttpCode";
+import { and, asc, eq, like, sql } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty()
+});
+
+const listLabelsSchema = z.object({
+    pageSize: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
+        .optional()
+        .catch(20)
+        .default(20)
+        .openapi({
+            type: "integer",
+            default: 20,
+            description: "Number of items per page"
+        }),
+    page: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .min(0)
+        .optional()
+        .catch(1)
+        .default(1)
+        .openapi({
+            type: "integer",
+            default: 1,
+            description: "Page number to retrieve"
+        }),
+    query: z.string().optional()
+});
+
+function queryLabelsBase() {
+    return db
+        .select({
+            labelId: labels.labelId,
+            name: labels.name,
+            color: labels.color
+        })
+        .from(labels);
+}
+
+export async function listOrgLabels(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = listLabelsSchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+        const { orgId } = parsedParams.data;
+
+        if (req.user && orgId && orgId !== req.userOrgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        const { pageSize, page, query } = parsedQuery.data;
+
+        const conditions = [and(eq(labels.orgId, orgId))];
+
+        if (query) {
+            conditions.push(
+                like(
+                    sql`LOWER(${labels.name})`,
+                    "%" + query.toLowerCase() + "%"
+                )
+            );
+        }
+
+        const baseQuery = queryLabelsBase().where(and(...conditions));
+
+        // we need to add `as` so that drizzle filters the result as a subquery
+        const countQuery = db.$count(
+            queryLabelsBase()
+                .where(and(...conditions))
+                .as("filtered_labels")
+        );
+
+        const labelListQuery = baseQuery
+            .limit(pageSize)
+            .offset(pageSize * (page - 1))
+            .orderBy(asc(labels.name));
+
+        const [totalCount, rows] = await Promise.all([
+            countQuery,
+            labelListQuery
+        ]);
+
+        return response<ListOrgLabelsResponse>(res, {
+            data: {
+                labels: rows,
+                pagination: {
+                    total: totalCount,
+                    pageSize,
+                    page
+                }
+            },
+            success: true,
+            error: false,
+            message: "Labels retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/labels/updateOrgLabel.ts

@@ -0,0 +1,101 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { db, labels } from "@server/db";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    labelId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const updateLabelBodySchema = z.strictObject({
+    name: z.string().min(1).max(255).optional(),
+    color: z
+        .string()
+        .regex(/^#?([0-9a-f]{6}|[0-9a-f]{3})$/i)
+        .nonempty()
+});
+
+export async function updateOrgLabel(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, labelId } = parsedParams.data;
+
+        const parsedBody = updateLabelBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const [existing] = await db
+            .select()
+            .from(labels)
+            .where(and(eq(labels.labelId, labelId), eq(labels.orgId, orgId)));
+
+        if (!existing) {
+            return next(createHttpError(HttpCode.NOT_FOUND, "Label not found"));
+        }
+
+        const { name, color } = parsedBody.data;
+
+        const [label] = await db
+            .update(labels)
+            .set({
+                name,
+                color
+            })
+            .where(and(eq(labels.labelId, labelId), eq(labels.orgId, orgId)))
+            .returning();
+
+        return response<CreateOrEditLabelResponse>(res, {
+            data: {
+                label
+            },
+            success: true,
+            error: false,
+            message: "Label updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/orgIdp/createOrgOidcIdp.ts

@@ -63,22 +63,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createOrgOidcIdp(

server/private/routers/orgIdp/deleteOrgIdp.ts

@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteOrgIdp(

server/private/routers/orgIdp/getOrgIdp.ts

@@ -56,22 +56,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getOrgIdp(

server/private/routers/orgIdp/listOrgIdps.ts

@@ -72,22 +72,7 @@ registry.registerPath({
         query: querySchema,
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listOrgIdps(

server/private/routers/orgIdp/updateOrgOidcIdp.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, idpOrg } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -55,10 +54,6 @@ const bodySchema = z.strictObject({
 export type UpdateOrgIdpResponse = {
     idpId: number;
 };
-const UpdateOrgIdpResponseDataSchema = z.object({
-    idpId: z.number()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -75,16 +70,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateOrgIdpResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateOrgOidcIdp(

server/private/routers/re-key/reGenerateClientSecret.ts

@@ -28,7 +28,7 @@ import { OlmErrorCodes, sendOlmError } from "@server/routers/olm/error";
 import { sendTerminateClient } from "@server/routers/client/terminate";
 
 const reGenerateSecretParamsSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const reGenerateSecretBodySchema = z.strictObject({

server/private/routers/re-key/reGenerateSiteSecret.ts

@@ -27,7 +27,7 @@ import { getAllowedIps } from "@server/routers/target/helpers";
 import { disconnectClient, sendToClient } from "#private/routers/ws";
 
 const updateSiteParamsSchema = z.strictObject({
-    siteId: z.coerce.number().int().positive()
+    siteId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const updateSiteBodySchema = z.strictObject({

server/private/routers/ssh/signSshKey.ts

@@ -19,10 +19,12 @@ import {
     logsDb,
     newts,
     roles,
+    roleSiteResources,
     roundTripMessageTracker,
     siteResources,
     siteNetworks,
-    userOrgs
+    userOrgs,
+    sites
 } from "@server/db";
 import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
@@ -47,7 +49,8 @@ const bodySchema = z
     .strictObject({
         publicKey: z.string().nonempty(),
         resourceId: z.number().int().positive().optional(),
-        resource: z.string().nonempty().optional() // this is either the nice id or the alias
+        resource: z.string().nonempty().optional(), // this is either the nice id or the alias
+        username: z.string().nonempty().optional()
     })
     .refine(
         (data) => {
@@ -62,19 +65,19 @@ const bodySchema = z
     );
 
 export type SignSshKeyResponse = {
-    certificate: string;
+    certificate?: string;
     messageIds: number[];
-    messageId: number;
+    messageId?: number;
     sshUsername: string;
     sshHost: string;
     resourceId: number;
     siteIds: number[];
     siteId: number;
-    keyId: string;
-    validPrincipals: string[];
-    validAfter: string;
-    validBefore: string;
-    expiresIn: number;
+    keyId?: string;
+    validPrincipals?: string[];
+    validAfter?: string;
+    validBefore?: string;
+    expiresIn?: number;
 };
 
 // registry.registerPath({
@@ -92,22 +95,7 @@ export type SignSshKeyResponse = {
 //             }
 //         }
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function signSshKey(
@@ -140,7 +128,8 @@ export async function signSshKey(
         const {
             publicKey,
             resourceId,
-            resource: resourceQueryString
+            resource: resourceQueryString,
+            username
         } = parsedBody.data;
         const userId = req.user?.userId;
         const roleIds = req.userOrgRoleIds ?? [];
@@ -188,101 +177,6 @@ export async function signSshKey(
             );
         }
 
-        let usernameToUse;
-        if (!userOrg.pamUsername) {
-            if (req.user?.email) {
-                // Extract username from email (first part before @)
-                usernameToUse = req.user?.email
-                    .split("@")[0]
-                    .replace(/[^a-zA-Z0-9_-]/g, "");
-                if (!usernameToUse) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Unable to extract username from email"
-                        )
-                    );
-                }
-            } else if (req.user?.username) {
-                usernameToUse = req.user.username;
-                // We need to clean out any spaces or special characters from the username to ensure it's valid for SSH certificates
-                usernameToUse = usernameToUse.replace(/[^a-zA-Z0-9_-]/g, "-");
-                if (!usernameToUse) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Username is not valid for SSH certificate"
-                        )
-                    );
-                }
-            } else {
-                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        "User does not have a valid email or username for SSH certificate"
-                    )
-                );
-            }
-
-            // prefix with p-
-            usernameToUse = `p-${usernameToUse}`;
-
-            // check if we have a existing user in this org with the same
-            const [existingUserWithSameName] = await db
-                .select()
-                .from(userOrgs)
-                .where(
-                    and(
-                        eq(userOrgs.orgId, orgId),
-                        eq(userOrgs.pamUsername, usernameToUse)
-                    )
-                )
-                .limit(1);
-
-            if (existingUserWithSameName) {
-                let foundUniqueUsername = false;
-                for (let attempt = 0; attempt < 20; attempt++) {
-                    const randomNum = Math.floor(Math.random() * 101); // 0 to 100
-                    const candidateUsername = `${usernameToUse}${randomNum}`;
-
-                    const [existingUser] = await db
-                        .select()
-                        .from(userOrgs)
-                        .where(
-                            and(
-                                eq(userOrgs.orgId, orgId),
-                                eq(userOrgs.pamUsername, candidateUsername)
-                            )
-                        )
-                        .limit(1);
-
-                    if (!existingUser) {
-                        usernameToUse = candidateUsername;
-                        foundUniqueUsername = true;
-                        break;
-                    }
-                }
-
-                if (!foundUniqueUsername) {
-                    return next(
-                        createHttpError(
-                            HttpCode.CONFLICT,
-                            "Unable to generate a unique username for SSH certificate"
-                        )
-                    );
-                }
-            }
-
-            await db
-                .update(userOrgs)
-                .set({ pamUsername: usernameToUse })
-                .where(
-                    and(eq(userOrgs.orgId, orgId), eq(userOrgs.userId, userId))
-                );
-        } else {
-            usernameToUse = userOrg.pamUsername;
-        }
-
         // Get and decrypt the org's CA keys
         const caKeys = await getOrgCAKeys(
             orgId,
@@ -375,69 +269,303 @@ export async function signSshKey(
             );
         }
 
-        const roleRows = await db
-            .select()
-            .from(roles)
-            .where(inArray(roles.roleId, roleIds));
-
-        const parsedSudoCommands: string[] = [];
-        const parsedGroupsSet = new Set<string>();
-        let homedir: boolean | null = null;
-        const sudoModeOrder = { none: 0, commands: 1, full: 2 };
-        let sudoMode: "none" | "commands" | "full" = "none";
-        for (const roleRow of roleRows) {
-            try {
-                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
-            } catch {
-                // skip
-            }
-            try {
-                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
-            } catch {
-                // skip
-            }
-            if (roleRow?.sshCreateHomeDir === true) homedir = true;
-            const m = roleRow?.sshSudoMode ?? "none";
-            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
-                sudoMode = m as "none" | "commands" | "full";
-            }
-        }
-        const parsedGroups = Array.from(parsedGroupsSet);
-        if (homedir === null && roleRows.length > 0) {
-            homedir = roleRows[0].sshCreateHomeDir ?? null;
-        }
-
-        const sites = await db
+        const sitesFromNetworks = await db
             .select({ siteId: siteNetworks.siteId })
             .from(siteNetworks)
             .where(eq(siteNetworks.networkId, resource.networkId!));
 
-        const siteIds = sites.map((site) => site.siteId);
+        const siteIds = sitesFromNetworks.map((site) => site.siteId);
 
-        // Sign the public key
-        const now = BigInt(Math.floor(Date.now() / 1000));
-        // only valid for 5 minutes
-        const validFor = 300n;
+        let expiresIn: number | undefined;
+        let messageIds: number[] = [];
+        let cert:
+            | {
+                  certificate: string;
+                  keyId: string;
+                  validPrincipals: string[];
+                  validAfter: Date;
+                  validBefore: Date;
+              }
+            | undefined;
+        // if the pam mode is push then we generate the user's pam username and use that or pull it from the userOrgs table
+        // if the mode is passthrough then just use what was provided because the user will log in themselves
+        let usernameToUse;
+        if (resource.pamMode === "push") {
+            if (!userOrg.pamUsername) {
+                if (req.user?.email) {
+                    // Extract username from email (first part before @)
+                    usernameToUse = req.user?.email
+                        .split("@")[0]
+                        .replace(/[^a-zA-Z0-9_-]/g, "");
+                    if (!usernameToUse) {
+                        return next(
+                            createHttpError(
+                                HttpCode.BAD_REQUEST,
+                                "Unable to extract username from email"
+                            )
+                        );
+                    }
+                } else if (req.user?.username) {
+                    usernameToUse = req.user.username;
+                    // We need to clean out any spaces or special characters from the username to ensure it's valid for SSH certificates
+                    usernameToUse = usernameToUse.replace(
+                        /[^a-zA-Z0-9_-]/g,
+                        "-"
+                    );
+                    if (!usernameToUse) {
+                        return next(
+                            createHttpError(
+                                HttpCode.BAD_REQUEST,
+                                "Username is not valid for SSH certificate"
+                            )
+                        );
+                    }
+                } else {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "User does not have a valid email or username for SSH certificate"
+                        )
+                    );
+                }
 
-        const cert = signPublicKey(caKeys.privateKeyPem, publicKey, {
-            keyId: `${usernameToUse}@${resource.niceId}`,
-            validPrincipals: [usernameToUse, resource.niceId],
-            validAfter: now - 60n, // Start 1 min ago for clock skew
-            validBefore: now + validFor
-        });
+                // prefix with p-
+                usernameToUse = `p-${usernameToUse}`;
+
+                // check if we have a existing user in this org with the same
+                const [existingUserWithSameName] = await db
+                    .select()
+                    .from(userOrgs)
+                    .where(
+                        and(
+                            eq(userOrgs.orgId, orgId),
+                            eq(userOrgs.pamUsername, usernameToUse)
+                        )
+                    )
+                    .limit(1);
+
+                if (existingUserWithSameName) {
+                    let foundUniqueUsername = false;
+                    for (let attempt = 0; attempt < 20; attempt++) {
+                        const randomNum = Math.floor(Math.random() * 101); // 0 to 100
+                        const candidateUsername = `${usernameToUse}${randomNum}`;
+
+                        const [existingUser] = await db
+                            .select()
+                            .from(userOrgs)
+                            .where(
+                                and(
+                                    eq(userOrgs.orgId, orgId),
+                                    eq(userOrgs.pamUsername, candidateUsername)
+                                )
+                            )
+                            .limit(1);
+
+                        if (!existingUser) {
+                            usernameToUse = candidateUsername;
+                            foundUniqueUsername = true;
+                            break;
+                        }
+                    }
+
+                    if (!foundUniqueUsername) {
+                        return next(
+                            createHttpError(
+                                HttpCode.CONFLICT,
+                                "Unable to generate a unique username for SSH certificate"
+                            )
+                        );
+                    }
+                }
+
+                await db
+                    .update(userOrgs)
+                    .set({ pamUsername: usernameToUse })
+                    .where(
+                        and(
+                            eq(userOrgs.orgId, orgId),
+                            eq(userOrgs.userId, userId)
+                        )
+                    );
+            } else {
+                usernameToUse = userOrg.pamUsername;
+            }
+
+            const roleRows = await db
+                .select({
+                    sshSudoCommands: roles.sshSudoCommands,
+                    sshUnixGroups: roles.sshUnixGroups,
+                    sshCreateHomeDir: roles.sshCreateHomeDir,
+                    sshSudoMode: roles.sshSudoMode
+                })
+                .from(roles)
+                .innerJoin(
+                    roleSiteResources,
+                    eq(roleSiteResources.roleId, roles.roleId)
+                )
+                .where(
+                    and(
+                        inArray(roles.roleId, roleIds),
+                        eq(
+                            roleSiteResources.siteResourceId,
+                            resource.siteResourceId
+                        )
+                    )
+                );
+
+            const parsedSudoCommands: string[] = [];
+            const parsedGroupsSet = new Set<string>();
+            let homedir: boolean | null = null;
+            const sudoModeOrder = { none: 0, commands: 1, full: 2 };
+            let sudoMode: "none" | "commands" | "full" = "none";
+            for (const roleRow of roleRows) {
+                try {
+                    const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+                    if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
+                } catch {
+                    // skip
+                }
+                try {
+                    const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+                    if (Array.isArray(grps))
+                        grps.forEach((g: string) => parsedGroupsSet.add(g));
+                } catch {
+                    // skip
+                }
+                if (roleRow?.sshCreateHomeDir === true) homedir = true;
+                const m = roleRow?.sshSudoMode ?? "none";
+                if (
+                    sudoModeOrder[m as keyof typeof sudoModeOrder] >
+                    sudoModeOrder[sudoMode]
+                ) {
+                    sudoMode = m as "none" | "commands" | "full";
+                }
+            }
+            const parsedGroups = Array.from(parsedGroupsSet);
+            if (homedir === null && roleRows.length > 0) {
+                homedir = roleRows[0].sshCreateHomeDir ?? null;
+            }
+
+            // Sign the public key
+            const now = BigInt(Math.floor(Date.now() / 1000));
+            // only valid for 5 minutes
+            const validFor = 300n;
+            expiresIn = Number(validFor); // seconds
+
+            const cert = signPublicKey(caKeys.privateKeyPem, publicKey, {
+                keyId: `${usernameToUse}@${resource.niceId}`,
+                validPrincipals: [usernameToUse, resource.niceId],
+                validAfter: now - 60n, // Start 1 min ago for clock skew
+                validBefore: now + validFor
+            });
+
+            const messageIds: number[] = [];
+            for (const siteId of siteIds) {
+                // get the site
+                const [newt] = await db
+                    .select()
+                    .from(newts)
+                    .where(eq(newts.siteId, siteId))
+                    .limit(1);
+
+                if (!newt) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Site associated with resource not found"
+                        )
+                    );
+                }
+
+                const [message] = await db
+                    .insert(roundTripMessageTracker)
+                    .values({
+                        wsClientId: newt.newtId,
+                        messageType: `newt/pam/connection`,
+                        sentAt: Math.floor(Date.now() / 1000)
+                    })
+                    .returning();
+
+                if (!message) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Failed to create message tracker entry"
+                        )
+                    );
+                }
+
+                messageIds.push(message.messageId);
+
+                await sendToClient(newt.newtId, {
+                    type: `newt/pam/connection`,
+                    data: {
+                        messageId: message.messageId,
+                        orgId: orgId,
+                        agentPort: resource.authDaemonPort ?? 22123,
+                        authDaemonMode: resource.authDaemonMode, // site, remote, native where native is the pty mode
+                        externalAuthDaemon:
+                            resource.authDaemonMode === "remote", // keep this for backward compatibility but new newts are using the authDaemonMode field
+                        agentHost: resource.destination,
+                        caCert: caKeys.publicKeyOpenSSH,
+                        username: usernameToUse,
+                        niceId: resource.niceId,
+                        metadata: {
+                            sudoMode: sudoMode,
+                            sudoCommands: parsedSudoCommands,
+                            homedir: homedir,
+                            groups: parsedGroups
+                        }
+                    }
+                });
+            }
+        } else if (resource.pamMode === "passthrough") {
+            usernameToUse = username;
+            if (!usernameToUse) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Username must be provided when PAM mode is passthrough"
+                    )
+                );
+            }
+        } else {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Invalid PAM mode configured for resource"
+                )
+            );
+        }
+
+        let sshHost: string | undefined;
+        if (
+            resource.authDaemonMode === "site" ||
+            resource.authDaemonMode === "remote"
+        ) {
+            if (resource.alias && resource.alias != "") {
+                sshHost = resource.alias;
+            } else {
+                sshHost = resource.destination;
+            }
+        } else if (resource.authDaemonMode === "native") {
+            if (siteIds.length > 1) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Multiple sites associated with resource, unable to determine SSH host when in native mode"
+                    )
+                );
+            }
 
-        const messageIds: number[] = [];
-        for (const siteId of siteIds) {
             // get the site
-            const [newt] = await db
+            const [site] = await db
                 .select()
-                .from(newts)
-                .where(eq(newts.siteId, siteId))
+                .from(sites)
+                .where(eq(sites.siteId, siteIds[0]))
                 .limit(1);
 
-            if (!newt) {
+            if (!site) {
                 return next(
                     createHttpError(
                         HttpCode.INTERNAL_SERVER_ERROR,
@@ -446,54 +574,26 @@ export async function signSshKey(
                 );
             }
 
-            const [message] = await db
-                .insert(roundTripMessageTracker)
-                .values({
-                    wsClientId: newt.newtId,
-                    messageType: `newt/pam/connection`,
-                    sentAt: Math.floor(Date.now() / 1000)
-                })
-                .returning();
-
-            if (!message) {
+            if (!site.address) {
                 return next(
                     createHttpError(
                         HttpCode.INTERNAL_SERVER_ERROR,
-                        "Failed to create message tracker entry"
+                        "Site address not configured, unable to determine SSH host when in native mode"
                     )
                 );
             }
 
-            messageIds.push(message.messageId);
-
-            await sendToClient(newt.newtId, {
-                type: `newt/pam/connection`,
-                data: {
-                    messageId: message.messageId,
-                    orgId: orgId,
-                    agentPort: resource.authDaemonPort ?? 22123,
-                    externalAuthDaemon: resource.authDaemonMode === "remote",
-                    agentHost: resource.destination,
-                    caCert: caKeys.publicKeyOpenSSH,
-                    username: usernameToUse,
-                    niceId: resource.niceId,
-                    metadata: {
-                        sudoMode: sudoMode,
-                        sudoCommands: parsedSudoCommands,
-                        homedir: homedir,
-                        groups: parsedGroups
-                    }
-                }
-            });
+            // its the address but split off the cidr if there is one
+            sshHost = site.address.split("/")[0];
         }
 
-        const expiresIn = Number(validFor); // seconds
-
-        let sshHost;
-        if (resource.alias && resource.alias != "") {
-            sshHost = resource.alias;
-        } else {
-            sshHost = resource.destination;
+        if (!sshHost) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Unable to determine SSH host for the resource"
+                )
+            );
         }
 
         await logsDb.insert(actionAuditLog).values({
@@ -520,7 +620,7 @@ export async function signSshKey(
                 : undefined,
             metadata: {
                 resourceName: resource.name,
-                siteId: siteIds[0],
+                siteIds: siteIds,
                 sshUsername: usernameToUse,
                 sshHost: sshHost
             },
@@ -530,18 +630,18 @@ export async function signSshKey(
 
         return response<SignSshKeyResponse>(res, {
             data: {
-                certificate: cert.certificate,
+                certificate: cert?.certificate,
                 messageIds: messageIds,
-                messageId: messageIds[0], // just pick the first one for backward compatibility
+                messageId: messageIds[0], // just pick the first one for backward compatibility with older olms
                 sshUsername: usernameToUse,
-                sshHost: sshHost,
+                sshHost: sshHost, // just pick the first one for backward compatibility with older olms
                 resourceId: resource.siteResourceId,
                 siteIds: siteIds,
-                siteId: siteIds[0], // just pick the first one for backward compatibility
-                keyId: cert.keyId,
-                validPrincipals: cert.validPrincipals,
-                validAfter: cert.validAfter.toISOString(),
-                validBefore: cert.validBefore.toISOString(),
+                siteId: siteIds[0], // just pick the first one for backward compatibility with older olms
+                keyId: cert?.keyId,
+                validPrincipals: cert?.validPrincipals,
+                validAfter: cert?.validAfter.toISOString(),
+                validBefore: cert?.validBefore.toISOString(),
                 expiresIn
             },
             success: true,

server/private/routers/user/addUserRole.ts

@@ -27,7 +27,7 @@ import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAs
 
 const addUserRoleParamsSchema = z.strictObject({
     userId: z.string(),
-    roleId: z.coerce.number()
+    roleId: z.string().transform(stoi).pipe(z.number())
 });
 
 registry.registerPath({
@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: addUserRoleParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function addUserRole(

server/private/routers/user/removeUserRole.ts

@@ -27,7 +27,7 @@ import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAs
 
 const removeUserRoleParamsSchema = z.strictObject({
     userId: z.string(),
-    roleId: z.coerce.number()
+    roleId: z.string().transform(stoi).pipe(z.number())
 });
 
 registry.registerPath({
@@ -39,22 +39,7 @@ registry.registerPath({
     request: {
         params: removeUserRoleParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function removeUserRole(

server/routers/accessToken/deleteAccessToken.ts

@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: deleteAccessTokenParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteAccessToken(

server/routers/accessToken/generateAccessToken.ts

@@ -31,7 +31,7 @@ export const generateAccessTokenBodySchema = z.strictObject({
 });
 
 export const generateAccssTokenParamsSchema = z.strictObject({
-    resourceId: z.coerce.number().int().positive()
+    resourceId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 export type GenerateAccessTokenResponse = Omit<
@@ -54,22 +54,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function generateAccessToken(

server/routers/accessToken/listAccessTokens.ts

@@ -129,22 +129,7 @@ registry.registerPath({
         }),
         query: listAccessTokensSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 registry.registerPath({
@@ -158,22 +143,7 @@ registry.registerPath({
         }),
         query: listAccessTokensSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listAccessTokens(

server/routers/apiKeys/createOrgApiKey.ts

@@ -2,7 +2,6 @@ import { NextFunction, Request, Response } from "express";
 import { db } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { apiKeyOrg, apiKeys } from "@server/db";
 import { fromError } from "zod-validation-error";
 import createHttpError from "http-errors";
@@ -33,14 +32,6 @@ export type CreateOrgApiKeyResponse = {
     lastChars: string;
     createdAt: string;
 };
-const CreateOrgApiKeyResponseDataSchema = z.object({
-    apiKeyId: z.string(),
-    name: z.string(),
-    apiKey: z.string(),
-    lastChars: z.string(),
-    createdAt: z.string()
-});
-
 
 registry.registerPath({
     method: "put",
@@ -57,16 +48,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateOrgApiKeyResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createOrgApiKey(

server/routers/apiKeys/deleteApiKey.ts

@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteApiKey(

server/routers/apiKeys/listApiKeyActions.ts

@@ -9,7 +9,6 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { eq } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const paramsSchema = z.object({
     apiKeyId: z.string().nonempty()
@@ -45,19 +44,6 @@ export type ListApiKeyActionsResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListApiKeyActionsResponseDataSchema = z.object({
-    actions: z.array(
-        z.object({
-            actionId: z.string()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/org/{orgId}/api-key/{apiKeyId}/actions",
@@ -67,18 +53,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListApiKeyActionsResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listApiKeyActions(

server/routers/apiKeys/listOrgApiKeys.ts

@@ -9,7 +9,6 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { eq, and } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const querySchema = z.object({
     limit: z
@@ -49,23 +48,6 @@ export type ListOrgApiKeysResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListOrgApiKeysResponseDataSchema = z.object({
-    apiKeys: z.array(
-        z.object({
-            apiKeyId: z.string(),
-            orgId: z.string(),
-            lastChars: z.string(),
-            createdAt: z.string(),
-            name: z.string()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/org/{orgId}/api-keys",
@@ -75,18 +57,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListOrgApiKeysResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listOrgApiKeys(

server/routers/apiKeys/setApiKeyActions.ts

@@ -36,22 +36,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function setApiKeyActions(

server/routers/auditLogs/exportRequestAuditLog.ts

@@ -5,7 +5,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryAccessAuditLogsQuery,
@@ -29,22 +28,7 @@ registry.registerPath({
         }),
         params: queryRequestAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportRequestAuditLogs(

server/routers/auditLogs/queryRequestAnalytics.ts

@@ -156,22 +156,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryRequestAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export type QueryRequestAnalyticsResponse = Awaited<ReturnType<typeof query>>;

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -227,22 +227,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryRequestAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 async function queryUniqueFilterAttributes(

server/routers/auth/checkResourceSession.ts

@@ -9,7 +9,7 @@ import logger from "@server/logger";
 
 export const params = z.strictObject({
     token: z.string(),
-    resourceId: z.coerce.number().int().positive()
+    resourceId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 export type CheckResourceSessionParams = z.infer<typeof params>;

server/routers/auth/lookupUser.ts

@@ -51,22 +51,7 @@ export type LookupUserResponse = {
 //     request: {
 //         body: lookupBodySchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function lookupUser(

server/routers/blueprints/applyJSONBlueprint.ts

@@ -31,22 +31,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function applyJSONBlueprint(

server/routers/blueprints/applyYAMLBlueprint.ts

@@ -54,22 +54,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function applyYAMLBlueprint(

server/routers/blueprints/getBlueprint.ts

@@ -7,12 +7,13 @@ import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
+import stoi from "@server/lib/stoi";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { BlueprintData } from "./types";
 
 const getBlueprintSchema = z.strictObject({
-    blueprintId: z.coerce.number().int().positive(),
+    blueprintId: z.string().transform(stoi).pipe(z.int().positive()),
     orgId: z.string()
 });
 
@@ -56,22 +57,7 @@ registry.registerPath({
     request: {
         params: getBlueprintSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getBlueprint(

server/routers/blueprints/listBlueprints.ts

@@ -74,22 +74,7 @@ registry.registerPath({
         }),
         query: listBluePrintsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listBlueprints(

server/routers/client/archiveClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const archiveClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: archiveClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function archiveClient(

server/routers/client/blockClient.ts

@@ -13,7 +13,7 @@ import { sendTerminateClient } from "./terminate";
 import { OlmErrorCodes } from "../olm/error";
 
 const blockClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -24,22 +24,7 @@ registry.registerPath({
     request: {
         params: blockClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function blockClient(

server/routers/client/createClient.ts

@@ -59,22 +59,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createClient(

server/routers/client/createUserClient.ts

@@ -60,22 +60,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createUserClient(

server/routers/client/deleteClient.ts

@@ -14,7 +14,7 @@ import { sendTerminateClient } from "./terminate";
 import { OlmErrorCodes } from "../olm/error";
 
 const deleteClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -25,22 +25,7 @@ registry.registerPath({
     request: {
         params: deleteClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteClient(

server/routers/client/getClient.ts

@@ -253,22 +253,7 @@ registry.registerPath({
             niceId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 registry.registerPath({
@@ -281,22 +266,7 @@ registry.registerPath({
             clientId: z.number()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getClient(

server/routers/client/listClients.ts

@@ -1,15 +1,20 @@
 import {
+    clientLabels,
     clients,
     clientSitesAssociationsCache,
     currentFingerprint,
     db,
+    labels,
     olms,
     orgs,
     roleClients,
     sites,
     userClients,
-    users
+    users,
+    type Label
 } from "@server/db";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -169,6 +174,7 @@ type ClientWithSites = Awaited<ReturnType<typeof queryClientsBase>>[0] & {
         siteNiceId: string | null;
     }>;
     olmUpdateAvailable?: boolean;
+    labels?: Array<Pick<Label, "labelId" | "name" | "color">>;
 };
 
 type OlmWithUpdateAvailable = ClientWithSites;
@@ -186,22 +192,7 @@ registry.registerPath({
         query: listClientsSchema,
         params: listClientsParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listClients(
@@ -270,6 +261,11 @@ export async function listClients(
             (client) => client.clientId
         );
 
+        const isLabelFeatureEnabled = await isLicensedOrSubscribed(
+            orgId,
+            tierMatrix.labels
+        );
+
         // Get client count with filter
         const conditions = [
             and(
@@ -303,18 +299,29 @@ export async function listClients(
         }
 
         if (query) {
-            conditions.push(
-                or(
-                    like(
-                        sql`LOWER(${clients.name})`,
-                        "%" + query.toLowerCase() + "%"
-                    ),
-                    like(
-                        sql`LOWER(${clients.niceId})`,
-                        "%" + query.toLowerCase() + "%"
+            const q = "%" + query.toLowerCase() + "%";
+            const queryList = [
+                like(sql`LOWER(${clients.name})`, q),
+                like(sql`LOWER(${clients.niceId})`, q)
+            ];
+
+            if (isLabelFeatureEnabled) {
+                queryList.push(
+                    inArray(
+                        clients.clientId,
+                        db
+                            .select({ id: clientLabels.clientId })
+                            .from(clientLabels)
+                            .innerJoin(
+                                labels,
+                                eq(labels.labelId, clientLabels.labelId)
+                            )
+                            .where(like(sql`LOWER(${labels.name})`, q))
                     )
-                )
-            );
+                );
+            }
+
+            conditions.push(or(...queryList));
         }
 
         const baseQuery = queryClientsBase().where(and(...conditions));
@@ -341,6 +348,30 @@ export async function listClients(
         const clientIds = clientsList.map((client) => client.clientId);
         const siteAssociations = await getSiteAssociations(clientIds);
 
+        let labelsForClients: Array<{
+            labelId: number;
+            name: string;
+            color: string;
+            clientId: number;
+        }> = [];
+
+        if (isLabelFeatureEnabled && clientIds.length > 0) {
+            labelsForClients = await db
+                .select({
+                    labelId: labels.labelId,
+                    name: labels.name,
+                    color: labels.color,
+                    clientId: clientLabels.clientId
+                })
+                .from(labels)
+                .innerJoin(
+                    clientLabels,
+                    eq(clientLabels.labelId, labels.labelId)
+                )
+                .where(inArray(clientLabels.clientId, clientIds))
+                .orderBy(asc(clientLabels.clientLabelId));
+        }
+
         // Group site associations by client ID
         const sitesByClient = siteAssociations.reduce(
             (acc, association) => {
@@ -368,7 +399,10 @@ export async function listClients(
         const clientsWithSites = clientsList.map((client) => {
             return {
                 ...client,
-                sites: sitesByClient[client.clientId] || []
+                sites: sitesByClient[client.clientId] || [],
+                labels: labelsForClients.filter(
+                    (l) => l.clientId === client.clientId
+                )
             };
         });
 

server/routers/client/listUserDevices.ts

@@ -213,22 +213,7 @@ registry.registerPath({
         query: listUserDevicesSchema,
         params: listUserDevicesParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listUserDevices(

server/routers/client/pickClientDefaults.ts

@@ -6,7 +6,6 @@ import logger from "@server/logger";
 import { generateId } from "@server/auth/sessions/app";
 import { getNextAvailableClientSubnet } from "@server/lib/ip";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
@@ -15,12 +14,6 @@ export type PickClientDefaultsResponse = {
     olmSecret: string;
     subnet: string;
 };
-const PickClientDefaultsResponseDataSchema = z.object({
-    olmId: z.string(),
-    olmSecret: z.string(),
-    subnet: z.string()
-});
-
 
 const pickClientDefaultsSchema = z.strictObject({
     orgId: z.string()
@@ -34,16 +27,7 @@ registry.registerPath({
     request: {
         params: pickClientDefaultsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(PickClientDefaultsResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function pickClientDefaults(

server/routers/client/unarchiveClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const unarchiveClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: unarchiveClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function unarchiveClient(

server/routers/client/unblockClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const unblockClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: unblockClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function unblockClient(

server/routers/client/updateClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const updateClientParamsSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const updateClientSchema = z.strictObject({
@@ -36,22 +36,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateClient(

server/routers/domain/getDNSRecords.ts

@@ -37,22 +37,7 @@ registry.registerPath({
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getDNSRecords(

server/routers/domain/getDomain.ts

@@ -39,22 +39,7 @@ registry.registerPath({
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getDomain(

server/routers/domain/listDomains.ts

@@ -9,7 +9,6 @@ import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const listDomainsParamsSchema = z.strictObject({
     orgId: z.string()
@@ -57,28 +56,6 @@ export type ListDomainsResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListDomainsResponseDataSchema = z.object({
-    domains: z.array(
-        z.object({
-            domainId: z.string(),
-            baseDomain: z.string(),
-            verified: z.boolean(),
-            type: z.string().nullable(),
-            failed: z.boolean(),
-            tries: z.number(),
-            configManaged: z.boolean(),
-            certResolver: z.string().nullable(),
-            preferWildcardCert: z.boolean().nullable(),
-            errorMessage: z.string().nullable()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/org/{orgId}/domains",
@@ -90,16 +67,7 @@ registry.registerPath({
         }),
         query: listDomainsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(ListDomainsResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listDomains(